Security researchers have disclosed a new Linux kernel privilege escalation vulnerability named DirtyClone (CVE-2026-43503) that enables local attackers to obtain root privileges by exploiting flaws in the kernel’s zero-copy networking implementation. The vulnerability, which carries a CVSS score of 8.8, stems from improper handling of cloned network packets that can cause file-backed memory pages to lose critical protection flags, opening the door to in-memory modification of privileged executables.
According to JFrog Security Research, attackers can abuse the flaw by loading a privileged binary such as /usr/bin/su into memory, attaching its pages to a cloned network packet, and routing it through a specially crafted IPsec tunnel. During packet processing, the kernel mistakenly allows portions of the executable’s in-memory image to be overwritten with attacker-controlled data. Because only the page cache is modified—not the actual file stored on disk—the attack leaves virtually no forensic evidence and bypasses traditional file integrity monitoring. The original binary is restored after a reboot, but by then the attacker may have already obtained persistent root access.
DirtyClone is the latest member of the growing “DirtyFrag” family of Linux privilege escalation flaws, following earlier vulnerabilities such as Copy Fail, DirtyFrag, and Fragnesia. Researchers say all of these issues stem from the same underlying design problem: kernel functions that manipulate packet fragments sometimes fail to preserve metadata indicating that memory pages are shared with files. Each newly discovered code path has exposed another opportunity for attackers to convert networking optimizations into arbitrary memory write primitives.
The vulnerability primarily affects multi-user Linux environments where unprivileged users can create namespaces, including shared servers, CI/CD runners, Kubernetes clusters, and container hosts. Kernel patches addressing the flaw have already been merged into upstream Linux and backported to supported stable releases. Administrators are urged to install updated kernels as soon as possible. Where immediate patching is not feasible, temporarily disabling unprivileged user namespaces or restricting IPsec-related kernel modules can reduce exposure, although researchers stress these are only interim mitigations rather than permanent fixes.
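As an added, defender-side illustration (not code from the article or from JFrog Security Research), the following POSIX shell script audits the two interim mitigations named above: whether unprivileged user namespace creation is still allowed, and whether IPsec-related modules are loaded. It assumes the upstream sysctl `user.max_user_namespaces` is the relevant knob (Debian and Ubuntu additionally ship `kernel.unprivileged_userns_clone`), and it treats the assumed list `esp4`, `esp6`, `xfrm_user` and `af_key` as the IPsec-related modules; the `lsmod` output it checks by default is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the article or JFrog: audit the two interim
# mitigations the advisory mentions. The checks take their input as
# arguments/stdin so they can be run against captured data or live values.

# True (exit 0) when unprivileged user namespace creation appears allowed,
# judged from user.max_user_namespaces. Assumption: 0 disables creation for
# all users; distribution-specific knobs are not consulted here.
userns_exposed() {
    max="$1"
    [ "$max" -gt 0 ] 2>/dev/null
}

# True (exit 0) when any module from the ASSUMED IPsec-related list appears
# in lsmod- or /proc/modules-style text read from stdin (module name is
# the first column in both formats; the lsmod header never matches).
ipsec_modules_loaded() {
    awk '$1 == "esp4" || $1 == "esp6" || $1 == "xfrm_user" || $1 == "af_key" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Prints one status line per check. Returns 0 when at least one interim
# mitigation is in place (the advisory says either reduces exposure), 1 when
# neither is. Neither outcome replaces installing the patched kernel.
audit_interim_mitigations() {
    max_userns="$1"
    lsmod_text="$2"
    mitigations=0
    if userns_exposed "$max_userns"; then
        echo "user.max_user_namespaces=$max_userns: unprivileged user namespaces allowed"
    else
        echo "user.max_user_namespaces=$max_userns: user namespace creation disabled"
        mitigations=$((mitigations + 1))
    fi
    if printf '%s\n' "$lsmod_text" | ipsec_modules_loaded; then
        echo "IPsec-related modules loaded (assumed list: esp4 esp6 xfrm_user af_key)"
    else
        echo "no IPsec-related modules loaded (assumed list: esp4 esp6 xfrm_user af_key)"
        mitigations=$((mitigations + 1))
    fi
    [ "$mitigations" -gt 0 ]
}

# Constructed sample lsmod output, standing in for a host with IPsec loaded.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   24576  2
xfrm_user              49152  1
ext4                  958464  1'
SAMPLE_MAX_USERNS=65536

if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    # Live mode: read the running kernel's values (Linux only).
    if [ -r /proc/sys/user/max_user_namespaces ] && [ -r /proc/modules ]; then
        live_max=$(cat /proc/sys/user/max_user_namespaces)
        live_mods=$(cat /proc/modules)
        if audit_interim_mitigations "$live_max" "$live_mods"; then
            echo "verdict: at least one interim mitigation in place"
        else
            echo "verdict: no interim mitigation in place"
        fi
    else
        echo "live audit skipped: /proc/sys/user/max_user_namespaces or /proc/modules not readable"
    fi
else
    # Default: run against the constructed sample (an exposed host).
    if audit_interim_mitigations "$SAMPLE_MAX_USERNS" "$SAMPLE_LSMOD"; then
        echo "verdict: at least one interim mitigation in place"
    else
        echo "verdict: no interim mitigation in place"
    fi
fi
```

Run it as-is to see the verdict for the constructed sample, or with `AUDIT_LIVE=1 sh audit.sh` on a Linux host to check the running kernel. The script only reports; applying the mitigation (for example `sysctl -w user.max_user_namespaces=0`, or blacklisting the modules via modprobe configuration) is a deliberate administrative step with its own side effects on containers and VPN users, which is why the advisory frames it as interim.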
