Fedora Project Vendor Cyber Rating & Cyber Score

fedoraproject.org

The Fedora Project is open and anyone is welcome to join. Fedora is a Linux-based operating system that showcases the latest in free and open source software. Fedora is always free for anyone to use, modify, and distribute. It is built by people across the globe who work together as a community: the Fedora Project.


Fedora Project A.I CyberSecurity Scoring

Company Information
Website: https://fedoraproject.org
Employees number: 281
Number of followers: 35,905
NAICS: 5112
Industry Type: Software Development
Homepage: fedoraproject.org
Fedora Project Risk Score (AI oriented)
Between 700 and 749
Updated: 11/05/2026
737/1000
Moderate
Ba
Powered by our proprietary A.I cyber incident model
Current Score: 737 Ba (MODERATE), on a scale of 0 to 1000
4 incidents
-4.25 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
738 Before Incident
MAY 2026
742 Before Incident
Vulnerability
11 May 2026, Fedora Project
Fedora: 9-Year-Old Dirty Frag Vulnerability Enables Root Access on Linux Systems

Dirty Frag: Nine-Year-Old Linux Kernel Vulnerabilities Expose Systems to Privilege Escalation

737 After Incident
CRITICAL-5
FED1778509814

Researchers have uncovered two critical Linux kernel vulnerabilities, collectively named Dirty Frag, which remained undetected for nearly nine years. Discovered by independent security researcher Hyunwoo Kim, these flaws enable local privilege escalation (LPE), allowing an unprivileged user to gain root access, a severe security risk given that root privileges grant full system control.

The vulnerabilities stem from logic flaws in the Linux kernel’s networking components, specifically the IPSec ESP (esp4 and esp6) and rxrpc modules. The IPSec ESP flaw is tracked as CVE-2026-43284, while the rxrpc issue is designated CVE-2026-43500. By chaining these vulnerabilities, attackers can overwrite protected memory and modify critical system files.

Dirty Frag belongs to the page-cache-write family of bugs, similar to earlier exploits like Dirty Pipe and Copy Fail, but leverages the fragment field for exploitation. Unlike its predecessors, it does not rely on timing windows, increasing its reliability. While CVE-2026-43284 requires namespace permissions (blocked by default on some systems like Ubuntu), CVE-2026-43500 bypasses this restriction but depends on the rxrpc module being enabled (often disabled by default).

The vulnerabilities affect a wide range of Linux distributions, including Red Hat Enterprise Linux 8, 9, and 10, OpenShift 4, Ubuntu, Fedora, CentOS Stream, and AlmaLinux. Red Hat has advised temporary mitigations, such as blocking the affected modules by creating a configuration file at /etc/modprobe.d/dirtyfrag.conf with commands like `install esp4 /bin/false`. Users can check for active modules using `lsmod | grep -E 'esp4|esp6'`. Enabling SELinux in enforcing mode and avoiding root-level workloads are also recommended until official patches are released.

Industry experts have weighed in on the severity of the discovery. Ben Ronallo, Principal Cybersecurity Engineer at Black Duck, noted that Dirty Frag exploits the same root cause as Copy Fail and Dirty Pipe but is not limited to a single subsystem. With exploit code now public, weaponization is expected within days. David Brumley, Chief AI and Science Officer at Bugcrowd, emphasized that the fix for Copy Fail alone was insufficient, highlighting the ongoing need for independent research to uncover overlooked vulnerability classes.

The early leak of Kim’s research accelerated public disclosure, underscoring the challenges of coordinated vulnerability reporting. As Linux distributions rush to deploy fixes, the incident serves as a reminder of the persistent risks posed by long-standing kernel flaws.
INCIDENT DETAILS
TYPE
Privilege Escalation
IMPACT
Systems Affected: Linux systems with affected kernel modules
Operational Impact: Potential full system compromise (root access)
MAY 2026
747 Before Incident
Vulnerability
07 May 2026, Fedora Project
openSUSE, CentOS, AlmaLinux, Ubuntu and Fedora: Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released

Dirty Frag: New Linux Kernel LPE Vulnerability Grants Root Access Across Major Distros

742 After Incident
CRITICAL-5
TUXOPEFEDTHEUBU1778214411

A newly disclosed Linux kernel vulnerability, dubbed Dirty Frag, enables local privilege escalation (LPE) by chaining two page-cache write flaws, xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write, to achieve root access on nearly all major Linux distributions. The exploit, publicly released on May 7, 2026, following an embargo break, leverages a deterministic logic flaw rather than race conditions, ensuring a high success rate without kernel panics.

Discovered by security researcher Hyunwoo Kim (@v4bel), Dirty Frag exploits the kernel’s zero-copy send path, where `splice()` inserts a reference to a read-only page cache (e.g., `/etc/passwd` or `/usr/bin/su`) into the `frag` slot of a sender-side `sk_buff`. Receiver-side cryptographic operations then modify the page cache in-place, corrupting files even for unprivileged users.

### Exploit Mechanics

1. xfrm-ESP Variant:
   - Targets `esp_input()` in the IPsec ESP receive path, skipping buffer allocation checks (`skb_cow_data()`) for non-linear `skb`s.
   - Attackers use `XFRMA_REPLAY_ESN_VAL` to overwrite arbitrary bytes (e.g., `/usr/bin/su`) with a root-shell ELF, requiring user namespace creation (`unshare(CLONE_NEWUSER)`), which is blocked on some Ubuntu systems via AppArmor.
2. RxRPC Variant:
   - Exploits `rxkad_verify_packet_1()` to perform in-place decryption on the first 8 bytes of an RxRPC payload.
   - Attackers brute-force a session key to manipulate plaintext (e.g., emptying `/etc/passwd`’s password field), bypassing PAM authentication. This variant does not require namespace privileges but relies on the `rxrpc.ko` module, absent by default on RHEL but present on Ubuntu.

Chaining both exploits ensures root access across distributions, with the PoC first attempting the ESP path before falling back to RxRPC if `unshare` fails.

### Affected Systems

The vulnerabilities span nine years, with the ESP flaw introduced in January 2017 (commit `cac2661c53f3`) and the RxRPC flaw in June 2023 (commit `2dc334f1a63a`). Confirmed affected distributions include:

- Ubuntu 24.04.4 (kernel 6.17.0-23)
- RHEL 10.1 (kernel 6.12.0-124.49.1)
- openSUSE Tumbleweed (kernel 7.0.2-1)
- CentOS Stream 10, AlmaLinux 10, Fedora 44

### Patches & Mitigation

- The ESP patch, using `SKBFL_SHARED_FRAG` to enforce buffer isolation, was merged into the netdev tree on May 7, 2026.
- The RxRPC patch remains unmerged upstream.
- No CVEs have been assigned due to the premature embargo break.
- Temporary mitigation involves blacklisting the affected modules (`esp4`, `esp6`, `rxrpc`) via:

```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
```

This disrupts IPsec and RxRPC functionality, requiring careful evaluation for systems reliant on VPNs. The full technical write-up and PoC are available on the researcher’s GitHub repository.
INCIDENT DETAILS
TYPE
Local Privilege Escalation (LPE)
IMPACT
Systems Affected: Root access compromise on affected Linux distributions
Operational Impact: Potential unauthorized root access, system compromise, and data manipulation
DATA BREACH
/etc/passwd, /usr/bin/su
APRIL 2026
752 Before Incident
Vulnerability
22 Apr 2026, Fedora Project
Debian, Fedora and Ubuntu: Critical Pack2TheRoot Vulnerability Let Attackers Gain Root Access or Compromise the System

High-Severity Linux Privilege Escalation Flaw 'Pack2TheRoot' Disclosed

747 After Incident
CRITICAL-5
DEBUBUFED1776933436

Deutsche Telekom’s Red Team has publicly disclosed a high-severity privilege escalation vulnerability, CVE-2026-41651 (CVSS 8.8), dubbed Pack2TheRoot, affecting default installations of major Linux distributions. The flaw, present in the PackageKit daemon, a widely used package management abstraction layer, allows any local unprivileged user to silently install or remove system packages, ultimately gaining full root access without authentication.

The vulnerability impacts PackageKit versions 1.0.2 through 1.3.4, spanning over 12 years of releases and exposing systems across Debian, Ubuntu, Fedora, and Red Hat-based distributions, including enterprise servers running Cockpit. Confirmed vulnerable default installations include:

- Ubuntu Desktop (18.04, 24.04.4 LTS, 26.04 LTS Beta)
- Ubuntu Server (22.04, 24.04 LTS)
- Debian Desktop (Trixie 13.4)
- Rocky Linux Desktop (10.1)
- Fedora (43 Desktop and Server)

Exploitation is straightforward: an attacker with basic local access can bypass authorization controls, install malicious packages, or remove critical security components. A proof-of-concept (PoC) exists, reliably achieving root code execution in seconds, though it remains undisclosed.

The flaw was discovered during Telekom Security’s research into local privilege escalation vectors, with Claude Opus (Anthropic) assisting in the investigation starting in 2025. Findings were responsibly disclosed to PackageKit maintainers, who confirmed the issue and its exploitability.

While the attack leaves detectable traces, such as PackageKit daemon crashes logged in *journalctl*, systems can be checked for vulnerability using:

- Debian/Ubuntu: `dpkg -l | grep -i packagekit`
- RPM-based: `rpm -qa | grep -i packagekit`
- Daemon status: `systemctl status packagekit` or `pkmon`

A patch was released in PackageKit 1.3.5 (April 22, 2026), with distribution-specific fixes available via:

- Debian: [security-tracker.debian.org](https://security-tracker.debian.org)
- Ubuntu: Launchpad CVE tracker
- Fedora: PackageKit-1.3.4-3 (via Koji)

Administrators are advised to apply updates immediately, particularly on internet-facing servers running Cockpit.
INCIDENT DETAILS
TYPE
Privilege Escalation
IMPACT
Systems Affected: Default installations of major Linux distributions (Ubuntu, Debian, Fedora, Rocky Linux, Red Hat-based)
Operational Impact: Full root access compromise, potential installation/removal of malicious packages or critical security components
MARCH 2026
754 Before Incident
Vulnerability
23 Mar 2026, Fedora Project
Debian and Fedora: WARNING: New Linux Vulnerability Enables Root Access Across Every Major Linux Distribution

Critical Linux Kernel Flaw 'Copy Fail' Grants Root Access Across Decade of Releases

752 After Incident
CRITICAL-2
FEDDEB1777616905

A newly disclosed vulnerability in the Linux kernel, tracked as CVE-2026-31431 and dubbed "Copy Fail," allows local attackers to gain full root access on affected systems with near-perfect reliability. The flaw, discovered by offensive security firm Theori, impacts Linux kernel versions released since 2017, exposing millions of systems globally.

### Discovery and Disclosure

Theori’s researchers identified the bug using Xint Code, an AI-assisted penetration testing platform, in just one hour of automated analysis targeting the kernel’s cryptographic subsystem. The vulnerability was responsibly disclosed to the Linux kernel security team on March 23, 2026, with patches released within a week. However, the subsequent public release of technical details and a proof-of-concept exploit has heightened urgency for system administrators.

### Technical Breakdown

Copy Fail is a logic flaw in the kernel’s cryptographic processing pipeline, specifically within the authentication encryption ("authenc") template. The exploit leverages the AF_ALG interface and the splice() system call to perform a controlled 4-byte write into the page cache of any readable file. By targeting setuid-root executables, attackers can manipulate file contents in memory, escalating privileges to root access. The root cause stems from a 2017 performance optimization in Linux kernel 4.14, which allowed in-place buffer processing, a design choice that inadvertently enabled memory manipulation.

### Impact and Exploitation

Theori demonstrated successful exploitation across major Linux distributions, including Ubuntu, Debian, Fedora, and RHEL, using a 732-byte Python script with a 100% success rate in testing. The flaw’s portability, reliability, and simplicity make it more dangerous than previous high-profile vulnerabilities like Dirty Pipe (CVE-2022-0847), as it affects a broader range of kernel versions without requiring complex offsets or environment tuning.

### Patch Status and Mitigation

The Linux kernel maintainers addressed the issue by reverting the problematic optimization, with fixes included in kernel versions 6.18.22, 6.19.12, and 7.0. Major distributions have begun rolling out updates, though some, like Fedora 42+, have not yet published formal advisories, potentially delaying awareness. For unpatched systems, temporary mitigation involves disabling the vulnerable crypto interface:

```bash
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead
```

### High-Risk Environments

Security teams are prioritizing patching in multi-tenant servers, Kubernetes clusters, CI/CD pipelines, and cloud-based SaaS environments, where a single compromised low-privilege user could lead to full system takeover or lateral movement.

### Broader Implications

The discovery underscores the growing role of AI in vulnerability research, with tools like Xint Code accelerating flaw detection from weeks to hours. While this speeds up defensive patching, it also raises concerns about attackers adopting similar automation to exploit vulnerabilities faster. The security community’s response remains clear: immediate patching is critical to prevent system compromise.
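The Dirty Frag and Copy Fail entries above both rely on the same temporary mitigation: an `install <module> /bin/false` rule under /etc/modprobe.d plus `rmmod`. The script below is an added example, not code from the page or from any vendor advisory, that reports for each module named on the page whether the rule exists and whether the module is still resident. Function and status names are this example's own, and it inspects a single configuration directory.

```shell
#!/bin/sh
# Added example: audit the module-blocking mitigations quoted on this page.
# Module names come from the page: esp4, esp6, rxrpc (Dirty Frag) and
# algif_aead (Copy Fail). Function and status names are this example's own.
MODULES="esp4 esp6 rxrpc algif_aead"

# is_blocked MODULE CONF_DIR
# Succeeds if a *.conf file in CONF_DIR contains "install MODULE /bin/false".
is_blocked() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+${1}[[:space:]]+/bin/false[[:space:]]*\$" \
        "$2"/*.conf
}

# is_loaded MODULE MODULES_FILE
# Succeeds if MODULE is the first field of a line in a /proc/modules-style file.
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# module_status MODULE CONF_DIR MODULES_FILE prints one of:
#   mitigated           rule present and module not resident
#   blocked-but-loaded  rule present, but rmmod (or a reboot) is still needed
#   loaded              module resident and no blocking rule
#   loadable            not resident, but no rule prevents a later load
module_status() {
    if is_blocked "$1" "$2"; then
        if is_loaded "$1" "$3"; then echo blocked-but-loaded; else echo mitigated; fi
    elif is_loaded "$1" "$3"; then
        echo loaded
    else
        echo loadable
    fi
}

# audit CONF_DIR MODULES_FILE prints one "module status" line per module.
audit() {
    for mod in $MODULES; do
        printf '%s %s\n' "$mod" "$(module_status "$mod" "$1" "$2")"
    done
}

# Defaults are the live system paths; pass other paths to audit saved copies.
audit "${1:-/etc/modprobe.d}" "${2:-/proc/modules}"
```

Modules compiled into the kernel do not appear in /proc/modules and are not affected by modprobe rules, so this check covers loadable modules only.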
INCIDENT DETAILS
TYPE
Privilege Escalation
IMPACT
Systems Affected: Millions of systems globally
Operational Impact: Full system takeover or lateral movement in high-risk environments
FEBRUARY 2026
754 Before Incident
JANUARY 2026
754 Before Incident
DECEMBER 2025
754 Before Incident
NOVEMBER 2025
754 Before Incident
OCTOBER 2025
754 Before Incident
SEPTEMBER 2025
754 Before Incident
AUGUST 2025
754 Before Incident
JULY 2025
754 Before Incident

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for Fedora Project?
What was Fedora Project's A.I Rankiteo Cyber Score in May 2026?
What was Fedora Project's A.I Rankiteo Cyber Score in April 2026?
What was Fedora Project's A.I Rankiteo Cyber Score in March 2026?
What was Fedora Project's A.I Rankiteo Cyber Score in February 2026?
What was Fedora Project's A.I Rankiteo Cyber Score in January 2026?
What was Fedora Project's A.I Rankiteo Cyber Score in December 2025?
What was Fedora Project's A.I Rankiteo Cyber Score in November 2025?
What was Fedora Project's A.I Rankiteo Cyber Score in October 2025?
What was Fedora Project's A.I Rankiteo Cyber Score in September 2025?
What was Fedora Project's A.I Rankiteo Cyber Score in August 2025?
What was Fedora Project's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Fedora Project's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Fedora Project?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Fedora Project's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?