Dirty Frag: New Linux Kernel LPE Vulnerability Grants Root Access Across Major Distros A newly disclosed Linux kernel vulnerability, dubbed Dirty Frag, enables local privilege escalation (LPE) by chaining two page-cache write flaws xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write to achieve root access on nearly all major Linux distributions. The exploit, publicly released on May 7, 2026, following an embargo break, leverages a deterministic logic flaw rather than race conditions, ensuring a high success rate without kernel panics. Discovered by security researcher Hyunwoo Kim (@v4bel), Dirty Frag exploits the kernel’s zero-copy send path, where `splice()` inserts a reference to a read-only page cache (e.g., `/etc/passwd` or `/usr/bin/su`) into the `frag` slot of a sender-side `sk_buff`. Receiver-side cryptographic operations then modify the page cache in-place, corrupting files even for unprivileged users. ### Exploit Mechanics 1. xfrm-ESP Variant: - Targets `esp_input()` in the IPsec ESP receive path, skipping buffer allocation checks (`skb_cow_data()`) for non-linear `skb`s. - Attackers use `XFRMA_REPLAY_ESN_VAL` to overwrite arbitrary bytes (e.g., `/usr/bin/su`) with a root-shell ELF, requiring user namespace creation (`unshare(CLONE_NEWUSER)`), which is blocked on some Ubuntu systems via AppArmor. 2. RxRPC Variant: - Exploits `rxkad_verify_packet_1()` to perform in-place decryption on the first 8 bytes of an RxRPC payload. - Attackers brute-force a session key to manipulate plaintext (e.g., emptying `/etc/passwd`’s password field), bypassing PAM authentication. This variant does not require namespace privileges but relies on the `rxrpc.ko` module, absent by default on RHEL but present on Ubuntu. Chaining both exploits ensures root access across distributions, with the PoC first attempting the ESP path before falling back to RxRPC if `unshare` fails. ### Affected Systems The vulnerabilities span nine years, with the ESP flaw introduced in January 2017 (commit `cac2661c53f3`) and the RxRPC flaw in June 2023 (commit `2dc334f1a63a`). Confirmed affected distributions include: - Ubuntu 24.04.4 (kernel 6.17.0-23) - RHEL 10.1 (kernel 6.12.0-124.49.1) - openSUSE Tumbleweed (kernel 7.0.2-1) - CentOS Stream 10, AlmaLinux 10, Fedora 44 ### Patches & Mitigation - The ESP patch, using `SKBFL_SHARED_FRAG` to enforce buffer isolation, was merged into the netdev tree on May 7, 2026. - The RxRPC patch remains unmerged upstream. - No CVEs have been assigned due to the premature embargo break. - Temporary mitigation involves blacklisting the affected modules (`esp4`, `esp6`, `rxrpc`) via: ```bash sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true" ``` This disrupts IPsec and RxRPC functionality, requiring careful evaluation for systems reliant on VPNs. The full technical write-up and PoC are available on the researcher’s GitHub repository.

Critical Linux Kernel Vulnerability (CVE-2026-23111) Enables Local Privilege Escalation A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, allowing unprivileged local attackers to escalate privileges to root on widely used distributions, including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. The bug resides in the nft_map_catchall_activate() function within nftables, a packet filtering framework built on Linux’s Netfilter hooks. Testing in a controlled lab environment revealed that Rocky Linux exhibited lower vulnerability exposure post-update compared to Ubuntu and Red Hat systems. However, kernel backports and system configurations influence risk, meaning version numbers alone may not fully indicate exposure. The vulnerability appears to affect Linux kernels 5.15 and later, while default kernels in AlmaLinux and Rocky Linux (5.14) remain unaffected. The flaw underscores the ongoing risks of privilege escalation in Linux environments, particularly in systems relying on nftables for network filtering.