Dirty Frag: The Linux Kernel Exploit Granting Root Access Without a Patch
Introduction
Just days after the disclosure of the Copy Fail exploit—which abused a longstanding logic flaw to escalate privileges to root—another critical Linux kernel vulnerability has emerged. Dirty Frag, reported by security researcher Hyunwoo Kim (v4bel), is a new privilege escalation threat that leaves most distributions without an official fix. The disclosure process took an unfortunate turn: Kim set a five-day embargo after reporting to the linux-distros mailing list, but an unidentified third party published a working exploit the same day, immediately putting systems at risk.

What Is Dirty Frag?
Like its predecessor Copy Fail, Dirty Frag manipulates the in-memory copy of a system file without altering the version stored on disk. This means every subsequent read of that file encounters the corrupted copy, while the filesystem appears untouched. The attack relies on two separate vulnerabilities that are chained together for maximum impact.
The Two Vulnerabilities
The first flaw, tracked as CVE-2026-43284 (xfrm-ESP Page-Cache Write), targets /usr/bin/su. It replaces its in-memory copy with a version that grants a root shell to any user who runs it. The second, CVE-2026-43500 (RxRPC Page-Cache Write), goes after /etc/passwd and empties the root password field. The Pluggable Authentication Module (PAM) then accepts the blank entry, allowing an unauthenticated root login.
Chaining for Universal Impact
Neither vulnerability works on every system alone. The first requires a user namespace, which some Ubuntu AppArmor setups block. The second does not have that requirement, but the rxrpc.ko kernel module it depends on is absent from most distributions’ default builds. Ubuntu is one of the few that ships this module by default. By chaining the two exploits, attackers can target all major Linux distributions: the xfrm-ESP bug works on systems with user namespaces enabled, while the RxRPC bug covers the rest, especially Ubuntu.

Current Mitigation Options
Most distributions have not yet released official patches. AlmaLinux is an exception, with patched kernels already available in its testing repository. For everyone else, the immediate and practical step is to blacklist the three kernel modules involved:
sh -c 'printf "install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n" > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true'
This command not only prevents the modules from loading but also clears the page cache, removing any tampering that may have already occurred. For a complete solution, follow this with a reboot after your distribution releases an update.
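The one-liner above discards rmmod errors (2>/dev/null, then true), so a module that could not be unloaded stays loaded without any message. The following check is an added example, not part of the original advisory or the researcher's tooling: it confirms that each of the three modules is install-blocked and not currently loaded. The function names and the sample host data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the module mitigation for esp4, esp6 and rxrpc.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# module_blocked MODULE DIR...
# Succeeds if a *.conf file in any DIR maps MODULE to /bin/false via an
# "install" line. A plain "blacklist" line is not counted: it only stops
# alias-based autoloading, not an explicit load by name.
module_blocked() {
    m=$1; shift
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            awk -v m="$m" '$1 == "install" && $2 == m && $3 == "/bin/false" { found = 1 }
                 END { exit !found }' "$f" && return 0
        done
    done
    return 1
}

# module_loaded MODULE FILE: FILE uses the /proc/modules layout (name first).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# dirtyfrag_audit MODULES_FILE DIR...
# Prints one status line per module; returns 0 only if every module is
# install-blocked and none is currently loaded.
dirtyfrag_audit() {
    modules_file=$1; shift
    rc=0
    for mod in $DIRTYFRAG_MODULES; do
        if module_blocked "$mod" "$@"; then blocked=yes; else blocked=no; rc=1; fi
        if module_loaded "$mod" "$modules_file"; then loaded=yes; rc=1; else loaded=no; fi
        printf '%-6s install-blocked=%s loaded=%s\n' "$mod" "$blocked" "$loaded"
    done
    return $rc
}

# Constructed sample host: config written, but rxrpc was never unloaded.
demo=$(mktemp -d)
mkdir "$demo/modprobe.d"
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
    > "$demo/modprobe.d/dirtyfrag.conf"
printf 'rxrpc 495616 0 - Live 0x0000000000000000\n' > "$demo/modules"
dirtyfrag_audit "$demo/modules" "$demo/modprobe.d" || echo "mitigation incomplete"
rm -rf "$demo"
```

On a real host, call dirtyfrag_audit /proc/modules /etc/modprobe.d. A driver compiled into the kernel rather than built as a module appears in neither place and is outside what this check covers.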
Recommendations
Hyunwoo Kim advises updating the kernel and rebooting as soon as your distro provides a patch. Canonical has issued mitigation guidelines for Ubuntu users, which should be reviewed promptly. Given the active exploitation in the wild, administrators should treat this threat with high urgency.
In summary, Dirty Frag is a potent exploit that combines two kernel flaws to achieve root access on most Linux systems. Until official patches arrive, the module blacklist remains your best defense.