Dirty Frag Vulnerability: How Two Linux Kernel Flaws Combine for Root Access
Introduction
Just days after the disclosure of the Copy Fail exploit, a new and more sophisticated Linux kernel vulnerability has emerged. Dubbed Dirty Frag, this attack chain escalates an unprivileged local user to root by exploiting two distinct memory corruption flaws. Security researcher Hyunwoo Kim (v4bel) responsibly disclosed the issue to the linux-distros mailing list with a five-day embargo, but an unidentified third party published a working exploit on the same day, leaving most distributions scrambling for a fix. As of writing, no distribution has shipped a patched kernel through its regular update channel, and the earlier algif_aead blacklist recommended for Copy Fail offers no protection against Dirty Frag.

Understanding Dirty Frag
Like its predecessor Copy Fail, Dirty Frag overwrites the in-memory (page cache) copy of a system file without altering the version stored on disk. Every subsequent read from the page cache returns the corrupted data, yet the on-disk file is never modified: the change disappears once the page is evicted or the host reboots, so offline disk forensics find nothing. The flip side is that a live check does see it: anything that reads the file through the normal path while the tampered page is resident (a hash against the package manifest, rpm -V, dpkg -V) reports a mismatch.
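The following script is an added example, not code from the article or from the researcher's exploit. It checks for the condition Dirty Frag leaves behind, a cached copy of a file that differs from the file on disk, by hashing the file once through the page cache (sha256sum) and once with dd iflag=direct (GNU coreutils), which opens the file with O_DIRECT and reads the blocks from the filesystem, bypassing the cache. The two default file paths are the ones the article names; the function name, the return codes and the report format are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the article or the researcher): compare what a
# file looks like through the page cache with what is actually on disk.
# sha256sum reads through the cache; dd iflag=direct reads with O_DIRECT.
#
# Exit status of cache_vs_disk:
#   0 = cached and on-disk bytes agree
#   1 = MISMATCH: the cached copy differs from the on-disk file
#   2 = O_DIRECT read not possible on this filesystem (some tmpfs, etc.)
#   3 = file missing or unreadable
cache_vs_disk() {
    f="$1"
    [ -r "$f" ] || return 3
    tmp=$(mktemp) || return 3
    # Pull the on-disk blocks into a scratch file without touching the
    # cached pages of "$f". dd is page-aligned internally, which O_DIRECT
    # requires; a short final block at EOF is fine.
    if ! dd if="$f" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    cached=$(sha256sum < "$f" | cut -d' ' -f1)
    direct=$(sha256sum < "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"
    [ "$cached" = "$direct" ]
}

# Print one line per file with the outcome of cache_vs_disk.
report() {
    for f in "$@"; do
        rc=0
        cache_vs_disk "$f" || rc=$?
        case $rc in
            0) echo "OK          $f" ;;
            1) echo "MISMATCH    $f  (page cache differs from on-disk file)" ;;
            2) echo "SKIPPED     $f  (direct read unsupported here)" ;;
            *) echo "UNREADABLE  $f" ;;
        esac
    done
}

# Usage: sh cachecheck.sh [file ...]
# With no arguments, check the two files the article says the exploit targets.
if [ $# -eq 0 ]; then
    set -- /usr/bin/su /etc/passwd
fi
report "$@"
```

A direct read first writes back any dirty pages in the range, so a file that was legitimately edited a moment ago hashes the same both ways; a MISMATCH therefore means cached pages that differ from disk but are not marked dirty, which is exactly what a page-cache write primitive leaves. Run it before writing to /proc/sys/vm/drop_caches, because dropping the cache destroys the evidence.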
Dirty Frag achieves this via two separate Common Vulnerabilities and Exposures (CVEs):
CVE-2026-43284: xfrm-ESP Page-Cache Write
The public exploit uses this flaw to overwrite the page-cache copy of /usr/bin/su with a version that hands a root shell to whoever runs it. The write primitive comes from the xfrm (IPsec) subsystem's handling of ESP (Encapsulating Security Payload), which the exploit abuses to place attacker-controlled bytes into a cached page.
CVE-2026-43500: RxRPC Page-Cache Write
The public exploit uses the second flaw against /etc/passwd: it blanks root's password field so that Pluggable Authentication Modules (PAM) accept an empty password and allow a root login. This path relies on the rxrpc.ko kernel module (the AF_RXRPC socket family), which most distributions do not ship by default.
Neither flaw works universally on its own, which is why the researcher chained them. The first needs an unprivileged user namespace, which Ubuntu's AppArmor restriction on unprivileged user namespaces can block. The second has no such dependency but needs the rxrpc module, which most distributions omit; Ubuntu ships it, so between the two paths the exploit covers the major Linux distributions in practice.
Current Mitigation Steps
As of now, only AlmaLinux has released patched kernels, and only in its testing repository. Other distributions have yet to provide a fix. The immediate and recommended action is to block the three kernel modules involved in the exploit chain from loading. Run the following command as root:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
This command performs several actions:
- Writes /etc/modprobe.d/dirtyfrag.conf with install lines that make modprobe run /bin/false instead of loading esp4, esp6 or rxrpc. Unlike a plain blacklist line, which only stops alias-based autoloading, an install line also defeats an explicit modprobe by name.
- Attempts to unload the three modules if they are currently loaded. rmmod fails for a module that is in use (for example esp4 while an IPsec SA uses it), so confirm with lsmod afterwards.
- Writes 3 to /proc/sys/vm/drop_caches to evict clean page-cache pages, discarding any already-corrupted cached copies so the next read comes from the untouched on-disk file. Pages mapped by a running process are not evicted, so a tampered binary that is currently executing keeps its pages until that process exits.
Two caveats apply. If your kernel has any of these modules built in (listed in /lib/modules/$(uname -r)/modules.builtin), no modprobe configuration can disable it. And the block disables IPsec ESP and AF_RXRPC, so hosts running an IPsec VPN or an AFS client lose that functionality until a patched kernel is installed.
After applying the blacklist, update the kernel and reboot as soon as your distribution releases a patch. Hyunwoo Kim emphasizes that the kernel update is the only long-term fix; the module block is a stopgap.
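The following script is an added example, not code from the article, the researcher or any distribution. It reports whether the mitigation above is actually in effect for each of the three modules: whether the module is compiled into the kernel (in which case no modprobe configuration helps), whether it is still loaded, and whether an install line of the kind the one-liner writes is present in /etc/modprobe.d. Each check takes an optional path argument so it can also run against saved copies of /proc/modules, a modprobe.d directory and a modules.builtin list. The module names are from the article; the function names and the status words are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): is the Dirty Frag module block in effect?

MODS="esp4 esp6 rxrpc"

# Is MOD currently loaded? Parses /proc/modules, whose first field is the name.
# Usage: module_loaded MOD [PATH_TO_PROC_MODULES]
module_loaded() {
    mod="$1"; src="${2:-/proc/modules}"
    [ -r "$src" ] || return 1
    awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$src"
}

# Is MOD blocked from loading? Looks for "install MOD /bin/false" (or /bin/true)
# in the modprobe.d directory, which is what the article's one-liner writes.
# A plain "blacklist MOD" line is not counted: it only stops alias-based
# autoloading and does not stop an explicit "modprobe MOD".
# Usage: module_blocked MOD [MODPROBE_DIR]
module_blocked() {
    mod="$1"; dir="${2:-/etc/modprobe.d}"
    [ -d "$dir" ] || return 1
    cat "$dir"/*.conf 2>/dev/null |
        grep -qE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(false|true)([[:space:]]|$)"
}

# Is MOD compiled into the running kernel? Then modprobe config cannot disable it.
# Usage: module_builtin MOD [PATH_TO_MODULES_BUILTIN]
module_builtin() {
    mod="$1"; list="${2:-/lib/modules/$(uname -r 2>/dev/null)/modules.builtin}"
    [ -r "$list" ] || return 1
    grep -qE "/${mod}\.ko$" "$list"
}

# One word per module, in order of how bad the situation is:
#   BUILTIN   - blacklist is futile, only a kernel update helps
#   LOADED    - still loaded; rmmod it (or reboot) even if the conf exists
#   BLOCKED   - not loaded and an install line prevents loading
#   UNBLOCKED - not loaded but nothing prevents it from being loaded
# Usage: module_status MOD [PROC_MODULES] [MODPROBE_DIR] [MODULES_BUILTIN]
module_status() {
    mod="$1"
    if module_builtin "$mod" "$4"; then echo BUILTIN
    elif module_loaded "$mod" "$2"; then echo LOADED
    elif module_blocked "$mod" "$3"; then echo BLOCKED
    else echo UNBLOCKED
    fi
}

# Report on the live system when run directly.
for m in $MODS; do
    printf '%-6s %s\n' "$m" "$(module_status "$m")"
done
```

Anything other than BLOCKED on all three lines means the one-liner did not fully take effect and the host is still exposed until the kernel is updated.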
Additional Guidance for Ubuntu Users
Canonical, the company behind Ubuntu, has published a set of mitigation guidelines specifically for its users. While the blacklist command above works on Ubuntu as well, administrators should monitor Ubuntu Security Notices for official patches and follow any supplemental advice provided.
Conclusion
Dirty Frag represents a significant privilege escalation threat: it leaves no trace on disk, and a working exploit is publicly available. Until all major distributions ship kernel updates, the module block remains the only reliable defense. System administrators are urged to apply the mitigation immediately and to install a patched kernel as soon as one becomes available.