Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)
Less than two weeks after the public disclosure of the Copy Fail vulnerability (CVE-2026-31431), another local privilege escalation (LPE) vulnerability in the Linux kernel has been revealed. Referred to as "Dirty Frag," this vulnerability was discovered and reported by Hyunwoo Kim (@v4bel) [1]. In this diary, I will provide a brief background on Dirty Frag, and discuss its relationship to Copy Fail. I will then discuss how to mitigate Dirty Frag and outline recommended next steps for system owners.
AI Analysis
Technical Summary
Dirty Frag is a Linux kernel local privilege escalation vulnerability discovered by Hyunwoo Kim. It exploits two chained sub-vulnerabilities: xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write. Both vulnerabilities arise from zero-copy send paths where splice() references a read-only page cache page in the sender-side skb frag slot, and the receiver-side kernel performs in-place cryptographic operations on that page. This modifies the page cache of files that an unprivileged user can read, causing subsequent reads to see the modified content. Unlike the related Copy Fail vulnerability (CVE-2026-31431), Dirty Frag requires chaining two vulnerabilities to achieve reliable root escalation. It affects many Linux distributions with kernels back to 2017. Due to an embargo breach, no CVE was assigned, and exploit code is publicly available. Mitigations include denylisting and unloading vulnerable kernel modules (esp4, esp6, rxrpc), applying live patches such as those from CloudLinux KernelCare, and installing patched kernels from testing repositories like AlmaLinux. Denylisting esp4 and esp6 disables IPsec ESP, and unloading rxrpc impacts RxRPC-dependent services, so administrators must assess operational impact before mitigation.
Potential Impact
The vulnerability allows an unprivileged local user to escalate privileges to root on most major Linux distributions with kernels dating back to approximately 2017. This can lead to full system compromise. The exploit modifies the page cache of read-only files in memory, potentially allowing attackers to override critical binaries and escape container environments. The public availability of exploit code increases the risk of exploitation. Systems relying on IPsec ESP or RxRPC services may experience disruption if mitigations are applied without proper assessment.
Mitigation Recommendations
Patched kernels and live patches are currently in active build and testing for several distributions. Until patches are applied, immediate mitigation involves unloading and denylisting the vulnerable kernel modules esp4, esp6, and rxrpc to prevent their loading. Note that denylisting esp4 and esp6 disables IPsec ESP functionality, and unloading rxrpc affects RxRPC-dependent services such as AFS filesystems; assess impact before applying. CloudLinux KernelCare live patches are available for affected CloudLinux versions, allowing patching without reboot. AlmaLinux has published patched kernels in testing repositories; apply these and reboot once stable versions are released. After patching, remove the denylist entries to restore normal module loading. Monitor vendor advisories for official patch releases and update systems promptly.
Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)
Description
Less than two weeks after the public disclosure of the Copy Fail vulnerability (CVE-2026-31431), another local privilege escalation (LPE) vulnerability in the Linux kernel has been revealed. Referred to as "Dirty Frag," this vulnerability was discovered and reported by Hyunwoo Kim (@v4bel) [1]. In this diary, I will provide a brief background on Dirty Frag, and discuss its relationship to Copy Fail. I will then discuss how to mitigate Dirty Frag and outline recommended next steps for system owners.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Dirty Frag is a Linux kernel local privilege escalation vulnerability discovered by Hyunwoo Kim. It exploits two chained sub-vulnerabilities: xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write. Both vulnerabilities arise from zero-copy send paths where splice() references a read-only page cache page in the sender-side skb frag slot, and the receiver-side kernel performs in-place cryptographic operations on that page. This modifies the page cache of files that an unprivileged user can read, causing subsequent reads to see the modified content. Unlike the related Copy Fail vulnerability (CVE-2026-31431), Dirty Frag requires chaining two vulnerabilities to achieve reliable root escalation. It affects many Linux distributions with kernels back to 2017. Due to an embargo breach, no CVE was assigned, and exploit code is publicly available. Mitigations include denylisting and unloading vulnerable kernel modules (esp4, esp6, rxrpc), applying live patches such as those from CloudLinux KernelCare, and installing patched kernels from testing repositories like AlmaLinux. Denylisting esp4 and esp6 disables IPsec ESP, and unloading rxrpc impacts RxRPC-dependent services, so administrators must assess operational impact before mitigation.
Potential Impact
The vulnerability allows an unprivileged local user to escalate privileges to root on most major Linux distributions with kernels dating back to approximately 2017. This can lead to full system compromise. The exploit modifies the page cache of read-only files in memory, potentially allowing attackers to override critical binaries and escape container environments. The public availability of exploit code increases the risk of exploitation. Systems relying on IPsec ESP or RxRPC services may experience disruption if mitigations are applied without proper assessment.
Mitigation Recommendations
Patched kernels and live patches are currently in active build and testing for several distributions. Until patches are applied, immediate mitigation involves unloading and denylisting the vulnerable kernel modules esp4, esp6, and rxrpc to prevent their loading. Note that denylisting esp4 and esp6 disables IPsec ESP functionality, and unloading rxrpc affects RxRPC-dependent services such as AFS filesystems; assess impact before applying. CloudLinux KernelCare live patches are available for affected CloudLinux versions, allowing patching without reboot. AlmaLinux has published patched kernels in testing repositories; apply these and reboot once stable versions are released. After patching, remove the denylist entries to restore normal module loading. Monitor vendor advisories for official patch releases and update systems promptly.
Technical Details
- Article Source
- {"url":"https://isc.sans.edu/diary/rss/32968","fetched":true,"fetchedAt":"2026-05-08T07:51:24.075Z","wordCount":1155}
Threat ID: 69fd95fccbff5d8610a97702
Added to database: 5/8/2026, 7:51:24 AM
Last enriched: 5/8/2026, 7:51:40 AM
Last updated: 5/9/2026, 1:05:17 AM
Views: 50
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.