A proof-of-concept exploit has been released for a new Linux kernel vulnerability class dubbed “Dirty Frag”, a universal local privilege escalation that reliably yields root across most major Linux distributions.
Because a third party unexpectedly broke the responsible disclosure embargo, the exploit is now public without official patches or an assigned Common Vulnerabilities and Exposures (CVE) identifier.
Technical Details of the Vulnerability
Dirty Frag operates similarly to previous kernel flaws like Dirty Pipe and Copy Fail by maliciously manipulating the Linux kernel’s page cache, which is the in-memory copy of files maintained for performance optimization.
The vulnerability is a deterministic logic bug rather than a race condition, so it triggers reliably and does not crash the kernel. It lets an attacker alter the in-memory (page-cache) copy of a file they can only read, without ever holding write permission on the file on disk.
Attackers achieve root privileges by chaining two distinct page-cache write vulnerabilities to bypass individual system protections.
According to security researcher Hyunwoo Kim, the first flaw, the xfrm-ESP page-cache write, lives in the IPsec (xfrm) networking stack and has been present in the codebase since January 2017.
When a non-linear socket buffer carrying a splice-pinned page-cache reference reaches the ESP decryption path without the required copy-on-write check, the in-place decryption performs a four-byte arbitrary write directly into the page cache.
Attackers use this primitive to overwrite the page-cache copy of the setuid-root su binary with a root-shell payload.
The second vulnerability, the RxRPC Page-Cache Write, was introduced to the kernel more recently in June 2023. This flaw performs an eight-byte in-place decryption directly on a splice-pinned page without requiring any user-namespace privileges.
Because the operation is deterministic, attackers can search in user space for a key under which the kernel’s eight-byte in-place decryption of the targeted page yields the bytes they want, then trigger the kernel write. This precisely modifies the root entry of /etc/passwd in the page cache, bypassing authentication prompts entirely.
Exploit Chaining and Affected Systems
Chaining the two bugs lets a single exploit cover environmental blind spots across distributions. The xfrm-ESP flaw supplies the stronger arbitrary-write primitive, and, as reported by V4Bel on GitHub, the following distributions and kernel builds are listed as affected:
- Ubuntu 24.04.4 (kernel 6.17.0-23-generic)
- RHEL 10.1 (kernel 6.12.0-124.49.1.el10_1.x86_64)
- openSUSE Tumbleweed (kernel 7.0.2-1-default)
- CentOS Stream 10 (kernel 6.12.0-224.el10.x86_64)
- AlmaLinux 10 (kernel 6.12.0-124.52.3.el10_1.x86_64)
- Fedora 44 (kernel 6.19.14-300.fc44.x86_64)
The xfrm-ESP path, however, requires the ability to create an unprivileged user namespace, which distributions such as Ubuntu restrict by default through AppArmor policies.
The RxRPC flaw needs no namespace privileges and therefore serves as a fallback on Ubuntu systems, where the necessary kernel module is loaded by default.
This chained methodology allows a single exploit binary to achieve root access across Ubuntu, Red Hat Enterprise Linux, Fedora, CentOS Stream, AlmaLinux, and openSUSE.
Furthermore, Dirty Frag successfully executes even on systems that applied mitigations for the recent Copy Fail vulnerability, as the flaws target entirely different kernel subsystems.
Because the embargo was broken prematurely, official security patches are not yet available for any major Linux distribution.
Until distribution maintainers release updated kernel versions, system administrators must rely on manual workarounds to secure their infrastructure.
The primary stopgap is to block the kernel modules Dirty Frag relies on: prevent esp4, esp6, and rxrpc from loading, and unload them if they are already loaded, to remove the vulnerable in-place decryption paths. Two caveats apply. Hosts that terminate IPsec tunnels lose ESP once esp4 and esp6 are blocked, and a modprobe blocklist does nothing where that code is compiled into the kernel rather than built as a module, so confirm the result with lsmod after applying it.
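The following script is an added example of that workaround, not code from the advisory or from the exploit author. It assumes root on the target host and the standard /etc/modprobe.d, /proc/modules and /lib/modules paths; the MODPROBE_D variable and the optional file arguments exist so the logic can be dry-run against a scratch directory.

```shell
#!/bin/sh
# Added example: block the esp4, esp6 and rxrpc modules that Dirty Frag relies on.
# Assumptions (not from the advisory): run as root; MODPROBE_D and the /proc and
# /lib paths below are the standard Linux locations and may be overridden for a dry run.
MODPROBE_D="${MODPROBE_D:-/etc/modprobe.d}"
DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

write_blocklist() {
    # "blacklist" only stops alias-based autoload at boot; "install <mod> /bin/false"
    # also defeats on-demand loading when a process opens an AF_RXRPC or IPsec socket.
    conf="$MODPROBE_D/dirty-frag-mitigation.conf"
    : > "$conf"
    for m in $DIRTY_FRAG_MODULES; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m" >> "$conf"
    done
    printf '%s\n' "$conf"
}

any_loaded() {
    # Print each targeted module that is currently loaded; exit 0 if any is.
    # Reads /proc/modules, or the file given as $1 (used for offline checks).
    modfile="${1:-/proc/modules}"
    rc=1
    for m in $DIRTY_FRAG_MODULES; do
        if grep -q "^$m " "$modfile" 2>/dev/null; then
            printf '%s\n' "$m"
            rc=0
        fi
    done
    return $rc
}

any_builtin() {
    # modprobe.d cannot block code compiled into the kernel (CONFIG_*=y), so check
    # modules.builtin (or the file given as $1) before trusting the blocklist.
    builtin="${1:-/lib/modules/$(uname -r)/modules.builtin}"
    rc=1
    for m in $DIRTY_FRAG_MODULES; do
        if grep -q "/$m\.ko" "$builtin" 2>/dev/null; then
            printf '%s\n' "$m"
            rc=0
        fi
    done
    return $rc
}

unload_loaded() {
    # modprobe -r fails while a module is in use (e.g. an active IPsec SA);
    # warn instead of aborting so the blocklist still lands for the next boot.
    for m in $(any_loaded || true); do
        modprobe -r "$m" 2>/dev/null || printf 'warning: %s busy, reboot needed\n' "$m" >&2
    done
}

# Usage: sudo sh dirty-frag-mitigation.sh apply
if [ "${1:-}" = "apply" ]; then
    conf=$(write_blocklist)
    echo "wrote $conf"
    unload_loaded
    if any_builtin >/dev/null; then
        echo "WARNING: some targeted code is built into this kernel; only a kernel update removes it" >&2
    fi
    any_loaded && echo "still loaded (see warnings above)" || echo "none of the targeted modules are loaded"
fi
```

The "install ... /bin/false" line matters more than "blacklist": a blacklist entry alone does not stop the kernel from loading rxrpc when a process creates an AF_RXRPC socket, which is exactly what an exploit would do.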
Security teams should watch threat-intelligence feeds for patch releases and, in the meantime, verify the in-memory copies of critical files such as the setuid su binary and /etc/passwd against their on-disk or package-manifest versions (for example with debsums or rpm -V), bearing in mind that a page-cache-only modification disappears once the pages are evicted, so a clean result only covers the moment of the check.
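One way to perform that check is added here as an example (not code from the advisory or the exploit author): hash a file once through the page cache, as any process reading it would, and once with O_DIRECT, which on filesystems that honour it (ext4, XFS; not tmpfs or overlayfs) returns the bytes on disk. Because the exploit never marks the modified page dirty, the two views diverge while the tampered page is resident. The O_DIRECT comparison is this editor's technique, not something the advisory describes.

```shell
#!/bin/sh
# Added example: detect a page-cache-only modification of a file by comparing the
# bytes seen through the page cache with the bytes read directly from disk.
# Assumption (not from the advisory): the filesystem honours O_DIRECT, so
# "dd iflag=direct" returns on-disk content rather than the cached page.

cached_sha256() {
    # A normal read() is served from the page cache: the view a victim process gets.
    sha256sum "$1" | cut -d' ' -f1
}

direct_sha256() {
    # O_DIRECT bypasses the page cache. dd copes with a short final block.
    # Prints nothing and returns 1 if the filesystem rejects O_DIRECT, so the
    # caller can report UNKNOWN instead of a misleading CLEAN.
    tmp=$(mktemp) || return 1
    if ! dd if="$1" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    sha256sum "$tmp" | cut -d' ' -f1
    rm -f "$tmp"
}

verdict() {
    # $1 = hash via page cache, $2 = hash from disk ("" when unavailable)
    if [ -z "$2" ]; then
        echo UNKNOWN
    elif [ "$1" = "$2" ]; then
        echo CLEAN
    else
        echo TAMPERED
    fi
}

check_file() {
    # Exit 0 only when both views agree; TAMPERED and UNKNOWN both need a human.
    c=$(cached_sha256 "$1")
    d=$(direct_sha256 "$1") || d=""
    v=$(verdict "$c" "$d")
    printf '%s %s\n' "$v" "$1"
    [ "$v" = "CLEAN" ]
}

# Usage: sh pagecache-check.sh /usr/bin/su /etc/passwd
# Run it while the suspect pages are still resident; after a reboot or
# "echo 3 > /proc/sys/vm/drop_caches" the tampered copy is gone.
if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_file "$f" || status=1
    done
    exit $status
fi
```

An UNKNOWN result means O_DIRECT was refused, which is common inside containers on overlayfs; there, fall back to the package-manifest comparison above, which still reads the cached bytes and will flag the mismatch.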