Dirty Frag: New Linux Local Root Exploit Chain Hits Major Distros

Dirty Frag: Two Bugs, One Root Shell

A new Linux kernel vulnerability chain, dubbed Dirty Frag, gives untrusted users root access on every major distribution. Researchers from Automox and Microsoft detail two CVEs that, when combined, bypass existing mitigations. Patches are available now.

The Two Vulnerabilities

CVE-2026-43284 targets the IPsec ESP receive path (esp_input()). When an skb object is non-linear but lacks a frag list, the kernel skips skb_cow_data() and decrypts AEAD in place on a splice-pinned page. An attacker controls the file offset and writes 4-byte values.

CVE-2026-43500 hits rxkad_verify_packet_1() in the RxRPC subsystem. Splice-pinned pages become both source and destination for decryption, and the decryption key can be extracted via add_key(rxrpc). This lets an attacker rewrite memory contents.

Why Chaining Matters

Alone, each exploit is unreliable. Ubuntu's AppArmor blocks namespace creation, neutralizing the ESP technique. Most distributions don't load rxrpc.ko by default, neutralizing the RxRPC arm. But chained together, the two exploits provide root on every major distribution tested by researcher Kim.

Attack Surface and Impact

Attackers can leverage SSH access, web-shell execution, container escapes, or compromised low-privilege accounts. Microsoft researchers note: "Dirty Frag is notable because it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components to improve exploitation reliability." It avoids narrow timing windows or unstable corruption.

Mitigations

Wiz researchers say hardened containerized environments like Kubernetes with default security settings are less likely to be exploited. However, virtual machines or less restricted environments remain at significant risk.

Patch Now

Install the latest kernel updates from your distribution immediately. Most fixes require a reboot. If you can't reboot, follow the mitigation steps linked in the original advisory.

Technical Deep Dive

The Dirty Frag technique belongs to the same bug family as Dirty Pipe (2022) and CopyFail (last week). All exploit flaws in page-cache handling. Dirty Frag targets the frag member of struct sk_buff rather than pipe_buffer. The exploit uses splice() to plant a reference to a read-only page-cache page (e.g., /etc/passwd or /usr/bin/su) into the frag slot of a sender-side skb. Receiver-side kernel code performs in-place cryptographic operations on that frag, modifying the page cache in RAM. Every subsequent read of the file sees the corrupted version, even though the attacker only ever had read access.

Check Your Kernel

To see if your system is vulnerable, check your kernel version:

uname -r

Compare against the patched versions listed in your distribution's security advisories. For Ubuntu, check:

grep VERSION_ID /etc/os-release
apt list --upgradable 2>/dev/null | grep linux-image

For RHEL/Fedora:

rpm -q kernel
dnf check-update kernel

What You Should Do Now

1. Apply kernel updates immediately.
2. If immediate patching is impossible, restrict unprivileged user access and disable unnecessary kernel modules (rxrpc, esp4, esp6).
3. Monitor for signs of exploitation (unexpected file modifications, privilege escalation attempts).
4. In containerized environments, ensure AppArmor or SELinux profiles are enforced.