Dirty Frag: unpatched Linux kernel flaw grants root access on Ubuntu, RHEL and Fedora. A working exploit is already public.
Security researchers have disclosed a new unpatched vulnerability in the Linux kernel, code-named Dirty Frag, that allows an unprivileged local user to gain full root access on most major Linux distributions, including Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream.
Dirty Frag is related to the Dirty Pipe family of vulnerabilities but is independent of the Copy Fail mitigation, meaning systems that already applied the algif_aead blacklist remain fully exposed.
“[the flaw] can obtain root privileges on major Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.” reads the advisory. “Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”
The researcher Hyunwoo Kim (@v4bel) first disclosed the vulnerability.
The vulnerability chains two separate flaws. The first is the xfrm-ESP Page-Cache Write bug, rooted in the Linux IPsec subsystem and introduced in a January 2017 source code commit, the same commit responsible for CVE-2022-27666, a buffer overflow affecting multiple Linux distributions. The second is the RxRPC Page-Cache Write bug, introduced in June 2023. Neither flaw alone is sufficient on all systems, but together they cover each other’s blind spots: where one path is blocked by the environment, such as Ubuntu’s AppArmor restrictions on namespace creation, the other opens. The chain is what makes Dirty Frag universally dangerous across distributions.
“What both vulnerabilities have in common is that, on a zero-copy send path where splice() plants a reference to a page cache page that the attacker only has read access to into the frag slot of the sender side skb as is, the receiver side kernel code performs in-place crypto on top of that frag.” reads the analysis. “As a result, the page cache of files that an unprivileged user only has read access to (such as /etc/passwd or /usr/bin/su) is modified in RAM, and every subsequent read sees the modified copy.”
What makes Dirty Frag particularly dangerous is its reliability. Unlike many kernel exploits that depend on precise timing windows or race conditions, this is a deterministic logic bug. It doesn’t panic the kernel on failure, and its success rate is described as very high. A working proof-of-concept is already public, reducing exploitation to a single command.
The disclosure itself was complicated: the embargo broke early after a third party published detailed technical information and the exploit code without coordination. No CVE identifier has been assigned yet.
“Chaining the two variants makes the blind spots cover each other. In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works” concludes the report.
Until official patches are available, the recommended workaround is to blocklist the esp4, esp6, and rxrpc kernel modules to prevent them from loading.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Dirty Frag)
