Dirty Frag: A New Deterministic Linux Page‑Cache Write Vulnerability for Stable Root Escalation
Dirty Frag is a newly disclosed Linux kernel page‑cache write bug. It rests on two independent primitives, one in xfrm‑ESP and one in RxRPC, either of which deterministically corrupts the frag pages of a struct sk_buff, letting an unprivileged local user gain root without any race condition. It works across the major distributions and can be mitigated by disabling the affected modules.
On 2026‑05‑07 the vulnerability named Dirty Frag was fully disclosed. Like Dirty Pipe and Copy Fail, it is a page‑cache write bug: it lets an unprivileged local user write deterministically into the page cache of any file they can read, which is enough for local privilege escalation (LPE) to root. The exploit needs no race condition, does not panic the kernel when it fails, and reproduces reliably on all major Linux distributions.
Vulnerability Overview
Type : Local privilege escalation (LPE)
Impact : Unprivileged user → root
Success rate : Extremely high (deterministic logic bug)
Race condition required : No
Failure consequence : Silent failure, no kernel panic
Public PoC : https://github.com/V4bel/dirtyfrag
Technical Deep Dive
Core Mechanism
Dirty Frag rests on two independent page‑cache write defects, an xfrm‑ESP primitive and an RxRPC primitive, either of which corrupts the frags of a nonlinear struct sk_buff (skb_shinfo(skb)->frags). The chain is fully deterministic and does not depend on timing windows.
The xfrm‑ESP primitive provides a 4‑byte arbitrary STORE, but it requires a user namespace, which is unavailable to unprivileged users on distributions that restrict unprivileged user namespace creation through AppArmor (Ubuntu 23.10 and later do this by default).
The RxRPC primitive does not require a user namespace (Ubuntu ships rxrpc.ko and the kernel loads it on demand when a process creates an AF_RXRPC socket) and serves as the fallback when the xfrm‑ESP path is unavailable.
Exploitation Chain
The attacker performs the following steps:
Use splice() to construct a nonlinear sk_buff, i.e. one whose payload lives in frag pages rather than in the linear buffer.
Use either the xfrm‑ESP or the RxRPC page‑cache write defect (whichever is available on the target) to corrupt the sk_buff frags.
The corrupted frags cause a deterministic modification of page‑cache pages belonging to a file the attacker can only read, a setuid binary in the PoC, which yields root.
The chain is a pure logic bug: no randomness, no timing window, stable reproduction on all mainstream Linux distributions, and a silent failure mode rather than a kernel panic.
Comparison with Similar Vulnerabilities
Dirty Pipe (2022, CVE‑2022‑0847) – page‑cache write via pipe buffers that kept the PIPE_BUF_FLAG_CAN_MERGE flag after splice(); it did not require a race either, but the overwrite could not start at a page boundary, cross one, or grow the file, which limited the practical targets.
Copy Fail (2024) – page‑cache write; low exploitation difficulty, although mitigations for it already exist.
Dirty Frag (2026) – page‑cache write chain; very low difficulty, since the exploit is deterministic and fails silently.
Impact Scope
Affected Modules and Commits
xfrm‑ESP : the defect was introduced by kernel commit cac2661c53f3 (2017‑01‑17), so roughly nine years of kernel releases are affected.
RxRPC : the defect was introduced by kernel commit 2dc334f1a63a (June 2023).
Verified Affected Distributions
Ubuntu 24.04.4 (6.17.0‑23‑generic)
RHEL 10.1 / CentOS Stream 10 / AlmaLinux 10 (6.12 series)
Fedora 44 (6.19.14‑300.fc44)
openSUSE Tumbleweed (7.0.2‑1‑default)
Disclosure Timeline
2026‑04‑29: Detailed RxRPC vulnerability information and a weaponized exploit submitted to the kernel security team (security@kernel.org).
2026‑04‑29: RxRPC fix patch submitted to the netdev mailing list.
2026‑05‑07: Full Dirty Frag description and exploit submitted to the linux‑distros mailing list under a five‑day embargo.
2026‑05‑07: A third party disclosed the ESP vulnerability, breaking the embargo.
2026‑05‑07: With the consent of the distribution maintainers, the complete technical document and PoC were released publicly.
Exploitation Conditions and Mitigations
Preconditions
Local unprivileged user (any shell or code execution on the host).
Either esp4 / esp6 or rxrpc loaded or loadable. Most distributions ship them as modules that the kernel pulls in on demand: rxrpc when a process creates an AF_RXRPC socket, esp4 / esp6 when an IPsec state is configured (which is what the user namespace in the xfrm‑ESP path provides). A module absent from lsmod is therefore no guarantee.
Public PoC available at https://github.com/V4bel/dirtyfrag, so no exploit development is required.
Temporary Mitigation (no reboot required)
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf"
sudo rmmod esp4 esp6 rxrpc 2>/dev/null || true
Side‑effect warning: disabling these modules breaks IPsec (esp4 / esp6, used by most VPN stacks) and RxRPC (the AFS client); assess the impact before applying. Note also that rmmod refuses to unload a module that is still in use, and the 2>/dev/null || true above hides that refusal; the modprobe.d entry only prevents future loads, so confirm with lsmod that the modules are actually gone.
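As an added example (not code from the article or from the dirtyfrag repository), the POSIX shell helpers below do the checks a practitioner wants around this mitigation: list which of the affected modules are loaded and whether their refcount will block rmmod, write the same modprobe.d configuration the article recommends, and audit a modprobe.d directory to confirm all three modules are blocked from loading. The module names and the install-to-/bin/false technique are the page's; the lsmod sample is constructed, and the function names, file name and the --live flag are my own.

```shell
#!/bin/sh
# Added example: audit helpers for the Dirty Frag module mitigation. Not part of
# the original article or of the V4bel/dirtyfrag repository. Module names and the
# "install X /bin/false" approach come from the article; the lsmod text below is
# constructed sample data, not captured from a real host.

AFFECTED="esp4 esp6 rxrpc"

# Constructed lsmod output: rxrpc pinned by kafs, esp4 with two users.
SAMPLE_LSMOD='Module                  Size  Used by
rxrpc                 786432  1 kafs
esp4                   28672  2
xfrm_algo              16384  1 esp4
xt_conntrack           12288  1'

# Read lsmod output on stdin; print "name refcount" for each affected module
# that is loaded. A non-zero refcount means rmmod will refuse to unload it.
loaded_affected() {
    awk 'NR > 1 && ($1 == "esp4" || $1 == "esp6" || $1 == "rxrpc") { print $1, $3 }'
}

# Write the article's modprobe.d config into DIR. "install X /bin/false" makes
# modprobe run /bin/false instead of loading X, which also defeats on-demand
# loading (e.g. socket(AF_RXRPC, ...) asking the kernel for net-pf-33).
write_block_config() {
    dir=$1
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
        > "$dir/dirtyfrag.conf"
}

# Return 0 only if every affected module has an install line in DIR/*.conf
# that points at /bin/false or /bin/true; otherwise return 1.
audit_block_config() {
    dir=$1
    for mod in $AFFECTED; do
        cat "$dir"/*.conf 2>/dev/null \
            | grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)([[:space:]]|\$)" \
            || return 1
    done
    return 0
}

# Read-only check of the running host: what is loaded, what modprobe would do
# for each module (expect "install /bin/false"), and whether /etc/modprobe.d
# blocks all three.
live_check() {
    echo "== affected modules currently loaded (name refcount) =="
    lsmod | loaded_affected
    echo "== what modprobe would do =="
    for mod in $AFFECTED; do
        modprobe -n -v "$mod" 2>&1 | sed "s/^/$mod: /"
    done
    echo "== /etc/modprobe.d audit =="
    if audit_block_config /etc/modprobe.d; then echo "all blocked"; else echo "NOT all blocked"; fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Offline demo on the constructed sample: prints "rxrpc 1" and "esp4 2".
    printf '%s\n' "$SAMPLE_LSMOD" | loaded_affected
fi
```

Run it with --live on a host to audit the real state. Two caveats the audit cannot see: a module that is built into the kernel (listed in /lib/modules/$(uname -r)/modules.builtin) cannot be blocked by modprobe.d at all, and an already-loaded module with a non-zero refcount stays resident until whatever uses it (an IPsec SA, a mounted AFS volume) is torn down.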
Fix Status and Security Recommendations
Fix Status
No CVE number has been assigned and no released kernel contains the fix yet (the embargo was broken by a third party).
Upstream has begun merging a fix into the netdev tree.
Distributions will backport the fix in upcoming releases.
Security Recommendations
The PoC is publicly available; an attacker with a local shell and basic Linux knowledge can reach root within minutes.
Apply the module‑blocking mitigation above on all production Linux servers that do not depend on IPsec or AFS.
Monitor loading of the esp4, esp6 and rxrpc modules, for example by auditing the init_module and finit_module syscalls (auditctl -a always,exit -F arch=b64 -S init_module,finit_module -k modules) and alerting on those module names.
Track official kernel security updates from each distribution.
Upgrade to kernels that include the upstream fix as soon as they are released.
Audit the integrity of setuid binaries (rpm -Va, debsums, or a file‑integrity tool). These read through the page cache and therefore see the bytes the kernel would execute; bear in mind that, as with Dirty Pipe, a page‑cache‑only modification may never be written back to disk, so a binary that verifies clean after a reboot or cache eviction does not prove the host was never exploited.
References
Official repository & PoC: https://github.com/V4bel/dirtyfrag
Technical write‑up: assets/write-up.md in the repository
This article has been distilled and summarized from source material and republished for learning and reference.
Black & White Path