Auto-CTI
SANS INTERNET STORM CENTER, INFOCON: GREEN

Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)

KEV CRITICAL Linux CVE-2026-31431 LPE Ubuntu kernel

Strategic Summary

A new local privilege escalation named Dirty Frag has been discovered in the Linux kernel. It allows unprivileged users to obtain root access through page-cache corruption via in-place kernel crypto operations. The vulnerability combines two sub-issues in the IPsec and RxRPC modules and affects most major distributions. No CVE number exists yet because disclosure occurred prematurely.

Key Findings

  • Dirty Frag is a local privilege escalation in the Linux kernel that can give unprivileged users root privileges.
  • The vulnerability combines two attack vectors: one in the xfrm-ESP page cache (IPsec) and one in the RxRPC module, both reached via splice().
  • Attackers can use it to modify the page cache of read-only files such as /etc/passwd in RAM and thereby escalate privileges.
  • No CVE number was assigned because the coordinated disclosure was cut short by a third party.
  • Most major Linux distributions are affected; remediation consists of kernel patches and disabling unneeded modules.

Relevance for you

A universal Linux LPE directly affects the company's Ubuntu systems; it requires prompt kernel-patch evaluation and must be taken into account in system hardening and access control measures.

Full text

Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag

Click HERE to learn more about classes Yee Ching is teaching for SANS

**Published**: 2026-05-08. **Last Updated**: 2026-05-08 07:50:01 UTC

Less than two weeks after the public disclosure of the Copy Fail vulnerability (CVE-2026-31431), another local privilege escalation (LPE) vulnerability in the Linux kernel has been revealed. Referred to as "Dirty Frag," this vulnerability was discovered and reported by Hyunwoo Kim (@v4bel) [1]. In this diary, I will provide a brief background on Dirty Frag, and discuss its relationship to Copy Fail. I will then discuss how to mitigate Dirty Frag and outline recommended next steps for system owners.

The existence of Dirty Frag was revealed after the coordinated disclosure embargo was broken by an unrelated third party [1]. Just like Copy Fail [2], Dirty Frag allows an unprivileged local user to escalate to root on most major Linux distributions. Due to the premature disclosure of Dirty Frag, no CVE IDs were assigned [3].

Dirty Frag chains two distinct vulnerabilities:

1. **xfrm-ESP Page-Cache Write** - residing in the IPsec ESP decryption fast paths (`esp4`, `esp6`)
2. **RxRPC Page-Cache Write** - residing in the RxRPC module

Both sub-vulnerabilities share a common root cause: on a zero-copy send path where `splice()` plants a reference to a page cache page that an attacker only has read access to into the `frag` slot of the sender-side skb, the receiver-side kernel code performs in-place crypto on top of that frag. As a result, the page cache of files that an unprivileged user only has read access to (such as `/etc/passwd` or `/usr/bin/su`) is modified in RAM, and every subsequent read sees the modified copy [1].

While both Dirty Frag and Copy Fail belong to the same broad vulnerability class (page-cache corruption via kernel crypto in-place operations), they were discovered by different researchers and reside in different kernel subsystems. Copy Fail (CVE-2026-31431) was discovered by researchers at Theori and abuses the `algif_aead` module in the AF_ALG crypto interface.

| Factors | Copy Fail (CVE-2026-31431) | Dirty Frag |
| --- | --- | --- |
| **Kernel Subsystem** | AF_ALG / algif_aead | xfrm ESP (esp4, esp6) and RxRPC |
| **CVE Assigned** | Yes (CVE-2026-31431) | No (embargo broken before allocation) |
| **Controlled Bytes Written** | 4 bytes | 4 bytes (per sub-vulnerability) |
| **Chaining Required** | No (single vulnerability) | Yes (two sub-vulnerabilities chained) |
| **Discoverer** | Theori (Research Team) | Hyunwoo Kim (@v4bel) |
| **Public Disclosure Date** | 29 April 2026 | 7 May 2026 |

The Dirty Frag vulnerability is significant (beyond its possible utility in Capture-the-Flag challenges). Firstly, the vulnerability affects many major Linux distributions with kernels dating back to approximately 2017, similar to Copy Fail. Secondly, due to the unfortunate embargo breach, the working exploit code is publicly available. Thirdly, since no CVE identifier was assigned, any automated workflow or system that tracks vulnerabilities by CVE identifier would not surface Dirty Frag automatically. Finally, in containerized environments, an adversary may be able to leverage Dirty Frag to overwrite relevant binaries in the base layer and escape to the host.

```shell
# Unload modules if currently loaded
modprobe -r esp4 esp6 rxrpc

# Denylist modules to prevent loading on
```
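To check whether the unload and denylist steps above actually took effect on a host, here is an added audit helper (example code, not from the ISC diary). It assumes the standard `/proc/modules` line format and a `/etc/modprobe.d/*.conf` layout; the sample data it runs against is constructed so the script works offline.

```shell
#!/bin/sh
# Added example, not code from the ISC diary: audits whether the modules Dirty
# Frag abuses (esp4, esp6, rxrpc) are loaded and whether they are denylisted,
# and can write a denylist. Assumes standard /proc/modules and /etc/modprobe.d
# formats; the sample data below is constructed so it can run offline.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# loaded_modules MODULES_FILE: prints those of the three modules present in a
# /proc/modules-style file (each line starts with "<name> <size> <refcount>").
loaded_modules() {
  for m in $DIRTYFRAG_MODULES; do
    if grep -q "^$m " "$1"; then printf '%s\n' "$m"; fi
  done
}

# denylisted_modules MODPROBE_DIR: prints those of the three modules that some
# *.conf in the directory blocks via "blacklist <m>" or "install <m> /bin/false".
denylisted_modules() {
  for m in $DIRTYFRAG_MODULES; do
    if cat "$1"/*.conf 2>/dev/null |
       grep -Eq "^(blacklist[[:space:]]+$m|install[[:space:]]+$m[[:space:]]+/bin/(false|true))([[:space:]]|\$)"; then
      printf '%s\n' "$m"
    fi
  done
}

# write_denylist MODPROBE_DIR: writes a conf denying all three modules; the
# "install ... /bin/false" line also blocks on-demand autoloading, which a
# plain "blacklist" entry does not.
write_denylist() {
  for m in $DIRTYFRAG_MODULES; do
    printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
  done > "$1/dirtyfrag-denylist.conf"
}

# Constructed sample host: esp4 and rxrpc loaded, only esp6 already denylisted.
SAMPLE=$(mktemp -d)
printf 'esp4 24576 0 - Live 0xffffffffc0a10000\nxfrm_user 49152 1 - Live 0xffffffffc09f0000\nrxrpc 180224 0 - Live 0xffffffffc0a50000\n' > "$SAMPLE/modules"
mkdir -p "$SAMPLE/modprobe.d"
printf 'blacklist esp6\n' > "$SAMPLE/modprobe.d/local.conf"

echo "loaded:     $(loaded_modules "$SAMPLE/modules" | tr '\n' ' ')"
echo "denylisted: $(denylisted_modules "$SAMPLE/modprobe.d" | tr '\n' ' ')"
```

On a real host, call `loaded_modules /proc/modules` and `denylisted_modules /etc/modprobe.d` instead of the sample paths; any module reported as loaded or not denylisted still needs the `modprobe -r` and denylist steps above.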

Risk Score: 100

  • cvss base: 78.00
  • kev bonus: 20.00
  • epss bonus: 0.00
  • poc bonus: 15.00
  • raw before weight: 113.00
  • industry weight: 1.30
  • freshness factor: 1.00
  • days old: 0.00

Path: operational

MITRE ATT&CK Mapping

1 TTP

Procedure details

| Technique | Tactic | Procedure | Conf. | Source |
| --- | --- | --- | --- | --- |
| T1068 Exploitation for Privilege Escalation | Privilege Escalation | The 'Dirty Frag' vulnerability (and the related Copy Fail, CVE-2026-31431) are Linux kernel local privilege escalation vulnerabilities in kernel subsystems (xfrm ESP, RxRPC, AF_ALG/algif_aead) that allow a local attacker to escalate privileges to root on Linux systems. | high | llm |
