
Dirty Frag Exploit Exposes Linux Systems: Critical Privilege Escalation Threat

Last updated: 2026-05-10 07:05:48 · Cybersecurity

Dirty Frag Exploit: A New Linux Root Attack

A new Linux kernel privilege escalation exploit, dubbed Dirty Frag, has been publicly released, leaving most major distributions without a proper patch. The exploit chains two separate vulnerabilities to grant root access on nearly any Linux system.

[Image: Dirty Frag Exploit Exposes Linux Systems: Critical Privilege Escalation Threat. Source: itsfoss.com]

Security researcher Hyunwoo Kim (v4bel) discovered the flaws and attempted to disclose them responsibly, but an unnamed third party published the exploit code prematurely. "The embargo was broken within hours of my submission," Kim said. "Now attackers have a working exploit before most vendors could prepare a fix."

How Dirty Frag Works

Dirty Frag modifies in-memory copies of critical system files without altering the disk. The first flaw, tracked as CVE-2026-43284 (xfrm-ESP Page-Cache Write), targets /usr/bin/su and replaces its memory image with one that grants a root shell. The second, CVE-2026-43500 (RxRPC Page-Cache Write), empties the root password field in /etc/passwd, allowing PAM to accept a blank password.

Neither vulnerability works alone on every system. The first requires user namespaces, which Ubuntu's AppArmor sometimes blocks. The second depends on the rxrpc.ko module, which is absent from most default kernels. Chained together, however, the two cover all major distributions.

Immediate Mitigation Steps

Most distributions have not released patches yet. AlmaLinux is an exception, with patched kernels in its testing repository. For others, Kim recommends blacklisting three kernel modules: esp4, esp6, and rxrpc. The recommended command also drops the page cache, evicting any in-memory file copies that have already been tampered with.


Users can execute the following command as root:

    sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"

Kim additionally advises updating the kernel and rebooting as soon as a patch becomes available.
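A defender-side audit of the mitigation state described above, as an added example that is not part of the original article or of Kim's tooling: it checks that the three modules are blacklisted and not loaded, and flags the blanked root password field that the RxRPC flaw produces in the in-memory /etc/passwd. The module names and file paths come from the article; the sample file contents, the function names and the regex are this example's own.

```python
import glob
import re

# Modules the article recommends neutralising (esp4, esp6, rxrpc).
MODULES = {"esp4", "esp6", "rxrpc"}

def blocked_modules(modprobe_conf: str) -> set:
    """Modules neutralised by an 'install <mod> /bin/false' line in modprobe.d text."""
    found = set()
    for line in modprobe_conf.splitlines():
        m = re.match(r"\s*install\s+(\S+)\s+/bin/false\b", line)
        if m:
            found.add(m.group(1))
    return found

def loaded_modules(proc_modules: str) -> set:
    """Module names from /proc/modules text (first whitespace-separated field)."""
    return {ln.split()[0] for ln in proc_modules.splitlines() if ln.strip()}

def passwd_root_blank(passwd_text: str) -> bool:
    """True if the root entry of /etc/passwd-format text has an empty password field.
    A normal read returns the page-cache copy, so a blanked field shows up here."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            return fields[1] == ""
    return False

def audit(modprobe_conf: str, proc_modules: str, passwd_text: str) -> dict:
    """Findings: target modules not blacklisted, target modules still loaded, root blank."""
    return {
        "unblocked": sorted(MODULES - blocked_modules(modprobe_conf)),
        "loaded": sorted(MODULES & loaded_modules(proc_modules)),
        "root_blank": passwd_root_blank(passwd_text),
    }

def audit_host() -> dict:
    """Run the audit against the live host (Linux, readable /etc/modprobe.d and /proc)."""
    conf = "".join(open(p).read() for p in glob.glob("/etc/modprobe.d/*.conf"))
    with open("/proc/modules") as f, open("/etc/passwd") as g:
        return audit(conf, f.read(), g.read())

# Constructed sample inputs: blacklist missing rxrpc, rxrpc loaded, root password blanked.
SAMPLE_CONF = "install esp4 /bin/false\ninstall esp6 /bin/false\n"
SAMPLE_MODULES = "rxrpc 180224 0 - Live 0x0000000000000000\nxfrm_user 45056 1 - Live 0x0000000000000000\n"
SAMPLE_PASSWD = "root::0:0:root:/root:/bin/bash\nnobody:x:65534:65534::/nonexistent:/usr/sbin/nologin\n"

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_MODULES, SAMPLE_PASSWD))
```

Any non-empty "unblocked" or "loaded" list means the interim mitigation is incomplete on that host; "root_blank" true is a symptom to investigate, not proof of the exploit.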

Background

This exploit follows closely on the heels of Copy Fail, another Linux privilege escalation technique that exploited an old logic flaw. Unlike Copy Fail, Dirty Frag leverages page-cache write vulnerabilities to corrupt memory without touching disk, making detection difficult.

Canonical has issued mitigation guidelines for Ubuntu users. The broader Linux ecosystem is now scrambling to deploy kernel updates across enterprise and consumer systems.

What This Means

System administrators must act immediately to apply the module blacklist until patches arrive. The exploit is trivial to execute once an attacker gains local access, and the broken disclosure means exploit code is already circulating in attacker forums.

This incident underscores the fragile security chain in modern Linux kernels. Until all distributions ship fixes, every unpatched system remains one user account away from complete compromise.