Dirty Frag Exposed: What Every Linux User Should Know



A newly disclosed Linux kernel vulnerability dubbed "Dirty Frag" allows any unprivileged local user to gain full root access on virtually every major Linux distribution, with no patches currently available from any vendor. The flaw was publicly released on May 7, 2026, after an unrelated third party broke the coordinated disclosure embargo, leaving distributions scrambling to advise users on temporary workarounds.

How the Vulnerability Works

Dirty Frag, discovered by security researcher Hyunwoo Kim (@v4bel), chains two separate page-cache write bugs — one in the kernel's xfrm-ESP (IPsec) receive path and another in the RxRPC transport layer — to corrupt read-only files in memory and escalate privileges. The technique exploits the kernel's zero-copy send path, where splice() plants a reference to a cached page into a network buffer's "frag" slot. Receiver-side code then performs in-place cryptographic operations directly on that page, permanently altering the cached version of files like /usr/bin/su or /etc/passwd.

Unlike race-condition exploits, Dirty Frag is a deterministic logic bug that requires no timing window and carries an extremely high success rate. A working proof-of-concept capable of achieving root "in a single command" has been published on GitHub. Red Hat has assigned CVE-2026-43284 to track the issue, and the vulnerability is estimated to affect roughly nine years' worth of kernel releases.

Broken Embargo Forces Early Disclosure

Kim reported the ESP flaw to security@kernel.org on April 30 and submitted the vulnerability details to the linux-distros mailing list on May 7 with a five-day embargo set for May 12. However, within hours, an unrelated third party independently reverse-engineered the public netdev fix commit and published exploit details, breaking the embargo before any distribution could ship a patch. After consulting with distribution maintainers, Kim released the full Dirty Frag documentation and exploit code.

The third party, who posted a repository titled "Copy Fail 2: Electric Boogaloo," stated their work was standard "n-day weaponization" built from a publicly available upstream commit, not a leak from the coordinated process.

Mitigation Without a Patch

With no kernel patches available from Ubuntu, Red Hat, Fedora, AlmaLinux, openSUSE, or CentOS Stream, administrators are advised to blocklist the three vulnerable kernel modules — esp4, esp6, and rxrpc — as an interim measure. Red Hat warned that this workaround will break IPsec tunnels relying on the kernel data path and urged customers to test in non-production environments first. CloudLinux noted that the rxrpc module, used almost exclusively by AFS clients, is not present on typical web-hosting servers.
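The interim module blocklist described above, as a shell helper written for this post (it is an added example, not vendor-supplied tooling): it renders the modprobe.d fragment for esp4, esp6 and rxrpc, writes it to a directory of your choice, and reports which of the three modules are currently loaded by reading /proc/modules. The file name dirty-frag-mitigation.conf, the pairing of `blacklist` with `install <mod> /bin/false`, and the `--report` flag are my assumptions, not details from the article.

```shell
#!/bin/sh
# Interim Dirty Frag mitigation helper (added example, not vendor tooling):
# blocklists the three modules named in the advisory: esp4, esp6 and rxrpc.
# Assumptions (mine): the file name, and pairing "blacklist" (stops alias
# autoload only) with "install <mod> /bin/false" (also refuses explicit and
# dependency-driven loads). Neither unloads an already loaded module.

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Print the modprobe.d fragment for the given modules (default: all three).
render_blocklist() {
    for mod in ${1:-$DIRTY_FRAG_MODULES}; do
        printf 'blacklist %s\n' "$mod"
        printf 'install %s /bin/false\n' "$mod"
    done
}

# Write the fragment into a modprobe.d directory (default /etc/modprobe.d,
# which needs root) and print the path of the file written.
write_blocklist() {
    dir=${1:-/etc/modprobe.d}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    out="$dir/dirty-frag-mitigation.conf"
    render_blocklist > "$out"
    printf '%s\n' "$out"
}

# Print the vulnerable modules that are loaded right now, one per line,
# by reading /proc/modules (first field is the module name). An alternate
# file may be passed for testing; a missing file yields no output.
loaded_vulnerable_modules() {
    procfile=${1:-/proc/modules}
    [ -r "$procfile" ] || return 0
    for mod in $DIRTY_FRAG_MODULES; do
        if grep -q "^$mod " "$procfile"; then
            printf '%s\n' "$mod"
        fi
    done
}

# "sh dirty-frag-blocklist.sh --report" previews without changing anything.
if [ "${1:-}" = "--report" ]; then
    render_blocklist
    loaded_vulnerable_modules | sed 's/^/# loaded now, unload with modprobe -r: /'
fi
```

Unloading a module that is in use (for example esp4 with an active IPsec SA) fails until the tunnel is torn down, which is the breakage Red Hat warns about; rebuild the initramfs afterwards if the modules are included in it, so the blocklist also holds at early boot.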

The vulnerability follows closely on the heels of Copy Fail (CVE-2026-31431), a related flaw in the same kernel subsystem disclosed just one week earlier. Kim noted that Dirty Frag remains exploitable even on systems where the Copy Fail mitigation — blocklisting algif_aead — has already been applied.