Dirty Frag Linux bug lets local users gain root

Unpatched ‘Dirty Frag’ kernel flaw, reported April 30, 2026, lets unprivileged local users gain root on multiple Linux distributions by chaining xfrm‑ESP and RxRPC page‑cache write bugs; a working PoC is public.

Security researcher Hyunwoo Kim reported on April 30, 2026, an unpatched local privilege escalation vulnerability in the Linux kernel called “Dirty Frag.” The exploit chain combines two page‑cache write flaws to escalate an unprivileged local account to root on distributions including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10 and Fedora 44. A working proof‑of‑concept that can gain root with a single command has been published publicly.

The attack links two distinct primitives. The xfrm‑ESP page‑cache write, traced to a January 2017 commit in the IPSec xfrm subsystem, provides a four‑byte store primitive that can overwrite parts of the kernel page cache but normally requires creating a user namespace. Ubuntu blocks that step through AppArmor. The RxRPC page‑cache write, introduced in June 2023, does not need a user namespace but depends on the rxrpc kernel module (rxrpc.ko), which is not built into some distributions by default. RHEL 10.1 does not ship rxrpc.ko in its default build, while Ubuntu loads the module by default. Chaining the two primitives lets an attacker exploit systems where one vector would otherwise be blocked.

Vendor advisories describe the technical trigger. The xfrm variant is reachable via the XFRM user netlink interface and affects the ESP‑in‑UDP MSG_SPLICE_PAGES no‑COW fast path. The root cause is in the in‑place decryption fast paths of esp4, esp6 and rxrpc. When a socket buffer contains paged fragments that are not privately owned by the kernel — for example, pages attached via splice(2), sendfile(2) or MSG_SPLICE_PAGES — the receive path can decrypt directly over those externally backed pages, exposing or corrupting plaintext that an unprivileged process still holds a reference to.

A public proof‑of‑concept has increased the urgency for mitigation and patches. Kernel maintainers have been alerted and distribution vendors are expected to issue fixes. Until patches are available, a temporary mitigation is to prevent the vulnerable modules from loading and to unload them if they are present. One suggested command to implement the blocklist and remove the modules is: sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
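The same interim mitigation, written as a small script that an administrator can audit, dry-run and re-check. This is an added example, not code from the original report or from the researcher's advisory. The module names (esp4, esp6, rxrpc) and the /etc/modprobe.d/dirtyfrag.conf path come from the command quoted above; the function names, the DIRTYFRAG_DRY_RUN switch and the sample /proc/modules excerpt are assumptions made for the example.

```sh
#!/bin/sh
# Added example: helper around the interim Dirty Frag mitigation described
# in the article (modprobe.d "install <mod> /bin/false" blocklist plus rmmod).
# Module names and the dirtyfrag.conf path come from the article; function
# names, DIRTYFRAG_DRY_RUN and the sample /proc/modules text are this
# example's own assumptions.

VULN_MODULES="esp4 esp6 rxrpc"

# Constructed /proc/modules excerpt (name size refcount deps state address)
# for the stand-alone demo; two of the three vulnerable modules are loaded.
SAMPLE_PROC_MODULES='rxrpc 1048576 1 af_rxrpc, Live 0x0000000000000000
esp4 28672 0 - Live 0x0000000000000000
xfrm_user 61440 1 - Live 0x0000000000000000
ext4 1081344 2 - Live 0x0000000000000000'

# Emit the blocklist: one "install <module> /bin/false" line per module makes
# modprobe run /bin/false instead of loading that module. These are the same
# three lines the article's one-liner writes.
dirtyfrag_blocklist_content() {
    for m in $VULN_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Read /proc/modules-format text on stdin; print the names of the vulnerable
# modules that are currently loaded, one per line (field 1 is the name).
dirtyfrag_loaded_modules() {
    awk -v want="$VULN_MODULES" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        ($1 in w) { print $1 }'
}

# Write the blocklist into a modprobe.d directory (default /etc/modprobe.d)
# and unload any vulnerable module listed in the modules file (default
# /proc/modules). With DIRTYFRAG_DRY_RUN=1 only report what would be unloaded.
# rmmod failures are reported but non-fatal, like the article's "rmmod ...; true".
dirtyfrag_apply() {
    dir="${1:-/etc/modprobe.d}"
    modules_file="${2:-/proc/modules}"
    conf="$dir/dirtyfrag.conf"
    mkdir -p "$dir" || return 1
    dirtyfrag_blocklist_content > "$conf" || return 1
    [ -r "$modules_file" ] || return 0
    for m in $(dirtyfrag_loaded_modules < "$modules_file"); do
        if [ -n "${DIRTYFRAG_DRY_RUN:-}" ]; then
            echo "dry run: would rmmod $m"
        elif ! rmmod "$m" 2>/dev/null; then
            echo "warning: could not unload $m (in use, or not running as root)" >&2
        fi
    done
    return 0
}

# Audit: return 0 only if every vulnerable module has its blocklist line in
# <dir>/dirtyfrag.conf and none of them appears in the modules file.
dirtyfrag_check() {
    dir="${1:-/etc/modprobe.d}"
    modules_file="${2:-/proc/modules}"
    conf="$dir/dirtyfrag.conf"
    rc=0
    for m in $VULN_MODULES; do
        if ! grep -qx "install $m /bin/false" "$conf" 2>/dev/null; then
            echo "missing blocklist entry for $m in $conf" >&2
            rc=1
        fi
    done
    if [ -r "$modules_file" ]; then
        for m in $(dirtyfrag_loaded_modules < "$modules_file"); do
            echo "vulnerable module still loaded: $m" >&2
            rc=1
        done
    fi
    return $rc
}

# Demo against the constructed sample, touching nothing on the real system:
#   sh dirtyfrag-mitigate.sh --demo      (hypothetical file name)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PROC_MODULES" > "$tmp/modules"
    DIRTYFRAG_DRY_RUN=1 dirtyfrag_apply "$tmp/modprobe.d" "$tmp/modules"
    cat "$tmp/modprobe.d/dirtyfrag.conf"
    dirtyfrag_check "$tmp/modprobe.d" "$tmp/modules" || echo "system still exposed"
    rm -rf "$tmp"
fi
```

On a real host, run dirtyfrag_apply as root with no arguments, then dirtyfrag_check. The install directive only stops future loads through modprobe; it does nothing to a module that is already loaded, which is why the rmmod step exists, and rmmod will fail while a module is in use (for example with active IPsec state), so the check is worth repeating after the dependent services are stopped. To confirm that modprobe honours the blocklist without actually loading anything, a verbose dry run such as modprobe -n -v esp4 should report the install command rather than an insmod.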

Kim wrote that Dirty Frag is a deterministic logic error that does not rely on a timing window or a race condition, that failed attempts do not crash the kernel, and that the exploit has a very high success rate. He also noted the vulnerability can be triggered regardless of whether the algif_aead module — the mitigation used for earlier Copy Fail attacks — is present, leaving systems that applied that mitigation still at risk.

System administrators are advised to apply the module blocklist, remove the modules where possible, and monitor vendor advisories for official patches and updated guidance.
