A Working Root Exploit for Every Major Linux Distribution
No Patch Yet.
Dirty Frag is a deterministic logic bug: no race condition, no timing window, and the kernel doesn’t panic on failure, so the success rate is very high. Any unprivileged local user can run the public proof-of-concept and get root in a single command. No distribution patches exist yet and no CVE has been assigned. The embargo was broken by an unrelated third party yesterday, forcing researcher Hyunwoo Kim to publish five days ahead of the planned May 12 disclosure date.
The mechanism
Dirty Frag chains two page-cache write flaws: xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write. Both abuse the zero-copy send path: splice() plants a reference to a read-only page-cache page (the one backing /etc/passwd or /usr/bin/su) in the frag slot of a sender-side socket buffer, and the receive-side kernel then performs its cryptographic operations in place on that frag. The result is a modified copy of the file in the page cache in RAM, shared by every process that opens the file and persisting until the page is evicted.
The attacker controls both the file offset and the written value through the XFRMA_REPLAY_ESN_VAL netlink attribute, and uses them to overwrite the cached pages of /usr/bin/su with a static root-shell ELF: 192 bytes, written as 48 four-byte chunks. ESP authentication fails afterward, but by then the write has already landed.
The exploit tries the ESP path first. If unshare(CLONE_NEWUSER) fails (Ubuntu’s AppArmor policy blocks unprivileged user namespaces), it falls back automatically to the RxRPC path, which targets /etc/passwd. Each path covers the other’s blind spot. Confirmed affected: Ubuntu 24.04.4, RHEL 10.1, Fedora 44, CentOS Stream 10, AlmaLinux 10, openSUSE Tumbleweed.
The Copy Fail mitigation doesn’t cover this
The xfrm-ESP component shares its sink with Copy Fail (CVE-2026-31431) but is triggered regardless of whether the algif_aead module is available, so systems with the published Copy Fail mitigation applied are still fully vulnerable. The ESP flaw dates to January 2017 and the RxRPC flaw to June 2023: an exposure window of roughly nine years for ESP and three for RxRPC.
Immediate mitigation, with a critical caveat
Run as root:

```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
> /etc/modprobe.d/dirtyfrag.conf; \
rmmod esp4 esp6 rxrpc 2>/dev/null; \
echo 3 > /proc/sys/vm/drop_caches; true"
```

The install overrides stop the three modules from autoloading the next time something triggers them, rmmod unloads any that are already loaded, and dropping the page cache evicts pages that an earlier exploit run may already have modified. Because rmmod’s errors are suppressed, check lsmod afterwards: a module that is still in use stays loaded, and the install override only blocks future loads.

Disabling esp4 and esp6 breaks every IPsec tunnel that relies on the kernel data path. Do not apply this to hosts that terminate or transit IPsec tunnels, whether they are managed by strongSwan, Libreswan or anything else that programs the kernel’s xfrm state. For those systems, weigh the tradeoff deliberately: patch when the fix lands, and don’t break production VPN infrastructure as a workaround.
If the exploit ran before the mitigation was applied, it may already have modified system binaries in the page cache. The bug rewrites the cached copy of the file, not the bytes on disk, so that cached copy is the only direct evidence: compare it against the on-disk contents or a known-good hash before you drop the page cache, then drop the cache, and then verify on-disk binary integrity with the package manager (dpkg --verify or rpm -Va) on any system that could have been exposed, since an attacker who already obtained root may have changed files on disk by ordinary means.
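Below is an added example (my code, not the post’s one-liner and not anything published by the researcher) that wraps the same mitigation in the checks a practitioner wants around it: it refuses to blacklist ESP while the kernel holds live IPsec state, records whether the cached copy of each named binary still matches its on-disk bytes (read with O_DIRECT, which bypasses the page cache) before the cache is dropped, keeps a copy of any tampered cached file as evidence, and confirms the modules actually unloaded. The function names, exit codes and the O_DIRECT comparison are my own assumptions; the script relies on ip(8), dd(1) and sha256sum(1) being installed and on the filesystem holding the binary supporting O_DIRECT (tmpfs does not, and the check then reports unsupported). The /etc/modprobe.d/dirtyfrag.conf path and the module list come from the post.

```shell
#!/bin/sh
# Added example, not code from the post or from the Dirty Frag researcher.
# Same mitigation as the one-liner above, plus the checks around it:
#   - refuse to blacklist ESP while the kernel holds live IPsec state,
#   - compare the cached copy of each named binary with its on-disk bytes
#     before the cache is dropped (an O_DIRECT read bypasses the page cache),
#   - confirm the modules really unloaded after rmmod.
# Assumes ip(8), dd(1) and sha256sum(1) are installed. Function names and
# exit codes are my own; the conf path and module list are from the post.
set -u

MODULES="esp4 esp6 rxrpc"
CONF=/etc/modprobe.d/dirtyfrag.conf
EVIDENCE_DIR=${EVIDENCE_DIR:-/root}

# 0 when at least one IPsec SA is installed (or we cannot tell), 1 otherwise.
xfrm_in_use() {
    command -v ip >/dev/null 2>&1 || { echo "ip(8) missing, treating xfrm as in use" >&2; return 0; }
    [ -n "$(ip xfrm state 2>/dev/null)" ]
}

# Write modprobe 'install' overrides to file $1 so the modules cannot autoload.
write_blacklist() {
    out=$1
    : > "$out"
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$out"
    done
}

# Print those names in $1 (space separated) that appear in a /proc/modules file $2.
still_loaded() {
    for m in $1; do
        grep -q "^$m " "$2" && printf '%s\n' "$m"
    done
    return 0
}

# Compare the page-cache view of file $1 with the bytes on disk. Prints
# "match", "TAMPERED" or "unsupported" (the filesystem refused O_DIRECT,
# as tmpfs does). Only meaningful before drop_caches: eviction destroys
# the modified copy.
check_cache_vs_disk() {
    f=$1
    tmp=$(mktemp) || return 1
    cached=$(sha256sum < "$f" | cut -d' ' -f1)
    if dd if="$f" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        ondisk=$(sha256sum < "$tmp" | cut -d' ' -f1)
        if [ "$cached" = "$ondisk" ]; then echo match; else echo TAMPERED; fi
    else
        echo unsupported
    fi
    rm -f "$tmp"
}

# Full procedure; needs root. Usage: sh dirtyfrag.sh apply /usr/bin/su /etc/passwd
apply_mitigation() {
    if xfrm_in_use; then
        echo "refusing: live IPsec state present; patch instead of blacklisting ESP" >&2
        return 2
    fi
    for f in "$@"; do
        r=$(check_cache_vs_disk "$f")
        printf '%s: %s\n' "$f" "$r"
        # A plain read goes through the page cache, so this keeps the modified copy.
        if [ "$r" = TAMPERED ]; then
            cat "$f" > "$EVIDENCE_DIR/dirtyfrag-$(basename "$f")"
        fi
    done
    write_blacklist "$CONF"
    rmmod $MODULES 2>/dev/null
    left=$(still_loaded "$MODULES" /proc/modules)
    if [ -n "$left" ]; then
        echo "still loaded (in use?); the install override only blocks future loads: $left" >&2
        return 3
    fi
    echo 3 > /proc/sys/vm/drop_caches
}

if [ "${1:-}" = apply ]; then
    shift
    apply_mitigation "$@"
fi
```

Run it as root with `sh dirtyfrag.sh apply /usr/bin/su /etc/passwd`. A TAMPERED line is the evidence that the cached copy was rewritten; the script saves that copy under /root before the cache is dropped, because after eviction the on-disk bytes alone will not show what the attacker planted. An exit status of 2 means the host has live IPsec state and the blacklist was deliberately not applied; an exit status of 3 means a module could not be unloaded and the host is still exposed until it is.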
Patch status
The ESP variant patch merged into the netdev tree yesterday. The RxRPC patch is not yet merged upstream. AlmaLinux has backported the ESP fix and published testing-repo kernels. RHEL patches are not yet available — AlmaLinux shipped ahead of Red Hat given the severity. Watch your distribution’s security channel; with a public PoC live, patches will move fast.
- Alex