A new class of Linux kernel vulnerabilities has been unearthed, threatening the core security boundary of nearly every major distribution. Dubbed “Dirty Frag” by security researcher Hyunwoo Kim (@v4bel), the technique lets an unprivileged local user escalate to root by abusing how the kernel handles page-cache memory while transmitting data.
The vulnerability is a direct spiritual successor to the infamous “Dirty Pipe” and “Copy Fail” flaws: like them, it gets the Linux kernel to write into (“dirty”) page-cache memory that the attacker is only allowed to read, this time during specific network operations.
At its core, Dirty Frag abuses a “zero-copy” send path in the Linux kernel. Such paths exist for efficiency: instead of copying file data into a socket buffer, the kernel attaches references to the existing page-cache pages to the outgoing socket buffer (skb) and transmits directly from them.
According to Kim’s report, “On a zero-copy send path where splice() plants a reference to a page cache page that the attacker only has read access to into the frag slot of the sender side skb as is, the receiver side kernel code performs in-place crypto on top of that frag.”
Because the kernel performs that “in-place” cryptographic operation on memory the attacker should only be able to read, the attacker can modify the page-cache copy of critical system files (such as /etc/passwd or /usr/bin/su) directly in RAM. Every subsequent read of the file is served from this “dirty,” modified copy rather than from disk, so the change takes effect immediately and yields instant privilege escalation.
The full technical details and a proof-of-concept (PoC) exploit have been made public. The researcher provides a comprehensive walkthrough and code demonstrating, step by step, how root access is obtained.
By releasing the exploit code, Kim aims to enable immediate testing and verification across environments, though it also means the roadmap for exploitation is now available to defenders and attackers alike.
The power of Dirty Frag lies in the chaining of two distinct vulnerabilities:
- xfrm-ESP Page-Cache Write: This provides a powerful “4-byte STORE primitive” but typically requires the privilege to create a namespace. Distributions such as Ubuntu restrict unprivileged namespace creation by default, which on its own would stop this variant in its tracks.
- RxRPC Page-Cache Write: This variant does not require namespace privileges. The rxrpc.ko module is not shipped by every distribution, but it is loaded by default on Ubuntu, which makes it the bridge an attacker needs precisely where the xfrm-ESP route is blocked.
With both primitives in hand, the attacker has a page-cache write whether or not the system allows unprivileged namespaces, which is why Kim reports root on every major Linux distribution.
One of the most concerning aspects of Dirty Frag is that it survives existing mitigations. Many administrators mitigated the earlier “Copy Fail” vulnerability by blacklisting the algif_aead module.
Kim warns that this is no longer enough: “Even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag.”
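As an added example (not the researcher's code, and not a detection for the bug itself), the following POSIX shell script reports the exposure indicators this article names: whether rxrpc.ko is loaded, whether algif_aead is loaded or blacklisted in modprobe.d, and whether unprivileged user namespaces are restricted. It assumes a Linux host with /proc mounted and uses the standard sysctl paths (kernel.apparmor_restrict_unprivileged_userns on Ubuntu, kernel.unprivileged_userns_clone on Debian, user.max_user_namespaces upstream). It cannot tell you whether the running kernel is patched, because the article gives no fixed versions; check your distribution's advisories for CVE-2026-43284 and CVE-2026-43500 for that.

```shell
#!/bin/sh
# Dirty Frag exposure audit (added example, not from the write-up).
# Reports the indicators the article names; it does NOT prove or
# disprove vulnerability and does not know which kernels are patched.

# module_loaded NAME LISTING
# Returns 0 if NAME is the first field of a line in LISTING, which is
# expected in /proc/modules format ("name size refcount deps state addr").
module_loaded() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# module_blacklisted NAME CONF
# Returns 0 if CONF (concatenated modprobe.d contents) contains either
# "blacklist NAME" or "install NAME /bin/false" (or /bin/true, with or
# without /usr). "blacklist" only stops alias-based autoloading; the
# "install" form also defeats an explicit modprobe, so prefer it for
# mitigation.
module_blacklisted() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^[ \t]*#/ { next }
        $1 == "blacklist" && $2 == n { found = 1 }
        $1 == "install" && $2 == n && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { found = 1 }
        END { exit !found }'
}

# userns_restricted APPARMOR_RESTRICT UNPRIVILEGED_CLONE MAX_USERNS
# Each argument is the content of the corresponding sysctl file, or empty
# if that file does not exist on this kernel:
#   kernel.apparmor_restrict_unprivileged_userns  (Ubuntu,  1 = restricted)
#   kernel.unprivileged_userns_clone              (Debian,  0 = disabled)
#   user.max_user_namespaces                      (upstream, 0 = disabled)
# Returns 0 if any of them restricts unprivileged user namespaces.
userns_restricted() {
    [ "$1" = "1" ] && return 0
    [ "$2" = "0" ] && return 0
    [ "$3" = "0" ] && return 0
    return 1
}

# read_or_empty PATH: prints the file's first line, or nothing if absent.
read_or_empty() {
    [ -r "$1" ] && head -n 1 "$1" 2>/dev/null
    return 0
}

# audit_live: run the checks against this host and print one line each.
audit_live() {
    mods=$(cat /proc/modules 2>/dev/null)
    conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
    for m in rxrpc algif_aead; do
        if module_loaded "$m" "$mods"; then st="loaded"; else st="not loaded"; fi
        if module_blacklisted "$m" "$conf"; then st="$st, blacklisted"; fi
        echo "$m: $st"
    done
    if userns_restricted "$(read_or_empty /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" \
                         "$(read_or_empty /proc/sys/kernel/unprivileged_userns_clone)" \
                         "$(read_or_empty /proc/sys/user/max_user_namespaces)"; then
        echo "unprivileged user namespaces: restricted (blocks the xfrm-ESP route, not the RxRPC route)"
    else
        echo "unprivileged user namespaces: allowed (xfrm-ESP route available if the kernel is unpatched)"
    fi
}

audit_live
```

Read the output against the article's two variants: "rxrpc: loaded" means the namespace-free route is present regardless of the user-namespace line, and "algif_aead: blacklisted" with no other mitigation is exactly the state the researcher says is still vulnerable.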
Update:
This flaw is now tracked as CVE-2026-43284 (xfrm-ESP Page-Cache Write) and CVE-2026-43500 (RxRPC Page-Cache Write).