- CVE: CVE-2026-43503
- CVSS: 8.8 (High · CVSSv3)
- Product: Linux
- Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9, 3.9
- Impact: net: skbuff: propagate shared-frag marker through frag-transfer helpers
- Status: No confirmed exploitation yet
- Patched in: fbeab9555564a1b98e8582cd106dfe46c4606991, 179f1852bdedc300e373e807cc102cd81feff196, 12401fcfb01f53ccc63ab0a3246570fe8f3105ee, 989214c66884d70716d83dc1d0bf5e16287bf349 (+12 more)
- EPSS: 0.1% (30-day)
- Action: Update to fbeab9555564a1b98e8582cd106dfe46c4606991, 179f1852bdedc300e373e807cc102cd81feff196, 12401fcfb01f53ccc63ab0a3246570fe8f3105ee, 989214c66884d70716d83dc1d0bf5e16287bf349 (+12 more) now
TL;DR
DirtyClone is a Linux kernel privilege escalation flaw tracked as CVE-2026-43503. It scores 8.8 on the CVSS scale. JFrog Security Research found the bug and published a working exploit demonstration on June 25.
Why It Matters
This flaw turns any unprivileged local account into root. Worse, the attack stays silent. It writes nothing to disk and leaves no kernel logs or audit traces. Therefore, on-disk integrity tools miss it entirely.
The danger peaks in shared environments. Multi-tenant clouds, Kubernetes clusters, and container hosts all grant limited access to many users. As a result, one local foothold can compromise the whole machine. Some setups may even allow a container escape. The bug cannot be triggered remotely, yet local access is common in these places.
How the Attack Works
DirtyClone belongs to the DirtyFrag family. These bugs abuse how the kernel shares page-cache memory with network buffers. Linux uses zero-copy networking for speed, so a packet can point at existing memory instead of copying it.
A safety flag named SKBFL_SHARED_FRAG marks buffers that reference file-backed pages. When that flag is set, IPsec copies the data before decrypting it instead of decrypting in place. The problem appears during packet cloning: the helper function __pskb_copy_fclone() drops that flag, so the cloned packet looks safe when it is not.
From there, the attacker maps a privileged binary like /usr/bin/su into the page cache. Then a cloned packet travels through a local IPsec tunnel. In-place decryption overwrites the cached binary with attacker-chosen bytes. The next run of that binary executes the changed code, and the user gains root.
JFrog stresses the wider lesson. The issue is not one bad function. Instead, every code path that moves packet fragments must preserve the shared-frag flag. Miss it once, and a speed optimization becomes a write primitive.
Part of the DirtyFrag Family
DirtyFrag, Fragnesia, and DirtyClone are siblings, not a single chain. Each one finds a different code path where the shared-frag flag gets dropped. The original DirtyFrag fix added the flag for spliced UDP packets. Later variants then showed the kernel could lose it elsewhere. For that reason, JFrog warns that more variants are likely until every fragment-transfer path is audited.
Affected Versions
This Linux kernel privilege escalation affects many modern distributions. JFrog confirmed working attacks on Debian, Ubuntu, and Fedora where unprivileged user namespaces are enabled. Debian and Fedora are vulnerable by default. Ubuntu 24.04 and later add AppArmor namespace limits, yet still list the issue as affected.
Any kernel missing the full DirtyFrag patch chain stays exposed. That chain includes earlier fixes for CVE-2026-43284 and CVE-2026-46300. In short, a system is only safe once the entire series is applied.
Exploitation Status
No public proof-of-concept existed before the disclosure. On June 25, JFrog published the first working exploit walkthrough for this variant. However, the team withheld the full exploit code while distributions ship patches. So far, no in-the-wild exploitation has been confirmed.
Patch and Mitigation
Update your kernel now. The fix merged into mainline on May 21 (commit 48f6a5356a33). It first shipped in Linux v7.1-rc5 on May 24, and vendors have backported it to stable and LTS branches.
Check your distribution’s advisory and install the latest kernel build. If you cannot patch right away, reduce exposure with these steps:
- Block unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0.
- Blacklist the esp4, esp6, and rxrpc modules if you do not use IPsec.
- Drop the page cache after patching to evict any tampered pages.
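As an added audit helper, not code from the advisory or from JFrog, the POSIX shell functions below check whether each of the three interim mitigations above is in place; the files they read are parameters so the checks can be run against constructed input. The fallback sysctl user.max_user_namespaces, the use of "install <mod> /bin/false" instead of plain "blacklist", and the modprobe.d file name are my assumptions, not anything the advisory states.

```shell
#!/bin/sh
# Added audit helper, not from the advisory or JFrog: checks the three
# interim mitigations. File paths are parameters so the checks can run
# against constructed input; the defaults point at the live system.

# 1. Unprivileged user namespaces disabled? kernel.unprivileged_userns_clone
#    is a Debian/Arch patch sysctl; on other kernels user.max_user_namespaces=0
#    (assumed equivalent here) is the mainline knob. Returns 0 when disabled.
userns_disabled() {
    proc_sys="${1:-/proc/sys}"
    clone="$proc_sys/kernel/unprivileged_userns_clone"
    maxns="$proc_sys/user/max_user_namespaces"
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then return 0; fi
    if [ -r "$maxns" ] && [ "$(cat "$maxns")" = "0" ]; then return 0; fi
    return 1
}

# 2. esp4/esp6/rxrpc neither loaded (per a /proc/modules-style file) nor
#    loadable: "blacklist <mod>" only stops alias autoload, so the check
#    requires "install <mod> /bin/false" (or /bin/true) in modprobe.d.
ipsec_modules_blocked() {
    modules_file="${1:-/proc/modules}"
    modprobe_dir="${2:-/etc/modprobe.d}"
    for m in esp4 esp6 rxrpc; do
        if grep -q "^$m " "$modules_file" 2>/dev/null; then return 1; fi
        if ! grep -Eqs "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(false|true)" \
                "$modprobe_dir"/*.conf; then
            return 1
        fi
    done
    return 0
}

# Writes the modprobe.d fragment that makes ipsec_modules_blocked() pass
# (file name is an assumption). Unloading already-loaded modules is separate.
write_ipsec_blacklist() {
    out="${1:-/etc/modprobe.d/dirtyclone-mitigation.conf}"
    for m in esp4 esp6 rxrpc; do echo "install $m /bin/false"; done > "$out"
}

# 3. Evict the page cache (only once the fixed kernel is running): writing 1
#    to drop_caches drops clean page-cache pages; sync first so dirty pages
#    become droppable. Returns 0 on success.
drop_page_cache() { sync && echo 1 > "${1:-/proc/sys/vm/drop_caches}"; }
```

Run the three checks with no arguments on a host to audit it; each returns non-zero for a mitigation that is not in place.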
For the full technical breakdown, read JFrog’s DirtyClone research write-up.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.