Share
## https://sploitus.com/exploit?id=4150BCA9-6532-53F1-A2E6-977A52991F0E
# Dirty Frag: Universal Linux LPE


## Abstract

This document explains the Dirty Frag vulnerability class, discovered and reported by [Hyunwoo Kim (@v4bel)](https://x.com/v4bel). By chaining `xfrm-ESP Page-Cache Write (CVE-2026-43284)` with `RxRPC Page-Cache Write (CVE-2026-43500)`, an attacker can escalate to root on major Linux distributions.

Dirty Frag extends the same bug family as [Dirty Pipe](https://dirtypipe.cm4all.com/) and [Copy Fail](https://copy.fail/). It is a deterministic logic bug that does not rely on timing windows or races, does not cause kernel panics on failure, and has a very high success rate when exploited.

For full technical details and the disclosure timeline, see the accompanying write-up (not included in this repository).

- `xfrm-ESP Page-Cache Write (CVE-2026-43284)` was fixed in mainline at commit [f4c50a4034e6](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4).
- `RxRPC Page-Cache Write (CVE-2026-43500)` was fixed in mainline at commit [aa54b1d27fe0](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71).

> [!NOTE]
> When this document was first released (2026-05-07), the embargo had already been broken externally. At that time, no public patch or CVE was available. After discussions with maintainers on linux-distros@vs.openwall.org, the Dirty Frag disclosure was published. See the technical write-up for the timeline.

## Exploiting

### Quick one-liner

```
git clone https://github.com/V4bel/dirtyfrag.git && cd dirtyfrag && gcc -O0 -Wall -o exp exp.c -lutil && ./exp
```

This PoC is shared for informational purposes after coordination with linux-distros. Do not run it against systems you are not authorized to test.

### Cleanup

โš ๏ธ  **Important:** Running the exploit pollutes the page cache. To restore a clean state, either run:

```bash
echo 3 > /proc/sys/vm/drop_caches
```

or reboot the machine.

## Affected Versions

- **CVE-2026-43284**: xfrm-ESP Page-Cache Write is present from [cac2661c53f3 (2017-01-17)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cac2661c53f3) through [f4c50a4034e6 (2026-05-05)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4).
- **CVE-2026-43500**: RxRPC Page-Cache Write is present from [2dc334f1a63a (2023-06-08)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2dc334f1a63a) through [aa54b1d27fe0 (2026-05-10)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71).

Effectively, these vulnerabilities span roughly nine years.

Tested distribution versions include:

- Ubuntu 24.04.4: 6.17.0-23-generic
- RHEL 10.1: 6.12.0-124.49.1.el10_1.x86_64
- openSUSE Tumbleweed: 7.0.2-1-default
- CentOS Stream 10: 6.12.0-224.el10.x86_64
- AlmaLinux 10: 6.12.0-124.52.3.el10_1.x86_64
- Fedora 44: 6.19.14-300.fc44.x86_64
- ...

## Mitigation

1. To remove the affected modules and clear the page cache, run:

```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
```

2. Apply distribution backports or vendor patches as they become available.

## FAQ

### Why chain two vulnerabilities?

xfrm-ESP Page-Cache Write offers a strong arbitrary 4-byte STORE primitive similar to Copy Fail and is available on many distributions, but it requires privilege to create a namespace.

Ubuntu may restrict unprivileged user namespace creation via AppArmor, preventing xfrm-ESP from being triggered. RxRPC Page-Cache Write does not require namespace creation privileges, but the `rxrpc.ko` module is not present by default on many distributions. On Ubuntu, however, `rxrpc.ko` is typically loaded.

Chaining both covers each other's gaps, enabling root on all major distributions. See the technical write-up for details.

### Another "branded" "Dirty" series?

Yes โ€” Dirty Frag is related to "Dirty Pipe", and the name reflects that the bug class alters the `frag` member of `struct sk_buff`.

### Relationship with "Copy Fail"?

Copy Fail inspired this research. xfrm-ESP Page-Cache Write in the Dirty Frag chain shares the same sink as Copy Fail, but it triggers even when the `algif_aead` mitigation is present. Thus, systems hardened against Copy Fail may still be vulnerable to Dirty Frag.

### How do I fix my Linux?

Follow the steps in the Mitigation section above.

## Contact

Maintainer: https://linkedin.com/in/tahamuhammadshafiq