## https://sploitus.com/exploit?id=A52C16D2-6268-5E52-80BD-03B0171F0C41
# Dirty Frag
## Overview
**Dirty Frag** is a class of Linux kernel LPE vulnerabilities disclosed by security researcher **Hyunwoo Kim** ([@v4bel](https://x.com/v4bel)) in **early May 2026**, centered around the misuse of **page cache write primitives**. This vulnerability is similar to [Dirty Pipe (CVE-2022-0847)](https://dirtypipe.cm4all.com/), and the contemporaneous [Copy Fail (CVE-2026-31431)](https://dirtypipe.cm4all.com/), as well as [Copy Fail (CVE-2026-31431)](https://dirtypipe.cm4all.com/). Dirty Pipe (CVE-2022-0847)](https://vulners.com/cve/CVE-2026-31431), and the companion [Copy Fail (CVE-2026-31431)](https://vulners.com/cve/CVE-2026-31431). **Instead of being an isolated bug**, it combines **two different kernel subsystem page-cache write paths** to form a more generalized privilege chain.
## Vulnerability rationale
Dirty Frag exploits the combinability of page-cache write primitives in the following two kernel paths:
1. **ESP / authencesn path (XFRM subsystem)
Setting a malicious `seq_hi` value via the `XFRMA_REPLAY_ESN_VAL` netlink attribute triggers `pagecache_write` when the kernel processes the ESP decapsulation, writing attacker-controlled data to the page-cache page of the target file. This path can overwrite the contents of any file (e.g. `/usr/bin/su`).
2. **rxrpc / rxkad path (AF_RXRPC subsystem)
By constructing a malicious rxkad authentication response packet and writing the decryption result directly back to the page-cache when the kernel `rxkad_verify_packet_1()` performs a pcbc(fcrypt) decryption -- the attacker brute-force searches for the appropriate session key to make the decryption result render the desired ASCII characters. the result is rendered in the expected ASCII characters (e.g., the password field of the root entry in `/etc/passwd` is cleared).
Both paths share the **splice / vmsplice system** call as the delivery mechanism for page-cache writes, and both rely on the `CAP_NET_RAW` permission obtained from the user namespace + network namespace (`unshare(CLONE_NEWUSER | CLONE_NEWNET)`).
## Attack flow
``
uid=1000 โ Create user+net namespace โ
โโ ESP path: install 40 malicious XFRM SAs โ splice file contents โ overwrite /usr/bin/su as root shell ELF โ (for all distributions, run /bin/sh directly with uid=0 when su executes)
โ (for all distributions, su runs /bin/sh directly with uid=0)
โ (For all distributions, run /bin/sh directly with uid=0 when su is executed)
โโ rxrpc/rxkad path (fallback in case of ESP failure): userland brute-force search for fcrypt key ร
Three kernel triggers (offsets 4/6/8) โ /etc/passwd root entry password field cleared โ
PAM nullok + `su -` โ root shell
``
## Utilization code
This project contains utilization programs for two architectures:
| path | file |
|------|------|
| aarch64 | `aarch64/exp.c` |
| x86_64 | `x64/exp.c` |
### Core components
- **`su_lpe_main()`** - ESP/authencesn path: overrides the first 192 bytes of `/usr/bin/su` via the XFRM ESN mechanism, embedding a minimal root shell ELF.
- **`rxrpc_lpe_main()`** - rxrpc/rxkad path: brute-force search for fcrypt session key via rxkad v1 authentication protocol with AF_RXRPC, clear `/etc/passwd` root entry password field after three triggers.
- **`main()`** - Chained calls: prioritize ESP paths to try; fallback to rxkad path if it fails; after either path succeeds, run `su -` to get an interactive root shell by creating a new PTY.
## Affected kernel versions
This vulnerability affects all major Linux kernel versions **before May 2026** that have not yet been patched with a fix, pending official announcements.
## Fix
The Linux kernel community has fixed this issue in the following commits (merging of related commits is required):
- XFRM/ESP path: restrict `splice` system call write access to non-privately mapped page-cache pages.
- AF_RXRPC/rxkad path: ensure that decryption operations do not directly modify page-cache pages in `rxkad_verify_packet_1()`.
## Reproduce the screenshot
### Ubuntu 24.04 - aarch64
```
Linux ubuntu-linux-2404 6.8.0-110-generic #110-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar 19 17:16:23 UTC 2026 aarch64 aarch64 aarch64 GNU/Linux
``
! [ubuntu-24-04-aarch64-exploit](pic/ubuntu-24-04-aarch64-exploit.png)
### Ubuntu 24.04 - x86_64
``
Linux song 6.8.0-65-generic #68~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jul 15 18:06:34 UTC 2 x86_64 x86_64 x86_64 x86_64 GNU/Linux
``
! [ubuntu-24.04-x64-exploit](pic/ubuntu-24.04-x64-exploit.png)
## Author
- **Hyunwoo Kim** ([@v4bel](https://x.com/v4bel)) - Vulnerability Discovery and Disclosure
## Reference
- [Dirty Pipe (CVE-2022-0847)](https://dirtypipe.cm4all.com/)
- [Copy Fail (CVE-2026-31431)](https://vulners.com/cve/CVE-2026-31431)
- [V4bel / dirtyfrag (GitHub)](https://github.com/V4bel/dirtyfrag.git) - the original author's exploit code repository, x86_64 POC is referenced at this link
- Linux kernel XFRM subsystem documentation
- Linux kernel AF_RXRPC subsystem documentation.