Share
## https://sploitus.com/exploit?id=BA925003-C87D-5D7B-B4D5-1424E0141A88
# dirtyfrag_probe
Non-exploitative detector for **CVE-2026-31431 (DirtyFrag)** โ Linux
kernel page-cache mutation via `xfrm`/espinudp ESN and `rxrpc`/rxkad.
Single C file. Triggers both primitives against a tempfile under `/tmp`,
re-reads, reports per-primitive verdict. No setuid target, no shellcode,
no key brute force, page cache dropped on exit.
## Build / run
```
gcc -O2 -Wall -Wextra -o dirtyfrag_probe poc_no_exp.c
./dirtyfrag_probe -v
```
Flags: `--xfrm-only`, `--rxrpc-only`, `--no-cleanup`, `-v`.
## Output
```
=== DirtyFrag (CVE-2026-31431) detector ===
XFRM/espinudp ESN seq_hi write : VULNERABLE
rxrpc/rxkad in-place decrypt : VULNERABLE
Result: VULNERABLE โ kernel mutated probe-file page cache.
```
Per-probe verdicts:
| Verdict | Meaning |
|------------------|----------------------------------------------------------------------------|
| `VULNERABLE` | Probe ran end-to-end, kernel mutated the page cache. |
| `NOT_VULNERABLE` | Probe ran end-to-end, page cache unchanged (kernel-side fix). |
| `UNREACHABLE` | Vulnerable primitive surface absent (e.g. `esp4`/`rxrpc` modules blocked). |
| `INCONCLUSIVE` | Probe could not be run end-to-end for an unclear reason. |
Exit code:
| Exit | Meaning |
|------|----------------------------------------------------------------------------------------|
| `0` | `NOT_VULNERABLE` โ including hosts where the surface is `UNREACHABLE`. |
| `1` | `VULNERABLE` โ at least one probe observed a mutation. |
| `2` | `ERROR` / `INCONCLUSIVE` โ at least one probe couldn't run; AppArmor and similar. |
## Caveat
Ubuntu 24.04+ defaults to
`kernel.apparmor_restrict_unprivileged_userns=1`, blocking the
`uid_map` write โ both probes return `INCONCLUSIVE`. Run via `sudo`,
or:
```
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
```
## Related
Upstream exploit: