## https://sploitus.com/exploit?id=E9DB4A0C-B2CD-579B-AA2F-0B3F378E06B0
# Dirty Frag โ Kernel Patches
Patch series for the **Dirty Frag** vulnerability class discovered by [Hyunwoo Kim (@v4bel)](https://github.com/V4bel/dirtyfrag).
Dirty Frag allows an unprivileged local user to overwrite arbitrary bytes of the page cache of read-only files (e.g. `/usr/bin/su`, `/etc/passwd`) leading to **local privilege escalation to root** on all major Linux distributions.
---
## โ ๏ธ Attribution
> **The patches in this repository were NOT written by the maintainer of this repo.**
>
> - **CVE-2026-43284 (ESP patch):** authored by [Hyunwoo Kim (@v4bel)](https://x.com/v4bel) and [Kuan-Ting Chen](https://lore.kernel.org/all/20260504073403.38854-1-h3xrabbit@gmail.com/). Merged into the Linux kernel mainline at commit [`f4c50a4034e6`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4).
> - **CVE-2026-43500 (RxRPC patch):** authored by [Hyunwoo Kim (@v4bel)](https://x.com/v4bel). Submitted to the netdev mailing list at [`afKV2zGR6rrelPC7@v4bel`](https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/), pending merge.
>
> This repository is a **formatted mirror** of those patches, collected here for convenience in `git am`-ready format.
> All credit goes to the original authors. Original research and PoC: https://github.com/V4bel/dirtyfrag
---
## Patches
| File | CVE | Subsystem | Status |
|---|---|---|---|
| [`0001-net-xfrm-fix-page-cache-write-via-esp-splice-CVE-2026-43284.patch`](./0001-net-xfrm-fix-page-cache-write-via-esp-splice-CVE-2026-43284.patch) | CVE-2026-43284 | `net/ipv4/esp4.c`, `net/ipv6/esp6.c`, `net/ipv4/ip_output.c`, `net/ipv6/ip6_output.c` | โ Merged in mainline ([`f4c50a4034e6`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)) |
| [`0002-net-rxrpc-fix-page-cache-write-via-rxkad-splice-CVE-2026-43500.patch`](./0002-net-rxrpc-fix-page-cache-write-via-rxkad-splice-CVE-2026-43500.patch) | CVE-2026-43500 | `net/rxrpc/call_event.c`, `net/rxrpc/conn_event.c` | โณ Submitted to netdev ML ([`afKV2zGR6rrelPC7@v4bel`](https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/)), pending merge |
---
## Affected Kernel Versions
- **CVE-2026-43284** (ESP): kernels from `4.10` (commit `cac2661c53f3`, 2017-01-17) up to `6.x` pre-`f4c50a4034e6`
- **CVE-2026-43500** (RxRPC): kernels from `6.4` (commit `2dc334f1a63a`, 2023-06-08) up to upstream (no patch merged yet)
---
## How to Apply
### Apply to a kernel source tree
```bash
git clone https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
cd linux
# Apply patch 1 (ESP โ CVE-2026-43284)
git am 0001-net-xfrm-fix-page-cache-write-via-esp-splice-CVE-2026-43284.patch
# Apply patch 2 (RxRPC โ CVE-2026-43500)
git am 0002-net-rxrpc-fix-page-cache-write-via-rxkad-splice-CVE-2026-43500.patch
```
### Apply with `patch` (if git am fails due to context drift)
```bash
patch -p1 /etc/modprobe.d/dirtyfrag.conf && \
rmmod esp4 esp6 rxrpc 2>/dev/null; \
echo 3 > /proc/sys/vm/drop_caches"
```
> **Warning:** Removing `esp4`/`esp6` disables IPsec ESP. Evaluate the impact before applying on production systems.
---
## Technical Summary
### Root Cause
Both variants share the same root cause: the kernel's zero-copy `splice()` path plants a **read-only page-cache page** directly into an `skb` frag without copy-on-write semantics. Subsequent in-place crypto operations then write into that page-cache page, permanently modifying the cached file content.
```
splice(file_fd โ pipe โ socket)
โ
โผ
skb->frags[0].page = &page_cache_page_P data_len)` so non-linear skbs (which may contain splice frags) are always copied before in-place decryption |
---
## References
- Original PoC & write-up: https://github.com/V4bel/dirtyfrag
- CVE-2026-43284: https://vulners.com/cve/CVE-2026-43284
- CVE-2026-43500: https://vulners.com/cve/CVE-2026-43500
- Mainline commit (ESP fix): https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4
- RxRPC patch (netdev ML): https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/
- Copy Fail (ancestor vulnerability): https://copy.fail/
- Dirty Pipe (same bug class): https://dirtypipe.cm4all.com/