CTI Swarm
SANS INTERNET STORM CENTER, INFOCON: GREEN

Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)

Strategic Summary

A new local privilege escalation named Dirty Frag has been discovered in the Linux kernel. It allows unprivileged users to gain root access through page-cache corruption caused by in-place kernel crypto operations. The vulnerability chains two sub-issues in the IPsec and RxRPC modules and affects most major distributions. No CVE number exists yet because the disclosure happened prematurely.

Key Findings

  • Dirty Frag is a local privilege escalation in the Linux kernel that can give unprivileged users root privileges.
  • The vulnerability chains two attack vectors: one in the xfrm-ESP page cache (IPsec) and one in the RxRPC module, both reached via splice().
  • Attackers can use it to modify the page cache of read-only files such as /etc/passwd in RAM and thereby escalate privileges.
  • No CVE number was assigned because the coordinated disclosure was cut short by a third party.
  • Most major Linux distributions are affected; the remedy is kernel patches and disabling modules that are not needed.

Full text

Title: Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag

URL Source: https://isc.sans.edu/diary/rss/32968



# [Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag](https://isc.sans.edu/forums/diary/Another+Universal+Linux+Local+Privilege+Escalation+LPE+Vulnerability+Dirty+Frag/32968/)

* * *

**Published**: 2026-05-08. **Last Updated**: 2026-05-08 07:50:01 UTC

**by**[Yee Ching Tok](https://poppopretn.com/aboutme/) (Version: 1)


Less than two weeks after the public disclosure of the Copy Fail vulnerability (CVE-2026-31431), another local privilege escalation (LPE) vulnerability in the Linux kernel has been revealed. Referred to as "Dirty Frag," this vulnerability was discovered and reported by Hyunwoo Kim (@v4bel) [1]. In this diary, I will provide a brief background on Dirty Frag, and discuss its relationship to Copy Fail. I will then discuss how to mitigate Dirty Frag and outline recommended next steps for system owners.

The existence of Dirty Frag was revealed after the coordinated disclosure embargo was broken by an unrelated third party [1]. Just like Copy Fail [2], Dirty Frag allows an unprivileged local user to escalate to root on most major Linux distributions. Due to the premature disclosure of Dirty Frag, no CVE IDs were assigned [3].

Dirty Frag chains two distinct vulnerabilities:

1. **xfrm-ESP Page-Cache Write** - residing in the IPsec ESP decryption fast paths (`esp4`, `esp6`)
2. **RxRPC Page-Cache Write** - residing in the RxRPC module

Both sub-vulnerabilities share a common root cause: on a zero-copy send path where `splice()` plants a reference to a page cache page that an attacker only has read access to into the `frag` slot of the sender-side skb, the receiver-side kernel code performs in-place crypto on top of that frag. As a result, the page cache of files that an unprivileged user only has read access to (such as `/etc/passwd` or `/usr/bin/su`) is modified in RAM, and every subsequent read sees the modified copy [1].

While both Dirty Frag and Copy Fail belong to the same broad vulnerability class (page-cache corruption via kernel crypto in-place operations), they were discovered by different researchers and reside in different kernel subsystems. Copy Fail (CVE-2026-31431) was discovered by researchers at Theori and abuses the `algif_aead` module in the AF_ALG crypto interface.

[… 3,666 characters omitted …]


| Factors | Copy Fail (CVE-2026-31431) | Dirty Frag |
| --- | --- | --- |
| **Kernel Subsystem** | AF_ALG / algif_aead | xfrm ESP (esp4, esp6) and RxRPC |
| **CVE Assigned** | Yes (CVE-2026-31431) | No (embargo broken before allocation) |
| **Controlled Bytes Written** | 4 bytes | 4 bytes (per sub-vulnerability) |
| **Chaining Required** | No (single vulnerability) | Yes (two sub-vulnerabilities chained) |
| **Discoverer** | Theori (Research Team) | Hyunwoo Kim (@v4bel) |
| **Public Disclosure Date** | 29 April 2026 | 7 May 2026 |

The Dirty Frag vulnerability is significant (beyond its possible utility in Capture-the-Flag challenges). Firstly, the vulnerability affects many major Linux distributions with kernels dating back to approximately 2017, similar to Copy Fail. Secondly, due to the unfortunate embargo breach, working exploit code is publicly available. Thirdly, since no CVE identifier was assigned, any automated workflow or system that tracks vulnerabilities by CVE identifier will not surface Dirty Frag automatically. Finally, in containerized environments, an adversary may be able to leverage Dirty Frag to overwrite relevant binaries in the base layer and escape to the host.

```sh
# Unload modules if currently loaded
modprobe -r esp4 esp6 rxrpc

# Denylist modules to prevent loading on […]
```
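As an added defender-side example (not code from the ISC diary or its author), the following POSIX shell script wraps the mitigation above: it reports which of the three modules named in the diary appear in a `/proc/modules`-style listing and emits a modprobe denylist that also blocks on-demand loading. The helper names, the denylist file path mentioned in the usage note, and the sample `/proc/modules` content are assumptions constructed here, not captures from a real host.

```shell
#!/bin/sh
# Added example, not part of the ISC diary. Module names come from the diary;
# helper names and the sample data below are constructed for illustration.

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Read a /proc/modules-style listing on stdin (first field is the module name)
# and print the subset of DIRTY_FRAG_MODULES that is loaded, space-separated,
# in input order. Prints an empty line when none are loaded.
loaded_dirty_frag_modules() {
    awk -v want="$DIRTY_FRAG_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        ($1 in wanted) { out = out (out == "" ? "" : " ") $1 }
        END { print out }'
}

# Emit modprobe.d denylist content for the three modules. "blacklist" alone only
# stops alias-driven loading at boot; "install <mod> /bin/false" also defeats
# request_module()-style on-demand loading (the kernel runs /bin/false instead
# of inserting the module), which is what a hardening denylist needs.
dirty_frag_denylist() {
    for m in $DIRTY_FRAG_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Inspect the running host (reads /proc/modules; no root needed for the check).
check_live_system() {
    loaded=$(loaded_dirty_frag_modules < /proc/modules)
    if [ -n "$loaded" ]; then
        echo "loaded and exposed: $loaded"
    else
        echo "none of '$DIRTY_FRAG_MODULES' currently loaded"
    fi
}

# Constructed sample listing (not from a real system): esp4 and rxrpc loaded,
# esp6 absent, plus unrelated modules that must be ignored.
SAMPLE_PROC_MODULES='esp4 24576 0 - Live 0xffffffffc0a00000
xfrm_algo 16384 1 esp4, Live 0xffffffffc09f0000
rxrpc 200704 1 kafs, Live 0xffffffffc0900000
ext4 950272 2 - Live 0xffffffffc0100000'

# Demo against the constructed sample; pass --live to inspect the real host.
if [ "${1:-}" = "--live" ]; then
    check_live_system
else
    printf '%s\n' "$SAMPLE_PROC_MODULES" | loaded_dirty_frag_modules
    dirty_frag_denylist
fi
```

Against the constructed sample the check reports `esp4 rxrpc`. To apply the denylist on a real host (as root, and assuming a path such as `/etc/modprobe.d/dirty-frag.conf`), redirect `dirty_frag_denylist` into that file and then run the diary's `modprobe -r esp4 esp6 rxrpc`. Note that this blocks IPsec ESP and RxRPC (AFS) for legitimate users as well, so confirm the modules are genuinely unneeded; the denylist is a stopgap and the kernel patches the diary points to remain the actual fix.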

As […]

[… 2,766 characters omitted …]

© 2026 SANS™ Internet Storm Center