Linux Kernel Local Privilege Escalation Vulnerability Alert (Dirty Frag)

Recently, a high-risk local privilege escalation vulnerability (codenamed Dirty Frag; no CVE ID assigned yet) was disclosed in the Linux kernel. Discovered by South Korean security researcher Hyunwoo Kim, it is a successor in the same family as the earlier Copy Fail flaw (CVE-2026-31431): both are page-cache write vulnerabilities located in the kernel's zero-copy paths. Full proof-of-concept (PoC) and exploit (EXP) code is now publicly available and yields stable, deterministic privilege escalation on nearly all mainstream Linux distributions. Cloud servers, container hosts and multi-tenant environments are exposed to extremely high security risk.


1. Vulnerability Details

1.1 Root Cause

The vulnerability stems from logic flaws in two independent Linux kernel modules: xfrm‑ESP (present since 2017) and RxRPC (present since June 2023). Through zero‑copy system calls such as splice(), an attacker can tamper with the page fragments (frags) attached to an sk_buff and thereby write illegitimately into the page cache of system files, achieving local privilege escalation.

1.2 Vulnerability Characteristics

Stable Exploitation: No race condition required; exploitation does not crash the system.

Same Family as Copy Fail: Both are page‑cache write vulnerabilities in kernel zero‑copy paths.

Wide Impact: Affects most upstream kernels and mainstream distributions since 2017; the public PoC/EXP makes mass exploitation easy.


2. Impact

2.1 Local Privilege Escalation

Unprivileged local users can tamper with the page cache of critical system files to gain full root privileges.

2.2 Container Escape & Cross‑tenant Attack

Attackers inside a container can break isolation by leveraging the shared page cache, escape to the host, and take over Kubernetes nodes or physical hosts.

2.3 Multi‑environment Threat

Poses severe cross‑isolation risks to multi‑user servers, workstations, CI/CD runners, Serverless platforms, and other multi‑tenant cloud services.


3. Affected Versions

3.1 Kernel Commit Range

xfrm‑ESP Page‑Cache Write: All upstream kernels since 2017

RxRPC Page‑Cache Write: All upstream kernels since June 2023

3.2 Known Affected Distributions

Ubuntu 24.04.4 (6.17.0‑23‑generic)

RHEL 10.1 (6.12.0‑124.49.1.el10_1.x86_64)

openSUSE Tumbleweed (7.0.2‑1‑default)

CentOS Stream 10 (6.12.0‑224.el10.x86_64)

AlmaLinux 10 (6.12.0‑124.52.3.el10_1.x86_64)

Fedora 44 (6.19.14‑300.fc44.x86_64)

3.3 Unaffected Versions

No officially confirmed unaffected versions yet; please follow vendor security bulletins for updates.


4. Detection Methods

4.1 Check Kernel Version

uname -r

4.2 Check Vulnerable Kernel Modules

lsmod | grep -E "esp4|esp6|rxrpc"
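
The two commands above give a snapshot of the running kernel only: lsmod never lists modules compiled into the kernel, and a loadable module that nothing has used yet is absent from lsmod but may still be loaded on demand by the first user of the protocol. As an added example, not part of this advisory, the following POSIX shell script classifies each of esp4, esp6 and rxrpc as loaded, built in (listed in modules.builtin) or not loaded, and flags the last case when the module file is still present for the running kernel. The classification is written as a pure function over text so it can be checked against constructed lsmod output; the sample lsmod and modules.builtin lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify esp4/esp6/rxrpc on the
# running kernel. `lsmod` alone misses two cases: modules compiled into the
# kernel (listed in modules.builtin, never shown by lsmod) and loadable
# modules that are simply not loaded yet (loaded on demand on first use).

# module_state NAME LSMOD_TEXT BUILTIN_TEXT
# Pure function over text inputs so it can be checked with constructed data,
# e.g. an lsmod line "esp4  24576  0" or a modules.builtin entry
# "kernel/net/rxrpc/rxrpc.ko". Prints one of: loaded | builtin | not-loaded
module_state() {
    mod="$1"
    lsmod_text="$2"
    builtin_text="$3"
    # lsmod lines start with the module name followed by whitespace
    if printf '%s\n' "$lsmod_text" | grep -q "^${mod}[[:space:]]"; then
        printf 'loaded\n'
    # modules.builtin lists paths ending in <name>.ko
    elif printf '%s\n' "$builtin_text" | grep -q "/${mod}\.ko$"; then
        printf 'builtin\n'
    else
        printf 'not-loaded\n'
    fi
}

# ko_available NAME: succeeds if a loadable module file exists for the
# running kernel (the module could therefore still be loaded on demand).
ko_available() {
    find "/lib/modules/$(uname -r)" -name "$1.ko*" 2>/dev/null | grep -q .
}

# Report all three modules named in the advisory for the running kernel.
check_running_kernel() {
    krel=$(uname -r)
    lsmod_out=$(lsmod 2>/dev/null || true)
    builtin_list=$(cat "/lib/modules/$krel/modules.builtin" 2>/dev/null || true)
    printf 'kernel: %s\n' "$krel"
    for m in esp4 esp6 rxrpc; do
        state=$(module_state "$m" "$lsmod_out" "$builtin_list")
        if [ "$state" = not-loaded ] && ko_available "$m"; then
            state="not-loaded (module file present, loadable on demand)"
        fi
        printf '  %-6s %s\n' "$m" "$state"
    done
}

check_running_kernel
```

A result of not-loaded is therefore not the same as not exposed: a present module file will be loaded the first time something asks for the protocol, which is exactly what the install rules in section 5.2 prevent. A built-in result means neither rmmod nor modprobe.d rules can help and a kernel upgrade or boot parameter is the only option.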


5. Remediation & Mitigation

5.1 Kernel Update (Recommended)

As of 8 May 2026, official security patches are not yet available. Please monitor vendor announcements and update the kernel immediately upon patch release, then reboot the system.

5.2 Temporary Mitigation (Disable Vulnerable Modules)

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

If the modules are built into the kernel and cannot be unloaded, prioritize a kernel upgrade or use kernel boot parameters (set via GRUB) to block module initialization.

Disabling these modules does not affect standard services such as SSH, IPsec and dm‑crypt/LUKS; only rare custom workloads that rely on RxRPC/ESP may be impacted.
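
The one-liner in 5.2 writes the rules but gives no feedback on whether they took effect. As an added example, not from the advisory, the POSIX shell script below renders the same modprobe.d content, checks that a given file covers all three modules and, when run as root with --apply, installs the file, unloads the modules with modprobe -r (which also drops dependencies that became unused) and then uses modprobe's dry-run mode to confirm that each rule is honoured, reporting separately the modules that are built into the running kernel, where modprobe.d rules have no effect. The DIRTYFRAG_CONF variable and the --apply flag are conventions of this example only.

```shell
#!/bin/sh
# Added example (not from the advisory): write the modprobe "install" rules
# from section 5.2, verify the file, and confirm modprobe honours them.
# Run as root with --apply to change the system; without arguments it only
# prints the configuration it would write.

MODULES="esp4 esp6 rxrpc"
# DIRTYFRAG_CONF is an override used by this example; the default path is
# the one the advisory uses.
CONF="${DIRTYFRAG_CONF:-/etc/modprobe.d/dirtyfrag.conf}"

# render_conf: print the modprobe.d content for the blocked modules.
render_conf() {
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# conf_covers FILE: succeeds only if FILE has an install rule for every module.
conf_covers() {
    for m in $MODULES; do
        grep -Eq "^[[:space:]]*install[[:space:]]+${m}[[:space:]]+/bin/false" "$1" || return 1
    done
    return 0
}

# apply_mitigation: write the file, unload what can be unloaded, then check.
apply_mitigation() {
    render_conf > "$CONF"
    conf_covers "$CONF" || { echo "failed to write $CONF" >&2; return 1; }
    for m in $MODULES; do
        # A module that is in use (e.g. by an active IPsec SA or an open
        # rxrpc socket) stays loaded; that case is reported below.
        modprobe -r "$m" 2>/dev/null || true
    done
    builtin_list="/lib/modules/$(uname -r)/modules.builtin"
    for m in $MODULES; do
        if grep -q "/${m}\.ko$" "$builtin_list" 2>/dev/null; then
            printf '%-6s built into this kernel: modprobe rules have no effect, upgrade the kernel\n' "$m"
        # Dry run: with the install rule active, modprobe prints the
        # /bin/false command instead of an insmod line.
        elif modprobe -n -v "$m" 2>/dev/null | grep -q '/bin/false'; then
            printf '%-6s blocked by %s\n' "$m" "$CONF"
        else
            printf '%-6s NOT blocked (rule not picked up?)\n' "$m"
        fi
        if lsmod | grep -q "^${m}[[:space:]]"; then
            printf '%-6s still loaded (in use? see the "Used by" column of lsmod)\n' "$m"
        fi
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_mitigation
else
    render_conf
fi
```

The rule only prevents future loads; a module that is still loaded after the script runs because something holds a reference must be released (or the host rebooted) before the mitigation is complete, and the check script in section 4.2 can be re-run to confirm.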

5.3 Container Hardening

For containers/Kubernetes clusters running untrusted workloads, restrict the related zero‑copy syscalls (e.g., splice()) with seccomp profiles to prevent container escape.
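
As an added example, not from the advisory, the POSIX shell script below emits a seccomp profile in the Docker/containerd JSON format that makes splice() fail with EPERM inside the container, and provides a check that a given profile file actually carries a deny rule for a named syscall. The advisory names splice(); vmsplice and tee are its sibling pipe zero-copy calls and are blocked here as a conservative assumption of this example, as is the architecture list. The constructed profiles used for the check are samples, not a runtime's real default profile.

```shell
#!/bin/sh
# Added example (not from the advisory): render a seccomp profile that denies
# the zero-copy pipe syscalls and check a profile file for such a rule.
# Assumptions: Docker/containerd profile JSON; the syscall list beyond
# splice() and the architecture list are conservative choices of this example.

DENY_SYSCALLS='"splice", "vmsplice", "tee"'

# render_seccomp_profile: print a deny-list profile to stdout.
# In production, merge the "syscalls" entry into the runtime's default
# profile (an allow-list) instead of shipping defaultAction ALLOW as-is.
render_seccomp_profile() {
    cat <<EOF
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": [$DENY_SYSCALLS],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1
    }
  ]
}
EOF
}

# profile_blocks FILE SYSCALL: succeeds if FILE has a non-allow rule naming
# SYSCALL. Uses jq when available, otherwise a conservative text check.
profile_blocks() {
    file="$1"; sc="$2"
    if command -v jq >/dev/null 2>&1; then
        jq -e --arg sc "$sc" \
          '[.syscalls[] | select((.names // []) | index($sc))
                        | select(.action != "SCMP_ACT_ALLOW")] | length > 0' \
          "$file" >/dev/null
    else
        grep -q "\"$sc\"" "$file" &&
        grep -Eq '"action": *"SCMP_ACT_(ERRNO|KILL|KILL_PROCESS|TRAP)"' "$file"
    fi
}

# Write the profile to the path given as the first argument (placeholder
# name), or print it when no path is given.
if [ -n "${1:-}" ]; then
    render_seccomp_profile > "$1" && profile_blocks "$1" splice &&
        echo "wrote $1 (splice denied)"
else
    render_seccomp_profile
fi
```

Attach the file with `docker run --security-opt seccomp=/path/to/profile.json ...` or, in Kubernetes, with a pod `securityContext.seccompProfile` of type Localhost pointing at the file under the kubelet's seccomp directory. This only closes the splice() entry point named above for confined workloads; it is a stop-gap beside the module blocking in section 5.2 and the kernel update in 5.1, not a replacement for them.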


6. References

1. Qianxin Threat Intelligence: https://ti.qianxin.com/vulnerability/notice-detail/1824

2. OSS‑SEC Mailing List: https://www.openwall.com/lists/oss-security/2026/05/07/8

3. Vulnerability POC Repository: https://github.com/V4bel/dirtyfrag/tree/master


If you have any questions, please contact the Information Technology and Data Intelligence Department at <gzit@hkust-gz.edu.cn>.


Information Technology and Data Intelligence Department (ITDID)

May 12, 2026