New Linux 'Dirty Frag' Zero-Day Gives Root On All Major Distros

mrspoonsi shares a report: Dirty Frag is a vulnerability class, first discovered and reported by Hyunwoo Kim (@v4bel), that can obtain root privileges on major Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability. Dirty Frag extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high. Because the embargo has been broken, no patch or CVE currently exists. "As with the previous Copy Fail vulnerability, Dirty Frag likewise allows immediate root privilege escalation on all major distributions, and it chains two separate vulnerabilities," Kim said. Detailed technical information can be found here.

BleepingComputer notes that the two vulnerabilities chained by Dirty Frag are "now tracked under the following CVE IDs: the xfrm-ESP one was assigned CVE-2026-43284, and the RxRPC isye is now CVE-2026-43500."

On your mark, get set... GO!

[93 Escort Wagon]

Quick - copy and paste all your comments from the "Copy Fail" discussion over here!

Re:On your mark, get set... GO!

[markdavis]

>"Quick - copy and paste all your comments from the "Copy Fail" discussion over here!"

Pretty much :) It is essentially the same issue, found in three other kernel modules. Alma Linux and others already have pages up about it. These are serious issues for multiuser/multitenant servers needing to mitigate immediately. Not so much for single-user or home systems.

Copy Fail used the algif_aead module and for enterprise Linuxes, that is built-into the kernel. So either update the kernel, or mitigate with:

# grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"

and reboot. Dirty Frag uses three additional modules: esp4, esp6, and rxrpc. Enterprise Linuxes don't build those in, so all distros should be able to use something like:

# rmmod esp4 esp6 rxrpc
# sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf"

for immediate mitigation, without rebooting. Of course, disabling those modules has a price, it will disable IPsec ESP, IPsec VPNs (like Swan), and AFS clients. So if you use/need those, you can't mitigate without losing that functionality.

Re:On your mark, get set... GO!

[93 Escort Wagon]

AlmaLinux has already patched it [almalinux.org].

Re:On your mark, get set... GO!

[Himmy32]

The interesting part there is that Alma patched it ahead of their upstream CentOS Stream. And backported skipping all the Red Hat driven flow.

Release the AI virtual flying chaos monkeys!

[shanen]

How do you complain about dupe without saying dupe (or duplicate)? Citing FP and this thread. But at least FP got a Funny, even if'n I can't understand why.

But is it possible that some serious topics will evolve and develop in ways that justify discussions that extend longer than the one-day lifetime of a Slashdot story? Naw, that can't possibly be it.

Of course I shall now diverge. This time I'm wondering about the source of this vulnerability. So far I haven't spotted any insight into causes here on ye anc

Embargo intrigue

[Himmy32]

There's a little more intrigue here on the breaking of the embargo. Basically the bugs were responsibly reported and the finders helped with writing the patch under embargo. Then when the patch commit dropped, someone instantly figured out that it was the same class of bug as Copy Fail. And then someone then wrote new exploit code [afflicted.sh] for the bug before the patch worked it's way through. No one improperly leaked something, but watching new patches for previous exploits was quicker than the patch could work it's way through the system.

Which leaves us where we are with Hyunwoo Kim releasing the original exploit code early and a patch that seems to have made it into the kernel [kernel.org], but without downstream distro's having released their patches.

Here's the link to the mitigation [github.com] for anyone wanting to deal with it before their distro drops their patch. Noting that the mitigation will break IPsec VPNs and AFS distributed network file systems.

Re:Embargo intrigue

[Himmy32]

Also intriguing is that it's a Michael Bolton situation [youtube.com] with Hyunwoo Kim's name shared by a K-Pop Star / Actor [wikipedia.org]

Re:

[93 Escort Wagon]

Just once, I'd like to see the white hat turn out to be someone like Jisoo [ranker.com]...

Re: Embargo intrigue

[iabervon]

Yeah, and the person who released the information first was operating in an "if I noticed this, doing only as much as I'm doing, surely attackers would also notice" mode. Possibly some patches these days are sufficiently obvious as to their correctness and also effect that they should first become public as a set of stable releases. This was a kind of special case, as CopyFail was the combination of some code doing something strange with one user not being prepared for it, and fixed the user. If there are o

how ironic!

[david.emery]

The post itself has an error. The last link's URL points to the same page as the predecessor. There is no record for 43500

Re:how ironic!

[Himmy32]

According to Alma Foundation [almalinux.org] that is the reserved CVE number but it's pending publication.

Probably because it was released before the embargo was supposed to be lifted.

Re:

[david.emery]

hmmm... Providing a link to something not yet published is questionable (at least without mentioning that.) But having the link point to the -wrong- page is just bogus.

Deja Vu

[gQuigs]

I'm expecting this next year to be rough for patching systems with AI getting good at this. I'd guess at least one new zero of a similar urgency every 2 weeks for Linux.

So 16 until the end of the year.

I think we will be more secure at the end of it.. but it could be rough.

Re: Deja Vu

[madbrain]

It will certainly force users/providers/administrator to review their patching processes, and velocity.

Re:

[Slayer]

If this puts companies like Celebrite out of business, then I'll happily accept, that I have to update my servers 16 times a year until 2028. At least the linux branches of these companies can go, I don't care much about the others.

Don't care

[Bahbus]

Was already patched in my distro before the embargo was broken.

Re:Don't care

[Himmy32]

Interesting which distro? Is it running a pre-mainline kernel?

The embargo was broken yesterday 6:09PM UTC [github.com] and the Linux kernel patch was released today at 6:42 AM UTC [kernel.org].

Re:

[thegarbz]

If the distro is that good at timing why does it exist? Presumably the maintainer of the distro would use their time machine to get rich and be laying on an island somewhere given how the vulnerability was "disclosed" before the mainline kernel even had the patch in place.

what access is required?

[awwshit]

What access is required to use these vulns?

Re:

[Himmy32]

The CVSS 3.x / 4.x score that have a Privileges Required Score which in this case is rated "Low" [nist.gov]. Which makes sense since these are a Privilege Escalation attack, you can read up on how different distros are handle things in the researcher's Chaining section of the write-up [github.com]

Re:

[bill_mcgonigle]

Local access, unless you haven't patched apache this week, then it's remote access.

Re:

[SpzToid]

Local access, unless you haven't patched apache this week, then it's remote access.

What if you're using OpenLiteSpeed instead of Apache? Asking for a friend.

Re:

[thegarbz]

Arbitrary code execution - a type of access that is ubiquitous in the bugs of countless programs (which is why we don't allow them to run with privileges in the first place)

Android

[OrangAsm]

What happens if you run the exploit on Android?

Re:

[Himmy32]

My guess is not really affected because of SELinux being enforced by default.

Re:

[Himmy32]

Looks like that's the general vibe from others on the exploit's GitHub issues [github.com]

Re:

[thegarbz]

The phone is only more secure than your server if you choose to setup your server so poorly. SELinux was introduced 25 years ago and is the mitigation here.

Auditing suggestions?

[bill_mcgonigle]

Are there any tools to watch my lsmod, walk /lib/modules, and configure modprobe.d to deny loading anything I'm not using?

All of these exploits are in distro modules I'd never use.

Re:

[Himmy32]

SELinux and don't let things have module_load that don't need it? And if you didn't want to enforce, it'd get you the audit log.

Re:

[gweihir]

You can delete the modules or move them some place else. What the kernel does not find, it does not load.

OMG

[Tommy_S]

I bet it was less than 3 minutes from the time I saw this slashdot article to the time I had clicked on the details link downloaded compiled and ran the exploit to root this Fedora system I'm on. That is freakin' scary. I'm glad I'm not a Linux Admin anymore.

Heck

[felixrising]

We're in the middle of emergency patching 6000 Linux hosts to address copy fail, now we have another set of CVEs to urgently patch? Oh boy

Re:

[Anonymous Coward]

well you got time to post on slashdot so hey

Re:

[BlueKitties]

Code's compiling.

https://xkcd.com/303/ [xkcd.com]

Re:

[buchner.johannes]

Either you get faster and faster at it, or 2026 is the year we work on pen and paper until the storm is over...

What am I missing?

[pooh666]

Are people still managing multiple users on their Linux machines? Why? Are these users other processes that we are pretending are separate and safe (so called lower privileges on the system) as if these exploits haven't been around since UNIX existed.

Re:

[tijgertje]

You realise that servers exist? Which people have to be able to log into?

Anyway in my case in theory my clients could try to get out of the git-shell I guess.
Server patched and rebooted

Re:

[sabbede]

Pfft. Servers are a myth perpetrated by Big Session. Wake up sheeple!

Re:

[Excelcia]

You are missing the fact that a remote exploit to run unprivileged commands is a far lower bar to achieve than priveleged. And that there are many, many, MANY systems that intentionally give access to unpriveleged commands through web interfaces to a wide audience.

X^W in no major distro?

[buchner.johannes]

The class of bugs for PipeFail can be prevented in principle with X^W [wikipedia.org], which is implemented in PaX, Exec Shield, and some SELinux configs.

Is any distribution that comes with these in the default installation protected against these exploits? If not, what is missing in terms of mitigation protections against this class of bugs?

mitigation while keeping ipsec functional

[diab303]

blacklisting the rpc module and disabling user namespaces seem to block the exploit on older kernels without having to blacklist ipsec modules according to my limited testing, YMMV. it probably breaks eg. rootless docker user mapping so there is a tradeoff