Understanding Dirty Frag: The No-Patch Linux Privilege Escalation Exploit
In the ever-evolving landscape of Linux security, a new threat named Dirty Frag has emerged and demands immediate attention. Discovered by researcher Hyunwoo Kim (v4bel), this exploit chain elevates a local user to full root access, and at the time of disclosure most distributions had no patch for it. Unlike the recent Copy Fail vulnerability, Dirty Frag chains two distinct kernel flaws to corrupt the in-memory copies of critical system files, leaving no trace on disk. This guide answers key questions about the exploit, its mechanism, and how to protect your systems until official patches arrive.
What Exactly Is Dirty Frag?
Dirty Frag is a privilege escalation exploit targeting the Linux kernel. It modifies the in-memory copy of a system file, specifically /usr/bin/su or /etc/passwd, without altering the file on disk. Every subsequent read of the file is served from the tampered copy for as long as it stays cached, while the on-disk file remains unchanged and looks normal to any check that reads from disk directly. The exploit chains two separate vulnerabilities: CVE-2026-43284 (xfrm-ESP Page-Cache Write) and CVE-2026-43500 (RxRPC Page-Cache Write). Each flaw on its own may fail on some systems, but together they cover all major Linux distributions, granting an attacker a root shell or a password-less root login.

How Does Dirty Frag Actually Work?
The exploit operates by manipulating the kernel's page cache, the memory area that holds copies of disk data for faster access. Using the first vulnerability, CVE-2026-43284, the attacker replaces the in-memory copy of /usr/bin/su with a modified version that, when executed, spawns a root shell. The second flaw, CVE-2026-43500, targets /etc/passwd and empties the root password field. PAM (Pluggable Authentication Modules) then accepts a blank password and grants a root login. Because neither vulnerability works universally on its own, the exploit chains them: the first requires an unprivileged user namespace (blocked by some Ubuntu AppArmor profiles), while the second depends on the rxrpc.ko module, which only a few distributions (notably Ubuntu) ship and enable by default.
Which Specific CVEs Are Exploited?
Dirty Frag leverages two distinct Common Vulnerabilities and Exposures (CVEs):
- CVE-2026-43284, known as the "xfrm-ESP Page-Cache Write" flaw. It lets an attacker overwrite the in-memory page cache of /usr/bin/su. By substituting the binary's cached image with a version that grants root privileges, the attacker can execute su and immediately become root.
- CVE-2026-43500, referred to as the "RxRPC Page-Cache Write" flaw. It targets /etc/passwd and clears the root user's password field in the page cache. When PAM reads the password entry, it sees an empty field and allows a root login without authentication.
Both flaws were discovered by Hyunwoo Kim and reported to the Linux kernel mailing list. Unfortunately, an unnamed third party published a working proof-of-concept on the same day the disclosure embargo took effect, leaving minimal time for patches to be prepared.
Which Linux Distributions Are Affected?
All major Linux distributions that run a vulnerable kernel are affected by Dirty Frag, but whether a given exploit path succeeds depends on which kernel modules and configurations are present. The first CVE (xfrm-ESP) requires the esp4 and esp6 modules, which are available on most distributions. The second CVE (RxRPC) needs the rxrpc module, which is rarely enabled by default except on Ubuntu. Because the two flaws are chained, they cover every major distribution: if one path is blocked, the other works. As of the exploit's public disclosure, only AlmaLinux had released patched kernels in its testing repositories. Canonical has provided mitigation guidelines for Ubuntu, but other distributions such as Debian, Fedora, and RHEL are still awaiting official patches.
What Can Administrators Do Right Now?
Until official kernel updates are released, the most effective immediate mitigation is to block the three kernel modules the exploit depends on. Run the following single command as root:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
This does three things. First, the install lines make modprobe run /bin/false instead of loading each module, so the modules can no longer be loaded, whether explicitly or on demand by the kernel (an install override is stronger than a plain blacklist directive, which only affects alias-based autoloading and still allows loading by name). Second, rmmod unloads any copy that is already resident; it fails quietly if a module is not loaded or is still in use, for example by an active IPsec association. Third, writing 3 to drop_caches evicts the page cache, removing tampered in-memory copies that may already have been planted. Note that drop_caches only evicts clean pages that no process currently has mapped, so a tampered su that a process is still executing keeps its pages in memory; a reboot is the only way to be certain. Hyunwoo Kim also recommends updating the kernel and rebooting as soon as your distribution releases a patch. For Ubuntu users, Canonical has published specific mitigation guidelines that include enabling AppArmor profiles that restrict user namespaces.
Are There Specific Steps for Ubuntu Users?
Yes, Canonical has issued advice for Ubuntu systems. Ubuntu's AppArmor restrictions on unprivileged user namespaces can block the first path (xfrm-ESP), but because Ubuntu ships the rxrpc kernel module by default, the second path (RxRPC) remains open, so Ubuntu is particularly exposed through that route. The recommended steps for Ubuntu include:
- Blacklisting the esp4, esp6, and rxrpc modules as shown in the general mitigation command above.
- Enforcing AppArmor profiles that restrict user namespaces. Ubuntu's default AppArmor policy already blocks the xfrm-ESP path in some cases, but administrators should ensure this is active.
- Applying any kernel updates from Canonical’s repositories as soon as they are available. Monitor Ubuntu security notices for official patches.
- After applying mitigations, reboot the system to ensure the page cache is fully cleared and no tampered files remain in memory.
These measures should reduce the attack surface until a proper kernel fix is deployed.
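The general mitigation command and the Ubuntu checklist above are the same procedure, so the following script packages both into something repeatable: an "apply" mode that writes the modprobe override, unloads the modules and drops the caches, and a "status" mode that verifies the override is in place, reports which of the three modules is still loaded, and compares the page-cache view of /usr/bin/su and /etc/passwd with their on-disk contents via direct I/O, which is the one check that can reveal a tampered cached copy. This is an added example, not the researcher's or any distribution's own tooling; it assumes a modprobe(8)-based system with /etc/modprobe.d, rmmod(8), lsmod(8), and a dd(1) that supports iflag=direct.

```shell
#!/bin/sh
# dirtyfrag-mitigate.sh: added example, not the researcher's or any distribution's own tooling.
# Assumes a modprobe(8)-based distro (/etc/modprobe.d), rmmod(8), lsmod(8) and a dd(1) that
# supports iflag=direct. Run "apply" as root; "status" needs no privileges beyond reading
# the files it compares.
set -u

MODULES="esp4 esp6 rxrpc"
CONF_NAME="dirtyfrag.conf"

# Write one "install <module> /bin/false" line per module into $1 (default /etc/modprobe.d).
# "install" is used rather than "blacklist": blacklist only stops alias-based autoloading,
# while install replaces the load command itself, so even "modprobe esp4" fails.
write_blacklist() {
    dir=${1:-/etc/modprobe.d}
    conf="$dir/$CONF_NAME"
    : > "$conf" || return 1
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
    echo "$conf"
}

# Read lsmod(8)-style output on stdin and print the target modules that are currently loaded.
loaded_targets() {
    awk -v list="$MODULES" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        NR > 1 && ($1 in w) { print $1 }'
}

# Print every target module that no *.conf in $1 (default /etc/modprobe.d) maps to /bin/false.
# Returns 0 when all three are covered, 1 otherwise.
check_blacklist() {
    dir=${1:-/etc/modprobe.d}
    rc=0
    for m in $MODULES; do
        if ! grep -qsE "^install[[:space:]]+$m[[:space:]]+/bin/false" "$dir"/*.conf; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Compare the page-cache view of $1 with its on-disk contents. iflag=direct reads bypass the
# page cache, so a mismatch means the cached copy differs from what is on disk, which is what a
# Dirty Frag style write leaves behind (a file being rewritten at that moment also differs, so
# re-run before acting). Returns 0 = identical, 1 = differs, 2 = direct I/O not available
# (tmpfs and some overlay filesystems reject O_DIRECT).
verify_cached() {
    f=$1
    tmp=$(mktemp) || return 2
    if ! dd if="$f" of="$tmp" bs=4096 iflag=direct 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    cmp -s "$f" "$tmp"; rc=$?
    rm -f "$tmp"
    [ "$rc" -le 1 ] || rc=2
    return $rc
}

case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; exit 1; }
        conf=$(write_blacklist) || exit 1
        # rmmod fails quietly for a module that is not loaded or still in use (e.g. an active
        # IPsec SA holding esp4); "status" shows what is still resident afterwards.
        rmmod $MODULES 2>/dev/null
        # sync first: drop_caches only evicts clean pages, and it never evicts pages that a
        # running process has mapped, so a reboot is the only full guarantee.
        sync
        echo 3 > /proc/sys/vm/drop_caches
        echo "wrote $conf, attempted unload, dropped caches; reboot to be certain"
        ;;
    status)
        if missing=$(check_blacklist); then
            echo "blacklist: all of [$MODULES] blocked"
        else
            echo "blacklist: NOT blocked: $(echo $missing)"
        fi
        loaded=$(lsmod | loaded_targets | tr '\n' ' ')
        echo "loaded: ${loaded:-none}"
        for f in /usr/bin/su /etc/passwd; do
            verify_cached "$f"; rc=$?
            case $rc in
                0) echo "$f: page cache matches disk" ;;
                1) echo "$f: PAGE CACHE DIFFERS FROM DISK, investigate" ;;
                *) echo "$f: direct I/O unavailable, cannot compare" ;;
            esac
        done
        ;;
    *)
        echo "usage: $0 apply|status"
        ;;
esac
```

Run "sudo sh dirtyfrag-mitigate.sh apply" once, then "sh dirtyfrag-mitigate.sh status" after the reboot and periodically until a fixed kernel is installed. The page-cache comparison is the part a package-manager verification cannot replace: dpkg --verify and rpm -V read files through the page cache, so they compare the tampered view against the package database, while direct I/O reads what is actually on disk.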
How Is Dirty Frag Different from the Earlier Copy Fail Exploit?
Dirty Frag and the earlier Copy Fail exploit both target the Linux kernel’s page cache and achieve root privilege escalation. However, they differ in several ways:
- Vulnerability count: Dirty Frag chains two separate flaws (CVE-2026-43284 and CVE-2026-43500), while Copy Fail exploited a single logic error.
- Attack surface: Copy Fail modified /usr/bin/su in memory; Dirty Frag goes further by also corrupting /etc/passwd to allow password-less root logins.
- Coverage: Dirty Frag's dual-flaw approach ensures that if one method fails (e.g., due to user-namespace restrictions), the other still works on that distribution. Copy Fail's single method was more limited in scope.
- Mitigation: The blacklist applied for Copy Fail (targeting the algif_aead module) does nothing against Dirty Frag. A new set of three modules (esp4, esp6, and rxrpc) must be blacklisted.
Understanding these differences helps security teams adjust their defensive strategies appropriately.