Dirty Frag: Linux Kernel Vulnerability Chain Exploited in the Wild for Root Access

Dirty Frag chains two Linux kernel flaws to achieve deterministic local privilege escalation. With a public PoC available and active exploitation detected by M…

Dirty Frag: Linux Kernel Vulnerability Chain Exploited in the Wild for Root Access

On May 7, 2026, security researcher Hyunwoo Kim disclosed "Dirty Frag," a vulnerability chain demonstrating how two flaws in the Linux kernel—tracked as CVE-2026-43284 and CVE-2026-43500—can be used to achieve root escalation across multiple major distributions. The exploit utilizes a deterministic page-cache write primitive to compromise systems. A public proof-of-concept (PoC) is already circulating, and Microsoft has confirmed limited in-the-wild exploitation where attackers used an ELF binary to breach servers before stable patches were widely available. The deterministic nature of the flaw, coupled with its ability to bypass distribution-specific mitigations, poses an immediate risk to production servers, virtualized workloads, and containers.

Key Takeaways
  • The chain exploits two page-cache write primitives within the xfrm-ESP (IPsec) and RxRPC subsystems, present in the kernel since January 2017 and June 2023, respectively.
  • The public PoC allows for one-command root escalation and does not rely on race conditions, ensuring a near-perfect success rate.
  • Microsoft has detected active exploitation featuring an ELF binary named ./update, which triggers escalation via the su command followed by the tampering of GLPI files.
  • While patches have been merged into the kernel mainline, many stable distributions had not yet released them at the time of disclosure; AlmaLinux 10, for example, currently lists them only in testing repositories.

Two Network Paths, One Target: The Page-Cache Write

At the core of Dirty Frag is a class of bugs allowing for deterministic writes to the kernel's page cache without requiring precise timing or race conditions. The chain links two distinct flaws: one in the xfrm-ESP subsystem (IPsec in Encapsulating Security Payload over UDP mode), tracked as CVE-2026-43284, and another in RxRPC, identified as CVE-2026-43500. Both paths exploit in-place decryption operations that write directly to memory pages not exclusively owned by the kernel, reachable via system calls such as splice() and sendfile().

An unprivileged process can use these flaws to corrupt files held in the page cache—including SUID binaries—overwriting specific segments to gain execution with root privileges. While the ESP component is limited to writing 4 bytes at a time, this is sufficient to inject an escalation payload when chained with the RxRPC exploit path.

"Both flaws allow modification of page-cache-backed memory that is not exclusively owned by the kernel, enabling corruption of sensitive files and ultimately privilege escalation" — Merav Bar and Rami McCarthy (Wiz)

Mitigation Blind Spots: The RxRPC Factor on Ubuntu

Linux distributions employ various hardening measures that, in the case of Dirty Frag, can create reciprocal blind spots. On Ubuntu, the creation of unprivileged user namespaces is restricted by default. This prevents the activation of the xfrm-ESP primitive, which requires that specific isolated context. However, the rxrpc.ko module is often loaded by default, providing attackers with an alternative path to complete the chain without needing additional namespaces.

Conversely, other major distributions may allow user namespaces while lacking the RxRPC module. This modular attack architecture allows threat actors to mix and match primitives to bypass partial defenses. By chaining these two vulnerabilities, the exploit covers nearly every major distribution mentioned in the disclosure, including RHEL 10.1, Fedora 44, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Ubuntu 24.04.4.

"Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability" — Hyunwoo Kim (@v4bel)

Active Exploitation Detected Prior to Stable Patches

The threat is not merely theoretical. Microsoft confirmed it has observed a limited campaign leveraging the Dirty Frag chain for local privilege escalation on Linux servers that had already suffered initial compromise. Attackers deploy an ELF binary named ./update and trigger the escalation through the su command.

Upon gaining root access, the observed campaign proceeds to tamper with GLPI files and delete PHP sessions, likely to hide the intrusion and solidify control over the host. Attribution remains unknown, as no specific threat actor has been identified. Critically, this exploitation was detected before stable patches were finalized for most affected distributions, significantly narrowing the response window for system administrators.

"Dirty Frag is notable because it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components to improve exploitation reliability" — Microsoft

Reliability and Bypass Capabilities

Unlike historic vulnerabilities like Dirty Cow, which depend on hard-to-stabilize race conditions that often cause system crashes, Dirty Frag relies on a purely deterministic logic error. Researcher Hyunwoo Kim emphasizes that the exploit does not depend on a timing window, does not trigger a kernel panic upon failure, and boasts a very high success rate. This reliability makes it ideal for automated mass campaigns or lateral movement within breached infrastructures.

"Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high" — Hyunwoo Kim (@v4bel)

Furthermore, the chain remains effective on systems where "Copy Fail" mitigations (such as blacklisting the algif_aead module) are already in place. The underlying page-cache write mechanisms in ESP (introduced in 2017) and RxRPC (introduced in 2023) have survived multiple hardening cycles without being identified as a joint attack surface until now.

Mitigation and Response Strategies

  1. Inspect active kernel modules and consider blacklisting rxrpc.ko and non-essential xfrm-ESP components until stable updates are applied. This limits the attack surface available to unprivileged processes. On Ubuntu systems, where RxRPC is loaded by default, this is a high priority.
  2. Monitor authentication logs and running processes for anomalies matching Microsoft’s observations: ELF binaries named ./update, unexpected su escalations, and the unauthorized alteration of GLPI files or PHP session deletions.
  3. Deploy mainline kernel patches as soon as they reach your distribution's stable repositories. Note that at the time of reporting, AlmaLinux 10 and other releases had only made them available in testing or non-production branches.
  4. Ensure that containers and shared hosts do not grant excessive network privileges, such as CAP_NET_ADMIN, to untrusted workloads. Preparing the exploit context requires configuring network interfaces or tunnels that unprivileged users should not normally control.

Dirty Frag highlights a concerning trend: attackers are moving beyond single-bug exploits toward complex chains that weaponize the discrepancies between distribution-specific mitigations. The speed of active exploitation prior to patch availability suggests that the window for administrator reaction is shrinking. In this environment, network privilege segmentation and the strict management of kernel modules are no longer just best practices—they are essential survival measures.

Frequently Asked Questions

Is removing rxrpc.ko on Ubuntu enough to mitigate the risk?

Removing rxrpc.ko blocks the second primitive in the chain, but full mitigation requires applying the stable kernel patches released by your distribution. On systems where other mitigations already block user namespaces, the RxRPC module represents the primary exploit path.

How does Dirty Frag differ from the Copy Fail mitigation?

While Copy Fail can be mitigated by blacklisting the algif_aead module, Dirty Frag exploits network components (xfrm-ESP and RxRPC) not covered by that defense, necessitating these new specific countermeasures.

Does the exploitation detected by Microsoft affect desktop users?

While observed campaigns targeted Linux servers via SSH, the local nature of the vulnerability technically exposes any system allowing unprivileged code execution, including containerized environments with permissive network configurations.

Information has been verified against cited sources and is current as of the time of publication.

Sources