Tag Archives: Fedora

About Elevation of Privilege vulnerability - Linux Kernel "Dirty Frag" (CVE-2026-43284, CVE-2026-43500) vulnerability


About Elevation of Privilege vulnerability - Linux Kernel "Dirty Frag" (CVE-2026-43284, CVE-2026-43500) vulnerability. According to information from researcher Hyunwoo Kim (@v4bel), Dirty Frag is a vulnerability (a class of vulnerabilities) that allows a local unprivileged attacker to obtain root privileges on most Linux distributions by combining the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and the RxRPC Page-Cache Write vulnerability (CVE-2026-43500). Exploitation of this chain enables the attacker to fully compromise the system: gain access to any files, disable protections, establish persistence, and use the host for further attacks.

⚙️🛠 The vulnerability chain description, technical write-up and exploit code were published on May 7. Exploitability has been confirmed on up-to-date distributions including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. The xfrm-ESP Page-Cache Write vulnerability has been present in the kernel from commit cac2661c53f3 (2017-01-17) through the current upstream version, and the RxRPC Page-Cache Write vulnerability from commit 2dc334f1a63a (2023-06) through the current upstream version. In other words, this attack surface has existed in the kernel for around 9 years.

Information about the vulnerability and the exploit was published before patches were available in affected Linux distributions. According to the researcher, on May 7 he submitted detailed information about the vulnerability and the exploit to the linux-distros mailing list. The embargo was set for 5 days, with an agreement that if a third party published the exploit on the internet during the embargo period, the "Dirty Frag" exploit would be released publicly. On the same day, this is exactly what happened: the information was leaked to the public, and the embargo was violated. 🤷‍♂️ As a result, the researcher proceeded with full disclosure.

A similar high-profile vulnerability, Elevation of Privilege - Linux Kernel "Copy Fail" (CVE-2026-31431), served as the motivation for this research. As the researcher reports, the xfrm-ESP Page-Cache Write vulnerability in the Dirty Frag chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, Linux remains vulnerable to Dirty Frag.

Why is a chain of two vulnerabilities used? As the researcher reports, the xfrm-ESP Page-Cache Write vulnerability provides a powerful arbitrary 4-byte STORE primitive, similar to Copy Fail, and is present in most distributions. However, its exploitation requires the privilege to create a namespace, and on Ubuntu unprivileged user namespace creation is sometimes restricted by AppArmor policy; in such an environment, xfrm-ESP Page-Cache Write cannot be triggered. The RxRPC Page-Cache Write vulnerability does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions; on Ubuntu, however, rxrpc.ko is loaded by default. Chaining the two variants lets each cover the other's blind spot, allowing root privileges to be obtained on every major distribution.

As of May 8, the fix for the xfrm-ESP Page-Cache Write (CVE-2026-43284) vulnerability has been merged into the mainline Linux kernel, while the fix for the RxRPC Page-Cache Write (CVE-2026-43500) vulnerability has not yet been merged. It is recommended to monitor the release of security updates for CVE-2026-43284 and CVE-2026-43500 across the Linux distributions in use and apply them promptly. As a workaround, the vulnerability researcher proposes a script that prevents loading of the esp4, esp6, and rxrpc modules, attempts to unload them from the kernel, and drops the kernel's page cache via /proc/sys/vm/drop_caches:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"

About Elevation of Privilege - Linux Kernel "Copy Fail" (CVE-2026-31431) vulnerability


About Elevation of Privilege - Linux Kernel "Copy Fail" (CVE-2026-31431) vulnerability. A local privilege escalation vulnerability in the Linux kernel AF_ALG component, which is caused by a memory handling flaw, allows an unprivileged user to escalate privileges to root. By exploiting this vulnerability, an attacker can fully compromise the system: read and modify any files, including passwords and keys, replace system binaries, disable security controls and monitoring tools, stealthily install backdoors and maintain persistence, hide traces of their activity, and use the host as a foothold for attacks on other network assets.

⚙️🛠 On April 1, patches addressing the vulnerability were merged into the main branch of the Linux kernel. On April 22, a CVE identifier was assigned to the vulnerability. On April 29, experts from Theori published an analysis of the vulnerability and a public exploit. The vulnerability's exploitability has been confirmed on up-to-date versions of widely used Linux distributions, including Ubuntu, Amazon Linux, RHEL, and SUSE.

👾 On May 1, the vulnerability was added to the CISA KEV catalog, indicating it is being exploited in the wild.

What distinguishes this vulnerability from similar EOP/LPE issues in Linux?

There have been other high-profile privilege escalation vulnerabilities in the Linux kernel. Dirty COW required winning a race condition: multiple attempts were often needed, and this sometimes led to system crashes. Dirty Pipe was tied to specific versions and required precise pipe buffer manipulation.

But unlike Dirty COW and Dirty Pipe, researchers report that Copy Fail is a straight-line logic flaw. It triggers without races, retries, or crash-prone timing windows.

🧬 Portability. The same exploit script works across all tested distributions and architectures, including Ubuntu, Amazon Linux, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise. No per-distribution offsets. No recompilation. No version checks in the exploit.

✧ Minimalism. The entire exploit is a short Python script using only standard library modules (os, socket, zlib). It requires Python 3.10+ for os.splice. No compiled payloads, no dependency installation.

🥷 Stealth. The write bypasses the ordinary VFS write path. The corrupted page is never marked dirty by the kernel's writeback machinery. Standard file integrity tools that compare on-disk checksums will not detect it, because the on-disk file remains unchanged. Only the in-memory page cache is corrupted.

📦 Cross-container impact. The page cache is shared across all processes on the system, including across container boundaries. Copy Fail is not just a local privilege escalation. It is a container escape primitive and a vector for Kubernetes node compromise.

How to fix the vulnerability?

To remediate the vulnerability, users need to update to Linux kernel version 6.18.22, 6.19.12, or 7.0. The kernel can be built manually, or users can wait for their Linux distribution vendor to release updated kernel packages. As of May 4, updates have been released for Ubuntu, Debian, RHEL, Fedora, SUSE, CloudLinux, Arch Linux, and ROSA Linux.

As a workaround, researchers suggest blocking the creation of AF_ALG sockets:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null
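As an added check that ties the two workarounds together (example code, not from the original posts or the researchers): an audit script that reports whether the running kernel is one of the Copy Fail fixed releases named above, whether the algif_aead, esp4, esp6 and rxrpc install blocks are present in /etc/modprobe.d, and whether those modules are still loaded. The optional second arguments of the helper functions are an assumption added so the logic can be exercised on constructed files.

```shell
#!/bin/sh
# Added audit helper (not the researchers' or the posts' own code). Reports
# whether this host has the Copy Fail kernel fix or the algif_aead block, and
# whether the Dirty Frag esp4/esp6/rxrpc module block is in place.

# Return 0 if kernel release $1 (uname -r format) is at or above a Copy Fail
# fixed release listed in the post: 6.18.22, 6.19.12 or 7.0. Other 6.x
# series are treated as not fixed since the post lists none for them.
kernel_has_copy_fail_fix() {
    v=${1%%[!0-9.]*}                         # "6.8.0-45-generic" -> "6.8.0"
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0        # "7.0" has no patch field
    patch=${patch%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -ge 7 ] && return 0
    [ "$major" -lt 6 ] && return 1
    case "$minor" in
        18) [ "$patch" -ge 22 ] ;;
        19) [ "$patch" -ge 12 ] ;;
        *)  return 1 ;;
    esac
}

# Return 0 if some *.conf in modprobe.d dir $2 (default /etc/modprobe.d)
# carries "install $1 /bin/false", i.e. the workaround from the posts.
module_install_blocked() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false"
}

# Return 0 if module $1 is loaded; $2 overrides /proc/modules for tests.
module_loaded() { grep -qs "^$1 " "${2:-/proc/modules}"; }

# One line per item for this host; return 1 if anything is unmitigated.
audit_host() {
    rc=0; k=$(uname -r)
    if kernel_has_copy_fail_fix "$k"; then echo "Copy Fail: kernel $k is fixed"
    elif module_install_blocked algif_aead; then echo "Copy Fail: algif_aead blocked"
    else echo "Copy Fail: kernel $k not fixed, algif_aead NOT blocked"; rc=1
    fi
    for m in esp4 esp6 rxrpc; do          # Dirty Frag: post gives no fixed release
        if module_install_blocked "$m"; then echo "Dirty Frag: $m blocked"
        else echo "Dirty Frag: $m NOT blocked"; rc=1
        fi
        module_loaded "$m" && echo "Dirty Frag: $m is still loaded (rmmod it)"
    done
    return $rc
}
audit_host || echo "audit: at least one item is unmitigated"
```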