New 'Dirty Frag' Linux Kernel Flaw Grants Root Access; Patches Still Missing

Breaking: Critical Linux Kernel Exploit 'Dirty Frag' Goes Public

A newly discovered Linux kernel privilege escalation exploit, dubbed Dirty Frag, has been released publicly, allowing local attackers to gain full root access on major distributions. No official patches are available from most Linux vendors, with only AlmaLinux testing a fix so far.

Source: itsfoss.com

Security researcher Hyunwoo Kim (v4bel) reported the vulnerability to the linux-distros mailing list, requesting a five-day embargo to give distributions time to prepare patches. However, an unnamed third party published the exploit code the same day, breaking the embargo and leaving systems exposed.

"The premature disclosure forced the security community into a reactive stance. The five-day window was critical for coordinated patching," said Kim in a statement. "Now, every Linux server and desktop is at risk until updates are deployed."

How Dirty Frag Works

Dirty Frag exploits two distinct vulnerabilities chained together to bypass existing protections. The first, CVE-2026-43284 (xfrm-ESP Page-Cache Write), modifies the in-memory copy of /usr/bin/su, replacing it with a version that spawns a root shell without authentication.

The second, CVE-2026-43500 (RxRPC Page-Cache Write), targets /etc/passwd, clearing the root password field. The Pluggable Authentication Module (PAM) then accepts a blank password, granting root login.

Neither exploit works alone across all systems. The xfrm-ESP variant requires user namespace permissions, which Ubuntu's AppArmor often blocks. The RxRPC variant relies on the rxrpc.ko kernel module, absent from most default builds—except Ubuntu, which ships it. Together, they cover every major distribution.

Background

Dirty Frag follows Copy Fail, a similar Linux exploit disclosed just days earlier. Both exploit a logic flaw in the kernel's page-cache handling to escalate privileges. The pace of disclosure has alarmed security teams, as working exploits are now circulating without reliable patches.


Linux kernel vulnerabilities are notoriously difficult to fix quickly due to the ecosystem's fragmentation. Distributions must backport patches from upstream, build and test new kernels, and deploy them through their update channels—a process that takes days or weeks even in an emergency.

What This Means

This is a critical risk for any system running a vulnerable Linux kernel. Local users—or attackers who have already gained limited access—can instantly become root, compromising the entire system. Cloud servers, enterprise desktops, and IoT devices are all potential targets.

Until patches are available, system administrators must deploy the temporary mitigation provided by Kim: blacklist the three kernel modules involved and clear the page cache.

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"

This command prevents the vulnerable modules from loading and removes any already-corrupted page-cache entries. Canonical has also released mitigation guidelines for Ubuntu users.
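To confirm the mitigation took effect, the added example below (not from Kim's advisory or the original article) checks that each of the three modules has an install override and is no longer loaded. The function names and sample files are constructed for illustration; on a real host the inputs are /etc/modprobe.d and /proc/modules.

```shell
#!/bin/sh
# Added example (not from the article): audit the Dirty Frag module mitigation.
MODULES="esp4 esp6 rxrpc"   # the three modules named in the mitigation command

# blocked_in_conf MODULE DIR: true if a *.conf file in DIR holds an active
# "install MODULE /bin/false" line. A plain "blacklist" line is not counted:
# it only suppresses alias-based autoloading, not an explicit modprobe.
blocked_in_conf() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false([[:space:]]|\$)" "$2"/*.conf
}

# loaded MODULE FILE: true if MODULE is listed in a /proc/modules-format FILE.
loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# audit DIR FILE: prints one line per finding; return status = number of findings.
audit() {
    findings=0
    for m in $MODULES; do
        if ! blocked_in_conf "$m" "$1"; then
            echo "FAIL $m: no install override under $1"
            findings=$((findings + 1))
        fi
        # The mitigation command hides rmmod errors (2>/dev/null), so a module
        # that was in use can silently stay loaded.
        if loaded "$m" "$2"; then
            echo "FAIL $m: still loaded"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ] && echo "OK: all three modules blocked and unloaded"
    return "$findings"
}

# Constructed sample state: esp4/esp6 blocked, rxrpc unblocked and still loaded.
demo=$(mktemp -d)
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > "$demo/dirtyfrag.conf"
printf 'rxrpc 425984 0 - Live 0x0\next4 1000000 1 - Live 0x0\n' > "$demo/modules"
audit "$demo" "$demo/modules" || echo "findings: $?"
rm -rf "$demo"
# On a real host:  audit /etc/modprobe.d /proc/modules
```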

Update your kernel and reboot as soon as your distribution provides a patched version. Monitor advisory channels for AlmaLinux, which has testing kernels available, and other vendors as they respond.
