Full Report
Broken disclosure embargo left admins facing a fresh root-level flaw with no CVE
Analysis Summary
# Vulnerability: "Dirty Frag" Linux Kernel Local Privilege Escalation
## CVE Details
- **CVE ID**: None assigned at the time of disclosure (the embargo broke before a CVE was issued; one is pending)
- **CVSS Score**: Estimated 7.8 (High); an unofficial base score derived from the local privilege escalation impact, not a vendor or NVD assignment
- **CWE**: CWE-362 (Race Condition) or CWE-787 (Out-of-bounds Write) - *Precise CWE pending final analysis of the memory overwrite mechanism.*
## Affected Systems
- **Products**: Linux Kernel (Multiple distributions)
- **Versions**:
  - xfrm-ESP subsystem vulnerability: introduced in January 2017.
  - RxRPC functionality vulnerability: introduced in 2023.
- **Affected Distributions**:
  - Ubuntu
  - Red Hat Enterprise Linux (RHEL)
  - CentOS Stream
  - Fedora
  - AlmaLinux
  - openSUSE Tumbleweed
- **Configurations**: Systems with `xfrm` (IPsec) and `RxRPC` kernel modules enabled/loadable.
## Vulnerability Description
"Dirty Frag" is a local privilege escalation (LPE) flaw that chains two distinct Linux kernel vulnerabilities to achieve root access. The first flaw resides in the **xfrm-ESP** subsystem (IPsec encapsulation), while the second affects the **RxRPC** (Remote Procedure Call) protocol. By chaining these, an unprivileged local user can trigger a memory corruption primitive that allows for overwriting protected files or structures in memory, ultimately resulting in unauthorized elevation to root privileges.
## Exploitation
- **Status**: **PoC available / Publicly disclosed.** Exploit code has been released on GitHub (e.g., "Copy Fail 2: Electric Boogaloo") due to the broken embargo.
- **Complexity**: Low (Scripted exploits are reportedly functional across major distros).
- **Attack Vector**: Local (Requires local shell access or execution of code on the target machine).
## Impact
- **Confidentiality**: High (Full access to system files).
- **Integrity**: High (Ability to modify system binaries and configurations).
- **Availability**: High (Ability to crash the kernel or delete system data).
## Remediation
### Patches
- **No official patches** were available at the immediate time of disclosure due to the broken embargo. Users must monitor distribution-specific security advisories (RHSA, USN, etc.) for forthcoming updates.
### Workarounds
The researcher (Hyunwoo Kim) suggested a temporary mitigation to reduce the attack surface:
1. **Disable affected modules**: Disable or blacklist the `esp4`, `esp6`, `xfrm`, and `af_rxrpc` kernel modules if they are not required for system operation.
2. **Clear Page Cache**: After disabling the modules, clear the system page cache to mitigate memory-resident vectors:
   `echo 3 > /proc/sys/vm/drop_caches`
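A helper script that applies the two workaround steps above and verifies that the named modules are no longer loaded. This is an added example, not code from the advisory or from the researcher; the module names are the advisory's own, while the `modprobe.d` file name and the sample `lsmod` output are assumptions constructed here.

```shell
#!/bin/sh
# Added helper, not from the advisory or the researcher: builds a modprobe
# blacklist for the modules named in the workaround and audits lsmod-style
# output for them. Module names are taken from the advisory as written; the
# config file name dirty-frag.conf is an assumption.

DIRTY_FRAG_MODULES="esp4 esp6 xfrm af_rxrpc"

# Emit modprobe.d content. "blacklist" only stops alias-based autoloading;
# the "install <mod> /bin/false" line also blocks explicit modprobe and
# in-kernel request_module() calls, which is what the workaround needs.
dirty_frag_blacklist_conf() {
    for m in $DIRTY_FRAG_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Read lsmod-style text on stdin; print the affected modules that are loaded.
loaded_affected_modules() {
    awk -v list="$DIRTY_FRAG_MODULES" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        NR > 1 && ($1 in w) { print $1 }'
}

# Constructed sample lsmod output for offline demonstration.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   28672  0
xfrm_user              57344  1
af_rxrpc              262144  0
ext4                  917504  2'

# Live check: returns 1 and names the modules if any affected one is loaded.
audit_live_modules() {
    loaded="$(lsmod | loaded_affected_modules | tr '\n' ' ')"
    [ -z "$loaded" ] && return 0
    echo "affected modules still loaded: $loaded" >&2
    return 1
}

# Apply the workaround as root: write the blacklist, unload what is loaded,
# then drop the page cache as the researcher suggested.
apply_workaround() {
    dirty_frag_blacklist_conf > /etc/modprobe.d/dirty-frag.conf
    for m in $(lsmod | loaded_affected_modules); do modprobe -r "$m"; done
    echo 3 > /proc/sys/vm/drop_caches
}
```

`modprobe -r` fails for a module that is still in use, so run `audit_live_modules` afterwards to confirm nothing remains loaded.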
## Detection
- **Indicators of Compromise**:
  - Presence of unexpected setuid binaries or unauthorized `root` shells.
  - Audit log entries showing `insmod` or `modprobe` loading the ESP or RxRPC modules after they have been restricted.
- **Detection methods**: Monitor for exploit attempts involving the xfrm subsystem or unusual RxRPC socket creation from unprivileged users.
## References
- **Disclosure Thread**: hxxps[://]www[.]openwall[.]com/lists/oss-security/2026/05/07/8
- **Public Exploit Repository**: hxxps[://]github[.]com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
- **Kernel Fix Commit (Source of Leak)**: [Link not provided in text, but referenced as public]