Full Report
A new Linux zero-day vulnerability, named Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command. [...]
Analysis Summary
# Vulnerability: Dirty Frag Privilege Escalation
## CVE Details
- **CVE ID:** Pending (Not yet assigned)
- **CVSS Score:** N/A (Projected High/Critical due to root access)
- **CWE:** CWE-822 (Untrusted Pointer Dereference) / CWE-787 (Out-of-bounds Write) - *Reflecting logic flaw in page-cache modification.*
## Affected Systems
- **Products:** Major Linux Kernel Distributions.
- **Versions:** Introduced approximately 9 years ago (circa 2017); affects kernel versions up to current releases.
- **Configurations:** Systems utilizing the `algif_aead` cryptographic algorithm interface. Affected distributions include:
  - Ubuntu
  - Red Hat Enterprise Linux (RHEL)
  - CentOS Stream
  - AlmaLinux
  - openSUSE Tumbleweed
  - Fedora
## Vulnerability Description
Dirty Frag is a local privilege escalation (LPE) vulnerability stemming from a deterministic logic bug in the Linux kernel’s fragmentation handling. Specifically, it targets the `algif_aead` cryptographic interface.
The exploit chains two distinct kernel flaws—an **xfrm-ESP Page-Cache Write** and an **RxRPC Page-Cache Write**—to bypass existing kernel protections. By manipulating the fragment field of a specific kernel data structure, an attacker can write to protected system files residing in the page cache (memory) without proper authorization. Unlike many LPEs, this is not a race condition; it is a logic error that consistently allows for unauthorized modification of memory-mapped files.
## Exploitation
- **Status:** PoC available; disclosed following an embargo break. Public documentation and exploit code have been released.
- **Complexity:** Low (Deterministic; does not rely on timing or race conditions).
- **Attack Vector:** Local (Requires initial access to the system).
## Impact
- **Confidentiality:** High (Total access to system files).
- **Integrity:** High (Ability to modify any file in memory, including `/etc/passwd` or system binaries).
- **Availability:** High (Attacker can compromise system stability or lock out users).
## Remediation
### Patches
- **As of May 8, 2026:** No official patches have been released by major distributions due to the unexpected disclosure of the vulnerability. Users must monitor official vendor security advisories (RHSA, USN, etc.) for kernel updates.
### Workarounds
- **Restrict Unprivileged User Namespaces:** Many similar exploits can be mitigated by disabling unprivileged user namespaces (`sysctl -w kernel.unprivileged_userns_clone=0`), though its effectiveness against this specific flaw is pending verification.
- **Module Blacklisting:** If not required, disabling `algif_aead` or related cryptographic modules may reduce the attack surface.
## Detection
- **Indicators of Compromise:** Unusual modifications to sensitive system files in memory; presence of unauthorized root shells.
- **Detection methods and tools:** Monitoring for unexpected use of the `algif_aead` interface (reached through AF_ALG sockets). Use of auditd to track unauthorized access to, or modification of, system configuration files.
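As an added example of the detection approach above (not code from the advisory or from the PoC repository), the following parser correlates two auditd signals per uid: creation of an AF_ALG socket (the family behind `algif_aead`) and hits on file watches for sensitive files. The audit rules it assumes and the log records it runs over are constructed for illustration; it is a triage heuristic that flags sessions worth investigating, not proof of exploitation.

```python
import re
from collections import defaultdict

# Assumed audit rules (constructed for this example, not taken from the advisory):
#   -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg   # 38 = AF_ALG, the algif_* socket family
#   -w /etc/passwd -p wa -k sensitive_file   (same for /etc/shadow, /etc/sudoers)
AF_ALG = 38
SOCKET_SYSCALL_X86_64 = "41"   # syscall numbers are per-arch; arch=c000003e is x86_64
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """One audit record -> dict of fields, quoted values unquoted."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def analyze(lines):
    """Return (per_uid, flagged): per_uid maps uid -> {"af_alg": count, "files": set};
    flagged lists non-root uids that both created an AF_ALG socket and hit a
    sensitive-file watch. A triage heuristic for investigation, not proof of exploitation."""
    events = defaultdict(dict)   # serial -> fields merged from the SYSCALL and PATH records
    for line in lines:
        rec = parse_record(line)
        m = SERIAL_RE.search(rec.get("msg", ""))
        if m:
            events[m.group(1)].update(rec)
    per_uid = defaultdict(lambda: {"af_alg": 0, "files": set()})
    for ev in events.values():
        uid = ev.get("uid")
        if ev.get("syscall") == SOCKET_SYSCALL_X86_64 and int(ev.get("a0", "0"), 16) == AF_ALG:
            per_uid[uid]["af_alg"] += 1   # audit logs a0 in hex: a0=26 -> 38 -> AF_ALG
        if ev.get("key") == "sensitive_file" and ev.get("name") in SENSITIVE_FILES:
            per_uid[uid]["files"].add(ev["name"])
    flagged = sorted(u for u, s in per_uid.items() if u != "0" and s["af_alg"] and s["files"])
    return dict(per_uid), flagged

# Constructed sample records (not captured data): uid 1000 opens an AF_ALG socket, then
# attempts a write-open of /etc/passwd (denied); uid 0 running usermod is legitimate.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1778150400.101:9001): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 pid=1234 auid=1000 uid=1000 euid=1000 comm="pocbin" exe="/tmp/pocbin" key="af_alg"
type=SYSCALL msg=audit(1778150400.102:9002): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd10 a2=1 a3=0 items=1 pid=1234 auid=1000 uid=1000 euid=1000 comm="pocbin" exe="/tmp/pocbin" key="sensitive_file"
type=PATH msg=audit(1778150400.102:9002): item=0 name="/etc/passwd" inode=262401 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1778150400.103:9003): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffd20 a2=241 a3=1b6 items=1 pid=977 auid=0 uid=0 euid=0 comm="usermod" exe="/usr/sbin/usermod" key="sensitive_file"
type=PATH msg=audit(1778150400.103:9003): item=0 name="/etc/passwd" inode=262401 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1778150400.104:9004): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 items=0 pid=1400 auid=1001 uid=1001 euid=1001 comm="curl" exe="/usr/bin/curl" key="net"
"""
```

Running `analyze(SAMPLE_LOG.splitlines())` flags only uid 1000; root's usermod write and the AF_INET socket from uid 1001 are not reported.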
## References
- **Researcher Disclosure:** hxxps[://]www[.]openwall[.]com/lists/oss-security/2026/05/07/8
- **PoC Repository:** hxxps[://]github[.]com/V4bel/dirtyfrag
- **Technical Analysis:** hxxps[://]github[.]com/V4bel/dirtyfrag/blob/master/assets/write-up[.]md
- **Researcher Social Media:** hxxps[://]x[.]com/v4bel/status/2052464007857185136