Dirty Frag: The Universal Linux LPE That Chains Two Zero-Days Into One Unstoppable Root Exploit + Video

Listen to this Post

Featured Image

Introduction

A critical local privilege escalation (LPE) vulnerability class named “Dirty Frag” has been publicly disclosed, affecting virtually every major Linux distribution since 2017. Part of the same dangerous family as Dirty Pipe and Copy Fail, Dirty Frag leverages a deterministic logic bug to overwrite the page cache of system files, granting unprivileged local users full root access with near-100% reliability. With no official patches yet available and exploit code already in the wild, understanding this vulnerability is a priority for security professionals.

Learning Objectives

  • Understand the core mechanism of Dirty Frag and how it chains two separate kernel vulnerabilities.
  • Learn how to verify system exposure and apply immediate mitigation commands.
  • Differentiate Dirty Frag from legacy bugs like Dirty Pipe, and recognize its capability to bypass existing mitigations.

You Should Know

  1. How Dirty Frag Chains Two Flaws to Defeat Modern Defenses

Dirty Frag chains two independent kernel vulnerabilities to create a universal exploit. The first is the xfrm-ESP Page-Cache Write, present in 2017 (commit cac2661c53f3). When a socket buffer carries splice()‑pinned page cache pages, `esp_input()` skips the copy‑on‑write check and writes 4‑byte values directly into read‑only files such as `/etc/passwd` or /usr/bin/su. This variant requires unprivileged user namespace creation, a capability sometimes blocked by Ubuntu AppArmor.

The second is the RxRPC Page-Cache Write, found in the `rxrpc` subsystem since 2023. It performs an 8‑byte in‑place decrypt on the same type of splice‑pinned page, requiring no namespace privileges at all, but the `rxrpc.ko` module is missing on many distributions. By running both exploits in sequence, the exploit covers each vulnerability’s blind spot, achieving root on Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, openSUSE, and even WSL2. Even systems that blacklisted the `algif_aead` module as a mitigation for Copy Fail remain vulnerable.

2. Verify Exposure and Apply Immediate Mitigations

Because no patches exist for any distribution, immediate mitigation is required. Use the following command as root or with sudo to disable the vulnerable kernel modules, then verify the change:

 Mitigation command (run as root)
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

Verify that the modules are no longer loaded
lsmod | grep -E 'esp4|esp6|rxrpc'
 No output means the system is protected

If exploit code was previously executed, clear the page cache
echo 3 | sudo tee /proc/sys/vm/drop_caches

Most servers do not use IPsec ESP or AFS, so disabling these modules is unlikely to disrupt normal operations. If `lsmod` still shows loaded modules, a VPN or network mount may be using them – stop those services first before re‑running rmmod.

3. Understanding the Attack Vectors and Scope

Dirty Frag targets the kernel’s page cache, an in‑memory copy of files. Because the kernel performs in‑place crypto operations on memory that the attacker only has read access to, the page cache of files like `/etc/passwd` or `/usr/bin/su` can be corrupted in RAM – the actual file on disk remains untouched. Two specific attack paths are documented:
– Overwriting `/usr/bin/su` – The exploit writes a small root‑shell ELF binary (192 bytes) into the page cache of the `su` command. When a legitimate user later invokes su, the malicious in‑memory version hands over a root shell.
– Modifying `/etc/passwd` – The exploit twists the page cache of the passwd file so the root password field becomes empty, allowing `su` to bypass authentication.

The technique works on all major distributions with near‑100% reliability, does not crash the kernel on failure, and requires no timing window. Since the exploit code is already public, in‑the‑wild usage is expected to follow shortly.

4. Windows, Cloud Hardening, and Detection Strategies

Although Dirty Frag is Linux‑specific, the underlying zero‑copy disaster class has analogues on Windows (e.g., Win32k page‑cache issues) and in cloud hypervisors. Security teams should treat this as a local boundary‑breaking vulnerability and apply containment measures:

  • Linux detection: Monitor kernel module loads using auditd rules on `init_module` and `finit_module` syscalls. Watch for unusual activity on /proc/sys/vm/drop_caches, which an attacker may invoke to clean up evidence.
  • Windows hardening: If you run WSL2, the same vulnerability applies. Ensure guest VMs have minimal local user accounts, and consider restricting user namespace creation (sudo sysctl -w kernel.unprivileged_userns_clone=0) as a defense‑in‑depth measure.
  • Cloud container mitigation: In containerised environments, a successful exploit could break isolation and affect other tenants on the same host. Use seccomp profiles to block `splice(2)` and `sendfile(2)` syscalls where possible, and enforce immutable root filesystems.
  1. Why No Patch Exists Yet and What to Expect Next

The responsible‑disclosure embargo was broken by an “unrelated third party” before distributions could coordinate, forcing public release without any patches ready. As of today, there are no assigned CVEs for either of the two bugs, and the upstream Linux kernel has not yet landed a fix. However, the AlmaLinux team has already built patched kernels by backporting the mainline ESP commit (f4c50a4034e6) and made them available in their testing repository. Other distributions are expected to follow with their own out‑of‑band updates. Until an official patch arrives, the module‑blacklist mitigation remains the only reliable protection. The vulnerability has been present for roughly nine years, so expect widespread scanning and attempted exploitation in the coming days.

6. Forensic Indicators and Post‑Exploit Cleanup

After a Dirty Frag attack, the disk copy of system binaries is unchanged, but the in‑memory page cache is corrupted. This makes classic file‑integrity checking (e.g., aide, tripwire) useless – they will report the file is clean while the running system uses a malicious copy. To detect a successful compromise:
– Reboot the system to force a fresh page cache (the attack does not survive reboot unless the attacker installed persistence separately).
– Compare `sha256sum` of the on‑disk binary with its runtime memory content. A mismatch suggests page‑cache corruption.
– Check `/var/log/auth.log` for unusual `su` or `sudo` invocations from unprivileged users.
– If the exploit was executed prior to mitigation, run `echo 3 | sudo tee /proc/sys/vm/drop_caches` to purge any lingering malicious entries from the page cache.

What Undercode Say:

  • Deterministic logic bugs are more dangerous than race conditions. Dirty Frag fails silently and never panics the kernel, making detection and forensic analysis far more difficult.
  • Chaining partial vulnerabilities creates universal exploitation. By covering each other’s blind spots, two average flaws become a single, unstoppable weapon.
  • The broken embargo is a warning. The infosec ecosystem suffers when coordination fails; defenders must be prepared for the possibility that “patch day” may never arrive.

Prediction

Dirty Frag will drive a wave of opportunistic scanning and low‑skill exploitation within 72 hours, targeting exposed developer workstations, CI/CD runners, and shared hosting environments. Because the module‑level mitigation is simple, most administrators will apply it, but organisations relying on IPsec VPNs or AFS will face a painful trade‑off between security and business functionality. In the longer term, this vulnerability will accelerate the industry’s move toward seccomp‑filtered Linux containers and immutable infrastructure, as attackers demonstrate that traditional file‑permission models are insufficient against kernel‑level page‑cache corruption. Expect at least one more “Dirty” class vulnerability to surface this year, as researchers continue to audit every zero‑copy send path in the kernel.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: 0xfrost Dirty – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky