Linux Kernel Dirty Frag LPE Exploit Enables Root Access to All Major Distributions

Ravie Lakshmanan | May 08, 2026 | Linux / Vulnerability

Details have emerged about a new, undocumented local privilege escalation (LPE) vulnerability affecting the Linux kernel.

It is dubbed Dirty Frag and described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE bug affecting the Linux kernel that has since become widely exploited in the wild. The vulnerability was reported to the Linux kernel maintainers on April 30, 2026.

“Dirty Frag is a vulnerability (class) that gains root privileges on many Linux distributions by binding the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability,” said security researcher Hyunwoo Kim (@v4bel) in a post.

“Dirty Frag is a case that extends the bug category that Dirty Pipe and Copy Fail belong to. Because it is a deterministic logic bug that does not depend on a time window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”

Successful exploitation of the flaw could allow an unprivileged local user to gain elevated root access on many Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.

According to the researcher, the xfrm-ESP Page-Cache Write vulnerability was introduced in a source code commit made in January 2017, while the RxRPC Page-Cache Write vulnerability was introduced in June 2023. Interestingly, the same commit, dated January 17, 2017, was also the main cause of another buffer overflow vulnerability (CVSS score: 7.8) that affected various Linux distributions.

xfrm-ESP Page-Cache Write, based on the IPsec subsystem (xfrm), gives attackers a 4-byte store primitive, as Copy Fail does, and overwrites a small value in the kernel’s page cache.

However, the exploit requires an unprivileged user to create a namespace, a step that Ubuntu blocks with AppArmor. In that case, xfrm-ESP Page-Cache Write cannot be triggered. This is where the second exploit, RxRPC Page-Cache Write, comes into play.

“RxRPC Page-Cache Write does not require the right to create a namespace, but the rxrpc.ko module itself is not included in most distributions,” explains Kim. “For example, the default build of RHEL 10.1 does not ship rxrpc.ko. However, on Ubuntu, the rxrpc.ko module is loaded by default.”

“Combining two different types makes the blind spots overlap. In an environment where user namespace creation is enabled, the ESP exploit works first. Conversely, in Ubuntu, when user namespace creation is blocked but rxrpc.ko is created, the RxRPC exploit works.”

CloudLinux, in its own advisory, said the bug is in the “ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path and is accessible through the XFRM netlink user interface.”

“The bug resides in the fast decryption methods in the esp4, esp6, and rxrpc environment: when the socket buffer carries fragments with non-private kernel pages (e.g., pipe pages attached via splice(2)/sendfile(2)/MSG_SPLICE_PAGES), it finds those extraneous pages directly, privately extracted. text indicating that the unprivileged process is still holding reference,” said AlmaLinux.

Adding to the urgency is the release of a working proof-of-concept (PoC) that can be used to gain root with a single command. Until patches are available, it is advised to blocklist the esp4, esp6, and rxrpc modules so they cannot be loaded:

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null"
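
A check that the mitigation above took effect, as an added example that is not part of the original article or the researcher's advisory: it reads a modprobe.d directory and a /proc/modules-style listing and reports whether each of esp4, esp6 and rxrpc is still loaded, blocked, or still loadable. The function names and the sample data in demo are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the esp4/esp6/rxrpc modprobe mitigation took effect.
# Code compiled into the kernel image is not listed in /proc/modules and is
# not affected by modprobe.d; this check does not cover that case.
MODS="esp4 esp6 rxrpc"

# is_blocked MODULE CONF_DIR
# True if a *.conf file holds an active "install MODULE /bin/false" (or
# /bin/true) line. Commented-out lines do not count.
is_blocked() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)([[:space:]]|\$)" "$2"/*.conf
}

# is_loaded MODULE MODULES_FILE
# True if MODULE is listed in a /proc/modules-style file (name is field 1).
is_loaded() {
    grep -qs "^$1 " "$2"
}

# audit CONF_DIR MODULES_FILE
# Prints "module<TAB>state" per module and returns 0 only when every module
# is both blocked and not loaded.
audit() {
    rc=0
    for m in $MODS; do
        if is_loaded "$m" "$2"; then
            # rmmod fails on an in-use module, and 2>/dev/null hides that.
            state="loaded"; rc=1
        elif is_blocked "$m" "$1"; then
            state="blocked"
        else
            state="loadable"; rc=1
        fi
        printf '%s\t%s\n' "$m" "$state"
    done
    return "$rc"
}

# demo: run the audit on constructed sample data (not from a real host).
demo() {
    d=$(mktemp -d) || return 1
    status=0
    printf 'install esp4 /bin/false\n#install esp6 /bin/false\ninstall rxrpc /bin/false\n' > "$d/dirtyfrag.conf"
    printf 'rxrpc 364544 0 - Live 0x0000000000000000\n' > "$d/modules"
    audit "$d" "$d/modules" || status=1
    rm -rf "$d"
    return "$status"
}
```

On a live host, source the file and run `audit /etc/modprobe.d /proc/modules`. A `loaded` result after applying the mitigation means `rmmod` could not remove the module, so it stays in the kernel until it is unloaded or the host reboots.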

It is worth noting that Dirty Frag, despite its overlap with Copy Fail, can be exploited regardless of whether the Linux kernel's algif_aead module is enabled.

“Note that Dirty Frag can be activated regardless of whether the algif_aead module is available,” the researcher said. “In other words, even on systems where the Copy Fail mitigation (algif_aead blacklist) is used, your Linux is still vulnerable to Dirty Frag.”
