Skip to main content
Emerging Threats

Linux 'Dirty Frag' Zero-Day Exposes Root Flaw in Major Distros

Linux terminal on a laptop in a research setting with code on the screen.
"As with the previous Copy Fail vulnerability, Dirty Frag likewise allows immediate root privilege escalation on all major distributions, and it chains two separate vulnerabilities," Hyunwoo Kim said.

How Dirty Frag chains kernel flaws to win root

Dirty Frag is a local privilege-escalation zero-day that chains two separate kernel vulnerabilities to alter protected system files in memory without authorization. According to security researcher Hyunwoo Kim—who disclosed the flaw and published a proof-of-concept (PoC) exploit—the exploit combines the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability. The chain targets a logic defect that was introduced roughly nine years ago in the Linux kernel's algif_aead cryptographic algorithm interface.

Kim described the bug as deterministic: "Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high." That determinism separates Dirty Frag from many ephemeral race-based exploits and is central to the exploit's reliability, according to the researcher.

Which distributions are affected and patch status

The disclosure names a broad set of major distributions as vulnerable: Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora. As of the published disclosure, those distributions "have not yet received patches," the report states. The vulnerability has not yet been assigned a CVE identifier for tracking.

How this relates to Copy Fail, Dirty Pipe, and recent Linux fixes

Dirty Frag sits in the same family as past page-cache write vulnerabilities such as Dirty Pipe and the more recent Copy Fail, but it differs in technical detail: it exploits the fragment field of a different kernel data structure. The disclosure comes while maintainers are still rolling out patches for Copy Fail, another root privilege-escalation vulnerability that is already being actively exploited in attacks.

Federal attention to the class of flaws has stepped up: the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its Known Exploited Vulnerabilities (KEV) Catalog last Friday, ordering federal agencies to secure affected Linux devices within two weeks, by May 15. CISA warned that "this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."

Mitigation available now: module removal command

Because no patch nor CVE exists at disclosure time, Kim and maintainers provided an immediate mitigation that disables the vulnerable kernel modules. The command published in the disclosure is:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

That command writes a modprobe configuration to prevent the esp4, esp6 and rxrpc modules from being loaded and then attempts to remove those modules from a running kernel. It is presented in the disclosure as a stop-gap until vendor patches are available.

What Linux distribution maintainers, federal agencies, and enterprises should watch

  • Linux distribution maintainers and sysadmins: The researcher published the PoC after consultation with maintainers on linux-distros@vs.openwall.org and at their request. Maintain awareness of official vendor advisories and prepare for coordinated patch releases; in the interim, the modprobe-based mitigation is the immediate countermeasure distributed with the disclosure.
  • Federal agencies and CISA: CISA's recent KEV action on Copy Fail — which ordered agencies to secure Linux devices by May 15 — frames a narrow remediation window for similarly classed flaws. With Dirty Frag unpatched and without a CVE, agencies will need to consider available mitigations and vendor guidance in short order.
  • Enterprises and end users: With a deterministic PoC public and no patch yet available for Dirty Frag, organizations that cannot immediately patch should evaluate the provided module-disable mitigation and follow downstream vendor instructions as they are issued. The disclosure explicitly notes the exploit grants immediate root privileges when successful.

Hyunwoo Kim said the embargo on full public disclosure was broken on May 7, 2026, when an unrelated third party independently published the exploit; after that break, Kim released complete Dirty Frag documentation and a PoC with maintainers' agreement. Until vendors issue patches and a CVE is assigned, the community is left to balance the risk of public PoCs against the need to protect systems now.

The immediate technical fact is stark: a nearly decade-old logic bug in algif_aead, chained with two page-cache write flaws, yields a straightforward path to root on unpatched systems. The operational fact is equally urgent: no CVE and no universal vendor fix at disclosure time mean defenders must act on mitigation instructions and vendor advisories rather than waiting for a conventional patch cycle.

Original report