Linux Kernel Flaw Exposes Local Users to Root Privilege Escalation

CVE-2026-43503 (CVSS 8.8) lets a local user corrupt file-backed memory through a cloned network packet and gain root, according to a public exploit walkthrough published June 25 by JFrog Security Research.

How DirtyClone corrupts file-backed memory

DirtyClone is a kernel privilege-escalation bug that arises when the Linux networking stack treats file-backed memory as packet data but drops a safety flag that marks that memory as shared with a file on disk. When the kernel copies a network packet internally, two helper functions fail to preserve that shared-frag bit; the missing flag is the entire vulnerability.

The demonstrated exploit loads a privileged binary such as /usr/bin/su into memory, wires those pages into a network packet, and forces the kernel to clone it. The cloned packet is sent through an IPsec tunnel the attacker controls; the decryption step writes attacker-chosen bytes into the in-memory copy of the binary, overwriting login checks so the next run of su grants root. The file on disk is never modified — the change lives only in kernel memory, so file-integrity tools miss it, the attack leaves no audit trail, and a reboot restores the original binary. By then, the attacker already has root.

Exploit prerequisites: CAP_NET_ADMIN, namespaces, and platform differences

Exploitation requires CAP_NET_ADMIN to create the loopback IPsec tunnel used in the demonstration. On Debian and Fedora systems where unprivileged user namespaces are enabled by default, a local user can obtain that capability inside a newly created namespace. By contrast, Ubuntu 24.04 and later restrict namespace creation via AppArmor, which the researchers say blocks the default exploit path.

Page cache is shared at the host level; therefore, modifications made inside a namespace affect every process on the machine. JFrog Security Research confirmed the exploit on Debian, Ubuntu, and Fedora systems that retain default namespace configurations.

Where systems are exposed

  • Multi-tenant servers where untrusted users can create namespaces
  • Continuous integration (CI) runners that accept untrusted jobs
  • Container hosts and Kubernetes clusters allowing untrusted namespace creation

These environments are singled out because they commonly allow users to create namespaces or run workloads that can request capabilities such as CAP_NET_ADMIN.

This is the fourth variant in a class of frag-transfer failures

DirtyClone is the fourth recent privilege escalation in the DirtyFrag family. The sequence of public disclosures began in late April and continued through May and June:

  • Copy Fail — CVE-2026-31431, disclosed in late April, exploited the algif_aead module for a four-byte page-cache write.
  • DirtyFrag — CVE-2026-43284 and CVE-2026-43500, published May 7, chained IPsec ESP and RxRPC paths to gain a full write primitive.
  • Fragnesia — CVE-2026-46300, disclosed May 13, bypassed the initial DirtyFrag patch via a flag-dropping bug in skb_try_coalesce().

Each fix closed a code path but left others open. DirtyClone’s demonstrated exploit centers on __pskb_copy_fclone() and skb_shift(); the broader CVE fix covers additional frag-transfer helpers where the same shared-frag flag could be lost. The underlying defect is a contract problem: every code path that moves skb fragments must preserve the shared-frag bit every time.

Hyunwoo Kim, the original DirtyFrag researcher, submitted a broader multi-site patch on May 16. The combined fix was merged on May 21 (commit 48f6a5356a33), assigned CVE-2026-43503 on May 23, and shipped in Linux v7.1-rc5 on May 24. The initial public exploit walkthrough appeared June 25 from JFrog Security Research.

Mitigation: patch now; fallbacks if you cannot

Install your distribution’s kernel update. The fix landed upstream in v7.1-rc5 and has been backported to stable and LTS branches; Ubuntu, Debian, and SUSE have published advisories and Red Hat maintains a Bugzilla tracking entry.

If you cannot patch immediately, two temporary controls reduce the attack surface. First, restrict unprivileged user namespaces — on Debian and Ubuntu set kernel.unprivileged_userns_clone=0 (other distributions use different mechanisms). Second, blacklist the esp4, esp6, and rxrpc kernel modules; this mitigates the IPsec and AFS attack paths but breaks those features and only works when the relevant code is a loadable module rather than built into the kernel. Both are stopgaps, not fixes.
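The following POSIX shell script is an added example (not from the advisory or from JFrog) that audits whether the two stopgap controls above are actually in place. It assumes the Debian/Ubuntu sysctl name kernel.unprivileged_userns_clone, the standard modprobe.d directive syntax, and the modules.builtin file format; the sample inputs are constructed.

```shell
#!/bin/sh
# Added audit script (not the advisory's own code). Assumed: Debian/Ubuntu sysctl
# kernel.unprivileged_userns_clone, modprobe.d syntax, modules.builtin format.

# 1. User-namespace stopgap: the sysctl must read 0.
userns_restricted() {            # $1: value read from the sysctl
  [ "$1" = "0" ]
}

# 2. Module stopgap: accept "blacklist <mod>" or the stronger
#    "install <mod> /bin/false" (blacklist only stops alias autoloading;
#    an explicit modprobe by name still succeeds).
module_blocked() {               # $1: module name, $2: modprobe.d text
  printf '%s\n' "$2" | grep -Eq \
    "^[[:space:]]*(blacklist[[:space:]]+$1|install[[:space:]]+$1[[:space:]]+/bin/(false|true))([[:space:]].*)?$"
}

# A module compiled into the kernel cannot be blocked this way at all.
module_builtin() {               # $1: module name, $2: modules.builtin text
  printf '%s\n' "$2" | grep -q "/$1\.ko$"
}

# Constructed sample inputs so the checks can be exercised offline.
SAMPLE_MODPROBE='# constructed modprobe.d fragment
blacklist esp4
install esp6 /bin/false
'
SAMPLE_BUILTIN='kernel/net/ipv4/esp4.ko
kernel/fs/ext4/ext4.ko
'

# Live audit of this host (informational; prints one line per control).
audit_host() {
  v=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo n/a)
  if userns_restricted "$v"; then echo "userns: restricted"
  else echo "userns: NOT restricted (sysctl=$v)"; fi
  conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
  builtin=$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null)
  for m in esp4 esp6 rxrpc; do
    if module_builtin "$m" "$builtin"; then echo "$m: built-in, cannot be blacklisted"
    elif module_blocked "$m" "$conf"; then echo "$m: blocked"
    else echo "$m: loadable and NOT blocked"; fi
  done
}
```

Run `audit_host` on a host to see which of the two stopgaps is missing; a "built-in" result means the module blacklist cannot help and only the kernel update closes that path.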

The DirtyFrag class is probably not finished: any function that moves fragment descriptors without propagating the shared-frag flag is a potential new CVE. Auditing should cover every path that touches skb_shinfo()->flags during fragment transfer.

DirtyClone demonstrates how a single dropped flag in the kernel’s zero-copy networking path can transform a performance optimization into a remote write primitive — and how quickly that primitive can yield full root on shared systems. If you operate multi-tenant or CI infrastructure, patching and careful namespace controls should be treated as immediate priorities.