
Linux Kernel Dirty Frag LPE Vulnerability Chain Enables Root Access

1 unique source, 1 article

Summary


A new local privilege escalation (LPE) vulnerability chain dubbed Dirty Frag has been disclosed for the Linux kernel, enabling unprivileged local users to gain root access across major distributions. The flaw combines two page-cache write primitives—xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write—to bypass existing mitigations and achieve deterministic exploitation with high success rates. Affected distributions include Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. A working proof-of-concept (PoC) allows root access in a single command, though exploitation paths vary by distribution due to module availability and AppArmor restrictions.

Timeline

  1. 08.05.2026 08:12 · 1 article

    Dirty Frag LPE Exploit Chain Disclosed with Working PoC

    Dirty Frag, a Linux kernel LPE vulnerability chain combining xfrm-ESP and RxRPC page-cache write primitives, was disclosed on May 8, 2026. The flaw enables unprivileged local users to gain root access across major Linux distributions via a deterministic exploit with high success rates. A working PoC has been released, and mitigation guidance includes blacklisting esp4, esp6, and rxrpc kernel modules until official patches are available.

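The interim mitigation in the entry above is to keep the esp4, esp6 and rxrpc modules from loading. The script below is an added example, not code from CyberHappenings or from the Dirty Frag disclosure: it writes a modprobe.d drop-in for those three modules and checks lsmod output for any that are already loaded. The drop-in path and the use of an `install ... /bin/false` line alongside `blacklist` (a `blacklist` line alone only stops alias-based autoloading) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the advisory): block the kernel modules named in
# the Dirty Frag mitigation guidance and report any that are loaded now.
# Assumption: the module list and output path below are illustrative.

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# write_blocklist <file>: for each module emit a "blacklist" line (stops
# autoload via aliases) and an "install ... /bin/false" line (makes an
# explicit "modprobe <module>" fail as well).
write_blocklist() {
    out="$1"
    : > "$out"
    for m in $DIRTY_FRAG_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m" >> "$out"
    done
}

# loaded_modules <lsmod-output-file>: print which of the listed modules
# appear in column 1 of lsmod output. Reading from a file lets the check
# run against constructed input as well as "lsmod > file" on a live host.
loaded_modules() {
    awk -v want="$DIRTY_FRAG_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        NR > 1 && ($1 in keep) { print $1 }' "$1"
}

# Live usage (needs root for the drop-in; modules already loaded stay loaded
# until removed or the host reboots):
#   write_blocklist /etc/modprobe.d/dirty-frag.conf
#   lsmod > /tmp/lsmod.txt && loaded_modules /tmp/lsmod.txt
```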


Similar Happenings

High-severity Linux kernel authencesn logic bug (CVE-2026-31431) enables local privilege escalation

A high-severity zero-day vulnerability in the Linux kernel, tracked as CVE-2026-31431 and nicknamed Copy Fail, has been disclosed after existing undetected since 2017. The flaw is a logic bug in the kernel’s authencesn cryptographic template that permits an unprivileged local user to perform a deterministic four-byte write into the page cache of any readable file on the system. Successful exploitation allows an attacker to escalate privileges to root on affected Linux distributions released since 2017, requiring only a local account and physical access to the target machine. The vulnerability affects multi-user shared systems, containerized environments (Kubernetes, Docker), and similar setups, enabling potential unauthorized access to other users’ data. It has been assigned a CVSS score of 7.8 (High severity). CISA added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog on May 3, 2026, after threat actors began exploiting it in the wild following Theori’s public disclosure on April 29, 2026. A Python-based proof-of-concept exploit was released, demonstrating reliable root access across major distributions, and U.S. government agencies were ordered to patch within two weeks under BOD 22-01.

Linux Kernel Local Privilege Escalation via Copy Fail (CVE-2026-31431)

Active exploitation of the Linux kernel local privilege escalation vulnerability (CVE-2026-31431) has begun, with threat actors targeting systems to gain root access. The flaw, dubbed "Copy Fail," stems from a logic bug in the kernel's authencesn cryptographic template and enables unprivileged local attackers to escalate privileges via a 4-byte write to the page cache of setuid-root binaries. Exploitation occurs entirely in memory, leaving no disk-based traces, and affects all major Linux distributions since 2017. A 10-line Python PoC achieves 100% reliability, and the flaw poses severe risks in containerized environments, enabling Kubernetes pod escapes and CI/CD pipeline compromises. Discovered in 2026 using AI-assisted analysis, the vulnerability was introduced in 2017 through a performance optimization that reused buffers in the crypto path. Upstream patches were released in kernel versions 6.18.22, 6.19.12, and 7.0, but inconsistent advisories across distributions have delayed widespread mitigation. Microsoft reports limited in-the-wild exploitation so far, primarily PoC testing, but warns of the flaw's broad applicability and potential for container breakouts, multi-tenant compromise, and lateral movement in shared environments. CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 2, 2026, requiring federal agencies to patch within two weeks.