Linux Kernel Dirty Frag Local Privilege Escalation Vulnerability
May 13, 2026 GMT+08:00
I. Overview
Huawei Cloud has noticed that industry researchers recently disclosed a local privilege escalation vulnerability in the Linux kernel called Dirty Frag. It is a logic bug present in two independent modules, xfrm-ESP and RxRPC. The vulnerability allows a local low-privilege attacker to tamper with the page cache of any readable file in the system (for example, setuid binaries such as su and sudo) under contention-free and retry conditions. Exploiting the vulnerability through a single module has limitations. In xfrm-ESP, the vulnerability has been latent for a long time (since 2017), but on systems such as Ubuntu it cannot be triggered because of AppArmor restrictions. In RxRPC, there is no namespace permission requirement, but the module is not loaded by default everywhere (Ubuntu being the exception). However, if the vulnerability is exploited in both modules, attackers can perform local privilege escalation on almost all mainstream Linux distributions. In addition, the exploit chain is not affected by the existing Copy Fail mitigation (algif_aead blacklist). The details and PoC of this vulnerability have been disclosed, and the risk is high.
The Linux kernel, the core component of the Linux OS, is an open-source, monolithic Unix-like OS kernel. Check your systems and apply security hardening promptly.
Reference:
https://github.com/V4bel/dirtyfrag
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Linux Kernel (xfrm-ESP) >= commit cac2661c53f3 (since 2017)
Linux Kernel (RxRPC) >= commit 2dc334f1a63a (since June 2023)
Affected OSs and versions:
Ubuntu 24.04.4 (6.17.0-23-generic)
RHEL 10.1 (6.12.0-124.49.1.el10_1.x86_64)
CentOS Stream 10 (6.12.0-224.el10.x86_64)
AlmaLinux 10 (6.12.0-124.52.3.el10_1.x86_64)
Fedora 44 (6.19.14-300.fc44.x86_64)
openSUSE Tumbleweed (7.0.2-1-default)
Secure versions:
No security patch has been released.
IV. Vulnerability Handling
1. No official security patch has been released yet. Affected users should watch for the official patch for this vulnerability and apply it promptly.
2. Workaround: For affected users, run the following command to disable related kernel modules (esp4, esp6, and rxrpc):
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
Note: Once the preceding modules are disabled, services (such as VPN and Kerberos) that depend on the IPsec (ESP) and RxRPC protocols may be affected. Evaluate the impact first.
Note: Before fixing the vulnerability, back up your files and conduct a thorough test.
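To confirm that the workaround above took effect, the following added example (not part of the original notice and not vendor code) checks three things: whether esp4, esp6, or rxrpc is still loaded, whether each has an "install ... /bin/false" rule, and whether any of them is compiled into the kernel, in which case the modprobe rule and rmmod have no effect. The function names are hypothetical; the default paths (/proc/modules, /etc/modprobe.d, and modules.builtin under /lib/modules) are assumptions about a typical distribution layout.

```sh
#!/bin/sh
# Added example (not vendor code): audit the esp4/esp6/rxrpc workaround.
MODS="esp4 esp6 rxrpc"

# Print modules from $MODS that are currently loaded (FILE is /proc/modules format).
loaded_mods() {
    for m in $MODS; do
        grep -q "^$m " "$1" 2>/dev/null && printf '%s\n' "$m"
    done
    return 0
}

# Print modules that have no "install <mod> /bin/false" line in DIR/*.conf.
unblocked_mods() {
    for m in $MODS; do
        grep -Eqs "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false[[:space:]]*\$" \
            "$1"/*.conf || printf '%s\n' "$m"
    done
    return 0
}

# Print modules compiled into the kernel (FILE is modules.builtin format).
# modprobe.d rules and rmmod have no effect on built-in code.
builtin_mods() {
    for m in $MODS; do
        grep -q "/$m\.ko\$" "$1" 2>/dev/null && printf '%s\n' "$m"
    done
    return 0
}

# Returns 0 only when nothing is loaded, unblocked, or built in.
dirtyfrag_audit() {
    proc=${1:-/proc/modules}
    conf=${2:-/etc/modprobe.d}
    builtin=${3:-/lib/modules/$(uname -r)/modules.builtin}
    l=$(loaded_mods "$proc"); u=$(unblocked_mods "$conf"); b=$(builtin_mods "$builtin")
    [ -n "$l" ] && echo "still loaded:" $l
    [ -n "$u" ] && echo "no install rule in $conf:" $u
    [ -n "$b" ] && echo "built into kernel (workaround ineffective):" $b
    [ -z "$l$u$b" ]
}

# Run against the live system only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then dirtyfrag_audit; fi
```

A module reported as still loaded usually means rmmod failed because the module was in use; the install rule then only takes effect after the dependent service is stopped and the module unloaded, or after a reboot.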