isc.sans.edu 5/8/2026, 9:49:52 AM · via preferred

Linux Kernel Flaw Lets Users Gain Root via Page Cache Corruption

Linux Kernel Flaw Lets Users Gain Root via Page Cache Corruption
Developing story vulnerability 12 articles tracked
Dirty Frag Linux kernel flaw (CVE-2026-43284) allows local root via page cache corruption
CyberSIXT Evidence Panel
Primary Source github.com
CISA KEV Listed in KEV
Patch Patch Available

LESS than two weeks after Copy Fail’s public disclosure (CVE-2026-31431), SANS ISC reports a new Linux local privilege escalation vulnerability, dubbed Dirty Frag, discovered by Hyunwoo Kim (@v4bel). The flaw comprises two sub-vulnerabilities in the xfrm ESP decryption fast paths (esp4, esp6) and the RxRPC module, which can chain to achieve immediate root on many major Linux distributions, with no CVE assigned because the embargo was broken.

Dirty Frag enables an unprivileged user to escalate to root via in-place cryptographic operations on page-cache pages that are readable but not writable, effectively corrupting the page cache of files such as /etc/passwd or /usr/bin/su. Remediation steps include denylisting vulnerable modules (esp4, esp6, rxrpc), applying live patches where available, and installing patched kernels from testing repositories, with cautions about potential disruption to IPsec and RxRPC-dependent services.

The advisory notes that Dirty Frag resembles Copy Fail in its root cause—kernel page-cache handling and in-place operations—though the two exploit different kernel subsystems and have separate discoverers and disclosure timelines.

View Primary Source Via isc.sans.edu

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline