Security researchers have disclosed a new unpatched Linux kernel vulnerability, codenamed Dirty Frag, which allows an unprivileged local user to gain full root access on most major distributions, including Ubuntu, RHEL, Fedora, AlmaLinux and CentOS Stream. Dirty Frag is linked to the Dirty Pipe family but is independent of the Copy Fail mitigation, so systems that already apply the algif_aead blacklist remain exposed.
The flaw chains two vulnerabilities: the xfrm-ESP Page-Cache Write bug in the Linux IPsec subsystem, introduced in a January 2017 commit, and the RxRPC Page-Cache Write bug, introduced in June 2023. Together they provide a reliable path to root based on a deterministic logic bug. A working proof-of-concept is already public, and the exploit can be executed with a single command, with no race condition required.
Until patches are released, the recommended workaround is to blocklist the esp4, esp6 and rxrpc kernel modules to prevent loading. The disclosure has been contested, with the embargo breaking early after a third party published detailed information and exploit code without coordination, and no CVE identifier has yet been assigned.
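To check whether a host actually has the module workaround described above in place, the following shell sketch (an added example, not code from the researchers or any distribution) reports, for each of esp4, esp6 and rxrpc, whether the module is loaded right now and which kind of modprobe.d rule covers it. The function names and the choice to distinguish `install ... /bin/false` rules from plain `blacklist` lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc blocklist workaround on one host.
MODULES="esp4 esp6 rxrpc"

# module_loaded MODULE [PROC_MODULES]: succeeds if MODULE is currently loaded.
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}"
}

# module_rule MODULE [CONF_DIR]: prints "install", "blacklist" or "none".
# "install MODULE /bin/false" makes every modprobe of MODULE fail;
# "blacklist MODULE" only stops loading through the module's aliases.
# Commented-out rules do not match because their first field starts with "#".
module_rule() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { inst = 1 }
        $1 == "blacklist" && $2 == m { bl = 1 }
        END { print (inst ? "install" : (bl ? "blacklist" : "none")) }'
}

# audit [CONF_DIR] [PROC_MODULES]: one status line per module; returns
# non-zero if any module is loaded now or has no blocking rule at all.
audit() {
    rc=0
    for m in $MODULES; do
        rule=$(module_rule "$m" "$1")
        if module_loaded "$m" "$2"; then loaded=yes; else loaded=no; fi
        echo "$m loaded=$loaded rule=$rule"
        if [ "$loaded" = yes ] || [ "$rule" = none ]; then rc=1; fi
    done
    return "$rc"
}

# Run against the live system only when asked: sh audit.sh run
if [ "${1:-}" = "run" ]; then audit; fi
```

A module that is already loaded stays loaded after a rule is added, so a `loaded=yes` line means the module still has to be unloaded or the host rebooted. Hosts that terminate IPsec ESP tunnels or use the kernel AFS client depend on these modules, so confirm they are unused before blocking them.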