Linux Kernel Dirty Frag Vulnerability Enables Root Access Across Major Linux Distributions


Details have emerged about a newly disclosed and currently unpatched local privilege escalation (LPE) vulnerability in the Linux kernel identified as Dirty Frag. The issue is being described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a previously disclosed Linux kernel LPE flaw that has already been observed under active exploitation in real-world environments. The vulnerability was reported to Linux kernel maintainers on April 30, 2026, and is considered particularly critical because it can provide root-level access across a wide range of Linux distributions without requiring complex exploitation conditions or unstable execution timing.

Security researcher Hyunwoo Kim, known as v4bel, explained that Dirty Frag operates as a vulnerability class that can achieve root privileges on most Linux distributions by chaining two distinct page cache write flaws, specifically the xfrm ESP Page Cache Write vulnerability and the RxRPC Page Cache Write vulnerability. The researcher noted that Dirty Frag extends the same class of kernel weaknesses seen in earlier issues such as Dirty Pipe and Copy Fail, but differs in that it does not rely on race conditions or timing windows, making it deterministic in nature. Because of this design, the kernel does not panic when exploitation fails, and the success rate of privilege escalation remains very high, increasing its practical risk in real-world attack scenarios.

Successful exploitation of Dirty Frag allows an unprivileged local user to escalate privileges to root across widely used Linux distributions including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. The researcher traced the origins of the underlying vulnerabilities to different periods in the Linux kernel source code, with the xfrm ESP Page Cache Write issue introduced in a January 2017 commit and the RxRPC Page Cache Write issue introduced in June 2023. Interestingly, the January 2017 commit has also been associated with other historical kernel flaws, including CVE-2022-27666, which affected multiple distributions through a buffer overflow condition.

The exploit chain is based on two complementary mechanisms. The xfrm ESP Page Cache Write vulnerability resides in the IPsec subsystem and provides a small four-byte write primitive that enables controlled modification of kernel page cache memory. However, exploitation of this path requires creation of a namespace, which is restricted on some systems such as Ubuntu through AppArmor protections. The second component, RxRPC Page Cache Write, does not require namespace creation but depends on the presence of the rxrpc kernel module, which is not included by default in many distributions such as RHEL 10.1 but is available and loaded in Ubuntu systems. By combining both mechanisms, attackers can bypass environmental restrictions, with one exploit covering the limitations of the other depending on the distribution configuration.

A CloudLinux advisory further explains that the vulnerability exists in the ESP-in-UDP MSG_SPLICE_PAGES no-copy-on-write fast path and is accessible via the XFRM user netlink interface. Additional analysis from AlmaLinux indicates that the flaw impacts in-place decryption fast paths in esp4, esp6, and rxrpc, where socket buffers carrying non-privately-owned kernel pages are decrypted directly, exposing or corrupting plaintext data accessible to unprivileged processes. A working proof-of-concept exploit has already been released, reportedly enabling root access in a single command execution. Until vendor patches are available, mitigation guidance includes blocking the esp4, esp6, and rxrpc kernel modules to reduce exposure. Researchers also emphasize that Dirty Frag can be triggered even when previous mitigations for Copy Fail, such as algif_aead blacklist configurations, are already in place, meaning systems previously considered protected remain vulnerable to this new exploitation path.
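
The module-blocking mitigation only holds if each module is neither already loaded nor built into the kernel, and if the rule used actually prevents loading. The following is an added example, not code from the researcher or from any vendor advisory, that audits esp4, esp6 and rxrpc; the function names and the sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the esp4/esp6/rxrpc module-blocking mitigation.
# File locations are parameters so the logic can run on constructed data.

# module_state MOD PROC_MODULES MODPROBE_DIR [BUILTIN_LIST]
# Prints: loaded | builtin | blocked | blacklist-only | loadable
module_state() {
    local mod=$1 proc=$2 dir=$3 builtin=${4:-/dev/null}
    # Already resident: a modprobe rule does not unload it.
    if grep -qsE "^${mod} " "$proc"; then echo loaded; return; fi
    # Compiled into the kernel image: modprobe rules cannot disable it.
    if grep -qsE "/${mod}\.ko$" "$builtin"; then echo builtin; return; fi
    # An install override makes every load attempt run a dummy command instead.
    if grep -rqsE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/(usr/)?bin/(false|true)" "$dir"; then
        echo blocked; return
    fi
    # "blacklist" only ignores the module's aliases; loading it by name still works.
    if grep -rqsE "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*$" "$dir"; then
        echo blacklist-only; return
    fi
    echo loadable
}

# audit_dirty_frag PROC_MODULES MODPROBE_DIR [BUILTIN_LIST]
# Returns 0 only when all three modules are blocked and not loaded or built in.
audit_dirty_frag() {
    local rc=0 mod state
    for mod in esp4 esp6 rxrpc; do
        state=$(module_state "$mod" "$@")
        printf '%-6s %s\n' "$mod" "$state"
        [ "$state" = blocked ] || rc=1
    done
    return "$rc"
}

# Constructed sample (not from a real host): esp4 loaded, esp6 blocked,
# rxrpc only blacklisted. On a real system pass /proc/modules, /etc/modprobe.d
# and /lib/modules/$(uname -r)/modules.builtin instead.
demo() {
    local t; t=$(mktemp -d); mkdir "$t/modprobe.d"
    printf 'esp4 24576 0 - Live 0x0000000000000000\n' > "$t/modules"
    printf 'install esp6 /bin/false\nblacklist rxrpc\n' > "$t/modprobe.d/dirtyfrag.conf"
    audit_dirty_frag "$t/modules" "$t/modprobe.d" || echo "mitigation incomplete"
    rm -rf "$t"
}
demo
```

Only the directory passed in is scanned, so hosts that also keep rules under /usr/lib/modprobe.d or /run/modprobe.d need a run per directory. Blocking esp4 and esp6 disables IPsec ESP on the host, so check for VPN or tunnel dependencies before rolling the rules out.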
