Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
The Dirty Frag vulnerability in the Linux kernel chains two page-cache vulnerabilities to grant root privileges
Linux Kernel Dirty Frag LPE Chains Multiple Page-Cache Vulnerabilities to Enable Root Access
TL;DR — A new local privilege escalation vulnerability dubbed Dirty Frag chains two separate page-cache write flaws in the Linux kernel to gain root access on major distributions. The vulnerability does not require race conditions and has a high success rate. A working proof-of-concept exists, and the Linux kernel maintainers were notified on April 30, 2026. Kernel modules esp4, esp6, and rxrpc should be blocklisted until patches are available.
What happened
Security researcher Hyunwoo Kim disclosed details of Dirty Frag, a local privilege escalation vulnerability that chains two distinct page-cache write flaws: the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability. According to Kim's write-up, the vulnerability achieves root privileges by exploiting weaknesses in how the kernel's in-place decryption fast paths handle externally-backed pages in the ESP (Encapsulating Security Payload) and RxRPC (Reliable Datagram Protocol) subsystems.
The xfrm-ESP variant, rooted in the IPSec subsystem, was introduced in a source code commit made on January 17, 2017. The same commit was the root cause of CVE-2022-27666, a buffer overflow affecting various Linux distributions. The RxRPC variant was introduced in June 2023.
What distinguishes Dirty Frag from earlier page-cache write exploits is its deterministic nature. Unlike vulnerabilities that depend on timing windows or race conditions, Dirty Frag operates as a logic bug. The kernel does not panic when the exploit fails, and the success rate is described as very high.
The vulnerability's strength lies in how the two variants complement each other across different threat models. The xfrm-ESP exploit requires the ability to create a user namespace—a privilege blocked by default on Ubuntu through AppArmor. Conversely, the RxRPC exploit does not require namespace creation but depends on the rxrpc kernel module being loaded. Ubuntu loads this module by default, while RHEL 10.1 does not. By chaining the two exploits, attackers can target environments where either single variant would fail.
A working proof-of-concept has been released that can escalate privileges to root in a single command. The vulnerability was reported to Linux kernel maintainers on April 30, 2026, and remains unpatched.
Why it matters
Dirty Frag represents a critical attack surface for any system where local code execution is already possible. An unprivileged local user—such as an application running under restricted permissions or a user on a shared system—could escalate to root access with minimal complexity. The high success rate and the absence of any race-condition dependency mean exploitation is reliable and repeatable.
The vulnerability is particularly concerning for multi-tenant environments, container hosts, and systems where boundary enforcement between unprivileged and privileged code is relied upon. The availability of a working PoC shortens the window between disclosure and exploitation in the wild.
Notably, existing mitigations deployed in response to Copy Fail (CVE-2026-31431) do not protect against Dirty Frag. The algif_aead module blacklist commonly applied to block Copy Fail is ineffective against this vulnerability, requiring different defensive measures.
Affected systems and CVEs
- Ubuntu 24.04.4
- RHEL 10.1
- openSUSE Tumbleweed
- CentOS Stream 10
- AlmaLinux 10
- Fedora 44
- Linux kernel (general)
CVEs:
- CVE-2026-31431 (Copy Fail, CVSS 7.8 — predecessor vulnerability with active exploitation)
- CVE-2022-27666 (CVSS 7.8 — buffer overflow from the same January 17, 2017 commit)
No CVE identifier has been assigned to Dirty Frag itself at the time of publication.
What to do
- Blocklist affected kernel modules immediately. Prevent the esp4, esp6, and rxrpc modules from loading. Execute:
  sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
- Monitor for kernel patches. The Linux kernel maintainers have been notified. Check kernel release notes and your distribution's security advisories for patch availability.
- Apply the patches for commits cac2661c53f3 and 2dc334f1a63a in the kernel repository when they become available.
- Review Copy Fail mitigations. Do not rely solely on algif_aead module blocklisting, as it does not protect against Dirty Frag.
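The one-liner above writes the blocklist and tries to unload the modules, but it does not tell you whether the mitigation actually took on a given host. The following audit script is an added example, not part of the advisory or the researcher's material: it checks a /proc/modules-style listing and a modprobe.d file for each of esp4, esp6 and rxrpc and reports which are still loaded or not blocklisted. The file paths are parameters, so it runs here against constructed sample inputs (the module lists and config contents below are made up for illustration) and on a real host against /proc/modules and /etc/modprobe.d/dirtyfrag.conf.

```shell
#!/bin/sh
# Added example, not from the advisory: audit helpers that check whether the
# interim Dirty Frag mitigation (blocklisting esp4, esp6 and rxrpc) is complete.
# They read a /proc/modules-style listing and a modprobe.d file passed as paths,
# so the same logic runs against constructed samples here or against the live
# /proc/modules and /etc/modprobe.d/dirtyfrag.conf on a real host.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# module_loaded <proc_modules_file> <module>: 0 if the module is listed as loaded.
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# module_blocklisted <modprobe_conf_file> <module>: 0 if the file carries an
# "install <module> /bin/false" (or /bin/true) line, which makes modprobe refuse
# to load it. Comment lines never match because their $1 starts with "#".
module_blocklisted() {
    awk -v m="$2" '
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { found = 1 }
        END { exit !found }' "$1"
}

# write_dirtyfrag_conf <path>: emit the same three install lines that the
# advisory's one-liner writes to /etc/modprobe.d/dirtyfrag.conf.
write_dirtyfrag_conf() {
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > "$1"
}

# audit_dirtyfrag <proc_modules_file> <modprobe_conf_file>: print one status
# line per module; the return code is the number of modules that are still
# loaded or not blocklisted, so 0 means the interim mitigation is complete.
audit_dirtyfrag() {
    bad=0
    for m in $DIRTYFRAG_MODULES; do
        loaded=no
        blocked=no
        module_loaded "$1" "$m" && loaded=yes
        module_blocklisted "$2" "$m" && blocked=yes
        printf '%-6s loaded=%-3s blocklisted=%s\n' "$m" "$loaded" "$blocked"
        if [ "$loaded" = yes ] || [ "$blocked" = no ]; then
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Host A: esp4 and rxrpc are loaded, and only the ESP modules were blocklisted.
SAMPLE_MODULES="$SAMPLE_DIR/modules.partial"
cat > "$SAMPLE_MODULES" <<'EOF'
esp4 20480 0 - Live 0x0000000000000000
rxrpc 282624 1 - Live 0x0000000000000000
xfrm_user 57344 1 - Live 0x0000000000000000
EOF
SAMPLE_CONF_PARTIAL="$SAMPLE_DIR/partial.conf"
cat > "$SAMPLE_CONF_PARTIAL" <<'EOF'
# partial mitigation: rxrpc was forgotten
install esp4 /bin/false
install esp6 /bin/false
EOF

# Host B: the advisory's one-liner ran and the modules unloaded cleanly.
SAMPLE_MODULES_CLEAN="$SAMPLE_DIR/modules.clean"
printf 'xfrm_user 57344 1 - Live 0x0000000000000000\n' > "$SAMPLE_MODULES_CLEAN"
SAMPLE_CONF_FULL="$SAMPLE_DIR/dirtyfrag.conf"
write_dirtyfrag_conf "$SAMPLE_CONF_FULL"

echo "== host A: partially mitigated =="
audit_dirtyfrag "$SAMPLE_MODULES" "$SAMPLE_CONF_PARTIAL" || echo "unmitigated modules: $?"
echo "== host B: fully mitigated =="
audit_dirtyfrag "$SAMPLE_MODULES_CLEAN" "$SAMPLE_CONF_FULL" && echo "interim mitigation complete"
```

On a live host, run `audit_dirtyfrag /proc/modules /etc/modprobe.d/dirtyfrag.conf`; `modprobe -n -v rxrpc` (dry run) independently shows whether the install override is what modprobe would execute. Two things the one-liner silently hides are worth checking by hand: rmmod fails when a module is in use (for example esp4 held by an active IPsec association), so the module stays loaded until a reboot even though the blocklist is in place, which the audit surfaces as loaded=yes; and install lines only affect loadable modules, so a kernel that has these drivers built in gets no protection from the blocklist and needs the upstream fix.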
Open questions
- No specific CVE identifier for Dirty Frag has been assigned at the time of publication.
- The timeline for availability of official kernel patches from maintainers is not stated.
- Whether Dirty Frag affects Linux distributions beyond those explicitly listed remains unclear.
- The full technical mechanics of how the two page-cache vulnerabilities are chained are not detailed in the source material.
- It is not specified whether kernel versions prior to January 2017 are affected.
Source
Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions