- Researcher Hyunwoo Kim reveals Dirty Frag, a nine-year-old kernel flaw that allows root privilege escalation on major Linux distributions
- The exploit chains two page-cache write flaws, works reliably without a race condition, and is currently unpatched with no CVE assigned.
- Mitigation requires disabling the vulnerable kernel modules, but this breaks IPsec VPNs and AFS, leaving systems exposed until fixes arrive.
Some of the most used and influential Linux distributions are vulnerable to a zero-day flaw that allows threat actors to gain root privileges, and a patch has yet to be made public, experts warned.
Security researcher Hyunwoo Kim revealed he found a nine-year-old flaw and published a proof-of-concept (PoC) exploit.
He called the vulnerability Dirty Frag and explained that it chains together two kernel flaws, an xfrm-ESP page-cache write and an RxRPC page-cache write. Together they let him modify protected system files in the page cache without having the required authorization.
Mitigations available
Kim explained that he had shared his findings under embargo with the maintainers of the major Linux distributions so that everyone had time to prepare fixes. However, that embargo was apparently broken on May 7, when a third party published the exploit.
“Because the embargo is currently broken, no patch or CVE exists. After consulting with the maintainers at [email protected] and at their request, this Dirty Frag document is released,” Kim said.
In addition to not having a CVE, the bug has not yet received a severity score. However, since it is a reliable local privilege escalation to root with a public exploit, it is reasonable to expect a high or critical severity rating.
So far it has been confirmed that Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed and Fedora are all vulnerable and have not yet received patches.
“As with the previous Copy Fail vulnerability, Dirty Frag also allows immediate escalation of root privileges on all major distributions and chains two separate vulnerabilities,” Kim said. “Because it is a deterministic logic error that does not depend on a time window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”
The current mitigation is to blacklist and unload the vulnerable esp4, esp6 and rxrpc kernel modules, but this breaks IPsec VPNs and the AFS distributed network file system.
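The following is an added example, not code from the article or from the researcher, showing how an administrator would apply that interim mitigation and check whether it is needed on a given host. It writes a modprobe.d fragment that both blacklists the three modules and overrides their install command, so neither alias-based autoload nor an explicit `modprobe` can bring them back, and it reports which of them are currently loaded by reading `/proc/modules`. The file name dirty-frag-mitigation.conf and the ability to pass an alternative directory and modules file (used here for offline testing) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or its source): interim Dirty Frag
# mitigation by preventing the esp4, esp6 and rxrpc modules from loading.
MODULES="esp4 esp6 rxrpc"

# Write a modprobe.d fragment. "blacklist" only stops alias-based autoload;
# the "install ... /bin/false" lines also make an explicit modprobe fail.
# $1 = target directory (defaults to /etc/modprobe.d; overridable for tests).
write_blacklist() {
    dir="${1:-/etc/modprobe.d}"
    out="$dir/dirty-frag-mitigation.conf"   # assumed file name
    {
        echo "# Dirty Frag interim mitigation: block vulnerable modules"
        for m in $MODULES; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$out"
    echo "$out"
}

# Print the vulnerable modules that are currently loaded, one per line.
# $1 = modules list in /proc/modules format (defaults to /proc/modules).
loaded_vulnerable_modules() {
    src="${1:-/proc/modules}"
    [ -r "$src" ] || return 0
    for m in $MODULES; do
        # first column of /proc/modules is the module name
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$src"; then
            echo "$m"
        fi
    done
}

# Stand-alone usage: write the blacklist, then unload anything already loaded.
# Unloading is what actually breaks live IPsec and AFS sessions.
if [ "${DIRTY_FRAG_APPLY:-0}" = "1" ]; then
    write_blacklist
    for m in $(loaded_vulnerable_modules); do
        modprobe -r "$m" || echo "could not unload $m (in use?)" >&2
    done
fi
```

Writing the fragment does not unload modules that are already resident; `modprobe -r` (or a reboot) is still required, and it will fail while an IPsec tunnel or AFS mount holds a reference. If a distribution builds ESP into the kernel rather than as a module (it then appears in `/lib/modules/$(uname -r)/modules.builtin` instead of `/proc/modules`), a blacklist cannot help and only a vendor kernel update closes the hole.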
Via BleepingComputer