Dirty Frag is a Linux kernel Local Privilege Escalation (LPE) vulnerability class discovered and reported by Hyunwoo Kim (@v4bel). It chains the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and the RxRPC Page-Cache Write vulnerability (CVE-2026-43500) to obtain root privileges on all major Linux distributions — including Ubuntu, RHEL, Fedora, openSUSE, CentOS, and AlmaLinux — without requiring any race condition.
This exploit is published as accurate technical information following consultation with linux-distros maintainers. Do not use it on systems you are not authorized to test.

After running the exploit, the page cache is contaminated. Clear it with echo 3 > /proc/sys/vm/drop_caches or reboot.

Introduction

Overview of the Dirty Frag vulnerability class, its relationship to Dirty Pipe and Copy Fail, and how the chain works.

Affected versions

Kernel version ranges and tested distribution versions that are vulnerable to Dirty Frag.

Mitigation

Immediate workarounds to block the vulnerable kernel modules while patches are distributed.

Running the exploit

How to compile and run the PoC exploit, including cleanup steps to restore system stability.

Technical analysis

xfrm-ESP Page-Cache Write

Root cause, exploit flow, and patch for the ESP input path that bypasses skb_cow_data and STOREs 4 bytes into read-only page cache.

RxRPC Page-Cache Write

Root cause, exploit flow, and patch for the RxRPC in-place decrypt that overwrites /etc/passwd page cache via pcbc(fcrypt).

Vulnerability chaining

How chaining the ESP and RxRPC variants eliminates each other’s blind spots to achieve universal distribution coverage.

Exploit internals

Deep dive into the C exploit code: namespace setup, SA registration, splice mechanics, and brute-force key search.

CVEs and status

| CVE | Vulnerability | Status |
| --- | --- | --- |
| CVE-2026-43284 | xfrm-ESP Page-Cache Write | Patched in mainline (f4c50a4034e6) |
| CVE-2026-43500 | RxRPC Page-Cache Write | Reserved; no upstream patch yet |

Because the embargo was broken by an unrelated third party on 2026-05-07, this full technical disclosure was published at the request of linux-distros maintainers. See the disclosure timeline for details.
