Published on May 8, 2026
New Linux ‘Dirty Frag’ Zero-Day Gives Root Access on All Major Distros
Severity
Critical
Detail
A newly discovered Linux zero-day vulnerability called “Dirty Frag” allows local attackers to gain full root privileges on many major Linux distributions using a single command. The vulnerability was disclosed by Hyunwoo Kim, who also released a proof-of-concept (PoC) exploit demonstrating the attack.
The flaw exists in the Linux kernel’s algif_aead cryptographic interface and is believed to have been present for nearly nine years. Dirty Frag works by combining two separate kernel flaws:
- xfrm-ESP Page-Cache Write vulnerability
- RxRPC Page-Cache Write vulnerability
By chaining these vulnerabilities together, attackers can modify protected system files directly in memory without proper permission checks, allowing privilege escalation to root access.
Researchers stated that Dirty Frag belongs to the same class of Linux vulnerabilities as Dirty Pipe and Copy Fail because it abuses Linux page-cache memory handling. However, Dirty Frag targets a different kernel memory structure known as the fragment field.
One of the most dangerous aspects of Dirty Frag is its reliability. The exploit does not require race conditions or precise timing, has a very high success rate, and usually does not crash the Linux kernel during failed attempts, making exploitation more stable and reliable than many traditional Linux privilege escalation vulnerabilities.
How?
The attack starts when a local attacker runs a specially crafted exploit on a vulnerable Linux system. Dirty Frag abuses weaknesses in the Linux kernel’s page-cache memory handling within the xfrm-ESP and RxRPC components. This allows attackers to modify protected files stored temporarily in memory without normal permission checks.
Once critical system files or binaries are modified, the attacker can escalate privileges and gain full root access. Unlike many Linux privilege escalation flaws, Dirty Frag does not rely on timing-based race conditions, making the exploit more stable and reliable.
Affected Product:
The following Linux distributions are confirmed to be affected:
- Ubuntu
- Red Hat Enterprise Linux
- CentOS Stream
- AlmaLinux
- openSUSE Tumbleweed
- Fedora
Mitigation
The vulnerability currently does not have an assigned CVE identifier, and patches are not yet available for affected systems. As a temporary mitigation, Linux administrators can disable the vulnerable kernel modules (esp4, esp6, and rxrpc) using the following command:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
However, disabling these modules may affect IPsec VPN services and AFS distributed file systems.
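The mitigation command above discards rmmod errors, so a module that is in use (for example by an active IPsec tunnel) stays loaded without any message. The following check is an added example, not part of the original advisory: the function names are hypothetical, and it assumes the standard /proc/modules and modules.builtin file formats. It reports, for each of the three modules, whether it is still loaded, compiled into the kernel (where a modprobe.d override has no effect), or missing its install override.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the esp4/esp6/rxrpc mitigation.
# File locations are parameters so the checks can be run against copies.
MODULES="esp4 esp6 rxrpc"

# True if a *.conf file in directory $2 maps module $1 to /bin/false
# (the advisory's form) or /bin/true, so modprobe cannot load it.
is_blocked() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)([[:space:]]|\$)" "$2"/*.conf
}

# True if module $1 is listed in $2, a file in /proc/modules format.
is_loaded() {
    grep -qs "^$1 " "$2"
}

# True if module $1 is compiled into the kernel according to $2,
# a file in modules.builtin format (one path ending in NAME.ko per line).
is_builtin() {
    grep -qs "/$1\.ko\$" "$2"
}

# audit [CONF_DIR] [PROC_MODULES] [MODULES_BUILTIN]
# Returns 0 only if every module is unloaded, not built in, and blocked.
audit() {
    conf_dir=${1:-/etc/modprobe.d}
    loaded_list=${2:-/proc/modules}
    builtin_list=${3:-/lib/modules/$(uname -r)/modules.builtin}
    rc=0
    for m in $MODULES; do
        if is_builtin "$m" "$builtin_list"; then
            echo "FAIL $m: built into the kernel, modprobe.d override has no effect"; rc=1
        elif is_loaded "$m" "$loaded_list"; then
            echo "FAIL $m: still loaded"; rc=1
        elif ! is_blocked "$m" "$conf_dir"; then
            echo "FAIL $m: no install override in $conf_dir"; rc=1
        else
            echo "OK   $m: not loaded and blocked from loading"
        fi
    done
    return "$rc"
}

# Run against the live system only when asked: sh check.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; exit $?; fi
```

A non-zero exit status means at least one module is not covered by the mitigation on that host.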
Conclusion
Dirty Frag is a serious Linux kernel vulnerability that allows attackers to quickly gain root access with high reliability. Since no official patches are currently available, organizations should apply temporary mitigations, monitor systems for suspicious activity, and follow vendor advisories closely for security updates.