New Linux 'Dirty Frag' Zero-Day Gives Root On All Major Distros (bleepingcomputer.com)
- Reference: 0183162832
- News link: https://linux.slashdot.org/story/26/05/08/1913238/new-linux-dirty-frag-zero-day-gives-root-on-all-major-distros
- Source link: https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/
> [2]Dirty Frag is a vulnerability class, first [3]discovered and reported by Hyunwoo Kim (@v4bel), that can obtain root privileges on major Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability. Dirty Frag extends the bug class to which [4]Dirty Pipe and [5]Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high. Because the embargo has been broken, no patch or CVE currently exists.
"As with the previous Copy Fail vulnerability, Dirty Frag likewise allows immediate root privilege escalation on all major distributions, and it chains two separate vulnerabilities," Kim said. Detailed technical information can be found [6]here.
BleepingComputer notes that the two vulnerabilities chained by Dirty Frag are "now tracked under the following CVE IDs: the xfrm-ESP one was assigned [7]CVE-2026-43284, and the RxRPC issue is now [8]CVE-2026-43500."
[1] https://slashdot.org/~mrspoonsi
[2] https://github.com/V4bel/dirtyfrag/blob/master/README.md
[3] https://www.openwall.com/lists/oss-security/2026/05/07/8
[4] https://www.hackthebox.com/blog/Dirty-Pipe-Explained-CVE-2022-0847
[5] https://it.slashdot.org/story/26/04/30/207231/new-linux-copy-fail-vulnerability-enables-root-access-on-major-distros
[6] https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md
[7] https://nvd.nist.gov/vuln/detail/CVE-2026-43284
[8] https://nvd.nist.gov/vuln/detail/CVE-2026-43284
Embargo intrigue (Score:2)
There's a little more intrigue here on the breaking of the embargo. Basically the bugs were responsibly reported and the finders helped with writing the patch under embargo. Then when the patch commit dropped, someone instantly figured out that it was the same class of bug as Copy Fail. And then [1]someone wrote new exploit code [afflicted.sh] for the bug before the patch worked its way through. No one improperly leaked something, but watching new patches for previous exploits was quicker than the patch could work its
[1] https://afflicted.sh/blog/posts/copy-fail-2.html
Re: (Score:2)
Also intriguing is that it's a [1]Michael Bolton situation [youtube.com] with Hyunwoo Kim's name shared by a [2]K-Pop Star / Actor [wikipedia.org]
[1] https://www.youtube.com/watch?v=fhxRAsnizbk
[2] https://en.wikipedia.org/wiki/Hyun_Woo
Re: (Score:2)
Just once, I'd like to see the white hat turn out to be someone like [1]Jisoo [ranker.com]...
[1] https://www.ranker.com/review/jisoo/85372364?l=3229691
how ironic! (Score:2)
The post itself has an error. The last link's URL points to the same page as its predecessor. There is no record for 43500.
Re: (Score:2)
According to [1]Alma Foundation [almalinux.org], that is the reserved CVE number, but it's pending publication.
Probably because it was released before the embargo was supposed to be lifted.
[1] https://almalinux.org/blog/2026-05-07-dirty-frag/
On your mark, get set... GO! (Score:3)
Quick - copy and paste all your comments from the "Copy Fail" discussion over here!
Re: (Score:3)
> "Quick - copy and paste all your comments from the "Copy Fail" discussion over here!"
Pretty much :) It is essentially the same issue, found in three other kernel modules. AlmaLinux and others already have pages up about it. These are serious issues for multiuser/multitenant servers needing to mitigate immediately. Not so much for single-user or home systems.
Copy Fail used the algif_aead module and for enterprise Linuxes, that is built into the kernel. So either update the kernel, or mitigate with:
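The same "is it built in, a module, or loaded?" question the comment above raises for algif_aead applies to the two subsystems Dirty Frag chains. The following is an added inventory check, not code from the post, the write-up, or any distribution; it assumes xfrm-ESP corresponds to the kernel config symbol CONFIG_INET_ESP (module esp4; CONFIG_INET6_ESP/esp6 is the IPv6 counterpart) and RxRPC to CONFIG_AF_RXRPC (module rxrpc). It reports attack-surface presence only; whether a build is patched must be checked against the distribution's advisory.

```shell
# Added example (not from the post or the Dirty Frag write-up): report whether
# a kernel build carries the xfrm-ESP and RxRPC subsystems and whether the
# corresponding modules are currently loaded. Config-symbol and module-name
# mapping is an assumption stated in the lead-in.

# $1: kernel config symbol, $2: path to a kernel config file.
# Prints builtin (=y), module (=m) or absent.
config_state() {
  if grep -q "^$1=y" "$2" 2>/dev/null; then echo builtin
  elif grep -q "^$1=m" "$2" 2>/dev/null; then echo module
  else echo absent; fi
}

# $1: module name, $2: path to a /proc/modules-style file. Exit 0 if loaded.
module_loaded() {
  grep -q "^$1 " "$2" 2>/dev/null
}

# $1: config file, $2: modules file. One "subsystem state" line per subsystem,
# where state is builtin, module, loaded (module present and loaded) or absent.
surface_report() {
  for entry in xfrm-esp:CONFIG_INET_ESP:esp4 rxrpc:CONFIG_AF_RXRPC:rxrpc; do
    name=${entry%%:*}; rest=${entry#*:}; sym=${rest%%:*}; mod=${rest#*:}
    state=$(config_state "$sym" "$1")
    if [ "$state" = module ] && module_loaded "$mod" "$2"; then state=loaded; fi
    echo "$name $state"
  done
}

# Constructed sample inputs so the script runs offline: a typical distro
# build with ESP and RxRPC as modules, and esp4 currently loaded.
SAMPLE_CFG=$(mktemp); SAMPLE_MODS=$(mktemp)
printf 'CONFIG_INET_ESP=m\nCONFIG_INET6_ESP=m\nCONFIG_AF_RXRPC=m\n' > "$SAMPLE_CFG"
printf 'esp4 36864 0 - Live 0x0000000000000000\n' > "$SAMPLE_MODS"

# On a live host: surface_report "/boot/config-$(uname -r)" /proc/modules
surface_report "$SAMPLE_CFG" "$SAMPLE_MODS"
```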
Re: (Score:2)
[1]AlmaLinux has already patched it [almalinux.org].
[1] https://almalinux.org/blog/2026-05-07-dirty-frag/