Newly disclosed "Dirty Frag" vulnerability left Linux exposed for nearly a decade

Alfonso Maruccia

Facepalm: The open-source community is once again facing a major security incident tied to an "unprecedented" vulnerability. The new flaw could give local attackers a reliable way to escalate their privileges to root, and no patch is available yet. Fortunately, the mitigation is relatively straightforward. Still, kernel developers are growing frustrated with the seemingly endless stream of critical bugs.

Hyunwoo Kim, also known as "V4bel," recently disclosed "Dirty Frag," a dangerous security vulnerability that gives local attackers root access on Linux-based systems. All major – and likely many minor – Linux distributions are affected by the issue, which for now can only be mitigated, since no patch is available yet. Kim had in fact planned to disclose the bug at a later date, but a third party forced the issue into the open before fixes could be prepared.

Dirty Frag is the second critical Linux root exploit disclosed in two weeks, affecting Ubuntu, RHEL, Fedora, openSUSE, and most other major distributions.

Dirty Frag is a universal local privilege escalation vulnerability that belongs to the same class as Dirty Pipe and the recently disclosed Copy Fail, V4bel explained. Bugs in this class let an unprivileged process write into the kernel's page cache for a file it is only allowed to read, so the modified contents are visible to every process that subsequently reads the file even though the attacker was never permitted to write to it. The exploit chains together two separate vulnerabilities – xfrm-ESP Page-Cache Write (CVE-2026-43284) and RxRPC Page-Cache Write (CVE-2026-43500) – into a deterministic exploitation method that does not crash the kernel and has a high success rate.

Dirty Frag has existed in the Linux kernel for at least nine years, as the xfrm-ESP Page-Cache Write vulnerability was first introduced in 2017. V4bel successfully tested the exploit on recent versions of Ubuntu Linux, RHEL, openSUSE Tumbleweed, CentOS Stream, AlmaLinux, and Fedora. Most modern Linux distributions are likely affected by the issue.

After discovering Dirty Frag, Hyunwoo Kim was reportedly working with Linux developers to fix the issue before publicly disclosing it. However, an unnamed third party published a working proof of concept earlier than anticipated, forcing the researcher to disclose the vulnerability more than a month ahead of schedule.

The Dirty Frag chain itself has yet to receive its own tracking CVE (its two component bugs are tracked separately), but the Linux community is already scrambling to mitigate the issue. The vulnerability can be neutralized by unloading the vulnerable esp4, esp6, and rxrpc modules and keeping them from being loaded again; on a stock distribution kernel that builds them as loadable modules, this is a single console command. The trade-off is that the mitigation also disables IPsec ESP, which IPsec-based VPN services depend on, and the kernel's AFS distributed file system client, which depends on rxrpc.
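The module-removal mitigation described above, as an added example written for this page rather than code from V4bel's write-up or from any distribution: a small POSIX shell script that reports which of the three modules are loaded, refuses to unload a module something still uses (rxrpc while an AFS volume is mounted, for instance), and writes a modprobe.d rule so the modules cannot be auto-loaded again. Only the module names come from the article; the config file name, the script's check/apply interface, and the sample /proc/modules text used in the comments are assumptions made here.

```shell
#!/bin/sh
# Added example for this article; not V4bel's mitigation script and not from
# any distribution. Assumes the module names the article gives (esp4, esp6,
# rxrpc) and a kernel that builds them as loadable modules. The config file
# name /etc/modprobe.d/dirty-frag-mitigation.conf is an arbitrary choice.

VULN_MODULES="esp4 esp6 rxrpc"

# Read /proc/modules-style text on stdin and print the vulnerable modules that
# are currently loaded, one per line, in the order they appear. Each line of
# /proc/modules looks like:  "name size refcount deps state addr"
loaded_vuln_modules() {
    awk -v want="$VULN_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) vuln[w[i]] = 1 }
        ($1 in vuln) { print $1 }'
}

# Print the vulnerable modules from stdin whose use count (third field) is
# non-zero; modprobe -r would fail on these until the user is gone.
busy_vuln_modules() {
    awk -v want="$VULN_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) vuln[w[i]] = 1 }
        ($1 in vuln) && $3 > 0 { print $1 }'
}

# Emit modprobe.d lines that make every later load attempt fail, including the
# on-demand autoload the kernel performs when a process creates an AF_RXRPC
# socket or configures an ESP IPsec state. A plain "blacklist" line only stops
# alias-based loading; "install <mod> /bin/false" also blocks "modprobe <mod>".
blacklist_config() {
    for m in $VULN_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Apply the mitigation on the running system. Needs root; not run by default.
apply_mitigation() {
    conf=/etc/modprobe.d/dirty-frag-mitigation.conf   # assumed file name
    blacklist_config > "$conf"
    busy="$(busy_vuln_modules < /proc/modules)"
    if [ -n "$busy" ]; then
        echo "still in use, unmount/disconnect first: $busy" >&2
        return 1
    fi
    for m in $(loaded_vuln_modules < /proc/modules); do
        modprobe -r "$m" || return 1
    done
    # Built-in modules never appear in /proc/modules and cannot be removed;
    # such a kernel needs the upstream fix rather than this script.
    if grep -qE '/(esp4|esp6|rxrpc)\.ko' "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null; then
        echo "warning: at least one module is built into this kernel, mitigation incomplete" >&2
    fi
    return 0
}

case "${1:-}" in
    apply) apply_mitigation ;;
    check) loaded_vuln_modules < /proc/modules ;;
esac
```

Run it with `check` as any user to see which of the three modules are loaded, and with `apply` as root to unload them and write the modprobe rule. The rule matters because `rmmod` alone is not durable: the kernel will load rxrpc or esp4 again the next time an unprivileged process asks for the corresponding socket family or transform, which is exactly the path a local attacker controls.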

In his detailed write-up, V4bel also shared code designed to fully neutralize Dirty Frag within the affected modules themselves. The researcher warned that even after applying the mitigations for Copy Fail, the Linux kernel remains vulnerable to Dirty Frag until additional countermeasures – either mitigations or a full patch – are in place.

Major kernel-level security vulnerabilities are appearing at an increasingly alarming pace, and Linux maintainers are now working on a significant change aimed at reducing the window of exploitability. Kernel developers are proposing a "Killswitch" feature that would temporarily disable specific kernel functions affected by critical flaws, giving system administrators a way to keep systems – and businesses – running while proper patches are developed.

Patches are available already: https://www.phoronix.com/news/Linux-7.0.6-Released; mitigations were available 2 days ago.

What is important, and what was not mentioned in this article, was the way the critical vulnerability was exposed. Usually, information is sent privately to the interested parties, but a third party simply broke the embargo, causing all this crap. And no, there were no exploits. Additionally, it doesn't really affect the local systems, so normal users are safe.
 
Within 1 month of news surfacing that Claude's Project Mythos is too dangerous to release, two of Linux's most severe vulnerabilities that are decades-old became public. Researchers were already working with Linux to solve them. This is not a coincidence. Expect more to come.

https://www.techspot.com/news/111991-anthropic-deploys-unreleased-ai-model-hunt-software-flaws.html/
https://red.anthropic.com/2026/mythos-preview/

Anthropic said:
As we discuss below, we’re limited in what we can report here. Over 99% of the vulnerabilities we’ve found have not yet been patched, so it would be irresponsible for us to disclose details about them (per our coordinated vulnerability disclosure process). Yet even the 1% of bugs we are able to discuss give a clear picture of a substantial leap in what we believe to be the next generation of models’ cybersecurity capabilities. [...]

During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so. The vulnerabilities it finds are often subtle or difficult to detect. Many of them are ten or twenty years old, with the oldest we have found so far being a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security.
 
Linux doesn't have bullet proof security after all, NO big surprise!! The security of "all eyes on the code" was debunked years ago, but still clung to by Linux users despite the evidence. It is ridiculous to think that with so many altering Linux code in so many distros (over 600 active distros), there could be any semblance of code quality control.
 
Linux doesn't have bullet proof security after all, NO big surprise!! The security of "all eyes on the code" was debunked years ago, but still clung to by Linux users despite the evidence. It is ridiculous to think that with so many altering Linux code in so many distros (over 600 active distros), there could be any semblance of code quality control.

Techno-tribalism only serves to hinder one’s progress by limiting oneself to one set of ideas. In the professional world, we don't care about the sticker on the laptop; we care about the reliability of the output. If loyalty to a brand is keeping someone from using the best tool available, they’re not an expert—they’re just a customer.

Arguing that the number of distros prevents quality control is either a fundamental misunderstanding of how kernel development and upstream security actually function, or suggestive of a narrow view of how the computing environment operates in practice.

Computers are tools. Each platform has individual strengths. Use the right tool for the task.
 
Linux doesn't have bullet proof security after all, NO big surprise!! The security of "all eyes on the code" was debunked years ago, but still clung to by Linux users despite the evidence. It is ridiculous to think that with so many altering Linux code in so many distros (over 600 active distros), there could be any semblance of code quality control.
Linux is open source, so it often has more publicly reported vulnerabilities than proprietary operating systems. That doesn’t necessarily mean it’s less secure; vulnerabilities are simply more likely to be discovered, disclosed, and patched in the open.

It’s a double-edged sword that helps both defenders and attackers, and that’s been true for many decades.
 
Linux doesn't have bullet proof security after all, NO big surprise!! The security of "all eyes on the code" was debunked years ago, but still clung to by Linux users despite the evidence. It is ridiculous to think that with so many altering Linux code in so many distros (over 600 active distros), there could be any semblance of code quality control.

https://madaidans-insecurities.github.io/linux.html
 
Within 1 month of news surfacing that Claude's Project Mythos is too dangerous to release, two of Linux's most severe vulnerabilities that are decades-old became public. Researchers were already working with Linux to solve them. This is not a coincidence. Expect more to come.

https://www.techspot.com/news/111991-anthropic-deploys-unreleased-ai-model-hunt-software-flaws.html/
https://red.anthropic.com/2026/mythos-preview/

But if it wasn't released then how was it used?

Maybe I'm not understanding what you're saying
 