A new Linux zero-day exploit, named Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command.
Security researcher Hyunwoo Kim, who disclosed it earlier today and published a proof-of-concept (PoC) exploit, says this local privilege escalation was introduced roughly nine years ago in the Linux kernel’s algif_aead cryptographic algorithm interface.
Dirty Frag works by chaining two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability, to modify protected system files in memory without authorization and achieve privilege escalation.
Also, while Dirty Frag belongs to the same class as the Dirty Pipe and Copy Fail Linux vulnerabilities, it exploits the fragment field of a different kernel data structure.
“As with the previous Copy Fail vulnerability, Dirty Frag likewise allows immediate root privilege escalation on all major distributions, and it chains two separate vulnerabilities,” Kim said.
“Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”
This kernel privilege escalation affects a wide range of Linux distros, including Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora, which have not yet received patches.
Kim released complete Dirty Frag documentation and a PoC exploit with distribution maintainers’ agreement after an embargo on full public disclosure was broken on May 7, 2026, when an unrelated third party independently published the exploit.
“Because the embargo has currently been broken, no patch or CVE exists. After consultation with the maintainers on [email protected] and at their request, this Dirty Frag document is being published,” Kim said.
To secure systems against attacks, Linux users can use the following command to remove the vulnerable esp4, esp6, and rxrpc kernel modules (however, it’s important to note that this will break IPsec VPNs and AFS distributed network file systems):
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
Depends on the host setup I guess. I have SSH and Remote Desktop disabled on my PC, so I assume they’d need to be in my house to do this.
If you have any other service running, it’s possible that there may be a vulnerability or misconfiguration there which allows an attacker to exploit it and remotely exploit code.
Hackers can get very creative. Just because you don’t have a remote access software running doesn’t necessarily mean you’re safe. Remember log4shell? Triggering specific log messages in many different services could be used to let the machine initiate a connection to another machine for remote code execution.
Companies with Linux desktops and multi user servers are worried, hosting companies are too, this can break out of the containers they lease to CUSTOMERS. And you should too if you don’t roll all your own docker containers, supply chain attacks can break out of containers and hose your system
Ah! Customers jump scare!
You just need to click on the wrong website or email link.