A new Linux local privilege escalation (LPE) vulnerability is making the rounds today — and it’s a serious one. Dubbed DirtyFrag, it was discovered by Korean security researcher Hyunwoo Kim and belongs to the same bug class as the notorious Dirty Pipe and Copy.Fail exploits. As of right now, there are no patches available from any major distribution.
What makes DirtyFrag particularly alarming is that the embargo was supposed to hold until May 12 — but an unrelated third party published the ESP exploit code publicly today, forcing the disclosure window shut early. If you’re running a vulnerable system, you need to act now.
How DirtyFrag Works
DirtyFrag chains two distinct Linux kernel page-cache write bugs together, and that combination is what makes it so powerful:
- xfrm-ESP bug — This vulnerability has been lurking in the kernel since January 2017. It provides an arbitrary 4-byte STORE primitive, functionally similar to the bug exploited by Copy.Fail. The long time-in-tree means virtually every production Linux system is affected.
- RxRPC bug — Introduced in June 2023, this bug has a critical advantage over similar exploits: it does not require namespace creation privileges, which is a common prerequisite that limits exploitability in hardened environments.
Together, these two bugs cover each other’s blind spots. The xfrm-ESP bug provides the write primitive; the RxRPC bug provides the privilege foothold without the usual namespace restriction. The result is a reliable path to root.
Unlike many kernel exploits that rely on race conditions, DirtyFrag is a deterministic logic bug. No timing luck required — it works with a high success rate on the first attempt.
Kim had submitted the rxrpc fix to the netdev mailing list on April 29. The coordinated disclosure was set for May 12, but today’s early public release of the ESP exploit code collapsed the embargo.
Affected Systems
DirtyFrag has been confirmed to achieve root on the following systems:
- Ubuntu 24.04.4 (kernel 6.17.0-23-generic)
- RHEL 10.1
- CentOS Stream 10
- AlmaLinux 10
- openSUSE Tumbleweed
- Fedora 44
Given the age of the xfrm-ESP bug (2017), any major Linux distribution running a kernel from the past eight years should be considered potentially vulnerable until patches are confirmed.
Current Status — Why Is There No CVE?
No CVE has been assigned to DirtyFrag as of today. The coordinated disclosure process was in progress — Kim had been working with kernel maintainers and submitted the rxrpc patch to the netdev mailing list on April 29. The embargo was scheduled to lift on May 12, giving distributions time to prepare patches.
That timeline was broken today when an unrelated third party independently published the ESP exploit publicly. With working exploit code now in the open, the embargo became meaningless. The security community is now operating in a forced full-disclosure window with no official patches ready.
A proof-of-concept is publicly available at https://github.com/V4bel/dirtyfrag.
What to Do Right Now
There are no vendor patches available at this time. Until patches land, the recommended interim mitigation is to disable the vulnerable kernel modules entirely. Run the following command as root:
printf 'install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
' > /etc/modprobe.d/dirtyfrag.conf && rmmod esp4 esp6 rxrpc 2>/dev/null
After running the command, reboot or verify the modules have been unloaded. Note that disabling these modules may affect systems using IPsec (esp4/esp6) or AFS/kernel-level RxRPC (rxrpc). Evaluate the impact on your environment before applying broadly.
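One way to do that verification, as an added example rather than code from the researcher or any vendor: a POSIX shell audit that reports, for each of esp4, esp6 and rxrpc, whether the module is still listed in /proc/modules and whether an active "install ... /bin/false" line exists under /etc/modprobe.d. The function names and the sample data at the end are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the PoC repo or any vendor): audit the interim
# DirtyFrag mitigation. File arguments exist so it can run on constructed data.
MODULES="esp4 esp6 rxrpc"

# module_loaded NAME [PROC_MODULES]: true if NAME is currently loaded.
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}"
}

# module_blocked NAME [MODPROBE_DIR]: true if some *.conf holds an active
# "install NAME /bin/false" line (commented-out lines do not count).
module_blocked() {
    for f in "${2:-/etc/modprobe.d}"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { hit = 1 }
            END { exit !hit }' "$f" && return 0
    done
    return 1
}

# audit_dirtyfrag [PROC_MODULES] [MODPROBE_DIR]: prints one line per module,
# returns the number of modules that are still loaded or not blocked.
audit_dirtyfrag() {
    gaps=0
    for m in $MODULES; do
        loaded=no; blocked=no
        module_loaded "$m" "$1" && loaded=yes
        module_blocked "$m" "$2" && blocked=yes
        echo "$m loaded=$loaded blocked=$blocked"
        if [ "$loaded" = yes ] || [ "$blocked" = no ]; then gaps=$((gaps + 1)); fi
    done
    return "$gaps"
}

# Constructed sample: rxrpc is still loaded and its install line is commented out.
demo_dir=$(mktemp -d)
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n#install rxrpc /bin/false\n' \
    > "$demo_dir/dirtyfrag.conf"
printf 'rxrpc 413696 1 - Live 0x0000000000000000\n' > "$demo_dir/modules"
audit_dirtyfrag "$demo_dir/modules" "$demo_dir" || echo "modules needing attention: $?"
rm -rf "$demo_dir"
```

On a live host, call audit_dirtyfrag with no arguments to read /proc/modules and /etc/modprobe.d directly. A non-zero return means at least one module is still loaded or can still be loaded on demand.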
Additionally:
- Monitor your distribution’s security advisories closely — patches are expected within days.
- Restrict local user access on sensitive systems until patches are applied.
- Treat this as an active threat: working exploit code is public.