Dirty Frag: Universal Linux LPE

May 8, 2026 · security systems devtools · Source ↗

Researcher Hyunwoo Kim (@v4bel) dropped a working root exploit for all major Linux distros before any patch exists—embargo broken, PoC live, CVE assigned but unpatched.

What Matters

Chains xfrm-ESP Page-Cache Write (CVE-2026-43284, patched mainline) with RxRPC Page-Cache Write (CVE-2026-43500, no patch anywhere yet).
xfrm-ESP bug has been exploitable since commit cac2661c53f3 on 2017-01-17—roughly 9 years of exposure.
No race condition required; deterministic logic bug means near-100% success rate and no kernel panic on failure.
Bypasses the publicly known Copy Fail mitigation (algif_aead blacklist); same sink, different trigger path.
Tested confirmed-working on Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed 7.0.2, Fedora 44, AlmaLinux 10, CentOS Stream 10.
Immediate mitigation: blacklist esp4, esp6, rxrpc modules via /etc/modprobe.d/dirtyfrag.conf and drop page cache; one shell command provided.
After exploit runs, page cache is contaminated; must run echo 3 > /proc/sys/vm/drop_caches or reboot to restore stability.

Original | Discuss on HN

Bentos

Topics

Dirty Frag: Universal Linux LPE

What Matters

Bentos

Topics

What Matters

Related coverage

Removing fsync from our local storage engine

Killswitch: Per-function short-circuit mitigation primitive

Boosting multimodal inference performance by >10% with a single Python dict

I built GitHub Store to 12,500 stars in 6 months – I started at 16