Dirty Frag Linux zero-day: root via one command

Dirty Frag is a new Linux zero-day that chains kernel flaws for deterministic local root access on many major distros.

A new Linux zero-day named Dirty Frag is being described as a fast route to full system control: a local attacker can gain root privileges on most major Linux distributions using a single command.

The disclosure comes from security researcher Hyunwoo Kim, who released both details and a proof-of-concept (PoC) exploit. Kim said the privilege escalation was introduced about nine years ago inside the Linux kernel’s algif_aead cryptographic algorithm interface, meaning the underlying weakness has likely been present through multiple kernel releases.

Dirty Frag does not rely on a timing race. Instead, Kim said it works by chaining two separate kernel flaws: an xfrm-ESP page-cache write vulnerability and an RxRPC page-cache write vulnerability. The combined technique lets the attacker modify protected system files in memory without authorization, which is what enables the jump to elevated privileges.

While Dirty Frag is described as belonging to the same broader class as earlier Linux vulnerabilities such as Dirty Pipe and Copy Fail, Kim said it targets a different part of the kernel’s data structures. He characterized Dirty Frag as a deterministic logic issue that does not require a timing window, with an exploit flow that “does not depend on a race condition.” That determinism is also part of why the researcher expects a very high success rate.

The affected scope is wide. Kim’s write-up states that Dirty Frag impacts a range of popular Linux distributions, including Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora. As of the disclosure, those systems “have not yet received patches,” leaving administrators to treat the issue as unmitigated in the immediate term.

The PoC publication followed a broken embargo. Kim released complete Dirty Frag documentation and an exploit after an embargo on full public disclosure was lifted on May 7, 2026, when a separate third party independently published the exploit. Kim said that, because the embargo has already been broken, there is currently no patch and no CVE assigned. After consulting with maintainers on linux-distros@vs.openwall.org and at their request, the document was made public.

For Linux users looking for immediate risk reduction, the researcher provided a mitigation command intended to remove specific kernel modules associated with the vulnerable functionality. The instructions call for disabling the esp4, esp6, and rxrpc modules, using a command that writes a modprobe configuration to block loading, removes the modules, and suppresses errors. It also includes an important warning: doing so can break IPsec VPNs and AFS distributed network file systems.
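The article describes the shape of the mitigation (write a modprobe configuration that blocks loading, unload the modules, suppress errors) but does not reproduce the researcher's exact command. The script below is an added illustration written for this page, not Kim's command and not from any distribution; the configuration file name and the `check` step that inspects `/proc/modules` reference counts before anything is unloaded are this editor's own additions, intended to surface the IPsec/AFS breakage risk the researcher warns about before it happens.

```shell
#!/bin/sh
# Added example: Dirty Frag interim mitigation helper (not the researcher's
# own command). Blocks the esp4/esp6/rxrpc modules named in the article.
# Usage:  sh mitigate.sh show   - print the modprobe.d configuration
#         sh mitigate.sh check  - list affected modules that are loaded, with refcounts
#         sh mitigate.sh apply  - write the config and unload the modules (needs root)

MITIGATED_MODULES="esp4 esp6 rxrpc"
# Assumed file name; any name under /etc/modprobe.d/ works.
MITIGATION_CONF="${MITIGATION_CONF:-/etc/modprobe.d/dirty-frag-mitigation.conf}"

# Render the modprobe.d content. "install <mod> /bin/false" makes any load
# attempt (including explicit modprobe) fail; "blacklist" alone only stops
# alias-based autoloading, so both directives are emitted.
render_mitigation_conf() {
    printf '# Interim Dirty Frag mitigation: block vulnerable modules from loading\n'
    for m in $MITIGATED_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# List affected modules present in a /proc/modules-style file together with
# their reference count (third column). A non-zero refcount means something
# (an IPsec tunnel, an AFS mount) is actively using the module and would be
# disrupted by unloading it. Takes an optional path so it can be tested
# against a constructed file.
loaded_affected_modules() {
    modfile="${1:-/proc/modules}"
    [ -r "$modfile" ] || return 0
    awk '$1 == "esp4" || $1 == "esp6" || $1 == "rxrpc" { print $1, "refcount=" $3 }' "$modfile"
}

# Return 0 if any affected module is loaded with a non-zero refcount, 1 otherwise.
affected_modules_in_use() {
    loaded_affected_modules "$1" | grep -q 'refcount=[1-9]'
}

# Write the configuration and unload the modules, suppressing errors from
# modules that are not loaded or cannot be removed (as the article describes).
apply_mitigation() {
    render_mitigation_conf > "$MITIGATION_CONF"
    for m in $MITIGATED_MODULES; do
        modprobe -r "$m" 2>/dev/null || true
    done
}

case "${1:-}" in
    show)  render_mitigation_conf ;;
    check) loaded_affected_modules
           if affected_modules_in_use; then
               echo "WARNING: affected modules are in use; unloading may break IPsec VPNs or AFS" >&2
           fi ;;
    apply) apply_mitigation ;;
esac
```

Running `check` first lets a team see whether the workaround would cut off a live VPN or AFS mount on that host; `apply` only blocks future loads and unloads what it can, so a module pinned by an active user stays loaded until that user is stopped, which is the trade-off the article's warning points at.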

This disclosure arrives while the Linux ecosystem is still working through other root-privilege vulnerabilities. Dirty Frag was reported as emerging at the same time maintainers continue rolling out fixes for “Copy Fail,” another Linux root escalation flaw that has also been actively targeted in real attacks.

Copy Fail has now been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog. The action orders federal agencies to secure their Linux devices within two weeks, with a deadline of May 15. CISA previously warned that this type of vulnerability is a frequent entry point for malicious actors and urged agencies to apply vendor mitigations, follow cloud guidance where applicable, or discontinue use of products if mitigation options are unavailable.

There is also a longer history in the category. In April, Linux distributions patched a root-privilege escalation vulnerability called Pack2TheRoot, which had been introduced in the PackageKit daemon roughly a decade earlier before it was discovered.

As the Dirty Frag details evolved, tracking information was updated. In a May 8 update, the two page-cache write vulnerabilities chained by Dirty Frag were assigned CVE IDs: the xfrm-ESP page-cache issue received CVE-2026-43284, and the RxRPC issue was assigned CVE-2026-43500.

One theme connecting these recent incidents is how kernel-level primitives are being turned into reliable privilege escalations. Even when each bug is individually subtle, the ability to chain them, and to do so deterministically, raises the practical risk for systems that aren’t patched quickly. It also underscores why defenders have been focusing not only on “known exploited” listings, but on fast mitigation paths when fixes are still in progress.

For administrators, the immediate challenge is balancing containment with operational requirements. The provided module-removal mitigation can reduce exposure, but it may also disrupt common services relying on IPsec VPNs and AFS networking, so teams may need to weigh which environments can safely apply the workaround while waiting for official updates.
