Linux has a new headache: the critical Dirty Frag vulnerability lets a local user gain administrator rights on many popular distributions, and there is no patch yet in either distribution releases or the mainline kernel. It is the second major Linux flaw in a month after Copy Fail, and both point to the same weakness: long-lived kernel bugs that went unnoticed for too long.

Ubuntu, Arch, RHEL, Fedora, OpenSUSE, CentOS Stream, Alma, and even WSL2 on Windows 11 are affected. For an ordinary user, the attack is disarmingly simple: a small program runs, and a local account turns into an administrator with no special settings required.

How Dirty Frag works

Technically, the attack follows the same idea as Copy Fail but uses a different part of the code. An attacker injects a page-cache descriptor into the splice operation through Linux’s zero-copy mechanism and can then write data to files they should not be able to access. After that, it is only a matter of time.

The vulnerable code is tied to IPSec network encryption modules. The xfrm-ESP Page Cache Write flaw appeared in commit cac2661c53f3 in 2017, and the proof of concept also chains a second bug, RxRPC Page-Cache Write from commit 2dc334f1a63a. For Ubuntu users, there is one ironic detail: built-in AppArmor blocks the first hole, so the PoC has to go around it.

What can be disabled right now

The workaround is refreshingly blunt: disable three kernel components – esp4, esp6, and rxrpc. They are mainly used for enterprise VPN scenarios and IPSec encryption, so for most workstations and servers, turning them off should go almost unnoticed. It is not an ideal answer, but it is better than waiting while another local kernel flaw turns into a full system takeover.
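One way to apply and verify that workaround, as an added example written for this page and not code from the article or from any distribution: it blacklists the three modules so they cannot be loaded on demand, unloads them immediately, and checks the one case in which the workaround cannot help, modules compiled into the kernel rather than loadable. The drop-in file name under /etc/modprobe.d is an assumption.

```shell
# Added example, not from the article: apply the "disable esp4, esp6, rxrpc"
# workaround on a modprobe-based distribution and verify it. Assumes standard
# modprobe.d syntax plus /proc/modules and modules.builtin; apply as root.
MODULES="esp4 esp6 rxrpc"

# Write a modprobe.d drop-in. "blacklist" alone only stops alias-based
# autoloading; "install <mod> /bin/false" also makes an explicit load request
# fail, which is what keeps the module from coming back on demand.
write_modprobe_conf() {
    conf="$1"   # e.g. /etc/modprobe.d/disable-esp-rxrpc.conf (assumed name)
    : > "$conf"
    for m in $MODULES; do
        printf 'blacklist %s\n' "$m" >> "$conf"
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
}

# Modules compiled into the kernel cannot be unloaded or blacklisted; print
# any of ours listed in the modules.builtin file given as $1.
builtin_modules() {
    for m in $MODULES; do
        [ -r "$1" ] && grep -q "/$m\.ko" "$1" && echo "$m"
    done
    return 0
}

# Print modules from our list found in a /proc/modules-style file ($1).
# Returns 0 when none is loaded, 1 otherwise.
check_not_loaded() {
    status=0
    for m in $MODULES; do
        if [ -r "$1" ] && grep -q "^$m " "$1"; then
            echo "still loaded: $m"
            status=1
        fi
    done
    return $status
}

# Unload now; the drop-in keeps the modules out after a reboot.
unload_now() {
    for m in $MODULES; do modprobe -r "$m" 2>/dev/null || true; done
}
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then   # explicit opt-in
    write_modprobe_conf /etc/modprobe.d/disable-esp-rxrpc.conf
    unload_now
    builtin_modules "/lib/modules/$(uname -r)/modules.builtin"
    check_not_loaded /proc/modules && echo "esp4/esp6/rxrpc not loaded"
fi
```

Run it as root with the argument apply; the check functions also work on a saved copy of /proc/modules or modules.builtin taken from another host.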

The situation gets worse because Linux developers were warned about the issue on April 30, but a third party broke the agreement and disclosed the vulnerability ahead of schedule. Tom’s Hardware says that is why active exploitation in the wild looks likely. Linux has historically been hit by rare but loud local privilege-escalation bugs; now administrators face a more boring and more expensive choice: cut features quickly or wait for a fix that still does not exist.

Why Copy Fail was only a warm-up

  • Copy Fail already has patches; Dirty Frag does not.
  • Both vulnerabilities rely on kernel bugs, not exotic conditions.
  • Dirty Frag affects current and updated systems, including the latest Ubuntu and Arch releases.

The lack of a fix in the mainline Linux kernel is the worst part of the story. These kinds of bugs are usually closed quietly before they become a topic outside developer circles, but this chain of events clearly did not go to plan. The next step is likely to be a mix of urgent updates, temporary module disablement, and very nervous system administrators.

Source: 3dnews
