Linux faces a new challenge with the emergence of "Dirty Frag", a set of vulnerabilities also known as Copy Fail 2. These high-severity flaws, formally tracked as CVE-2026-43284 and CVE-2026-43500, allow an unprivileged local user to gain full administrator (root) access by directly overwriting data in the operating system's page cache.
The threat has proven to be exceptionally versatile and dangerous: a researcher managed to develop a working exploit capable of compromising virtually all current distributions, forcing system administrators to act immediately on a problem that came to light sooner than expected because of an accidental leak of information.
Dirty Frag is not an isolated glitch; it encompasses two distinct vulnerabilities that reside in independent subsystems of the Linux kernel:
- The xfrm-ESP module, responsible for accelerating IPsec encryption operations using the Encapsulating Security Payload (ESP) protocol.
- The RxRPC module, responsible for managing remote procedure calls over UDP.
Although they operate in different areas and were introduced in different years, both vulnerabilities share the same underlying attack vector: faulty optimizations in memory management. Depending on the security configuration and the modules loaded in each distribution, an attacker can exploit one or the other path to escalate their privileges and take absolute control of the affected server.
Faulty optimizations and memory manipulation
The internal mechanics of these vulnerabilities share a striking similarity with the recent Copy Fail flaw. The central problem arises during the decryption of data in the same memory space, known as "in-place" operations, combined with the use of a specific file transfer function.
To move data between file descriptors and pipes without physically copying it, the system passes direct references to items stored in the page cache. The critical flaw occurs because the write offsets used during this process were calculated without applying the safety checks appropriate for this type of direct reference, allowing a meticulously crafted malicious request to overwrite exactly four bytes in the cache of any file loaded into the system.
The risk lies in how modern operating systems manage file reads efficiently: since every read request first retrieves information from the page cache in RAM to speed up performance, an alteration in this volatile space causes the kernel to deliver counterfeit data instead of the real content stored securely on disk.
The exploit method leverages this architecture to modify the cached version of a critical executable that runs with superuser privileges, injecting malicious code directly into memory. When this compromised tool is executed, the system runs the injected code with absolute privileges, granting instant root access without ever altering the original physical file.
Exploitation and leak of the security patch
To carry out this attack successfully, a malicious actor needs to bypass certain defenses depending on the target module. The vulnerability in the xfrm-ESP subsystem requires that the user have permission to create namespaces, an action that hardened distributions such as Ubuntu block by default with strict AppArmor rules. To get around these shields, researchers developed a combined exploit that also attacks the RxRPC module, which is typically loaded by default on a vast number of systems. This versatility has allowed them to confirm the effectiveness of the escalation attack on the latest stable versions of Linux distributions.
The handling of this crisis suffered a serious operational setback when essential technical details were leaked before the scheduled release date. At the end of April, several corrective patches were sent to public network development mailing lists without any warning about their direct relationship to a critical privilege escalation vulnerability.
An independent security researcher analyzed these changes in the repository, recognized the similarity to the original Copy Fail vulnerability, and managed to develop and publish a working exploit, completely unaware that a confidentiality embargo was in place. Fortunately, corrected kernel versions have already begun to be distributed en masse to address both flaws, and for systems that cannot yet apply the final updates, it is strongly recommended to block loading of the esp4, esp6, and rxrpc modules as an emergency mitigation measure.
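The emergency mitigation just described, as an added shell example that is not from the article or from any distribution's advisory: a modprobe.d drop-in that refuses to load esp4, esp6 and rxrpc, plus a check of which of them are already resident. The drop-in file name is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): emergency mitigation for Dirty Frag
# (CVE-2026-43284 / CVE-2026-43500) by preventing the esp4, esp6 and rxrpc
# modules from loading until a patched kernel is installed.

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Build the modprobe.d drop-in text. "install <mod> /bin/false" makes any
# load attempt fail, whether manual (modprobe) or triggered by a socket or
# protocol request; a plain "blacklist" line only stops alias autoloading.
dirty_frag_conf() {
    for m in $DIRTY_FRAG_MODULES; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
    done
}

# Print which of the three modules are currently loaded, reading the
# /proc/modules format ("name size refcount deps state addr") from stdin
# so the logic can be checked offline against constructed input.
loaded_dirty_frag_modules() {
    awk -v mods="$DIRTY_FRAG_MODULES" '
        BEGIN { n = split(mods, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        ($1 in w) { print $1 }
    '
}

# Apply the mitigation on a live system (needs root). Writes the drop-in and
# tries to unload modules that are already resident; a module held by an
# active IPsec SA or RxRPC socket will refuse to unload and needs a reboot.
apply_dirty_frag_mitigation() {
    conf=/etc/modprobe.d/dirty-frag-mitigation.conf   # assumed file name
    dirty_frag_conf > "$conf"
    for m in $(loaded_dirty_frag_modules < /proc/modules); do
        modprobe -r "$m" || echo "WARNING: $m still loaded; reboot required" >&2
    done
}
```

Remove the drop-in once the distribution's fixed kernel is installed, otherwise IPsec (ESP) and AFS/RxRPC users stay broken.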
Finally, if you are interested in learning more about this, you can consult the details at the following link.