LandzDown Forum

All About Linux => Linux Help, News and Information => Topic started by: Corrine on May 08, 2026, 03:47:28 PM

Title: New Linux 'Dirty Frag' zero-day gives root on all major distros
Post by: Corrine on May 08, 2026, 03:47:28 PM
From Bleeping Computer (https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/):

Quote:
A new Linux zero-day vulnerability, named Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command.

Security researcher Hyunwoo Kim, who disclosed the flaw earlier today and published a proof-of-concept (PoC) exploit, says this privilege escalation flaw was introduced roughly nine years ago in the Linux kernel's algif_aead cryptographic algorithm interface.

Dirty Frag works by chaining two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability, to modify protected system files in memory without authorization and achieve privilege escalation.

Also, while Dirty Frag belongs to the same class as the Dirty Pipe (https://www.bleepingcomputer.com/tag/dirty-pipe/) and Copy Fail (https://www.bleepingcomputer.com/tag/copy-fail/) Linux vulnerabilities, it exploits the fragment field of a different kernel data structure.

"As with the previous Copy Fail vulnerability, Dirty Frag likewise allows immediate root privilege escalation on all major distributions, and it chains two separate vulnerabilities (https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/)," Kim said (https://www.openwall.com/lists/oss-security/2026/05/07/8).

"Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high."

The vulnerability has yet to receive a CVE-ID for tracking and affects a wide range of Linux distros, including Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora, which have not yet received patches.

See the linked article for additional information.