Dirtyfrag: Universal Linux LPE

Researcher Hyunwoo Kim disclosed Dirtyfrag on May 8, 2026: a universal Linux LPE that achieves root on all major distros, with no patches yet because the responsible-disclosure embargo was broken.

What Matters

  • Chains two bugs: an xfrm/ESP page-cache out-of-bounds write and an RxRPC flaw; mitigation is blacklisting esp4, esp6, and rxrpc modules.
  • Exploit overwrites /usr/bin/su with a 192-byte x86_64 ELF via vmsplice+splice+UDP-encapsulated ESP packets, requiring only unprivileged user namespaces.
  • Shares the same authencesn write sink as Copy Fail; [HN: @eqvinox] notes authencesn was never fixed after that disclosure, making this a predictable follow-on.
  • [HN: @drmpeg] confirms esp4/esp6 fixes pushed to kernel trees 7.0, 6.18, 6.12, and 6.6 as of May 8; rxrpc fix status unclear.
  • Disabling unprivileged user namespaces (kernel.unprivileged_userns_clone=0) blocks this and a broad class of Linux LPEs, at the cost of rootless container support.
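
To check a host against the two mitigations listed above, the following added example (not code from the researcher or the original write-up) reports whether esp4, esp6 and rxrpc are loaded or blocked and what the user-namespace sysctl is set to. The function names are hypothetical, and it assumes module rules live in /etc/modprobe.d; other modprobe.d locations are not searched.

```shell
#!/bin/sh
# Added example: audit the Dirtyfrag mitigations named on this page.
# Paths are parameters so the checks can be run against copies of the files.
MODS="esp4 esp6 rxrpc"

# is_loaded MOD [PROC_MODULES]: succeeds if MOD is currently loaded.
is_loaded() {
    awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' \
        "${2:-/proc/modules}" 2>/dev/null
}

# is_blocked MOD [CONF_DIR]: succeeds if a .conf file carries
# "blacklist MOD" (stops alias-based autoloading) or
# "install MOD /bin/false" (also stops an explicit modprobe).
is_blocked() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null | awk -v m="$1" '
        /^[ \t]*#/ { next }
        $1 == "blacklist" && $2 == m { f = 1 }
        $1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { f = 1 }
        END { exit !f }'
}

# audit [PROC_MODULES] [CONF_DIR] [USERNS_FILE]
# Prints one line per check. Returns 1 if any module is still loaded or
# not blocked; a blocked module that is already loaded stays loaded until
# it is removed or the host reboots. The sysctl is reported only, since
# it does not exist on every kernel.
audit() {
    rc=0
    for m in $MODS; do
        l=no; b=no
        is_loaded "$m" "${1:-/proc/modules}" && l=yes
        is_blocked "$m" "${2:-/etc/modprobe.d}" && b=yes
        [ "$l" = no ] && [ "$b" = yes ] || rc=1
        echo "$m loaded=$l blocked=$b"
    done
    u=$(cat "${3:-/proc/sys/kernel/unprivileged_userns_clone}" 2>/dev/null \
        || echo absent)
    echo "unprivileged_userns_clone=$u"
    return $rc
}

audit "$@"
```

Run with no arguments, it reads the live /proc/modules, /etc/modprobe.d and sysctl file; a non-zero exit status means at least one of the three modules still needs attention.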
