Dirty Frag is an unpatched universal Linux local privilege escalation chaining two bugs in IPsec ESP and RxRPC kernel modules, with full exploit code released.
Key Takeaways
Affects all major Linux distributions; no patches or CVEs exist because the responsible disclosure embargo was broken before fixes landed.
Chains two vulnerabilities: one in the netdev ESP path and one in RxRPC, both reachable from unprivileged user namespaces.
Exploit overwrites /usr/bin/su with a minimal ELF shell payload using XFRM netlink, UDP ESP-in-UDP encap, splice, and vmsplice primitives.
Immediate mitigation: block and unload esp4, esp6, and rxrpc modules via /etc/modprobe.d/dirtyfrag.conf.
Root cause overlaps with the earlier Copy Fail vulnerability; specifically the authencesn cipher mode’s handling of high 32 bits of Extended Sequence Numbers.
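One way to apply and verify the mitigation from the takeaways above, as an added example that is not part of the original summary or the exploit release: the module names and config path come from the page, while the install-to-/bin/false technique and the function names are my own assumptions about how an administrator would script it.

```shell
# Added example, not from the original article: writes the modprobe deny-list
# the summary recommends and reports whether the affected modules are still
# loaded. Module names and config path are from the article; "install X
# /bin/false" is the standard modprobe way to make any load request for X fail.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"
DIRTYFRAG_CONF="${DIRTYFRAG_CONF:-/etc/modprobe.d/dirtyfrag.conf}"

# Print the modprobe configuration. "install" blocks explicit and on-demand
# loads; "blacklist" additionally stops alias-based autoloading.
dirtyfrag_conf_text() {
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
    done
}

# Read /proc/modules-style lines on stdin (first column is the module name)
# and print the affected modules that are loaded; prints nothing if none.
loaded_dirtyfrag_modules() {
    awk -v want="$DIRTYFRAG_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) want_set[w[i]] = 1 }
        ($1 in want_set) { print $1 }'
}

# Apply on a live host (run as root): write the config, then unload whatever
# is currently loaded. rmmod fails when a module is in use (e.g. an active
# IPsec SA holding esp4), so that case is reported rather than hidden.
dirtyfrag_mitigate() {
    dirtyfrag_conf_text > "$DIRTYFRAG_CONF"
    loaded_dirtyfrag_modules < /proc/modules | while read -r m; do
        rmmod "$m" || echo "could not unload $m (still in use?)" >&2
    done
}

# Verification: succeeds only when none of the affected modules is loaded.
dirtyfrag_check() {
    [ -z "$(loaded_dirtyfrag_modules < /proc/modules)" ]
}
```

Re-run dirtyfrag_check after a reboot as well, since the config only prevents future loads and rmmod only clears the running kernel.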
Hacker News Comment Review
Technical consensus: this is the same authencesn out-of-bounds write sink as Copy Fail; the wrong component (AF_ALG) was blamed and fixed last time, leaving the real bug open and reachable via plain network sockets.
Commenters debate whether distros are negligent for shipping esp4/esp6/rxrpc enabled by default for a tiny fraction of users, drawing comparisons to 1999-era default-open network services.
A dispute emerged over whether LLMs help or hinder vuln research creativity, with one camp arguing AI flattens exploratory paths and another pointing out LLMs identified similar bugs first.
Notable Comments
@eqvinox: Confirms same authencesn root cause as Copy Fail; ESP issue, not the RxRPC chain, is the direct continuation of the unfixed bug.
@tptacek: “LLMs spotted these bugs in the first place” – pushes back directly on the claim that AI hampers vuln discovery.