A new Linux zero-day vulnerability called Dirty Frag can allow local attackers to gain root privileges on most major Linux distributions using just a single command.
Security researcher Hyunwoo Kim disclosed the flaw earlier today and also released a proof-of-concept exploit. According to Kim, the privilege escalation bug was introduced around nine years ago in the Linux kernel’s algif_aead cryptographic algorithm interface.
Dirty Frag works by chaining two separate kernel vulnerabilities known as the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability. Together, they allow attackers to modify protected system files in memory without permission, which can then be used to gain root access.
Kim said Dirty Frag belongs to the same vulnerability class as Dirty Pipe and Copy Fail, but it abuses the fragment field of a different kernel data structure. Like Copy Fail, the flaw can allow immediate root privilege escalation on major Linux distributions by combining two separate bugs.
The researcher also explained that Dirty Frag is a deterministic logic bug, meaning it does not rely on a timing window or race condition. Because of this, failed exploit attempts do not crash the kernel, and the exploit has a very high success rate.
The vulnerability has not yet received a CVE ID. It affects several major Linux distributions, including Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora. Patches are not yet available for these affected systems.
Kim published full Dirty Frag documentation and a working PoC exploit after the disclosure embargo was broken on May 7, 2026. According to Kim, an unrelated third party independently published the exploit, forcing the information to be released before a patch or CVE was ready.
To reduce the risk of attacks, Linux users can disable the vulnerable esp4, esp6, and rxrpc kernel modules. However, this mitigation can break IPsec VPNs and AFS distributed network file systems, so it should be applied carefully, especially on production systems.
The Dirty Frag disclosure comes while Linux distribution maintainers are still rolling out fixes for Copy Fail, another Linux root privilege escalation flaw that is already being exploited in attacks.
CISA recently added Copy Fail to its Known Exploited Vulnerabilities catalog and ordered U.S. federal agencies to secure affected Linux systems by May 15. The agency warned that this type of vulnerability is commonly used by malicious actors and can pose serious risks to enterprise environments.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
Earlier in April, Linux distributions also patched another root privilege escalation vulnerability called Pack2TheRoot, which had remained in the PackageKit daemon for nearly a decade before being discovered.
