
“Dirty Frag” Linux Root Access Vulnerability

“Dirty Frag” is a Linux kernel local privilege escalation vulnerability that chains flaws in the kernel’s fragment handling (notably in the xfrm‑ESP and RxRPC code paths) to let a local unprivileged attacker corrupt page‑cache fragments and modify in‑memory copies of protected files, enabling them to gain root access. It matters because it affects, and is exploitable on, many distributions. Root access vulnerabilities are generally the worst‑case scenario for any compromise: because this flaw turns any local code execution into root, immediate patching or module‑level mitigations are essential to prevent a full system compromise.

Key points

  • Name: “Dirty Frag” is a chained Linux kernel local privilege escalation (LPE) combining bugs in xfrm‑ESP (esp4/esp6) and RxRPC; tracked as CVE‑2026‑43284 and CVE‑2026‑43500.
  • Impact: A local unprivileged user (or an attacker with limited local execution) can obtain root by corrupting page‑cache fragments to modify protected files in memory (e.g., /usr/bin/su, /etc/passwd). This attack is more reliable than race‑condition exploits.
  • Affected: Many mainstream kernels/distributions (Ubuntu, RHEL/CentOS Stream, AlmaLinux, Fedora, openSUSE, etc.); exact exposure depends on whether the esp4/esp6 or rxrpc modules are present/enabled.
  • Exploitation: Public PoC and reports of limited in‑the‑wild use exist; exploitation often follows initial access (SSH/webshell/container escape).

What You Can Do

  1. Patch as soon as possible: apply vendor/distribution kernel updates as soon as they are available. Prioritize hosts that allow local accounts, developer VMs, build servers and VMs with shared access.
  2. Temporary mitigation: disable modules you do not need.
    • Disable esp4/esp6 and rxrpc via modprobe configuration and unload any currently loaded instances of those modules.
    • Warning: disabling esp4/esp6 may break IPsec/VPN; disabling rxrpc may impact AFS. Test before a wide rollout.
  3. Harden local attack surface:
    • Restrict unnecessary shell logins and sudo access.
    • Remove CAP_NET_ADMIN and other unnecessary capabilities from containers and services.
    • Ensure SELinux/AppArmor is enabled and enforcing.
    • Run containers with least privilege (no root where possible), default seccomp profiles and restricted capabilities.
  4. Increase detection and monitoring:
    • Monitor for abnormal edits to protected files, suspicious deletions of session files, and compiler or shell artifacts appearing on servers.
  5. Post‑compromise response:
    • Treat as root compromise: isolate the host, collect forensic evidence, rotate credentials/keys, rebuild from clean images after patching and review logs for lateral movement.
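
The temporary mitigation in step 2 (blacklisting esp4/esp6 and rxrpc and unloading them), as an added example script that is not part of the original advisory. It assumes a distribution that honours /etc/modprobe.d; the config file name is a chosen placeholder.

```shell
#!/bin/sh
# Added example (not from the advisory): block loading of the modules named in
# the "Dirty Frag" mitigation and unload any that are currently loaded.
# Assumes a modprobe.d-based distribution; CONF is an arbitrary file name.

MODULES="esp4 esp6 rxrpc"
CONF="/etc/modprobe.d/disable-dirtyfrag-modules.conf"

# Render the modprobe.d content. "install <mod> /bin/false" makes any load
# attempt fail, including loads triggered by an alias or a dependency, which a
# bare "blacklist" line does not prevent.
render_modprobe_conf() {
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m"
        printf 'blacklist %s\n' "$m"
    done
}

# Print which of the target modules appear in a /proc/modules-style listing
# (first column is the module name). $1 = path to the listing.
loaded_modules_from() {
    awk -v want="$MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) seen[w[i]] = 1 }
        ($1 in seen) { print $1 }
    ' "$1"
}

# Write the config (needs root) and unload loaded target modules. The advisory's
# warning applies: esp4/esp6 carry IPsec traffic and rxrpc is used by AFS.
apply_mitigation() {
    render_modprobe_conf > "$CONF"
    for m in $(loaded_modules_from /proc/modules); do
        modprobe -r "$m" || echo "could not unload $m (in use?); reboot required" >&2
    done
}

case "${1:-}" in
    --apply) apply_mitigation ;;
    *) echo "# dry run; would write to $CONF:"; render_modprobe_conf ;;
esac
```

Run with `--apply` as root to enforce; without arguments it only prints the configuration it would install.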