
A new Linux zero-day exploit called “Dirty Frag” reportedly lets local attackers take over most major Linux distributions with a single command.
“Dirty Frag” is a serious Local Privilege Escalation (LPE) vulnerability chain in the Linux kernel that gives any unprivileged local user immediate, deterministic root privileges.
According to security researcher Hyunwoo Kim, who disclosed the flaw earlier today and published a proof-of-concept (PoC) exploit, the local privilege escalation was introduced almost nine years ago through the Linux kernel’s algif_aead cryptographic algorithm interface.
Dirty Frag chains two distinct kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability, to write to protected system files in the page cache without authorization and thereby escalate privileges.
Although it belongs to the same bug class as the Dirty Pipe and Copy Fail Linux vulnerabilities, Dirty Frag targets the fragment field of a different kernel data structure.
Kim stated that, as with the previous Copy Fail vulnerability, Dirty Frag allows immediate root privilege escalation on all major distributions, and that it chains two separate vulnerabilities. Dirty Frag expands the bug class that includes Dirty Pipe and Copy Fail. “The kernel does not panic when the exploit fails, the success rate is extremely high, and no race condition is necessary because it is a deterministic logic issue that does not rely on a timing window.”
Numerous Linux distributions, including Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora, are impacted by this kernel privilege escalation and have not yet been patched.
The embargo on full public disclosure was breached on May 7, 2026, when an unconnected third party independently published the exploit; Kim then released the full Dirty Frag documentation and a PoC exploit with the distribution maintainers’ consent. Because the embargo was breached, there is presently no fix or CVE. According to Kim, the Dirty Frag document is being released following discussion with the maintainers on linux-distros@vs.openwall.org and with their permission.
Until patches are available, Linux users can protect their systems by using the following command to remove the vulnerable esp4, esp6, and rxrpc kernel modules; note that doing so will disrupt IPsec VPNs and AFS distributed network file systems:
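As an added example (not the article’s command and not from Kim’s advisory), the script below reports whether the esp4, esp6 and rxrpc modules are loaded, generates a modprobe.d drop-in that stops them from being loaded again, and unloads them, warning first when the refcount shows IPsec or AFS is actively using them. The drop-in directory and the /proc/modules path are parameters so the checks can be dry-run as an unprivileged user.

```shell
#!/bin/sh
# Added example: mitigation helper for the module-removal workaround.
# Assumes the Linux /proc/modules format (name size refcount deps state addr).

VULN_MODULES="esp4 esp6 rxrpc"

# loaded_vuln_modules [modules-file]
# Prints "name refcount" for each vulnerable module listed in the file.
loaded_vuln_modules() {
    modfile=${1:-/proc/modules}
    for m in $VULN_MODULES; do
        awk -v mod="$m" '$1 == mod { print $1, $3 }' "$modfile"
    done
}

# blacklist_config
# Prints a modprobe.d fragment: "install <mod> /bin/false" makes modprobe
# refuse to load the module, and "blacklist" suppresses alias autoloading.
blacklist_config() {
    for m in $VULN_MODULES; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
    done
}

# apply_mitigation [modprobe.d-dir] [modules-file]
# Writes the drop-in and unloads any loaded vulnerable module. A non-zero
# refcount means IPsec (esp4/esp6) or AFS (rxrpc) is in use, so the unload
# will either fail or break that service; it is reported before rmmod runs.
# Requires root when used against the real /etc/modprobe.d and /proc/modules.
apply_mitigation() {
    dir=${1:-/etc/modprobe.d}
    modfile=${2:-/proc/modules}
    blacklist_config > "$dir/dirty-frag-mitigation.conf"
    loaded_vuln_modules "$modfile" | while read -r name refs; do
        if [ "$refs" -gt 0 ]; then
            echo "warning: $name in use (refcount $refs); unloading breaks IPsec/AFS" >&2
        fi
        rmmod "$name" 2>/dev/null || echo "could not unload $name" >&2
    done
}
```

Run `loaded_vuln_modules` first to see what is loaded and in use, then `apply_mitigation` as root only once the IPsec and AFS impact is acceptable.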
This new zero-day came to light while Linux distribution maintainers were still releasing patches for “Copy Fail,” another root privilege escalation vulnerability that is currently being actively exploited in attacks.
Last Friday, CISA added Copy Fail to its Known Exploited Vulnerabilities (KEV) Catalog, giving government entities a two-week deadline, until May 15, to secure their Linux machines. The U.S. cybersecurity agency cautioned at the time that vulnerabilities of this kind pose serious risks to government organizations and are a common attack vector for malicious cyber actors, advising them to “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
In April, Linux distributions discovered another root privilege escalation vulnerability, known as Pack2TheRoot, which had been present in the PackageKit daemon for ten years.
Update (May 8, 09:58 EDT): The two page-cache write vulnerabilities chained by Dirty Frag have been assigned CVE IDs: CVE-2026-43284 for the xfrm-ESP vulnerability and CVE-2026-43500 for the RxRPC vulnerability.