Two Linux kernel page-cache write vulnerabilities — in the xfrm ESP and RxRPC subsystems — can be chained to achieve deterministic local privilege escalation to root on every major Linux distribution. The exploit, dubbed "DirtyFrag," does not rely on race conditions or timing windows and has a very high success rate.
Until a patched kernel is available from your distribution vendor, apply one or more of the following workarounds:
Blacklist the vulnerable kernel modules (recommended for most systems):
cat <<'EOF' | sudo tee /etc/modprobe.d/dirtyfrag.conf
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
EOF
sudo modprobe -r esp4 esp6 rxrpc 2>/dev/null || true
Note: Disabling esp4/esp6 will break IPsec VPN connectivity. Disabling rxrpc will break AFS file system access. Only apply to systems that do not use these features.
Restrict unprivileged user namespace creation where feasible. The xfrm ESP variant requires CAP_NET_ADMIN obtained through user namespaces.
Deploy seccomp profiles blocking AF_RXRPC (family 33) socket creation in containers and sandboxes to prevent the RxRPC variant.
Once available, apply the patched kernel from your distribution vendor and reboot. The upstream fix is mainline commit f4c50a4034e6 ("skb: set SKBFL_SHARED_FRAG on splice-originated frags").
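As an added example (not part of the advisory), the POSIX shell audit below checks whether two of the workarounds above are actually in place on a host: the esp4/esp6/rxrpc module blacklist (and that the modules are not currently loaded) and the unprivileged user-namespace restriction. Each check takes its input path as a parameter so it can be run against constructed sample files as well as the live system; the user-namespace check assumes the `user.max_user_namespaces` sysctl is the mechanism in use, which is one of several that distributions offer.

```shell
#!/bin/sh
# dirtyfrag_audit.sh - audit DirtyFrag workarounds (example code, not from the advisory).
# Every check takes its input path as an argument so it can be exercised offline.

# Return 0 if every module named in $1 (space separated) is neutralised by an
# "install <module> /bin/false" (or /bin/true) line in some *.conf under $2.
modules_blacklisted() {
  mods=$1; dir=$2
  for m in $mods; do
    grep -qsE "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(false|true)" "$dir"/*.conf || return 1
  done
  return 0
}

# Return 0 if none of the modules in $1 appears in a /proc/modules-style file $2
# (one module per line, name in the first column).
modules_unloaded() {
  mods=$1; file=$2
  for m in $mods; do
    grep -qE "^$m[[:space:]]" "$file" && return 1
  done
  return 0
}

# Return 0 if the user-namespace limit file $1 (normally
# /proc/sys/user/max_user_namespaces) is 0, i.e. no new user namespaces may be created.
# Assumption: this sysctl is the restriction mechanism; some distributions use
# kernel.unprivileged_userns_clone or an AppArmor profile instead.
userns_restricted() {
  [ "$(tr -d '[:space:]' < "$1")" = "0" ]
}

# Run all checks against the live system; exits 0 only when every check passes.
audit_live() {
  status=0
  modules_blacklisted "esp4 esp6 rxrpc" /etc/modprobe.d || { echo "FAIL: esp4/esp6/rxrpc not blacklisted"; status=1; }
  modules_unloaded "esp4 esp6 rxrpc" /proc/modules || { echo "FAIL: a vulnerable module is loaded"; status=1; }
  userns_restricted /proc/sys/user/max_user_namespaces || { echo "FAIL: unprivileged user namespaces allowed"; status=1; }
  [ "$status" -eq 0 ] && echo "OK: workarounds in place"
  return $status
}

# Only touch the live system when explicitly asked: ./dirtyfrag_audit.sh --live
case "${1:-}" in --live) audit_live ;; esac
```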
Variant 1 — xfrm ESP page-cache write: Exploits a logic flaw in esp_input() that allows 4-byte controlled writes into the page cache via AEAD decryption preprocessing. Requires CAP_NET_ADMIN (obtainable via unprivileged user namespace creation). Present since January 2017 (commit cac2661c53f3).
Variant 2 — RxRPC page-cache write: Targets rxkad_verify_packet_1() with in-place pcbc(fcrypt) decryption, enabling 8-byte writes via brute-forced key material. Does not require namespace privileges. Present since June 2023 (commit...
CVSS v3.1 base score: 7.8 (High)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: Attack Vector Local, Attack Complexity Low, Privileges Required Low, User Interaction None; Scope Unchanged; Impact: Confidentiality High, Integrity High, Availability High.