Xtcworld

Linux Kernel 7.0.6 Patches Dirty Frag Vulnerability: What You Need to Know

Linux 7.0.6 patches Dirty Frag LPE vulnerability (CVE-2026-43500). Root cause, fix, and distribution updates for Fedora and Pop!_OS explained.

Xtcworld · 2026-05-14 21:27:43 · Cybersecurity

Dirty Frag Exploit: A Brief Overview

The Dirty Frag vulnerability, officially tracked as CVE-2026-43500, has recently dominated discussions in the Linux and open-source communities. This local privilege escalation (LPE) flaw was inadvertently exposed to the public, catching the Linux kernel development team and various distributions off guard. The vulnerability carries a CVSS score of 7.8 (HIGH) on the National Vulnerability Database, underscoring its severity.

Source: itsfoss.com

Root Cause of the Vulnerability

The issue traces back to a 2019 commit that introduced two unhandled packet types in the rxrpc handling path:

  • Packets with pages fed in through the splice() system call
  • Packets with fragment chains attached

The kernel failed to treat these packet types as shared memory, meaning it skipped creating a safe copy and instead decrypted them in place. This oversight created a window for a local attacker to manipulate those pages from userspace while decryption was occurring, ultimately allowing root-level access.

The Official Fix: Linux 7.0.6 and Beyond

Fortunately, a proper patch is now available. Authored by Hyunwoo Kim—the same researcher who discovered and disclosed Dirty Frag—the fix extends existing checks in two rxrpc functions to also catch the two previously unaccounted cases. These packet types are now correctly copied to a private buffer before decryption, closing the vulnerability.

Linux creator Linus Torvalds merged the patch on May 10, and the stable kernel 7.0.6 was released the following day. The long-term support (LTS) kernel 6.18.29 also received the fix.

If you have the technical expertise and wish to install Linux 7.0.6 manually, you can download the tarball from kernel.org. Note: This process carries risks; ensure you have backed up your data before proceeding. Ubuntu-based distribution users can refer to our dedicated guide for step-by-step instructions.

Distribution-Specific Updates

Both Fedora and Pop!_OS have already pushed their own fixes, even before the official 7.0.6 release.


Fedora

Fedora kernel maintainer Justin Forbes announced that the fix was pushed to the stable branch early. Fedora 43 and Fedora 44 users receive the patched kernel via version 7.0.4, while Fedora 42 users get it with 6.19.14-101. Forbes noted that they skipped an update to 7.0.5 for F43 and F44 because the fix was already implemented in their 7.0.4 builds.

To update your Fedora system, run the following commands:

  1. Check for available updates: sudo dnf update
  2. Verify you are receiving the patched kernel (e.g., x86_64 7.0.4-100.fc43), then upgrade: sudo dnf upgrade

Pop!_OS

For users running Pop!_OS LTS versions 22.04 and 24.04, System76 has released kernel updates covering both Dirty Frag CVEs. The esp4 and esp6 modules tied to the second CVE have been patched and are considered safe to re-enable. For the rxrpc module, System76 opted to disable it rather than patch it, and they are holding off on re-enabling it.

To apply the fixes, run:

sudo apt update && sudo apt upgrade

After the upgrade completes, reboot your system with:

sudo reboot
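
After the reboot, one way to confirm what is running is the added script below. It is not part of the original article or any distribution's tooling, and its function names and the --live switch are illustrative. It compares a kernel release string with the upstream fixed releases named above (7.0.6 and 6.18.29) and lists which of rxrpc, esp4 and esp6 are loaded.

```shell
#!/bin/sh
# Added example (not from the article's source): compare a kernel release
# string with the upstream releases the article names as fixed, and list
# which of the modules it mentions are loaded. Function names are illustrative.

# ver_ge A B: true when dotted version A >= B, compared numerically per field.
ver_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$2" ]
}

# classify RELEASE: print "fixed-upstream" or "check-vendor-advisory".
# Assumption: releases after 7.0.6 also carry the merged patch. A lower
# number is not proof of exposure, because distributions backport the fix
# (Fedora's 7.0.4 builds), so the answer there is to read the advisory.
classify() {
    base=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # 7.0.4-100.fc43 -> 7.0.4
    case "$base" in
        6.18.*) fixed=6.18.29 ;;   # LTS series
        *)      fixed=7.0.6 ;;     # stable series
    esac
    if ver_ge "$base" "$fixed"; then
        echo fixed-upstream
    else
        echo check-vendor-advisory
    fi
}

# loaded_modules [FILE]: comma-separated subset of rxrpc, esp4, esp6 found
# in a /proc/modules-format listing (FILE defaults to /proc/modules).
loaded_modules() {
    awk '$1 == "rxrpc" || $1 == "esp4" || $1 == "esp6" { print $1 }' \
        "${1:-/proc/modules}" | sort | paste -sd, -
}

# Live check: sh dirtyfrag-check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "kernel $(uname -r): $(classify "$(uname -r)")"
    echo "loaded: $(loaded_modules)"
fi
```

A result of check-vendor-advisory on a Fedora or Pop!_OS kernel means the version number alone cannot settle it, so compare the installed build with the distribution's announcement.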

Conclusion

The Dirty Frag vulnerability was a serious but quickly addressed threat to Linux systems. With patches now available in Linux 7.0.6, 6.18.29 LTS, Fedora, and Pop!_OS, users are strongly encouraged to update their kernels as soon as possible. For further details, refer to our earlier comprehensive coverage of the Dirty Frag exploit.
