- Dirty Frag, a nine-year-old kernel bug revealed by researcher Hyunwoo Kim, enables escalation to root privileges across major Linux distros
- The exploit chains two page-cache write flaws, works reliably without relying on a race condition, and currently has no CVE or patch
- Mitigation requires disabling vulnerable kernel modules, but this breaks IPsec VPNs and AFS, leaving systems exposed until fixes arrive
Some of the most widely used and influential Linux distributions are vulnerable to a zero-day flaw that allows threat actors to gain root privileges, and a patch has yet to be published, experts have warned.
Security researcher Hyunwoo Kim disclosed finding a nine-year-old flaw and published a proof-of-concept (PoC) exploit.
He named the vulnerability Dirty Frag and explained that it works by chaining two kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability. Together they let him modify protected system files in the kernel's page cache, without the permissions that those files' ownership would normally require.
Possible mitigations
Kim explained that he shared his findings under embargo with the maintainers of various Linux distros to give everyone time to patch. However, that embargo was apparently broken on May 7, when a third party made the exploit public.
“Because the embargo has currently been broken, no patch or CVE exists. After consultation with the maintainers at [email protected] and at their request, this Dirty Frag document is being published,” Kim said.
In addition to lacking a CVE, the bug has also yet to be given a severity score. However, since this is a local privilege escalation flaw that reliably yields root, it is safe to assume it will be rated High or Critical; note that local privilege escalation bugs are commonly scored 7.8 (High) rather than 9.0 or above (Critical) under CVSS v3, because they require local access to exploit.
So far, Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora have all been confirmed to be vulnerable and have yet to receive patches.
“As with the previous Copy Fail vulnerability, Dirty Frag also allows immediate escalation of root privileges on all major distributions, chaining two separate vulnerabilities,” Kim said. “Because it’s a deterministic logic bug that doesn’t depend on a timing window, no race condition is required, the kernel doesn’t panic when the exploit fails, and the success rate is very high.”
The current mitigation is to blacklist (or unload) the esp4, esp6 and rxrpc kernel modules, but this breaks IPsec VPNs, which rely on esp4 and esp6 for ESP, and the AFS distributed file system, whose in-kernel kafs client depends on rxrpc.
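The following script is an added example of how an administrator would apply and verify that interim mitigation; it is not code from the article or from Kim's advisory. It assumes a standard modprobe.d layout and /proc/modules; the file name dirty-frag-mitigation.conf and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article or Kim's advisory): blacklist the esp4,
# esp6 and rxrpc modules named as the interim mitigation, and check whether
# they are loaded or compiled into the running kernel. File names and helper
# names are this example's assumptions.
set -eu

MODULES="esp4 esp6 rxrpc"

# Render the modprobe.d fragment. "blacklist" stops the module's own aliases
# (e.g. the net-pf-33 alias rxrpc registers for AF_RXRPC sockets) from
# auto-loading it; "install ... /bin/false" makes an explicit modprobe fail too.
render_blacklist() {
    for m in $MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Write the fragment into a directory (default /etc/modprobe.d, needs root)
# and print the path written.
write_blacklist() {
    dir="${1:-/etc/modprobe.d}"
    render_blacklist > "$dir/dirty-frag-mitigation.conf"
    echo "$dir/dirty-frag-mitigation.conf"
}

# Print the mitigated modules that are currently loaded. Reads a file in
# /proc/modules format (module name in the first column) so it can be pointed
# at a saved copy for testing.
loaded_modules() {
    file="${1:-/proc/modules}"
    for m in $MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$file"; then
            echo "$m"
        fi
    done
}

# Blacklisting does nothing for code compiled into the kernel. Print the
# mitigated modules listed in modules.builtin (lines like kernel/net/ipv4/esp4.ko).
builtin_modules() {
    file="${1:-/lib/modules/$(uname -r)/modules.builtin}"
    for m in $MODULES; do
        if grep -q "/$m\.ko\$" "$file" 2>/dev/null; then
            echo "$m"
        fi
    done
}

# Stand-alone usage: report state, then write the blacklist if run as root.
if [ "${DIRTY_FRAG_APPLY:-0}" = "1" ]; then
    echo "loaded:  $(loaded_modules | tr '\n' ' ')"
    echo "builtin: $(builtin_modules | tr '\n' ' ')"
    [ "$(id -u)" -eq 0 ] && write_blacklist
fi
```

Run with DIRTY_FRAG_APPLY=1 as root to apply. Two caveats the blacklist alone does not cover: a module that is already loaded stays loaded until it is removed with modprobe -r (which fails while an IPsec SA or AFS mount is using it) or the machine reboots, and a kernel that has esp4, esp6 or rxrpc built in, as reported by builtin_modules, cannot be mitigated this way at all and needs the fixed kernel.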
Via Bleeping Computer
