INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
DirtyClone Exploit Flaw Lets Local Users Gain Root
2026-06-27 09:12 | CRITICAL | LOW
Executive Summary (AI-generated)
The latest incident data describes DirtyClone, a Linux kernel privilege escalation and the fourth such flaw in six weeks to escalate to root. The vulnerability allows any unprivileged local user to gain root access by manipulating the Linux page cache. The issue was first reported on June 27 and has since been patched in multiple Linux kernel releases; however, distributions that ship default namespace configurations remain exposed. Updating kernels immediately is recommended; the mitigations below apply where patching is not yet possible.
Technical Mitigations (AI-generated)
* Set kernel.unprivileged_userns_clone=0: on Debian and Ubuntu this sysctl blocks the unprivileged-namespace path to CAP_NET_ADMIN, which the DirtyClone exploit requires; it also disables unprivileged user namespaces for legitimate software that relies on them.
* Blacklist the esp4, esp6, and rxrpc kernel modules: this removes the in-place decryption primitives the exploit depends on, at the cost of breaking IPsec ESP and AFS (which uses RxRPC).
* Use AppArmor namespace restrictions: Ubuntu 24.04 and later restrict namespace creation via AppArmor, blocking the default exploit path; every other distribution with default namespace configurations is exposed.
* Protect file-backed pages in the page cache: the exploit modifies file-backed pages through shared mappings, so the change propagates to every process mapping those pages; the kernel fix closes this path, which is why patching remains the primary mitigation.
* Restrict IPsec configuration: the exploit routes a cloned packet through a loopback IPsec tunnel that the attacker sets up, so preventing unprivileged users from creating such tunnels blocks that step.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-31431
CVE-2026-43500
CVE-2026-43284
CVE-2026-46300
CVE-2026-43503
Target & Sectors
Global Scope
Incident Timeline
May 7
DirtyFrag (CVE-2026-43284 and CVE-2026-43500) followed on May 7, chaining IPsec ESP and RxRPC paths for a full write primitive.
May 13
Fragnesia (CVE-2026-46300) appeared on May 13, bypassing the DirtyFrag patch through a flag-dropping bug in skb_try_coalesce().
May 16
The original DirtyFrag researcher Hyunwoo Kim submitted a broader multi-site patch on May 16 covering several remaining fragment-transfer helpers.
May 19
JFrog independently rediscovered one of the affected functions on May 19 and built a working exploit.
May 21
The combined fix was merged on May 21 (commit 48f6a5356a33).
May 23
CVE-2026-43503 was assigned and published on May 23.
May 24
Linux v7.1-rc5 shipped on May 24 as the first fixed release.
June 25
JFrog Security Research published a working exploit walkthrough on June 25 for CVE-2026-43503 (CVSS score of 8.8), a Linux kernel privilege escalation they call DirtyClone; it was the first public demonstration for this variant.
Jun 26, 2026
Coverage by Swati Khandelwal headlined DirtyClone as the fourth Linux kernel flaw in six weeks to escalate to root: a privilege escalation that silently rewrites executables in memory, leaving no disk trace.
Jun 27, 2026
Security Affairs (Pierluigi Paganini) reported that the new DirtyClone Linux kernel flaw lets local users gain root via cloned packets.
Source Excerpts
DirtyClone: Fourth Linux Kernel Flaw in Six Weeks Escalates to Root
DirtyClone: a Linux kernel privilege escalation that silently rewrites executables in memory, leaving no disk trace.
Swati Khandelwal, Jun 26, 2026 (Linux / Vulnerability)
DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family.
“The severity of this issue is significant because it allows any unprivileged local user to gain root access (LPE) by manipulating the Linux page cache,” reads the report published by JFrog.
“DirtyFrag is a family of Linux kernel memory corruption vulnerabilities in the core networking stack affecting how socket buffers (skb) reference shared page-cache memory, which are subsequently weaponized through in-place cryptographic transformations in subsystems like XFRM/IPsec or RxRPC,” continues the report.
Pierluigi Paganini (SecurityAffairs – hacking, Linux)
New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets.
Copy Fail (CVE-2026-31431) came first in late April, exploiting the algif_aead module for a four-byte page-cache write.
The attacker loads a privileged binary like /usr/bin/su into memory, wires those pages into a network packet, and forces the kernel to clone it through a loopback IPsec tunnel they control. The cloned packet passes through that tunnel, and the decryption step overwrites the binary's login checks with attacker-chosen bytes.
Ubuntu 24.04 and later restrict namespace creation via AppArmor, blocking the default exploit path, but every other distribution with default namespace configurations is exposed.
Ubuntu, Debian, and SUSE have published advisories; Red Hat has a Bugzilla tracking entry.
The exposed systems are multi-tenant servers, CI runners, container hosts, and Kubernetes clusters where untrusted users can create namespaces.
The fix landed upstream in v7.1-rc5 and has been backported to stable and LTS branches.
Any function that moves fragment descriptors without propagating the shared-frag flag is a potential new CVE, and auditing should cover every path that touches skb_shinfo()->flags during fragment transfer.
Tactical Metrics
Affected Product: Linux (infrastructure)
Intelligence Sources
The Hacker News, 2026-06-26
Security Affairs, 2026-06-27
DirtyClone: Fourth Linux Kernel Flaw in Six Weeks Escalates to Root
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
* organisation: Root DirtyClone (26x)
* date: June 25 (12x)
* cve: CVE-2026-43503 (5x)
Contextual Telemetry (5 metrics)
* Cyber Operation Type: Privilege Escalation (tactic)
* Affected Product: Linux (software)
* CVSS Score: 9 (score)
* general metric: Ubuntu 24
* general metric: Jun 26