Devastating 'Dirty Frag' exploit leaks out, gives immediate root access on most Linux machines since 2017, no patches available, no warning given — Copy Fail-like vulnerability had its embargo broken

Why This Matters

The Dirty Frag exploit exposes a critical security vulnerability affecting nearly all Linux systems since 2017, allowing local users to gain immediate root access without patches available. This highlights the urgent need for prompt patching and increased vigilance in Linux security management, especially given the widespread impact and lack of current fixes.

Key Takeaways

Here's a question for the systems administrators in the crowd: what's better than one instant-root™️ Linux vulnerability that affects most every system since 2017? Two of them, of course. Today's bag of bad news comes by way of the Dirty Frag vulnerability, which uses a mechanism similar to the Copy Fail exploit that's currently setting the Linux server world on fire. This vulnerability affects nearly every Linux install since 2017, and no advance warning was given, so there is no patch available. This appears to be due to a broken embargo that revealed the vulnerability before preparations were made.

As a refresher, any local user can instantly get root (administrator) access on an affected box, just by running a small program. The attack does not depend on specific system conditions or timing, as it's a straightforward logic bug. Most every popular Linux distribution since 2017 is affected, including but not limited to current versions of Ubuntu (24 and 26), Arch, RHEL, OpenSUSE, CentOS Stream, Fedora, and Alma. We even tested WSL2 ourselves and sure enough, "root" was the word.

Dirty Frag one-ups its cousin, though, as there are currently zero patches for it at the time of this writing, making it spectacularly dangerous. Even the mainline Linux kernel itself doesn't appear to have any patches, as one colleague of mine reported a successful trigger of the exploit on a CachyOS machine running kernel 7.0.3-1-cachyos, and also on an updated Arch box. Needless to say, keep your eyes peeled for updates and patch your servers the second they're available.

Mercifully, though, the machine gods made the mitigation easy and unlikely to affect the functioning of the vast majority of servers. One needs only to disable the esp4, esp6, and rxrpc modules. These are all related in various degrees to IPSec networking and unlikely to be used unless the machine in question is an IPSec client or server. You can disable the modules in question with:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
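
The one-liner above ends in `rmmod ... 2>/dev/null; true`, so a module that is in use stays loaded and no error is shown. The script below is an added example, not from the article or any vendor, that checks whether the mitigation actually took effect; the function names, the `--audit` flag, and the assumption that the rules live only in /etc/modprobe.d are this example's own.

```shell
#!/bin/sh
# Added example: audit the module mitigation (assumes install rules live in
# /etc/modprobe.d; paths are parameters so constructed test files can be used).
MODULES="esp4 esp6 rxrpc"

# Succeeds if module $1 is listed in the /proc/modules-format file $2.
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2" 2>/dev/null
}

# Succeeds if a *.conf file in directory $2 maps module $1 to /bin/false or
# /bin/true via an "install" rule. Commented-out rules do not count.
is_blocked() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "install" && $2 == m && $3 ~ /^\/bin\/(false|true)$/ { hit = 1 }
        END { exit !hit }'
}

# Prints one status line per module. Returns 0 only when every module is
# unloaded, blocked from loading, and not compiled into the kernel.
audit_dirtyfrag() {
    proc_modules=${1:-/proc/modules}
    conf_dir=${2:-/etc/modprobe.d}
    builtin_list=${3:-/lib/modules/$(uname -r)/modules.builtin}
    rc=0
    for m in $MODULES; do
        if grep -q "/$m\.ko\$" "$builtin_list" 2>/dev/null; then
            echo "$m: BUILT-IN (modprobe rules cannot disable it)"; rc=1
        elif is_loaded "$m" "$proc_modules"; then
            echo "$m: LOADED (rmmod failed, module may be in use)"; rc=1
        elif ! is_blocked "$m" "$conf_dir"; then
            echo "$m: not loaded, but no install rule blocks it"; rc=1
        else
            echo "$m: mitigated"
        fi
    done
    return $rc
}

# Run against the live system only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_dirtyfrag
    exit $?
fi
```

A non-zero exit status means at least one of the three modules is still reachable, which makes the script usable as a fleet-wide compliance check until patched kernels ship.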

The reason Dirty Frag is catching everyone flat-footed is that, although the vulnerability was reported to the Linux kernel team on April 30, an "unrelated third party" broke the embargo for the reveal. The website offers no more detail, but our best theory is that it means the exploit is already in use by malicious actors, prompting the embargo breakage. If you want to test your boxen, you can use: