Overview
Recently, NSFOCUS CERT has detected a Linux kernel privilege escalation vulnerability (Dirty Frag) disclosed online. Attackers use the logical defects of splice system calls in conjunction with xfrm-ESP or RxRPC protocol stacks to tamper with the page cache of any read-only file without race conditions to obtain system root permissions. In multi-tenant servers, jump servers or container cloud environments, Ordinary users and processes in containers can use this to achieve local privilege escalation or container escape. The CVSS score is 7.8. At present, the vulnerability details and PoC have been made public. Relevant users are requested to take measures to protect themselves as soon as possible.
Xfrm-ESP Page-Cache Write: Due to a logical flaw in the esp4/esp6 module, a local attacker with permissions to create user namespaces can construct a specially crafted ESP packet tampering page cache through the Netlink interface, thereby modifying key system files and gaining root privileges.
RxRPC Page-Cache Write: Due to a logical defect in the rxrpc module, a local attacker with ordinary privileges can tamper with the page cache by creating a special RxRPC call to construct an AF_RXRPC socket, thereby modifying key system files and gaining root privileges.
Note: This vulnerability is highly stable and concealed. Attackers can accurately tamper with the page cache of any read-only file in the system by running simple scripts; because this exploitation process is triggered by deterministic logic, does not rely on race conditions, and only tampers with memory data without destroying the original disk files, it is difficult for traditional security tools based on disk scanning to discover in real time.
The Linux kernel is the core component of the operating system, responsible for key functions such as process management, memory management, device drivers, file systems and network protocol stacks. It is widely deployed in servers, desktop systems and embedded devices. The esp4 and esp6 modules are the core components of the IPsec protocol stack, responsible for processing ESP (Encapsulating Security Payload) protocol packets for IPv4 and IPv6 respectively. They are key mechanisms for encrypting, authenticating and encapsulating traffic for IPsec. The rxrpc module is a core component that implements the RxRPC (Remote Procedure Call over unreliable datagram networks) protocol and is designed to provide reliable remote procedure call (RPC) communication over unreliable UDP networks.
This vulnerability has been replicated in multiple Linux distributions:
Reference link: https://www.openwall.com/lists/oss-security/2026/05/07/8
Scope of Impact
xfrm-ESP Page-Cache Write:
- Linux kernel >= 4.11 (commit cac2661c53f3, introduced on 2017-01-17)
RxRPC Page-Cache Write:
- Linux kernel >= 6.5 (commit 2dc334f1a63a, introduced on 2023-06)
Note: It affects most Linux distributions such as Ubuntu, Debian, RHEL, openSUSE, CentOS, AlmaLinux, Fedora and Arch Linux.
Detection
Manual inspection
Linux system users can determine whether the current system is within the affected range by checking the kernel version. The command to check the operating system version information is as follows:
| cat /proc/version |
The status of the esp4/esp6/rxrpc module can be checked using the following command:
| lsmod | grep -E ‘^(esp4|esp6|rxrpc) |
Note: If the system kernel is within the affected range and relevant modules are loaded, there will be a security risk.
Mitigation
Official upgrade
At present, the official update has not been officially released to fix the above vulnerabilities. Affected users are requested to pay attention to the latest version dynamics and update them in time. Download link: https://kernel.org/
Other protective measures
The following measures can be used for temporary protection without affecting business:
1. Relevant users can block the attack surface by disabling esp4/esp6/rxrpc modules:
| sh -c “printf ‘install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n’ > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true” |
2. In a container or cloud environment, it is recommended to prohibit the process from creating AF_ALG type sockets through Seccomp configuration and intercept non-privileged user namespace creation to prevent escape risks.
3. Monitor abnormal tampering of key files such as /etc/passwd, /etc/sudoers, /etc/shadow and /usr/bin/su, and restrict high-risk calls such as splice, add_key and unshare by ordinary users.
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.
Founded in 2000, NSFOCUS operates globally with over 3000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.
Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.
