Particulars have emerged a few new, unpatched native privilege escalation (LPE) vulnerability impacting the Linux kernel.
Dubbed Soiled Frag, it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS rating: 7.8), a not too long ago disclosed LPE flaw impacting the Linux kernel that has since come underneath energetic exploitation within the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026.
“Soiled Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Web page-Cache Write vulnerability and the RxRPC Web page-Cache Write vulnerability,” safety researcher Hyunwoo Kim (@v4bel) mentioned in a write-up.
“Soiled Frag is a case that extends the bug class to which Soiled Pipe and Copy Fail belong. As a result of it’s a deterministic logic bug that doesn’t depend upon a timing window, no race situation is required, the kernel doesn’t panic when the exploit fails, and the success fee may be very excessive.”
Profitable exploitation of the flaw may permit an unprivileged native consumer to realize elevated root entry on most Linux distributions, together with Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.
In keeping with the researcher, the xfrm-ESP Web page-Cache Write vulnerability was launched in a supply code commit made in January 2017, whereas the RxRPC Web page-Cache Write vulnerability was launched in June 2023. Curiously, the identical January 17, 2017, commit was the foundation trigger behind one other buffer overflow (CVE-2022-27666, CVSS rating: 7.8) that affected varied Linux distributions.
xfrm-ESP Web page-Cache Write, which is rooted within the IPSec (xfrm) subsystem, supplies attackers with a 4-byte retailer primitive like Copy Fail and overwrites a small quantity within the kernel’s web page cache.
Nevertheless, the exploit requires the unprivileged consumer to create a namespace, a step that is blocked by Ubuntu by way of AppArmor. In such an setting, xfrm-ESP Web page-Cache Write can’t be triggered. That is the place the second exploit, RxRPC Web page-Cache Write, is available in.
“RxRPC Web page-Cache Write doesn’t require the privilege to create a namespace, however the rxrpc.ko module itself is just not included in most distributions,” Kim defined. “For instance, the default construct of RHEL 10.1 doesn’t ship rxrpc.ko. Nevertheless, on Ubuntu, the rxrpc.ko module is loaded by default.”
“Chaining the 2 variants makes the blind spots cowl one another. In an setting the place consumer namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, the place consumer namespace creation is blocked however rxrpc.ko is constructed, the RxRPC exploit works.”
CloudLinx, in an advisory of its personal, mentioned the flaw resides within the “ESP-in-UDP MSG_SPLICE_PAGES no-COW quick path and is reachable by way of the XFRM consumer netlink interface.”
“The bug lives within the in-place decryption quick paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that aren’t privately owned by the kernel (e.g., pipe pages connected by way of splice(2)/sendfile(2)/MSG_SPLICE_PAGES), the obtain path decrypts straight over these externally-backed pages, exposing or corrupting plaintext that an unprivileged course of nonetheless holds a reference to,” AlmaLinux mentioned.
Including to the urgency is the discharge of a working proof-of-concept (PoC) that may be exploited to realize root in a single command. Till the patches can be found, it is suggested to blocklist esp4, esp6, and rxrpc modules in order that they can’t be loaded –
sudo sh -c “printf ‘set up esp4 /bin/falseninstall esp6 /bin/falseninstall rxrpc /bin/falsen’ > /and so on/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true”
It is price mentioning right here that Soiled Frag, regardless of sharing some overlaps with Copy Fail, may be exploited no matter whether or not the Linux kernel’s algif_aead module is enabled or not.
“Observe that Soiled Frag may be triggered no matter whether or not the algif_aead module is offered,” the researcher mentioned. “In different phrases, even on techniques the place the publicly recognized Copy Fail mitigation (algif_aead blacklist) is utilized, your Linux continues to be weak to Soiled Frag.”
