New Linux 'Dirty Frag' Zero-Day Gives Root On All Major Distros (bleepingcomputer.com) 44
mrspoonsi shares a report: Dirty Frag is a vulnerability class, first discovered and reported by Hyunwoo Kim (@v4bel), that can obtain root privileges on major Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability. Dirty Frag extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high. Because the embargo has been broken, no patch or CVE currently exists. "As with the previous Copy Fail vulnerability, Dirty Frag likewise allows immediate root privilege escalation on all major distributions, and it chains two separate vulnerabilities," Kim said. Detailed technical information can be found here.
BleepingComputer notes that the two vulnerabilities chained by Dirty Frag are "now tracked under the following CVE IDs: the xfrm-ESP one was assigned CVE-2026-43284, and the RxRPC issue is now CVE-2026-43500."
On your mark, get set... GO! (Score:5, Funny)
Quick - copy and paste all your comments from the "Copy Fail" discussion over here!
Re:On your mark, get set... GO! (Score:5, Informative)
>"Quick - copy and paste all your comments from the "Copy Fail" discussion over here!"
Pretty much :) It is essentially the same issue, found in three other kernel modules. Alma Linux and others already have pages up about it. These are serious issues for multiuser/multitenant servers needing to mitigate immediately. Not so much for single-user or home systems.
Copy Fail used the algif_aead module and for enterprise Linuxes, that is built into the kernel. So either update the kernel, or mitigate with:
# grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
and reboot. Dirty Frag uses three additional modules: esp4, esp6, and rxrpc. Enterprise Linuxes don't build those in, so all distros should be able to use something like:
# rmmod esp4 esp6 rxrpc
# sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf"
for immediate mitigation, without rebooting. Of course, disabling those modules has a price: it will disable IPsec ESP, IPsec VPNs (like Swan), and AFS clients. So if you use/need those, you can't mitigate without losing that functionality.
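As an added example, not from the commenter above, a small POSIX shell check that tells you whether that module mitigation is actually in effect on a host: none of esp4/esp6/rxrpc loaded, and an "install <mod> /bin/false" rule present for each under /etc/modprobe.d (an "install ... /bin/false" rule is what stops the module from being loaded on demand; a bare "blacklist" line does not). The functions take lsmod and modprobe.d contents as text, so they run here against constructed samples; "--live" reads the real ones.

```shell
#!/bin/sh
# Added example: audit the Dirty Frag module mitigation (esp4/esp6/rxrpc).
# Reports modules that are still loaded and modules that lack an
# "install <mod> /bin/false" rule in the modprobe.d text given to it.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"
# loaded_modules LSMOD_TEXT: print the target modules present in lsmod output
loaded_modules() {
    found=""
    for m in $DIRTYFRAG_MODULES; do
        if printf '%s\n' "$1" | grep -Eq "^$m[[:space:]]"; then
            found="$found $m"
        fi
    done
    printf '%s' "${found# }"
}
# unblocked_modules CONF_TEXT: print the target modules with no install-/bin/false rule
unblocked_modules() {
    missing=""
    for m in $DIRTYFRAG_MODULES; do
        if ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false"; then
            missing="$missing $m"
        fi
    done
    printf '%s' "${missing# }"
}
# mitigation_status LSMOD_TEXT CONF_TEXT: "mitigated", or a summary of what is still exposed
mitigation_status() {
    loaded=$(loaded_modules "$1")
    unblocked=$(unblocked_modules "$2")
    if [ -z "$loaded" ] && [ -z "$unblocked" ]; then
        echo "mitigated"
    else
        echo "exposed: loaded=[$loaded] not-blacklisted=[$unblocked]"
    fi
}

# Constructed sample data (not from a real host): esp4 is loaded and has no
# install rule, esp6 and rxrpc are blocked.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   24576  0'
SAMPLE_CONF='install esp6 /bin/false
install rxrpc /bin/false'

if [ "${1:-}" = "--live" ]; then
    mitigation_status "$(lsmod)" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
else
    mitigation_status "$SAMPLE_LSMOD" "$SAMPLE_CONF"   # prints: exposed: loaded=[esp4] not-blacklisted=[esp4]
fi
```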
Re:On your mark, get set... GO! (Score:4, Informative)
AlmaLinux has already patched it [almalinux.org].
Re:On your mark, get set... GO! (Score:4, Insightful)
Release the AI virtual flying chaos monkeys! (Score:2)
How do you complain about dupe without saying dupe (or duplicate)? Citing FP and this thread. But at least FP got a Funny, even if'n I can't understand why.
But is it possible that some serious topics will evolve and develop in ways that justify discussions that extend longer than the one-day lifetime of a Slashdot story? Naw, that can't possibly be it.
Of course I shall now diverge. This time I'm wondering about the source of this vulnerability. So far I haven't spotted any insight into causes here on ye anc
Embargo intrigue (Score:5, Interesting)
There's a little more intrigue here on the breaking of the embargo. Basically the bugs were responsibly reported and the finders helped with writing the patch under embargo. Then when the patch commit dropped, someone instantly figured out that it was the same class of bug as Copy Fail. And then someone wrote new exploit code [afflicted.sh] for the bug before the patch worked its way through. No one improperly leaked something, but watching new patches for previous exploits was quicker than the patch could work its way through the system.
Which leaves us where we are with Hyunwoo Kim releasing the original exploit code early and a patch that seems to have made it into the kernel [kernel.org], but without downstream distros having released their patches.
Here's the link to the mitigation [github.com] for anyone wanting to deal with it before their distro drops their patch. Noting that the mitigation will break IPsec VPNs and AFS distributed network file systems.
Re:Embargo intrigue (Score:4, Interesting)
Re: (Score:2)
Just once, I'd like to see the white hat turn out to be someone like Jisoo [ranker.com]...
Re: Embargo intrigue (Score:2)
Yeah, and the person who released the information first was operating in an "if I noticed this, doing only as much as I'm doing, surely attackers would also notice" mode. Possibly some patches these days are sufficiently obvious as to their correctness and also effect that they should first become public as a set of stable releases. This was a kind of special case, as CopyFail was the combination of some code doing something strange with one user not being prepared for it, and fixed the user. If there are o
how ironic! (Score:2)
The post itself has an error. The last link's URL points to the same page as the predecessor. There is no record for 43500
Re:how ironic! (Score:4, Informative)
According to Alma Foundation [almalinux.org] that is the reserved CVE number but it's pending publication.
Probably because it was released before the embargo was supposed to be lifted.
Re: (Score:2)
hmmm... Providing a link to something not yet published is questionable (at least without mentioning that.) But having the link point to the -wrong- page is just bogus.
Deja Vu (Score:5, Insightful)
I'm expecting this next year to be rough for patching systems with AI getting good at this. I'd guess at least one new zero of a similar urgency every 2 weeks for Linux.
So 16 until the end of the year.
I think we will be more secure at the end of it.. but it could be rough.
Re: Deja Vu (Score:2)
It will certainly force users/providers/administrator to review their patching processes, and velocity.
Re: (Score:2)
If this puts companies like Cellebrite out of business, then I'll happily accept that I have to update my servers 16 times a year until 2028. At least the Linux branches of these companies can go, I don't care much about the others.
Don't care (Score:2)
Was already patched in my distro before the embargo was broken.
Re:Don't care (Score:4, Informative)
Interesting which distro? Is it running a pre-mainline kernel?
The embargo was broken yesterday 6:09PM UTC [github.com] and the Linux kernel patch was released today at 6:42 AM UTC [kernel.org].
Re: (Score:2)
If the distro is that good at timing why does it exist? Presumably the maintainer of the distro would use their time machine to get rich and be lying on an island somewhere given how the vulnerability was "disclosed" before the mainline kernel even had the patch in place.
what access is required? (Score:2)
What access is required to use these vulns?
Re: (Score:2)
Re: (Score:3)
Local access, unless you haven't patched apache this week, then it's remote access.
Re: (Score:2)
>"Local access, unless you haven't patched apache this week, then it's remote access."
What if you're using OpenLiteSpeed instead of Apache? Asking for a friend.
Re: (Score:2)
Arbitrary code execution - a type of access that is ubiquitous in the bugs of countless programs (which is why we don't allow them to run with privileges in the first place)
Android (Score:4, Interesting)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
The phone is only more secure than your server if you choose to set up your server so poorly. SELinux was introduced 25 years ago and is the mitigation here.
Auditing suggestions? (Score:2)
Are there any tools to watch my lsmod, walk /lib/modules, and configure modprobe.d to deny loading anything I'm not using?
All of these exploits are in distro modules I'd never use.
Re: (Score:3)
Re: (Score:2)
You can delete the modules or move them some place else. What the kernel does not find, it does not load.
OMG (Score:3)
Heck (Score:2)
Re: (Score:1)
well you got time to post on slashdot so hey
Re: (Score:1)
Code's compiling.
https://xkcd.com/303/ [xkcd.com]
Re: (Score:2)
Either you get faster and faster at it, or 2026 is the year we work on pen and paper until the storm is over...
What am I missing? (Score:2)
Re: (Score:2)
Anyway in my case in theory my clients could try to get out of the git-shell I guess.
Server patched and rebooted
Re: (Score:2)
Re: (Score:2)
You are missing the fact that a remote exploit to run unprivileged commands is a far lower bar to achieve than privileged. And that there are many, many, MANY systems that intentionally give access to unprivileged commands through web interfaces to a wide audience.
X^W in no major distro? (Score:2)
The class of bugs for PipeFail can be prevented in principle with X^W [wikipedia.org], which is implemented in PaX, Exec Shield, and some SELinux configs.
Is any distribution that comes with these in the default installation protected against these exploits? If not, what is missing in terms of mitigation protections against this class of bugs?
mitigation while keeping ipsec functional (Score:1)
Blacklisting the rpc module and disabling user namespaces seem to block the exploit on older kernels without having to blacklist ipsec modules, according to my limited testing, YMMV. It probably breaks e.g. rootless docker user mapping, so there is a tradeoff.