
Linux Kernel Dirty Frag LPE Exploit Allows Root Access Across Major Distributions


Ravie Lakshmanan, May 08, 2026, Linux / Vulnerability


Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability affecting the Linux kernel.

Dubbed Dirty Frag, it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw in the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to the Linux kernel maintainers on April 30, 2026.

“Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability,” security researcher Hyunwoo Kim (@v4bel) said in a write-up.

“Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”

Successful exploitation of the flaw could allow an unprivileged local user to gain root access on most Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.

According to the researcher, the xfrm-ESP Page-Cache Write vulnerability was introduced in a source code commit made in January 2017, while the RxRPC Page-Cache Write vulnerability was introduced in June 2023. Interestingly, the same January 17, 2017, commit was the root cause of another buffer overflow (CVE-2022-27666, CVSS score: 7.8) that affected various Linux distributions.

xfrm-ESP Page-Cache Write, which is rooted in the IPsec (xfrm) subsystem, gives an attacker a 4-byte store primitive like Copy Fail and overwrites a small amount of data in the kernel’s page cache.

However, the exploit requires the unprivileged user to create a namespace, a step that Ubuntu blocks by default through AppArmor’s restriction on unprivileged user namespaces. In such an environment, xfrm-ESP Page-Cache Write cannot be triggered. That is where the second exploit, RxRPC Page-Cache Write, comes in.

“RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions,” Kim explained. “For example, the default build of RHEL 10.1 does not ship rxrpc.ko. However, on Ubuntu, the rxrpc.ko module is loaded by default.”

“Chaining the two variants makes the blind spots cover each other. In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.”

CloudLinx, in an advisory of its own, said the flaw resides in the “ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path and is reachable via the XFRM user netlink interface.”

“The bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that are not privately owned by the kernel (e.g., pipe pages attached via splice(2)/sendfile(2)/MSG_SPLICE_PAGES), the receive path decrypts directly over those externally-backed pages, exposing or corrupting plaintext that an unprivileged process still holds a reference to,” AlmaLinux said.

Adding to the urgency is the release of a working proof-of-concept (PoC) that can be used to gain root in a single command. Until patches are available, it is recommended to blocklist the esp4, esp6, and rxrpc modules so that they cannot be loaded. Note that this disables IPsec ESP on the host, and that rmmod will refuse to unload a module that is currently in use:

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

It is worth noting here that Dirty Frag, despite sharing some overlap with Copy Fail, can be exploited regardless of whether the Linux kernel’s algif_aead module is enabled or not.

“Note that Dirty Frag can be triggered regardless of whether the algif_aead module is available,” the researcher said. “In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag.”
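As an added example (not part of the article, the researcher's write-up, or the PoC), the following POSIX shell script audits a host for the conditions the article describes and covers both the blocklist mitigation above and the algif_aead caveat: it reports whether esp4, esp6 and rxrpc are loaded, loadable on demand, blocked by a modprobe.d install line, or absent from the kernel build; whether Ubuntu's AppArmor restriction on unprivileged user namespaces is in effect; and whether only the Copy Fail mitigation (algif_aead blocked) has been applied while the Dirty Frag modules remain reachable. It also prints the modprobe.d content for the blocklist. The paths /proc/modules, /etc/modprobe.d and /lib/modules/$(uname -r), and the kernel.apparmor_restrict_unprivileged_userns sysctl, are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the article or the researcher's PoC): audit a host for
# the Dirty Frag module-based attack surface and print the modprobe.d mitigation.
# Assumed paths (override via environment): /proc/modules, /etc/modprobe.d,
# /lib/modules/$(uname -r). The Ubuntu sysctl
# kernel.apparmor_restrict_unprivileged_userns is assumed under /proc/sys and is
# absent on other distributions, which is handled as "not restricted".

PROC_MODULES="${PROC_MODULES:-/proc/modules}"
MODPROBE_D="${MODPROBE_D:-/etc/modprobe.d}"
MODULES_DIR="${MODULES_DIR:-/lib/modules/$(uname -r)}"
PROC_SYS="${PROC_SYS:-/proc/sys}"
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Module currently loaded (first field of /proc/modules is the module name).
module_loaded() {
    grep -q "^$1 " "$PROC_MODULES" 2>/dev/null
}

# Module object shipped for the running kernel (.ko, .ko.xz, .ko.zst ...).
module_available() {
    find "$MODULES_DIR" -name "$1.ko*" 2>/dev/null | grep -q .
}

# An "install NAME /bin/false" (or /bin/true) line in modprobe.d. A plain
# "blacklist NAME" line is deliberately NOT accepted: per modprobe.d(5) it only
# stops alias-based autoloading, while "install" also defeats loads by name.
module_blocked() {
    grep -qsE "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)([[:space:]]|$)" \
        "$MODPROBE_D"/*.conf
}

# Classify one module: LOADED / blocked / loadable / absent.
# A loaded module stays LOADED even if an install line exists: the install line
# only prevents future loads, which is why the article's command also runs rmmod.
module_state() {
    if module_loaded "$1"; then echo LOADED
    elif module_blocked "$1"; then echo blocked
    elif module_available "$1"; then echo loadable   # autoloads on first use
    else echo absent
    fi
}

# Number of the three modules an unprivileged user could still reach.
dirtyfrag_exposed_count() {
    n=0
    for m in $DIRTYFRAG_MODULES; do
        case "$(module_state "$m")" in LOADED|loadable) n=$((n+1)) ;; esac
    done
    echo "$n"
}

# Ubuntu 24.04 blocks unprivileged user namespaces via AppArmor; on other
# distributions the sysctl does not exist and this returns false.
userns_restricted() {
    f="$PROC_SYS/kernel/apparmor_restrict_unprivileged_userns"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# True when the Copy Fail mitigation (algif_aead blocked) is in place but a
# Dirty Frag module is still reachable: the case the researcher warns about.
copyfail_only_mitigation() {
    module_blocked algif_aead && [ "$(dirtyfrag_exposed_count)" -gt 0 ]
}

# modprobe.d content to write to e.g. /etc/modprobe.d/dirtyfrag.conf (as root).
dirtyfrag_mitigation_conf() {
    for m in $DIRTYFRAG_MODULES; do printf 'install %s /bin/false\n' "$m"; done
}

dirtyfrag_report() {
    for m in $DIRTYFRAG_MODULES; do printf '%-6s %s\n' "$m" "$(module_state "$m")"; done
    if userns_restricted; then
        echo "unprivileged user namespaces: restricted (xfrm-ESP variant blocked; RxRPC variant unaffected)"
    else
        echo "unprivileged user namespaces: allowed (xfrm-ESP variant reachable if esp4/esp6 can load)"
    fi
    copyfail_only_mitigation && echo "WARNING: algif_aead is blocked but Dirty Frag modules remain reachable"
    echo "exposed modules: $(dirtyfrag_exposed_count)"
}

dirtyfrag_report
```

The audit itself needs no privileges. After writing the blocklist as root, confirm it is honoured with modprobe -n -v esp4 (a dry run), which prints the install /bin/false line instead of loading the module; an "exposed modules: 0" line from the script then means all three modules are both unloaded and unloadable.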
