The CVE-2026-43503 vulnerability (CVSS 8.8), dubbed DirtyClone, allows a local user to corrupt file contents in the Linux kernel page cache via cloning of network packets and gain root privileges. On June 25, JFrog Security Research published a working exploit with a step-by-step description of the attack. The patch was merged into the mainline kernel on May 21; Ubuntu, Debian, SUSE and Red Hat have already released updates or are tracking the fix. The highest risk is to multi-user servers, containerization hosts, CI runners and Kubernetes clusters where unprivileged users can create namespaces.
Vulnerability mechanism
According to JFrog researchers, the root cause of DirtyClone is the loss of the flag that marks a packet fragment's memory as shared, in this case backed by pages of a file in the page cache. When the kernel internally copies such a packet, the helper functions __pskb_copy_fclone() and skb_shift() drop this flag from the copy. A single lost bit is enough to turn a zero-copy optimization into a write primitive: the network stack now treats the fragment as its own and writes into it where it should have copied.
The exploitation chain, as reported, looks as follows:
- The attacker loads a privileged binary (for example, /usr/bin/su) into memory and binds the corresponding memory pages to a network packet.
- The kernel clones this packet, losing the shared-fragment flag.
- The cloned packet passes through an IPsec tunnel controlled by the attacker.
- At the decryption stage, the contents are overwritten with arbitrary bytes: the authentication checks in the binary are replaced with the attacker's code.
- On the next run of su by any user on the system, root privileges are granted.
A critical aspect of the attack: the file on disk remains unchanged. The modification exists only in the kernel page cache, so file integrity monitoring tools do not detect the tampering, and a reboot restores the original binary. By the time any check might be performed, the attacker already has root rights.
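One check a responder can still run follows from the point above: the tampered bytes live only in the page cache, so an ordinary buffered read (what exec and every normal process see) returns them, while a read with O_DIRECT is served from the block device and returns the original file. The script below, added here as an example and not code from the article, from JFrog or from the kernel, hashes a file both ways and flags a difference. The binary list in SETUID_CANDIDATES is illustrative; the result "unsupported" means the filesystem refused O_DIRECT (tmpfs does), not that the file is clean.

```python
"""Compare a file's page-cache view with its on-disk bytes.

Added example for this article; not code from JFrog or the kernel.
A page-cache-only modification is returned by an ordinary buffered read
but not by an O_DIRECT read, which is served from the block device.
Assumption behind the check: the tampered pages are clean, as the article
describes (the file on disk is unchanged and a reboot restores it). If a
modification also marked the pages dirty, the kernel would write them back
before the direct read and both views would agree.
"""
import hashlib
import mmap
import os
from typing import Optional

# 1 MiB: a multiple of the page size and of any logical block size,
# which O_DIRECT requires for both the buffer address and the length.
BLOCK = 1 << 20

# Illustrative list of setuid binaries worth checking; extend per host.
SETUID_CANDIDATES = ["/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"]


def digest_buffered(path: str) -> str:
    """SHA-256 of the file as every normal process sees it (via the page cache)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_direct(path: str) -> Optional[str]:
    """SHA-256 of the file read with O_DIRECT, bypassing the page cache.

    Returns None when the platform or filesystem refuses O_DIRECT
    (for example tmpfs), so the caller can tell 'unsupported' from 'MISMATCH'.
    """
    o_direct = getattr(os, "O_DIRECT", None)
    if o_direct is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | o_direct)
    except OSError:
        return None
    try:
        size = os.fstat(fd).st_size
        h = hashlib.sha256()
        done = 0
        # An anonymous mmap is page-aligned, satisfying O_DIRECT alignment.
        with mmap.mmap(-1, BLOCK) as buf:
            while done < size:
                try:
                    n = os.readv(fd, [buf])
                except OSError:
                    return None
                if n <= 0:
                    break
                # The final read may be short: O_DIRECT returns bytes up to EOF.
                h.update(buf[:n])
                done += n
        return h.hexdigest()
    finally:
        os.close(fd)


def compare_views(path: str) -> str:
    """'match', 'MISMATCH' (page cache differs from disk) or 'unsupported'."""
    direct = digest_direct(path)
    if direct is None:
        return "unsupported"
    return "match" if direct == digest_buffered(path) else "MISMATCH"


if __name__ == "__main__":
    for p in SETUID_CANDIDATES:
        if os.path.exists(p):
            print(f"{compare_views(p):12} {p}")
```

Two caveats apply. The comparison is only evidence while the tampered pages are still resident; once memory pressure evicts them, both reads come from disk and agree. And ext4 mounted with data=journal silently falls back to buffered I/O for O_DIRECT, so on such a mount the two digests always match and the check says nothing.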
Prerequisites for exploitation
Setting up an IPsec tunnel on the loopback interface requires the CAP_NET_ADMIN capability. According to the researchers, on Debian and Fedora unprivileged user namespaces are enabled by default, which allows a local user to obtain this capability inside a new namespace. Since the page cache is shared at the host level, modifications made inside a namespace affect all processes on the machine.
Ubuntu 24.04 and later versions restrict namespace creation via AppArmor, which, according to JFrog, blocks the standard exploitation path. However, the kernel vulnerability remains, and alternative attack vectors cannot be ruled out.
JFrog confirmed that the exploit works on Debian, Ubuntu and Fedora systems with default namespace configurations.
Fourth vulnerability in the series
DirtyClone is the fourth privilege escalation vulnerability with an identical failure mechanism in the last two months. All of them involve cases where file-backed memory is treated as packet data, and a network operation writes where it was supposed to copy:
- Copy Fail (CVE-2026-31431) — late April, a four-byte write into the page cache via the algif_aead module.
- DirtyFrag (CVE-2026-43284, CVE-2026-43500) — May 7, full arbitrary write primitive via IPsec ESP and RxRPC.
- Fragnesia (CVE-2026-46300) — May 13, bypass of the DirtyFrag patch via a flag-reset bug in skb_try_coalesce().
Each fix closed one code path while leaving others open. The fundamental problem is contractual in nature: every code path that moves skb fragments is required to preserve the shared-fragment bit. The zero-copy mechanism in the kernel’s network stack allows file-backed memory to serve as packet data, and a single lost flag anywhere in the chain turns a performance optimization into a vulnerability.
Researcher Hyunwoo Kim, who discovered the original DirtyFrag, on May 16 proposed an extended patch covering several remaining helper functions for fragment transfer. The combined fix was accepted on May 21 (commit 48f6a5356a33), CVE-2026-43503 was assigned on May 23, and the fix landed in Linux v7.1-rc5.
Impact assessment
The highest risk is to environments with multi-user access:
- Multi-user servers with shared SSH access
- Containerization hosts and Kubernetes clusters where users can create namespaces
- CI/CD runners executing code from untrusted repositories
- Any systems on Debian or Fedora with default namespace configuration
The absence of traces in audit logs and invisibility to file integrity monitoring tools make this vulnerability particularly dangerous for infrastructures that rely on these detection mechanisms.
Mitigation recommendations
The primary action is to install the kernel update provided by your distribution. The fix is included in the mainline (v7.1-rc5) and has been backported to stable and LTS branches. Advisories have been published by Ubuntu, Debian and SUSE.
If immediate updating is not possible, two temporary workarounds are available:
- Restrict unprivileged user namespaces: on Debian and Ubuntu, set kernel.unprivileged_userns_clone=0. Other distributions use different mechanisms.
- Block kernel modules: blacklist the esp4, esp6 and rxrpc modules. This will break IPsec and AFS functionality and is only applicable if these components are loaded as modules rather than built into the kernel.
Both workarounds are temporary measures that do not eliminate the vulnerability.
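Before relying on either workaround it is worth confirming what the host actually does. The script below, an example added for this article and not tooling from the article, JFrog or any distribution, reports whether unprivileged user namespace creation is restricted and, for esp4, esp6 and rxrpc, whether each module is loaded, built into the kernel (where a blacklist has no effect), present on disk but not loaded (still autoloadable), or absent. Beyond the kernel.unprivileged_userns_clone knob the article names, it also reads kernel.apparmor_restrict_unprivileged_userns (Ubuntu's AppArmor restriction) and the mainline user.max_user_namespaces limit; those two additions are this example's own. The parsers take file text as arguments so they can be run against /proc/modules and modules.* files captured from another machine.

```python
"""Exposure check for the two temporary workarounds (added example).

This is not the article's or the distributions' tooling. It reports:
  * whether unprivileged user namespace creation is restricted, looking at
    kernel.unprivileged_userns_clone (the Debian/Ubuntu knob the article
    names), kernel.apparmor_restrict_unprivileged_userns (Ubuntu's AppArmor
    restriction) and user.max_user_namespaces (a mainline limit); the
    latter two knobs are this example's additions;
  * for esp4, esp6 and rxrpc, whether each is loaded, built into the
    kernel (a modprobe blacklist then has no effect), on disk but not
    loaded (still autoloadable), or absent.
The parsers take text so they can be run against files captured elsewhere.
"""
import os
import platform
from typing import Dict, Iterable, Optional

SYSCTLS = (
    "kernel.unprivileged_userns_clone",
    "kernel.apparmor_restrict_unprivileged_userns",
    "user.max_user_namespaces",
)
WORKAROUND_MODULES = ("esp4", "esp6", "rxrpc")


def read_sysctl(name: str) -> Optional[str]:
    """Value of a sysctl via /proc/sys, or None if this kernel lacks the knob."""
    try:
        with open("/proc/sys/" + name.replace(".", "/")) as f:
            return f.read().strip()
    except OSError:
        return None


def userns_restricted(values: Dict[str, Optional[str]]) -> bool:
    """True if any known knob blocks unprivileged user namespace creation."""
    return (
        values.get("kernel.unprivileged_userns_clone") == "0"
        or values.get("kernel.apparmor_restrict_unprivileged_userns") == "1"
        or values.get("user.max_user_namespaces") == "0"
    )


def _has_ko(name: str, paths: Iterable[str]) -> bool:
    """True if any path is <name>.ko, possibly compressed (.ko.xz/.ko.zst/.ko.gz)."""
    for p in paths:
        base = os.path.basename(p.strip())
        if base == name + ".ko" or base.startswith(name + ".ko."):
            return True
    return False


def module_state(name: str, proc_modules: str, modules_builtin: str, modules_dep: str) -> str:
    """'loaded', 'builtin', 'available' (on disk, not loaded) or 'absent'.

    proc_modules is the text of /proc/modules (first field is the module
    name); modules_builtin and modules_dep are the files of the same name
    under /lib/modules/<release>/ (modules.dep lines are '<path>: <deps>').
    """
    if any(line.split(" ", 1)[0] == name for line in proc_modules.splitlines()):
        return "loaded"
    if _has_ko(name, modules_builtin.splitlines()):
        return "builtin"
    if _has_ko(name, (line.split(":", 1)[0] for line in modules_dep.splitlines())):
        return "available"
    return "absent"


def _read(path: str) -> str:
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


def host_report() -> dict:
    """Gather the checks for the running kernel."""
    release = platform.release()
    moddir = f"/lib/modules/{release}"
    values = {k: read_sysctl(k) for k in SYSCTLS}
    proc_modules = _read("/proc/modules")
    builtin = _read(f"{moddir}/modules.builtin")
    dep = _read(f"{moddir}/modules.dep")
    return {
        "kernel": release,
        "userns_restricted": userns_restricted(values),
        "sysctls": values,
        "modules": {m: module_state(m, proc_modules, builtin, dep) for m in WORKAROUND_MODULES},
    }


if __name__ == "__main__":
    for key, value in host_report().items():
        print(f"{key}: {value}")
```

Reading the output: a module reported as "loaded" has to be unloaded (modprobe -r) as well as blacklisted, since a blacklist entry only affects future loads; a blacklist entry stops alias-based autoloading, and an `install esp4 /bin/false` line in modprobe.d is the stronger form if an explicit load by name must also be refused; and "builtin" means the module workaround is not available on that kernel, leaving the namespace restriction or the update itself.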
The DirtyFrag series highlights a systemic issue in the Linux kernel’s network stack: any function that moves fragment descriptors without preserving the shared-fragment flag is potentially a new vulnerability. Organizations operating multi-user Linux systems should not only apply the current patch, but also incorporate monitoring of kernel updates related to handling of skb_shinfo()->flags during fragment transfer into their regular vulnerability management process.