Dirtyfrag: A Universal Linux Local Privilege Escalation, No Patch Yet

Disclosure Without a Patch

A new Linux kernel vulnerability dubbed Dirtyfrag was publicly disclosed after the responsible disclosure process reportedly broke down, meaning no patches and no CVE numbers exist at time of public release. The vulnerability allows unprivileged users to gain root on all major Linux distributions.

How It Works

Dirtyfrag chains two separate kernel flaws. The ESP Path exploits a vulnerability in the ESP (Encapsulating Security Payload) network stack to overwrite the first 160 bytes of /usr/bin/su page cache with a static x86_64 root shell ELF binary, bypassing PAM entirely. The rxrpc Fallback Path exploits an rxrpc/rxkad authentication flaw to patch /etc/passwd, creating an empty password field for the root entry and allowing authentication without credentials via PAM nullok flag.

Immediate Mitigation

Until official patches arrive, disable the vulnerable kernel modules by running:

printf 'install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
' > /etc/modprobe.d/dirtyfrag.conf

Impact

All major distributions including Ubuntu, Debian, Fedora, and Arch Linux are affected. The exploit demonstrates escalation from uid=1000 to root immediately. Linux system administrators should apply the modprobe mitigation now while waiting for kernel patches.