smith
May 8, 2026, 7:49am
1
As soon as CVE-2026-31431 was finally fixed, there is a new exploit (without CVE classification yet), which grants immediate root access:
V4bel/dirtyfrag (GitHub)
I could test it successfully on our machines (RockyLinux 8.10 and 9.7). Furthermore, as mitigation
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
seems to work. I couldn’t yet find a post concerning this topic. I hope I did not overlook something.
I cannot see these modules anywhere in a default 8.10 install. Are we actually affected?
grep -e esp -e rxrpc "/lib/modules/$(uname -r)/modules.builtin"
lsmod | grep -e esp -e rxrpc
Also, you can flush the caches with the following command:
sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'
Which makes the tainted su (and others) reload from disk. Useful if you think your system has been compromised, or if you yourself tried the exploit.
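The checks and the mitigation discussed above can be combined into one audit. This is an added example, not part of any post in this thread: the function name `module_state` and its four state labels are assumptions, and it only reads `modules.builtin`, `/proc/modules` and the modprobe.d directories.

```shell
#!/bin/sh
# Added example: report, per module, whether the "install <mod> /bin/false"
# mitigation is effective on this host.
#   builtin   - compiled into the kernel; a modprobe.d rule cannot block it
#   loaded    - currently loaded; still needs rmmod (or a reboot)
#   blocked   - not loaded, and an install override stops it being loaded
#   unblocked - not loaded and no override found; may be loaded on demand
# Usage: module_state MODULE BUILTIN_FILE PROC_MODULES CONF_DIR...
module_state() {
    mod=$1; builtin=$2; loaded=$3
    shift 3
    # modules.builtin lists paths such as kernel/net/ipv4/esp4.ko
    if [ -r "$builtin" ] && grep -Eq "/${mod}\.ko\$" "$builtin"; then
        echo builtin; return 0
    fi
    # /proc/modules (what lsmod reads) starts each line with the module name
    if [ -r "$loaded" ] && grep -q "^${mod} " "$loaded"; then
        echo loaded; return 0
    fi
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -s hides the error when the directory holds no *.conf file
        if grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(false|true)" \
                "$dir"/*.conf; then
            echo blocked; return 0
        fi
    done
    echo unblocked
}

# Audit the three modules named in the mitigation on the running system.
audit_modules() {
    for m in esp4 esp6 rxrpc; do
        printf '%-6s %s\n' "$m" "$(module_state "$m" \
            "/lib/modules/$(uname -r)/modules.builtin" /proc/modules \
            /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d)"
    done
}

audit_modules
```

A module reported as `unblocked` does not show up in `lsmod` output because `lsmod` lists only modules that are loaded right now.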
alain
May 11, 2026, 3:41pm
5
Hi all,
For information, for those who may, like me, fall on this subject, RockyLinux has created a new repository for urgent security updates, not waiting for RHEL to publish their new packages. See Rocky Linux Security Repository and Dirty Frag Security Update.
So, to update your servers, do:
$ sudo dnf --enablerepo=security update
Alain