Situation:
A vulnerability was recently discovered in the Linux Kernel named “Dirty Frag”, which allows for Local Privilege Escalation (LPE) to the root user. “Dirty Frag” is a similar exploit to the recent “Copy/Fail” (CVE-2026-31431) vulnerability disclosed recently and is a continuation of a previous vulnerability named “Dirty Pipe” (CVE-2022-0847). This vulnerability is found in the Linux Kernel itself and thus is present in multiple Linux distributions.
Impact:
All servers running a kernel version later than 2017 (starting around Linux 4.14) are vulnerable to this issue. It is possible for a local user to obtain root-level access to a Linux server by modifying the page cache the kernel uses when loading a binary.
As this is a new vulnerability disclosed today, May 7th, 2026, statements from many upstream maintainers of various Operating Systems have not yet been released.
Mitigation Steps:
At this time, we are waiting for the various kernel maintainers to provide a patch.
In the meantime, the vulnerability can be mitigated by disabling various Linux kernel modules if you don’t use IPsec or RxRPC:
sh -c “printf ‘install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n’ > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true”
------------------------------------------------
Next, flush the kernel caches using the following command to ensure the binary page-cache is not modified:
----------------------------------------------
echo 3 > /proc/sys/vm/drop_caches
----------------------------------------------