DEV Community

Mark0


New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets

DirtyClone (CVE-2026-43503) is a critical Linux kernel privilege escalation vulnerability belonging to the DirtyFrag family. Discovered by JFrog Security Research, the flaw lets a local user holding CAP_NET_ADMIN gain root by corrupting file-backed memory. The underlying bug is that the kernel, when cloning a network packet, fails to propagate the safety flag that marks the packet's fragments as shared memory. An attacker can set up an IPsec tunnel to overwrite sensitive parts of a privileged binary such as /usr/bin/su in memory, bypassing its login checks and obtaining root.

The attack is stealthy and leaves no audit trail on disk: the modification lands only in the kernel's in-memory copy of the file, which is discarded on reboot. Exploitation typically requires unprivileged user namespaces, which are enabled by default on many distributions including Debian and Fedora, although Ubuntu 24.04 and later restrict them via AppArmor. Multi-tenant servers, container hosts, and Kubernetes clusters where untrusted users can create namespaces are particularly at risk.

DirtyClone is the fourth in a series of "frag-transfer" vulnerabilities, in which a dropped shared-frag bit in zero-copy networking paths turns into a write primitive. The fix has been merged into mainline Linux v7.1-rc5 and backported to the stable branches. Users are urged to install their distribution's kernel updates; restricting unprivileged user namespaces or blacklisting the IPsec modules are temporary workarounds, not permanent solutions. The DirtyFrag class of vulnerabilities is likely not exhausted, so ongoing auditing is needed.
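The two interim workarounds above are easy to state but easy to get wrong on a real host, because the user-namespace restriction lives behind different sysctls on different distributions. The following POSIX shell audit, added here as an example and not code from the post or from JFrog, reports whether either workaround is actually in effect. The sysctl names it checks (Debian's `kernel.unprivileged_userns_clone`, Ubuntu's `kernel.apparmor_restrict_unprivileged_userns`, mainline's `user.max_user_namespaces`) and the list of IPsec module names are assumptions about the host, not values from the post; the `SYSCTL_ROOT`, `MODPROBE_D` and `MODULES_FILE` overrides exist so the logic can be exercised against constructed files.

```shell
#!/bin/sh
# Defensive audit for the two temporary DirtyClone workarounds named in the
# post: (1) are unprivileged user namespaces restricted, (2) are the IPsec
# modules blacklisted or at least not loaded. Added example, not from the post.
# Paths are overridable so the checks can run against constructed test files.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
MODPROBE_D="${MODPROBE_D:-/etc/modprobe.d}"
MODULES_FILE="${MODULES_FILE:-/proc/modules}"

# read_sysctl KEY -> prints the value, or "missing" if the knob does not exist
read_sysctl() {
    path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo missing; fi
}

# userns_status -> "restricted" | "unrestricted"
# Any one of these three knobs (assumed distribution-specific names) being
# set restrictively is enough to block unprivileged namespace creation.
userns_status() {
    debian=$(read_sysctl kernel.unprivileged_userns_clone)             # 0 = disabled
    ubuntu=$(read_sysctl kernel.apparmor_restrict_unprivileged_userns) # 1 = restricted
    maxns=$(read_sysctl user.max_user_namespaces)                      # 0 = none allowed
    if [ "$debian" = 0 ] || [ "$ubuntu" = 1 ] || [ "$maxns" = 0 ]; then
        echo restricted
    else
        echo unrestricted
    fi
}

# ipsec_module_status MODULE -> "loaded" | "blacklisted" | "available"
# "loaded" means the module is already in the kernel (a blacklist alone does
# not unload it); "blacklisted" means a modprobe.d rule blocks autoloading.
ipsec_module_status() {
    mod="$1"
    if grep -q "^$mod " "$MODULES_FILE" 2>/dev/null; then
        echo loaded; return
    fi
    if grep -rqE "^(blacklist|install)[[:space:]]+$mod([[:space:]]|$)" "$MODPROBE_D" 2>/dev/null; then
        echo blacklisted; return
    fi
    echo available
}

# audit -> human-readable report of both workarounds
audit() {
    printf 'unprivileged user namespaces: %s\n' "$(userns_status)"
    # Assumed set of IPsec-related modules; adjust to what your kernel ships.
    for m in esp4 esp6 ah4 ah6 xfrm_user; do
        printf 'module %-10s %s\n' "$m" "$(ipsec_module_status "$m")"
    done
}

audit
```

A result of `unrestricted` together with `available` or `loaded` modules means neither workaround is protecting the host; treat a `loaded` module as unmitigated even when it is blacklisted, since the blacklist only prevents future autoloading.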


