Linux Kernel Flaws DirtyClone and pedit COW Enable Root via Page-Cache Poisoning
Two newly disclosed Linux kernel local privilege escalation flaws are enabling attackers to gain root by corrupting file-backed page-cache memory without changing files on disk. DirtyClone (CVE-2026-43503) affects the XFRM/IPsec path and abuses cloned packets after a shared-fragment safety flag is dropped during internal copying, while pedit COW (CVE-2026-46331) affects the traffic-control act_pedit subsystem through an out-of-bounds write. Public exploit material shows both bugs can poison the in-memory copy of privileged binaries such as /usr/bin/su or /bin/su, then execute them to obtain root access while evading file-integrity checks and, in DirtyClone’s case, potentially leaving no on-disk changes or kernel audit evidence.
Exploitation in both cases depends on local access plus CAP_NET_ADMIN, which researchers say can often be obtained through unprivileged user namespaces on distributions such as Debian, Fedora, and RHEL by default. Reported testing showed successful exploitation on Debian 13 and RHEL 10, with Ubuntu 24.04 requiring an AppArmor-permitted path and Ubuntu 26.04 blocking some default routes despite vulnerable kernels. Upstream fixes have already landed in the Linux 7.1 release candidates, and vendors including Ubuntu, Debian, SUSE, and Red Hat have issued advisories or patches; defenders are being urged to deploy patched kernels, reboot affected systems, and consider disabling unprivileged user namespaces or blocking act_pedit where immediate patching is not possible.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Public DirtyClone exploit repository appears on GitHub
A public GitHub repository for DirtyClone (CVE-2026-43503) was published, providing exploit code and technical details for abusing the nf_dup_ipv4()/__pskb_copy_fclone() path to corrupt page-cache-backed targets such as /usr/bin/su and gain root. The repository also documented the vulnerable kernel window, fixed commit, and mitigations such as blocking xt_TEE or ESP module autoload.
JFrog publishes DirtyClone exploit walkthrough
JFrog Security Research published the first public working exploit walkthrough for DirtyClone, demonstrating root escalation via cloned packets and page-cache corruption without modifying files on disk. The disclosure described exploitation through an attacker-controlled IPsec tunnel and noted that full exploit code was being withheld during patch rollouts.
SUSE publishes advisories for Dirty Frag CVE-2026-43500
SUSE published bug and advisory tracking for CVE-2026-43500, a Linux kernel RxRPC page-cache write vulnerability affecting upstream kernels from Linux 6.5 onward. The advisories said fixes were backported across relevant branches and noted SUSE planned to remove the unsupported rxrpc module from affected extra kernel packages as part of remediation.
Ubuntu lists supported releases as vulnerable to pedit COW
Ubuntu stated that supported releases from 18.04 through 26.04 were vulnerable to CVE-2026-46331. The advisory noted the status as of that date while patching and mitigations were being tracked.
Public pedit COW exploit appears on GitHub
A public proof-of-concept for CVE-2026-46331, PACKET_EDIT_MEME, was published on GitHub and described exploitation against distributions including RHEL 10, Debian 13, and Ubuntu 24.04.4. The repository showed how an unprivileged user could corrupt the cached /bin/su binary to gain root.
Ubuntu publishes advisory for CVE-2026-46331
Ubuntu published a security notice for CVE-2026-46331, describing a Linux kernel net/sched act_pedit flaw that can cause page-cache corruption due to incorrect copy-on-write range handling. The advisory began tracking affected Ubuntu kernel packages and referenced the upstream fix later merged in Linux 7.1-rc7.
pedit COW assigned CVE-2026-46331
The Linux kernel act_pedit privilege-escalation flaw was assigned CVE-2026-46331. The bug affects the traffic-control subsystem and can be used to poison cached setuid binaries in memory.
Stable kernel patch lands for pedit partial COW flaw
A Linux stable-tree commit updated net/sched/act_pedit.c to fix partial copy-on-write behavior that could lead to page-cache corruption, adding stricter bounds and overflow checks and safer packet memory handling. The patch represents a concrete upstream remediation step for the pedit COW vulnerability later tracked as CVE-2026-46331.
Linux v7.1-rc5 ships with DirtyClone fix
Linux v7.1-rc5 was identified as the first release containing the DirtyClone fix. This made the upstream remediation available in a kernel release.
Ubuntu publishes advisory for CVE-2026-43503
Ubuntu published a security notice for CVE-2026-43503, describing the Linux kernel SKBFL_SHARED_FRAG propagation flaw in the XFRM ESP-in-TCP path and warning it could allow local privilege escalation or possible container escape. The advisory listed affected Ubuntu releases and kernel package fix status across supported versions.
DirtyClone assigned CVE-2026-43503
The DirtyClone vulnerability received the identifier CVE-2026-43503. This marked formal tracking of the Linux kernel privilege-escalation bug.
DirtyClone fix merged into Linux mainline
A patch for the DirtyClone Linux kernel local privilege escalation flaw (CVE-2026-43503) was merged upstream in commit 48f6a5356a33. The fix addressed the packet-cloning issue that could enable page-cache corruption and root escalation.
JFrog reports DirtyClone to Linux maintainers
JFrog Security Research reported the DirtyClone local privilege-escalation vulnerability to the Linux kernel maintainers after independently rediscovering the vulnerable __pskb_copy_fclone path. This vendor report preceded the upstream fix and later public exploit walkthrough.
DirtyClone fix submitted to netdev mailing list
Hyunwoo Kim submitted a Linux kernel networking patch to fix improper propagation of the SKBFL_SHARED_FRAG marker, describing how the flaw could enable page-cache writes and root escalation through affected packet paths such as ESP input. The patch was sent to the netdev mailing list and CCed for stable backporting.
PEdit-CoW fixes released across Linux kernel branches
The reference states that the act_pedit copy-on-write flaw CVE-2026-46331 was fixed in Linux kernel releases 7.1, 7.0.13, 6.18.36, and 6.12.94. This adds concrete upstream remediation versions for the privilege-escalation bug.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
23 references tracked. Mallory keeps watching after this page renders.
DirtyClone: A Linux Privilege Escalation That Leaves No Trace on Disk
securityaffairs.com
Open source2 Linux kernel flaw PoCs published, enabling local privilege escalation | news | SC Media
scworld.com
Open sourceNew DirtyClone Linux Vulnerability Allows Attackers to Gain Root Access Via Cloned Packets
cybersecuritynews.com
Open sourceNew Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries
thehackernews.com
Open source[PATCH net v5] net: skbuff: propagate shared-frag marker through frag-transfer helpers - Hyunwoo Kim
lore.kernel.org
Open sourceCVE-2026-43503
security-tracker.debian.org
Open sourcePEdit-CoW � DirtyClone - ���������� � ���� Linux, ����������� �������� root ����� ��������� ����������� ����
opennet.ru
Open sourcePEdit-CoW � DirtyClone - ���������� � ���� Linux, ����������� �������� root ����� ��������� ����������� ����
opennet.me
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Linux kernel LPE exploits DirtyDecrypt and PinTheft expose root access paths
Public proof-of-concept exploit code was released for **DirtyDecrypt** (`CVE-2026-31635`), a high-severity Linux kernel local privilege escalation flaw caused by a missing copy-on-write guard in `rxgk_decrypt_skb()` within the RxGK subsystem. The bug allows unprivileged local users to corrupt shared page-cache memory tied to privileged files or processes, potentially overwriting targets such as `/etc/shadow`, `/etc/sudoers`, or SUID binaries to gain **root**. Reports said the issue was quietly patched upstream in late April and primarily affects systems using mainline or rolling-release kernels with `CONFIG_RXGK` enabled, including **Fedora**, **Arch Linux**, and **openSUSE Tumbleweed**; the risk is elevated on Kubernetes worker nodes and developer workstations because exploitation can also enable container escape and theft of secrets or runtime sockets. At the same time, researchers disclosed **PinTheft**, another Linux local privilege escalation exploit that abuses a double-free or refcount bug in the **RDS zerocopy send path** and uses `io_uring` fixed buffers to turn the flaw into a page-cache overwrite against a SUID-root binary. The exploit, credited to Aaron Esau of V12 Security, reportedly drains page references through failed RDS zerocopy sends, frees the page, reclaims it as page cache, and overwrites it with a malicious ELF payload that yields a root shell when executed. Mailing list discussion said a patch and proof of concept are available, with exploitability depending on the `rds` kernel module being present or autoloadable; **Arch Linux** was reported to enable it by default, while Fedora may also be exposed and Debian and Ubuntu appear to have mitigations that restrict autoloading.
May 25, 2026
Linux Privilege Escalation Flaws Spur Dirty Frag Alerts and Kernel Killswitch Proposal
Linux kernel developers are reviewing an emergency runtime mitigation called **Killswitch** after public disclosure of multiple local privilege escalation flaws, including **Copy Fail** (`CVE-2026-31431`) and the chained **Dirty Frag** bugs (`CVE-2026-43284`, `CVE-2026-43500`). Dirty Frag, disclosed by researcher Hyunwoo Kim and discussed by Red Hat and other outlets, affects kernel networking paths tied to IPSec ESP and `RxRPC` and can let an unprivileged local user gain root on many distributions. Copy Fail, a separate nine-year-old flaw in `AF_ALG` cryptographic sockets, was also reported as enabling reliable local root escalation by allowing controlled writes into the kernel page cache of readable files. Government and vendor guidance warned that public proof-of-concept exploit code is available and that risk increases if the local flaws are paired with remote code execution. The Canadian Centre for Cyber Security said no universal fix was immediately available across all stable kernels and urged defenders to identify exposed systems, restrict local access, reduce privileges, regenerate `initramfs`, and disable vulnerable modules where possible. In parallel, a GitHub project circulated shell-based stopgap patching to disable or rename affected modules on running systems, while the proposed Killswitch mechanism would let administrators force selected kernel functions to return safely without executing until patched kernels can be deployed.
Jun 8, 2026
Dirty Frag Linux Kernel LPE Enables Immediate Root Access Across Major Distros
Researchers publicly disclosed **Dirty Frag**, a Linux kernel local privilege escalation chain that can give an unprivileged local user immediate root access across major distributions. The disclosure said the issue combines flaws in the in-place decryption fast paths for **`esp4`**, **`esp6`**, and **`rxrpc`**, allowing page-cache corruption or plaintext exposure in externally backed paged fragments. Public write-ups and exploit repositories described two working paths: overwriting **`/usr/bin/su`** with a root shell via the ESP/XFRM stack, or corrupting **`/etc/passwd`** through RXRPC/RXKAD behavior so a UID 0 account can be used without a password. The bug was published without patches or CVE assignments after an embargo was reportedly broken, and exploit code was quickly made public through oss-sec, GitHub, and security forums. A related GitHub proof of concept, **Copy Fail 2: Electric Boogaloo**, tied the ESP path to the **`MSG_SPLICE_PAGES`** no-copy-on-write fast path and reported successful exploitation on Debian, Arch, Fedora, and newer Ubuntu releases, while noting older Ubuntu 22.04 kernels were not affected by that specific path. AlmaLinux said all supported releases were affected, issued patched kernels in testing by backporting the upstream ESP fix, and recommended temporary mitigations including blacklisting or unloading **`esp4`**, **`esp6`**, and **`rxrpc`** modules and dropping page cache if compromise is suspected.
May 25, 2026