Particulars have emerged a couple of new, unpatched native privilege escalation (LPE) vulnerability impacting the Linux kernel.
Dubbed Soiled Frag, it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS rating: 7.8), a just lately disclosed LPE flaw impacting the Linux kernel that has since come beneath lively exploitation within the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026.
“Soiled Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Web page-Cache Write vulnerability and the RxRPC Web page-Cache Write vulnerability,” security researcher Hyunwoo Kim (@v4bel) stated in a write-up.
“Soiled Frag is a case that extends the bug class to which Soiled Pipe and Copy Fail belong. As a result of it’s a deterministic logic bug that doesn’t rely on a timing window, no race situation is required, the kernel doesn’t panic when the exploit fails, and the success price could be very excessive.”
Profitable exploitation of the flaw may permit an unprivileged native person to achieve elevated root entry on most Linux distributions, together with Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.
Based on the researcher, the xfrm-ESP Web page-Cache Write vulnerability was launched in a supply code commit made in January 2017, whereas the RxRPC Web page-Cache Write vulnerability was launched in June 2023. Curiously, the identical January 17, 2017, commit was the foundation trigger behind one other buffer overflow (CVE-2022-27666, CVSS rating: 7.8) that affected varied Linux distributions.
xfrm-ESP Web page-Cache Write, which is rooted within the IPSec (xfrm) subsystem, offers attackers with a 4-byte retailer primitive like Copy Fail and overwrites a small quantity within the kernel’s web page cache.
Nonetheless, the exploit requires the unprivileged person to create a namespace, a step that is blocked by Ubuntu by AppArmor. In such an surroundings, xfrm-ESP Web page-Cache Write can’t be triggered. That is the place the second exploit, RxRPC Web page-Cache Write, is available in.
“RxRPC Web page-Cache Write doesn’t require the privilege to create a namespace, however the rxrpc.ko module itself will not be included in most distributions,” Kim defined. “For instance, the default construct of RHEL 10.1 doesn’t ship rxrpc.ko. Nonetheless, on Ubuntu, the rxrpc.ko module is loaded by default.”
“Chaining the 2 variants makes the blind spots cowl one another. In an surroundings the place person namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, the place person namespace creation is blocked however rxrpc.ko is constructed, the RxRPC exploit works.”
CloudLinx, in an advisory of its personal, stated the flaw resides within the “ESP-in-UDP MSG_SPLICE_PAGES no-COW quick path and is reachable by way of the XFRM person netlink interface.”
“The bug lives within the in-place decryption quick paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that aren’t privately owned by the kernel (e.g., pipe pages hooked up by way of splice(2)/sendfile(2)/MSG_SPLICE_PAGES), the obtain path decrypts immediately over these externally-backed pages, exposing or corrupting plaintext that an unprivileged course of nonetheless holds a reference to,” AlmaLinux stated.
Including to the urgency is the discharge of a working proof-of-concept (PoC) that may be exploited to achieve root in a single command. Till the patches can be found, it is suggested to blocklist esp4, esp6, and rxrpc modules so that they can’t be loaded –
sudo sh -c “printf ‘set up esp4 /bin/falseninstall esp6 /bin/falseninstall rxrpc /bin/falsen’ > /and so forth/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true”
It is value mentioning right here that Soiled Frag, regardless of sharing some overlaps with Copy Fail, might be exploited no matter whether or not the Linux kernel’s algif_aead module is enabled or not.
“Be aware that Soiled Frag might be triggered no matter whether or not the algif_aead module is offered,” the researcher stated. “In different phrases, even on programs the place the publicly recognized Copy Fail mitigation (algif_aead blacklist) is utilized, your Linux remains to be weak to Soiled Frag.”
