Vulnerability Management

2 Linux kernel flaw PoCs published, enabling local privilege escalation

Two proof-of-concept exploits for Linux kernel vulnerabilities were recently published, both of which could lead to local privilege escalation if left unpatched.

One of the flaws, DirtyClone, tracked as CVE-2026-43503, is a variant of a class of Linux vulnerabilities known as DirtyFrag. The variant was discovered by the JFrog Security Research team, which published its PoC on Thursday. The team previously reported the flaw to the Linux kernel maintainers, who issued a patch on May 19, 2026.

DirtyFrag, and other similar flaws such as Fragnesia, abuse the cryptographic processes of networking subsystems to overwrite page-cache versions of key read-only files, like /usr/bin/su, in memory.

This is achieved by loading the targeted file into the page cache, crafting a network packet that is backed by that page cache using splice and vmsplice, and manipulating the in-place packet decryption steps of subsystems like XFRM/IPsec and RxRPC to overwrite bytes of the targeted file within the page-cache-backed packet buffer. The exploit tricks the kernel into treating the read-only page cache as a writable network buffer during decryption, according to JFrog. The attacker can control cryptographic inputs to direct predictable outputs to specific offsets, modifying the page-cache version of /usr/bin/su to achieve root privileges.

The patches for DirtyFrag and its previous variants add a metadata flag, SKBFL_SHARED_FRAG, to spliced UDP packets to mark packets that reference page-cache memory, and trigger a safe copy-on-write (COW) on these flagged packets prior to in-place decryption, JFrog explained. This prevents modifications made to these packets during decryption from also being made to their corresponding page-cache files.

DirtyClone circumvents this fix by configuring an IPsec processing tunnel with a netfilter rule that uses a TEE target to duplicate UDP packets via __pskb_copy_fclone(). JFrog found that this function does not preserve the SKBFL_SHARED_FRAG flag during cloning, allowing the DirtyFrag exploit to be performed on the cloned version.

JFrog noted that this exploit requires the local attacker to have the CAP_NET_ADMIN capability, which is needed to set up the vulnerable XFRM/IPsec configuration.

The DirtyClone exploit was confirmed to work against popular Linux distros including Debian, Ubuntu and Fedora. The flaw is fixed in Linux kernel v7.1-rc5; those who cannot immediately patch can mitigate by blocking CAP_NET_ADMIN acquisition or blacklisting the esp4, esp6 and rxrpc kernel modules to prevent in-place decryption, JFrog said.

Another local privilege escalation vulnerability, tracked as CVE-2026-46331, also had a PoC exploit published recently by GitHub user sgkdev. This exploit targets the Linux kernel's traffic control packet editing (pedit) subsystem, which contains an out-of-bounds write flaw that enables corruption of page cache memory, according to Red Hat.

The packet editing function tcf_pedit_act() uses skb_ensure_writable() to compute a safe COW range, but this range does not account for runtime header offsets added by typed keys, Red Hat stated.

"This can leave part of the target write region without a proper copy-on-write, leading to an out-of-bounds write that corrupts page cache memory. A local attacker with the ability to configure traffic control rules could exploit this to escalate privileges or crash the system," the Red Hat advisory warns.

This flaw was fixed in the Linux kernel by a commit on June 4. Where patches are not available, the issue can be mitigated by blocking the act_pedit module, according to Red Hat.
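The module-blocking mitigations attributed above to JFrog (esp4, esp6, rxrpc) and Red Hat (act_pedit) are normally applied through a modprobe.d drop-in. The POSIX shell script below is an added example, not code from SC Media, JFrog or Red Hat: it writes that drop-in, reports which of the four modules are already resident (a blacklist only affects future loads, so an already-loaded module still needs unloading or a reboot), and checks the user.max_user_namespaces sysctl on the assumption that unprivileged user namespaces are the usual route by which a local user obtains CAP_NET_ADMIN. The file path and function names are my own choices.

```shell
#!/bin/sh
# Added example, not code from the article, JFrog or Red Hat.
# Writes a modprobe.d drop-in that blocks the kernel modules named in the
# article (esp4/esp6/rxrpc for DirtyClone, act_pedit for CVE-2026-46331)
# and reports which of them are already loaded, since a blacklist only
# affects future loads. File and function names here are my own choices.
set -eu

LPE_MODULES="esp4 esp6 rxrpc act_pedit"

# write_modprobe_conf [conf_path]
# Emits, for each module, both a 'blacklist' line (stops alias-based
# autoload) and an 'install <mod> /bin/false' line (makes an explicit
# 'modprobe <mod>' fail as well). Prints the path it wrote.
write_modprobe_conf() {
  conf="${1:-/etc/modprobe.d/lpe-mitigation.conf}"
  : > "$conf"
  for m in $LPE_MODULES; do
    printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m" >> "$conf"
  done
  printf '%s\n' "$conf"
}

# loaded_lpe_modules [modules_file]
# Lists which of the blocked modules appear in a /proc/modules-style file
# (first column is the module name). Defaults to the live /proc/modules.
loaded_lpe_modules() {
  modfile="${1:-/proc/modules}"
  [ -r "$modfile" ] || return 0
  for m in $LPE_MODULES; do
    if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modfile"; then
      printf '%s\n' "$m"
    fi
  done
}

# userns_allowed [sysctl_file]
# Prints "yes" if unprivileged user namespaces are permitted (assumption:
# that is the common way an unprivileged local user obtains CAP_NET_ADMIN
# inside a namespace), "no" if user.max_user_namespaces is 0, and
# "unknown" if the sysctl file cannot be read.
userns_allowed() {
  f="${1:-/proc/sys/user/max_user_namespaces}"
  if [ ! -r "$f" ]; then printf 'unknown\n'; return 0; fi
  if [ "$(cat "$f")" = "0" ]; then printf 'no\n'; else printf 'yes\n'; fi
}

# Stand-alone use (run as root so the drop-in lands under /etc/modprobe.d):
if [ "${1:-}" = "--apply" ]; then
  conf=$(write_modprobe_conf)
  echo "wrote $conf"
  echo "already loaded (unload or reboot to enforce): $(loaded_lpe_modules | tr '\n' ' ')"
  echo "unprivileged user namespaces allowed: $(userns_allowed)"
fi
```

Run it with `--apply` as root on a host that is still on an affected kernel. Both lines per module matter: `blacklist` alone only stops alias-based autoloading, while the `install ... /bin/false` line makes an explicit `modprobe` fail too. Blocking user namespaces is a coarse control that can break containers and sandboxes that rely on them, so treat that part as a host-by-host decision rather than a blanket setting.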
