A new critical Linux vulnerability named Dirty Frag is causing concern among system administrators and Linux distributors. The flaw allows an attacker to gain direct root privileges from a local account on a large number of Linux systems released since 2017. However, the first patches are now available for some distributions.
This is reported by various sources, including Tom’s Hardware and AlmaLinux. Dirty Frag was made public this week after an embargo surrounding the vulnerability was lifted prematurely. According to the information released, the issue involves a flaw in the Linux kernel located in components related to IPsec ESP and rxrpc. The vulnerability is reportedly easy to exploit and affects virtually all major Linux distributions, including Ubuntu, Fedora, RHEL-based systems, Arch Linux, and AlmaLinux.
The attack is technically very similar to the previously discovered Copy Fail vulnerability. In both cases, flaws in so-called zero-copy operations within the kernel are exploited. This allows an attacker to manipulate memory data linked to sensitive system files, ultimately enabling root access.
Initially, it was reported that no patches were yet available, but AlmaLinux has since released its own updated kernels via its testing repositories. In doing so, the distribution uses an upstream fix for the ESP component made available by kernel developers. According to AlmaLinux, the severity of the vulnerability was the reason for not waiting for official updates from Red Hat or CentOS Stream.
AlmaLinux Begins Testing with Modified Kernels
The distribution reports that all supported AlmaLinux versions are vulnerable, but that modified kernels are now ready for testing. Specific kernel versions have been published for AlmaLinux 8, 9, and 10 in which the vulnerability has been fixed. After additional validation by the community, the patches should also become available in the regular production channels.
According to AlmaLinux, Dirty Frag poses a particularly high risk on systems with multiple users, such as shared servers, CI environments, container platforms, and build servers. Since public exploit code is now available, the distribution advises administrators to take immediate action.
For systems that cannot be updated immediately, a temporary mitigation remains available: disabling the kernel modules esp4, esp6, and rxrpc. These modules provide IPsec and AFS functionality and are not actively used on many standard installations. AlmaLinux does emphasize, however, that systems that depend on this functionality should switch to a patched kernel immediately.
In addition, the distribution recommends clearing the system’s page cache if there is suspicion that a system has already been compromised. This removes potentially manipulated cache pages so that files are reloaded from disk.
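As an added example (not AlmaLinux's or the kernel project's own tooling), a small POSIX shell helper that implements the two interim measures described in this and the previous paragraph: it reports which of the esp4, esp6 and rxrpc modules are loaded, writes a modprobe drop-in that refuses to load them, unloads the ones currently loaded, and drops the page cache. The drop-in path, the function names and the sample /proc/modules content are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not AlmaLinux's own tooling): check for and disable the esp4, esp6
# and rxrpc modules named in the advisory, then drop the page cache.
# The drop-in path and function names are assumptions made for this example.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Print which of the affected modules are loaded, reading a /proc/modules-style
# file (default /proc/modules); the file argument lets the check run offline.
loaded_modules() {
    procfile="${1:-/proc/modules}"
    for m in $DIRTYFRAG_MODULES; do
        # each /proc/modules line starts with the module name followed by a space
        if grep -q "^$m " "$procfile" 2>/dev/null; then
            printf '%s\n' "$m"
        fi
    done
}

# Render a modprobe drop-in. "install <mod> /bin/false" makes every load request for
# the module fail, unlike a plain "blacklist" line, which only stops alias autoloading.
render_modprobe_conf() {
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Apply the temporary mitigation (run as root): block future loads, unload what is
# loaded now, then flush the page cache so files are re-read from disk.
apply_mitigation() {
    render_modprobe_conf > /etc/modprobe.d/dirtyfrag-mitigation.conf
    for m in $(loaded_modules); do
        # fails if the module is still in use (e.g. rxrpc held by kafs); resolve that first
        modprobe -r "$m" || echo "warning: could not unload $m" >&2
    done
    sync
    echo 1 > /proc/sys/vm/drop_caches
}

# Constructed /proc/modules sample (not captured from a real host) for an offline check.
SAMPLE_PROC_MODULES=$(mktemp)
cat > "$SAMPLE_PROC_MODULES" <<'EOF'
esp4 20480 0 - Live 0x0000000000000000
xfrm_algo 16384 1 esp4, Live 0x0000000000000000
rxrpc 180224 1 kafs, Live 0x0000000000000000
EOF

loaded_modules "$SAMPLE_PROC_MODULES"   # prints esp4 and rxrpc, not esp6
```

Call `apply_mitigation` as root on a live host; the sample file only exercises the detection logic without touching the running kernel.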
The vulnerability was discovered by researcher Hyunwoo Kim, who was also involved in the disclosure of Copy Fail. According to AlmaLinux, the responsible disclosure was disrupted because a third party prematurely broke the embargo. As a result, details and exploit code became available before distributions could jointly prepare security updates.