Dirty Frag: When optimizing Linux performance becomes a security nightmare
Overview
For many years, Linux has been regarded as a symbol of stability and security in the world of operating systems. From enterprise servers and cloud infrastructure to Kubernetes containers and supercomputers, Linux is present at nearly every level of the modern Internet. However, behind the powerful performance optimization mechanisms of the kernel lies a dangerous "gray area"—where even a small error in the page cache or zero-copy optimization can compromise the entire security boundary of the system. Following Dirty COW, Dirty Pipe, and Copy Fail, the security community is once again shaken by a new name: Dirty Frag. This is not just a typical Local Privilege Escalation vulnerability, but an exploit chain capable of reliably elevating a regular user to root without race conditions, without causing kernel panic, and notably, a PoC was publicly available shortly after disclosure.
This article will analyze in detail the mechanism of Dirty Frag, how the exploit chain is constructed, the underlying causes in the Linux kernel page cache, and the serious impacts this vulnerability has on the modern Linux ecosystem.
Era of Dirty
Before Dirty Frag emerged, the Linux kernel had repeatedly faced serious vulnerabilities related to memory management and the page cache. Among these, the most notable names are Dirty COW, Dirty Pipe, and Copy Fail—vulnerabilities that once shook the security community due to their almost "classic" privilege escalation capabilities on Linux.
Dirty COW
This is considered the beginning of the Dirty era. Announced in 2016 with the identifier CVE-2016-5195, Dirty COW is one of the most famous Linux vulnerabilities in history. The name "COW" comes from the kernel's Copy-On-Write mechanism—a technique that optimizes by allowing multiple processes to share memory until data changes. The flaw occurs due to a race condition in the memory management subsystem, allowing attackers to write data to read-only files (read-only mapping). As a result, regular users can modify system files, overwrite SUID binaries, and ultimately escalate to root privileges.
Dirty COW caused a stir because:
It existed silently in the kernel for nearly 9 years,
Affected almost every Linux distribution,
The exploit worked on Android as well,
Extremely easy to weaponize after the PoC was made public.
Dirty Pipe
In 2022, the Linux community faced a new "descendant" named Dirty Pipe (CVE-2022-0847). While Dirty COW exploited a race condition, Dirty Pipe is more dangerous due to its stable and much easier exploitation. The flaw lies in the pipe_buffer management mechanism of the Linux kernel. Because a flag variable is not properly initialized, an attacker can write arbitrary data to the page cache of read-only files without directly modifying the file on disk.
This allows: modifying system files, inserting SSH keys, and changing special SUID binaries that can bypass the read-only filesystem mechanism. Dirty Pipe is particularly dangerous because: it doesn't require a race condition, the exploit is deterministic, highly stable, and affects Linux kernel 5.8 and above. Many experts consider Dirty Pipe to be a "more perfect version of Dirty COW."
Copy Fail
In early 2026, Copy Fail (CVE-2026-31431) emerged as a new warning about exploiting the page cache in modern Linux. Unlike Dirty COW or Dirty Pipe, Copy Fail focuses on data copy mechanisms and zero-copy optimization in the kernel. The vulnerability allows data from userspace to be illegally overwritten onto the page cache through performance optimization pathways.
Although the Copy Fail exploit is not as stable as Dirty Pipe, it highlights a dangerous trend:
The Linux kernel increasingly relies on zero-copy paths,
Networking stack and memory subsystem have become extremely complex, and the boundaries between userspace and kernelspace are more easily breached than before.
Dirty Frag
If Dirty COW was the beginning and Dirty Pipe the improvement, then Dirty Frag is considered the "mature" stage of the page-cache corruption exploit class on Linux.
Dirty Frag inherits most of the most dangerous characteristics of its predecessors:
Overwriting the page cache,
Stable exploit,
No need for a race condition,
Extremely fast privilege escalation,
Suitable for container escape and cloud attacks.
Description of the vulnerability
CVE ID: CVE-2026-31431
CVSS v3.1 Score: 7.8 (High) - AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type: Out-of-bounds Write / Logic Error
Affected range: Most Linux kernels released from 2017 (Kernel 4.12) until April 2026. Major confirmed distributions include:
Ubuntu 24.04 LTS, 22.04 LTS
RHEL 8, 9, 10
Amazon Linux 2023
SUSE Linux Enterprise 15, 16
Exploit mechanism
DirtyFrag is not a simple buffer overflow. It results from a flawed optimization in the "in-place" design of the Linux kernel. It is also considered a trick on the operating system's memory.
To make it easier to understand, imagine your Linux system as a Library:
Files on the hard drive: These are the original books stored securely in the archive (Master Copy).
Page Cache: This is a copy of the book placed on the reading table for everyone to view (Display Copy). The operating system always prioritizes reading this copy to save time retrieving the book from the archive.
System processes (like su): These are special "instruction manuals." If you follow the instructions correctly, you gain administrative privileges (Root).
How DirtyFrag "alters the truth":
Tampering with the copy: Normally, the library monitors closely, and if you use an eraser or write over a book, they immediately notice (marking the page as "dirty"). But DirtyFrag acts like an invisible pen. The attacker exploits a cryptographic flaw to overwrite new data onto the copy on the reading table.
In terms of protection: The operating system is unaware that this copy has been altered. It still believes it is a clean copy from the archive. Security checks, when looking at the original book in the archive, still see it as intact. Activating the "fake instructions": When the attacker runs the su command, the operating system reads the "Instruction Manual" right on the table (the altered version). Instead of saying "Check the password," the manual now reads "Grant this person Root access immediately." Result: The attacker gains Root access without needing a password.
MITRE ATT&CK Mapping
| ID | Technique | Description |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Exploiting a logic flaw in the kernel for privilege escalation. |
| T1548.001 | Abuse Mechanism: Setuid and Setgid | Modify the cache of setuid binaries to execute code with root privileges. |
| T1611 | Escape to Host | Cross container boundaries due to the page cache being shared with the host. |
Expert opinion
DirtyFrag highlights the lesson of "vulnerability at the intersection." Individually, AF_ALG, splice, or authencesn function as designed. However, when combined, they create a vulnerability with absolute reliability. In our observation, this vulnerability is particularly dangerous in Cloud and Kubernetes environments. Due to the shared page cache mechanism between Host and Container, a compromised process in a Pod can modify the page cache of binaries on the Host, enabling container escape without any user misconfiguration. Compared to Dirty COW or Dirty Pipe, DirtyFrag is "cleaner," harder to detect, and much more stable.
Recommended actions
Patching the DirtyFrag vulnerability requires updating the kernel and rebooting the system for the new kernel to take effect.
Check the current version
Before updating, check the current running kernel version using the command: uname -r
Compare this version with the announcement from your vendor. If your kernel was built before April 2026, the system is almost certainly at risk.
Update for Ubuntu / Debian
For systems using apt, follow these steps:
Update the package list: sudo apt update
Update only the Kernel package and its dependencies: sudo apt install --only-upgrade linux-image-generic linux-headers-generic
Update the entire system (Recommended): sudo apt upgrade -y
Reboot (Mandatory): sudo reboot
Update for RHEL / AlmaLinux / Rocky Linux / Amazon Linux
For systems using dnf or yum:
Check for available kernel updates: sudo dnf check-update kernel
Update the kernel: sudo dnf update kernel -y
Reboot (Mandatory): sudo reboot
Update for SUSE / openSUSE
Use the package manager zypper
sudo zypper ref
sudo zypper up kernel-default
sudo reboot
Emergency Mitigation Measures (If Reboot Is Not Possible)
In case the system is running critical services and cannot be rebooted immediately, block the main attack vector by disabling the algif_aead module:
Step 1: Prevent the module from loading in the future: echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
Step 2: Remove the module from memory (if running): sudo rmmod algif_aead
Tham khảo
Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
Warning: Copy Fail, Getting Root on Major Linux Distributions, Patch Immediately! | CCB Belgium
New 'Dirty Frag' Linux Vulnerability Possibly Exploited in Attacks - SecurityWeek
