惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google Online Security Blog
Google Online Security Blog
S
Security @ Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
人人都是产品经理
人人都是产品经理
The Hacker News
The Hacker News
W
WeLiveSecurity
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
博客园 - 司徒正美
雷峰网
雷峰网
L
LINUX DO - 最新话题
博客园 - 叶小钗
云风的 BLOG
云风的 BLOG
The Last Watchdog
The Last Watchdog
V2EX - 技术
V2EX - 技术
S
Security Affairs
有赞技术团队
有赞技术团队
月光博客
月光博客
T
Threatpost
T
Tor Project blog
O
OpenAI News
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
Know Your Adversary
Know Your Adversary
Project Zero
Project Zero
博客园 - 三生石上(FineUI控件)
D
Docker
AWS News Blog
AWS News Blog
AI
AI
P
Proofpoint News Feed
K
Kaspersky official blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Securelist
F
Fortinet All Blogs
F
Full Disclosure
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
量子位
Hacker News - Newest:
Hacker News - Newest: "LLM"
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Palo Alto Networks Blog
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
美团技术团队
N
News | PayPal Newsroom
T
The Blog of Author Tim Ferriss
MyScale Blog
MyScale Blog

SANS Internet Storm Center, InfoCON: green

From a VHDX File to a Remcos RAT - SANS Internet Storm Center ISC Stormcast For Tuesday, June 16th, 2026 https://isc.sans.edu/podcastdetail/9974 Evil MSI Background: BASE64 Statistical Analysis - SANS ISC ISC Stormcast For Monday, June 15th, 2026 https://isc.sans.edu/podcastdetail/9972 ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970 ISC Stormcast For Thursday, June 11th, 2026 https://isc.sans.edu/podcastdetail/9968 How has use of framing protection security headers changed in the past 3 years? ISC Stormcast For Wednesday, June 10th, 2026 https://isc.sans.edu/podcastdetail/9966 Microsoft June 2026 Patch Tuesday - SANS Internet Storm Center ISC Stormcast For Tuesday, June 9th, 2026 https://isc.sans.edu/podcastdetail/9964 TeamPCP Supply Chain Campaign: Activity Through 2026-06-07 ISC Stormcast For Monday, June 8th, 2026 https://isc.sans.edu/podcastdetail/9962 The Evil MSI Background is Back! - SANS Internet Storm Center ISC Stormcast For Friday, June 5th, 2026 https://isc.sans.edu/podcastdetail/9960 Microsoft's Coreutils for Windows - SANS Internet Storm Center ISC Stormcast For Thursday, June 4th, 2026 https://isc.sans.edu/podcastdetail/9958 Continuing Scans for swagger.json - SANS Internet Storm Center ISC Stormcast For Wednesday, June 3rd, 2026 https://isc.sans.edu/podcastdetail/9956 New Wave Of Phishing Emails with SVG Files - SANS ISC ISC Stormcast For Tuesday, June 2nd, 2026 https://isc.sans.edu/podcastdetail/9954 ISC Stormcast For Monday, June 1st, 2026 https://isc.sans.edu/podcastdetail/9952 Unidentified RAT pushes NetSupport RAT - SANS ISC YARA-X 1.17.0 Release - SANS Internet Storm Center ISC Stormcast For Friday, May 29th, 2026 https://isc.sans.edu/podcastdetail/9950 Analysis of a Year of Files Uploaded to DShield Sensors ISC Stormcast For Thursday, May 28th, 2026 https://isc.sans.edu/podcastdetail/9948 Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs ISC Stormcast For Wednesday, May 27th, 2026 https://isc.sans.edu/podcastdetail/9946 ISC Stormcast For Tuesday, May 26th, 2026 https://isc.sans.edu/podcastdetail/9944 Possible ACR Stealer From Page Impersonating Claude Microsoft Access VBA - SANS Internet Storm Center Wireshark 4.6.6 Released - SANS Internet Storm Center An Example of Stack String in High Level Language - SANS ISC Cross-Platform NPM Stealer - SANS Internet Storm Center ISC Stormcast For Friday, May 22nd, 2026 https://isc.sans.edu/podcastdetail/9942 Selective HTTP Proxying in Linux - SANS Internet Storm Center ISC Stormcast For Thursday, May 21st, 2026 https://isc.sans.edu/podcastdetail/9940 ISC Stormcast For Wednesday, May 20th, 2026 https://isc.sans.edu/podcastdetail/9938 ISC Stormcast For Tuesday, May 19th, 2026 https://isc.sans.edu/podcastdetail/9936 TeamPCP Supply Chain Campaign: Activity Through 2026-05-17 [Guest Diary] New Malware Libraries means New Signatures ISC Stormcast For Friday, May 15th, 2026 https://isc.sans.edu/podcastdetail/9934 Simple bypass of the link preview function in Outlook Junk folder ISC Stormcast For Thursday, May 14th, 2026 https://isc.sans.edu/podcastdetail/9932 [GUEST DIARY] Tearing apart website fraud to see how it works. ISC Stormcast For Wednesday, May 13th, 2026 https://isc.sans.edu/podcastdetail/9930 Proxying the Unproxyable? Sending EXE traffic to a Proxy Microsoft May 2026 Patch Tuesday - SANS Internet Storm Center ISC Stormcast For Tuesday, May 12th, 2026 https://isc.sans.edu/podcastdetail/9928 Apple Patches Everything - SANS Internet Storm Center Why we use CAPTCHAs - SANS Internet Storm Center ISC Stormcast For Monday, May 11th, 2026 https://isc.sans.edu/podcastdetail/9926 YARA-X 1.16.0 Release - SANS Internet Storm Center ISC Stormcast For Friday, May 8th, 2026 https://isc.sans.edu/podcastdetail/9924 ISC Stormcast For Wednesday, May 6th, 2026 https://isc.sans.edu/podcastdetail/9920 Cleartext Passwords in MS Edge? In 2026? - SANS ISC SSL.com rotates their root certificate today - SANS ISC ISC Stormcast For Tuesday, May 5th, 2026 https://isc.sans.edu/podcastdetail/9918 TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03) DShield Honeypot Update - SANS Internet Storm Center ISC Stormcast For Monday, May 4th, 2026 https://isc.sans.edu/podcastdetail/9916 Wireshark 4.6.5 Released - SANS Internet Storm Center Malicious Ad for Homebrew Leads to MacSync Stealer ISC Stormcast For Friday, May 1st, 2026 https://isc.sans.edu/podcastdetail/9914 ISC Stormcast For Thursday, April 30th, 2026 https://isc.sans.edu/podcastdetail/9912 Danger of Libredtail [Guest Diary] - SANS Internet Storm Center Today's Odd Web Requests - SANS Internet Storm Center ISC Stormcast For Wednesday, April 29th, 2026 https://isc.sans.edu/podcastdetail/9910 HTTP Requests with X-Vercel-Set-Bypass-Cookie Header ISC Stormcast For Tuesday, April 28th, 2026 https://isc.sans.edu/podcastdetail/9908 TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns ISC Stormcast For Friday, April 24th, 2026 https://isc.sans.edu/podcastdetail/9906 Apple Patches Exploited Notification Flaw - SANS ISC ISC Stormcast For Thursday, April 23rd, 2026 https://isc.sans.edu/podcastdetail/9904 ISC Stormcast For Wednesday, April 22nd, 2026 https://isc.sans.edu/podcastdetail/9902 [Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident, (Wed, Apr 22nd) A .WAV With A Payload - SANS Internet Storm Center ISC Stormcast For Tuesday, April 21st, 2026 https://isc.sans.edu/podcastdetail/9900 Handling the CVE Flood With EPSS - SANS Internet Storm Center ISC Stormcast For Monday, April 20th, 2026 https://isc.sans.edu/podcastdetail/9898 ISC Stormcast For Friday, April 17th, 2026 https://isc.sans.edu/podcastdetail/9896 Lumma Stealer infection with Sectop RAT (ArechClient2) ISC Stormcast For Thursday, April 16th, 2026 https://isc.sans.edu/podcastdetail/9894 [Guest Diary] Compromised DVRs and Finding Them in the Wild ISC Stormcast For Wednesday, April 15th, 2026 https://isc.sans.edu/podcastdetail/9892 Scanning for AI Models - SANS Internet Storm Center Microsoft Patch Tuesday April 2026. - SANS ISC ISC Stormcast For Tuesday, April 14th, 2026 https://isc.sans.edu/podcastdetail/9890 Scans for EncystPHP Webshell - SANS Internet Storm Center ISC Stormcast For Monday, April 13th, 2026 https://isc.sans.edu/podcastdetail/9888 Obfuscated JavaScript or Nothing - SANS Internet Storm Center ISC Stormcast For Thursday, April 9th, 2026 https://isc.sans.edu/podcastdetail/9886 Number Usage in Passwords: Take Two - SANS ISC TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory More Honeypot Fingerprinting Scans - SANS Internet Storm Center ISC Stormcast For Wednesday, April 8th, 2026 https://isc.sans.edu/podcastdetail/9884 A Little Bit Pivoting: What Web Shells are Attackers Looking for? ISC Stormcast For Tuesday, April 7th, 2026 https://isc.sans.edu/podcastdetail/9882 How often are redirects used in phishing in 2026? - SANS ISC ISC Stormcast For Monday, April 6th, 2026 https://isc.sans.edu/podcastdetail/9880
Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag
2026-05-08 · via SANS Internet Storm Center, InfoCON: green

Less than two weeks after the public disclosure of the Copy Fail vulnerability (CVE-2026-31431), another local privilege escalation (LPE) vulnerability in the Linux kernel has been revealed. Referred to as "Dirty Frag," this vulnerability was discovered and reported by Hyunwoo Kim (@v4bel) [1]. In this diary, I will provide a brief background on Dirty Frag, and discuss its relationship to Copy Fail. I will then discuss how to mitigate Dirty Frag and outline recommended next steps for system owners.

The existence of Dirty Frag was revealed after the coordinated disclosure embargo was broken by an unrelated third party [1]. Just like Copy Fail [2], Dirty Frag allows an unprivileged local user to escalate to root on most major Linux distributions. Due to the premature disclosure of Dirty Frag, no CVE IDs were assigned [3].

Dirty Frag chains two distinct vulnerabilities:

  1. xfrm-ESP Page-Cache Write - residing in the IPsec ESP decryption fast paths (esp4, esp6)
  2. RxRPC Page-Cache Write - residing in the RxRPC module

Both sub-vulnerabilities share a common root cause: on a zero-copy send path where splice() plants a reference to a page cache page that an attacker only has read access to into the frag slot of the sender-side skb, the receiver-side kernel code performs in-place crypto on top of that frag. As a result, the page cache of files that an unprivileged user only has read access to (such as /etc/passwd or /usr/bin/su) is modified in RAM, and every subsequent read sees the modified copy [1].

While both Dirty Frag and Copy Fail belong to the same broad vulnerability class (page-cache corruption via kernel crypto in-place operations), they were discovered by different researchers and reside in different kernel subsystems. Copy Fail (CVE-2026-31431) was discovered by researchers at Theori and abuses the algif_aead module in the AF_ALG crypto interface. Dirty Frag, on the other hand, exploits the ESP and RxRPC in-place decryption fast paths directly.

With reference to Table 1, the key differences of each vulnerability are shown.

Factors Copy Fail (CVE-2026-31431) Dirty Frag
Kernel Subsystem AF_ALG / algif_aead xfrm ESP (esp4, esp6) and RxRPC
CVE Assigned Yes (CVE-2026-31431) No (embargo broken before allocation)
Controlled Bytes Written 4 bytes 4 bytes (per sub-vulnerability)
Chaining Required No (single vulnerability) Yes (two sub-vulnerabilities chained)
Discoverer Theori (Research Team) Hyunwoo Kim (@v4bel)
Public Disclosure Date 29 April 2026 7 May 2026
Table 1: Comparison of Copy Fail and Dirty Frag


An interesting factor of Dirty Frag is that chaining the two sub-vulnerabilities covers each other's blind spots. As described in the write-up, neither the xfrm-ESP Page-Cache Write nor the RxRPC Page-Cache Write alone provides a sufficiently reliable primitive for full root escalation. However, when combined, the chained exploit achieves immediate root on most distributions.

The Dirty Frag vulnerability is significant (beyond its possible utility in Capture-the-Flag challenges). Firstly, the vulnerability affects many major Linux distributions with kernels dating back to approximately 2017, similar to Copy Fail. Secondly, due to the unfortunate embargo breach, the working exploit code is publicly available. Thirdly, since no CVE identifier was assigned, any automated workflow or systems tracking vulnerabilities by CVE identifers would not be able to show Dirty Frag automatically. Finally, in the case of containerized environments, an adversary may be able to leverage Dirty Frag, override relevant binaries in the base layer and escape to host.

Currently, patched kernels and live patches are in active build and testing for several distributions [4, 5]. Until a patched kernel or live patch is installed, the following mitigations could be applied:

1. Denylist and unload vulnerable kernel modules

This is the most immediate mitigation available. The vulnerable modules (esp4, esp6, rxrpc) can be denylisted to prevent them from being loaded:

# Unload modules if currently loaded
modprobe -r esp4 esp6 rxrpc

# Denylist modules to prevent loading on boot
echo "Denylist esp4" >> /etc/modprobe.d/dirtyfrag-mitigation.conf
echo "Denylist esp6" >> /etc/modprobe.d/dirtyfrag-mitigation.conf
echo "Denylist rxrpc" >> /etc/modprobe.d/dirtyfrag-mitigation.conf

Important caveat: Denylisting esp4 and esp6 will disable IPsec ESP functionality. If your environment relies on IPsec VPN tunnels or IPsec-encrypted communication, this mitigation will cause disruption. Similarly, unloading rxrpc will affect services that depend on RxRPC (such as AFS filesystems). System administrators should assess the impact before applying this mitigation.

2. Apply live patches where available

CloudLinux KernelCare live patches are being made available for affected CloudLinux versions [4]. This allows patching without rebooting, which may be preferable for production environments where downtime windows are limited.

3. Install patched kernels from testing repositories

AlmaLinux has published patched kernels in their testing repository [5]. Once stable kernels are released for your distribution, apply them promptly and reboot.

4. Revert denylists after patching

After a patched kernel is installed and the system has been rebooted, the denylists can be removed:

rm /etc/modprobe.d/dirtyfrag-mitigation.conf

Dirty Frag joins a growing list of universal Linux LPE vulnerabilities that exploit kernel page-cache handling or memory management primitives. Notable related vulnerabilities include:

  • Dirty COW (CVE-2016-5195): Exploited a race condition in copy-on-write memory handling to modify read-only file mappings
  • Dirty Pipe (CVE-2022-0847): Exploited uninitialized flags in pipe_buffer to overwrite page cache pages of read-only files
  • Copy Fail (CVE-2026-31431): Exploited AF_ALG crypto interface to write controlled bytes into page cache

It appears that kernel optimizations which perform in-place operations on shared page-cache-backed pages without verifying exclusive ownership introduce exploitable primitives (the ability to corrupt the global page cache by tricking the kernel into treating a shared/read-only page as a private, writable buffer). This suggests that closer attention to zero-copy and in-place operation paths in the kernel are required.

As Dirty Frag does not have a CVE ID yet, defenders have to rely on distribution advisories and direct monitoring of security mailing lists rather than automated CVE-based alerting. If you have not yet addressed Copy Fail (CVE-2026-31431), now would be a good time to treat both vulnerabilities as a combined remediation effort, given their similarity and overlapping mitigation steps.

References:
[1] https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md
[2] https://xint.io/blog/copy-fail-linux-distributions
[3] https://www.openwall.com/lists/oss-security/2026/05/07/8
[4] https://blog.cloudlinux.com/dirty-frag-mitigation-and-kernel-update
[5] https://almalinux.org/blog/2026-05-07-dirty-frag/

-----------
Yee Ching Tok, Ph.D., ISC Handler
Personal Site
Mastodon
Twitter