DirtyClone: The Linux Flaw That Silently Grants Root Access
On June 25, 2026, researchers at JFrog Security Research published the first working exploit for DirtyClone (CVE-2026-43503), a local Linux privilege escalation vulnerability. Any unprivileged local user can become root on Debian, Ubuntu, or Fedora by manipulating the Linux kernel page cache. The attack is silent and leaves nothing on disk. Here is what we know.
A closer look at CVE-2026-43503, also known as DirtyClone
DirtyClone is not an isolated flaw. It is the latest variant in the DirtyFrag family, a series of Linux kernel vulnerabilities that all share a common trait: memory backed by a file on disk (the page cache) ends up being treated like a writable network buffer. I have already covered the previous flaws, with the Dirty Frag vulnerability and then the bypass dubbed Fragnesia (CVE-2026-46300).
The attack scenario described by JFrog comes down to a few steps. Here is how an attacker could exploit the DirtyClone flaw.
When the kernel internally copies a network packet, some functions forget to carry over a small security flag, specifically the one that indicates the packet memory is actually shared with a file on disk. That missing flag is the opening the attack relies on.
The attacker then maps a privileged binary such as /usr/bin/su into memory, points the network packet at those memory pages, and forces the kernel to clone it. The cloned packet travels through an IPsec tunnel fully controlled by the attacker (because they set it up on the local loopback interface), and the decryption step rewrites the binary's authentication checks with attacker-chosen bytes. That change alone is enough to achieve privilege escalation: the next time /usr/bin/su is launched, it opens a root session.
The locally configured IPsec tunnel is a mandatory condition for this flaw to be exploitable. However, setting up that local IPsec tunnel requires the CAP_NET_ADMIN capability. Exploitation therefore depends on the system configuration (we will come back to that later).
"The TEE is essential: it duplicates outgoing packets within the kernel. Internally, this triggers the nf_dup_ipv4 function, which causes the SKB to be cloned via the __pskb_copy_fclone() function," the researchers explain.
It is important to note that the SKBFL_SHARED_FRAG flag was introduced by the DirtyFrag fix released in May 2026. The problem, and what makes DirtyClone exploitable, is that the flag can be "lost" as packet fragment handling functions process the packet. Fragnesia exploited its disappearance during a merge operation, while DirtyClone does the same during cloning.
The researchers at JFrog rightly highlight the links between these three vulnerabilities.

The DirtyClone attack leaves no obvious trace. In fact, the file on disk does not change by a single byte. The modification is only visible in the kernel's in-memory copy: file integrity tools see nothing, the attack leaves no logs, and a simple reboot restores the original binary. By then, the attacker will already have been root for a long time.
Debian, Ubuntu, Fedora affected: who needs to patch, and how
According to JFrog, the attack has been confirmed on distributions where unprivileged user namespaces are enabled. This would impact, at a minimum:
- Debian and Fedora: vulnerable in their default configuration,
- Ubuntu 24.04 and later: partially mitigated through AppArmor restrictions on namespaces, but still considered affected,
- Cloud environments and containers: Kubernetes clusters, multi-tenant hosting, and containerized resources are among the most exposed targets, as soon as a local user can obtain the CAP_NET_ADMIN capability (often accessible through user namespaces).
This is a good opportunity to point you to our article about the main security risks related to Docker containers.
What must also be understood is that a system is fully protected only once the entire DirtyFrag patch chain has been applied (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300, and then CVE-2026-43503). A kernel that has only received the first patches remains vulnerable to this new bypass.
The best approach is to update the Linux kernel to a patched version or apply the backported fix provided by the distribution. Note that the fix was first introduced in version v7.1-rc5, released on May 24, 2026. You can check the kernel version with uname -r and compare it with the fixed version published by your distribution.
If that is not possible, here are the recommendations from JFrog's researchers to protect Linux machines:
- Block CAP_NET_ADMIN by setting kernel.unprivileged_userns_clone=0,
- Blacklist the esp4, esp6, and rxrpc modules if IPsec is not used.
Looking at Debian, the security fix for CVE-2026-43503 was introduced in version 6.12.94-1, published in the Debian 13 Trixie security updates repository.
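To turn the version check and the two JFrog recommendations above into something you can run on a fleet, here is an added POSIX shell audit script (my own example, not JFrog's tooling or the distribution's). It assumes you pass in the fixed kernel version your distribution published (6.12.94 for Debian 13, as noted above), that kernel.unprivileged_userns_clone is the sysctl in use (the Debian knob named in the advisory), and that module blacklists live in /etc/modprobe.d/*.conf.

```shell
#!/bin/sh
# Constructed hardening check for the DirtyClone (CVE-2026-43503) mitigations
# listed above: patched kernel, unprivileged user namespaces off, IPsec modules
# blacklisted. Not JFrog's tooling; the fixed version is passed in by the caller.

# Returns 0 if dotted version $1 >= $2; a "-1" Debian revision or "+deb13-amd64"
# suffix (as in uname -r) is stripped before the numeric comparison.
kver_ge() {
    a=$(printf '%s' "$1" | sed 's/[-+].*//')
    b=$(printf '%s' "$2" | sed 's/[-+].*//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # all components equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Returns 0 if module $1 is blacklisted (or stubbed via "install") in the
# modprobe configuration text read from stdin; commented-out lines do not count.
module_blacklisted() {
    grep -Eq "^[[:space:]]*(blacklist|install)[[:space:]]+$1([[:space:]]|$)"
}

# Live audit: 0 if every mitigation is in place, 1 otherwise. $1 is the fixed
# kernel version your distribution published (6.12.94 for Debian 13 above).
# kernel.unprivileged_userns_clone is the Debian sysctl named in the advisory.
dirtyclone_audit() {
    ok=0; run=$(uname -r)
    if kver_ge "$run" "$1"; then echo "kernel $run: patched (>= $1)"
    else echo "kernel $run: NOT patched, apply the full DirtyFrag patch chain"; ok=1; fi
    if [ "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" = "0" ]; then
        echo "unprivileged user namespaces: disabled"
    else echo "unprivileged user namespaces: enabled (CAP_NET_ADMIN reachable)"; ok=1; fi
    for m in esp4 esp6 rxrpc; do
        if cat /etc/modprobe.d/*.conf 2>/dev/null | module_blacklisted "$m"; then
            echo "module $m: blacklisted"
        else echo "module $m: loadable, blacklist it if IPsec is unused"; ok=1; fi
    done
    return $ok
}

# Usage: sh dirtyclone_check.sh --audit 6.12.94
case "${1:-}" in --audit) dirtyclone_audit "${2:?fixed kernel version}" ;; esac
```

A non-zero exit means at least one mitigation is missing; the kernel check alone is not sufficient, since the whole DirtyFrag patch chain must be present, so compare against the version your distribution published for CVE-2026-43503 specifically.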

As of today, no active exploitation in the wild has been spotted for DirtyClone, and JFrog says it has kept its full exploit code private. Still, be careful, because the details and demonstration shown in the researchers' published report provide plenty of information that an attacker could use to try to reproduce the attack.