A vulnerability was recently discovered in the Linux Kernel named "Dirty Frag", which allows for Local Privilege Escalation (LPE) to the root user. "Dirty Frag" is a similar exploit to the recent "Copy/Fail" (CVE-2026-31431) vulnerability disclosed recently, and is a continuation of a previous vulnerability named "Dirty Pipe" (CVE-2022-0847). This vulnerability is found in the Linux Kernel itself, and thus is present in multiple Linux distributions.
Impact
All servers running a kernel version after 2017 (starting around Linux version 4.14) are vulnerable to this issue. It is possible for a local user to obtain root level access to a Linux server by modifying the page cache the kernel reads when it loads a binary.As this is a new vulnerability that was only disclosed today, May 7th, 2026, statements from many upstream maintainers of various Operating Systems have not been released yet.
CloudLinux: https://blog.cloudlinux.com/dirty-frag-mitigation-and-kernel-update
AlmaLinux: https://almalinux.org/blog/2026-05-07-dirty-frag/
This currently impacts the following Operating Systems:
- CloudLinux 7 Hybrid
- AlmaLinux/Rocky Linux 8
- CloudLinux 8
- AlmaLinux/Rocky Linux 9
- CloudLinux 9
- AlmaLinux 10
- CloudLinux 10
- Ubuntu 20.04
- Ubuntu 22.04
- Ubuntu 24.04
Call to Action
At this time we are waiting for a patch to be provided by the various kernel maintainers.In the meantime, the vulnerability can be mitigated by disabling various Linux kernel modules.
- To disable the modules, run the following as root:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true" - Next, flush the kernel caches using the following command to ensure the binary page-cache is not modified:
echo 3 > /proc/sys/vm/drop_caches
