Create dirtyfrag.py #71

Open

SleepTheGod wants to merge 1 commit into V4bel:master from SleepTheGod:patch-2

Create dirtyfrag.py#71
SleepTheGod wants to merge 1 commit into
V4bel:masterfrom
SleepTheGod:patch-2

Conversation

@SleepTheGod


Dirty Frag is a Linux privilege-escalation vulnerability class chaining CVE-2026-43284 and CVE-2026-43500 to gain root privileges on major distributions. Related to Dirty Pipe and Copy Fail, it is a deterministic logic flaw with high reliability and no race condition requirement. This is a pure Python 3 port of the code from https://github.com/V4bel/dirtyfrag/; the Python code was ported by Taylor Christian Newsome.

@SleepTheGod (Author)

The Dirty Frag vulnerability class, first identified and reported by Hyunwoo Kim, enables attackers to gain root privileges on major Linux distributions by chaining two vulnerabilities: the xfrm-ESP Page-Cache Write flaw (CVE-2026-43284) and the RxRPC Page-Cache Write flaw (CVE-2026-43500). Dirty Frag extends the same bug class as Dirty Pipe and Copy Fail, but unlike race-condition exploits, it is a deterministic logic flaw that does not rely on timing windows, rarely causes kernel panics when unsuccessful, and achieves a very high success rate. The xfrm-ESP vulnerability was patched in mainline commit `f4c50a4034e6`, while the RxRPC issue was fixed in `aa54b1d27fe0`. When the research was initially disclosed on May 7, 2026, no official patches or CVEs existed because the embargo had already been broken due to external circumstances, prompting maintainers on linux-distros@vs.openwall.org to request public disclosure. The provided proof-of-concept exploit can compile and run with a single command, though it should only be used on systems authorized for testing. After exploitation, the page cache becomes contaminated, requiring either `echo 3 > /proc/sys/vm/drop_caches` or a full reboot to restore stability. The vulnerabilities affected kernels dating back as far as 2017 for xfrm-ESP and 2023 for RxRPC, creating an effective exposure window of roughly nine years across distributions such as Ubuntu, Fedora, RHEL, AlmaLinux, CentOS Stream, and openSUSE. Temporary mitigation involves blacklisting the vulnerable `esp4`, `esp6`, and `rxrpc` kernel modules, unloading them, and clearing the page cache until patched kernels are installed. The researchers chained both vulnerabilities because each compensates for the limitations of the other: xfrm-ESP requires namespace creation privileges, which some Ubuntu configurations restrict through AppArmor, while RxRPC does not require namespace privileges but depends on the `rxrpc.ko` module being loaded by default.

Together, they provide reliable privilege escalation coverage across nearly all major Linux distributions. Dirty Frag is also closely related to the earlier Copy Fail vulnerability, sharing the same sink in the xfrm-ESP variant, but remaining exploitable even when known Copy Fail mitigations, such as blacklisting `algif_aead`, are applied.
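The temporary mitigation named in the comment above (blacklist `esp4`, `esp6` and `rxrpc`, unload them, drop the page cache), written out as an added shell example that is not part of the dirtyfrag repository or of this PR. The modprobe.d file path and the `DIRTYFRAG_APPLY` switch are assumptions; the script only reports loaded modules unless that switch is set.

```shell
#!/bin/sh
# Added example, not from the dirtyfrag repo: temporary Dirty Frag mitigation
# (blacklist esp4/esp6/rxrpc, unload them, drop the page cache) until a
# patched kernel is installed. Run as root with DIRTYFRAG_APPLY=1 to apply.
set -u

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Print each vulnerable module that is currently loaded, one per line.
# Reads a /proc/modules-style file (first field is the module name).
loaded_vulnerable_modules() {
    modfile="${1:-/proc/modules}"
    for m in $DIRTYFRAG_MODULES; do
        if awk -v name="$m" '$1 == name { found = 1 } END { exit !found }' "$modfile"; then
            printf '%s\n' "$m"
        fi
    done
}

# Write a modprobe.d fragment so the modules are neither auto-loaded at boot
# nor pulled in on demand ("install ... /bin/false" also blocks explicit
# modprobe requests, which a bare "blacklist" line alone does not).
write_blacklist() {
    conf="${1:-/etc/modprobe.d/dirtyfrag-mitigation.conf}"   # assumed path
    {
        echo "# Temporary Dirty Frag mitigation (CVE-2026-43284, CVE-2026-43500)"
        for m in $DIRTYFRAG_MODULES; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$conf"
}

# Apply the full mitigation: blacklist, unload whatever is loaded, drop caches.
apply_mitigation() {
    write_blacklist
    for m in $(loaded_vulnerable_modules); do
        modprobe -r "$m" || echo "warning: could not unload $m (still in use?)" >&2
    done
    sync
    echo 3 > /proc/sys/vm/drop_caches
}

if [ "${DIRTYFRAG_APPLY:-0}" = "1" ]; then
    apply_mitigation
elif [ -r /proc/modules ]; then
    loaded_vulnerable_modules
fi
```

Without `DIRTYFRAG_APPLY=1` the script is read-only and just lists which of the three modules are loaded, which is the check to run before and after installing the patched kernel.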
