The page cache in Linux is a system memory area where frequently accessed file data is temporarily stored. <\/p>\n\n\n\n
It speeds up file operations because reading from memory is faster than reading from disk. <\/p>\n\n\n\n
However, if an attacker can manipulate the page cache incorrectly, they can sometimes modify memory in ways they shouldn\u2019t, bypassing normal permissions.<\/p>\n\n\n\n
So, the dirty Frag uses two Linux kernel bugs (xfrm-ESP Page-Cache Write<\/strong> and RxRPC Page-Cache Write<\/strong>) together and tricks the kernel\u2019s page cache to gain root access.<\/p>\n\n\n\n xfrm-ESP Page-Cache Write \u2014<\/strong>The bug exists in Linux\u2019s IPsec networking code, where it skips an important memory safety check. <\/p>\n\n\n\n This bug lets an attacker change a specific part of the kernel\u2019s memory cache, giving them control over that memory, which is a key part of how the Dirty Frag exploit works.<\/p>\n\n\n\n RxRPC Page-Cache Write \u2014<\/strong><\/p>\n\n\n\n Another part of Dirty Frag exploits a bug in the RxRPC networking subsystem.<\/p>\n\n\n\n The attacker calculates a key outside the kernel, then uses it to safely overwrite memory, making the exploit work every time. <\/p>\n\n\n\n The (xfrm-ESP Page-Cache Write<\/strong>) vulnerability affects all recent Linux versions released since 2017. Any unprivileged local user can exploit it to gain full root (administrative) control.<\/p>\n\n\n\n The xfrm-ESP Page-Cache Write vulnerability has existed since 2017, while the RxRPC Page-Cache Write vulnerability appeared in June 2023<\/p>\n\n\n\n To exploit the Dirty Frag vulnerability, an attacker needs some level of initial access to the system. This could include:<\/p>\n\n\n\n Once an attacker has this initial foothold, they can attempt to escalate privileges to root using Dirty Frag.<\/p>\n\n\n\n The following are the kernel versions where researchers successfully tested the Dirty Frag exploit:<\/p>\n\n\n\n This means that if your server is running one of these kernels, it is likely vulnerable.<\/p>\n\n\n\n Temporary workaround until the official patch is released :<\/em><\/strong><\/p>\n\n\n\n Since no official patch was available when Dirty Frag was disclosed, a temporary workaround can help reduce risk. <\/p>\n\n\n\n This involves disabling the vulnerable kernel modules (esp4, esp6, and rxrpc) and clearing the page cache to prevent potential exploits.<\/p>\n\n\n\n This may affect VPN or IPsec services. The permanent fix is to update our systems with the patched kernel once your Linux distribution releases it<\/p>\n\n\n\n You can use the following command to disable the vulnerable kernel modules and clear the page cache:<\/p>\n\n\n\n sh -c “printf ‘install esp4 \/bin\/false\\ninstall esp6 \/bin\/false\\ninstall rxrpc \/bin\/false\\n’ > \/etc\/modprobe.d\/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>\/dev\/null; echo 3 > \/proc\/sys\/vm\/drop_caches; true”<\/p>\n<\/blockquote>\n\n\n\n However, this mitigation comes with a drawback: it disables the esp4, esp6, and rxrpc kernel modules by preventing them from loading<\/p>\n\n\n\n This will break IPsec and RxRPC, which is chiefly used by the AFS distributed file system. <\/p>\n\n\n\n For most desktop systems and general-purpose servers, this has little to no practical impact. <\/p>\n\n\n\n However, organisations that rely on IPsec VPN tunnels using ESP mode should carefully evaluate the tradeoffs before applying this mitigation.<\/p>\n\n\n\n So if this is acceptable, we can mitigate this vulnerability.<\/p>\n\n\n\n Dirty Frag Mitigation on CloudLinux :<\/strong><\/p>\n\n\n\n In terms of CloudLinux, the affected versions are :<\/p>\n\n\n\n CL7h, CL8 \u2192 CloudLinux kernel<\/p>\n\n\n\n CL9, CL10 \u2192 AlmaLinux kernel used by CloudLinux<\/p>\n<\/blockquote>\n\n\n\n We can also apply the temporary workaround mentioned above until a patched kernel is applied, but as mentioned before , applying this workaround may affect VPN or IPsec services.<\/p>\n\n\n\n For a permanent fix, you have to update to the patched kernel once it\u2019s available in your CloudLinux stream.<\/p>\n\n\n\n Amazon has also acknowledged that the Linux kernel vulnerabilities related to Dirty Frag may affect systems with certain kernel modules loaded, such as esp4, esp6, ipcomp4, ipcomp6, or rxrpc.<\/p>\n\n\n\n Amazon\u2019s suggested mitigations include:<\/p>\n\n\n\n (lsmod | grep -E “esp4|esp6|ipcomp4|ipcomp6|rxrpc”).<\/p>\n<\/blockquote>\n\n\n\n 2. Disabling modules if they are not needed.<\/p>\n\n\n\n echo ‘install esp4 \/bin\/false’ >> \/etc\/modprobe.d\/cve-copyfail2.conf<\/p>\n\n\n\n echo ‘install esp6 \/bin\/false’ >> \/etc\/modprobe.d\/cve-copyfail2.conf<\/p>\n\n\n\n echo ‘install ipcomp4 \/bin\/false’ >> \/etc\/modprobe.d\/cve-copyfail2.conf<\/p>\n\n\n\n echo ‘install ipcomp6 \/bin\/false’ >> \/etc\/modprobe.d\/cve-copyfail2.conf <\/p>\n\n\n\n echo ‘install rxrpc \/bin\/false’ >> \/etc\/modprobe.d\/cve-copyfail2.conf<\/p>\n<\/blockquote>\n\n\n\n 3. Restricting creation of user namespaces (sysctl -w user.max_user_namespaces=0).<\/p>\n\n\n\n Since an official patch is not yet available, the recommended approach for now is to apply the suggested workarounds to mitigate the vulnerability. At the same time, staying aware of potential risks and promptly applying patches as soon as they are released is essential for maintaining system security.<\/p>\n\n\n\n Dirty Frag: Universal Linux LPE<\/strong> highlights the importance of strong Linux security practices. While Linux remains one of the most secure operating systems available, no platform is immune to vulnerabilities. Local privilege escalation flaws can become extremely dangerous when systems remain unpatched or poorly configured.<\/p>\n\n\n\n Organisations should focus on:<\/p>\n\n\n\n By combining proactive defence strategies with modern monitoring tools, administrators can significantly reduce the risk posed by Linux privilege escalation attacks.<\/p>\n\n\n\n Facing issues? <\/p>\n\n\n\n Our technical support![\"\"](\"https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2026\/05\/image-5.jpg\")
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n\n
\n
\n
\n
\n
<\/ol>\n\n\n\n
\n
\n
\n
engineers can solve it. <\/p>\n\n\n\n<\/a><\/span>