The Security team has detected a vulnerability with a high severity. This document will provide a brief description of the vulnerability, a list of affected operating systems and/or software.
Overview of the Vulnerability:
A write-what-where vulnerability tracked as “DirtyFrag” (CVSS 8.8), exists in the Linux kernel’s ESP (Encapsulating Security Payload) subsystem. The flaw arises from unsafe in-place decryption of shared socket buffer (skb) fragments referencing page cache pages, which can occur when MSG_SPLICE_PAGES attaches pipe pages directly to UDP packets without marking them as shared.
A local attacker with unprivileged access can exploit this vulnerability to gain an arbitrary page cache write primitive, overwrite sensitive files in memory, and achieve full root privilege escalation. The vulnerability also affects RxRPC (used by AFS) via a related code path.
Affected Software:
- Ubuntu 20.04 – 25.10
- Linux kernel 4.11 – 7.0
Immediate Actions Required:
- Apply the latest kernel patch provided by your Linux distribution vendor to remediate this vulnerability.
- If patching is not immediately possible, disable unprivileged user namespaces as a temporary mitigation for the ESP/XFRM variant, or unload/blacklist the rxrpc kernel module to mitigate the RxRPC variant.
Further Information:
For detailed information on the vulnerability, please refer to the following sources:
