Dirty Frag is a Linux kernel vulnerability that can allow an attacker to gain administrator privileges, known as root privileges.

To exploit this vulnerability, the attacker first needs some form of access to the system, even if it's low-level. For example, it could be a regular user account, a compromised application, a vulnerable container, or a service that has already been attacked.

The problem is that if the attacker manages to become root, they can take complete control of the system. With these privileges, they could disable security tools, access passwords or credentials, modify system registries, move to other machines on the network, and maintain access for longer periods.

Where the flaw lies?

Linux stores temporary copies of some files in memory to make the system run faster. This area is known as the page cache.

Under normal circumstances, a user shouldn't be able to modify these copies without permission to change the original files. However, Dirty Frag breaks this protection.

The flaw appears in certain network and encryption-related operations. The kernel processes some data directly in memory to improve performance, but it doesn't properly check whether that memory could be safely modified. As a result, parts of the file cache that should be protected could be altered.

Linux was trying to save time by processing data directly in memory, but this optimization opened the door to modifying information that shouldn't be touched.

Relationship to Copy Fail
Before Dirty Frag, another similar vulnerability called Copy Fail, identified as CVE-2026-31431, was made public. It was disclosed on April 29, 2026. Copy Fail also allows someone with limited access to a Linux system to gain administrator privileges. In this case, the flaw is in a part of the kernel related to cryptographic functions.

The problem originated from a performance improvement introduced in 2017. The idea was to avoid unnecessary data copies to make the system faster. But this improvement could cause the kernel to modify memory areas that shouldn't be modifiable. What they have in common

Copy Fail and Dirty Frag belong to the same family of problems.
In both cases, the kernel tries to be more efficient by avoiding copying data from one place to another. The problem is that, in doing so, it can end up modifying shared or protected areas of memory.

This is especially serious because it can allow the alteration of important system files or special binaries that run with higher privileges. If exploited correctly, the attacker can end up executing code as root.
Important point

Applying a mitigation against Copy Fail does not mean that the system is protected against Dirty Frag.
They are related vulnerabilities, but they are not the same. 

Therefore, a system that has already been protected against Copy Fail may still be vulnerable to Dirty Frag.

Severity of the problem

Dirty Frag is not a direct remote vulnerability. That is, it is not enough for the computer to be connected to the Internet for someone to exploit it without further ado. 

Even so, it is still serious. If an attacker has already gained access to the system with limited privileges, this vulnerability can be used to gain administrator privileges and complete control of the machine.

Recommendations:
1. Identify all Linux systems that may be at risk, especially servers with local users, SSH access, CI/CD environments, containers, Kubernetes, shared hosting, or third-party workloads.
2. Apply kernel patches released by each vendor and restart systems when necessary.
3. Until a patch is available, block the esp4, esp6, and rxrpc modules if they are not in use.
4. Do not assume that a mitigation applied against Copy Fail also protects against Dirty Frag.
5. Verify the integrity of sensitive files and binaries with special permissions if exploitation is suspected.
6. Prioritize systems where an attacker can execute local code, even with limited permissions.