Two vulnerabilities similar to the Copy Fail vulnerability have been discovered in the Linux kernel, specifically in the xfrm-ESP and RxRPC subsystems. Known as Dirty Frag, these vulnerabilities allow unprivileged users to gain root privileges by overwriting process data in the page cache. An exploit has been developed that works on all current Linux distributions. While patches have not yet been released, there is a workaround available to mitigate the issue.
Dirty Frag encompasses two distinct vulnerabilities: one in the xfrm-ESP module, used to accelerate encryption operations in IPsec with the ESP protocol, and the other in RxRPC, which implements the AF_RXRPC socket family and the RxRPC protocol on top of UDP. Either vulnerability on its own is sufficient to obtain root privileges. The xfrm-ESP vulnerability has been present in the Linux kernel since January 2017, while the RxRPC vulnerability has been present since June 2023. Both vulnerabilities stem from optimizations that permit direct writes to the page cache.
To exploit the xfrm-ESP vulnerability, the user must have the ability to create namespaces, while exploiting the RxRPC vulnerability requires the capability to load the rxrpc.ko kernel module. Some distributions, like Ubuntu, have AppArmor rules that prevent unprivileged users from creating namespaces, but the rxrpc.ko module is still loaded by default. On the other hand, certain distributions lack the rxrpc.ko module but do not restrict the creation of namespaces. A combined exploit targeting both vulnerabilities has been developed, allowing for exploitation across major distributions.
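The two preconditions above (unprivileged namespace creation for the xfrm-ESP path, an available rxrpc module for the RxRPC path) can be turned into a quick exposure check. The following is an added example, not code from the original report; it assumes that user.max_user_namespaces, the Ubuntu AppArmor sysctl kernel.apparmor_restrict_unprivileged_userns, /proc/modules and modules.dep are reasonable proxies for those preconditions, and treats a system as exposed only where a path's preconditions are met.

```python
"""Exposure triage for the Dirty Frag preconditions (added example)."""
import platform
from dataclasses import dataclass
from typing import Optional


@dataclass
class Exposure:
    userns_allowed: bool    # xfrm-ESP path needs unprivileged namespace creation
    rxrpc_available: bool   # RxRPC path needs rxrpc.ko loaded or loadable

    def paths(self) -> list:
        """Names of the vulnerability paths whose preconditions are met."""
        out = []
        if self.userns_allowed:
            out.append("xfrm-ESP")
        if self.rxrpc_available:
            out.append("RxRPC")
        return out


def assess(proc_modules: str, max_user_namespaces: int,
           apparmor_restrict_userns: Optional[int], rxrpc_ko_on_disk: bool) -> Exposure:
    """Pure function over already-collected values, so it can be tested offline.

    proc_modules is the text of /proc/modules; max_user_namespaces is the
    user.max_user_namespaces sysctl (0 disables user namespaces entirely);
    apparmor_restrict_userns is the Ubuntu AppArmor sysctl or None where absent.
    """
    loaded = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    userns = max_user_namespaces > 0 and not apparmor_restrict_userns
    rxrpc = "rxrpc" in loaded or rxrpc_ko_on_disk
    return Exposure(userns, rxrpc)


def _read_int(path: str) -> Optional[int]:
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def assess_live() -> Exposure:
    """Collect the signals from the running Linux system and assess them."""
    with open("/proc/modules") as f:
        mods = f.read()
    max_ns = _read_int("/proc/sys/user/max_user_namespaces") or 0
    aa = _read_int("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
    dep = f"/lib/modules/{platform.release()}/modules.dep"   # lists every installed .ko
    try:
        with open(dep) as f:
            on_disk = any("/rxrpc.ko" in line for line in f)
    except OSError:
        on_disk = False
    return assess(mods, max_ns, aa, on_disk)
```

Running assess_live().paths() on a host reports which of the two paths that host currently satisfies; an empty list means neither precondition holds with the assumptions above.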
The exploit has been successfully tested on Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44, all running different kernel versions. Similar to the Copy Fail vulnerability, the issues in xfrm-ESP and RxRPC are due to optimizations that allow for direct writes to the page cache.