git404hub

what is dirtyfrag fr?

v4bel/dirtyfrag — explained in plain English

Analysis updated 2026-07-17 · repo last pushed 2026-05-10

4,883CAudience · ops devopsComplexity · 5/5MaintainedSetup · hard

tl;dr

A proof-of-concept security research project chaining two Linux kernel CVEs to demonstrate local privilege escalation from a normal user to root, for verifying whether systems are vulnerable.

vibe map

mindmap
  root((dirtyfrag))
    Inputs
      Unpatched kernel
      Network protocols
      Page cache
    Outputs
      Root privileges
      Vulnerability proof
      Mitigation steps
    Use Cases
      Verify patch effectiveness
      Confirm system vulnerability
      Security research
    Tech Stack
      C
      Linux kernel
    Audience
      Security researchers
      Penetration testers
      Sysadmins

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Test a patched Linux server to confirm the fix for CVE-2026-43284 and CVE-2026-43500 is effective.

VIBE 2

Verify whether a fleet of Ubuntu, RHEL, Fedora, CentOS, or openSUSE servers is vulnerable before patching.

VIBE 3

Apply the provided mitigation steps, like disabling the esp4, esp6, and rxrpc kernel modules, when patches can't be applied immediately.

VIBE 4

Study the deterministic logic-bug technique as a reference for understanding page-cache corruption bugs.

what's the stack?

CLinux Kernel

how it stacks up fr

v4bel/dirtyfragopenvenues/libpostalhpjansson/chafa
Stars4,8834,7954,793
LanguageCCC
Last pushed2026-05-10
MaintenanceMaintained
Setup difficultyhardhardeasy
Complexity5/54/52/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · hard time til it works · 1h+

For authorized testing only, running the exploit contaminates the page cache and requires a reboot or cache flush afterward.

License is not stated in the available content.

in plain english

Dirty Frag is a security research project that demonstrates a way for a regular, non-administrator Linux user to gain full root (administrator) privileges. It chains together two vulnerabilities in the Linux kernel, tracked as CVE-2026-43284 and CVE-2026-43500. The creator named it "Dirty Frag" because it belongs to the same family of flaws as the famous "Dirty Pipe" vulnerability, and it involves manipulating a fragment of network data inside the kernel. At a technical level, the exploit works by tricking the Linux kernel into writing data into the wrong place, specifically, into the system's page cache, which is a temporary store of file data in memory. By exploiting how the kernel handles certain network protocols (xfrm-ESP and RxRPC), an attacker can overwrite cached file contents. This is a deterministic logic bug, meaning it doesn't rely on lucky timing or race conditions. The exploit either works reliably or fails safely without crashing the system. The creator chained two separate vulnerabilities together because each one alone has blind spots on certain Linux distributions, but together they cover all major distributions. This tool is primarily useful for security researchers, penetration testers, and system administrators who need to understand and verify whether their systems are vulnerable. For example, if you manage a fleet of Linux servers and want to confirm that a patch is effective, you could test it with this proof-of-concept. The README is explicit that it should only be used on systems you are authorized to test, and it notes that running the exploit contaminates the page cache, requiring a reboot or a cache flush afterward for system stability. The vulnerabilities have existed for a long time, one since 2017 and the other since 2023, and affect major distributions including Ubuntu, RHEL, Fedora, CentOS, and openSUSE. The project provides mitigation steps if you can't immediately apply official patches: you can disable the vulnerable kernel modules (esp4, esp6, and rxrpc) and flush the page cache. The creator notes that even systems that mitigated the related "Copy Fail" vulnerability remain exposed to Dirty Frag. Official kernel patches have already been merged into the mainline Linux kernel.

prompts (copy fr)

prompt 1
Explain how dirtyfrag chains CVE-2026-43284 and CVE-2026-43500 to escalate from a normal user to root on Linux.
prompt 2
On a Linux system I'm authorized to test, walk me through running dirtyfrag safely and flushing the page cache afterward.
prompt 3
Show me how to disable the esp4, esp6, and rxrpc kernel modules as a mitigation against dirtyfrag on a server I can't patch yet.
prompt 4
Compare dirtyfrag's exploitation technique to the original Dirty Pipe vulnerability it's related to.
prompt 5
Help me verify that a kernel patch on my authorized test server actually closes the dirtyfrag vulnerability.

Frequently asked questions

what is dirtyfrag fr?

A proof-of-concept security research project chaining two Linux kernel CVEs to demonstrate local privilege escalation from a normal user to root, for verifying whether systems are vulnerable.

What language is dirtyfrag written in?

Mainly C. The stack also includes C, Linux Kernel.

Is dirtyfrag actively maintained?

Maintained — commit in last 6 months (last push 2026-05-10).

What license does dirtyfrag use?

License is not stated in the available content.

How hard is dirtyfrag to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is dirtyfrag for?

Mainly ops devops.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.