
DirtyClone Vulnerability (CVE-2026-43503) Enables Local Privilege Escalation on Linux

Bottom line: The Linux vulnerability CVE-2026-43503 enables local attackers to escalate privileges to root through memory manipulation during network packet processing, leaves no traces, and is particularly critical in container and multi-tenant environments.

Security researchers at JFrog have released a working exploit for the Linux kernel vulnerability DirtyClone, which enables local attackers to gain root access. The vulnerability (CVSS 8.8) exploits faulty zero-copy network processing to bypass memory protection flags and manipulate sensitive system files in RAM.

CVE-2026-43503 is part of the DirtyFrag family of kernel vulnerabilities and arises during internal copying of network packets: kernel helper functions lose a security flag that marks which memory areas are shared with files on disk. This allows local attackers to bypass integrity checks.

The attack flow works as follows: an attacker loads a privileged binary such as su into memory, embeds these memory pages into a network packet, and forces the kernel to clone it. When the cloned packet passes through an IPsec tunnel controlled by the attacker, the decryption step overwrites the login checks directly in RAM. Because the original file on disk remains untouched, file-integrity tools (such as AIDE or Tripwire) do not detect the change. The attack generates no log entries and is automatically reversed by a reboot.

To exploit the vulnerability, the attacker needs certain network privileges in order to configure a loopback IPsec tunnel. On Debian and Fedora, unprivileged users can grant themselves these privileges within their own user namespace. Ubuntu from version 24.04 restricts this through AppArmor and thus blocks the standard exploit path. The vulnerability is particularly critical in multi-tenant environments, CI/CD systems, container hosts, and Kubernetes clusters, since the page cache is shared at the host level and changes affect all processes on the system.

DirtyClone is the fourth documented vulnerability of this kind in a short time; predecessors include Copy Fail, DirtyFrag, and Fragnesia. The root cause lies in faulty handling of zero-copy networking in the kernel – every code path during fragment transfer must correctly propagate the security flag.

A comprehensive patch has been integrated into the Linux kernel since May 21, 2026 and is available with kernel version v7.1-rc5. Backports have already been merged into the stable LTS branches. Ubuntu, Debian, and SUSE have issued security advisories. Until the kernel update is applied, the attack surface can be reduced by two measures: disabling unprivileged user namespaces via a kernel setting, or blacklisting the modules esp4, esp6, and rxrpc where these are built as loadable modules.
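A defender-side audit of the two interim measures just described, added here as an example (it is not code from the article or from JFrog). The modprobe snippet is constructed, and the sysctl names are assumptions about which distribution-specific "kernel setting" is meant:

```shell
#!/bin/sh
# Constructed sample of a /etc/modprobe.d drop-in (not taken from the article).
SAMPLE_CONF='# constructed example
blacklist esp4
install esp6 /bin/false
# rxrpc intentionally left loadable'

# Succeed if the module is blacklisted, or its load is redirected to
# /bin/false|/bin/true (which also defeats an explicit modprobe), in CONF text.
module_blocked_in() {
  mod="$1"; conf="$2"
  printf '%s\n' "$conf" | grep -Eq \
    "^[[:space:]]*(blacklist[[:space:]]+$mod|install[[:space:]]+$mod[[:space:]]+/bin/(false|true))[[:space:]]*$"
}

# Print the subset of esp4/esp6/rxrpc that the given config still allows to load.
unblocked_modules() {
  conf="$1"; out=""
  for m in esp4 esp6 rxrpc; do
    module_blocked_in "$m" "$conf" || out="$out $m"
  done
  printf '%s' "${out# }"
}

# Interpret a sysctl value: 0 means unprivileged user namespaces are disabled.
userns_disabled() { [ "$1" = "0" ]; }

# Live audit of this host. Assumed sysctl names: kernel.unprivileged_userns_clone
# (Debian-style) and user.max_user_namespaces (mainline); adjust for your distro.
audit_live() {
  conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
  rem=$(unblocked_modules "$conf")
  [ -n "$rem" ] && echo "modules not blacklisted in modprobe.d: $rem"
  for m in esp4 esp6 rxrpc; do
    lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m" && echo "module currently loaded: $m"
  done
  v=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null \
      || sysctl -n user.max_user_namespaces 2>/dev/null)
  if userns_disabled "${v:-1}"; then echo "unprivileged user namespaces: disabled"
  else echo "unprivileged user namespaces: enabled (value '${v:-unknown}')"; fi
}

# Run the live audit only when explicitly asked, so the helpers can be sourced.
case "${1:-}" in --live) audit_live ;; esac
```

Run it as `sh audit.sh --live` on the host being checked; the helper functions can also be sourced and applied to a captured config from another machine.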


Source: www.it-daily.net · Published June 29, 2026
Lumi AI News — AI-assisted curation according to Article 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.7.2.
