YYaaa News

DirtyClone (CVE-2026-43503): Linux local root with no log trail, by overwriting /usr/bin/su

TL;DR

Linux kernel DirtyClone (CVE-2026-43503) lets any local user root the box via XFRM/IPsec packet cloning. No log trail. Patched in 7.1-rc5 — update now.

JFrog Security Research disclosed CVE-2026-43503 (DirtyClone) on June 26 — a CVSS 8.8 Linux kernel hole that lets any local user escalate to root on Debian, Ubuntu and Fedora, without leaving a single line in dmesg or audit. JFrog and Hyunwoo Kim independently reported it (May 16/19); the fix landed in mainline on May 21 (commit 48f6a5356a33), first shipping in Linux v7.1-rc5.

Root cause: __pskb_copy_fclone() drops the SKBFL_SHARED_FRAG flag when cloning packets. That flag — added by the previous DirtyFrag fix — was the only thing telling IPsec to copy-on-write when a buffer points at file-backed memory. With it gone, esp_input decrypts in place, treating page-cache file data as packet data on the same physical page.

The exploit is trivial. The attacker controls the IPsec IV and key, which translates into control over the bytes written into the page cache. Target /usr/bin/su, patch a few instructions, and any local user becomes root. No oops, no kallsyms read, no kptr_restrict bypass: the entire chain rides legitimate network packet flows.

The entry bar is low too: only CAP_NET_ADMIN is needed, and unprivileged user namespaces hand that to any local user. Debian and Fedora are vulnerable out of the box; Ubuntu 24.04+ is only partially mitigated by AppArmor.

This is the fifth member of the «Dirty» family (DirtyCow → DirtyPipe → DirtyCred → DirtyFrag → DirtyClone), all of which exploit page-cache memory shared between user data and a kernel subsystem.

Action: bump to kernel ≥7.1-rc5, or set kernel.unprivileged_userns_clone=0, or blacklist esp4 esp6 rxrpc if you don't use IPsec. A public PoC is likely within months — the diff makes the exploit easy to reconstruct.
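
The two non-patch mitigations above can be checked on a host with a short script. This is an added example, not code from JFrog or from this article; the function names and default paths are assumptions, and it does not check the kernel version.

```shell
#!/bin/sh
# Added example (not from the article): audit the two non-patch mitigations.
# File paths are parameters so each check can run against constructed samples.

# Exit 0 if unprivileged user namespaces look enabled (the route to CAP_NET_ADMIN).
# $1: sysctl file; the default is the knob named in the article.
userns_enabled() {
    knob=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    # Knob missing: the mitigation cannot be confirmed, so report "enabled".
    [ -r "$knob" ] || return 0
    [ "$(cat "$knob")" != "0" ]
}

# Print which of esp4/esp6/rxrpc are loaded, sorted and space-separated.
# $1: file in /proc/modules format.
loaded_modules() {
    awk '$1 ~ /^(esp4|esp6|rxrpc)$/ { print $1 }' "${1:-/proc/modules}" |
        sort | xargs
}

# Print which of esp4/esp6/rxrpc have no active "blacklist <name>" line.
# Commented-out lines do not count. $1: directory of modprobe .conf files.
not_blacklisted() {
    dir=${1:-/etc/modprobe.d}
    for m in esp4 esp6 rxrpc; do
        grep -qsE "^[[:space:]]*blacklist[[:space:]]+$m([[:space:]]|\$)" \
            "$dir"/*.conf || printf '%s ' "$m"
    done | sed 's/ $//'
}

# Summarise all three checks; empty arguments fall back to the live paths.
audit() {
    if userns_enabled "$1"; then
        echo "userns: enabled"
    else
        echo "userns: disabled"
    fi
    echo "loaded: $(loaded_modules "$2")"
    echo "not blacklisted: $(not_blacklisted "$3")"
}

# Audit the live host only when invoked with --live.
if [ "${1:-}" = "--live" ]; then audit; fi
```

An empty "loaded" line and an empty "not blacklisted" line, together with "userns: disabled", mean both workarounds from the Action paragraph are in place.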

via JFrog Research / The Hacker News
Linux kernel DirtyClone blows up | Local privilege escalation that leaves no logs, rewriting /usr/bin/su directly to get root