[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fi00KjB57VaQXLc9NPCxcQ5La5-PyjO1atbwIzoauyOM":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"59b88109-956d-4e56-a62d-b48c2805f117","‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access","dirtyclone-linux-kernel-vulnerability-leads-to-root-access-c78a28","A variant of DirtyFrag, the flaw allows unprivileged local users to manipulate the Linux page cache and gain root privileges. The post ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access appeared first on SecurityWeek.","A new Linux kernel vulnerability, dubbed DirtyClone (CVE-2026-43503), allows unprivileged local users to gain root privileges by manipulating the page cache. This flaw is a variant of previously disclosed vulnerabilities like DirtyFrag and Fragnesia, sharing similarities with Dirty Pipe. The vulnerability arises from the kernel's handling of shared page-cache memory and packet data, particularly when zero-copy paths and in-place transformations like encryption are involved. While patches exist, incomplete application of fixes across different kernel branches leaves systems vulnerable.","Linux kernel vulnerability CVE-2026-43503 allows local users to gain root privileges.","JFrog has published technical details and a proof of concept (PoC) targeting a recent high-severity Linux kernel vulnerability that could allow any local user to gain root privileges. Tracked as CVE-2026-43503 (CVSS score of 8.8) and referred to as DirtyClone, the local privilege escalation bug was resolved on May 24, shortly after being reported to the Linux kernel maintainers. Now, JFrog explains that the flaw is a variant of DirtyFrag (also known as Copy Fail 2) and Fragnesia, which were addressed in mid-May. They share similarities with Dirty Pipe, a Linux kernel defect disclosed in 2022. These memory corruption security defects affecting the Linux kernel’s core networking stack are rooted in how socket buffers (skb) reference shared page-cache memory, and can be weaponized using in-place cryptographic transformations in various subsystems. The flaws demonstrate “a broader exploitation pattern affecting multiple skb (socket buffer) processing paths, showing that the underlying attack primitive is not limited to a single vulnerable code path”, JFrog says. At a high level, the vulnerabilities exist because the kernel does not separate the page cache used for executables and files from packet data processed via zero-copy paths, and in-place transformations such as encryption\u002Fdecryption that write back to the same buffer.Advertisement. Scroll to continue reading. “When these three contexts intersect, the kernel may modify memory that is still semantically tied to a file, leading to corruption of file-backed data in place,” JFrog says. According to the cybersecurity firm, while the fix for DirtyFrag sets a metadata flag for spliced UDP packets to prevent direct modification of file-backed pages, the patch for Fragnesia ensures that the flag propagates across functions. Updating to Linux kernel version v7.1-rc5 prevents the exploitation of DirtyClone. Only kernels that contain the complete chain of fixes for the DirtyFrag vulnerability family are protected. “Systems entirely unpatched for the original flaws (CVE-2026-43284 and CVE-2026-43500) remain broadly exposed. Additionally, any mainline, stable, or Long Term Support (LTS) kernel branch that applied the initial mitigations but lacks the subsequent follow-up patches (CVE-2026-46300 and CVE-2026-43503) remains vulnerable to specific bypasses,” JFrog explains. Popular Linux distributions that enable unprivileged user namespaces, such as Debian, Fedora, and Ubuntu, are affected. Any local user with the CAP_NET_ADMIN capability on a server or device running an affected kernel version can gain root privileges. This poses a high risk to multi-tenant cloud environments, Kubernetes clusters, and containerized workloads, the company says. Related: Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel Attacks Related: Organizations Warned of Exploited Linux Kernel Vulnerability Related: 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access Related: PoC Released for DirtyDecrypt Linux Kernel Vulnerability Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Linux Foundation Unveils New Open Source Security Project AkritesRussian APT Deploys ‘StockStay’ Backdoor Against Ukrainian TargetsRunlayer Raises $30 Million in Series A FundingGitLab Patches Code Execution, Information Disclosure Vulnerabilities25-Year-Old Vulnerability Patched in CurlNIST Opens Updated IoT Security Guidance to Public ReviewChrome 149 Update Resolves 18 Severe VulnerabilitiesCritical Ubiquiti Vulnerabilities in Attackers’ Crosshairs Latest News OpenAI and Anthropic Limit New AI Models to Trump-Approved Customers During Cybersecurity ReviewUS Offers $10 Million Bounty for Russian State Hackers as Messaging App Attacks EvolveOpenAI Unveils GPT-5.6 Sol as Its Most Advanced Cybersecurity AIChinese Framework Powers 200,000 Scam SitesAmazon Q Flaw Enabled Cloud Credential Theft via Malicious RepositoriesMore Klue Breach Victims Identified as Hackers Get HackedIn Other News: Chinese Mythos-Like AI, Tata Electronics Breach, Snyk LayoffsNebulock Raises $25 Million for AI-Native Contextual Security Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveMark Carter has been appointed Chief Information Security Officer at Socure.Spektrum Labs has named Mark Cravotta Chief Operating Officer.Philip Martin has joined Uber as Chief Information Security Officer.More People On The MoveExpert Insights When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told the Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email","https:\u002F\u002Fwww.securityweek.com\u002Fdirtyclone-linux-kernel-vulnerability-leads-to-root-access\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FLinux-vulnerability-malware.jpeg","2026-06-29T11:20:13+00:00","2026-06-29T12:00:05.298333+00:00",9,[18,21,24,27,29],{"name":19,"type":20},"Linux kernel","product",{"name":22,"type":23},"JFrog","vendor",{"name":25,"type":26},"page cache","technology",{"name":28,"type":26},"socket buffers",{"name":30,"type":26},"zero-copy","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":33,"name":34,"slug":35},null,"Vulnerabilities","vulnerabilities",[37,39],{"category":38},{"id":31,"icon":33,"name":34,"slug":35},{"category":40},{"id":41,"icon":33,"name":42,"slug":43},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[45,49,52,54],{"type":46,"value":47,"context":48},"cve","CVE-2026-43503","DirtyClone Linux kernel vulnerability",{"type":46,"value":50,"context":51},"CVE-2026-43284","Original DirtyFrag vulnerability",{"type":46,"value":53,"context":51},"CVE-2026-43500",{"type":46,"value":55,"context":56},"CVE-2026-46300","Follow-up patch for DirtyFrag family"]