[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFTnIiTVpQMbF9vM9lZpLhtGIBAwLzaYrI-Ih1fDkRQo":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"99c066f1-9640-452e-add8-1fe07d32b3dc","New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets","new-dirtyclone-linux-kernel-flaw-lets-local-users-gain-root-via-cloned-packets-e0deea","DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family. JFrog Security Research published a working exploit walkthrough for the flaw on June 25, the first public demonstration for this variant. Tracked as CVE-2026-43503 (CVSS 8.8), it lets a local user corrupt file-backed memory through a cloned network packet and gain root. The patch landed in","A new Linux kernel vulnerability, dubbed DirtyClone (CVE-2026-43503), allows local users to escalate privileges to root. The flaw, part of the DirtyFrag family, exploits a missing safety flag when copying network packets, enabling attackers to corrupt file-backed memory and overwrite critical binaries like 'su'. JFrog Security Research demonstrated a working exploit, highlighting that the attack bypasses file integrity tools and reboots. The patch is available upstream, and distributions like Ubuntu, Debian, and Fedora are affected if not updated.","Linux kernel flaw CVE-2026-43503 allows local users to gain root via cloned network packets.","New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets. Swati Khandelwal, Jun 26, 2026. Linux \u002F Vulnerability. DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family. JFrog Security Research published a working exploit walkthrough for the flaw on June 25, the first public demonstration for this variant.
Tracked as CVE-2026-43503 (CVSS 8.8), it lets a local user corrupt file-backed memory through a cloned network packet and gain root. The patch landed in mainline on May 21; if your kernel does not have it, update now. When the kernel copies a network packet internally, two helper functions drop a safety flag that marks the packet's memory as shared with a file on disk. That missing flag is the entire vulnerability. The attacker loads a privileged binary like \u002Fusr\u002Fbin\u002Fsu into memory, wires those memory pages into a network packet, and forces the kernel to clone it. The cloned packet passes through an IPsec tunnel that the attacker controls, and the decryption step overwrites the binary's login checks with attacker-chosen bytes. The next time anyone runs su, it hands over root. The file on disk never changes. The modification lives only in the kernel's in-memory copy, so file-integrity tools miss it, the attack leaves no audit trail, and a reboot restores the original binary. The attacker already has root by the time anyone might think to check. Exploitation requires CAP_NET_ADMIN to configure the loopback IPsec tunnel. On Debian and Fedora, unprivileged user namespaces are enabled by default, so a local user can obtain that capability inside a new namespace. Ubuntu 24.04 and later restrict namespace creation via AppArmor, blocking the default exploit path. Page cache is shared at the host level, so modifications made inside a namespace affect every process on the machine. The exposed systems are multi-tenant servers, CI runners, container hosts, and Kubernetes clusters where untrusted users can create namespaces. JFrog confirmed the exploit on Debian, Ubuntu, and Fedora systems with default namespace configurations. Fourth in a Series: This is the fourth recent privilege escalation with the same failure mode: file-backed memory gets treated as packet data, then an in-place network operation writes where it should have copied.
Copy Fail (CVE-2026-31431) came first in late April, exploiting the algif_aead module for a four-byte page-cache write. DirtyFrag (CVE-2026-43284 and CVE-2026-43500) followed on May 7, chaining IPsec ESP and RxRPC paths for a full write primitive. Fragnesia (CVE-2026-46300) appeared on May 13, bypassing the DirtyFrag patch through a flag-dropping bug in skb_try_coalesce(). Each fix closed one code path and left others open. DirtyClone's demonstrated exploit centers on __pskb_copy_fclone(), with skb_shift() also affected; the broader CVE fix covers additional frag-transfer helpers where the same flag could be lost. The underlying problem is not one bad helper function. It is a contract problem: every code path that moves skb fragments has to preserve the shared-frag bit, every time. The kernel's zero-copy networking lets file-backed memory serve as packet data, and a single dropped flag anywhere in the chain turns a performance optimization into a write primitive. Each variant found a path where the contract was not honored. The original DirtyFrag researcher, Hyunwoo Kim, had submitted a broader multi-site patch covering several remaining frag-transfer helpers on May 16. The combined fix was merged on May 21 (commit 48f6a5356a33), assigned CVE-2026-43503 on May 23, and shipped in Linux v7.1-rc5 on May 24. What to Do: Install your distribution's kernel update. The fix landed upstream in v7.1-rc5 and has been backported to stable and LTS branches. Ubuntu, Debian, and SUSE have published advisories; Red Hat has a Bugzilla tracking entry. If you cannot patch today, two workarounds reduce the attack surface. Restrict unprivileged user namespaces: on Debian and Ubuntu, set kernel.unprivileged_userns_clone=0 (other distributions use different mechanisms). Alternatively, blacklist the esp4, esp6, and rxrpc kernel modules, though that breaks IPsec and AFS and only works when those features are loadable modules rather than compiled into the kernel.
Both are temporary controls, not fixes. The DirtyFrag class is probably not done. Any function that moves fragment descriptors without propagating the shared-frag flag is a potential new CVE, and auditing should cover every path that touches skb_shinfo()->flags during fragment transfer.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fnew-dirtyclone-linux-kernel-flaw-lets.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEidrcFiZh5KSQ9sYpF7Fafoy8kYny6olyD5WlY_oaAdYt0krMeOL8eNiTItqYmEmJ55wueKdZJlhIKMun7kwQR8AbbFPKTw0Nv-qJbPiaKA1n2J1rUHBV3YuRmdJHQpOTlsKctFMXoO8ogpgHC8rXls3FGamF7p7K1gxc-7dmU2va58Es1c40FV8AZFR-w\u002Fs1600\u002Fdirtyclone.jpg","2026-06-26T11:51:35+00:00","2026-06-26T14:00:37.517005+00:00",9,[18,21,24,27,29],{"name":19,"type":20},"Linux kernel","product",{"name":22,"type":23},"JFrog Security Research","vendor",{"name":25,"type":26},"IPsec","technology",{"name":28,"type":26},"user namespaces",{"name":30,"type":26},"Kubernetes","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":33,"name":34,"slug":35},null,"Vulnerabilities","vulnerabilities",[37,39],{"category":38},{"id":31,"icon":33,"name":34,"slug":35},{"category":40},{"id":41,"icon":33,"name":42,"slug":43},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[45,49,52,55,57],{"type":46,"value":47,"context":48},"cve","CVE-2026-43503","DirtyClone Linux kernel privilege escalation vulnerability",{"type":46,"value":50,"context":51},"CVE-2026-31431","Previous vulnerability in the DirtyFrag family (Copy Fail)",{"type":46,"value":53,"context":54},"CVE-2026-43284","Previous vulnerability in the DirtyFrag
family (DirtyFrag)",{"type":46,"value":56,"context":54},"CVE-2026-43500",{"type":46,"value":58,"context":59},"CVE-2026-46300","Previous vulnerability in the DirtyFrag family (Fragnesia)"]