Answer Brief
CVE-2026-43503 (CVSS 8.8) allows local users to gain root by corrupting file-backed memory through cloned network packets, exploiting a missing shared-frag flag in kernel packet handling. The flaw affects multi-tenant systems where unprivileged namespaces are enabled, including CI runners and Kubernetes clusters. A patch was merged in Linux v7.1-rc5 on May 21, 2026.
Signal Timeline
A quick visual path for analysts before reading the full brief.
1. Hyunwoo Kim submitted broader multi-site patch for frag-transfer helpers
2. Combined fix merged into Linux kernel (commit 48f6a5356a33)
3. CVE-2026-43503 assigned
4. Fix shipped in Linux v7.1-rc5
Why It Matters
DirtyClone is a critical Linux kernel vulnerability that enables local privilege escalation to root through a novel abuse of zero-copy networking and packet cloning. The flaw, tracked as CVE-2026-43503 with a CVSS score of 8.8, stems from a missing shared-frag flag during internal packet handling, which lets an attacker corrupt file-backed memory in the kernel’s page cache. The attacker clones a network packet containing a privileged binary such as /usr/bin/su and routes it through an attacker-controlled IPsec tunnel; the decryption process then overwrites the binary’s authentication checks in memory. Because the modification exists only in memory and leaves no trace on disk, traditional file-integrity monitoring and audit logs do not detect the compromise. The attack takes effect once any user runs the targeted binary, granting the attacker root access.

The vulnerability is particularly dangerous in multi-tenant environments such as CI/CD pipelines, container hosts, and Kubernetes clusters, where untrusted users may be able to create namespaces. On distributions like Debian and Fedora, unprivileged user namespaces are enabled by default, so local users can acquire the CAP_NET_ADMIN capability required to set up the loopback IPsec tunnel used in the exploit. Although Ubuntu 24.04 and later restrict namespace creation via AppArmor, the underlying flaw remains present in the kernel and could be exploited via alternative paths if namespaces are accessible. Because the page cache is shared at the host level, modifications made inside a namespace affect every process on the machine, amplifying the impact in consolidated environments.

From a defensive standpoint, the absence of on-disk changes and audit trails makes this attack stealthy and difficult to detect with conventional security tools. Rebooting the system restores the original binary, but by then the attacker has already achieved persistent root access through other means.
This highlights the need for runtime memory-integrity monitoring and stricter controls on namespace creation in shared infrastructure. The exploit also underscores the risk of using performance optimizations like zero-copy networking without sufficient validation of memory-safety contracts across all code paths.

DirtyClone is part of a broader pattern identified in the DirtyFrag family, in which each variant exposes a different code path that fails to preserve the shared-frag flag during skb fragment transfer. Earlier flaws such as Copy Fail and DirtyFrag were patched in isolation, and each fix left other paths vulnerable until a comprehensive fix was merged on May 21, 2026. That fix, committed as 48f6a5356a33, addresses multiple fragment-transfer helpers including __pskb_copy_fclone() and skb_shift(), and was backported to stable and LTS kernels. JFrog Security Research confirmed that the exploit works on default configurations of Debian, Ubuntu, and Fedora, emphasizing the importance of timely kernel updates.

Organizations should prioritize applying the latest kernel updates from their distribution’s security channels. For those unable to patch immediately, restricting unprivileged namespaces or disabling specific kernel modules (esp4, esp6, rxrpc) temporarily reduces exposure, though both come with functional trade-offs. Long-term mitigation requires auditing every kernel path that manipulates skb_shinfo()->flags during fragment transfer to ensure the shared-frag bit is consistently propagated. The discovery of DirtyClone is a reminder that complex interactions between networking, memory management, and privilege isolation can create subtle but severe vulnerabilities when interface contracts are not uniformly enforced.
Event Type: security
Importance: high
Affected Companies
- JFrog Security Research
Affected Sectors
- cloud infrastructure
- cybersecurity
- operating systems
Key Numbers
- CVSS Score: 8.8
- CVE Identifier: CVE-2026-43503
- Patch Landed in Mainline: May 21, 2026
- Public Exploit Demo: June 25, 2026
Timeline
- Hyunwoo Kim submitted broader multi-site patch for frag-transfer helpers
- Combined fix merged into Linux kernel (commit 48f6a5356a33)
- CVE-2026-43503 assigned
- Fix shipped in Linux v7.1-rc5
- JFrog Security Research published working exploit walkthrough
- The Hacker News published article on DirtyClone
Frequently Asked Questions
What is DirtyClone and how does it allow local users to gain root?
DirtyClone is a Linux kernel privilege escalation flaw (CVE-2026-43503) in the DirtyFrag family. It lets a local user with CAP_NET_ADMIN corrupt file-backed memory by cloning a network packet that lacks a shared-frag safety flag. The attacker loads a privileged binary like /usr/bin/su into memory, wires it into a packet, forces kernel cloning, and uses an IPsec tunnel they control to overwrite the binary’s login checks in-memory. The next execution of su grants root, with no changes to disk and no audit trail.
Which systems are most at risk from the DirtyClone vulnerability?
Multi-tenant servers, CI runners, container hosts, and Kubernetes clusters where untrusted users can create namespaces are most exposed. On Debian and Fedora, unprivileged user namespaces are enabled by default, allowing local users to obtain CAP_NET_ADMIN inside a new namespace. Ubuntu 24.04 and later restrict this via AppArmor, blocking the default exploit path. The attack affects all processes on the host due to shared page cache at the host level.
What mitigations are available if patching is not immediately possible?
Two temporary workarounds reduce the attack surface: restrict unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0 on Debian and Ubuntu (other distros use different mechanisms), or blacklist the esp4, esp6, and rxrpc kernel modules. However, blacklisting breaks IPsec and AFS and only works if those features are loadable modules. Both are controls, not fixes; updating to a patched kernel is required for full protection.
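As an added example (not code from the brief or from JFrog), a POSIX shell audit of the two interim controls named above: it reads the kernel.unprivileged_userns_clone sysctl and /proc/modules, and emits the modprobe.d lines for the blacklist workaround. File paths are parameters so the checks can run against constructed input; the function names are assumptions made for this example.

```shell
# Added example, not code from the brief or from JFrog: audit a host for the two
# interim controls named for CVE-2026-43503. Each check takes an optional file path
# so it can run against constructed input; defaults are the live kernel files.

# Modules the brief says to blacklist (IPsec ESP and AFS rxrpc).
DIRTYCLONE_MODULES="esp4 esp6 rxrpc"

# 0 when unprivileged user namespaces are disabled via the Debian/Ubuntu sysctl
# kernel.unprivileged_userns_clone (value 0); 1 when enabled; 2 when the sysctl is
# absent (other distributions use different mechanisms).
userns_clone_disabled() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "0" ]
}

# Prints which of the listed modules appear in a /proc/modules-style file (name is
# the first column); returns 0 when none are loaded. A module built into the kernel
# never appears here, which is why blacklisting cannot help in that case.
loaded_risky_modules() {
    f="${1:-/proc/modules}"
    found=""
    for m in $DIRTYCLONE_MODULES; do
        if awk -v m="$m" '$1 == m { hit = 1 } END { exit !hit }' "$f"; then
            found="$found $m"
        fi
    done
    found="${found# }"
    printf '%s\n' "$found"
    [ -z "$found" ]
}

# /etc/modprobe.d lines for the blacklist workaround. "install <mod> /bin/false"
# blocks explicit and automatic loading; "blacklist" alone only stops alias autoload.
modprobe_deny_config() {
    for m in $DIRTYCLONE_MODULES; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
    done
}

# Checks the live host; returns 0 only when both controls are in place, so it can
# gate a CI runner's readiness check.
dirtyclone_audit() {
    ok=0
    if userns_clone_disabled; then echo "userns: restricted"
    else echo "userns: NOT restricted (or sysctl absent)"; ok=1; fi
    mods=$(loaded_risky_modules || true)
    if [ -z "$mods" ]; then echo "modules: none of [$DIRTYCLONE_MODULES] loaded"
    else echo "modules: loaded: $mods"; ok=1; fi
    return $ok
}
```

Call dirtyclone_audit on the host to get a pass/fail status; already-loaded modules still have to be unloaded (or the host rebooted) after the modprobe.d change takes effect.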
How does DirtyClone relate to previous vulnerabilities in the DirtyFrag series?
DirtyClone is the fourth in a series of privilege escalations sharing the same root cause: failure to preserve the shared-frag flag during skb fragment transfer. Prior variants include Copy Fail (CVE-2026-31431), DirtyFrag (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300). Each exploited a different code path where the flag was dropped. The underlying issue is a contract violation: every code path moving skb fragments must propagate the shared-frag bit. The May 21 patch closed multiple remaining paths after earlier fixes left others open.