Dirty Frag Exploit: How Linux 7.0.6 Finally Patches the Vulnerability
Linux kernel 7.0.6 has arrived, and with it comes a complete fix for the Dirty Frag local privilege escalation (LPE) exploit that sent shockwaves through the open-source community. In this Q&A, we break down what Dirty Frag is, how it works, which systems are affected, and exactly how to secure your machine—whether you run Fedora, Pop!_OS, or another distribution.
What Is Dirty Frag, and Why Was It So Dangerous?
Dirty Frag is a local privilege escalation (LPE) vulnerability that allows an unprivileged attacker to gain root access on a Linux system. Discovered by security researcher Hyunwoo Kim, the flaw was inadvertently disclosed to the public before a patch was ready, catching the Linux kernel team and major distributions off guard. The vulnerability, tracked as CVE-2026-43500, carries a CVSS score of 7.8 (HIGH) on the National Vulnerability Database. It exploits a subtle memory-handling bug in the kernel’s rxrpc code path, which handles remote procedure calls. By tampering with pages in kernel memory during decryption, a local attacker can escalate privileges to root. The patch was merged by Linus Torvalds on May 10 and shipped in Linux 7.0.6 the next day, along with the 6.18.29 LTS kernel.
How Does the Dirty Frag Exploit Work?
At its core, Dirty Frag takes advantage of a memory-management oversight dating back to a 2019 kernel commit. In the rxrpc handling path, two specific packet types were not properly accounted for: those with pages fed in through the splice() system call, and those with fragment chains attached. Normally, shared memory regions are copied to a private buffer before decryption to prevent tampering—but the kernel mistakenly treated these packets as non-shared, skipping that safe copy. This left a window open for a local attacker to modify the decryption targets from userspace while the kernel was still processing them. The result: the attacker could overwrite critical data and escalate privileges to root. The fix extends the existing safety checks in two rxrpc functions to catch both of these overlooked packet types, ensuring they are copied to a private buffer before decryption—exactly as they should have been all along.
Which Kernel Versions Contain the Dirty Frag Patch?
The official patch was merged into the mainline kernel on May 10 by Linus Torvalds and is included in Linux 7.0.6 (released May 11) as well as the long-term support (LTS) kernel 6.18.29. However, some distributions moved faster. Fedora maintainer Justin Forbes announced that Fedora 43 and 44 received the fix through their 7.0.4 kernel builds, while Fedora 42 users got it with 6.19.14‑101. Pop!_OS, from System76, also released kernel updates for its LTS releases (22.04 and 24.04) that address both Dirty Frag CVEs. If you’re building from source, the 7.0.6 tarball is available at kernel.org—but manual installation is risky and recommended only for experienced users who have backed up their data.
How Can Fedora Users Update to Get the Fix?
Updating Fedora is straightforward, but the exact kernel you receive depends on your version. Fedora 43 and 44 users will get the patched 7.0.4‑100.fc43 kernel (the 7.0.5 update was skipped because 7.0.4 already included the fix). Fedora 42 users should see 6.19.14‑101. To check for and apply the update, open a terminal and run:
sudo dnf updateThis lists available updates. Confirm you see the patched kernel, then install it with:
sudo dnf upgradePress Y when prompted. After the upgrade completes, reboot your system to load the new kernel. You can verify the installed kernel version with uname -r. The update is safe and recommended for all Fedora Workstation users.
How Can Pop!_OS Users Secure Their System?
System76 has released kernel updates for Pop!_OS 22.04 and 24.04 LTS that address both Dirty Frag CVEs. For the second CVE, the esp4 and esp6 modules were patched and are safe to re-enable. However, for the rxrpc module, System76 chose to disable it entirely rather than patch it, and they are not enabling it back yet. To apply the updates, open a terminal and run:
sudo apt update && sudo apt upgradeAfter the upgrade completes, you must reboot with:
sudo rebootThis ensures the kernel is replaced with the patched version. As always, it’s a good idea to back up important data before any kernel update, even one that seems routine.
Should I Manually Install the 7.0.6 Kernel from Source?
Manually compiling and installing a kernel from the tarball at kernel.org is an option for advanced users, but it’s not recommended for most people. The process is risky—a mistake can render your system unbootable. Only attempt this if you have a full backup and know how to recover from a failed kernel install. If you’re on an Ubuntu‑based distribution (like Pop!_OS), dedicated guides exist for manual installation, but using your distribution’s package manager is far safer and easier. The official 7.0.6 release is primarily intended for kernel developers and enthusiasts who need the absolute latest code. For everyone else, waiting for your distro’s automatic update is the best course of action.
Where Can I Learn More About Dirty Frag?
For a deeper dive into the vulnerability, including the technical details of the research by Hyunwoo Kim and the complete timeline, check out our earlier Dirty Frag coverage. That article provides the full scoop on how the flaw was discovered, the disclosure process, and what it means for the future of kernel memory handling. In the meantime, ensure your system is updated to one of the patched kernels listed above—and don’t forget to reboot after the update.