Advisory: Linux Kernel LPE - Dirty Frag

Overview

On 7 May 2026, a high-severity Linux kernel vulnerability class referred to as “Dirty Frag” was publicly disclosed. The issue affects networking-related components of the kernel, specifically within the xfrm-ESP and RxRPC subsystems, and arises from improper handling of page cache operations in certain data processing paths. Exploitation requires local access to the system.

The vulnerability enables a local unprivileged user to perform controlled modifications to the kernel page cache. By chaining multiple flawed code paths, an attacker can alter the in-memory representation of protected files, including setuid binaries, and achieve reliable local privilege escalation to root.

The issue originates from logic flaws introduced in different parts of the kernel over time, with affected code paths dating back to 2017. It impacts a wide range of Linux kernel versions across major distributions. At the time of disclosure, no official patches or CVE identifiers were available due to a broken coordinated disclosure process.

Are Sophos products affected?

The following products have been reviewed against Dirty Frag:

Related information:

• https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md