Linux DirtyClone CVE-2026-43503: working LPE PoC from JFrog
JFrog published a full local-root exploit for the DirtyFrag-family kernel flaw CVE-2026-43503 on June 25. Patched in v7.1-rc5. Container hosts are the priority.
JFrog Security Research published a working proof-of-concept exploit on June 25, 2026 for CVE-2026-43503 — a high-severity local privilege escalation in the Linux kernel networking stack, dubbed DirtyClone. It is the latest variant in the DirtyFrag family of socket-buffer fragment bugs that started with CVE-2026-43284 and CVE-2026-43500. The fix landed in mainline on May 21, 2026 and shipped in Linux v7.1-rc5 (May 24). NVD rates the flaw CVSS 8.8.
If you run multi-tenant Linux hosts, Kubernetes nodes, or anything with unprivileged user namespaces enabled, treat this as a kernel-patch fire drill, not a low-priority LPE.
The bug
DirtyClone is a re-emergence of the DirtyFrag class. When the kernel internally clones a network packet, two helper functions in the skb path — __pskb_copy_fclone() and skb_shift() — drop the SKBFL_SHARED_FRAG safety flag that marks the packet's memory as referencing the file-backed page cache. That missing flag is the entire bug. The original DirtyFrag mitigation introduced SKBFL_SHARED_FRAG specifically to prevent the kernel from later treating those shared fragments as private and writable; CVE-2026-43503 reopens the door.
JFrog's PoC weaponises this in the usual way for the family: load a privileged binary (/usr/bin/su is the canonical target) into memory, wire its mapped pages into a network packet's fragment array, and force the kernel to clone the packet. The cloned packet then traverses an IPsec tunnel the attacker controls; the decrypt step lands attacker-chosen bytes over the binary's login checks on disk-backed memory. Run su, get root.
What turns the kernel logic bug into a usable exploit is CAP_NET_ADMIN — frequently obtainable on default-config distributions through unprivileged user namespaces. Cloud, multi-tenant, Kubernetes, and container deployments where user namespaces are enabled are the highest-risk shape.
Affected versions and patch status
Per JFrog and the corroborating Hacker News writeup, any kernel that does not carry the full DirtyFrag chain — original mitigations plus the CVE-2026-43503 follow-up — remains exposed. The fix is in:
- Linux mainline as of May 21, 2026; first fixed tag v7.1-rc5 (May 24, 2026).
- openSUSE Leap 15.6 and SUSE Linux Enterprise — backports shipped.
- Debian — covered in the kernel security advisories that follow Debian's normal LTS / stable cadence.
- Ubuntu — 24.04+ benefits from AppArmor namespace restrictions, but is still listed as affected and requires the kernel update.
Distributions that left unprivileged user namespaces enabled (Debian and Fedora defaults) and never enforced kernel.unprivileged_userns_clone = 0 carry the largest exposed surface. Verify your running kernel with uname -r against your distro's CVE tracker; a patched package on disk is not a patched kernel until you reboot.
Exploitation status
No remote vector. The attacker needs local code execution — a shell, a foothold from another bug, or a tenant on a shared kernel. From there the chain takes them to root, and on container hosts, out of the container.
JFrog's June 25 post is the first public, fully-working PoC for this variant. No CISA KEV listing as of this writing, and no public attribution of in-the-wild use. Historically the DirtyFrag family has been weaponised inside weeks of public PoC publication — the original Dirty Pipe and Dirty COW lineage compressed that window to days.
Action checklist
- Inventory kernels by uname -r, not package version. A host whose kernel package was updated but never rebooted is still vulnerable.
- Patch and reboot multi-tenant nodes first — Kubernetes worker nodes, CI build farms, shared developer servers, anything where a low-privilege foothold is plausible.
- Disable unprivileged user namespaces where you don't need them: sysctl -w kernel.unprivileged_userns_clone=0 on Debian/Ubuntu, or user.max_user_namespaces=0 per namespace. Stopgap only — the patch is the real fix.
- Tighten CAP_NET_ADMIN distribution. Audit container security profiles (Pod Security Standards, seccomp, AppArmor) for workloads that grant NET_ADMIN without reason.
- For container platforms, confirm the host kernel under your nodes is patched. A patched container image does not protect a vulnerable host kernel — the kernel is shared.
- Hunt for the setup phase in audit logs: unexpected unshare(CLONE_NEWUSER | CLONE_NEWNET) calls from non-root processes, sudden IPsec/XFRM configuration changes from user code, and su invocations from service accounts that have no business running them.
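The audit-log hunt from the last item, as an added example that is not JFrog's code or part of the original post. It assumes auditd is recording unshare() on x86_64 (for instance with the rule -a always,exit -F arch=b64 -S unshare -k userns) and runs over constructed sample records, flagging any non-root process that creates a user or network namespace.

```python
import re

# Constructed auditd SYSCALL records for this example (not real logs).
# Record 1: non-root unshare(CLONE_NEWUSER|CLONE_NEWNET); record 2: root container runtime;
# record 3: non-root unshare(CLONE_NEWUSER); record 4: an execve, not unshare.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1782768000.101:201): arch=c000003e syscall=272 success=yes exit=0 a0=50000000 a1=0 a2=0 a3=0 ppid=4101 pid=4102 auid=1000 uid=1000 gid=1000 euid=1000 comm="unshare" exe="/usr/bin/unshare" key="userns"
type=SYSCALL msg=audit(1782768001.202:202): arch=c000003e syscall=272 success=yes exit=0 a0=40000000 a1=0 a2=0 a3=0 ppid=1 pid=987 auid=4294967295 uid=0 gid=0 euid=0 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" key="userns"
type=SYSCALL msg=audit(1782768002.303:203): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 ppid=5000 pid=5001 auid=1001 uid=1001 gid=1001 euid=1001 comm="python3" exe="/usr/bin/python3" key="userns"
type=SYSCALL msg=audit(1782768003.404:204): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd1 a1=7ffd2 a2=7ffd3 a3=0 ppid=4102 pid=4103 auid=1000 uid=1000 gid=1000 euid=1000 comm="su" exe="/usr/bin/su" key="exec"
"""

CLONE_NEWUSER = 0x10000000   # clone/unshare flag values from <linux/sched.h>
CLONE_NEWNET = 0x40000000
UNSHARE_X86_64 = 272         # unshare() syscall number when arch=c000003e (x86_64)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one auditd record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def suspicious_unshare(rec):
    """Return a reason string when a non-root process calls unshare() with
    CLONE_NEWUSER and/or CLONE_NEWNET (the setup step for gaining CAP_NET_ADMIN
    in a fresh namespace); return None for anything else."""
    if rec.get("arch") != "c000003e" or int(rec.get("syscall", -1)) != UNSHARE_X86_64:
        return None
    if rec.get("uid") == "0":
        return None  # root already holds CAP_NET_ADMIN; container runtimes do this routinely
    flags = int(rec.get("a0", "0"), 16)  # a0 is the unshare() flags argument, in hex
    hit = [name for name, bit in (("CLONE_NEWUSER", CLONE_NEWUSER),
                                  ("CLONE_NEWNET", CLONE_NEWNET)) if flags & bit]
    if not hit:
        return None
    return f"pid={rec['pid']} uid={rec['uid']} comm={rec['comm']} unshare({'|'.join(hit)})"

def hunt(text):
    """Run the check over a block of audit records and return the flagged reasons."""
    records = (parse_record(l) for l in text.splitlines() if l.strip())
    return [r for r in map(suspicious_unshare, records) if r]

if __name__ == "__main__":
    for reason in hunt(SAMPLE_AUDIT):
        print("suspicious:", reason)
```

Pair the hits with the XFRM/IPsec and su checks the item names: an unprivileged unshare followed by netlink XFRM configuration from the same pid is the shape to escalate on.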
Context
This is the fourth public CVE in the DirtyFrag family (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300, now CVE-2026-43503), each one a narrow logic gap in how the skb fragment-sharing flags propagate through copy and shift paths. The class is the natural successor to Dirty Pipe — same primitive (overwrite of file-backed page cache from an unprivileged user), different plumbing.
The structural lesson, again: unprivileged user namespaces plus a network-stack code path that takes user input is the kernel's most weaponisable surface in 2026. Fleets that turned off unprivileged_userns_clone years ago, and never turned it back on, paid down most of this risk before it materialised. See our coverage of CVE-2026-23111, the nf_tables UAF that Exodus dropped a full chain for earlier this month, for the same shape from a different subsystem.
JFrog's writeup is the primary source; the research blog post and the team's X announcement are the canonical references until upstream advisories catch up.