To the UCB-Security community,
This is a notice from the Information Security Office to alert you to critical vulnerabilities that impact Linux systems. Please share this alert internally with IT admins and service owners who run Linux so they are prepared to take action when patches become available.
This is a preliminary announcement. More information will follow when we have it.
SUMMARY
ISO is aware of two critical vulnerabilities that affect Linux systems. At this time, it is believed that nearly all Linux distributions and kernels are universally affected until confirmed otherwise.
The vulnerabilities, together called Dirty Frag [1], can be chained to obtain Local Privilege Escalation that allows any local user to escalate their privileges to root. Similar to its predecessors, Dirty Pipe and Copy Fail, Dirty Frag exploits the Linux kernel's page cache. The affected kernel modules are esp4 & esp6 (IPSec ESP), and rxrpc (AFS distributed filesystem).
Working exploits were published on May 7th, 2026, and currently there are no assigned CVE numbers or official security patches from Linux distributions.
IMPACT
A local logged-in user can exploit these vulnerabilities to gain root access to the system, including breaking out of a container.
WHAT IS VULNERABLE
At this time, all versions of Linux, including various distributions and kernel versions, appear to be affected until confirmed otherwise. The vulnerabilities in the affected kernel modules date back as early as 2017. We encourage admins to treat their Linux systems as vulnerable until you can verify otherwise.
Researchers have confirmed that the exploit works on various versions of the following Linux distributions (not an exhaustive list): RedHat, Debian, Ubuntu, openSUSE, Fedora, Alma, and CentOS.
Please note that if you applied mitigations or patches for the Copy Fail vulnerability [2], it does not prevent exploitation of the Dirty Frag vulnerabilities.
RECOMMENDATIONS
Due to the unavailability of official security patches at this time, we encourage system admins to explore the MITIGATION section below to see if temporary mitigation is feasible for your environment.
MITIGATION
Ensuring that local users can not log in to the system unless they are system administrators will temporarily reduce the attack surface.
Prevent the affected modules from loading by creating a file in /etc/modprobe.d containing:
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
Ensure the affected modules are not current loaded:
/sbin/rmmod esp4 esp6 rxrpc
-
NOTE: Removing esp4 and esp6 will break IPSec on systems utilizing it.
-
NOTE: Removing rxrpc will break the AFS distributed filesystem on systems utilizing it.
-
Carefully weigh the tradeoffs of disabling these kernel modules on systems that use IPSec and/or AFS.
REFERENCES
[1] https://github.com/V4bel/dirtyfrag/[2] https://security.berkeley.edu/news/cve-2026-31431-linux-kernel-local-privilege-escalation
If you have any questions about the vulnerability or would like some assistance mitigating it, please contact security@berkeley.edu