Industry News & Leadership, Jun 29, 2026

‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access

Security Week, archived Jun 29, 2026

A variant of DirtyFrag, the flaw allows unprivileged local users to manipulate the Linux page cache and gain root privileges.



JFrog has published technical details and a proof of concept (PoC) targeting a recent high-severity Linux kernel vulnerability that could allow any local user to gain root privileges.

Tracked as CVE-2026-43503 (CVSS score of 8.8) and referred to as DirtyClone, the local privilege escalation bug was resolved on May 24, shortly after being reported to the Linux kernel maintainers.

Now, JFrog explains that the flaw is a variant of DirtyFrag (also known as Copy Fail 2) and Fragnesia, which were addressed in mid-May. They share similarities with Dirty Pipe, a Linux kernel defect disclosed in 2022.

These memory corruption security defects affecting the Linux kernel’s core networking stack are rooted in how socket buffers (skb) reference shared page-cache memory, and can be weaponized using in-place cryptographic transformations in various subsystems.

The flaws demonstrate “a broader exploitation pattern affecting multiple skb (socket buffer) processing paths, showing that the underlying attack primitive is not limited to a single vulnerable code path”, JFrog says.

At a high level, the vulnerabilities exist because the kernel does not separate the page cache used for executables and files from packet data processed via zero-copy paths, and in-place transformations such as encryption/decryption that write back to the same buffer.

“When these three contexts intersect, the kernel may modify memory that is still semantically tied to a file, leading to corruption of file-backed data in place,” JFrog says.

According to the cybersecurity firm, while the fix for DirtyFrag sets a metadata flag for spliced UDP packets to prevent direct modification of file-backed pages, the patch for Fragnesia ensures that the flag propagates across functions.

Updating to Linux kernel version v7.1-rc5 prevents the exploitation of DirtyClone. Only kernels that contain the complete chain of fixes for the DirtyFrag vulnerability family are protected.
“Systems entirely unpatched for the original flaws (CVE-2026-43284 and CVE-2026-43500) remain broadly exposed. Additionally, any mainline, stable, or Long Term Support (LTS) kernel branch that applied the initial mitigations but lacks the subsequent follow-up patches (CVE-2026-46300 and CVE-2026-43503) remains vulnerable to specific bypasses,” JFrog explains.

Popular Linux distributions that enable unprivileged user namespaces, such as Debian, Fedora, and Ubuntu, are affected. Any local user with the CAP_NET_ADMIN capability on a server or device running an affected kernel version can gain root privileges.

This poses a high risk to multi-tenant cloud environments, Kubernetes clusters, and containerized workloads, the company says.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
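A triage sketch for the exposure conditions described above, added here as an example and not taken from JFrog or SecurityWeek: it classifies a kernel package changelog by which of the four CVE fixes it mentions and checks whether unprivileged user namespaces look enabled. It assumes a CVE id in the changelog means the fix was applied; the sample changelog, function names and result labels are constructed for illustration.

```python
import re

# CVE ids exactly as listed in the article.
ORIGINAL = {"CVE-2026-43284", "CVE-2026-43500"}   # original flaws
FOLLOW_UP = {"CVE-2026-46300", "CVE-2026-43503"}  # follow-up patches
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample: a changelog with the initial mitigations and one follow-up.
SAMPLE_CHANGELOG = """\
linux (0.0.0-example) constructed; urgency=high
  * constructed entry (CVE-2026-43284)
  * constructed entry (CVE-2026-43500)
  * constructed entry (CVE-2026-46300)
"""

def patch_state(changelog_text):
    """Assumption: a CVE id mentioned in the changelog means that fix is applied."""
    fixed = set(CVE_RE.findall(changelog_text))
    if not ORIGINAL <= fixed:
        return "unpatched"   # original flaws still present
    if not FOLLOW_UP <= fixed:
        return "partial"     # initial mitigations only, bypasses remain
    return "complete"        # full chain of fixes

def userns_open(sysctl):
    """sysctl maps names to string values; an absent key means the knob does not exist."""
    if sysctl.get("user.max_user_namespaces", "1").strip() == "0":
        return False
    if sysctl.get("kernel.unprivileged_userns_clone", "1").strip() == "0":
        return False         # Debian/Ubuntu-specific knob
    if sysctl.get("kernel.apparmor_restrict_unprivileged_userns", "0").strip() == "1":
        return False         # Ubuntu AppArmor restriction (a profile may still allow it)
    return True

def read_sysctls(names, root="/proc/sys"):
    """Read live values from /proc/sys; knobs missing on this kernel are skipped."""
    out = {}
    for name in names:
        try:
            with open(f"{root}/{name.replace('.', '/')}") as fh:
                out[name] = fh.read()
        except OSError:
            pass
    return out

def triage(changelog_text, sysctl):
    if patch_state(changelog_text) == "complete":
        return "ok"
    # With user namespaces closed, users already holding CAP_NET_ADMIN remain a risk.
    return "urgent" if userns_open(sysctl) else "patch-soon"
```

On a live host, pass the distribution's kernel changelog text and `read_sysctls([...])` with the three knob names used in `userns_open`.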