OSG-SEC-2026-06-26 Critical vulnerability in the Linux kernel (DirtyClone) could allow a local user to gain full administrative (root) access
Dear OSG Security Contacts,
A critical vulnerability in the Linux kernel ("DirtyClone" CVE-2026-43503) could allow a local user to gain full administrative (root) access to affected systems. This is a variant of the DirtyFrag vulnerability that utilizes a different packet processing path. It is critical that the mitigations described below are applied immediately to prevent unauthorized root access by local unprivileged users. [1]
WHAT ARE THE VULNERABILITIES:
A vulnerability in the Linux kernel's networking subsystem has been resolved by ensuring the SKBFL_SHARED_FRAG flag is correctly preserved when shared packet fragments are transferred between socket buffers (SKBs). Without this fix, the flag may not be preserved under certain conditions, which can cause the kernel to incorrectly treat shared memory pages as private. As a result, kernel components that perform in-place modifications, such as the ESP (Encapsulating Security Payload) input path, may modify shared or page cache-backed memory without first creating a private copy.
IMPACTED VERSIONS:
This vulnerability affects a wide range of modern Linux distributions running impacted kernel versions and configurations.
Affected distributions: The vulnerability has been confirmed on popular Linux distributions that enable unprivileged user namespaces by default, including RHEL, Debian, Ubuntu, and Fedora.
Affected kernels: Systems remain vulnerable if they are missing the complete set of patches addressing the DirtyFrag vulnerability family. Kernels that have not been updated for the original vulnerabilities (CVE-2026-43284 and CVE-2026-43500) are broadly exposed. In addition, mainline, stable, and Long Term Support (LTS) kernel branches that include the initial mitigations but do not incorporate the follow-up fixes (CVE-2026-46300 and CVE-2026-43503) may still be susceptible to known bypass techniques. Full protection requires installation of the entire patch series.
Who is at risk: Exploitation is possible by a local user on a system running a vulnerable kernel who possesses or can obtain the CAP_NET_ADMIN capability, which is often achievable through unprivileged user namespaces. The greatest risk exists in jump hosts, multi-tenant cloud environments, Kubernetes clusters, and containerized workloads where user namespaces are enabled or privileged containers are in use. [2]
WHAT YOU SHOULD DO:
The vulnerability was addressed in the Linux kernel and merged into the mainline branch on May 21, 2026.
Recommended Action: Organizations should update affected systems to a patched Linux kernel version as soon as possible and reboot affected systems. This includes upgrading to Linux kernel v7.1-rc5 or installing a vendor-supplied kernel that includes the backported fix for CVE-2026-43503.
Mitigation Options: If patching cannot be performed immediately, exposure can be reduced by disabling unprivileged user namespaces (kernel.unprivileged_userns_clone=0) to prevent acquisition of the CAP_NET_ADMIN capability. Administrators may also mitigate the issue by blacklisting the esp4, esp6, and rxrpc kernel modules, which disables the in-place decryption mechanisms leveraged during exploitation.
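The following shell script is an added example, not part of the original advisory; it checks whether the two mitigations above are actually in effect on a host, including the case where a module is blacklisted in configuration but still loaded. The function names, the ROOT parameter and the --audit switch are assumptions of this example, and it treats an "install <module> /bin/false" (or /bin/true) override as equivalent to a blacklist entry.

```shell
#!/bin/sh
# Added example: audit the two mitigations this advisory names.
# ROOT (hypothetical parameter, default: live host) lets the checks run
# against a mounted image or a constructed test tree.
MODULES="esp4 esp6 rxrpc"

# Prints "disabled", "enabled", or "absent" (the sysctl is not present
# on every kernel build).
userns_state() {
    f="$1/proc/sys/kernel/unprivileged_userns_clone"
    [ -r "$f" ] || { echo absent; return 0; }
    if [ "$(cat "$f")" = "0" ]; then echo disabled; else echo enabled; fi
}

# Succeeds if module $2 is currently loaded.
module_loaded() {
    [ -r "$1/proc/modules" ] && grep -q "^$2 " "$1/proc/modules"
}

# Succeeds if a modprobe.d file blacklists $2 or replaces its install
# command with /bin/false or /bin/true.
module_blocked() {
    cat "$1"/etc/modprobe.d/*.conf 2>/dev/null | grep -Eq \
        "^[[:space:]]*(blacklist[[:space:]]+$2|install[[:space:]]+$2[[:space:]]+/bin/(false|true))[[:space:]]*$"
}

# Prints one "GAP:" line per missing mitigation; returns 1 if any found.
audit() {
    root="${1:-}"; rc=0
    case "$(userns_state "$root")" in
        enabled) echo "GAP: unprivileged user namespaces are enabled"; rc=1 ;;
        absent)  echo "NOTE: kernel.unprivileged_userns_clone not present" ;;
    esac
    for m in $MODULES; do
        if module_loaded "$root" "$m"; then
            echo "GAP: $m is loaded; a blacklist entry does not unload it"; rc=1
        fi
        if ! module_blocked "$root" "$m"; then
            echo "GAP: $m has no blacklist/install override in modprobe.d"; rc=1
        fi
    done
    return $rc
}

# Run against the live host with: sh audit.sh --audit
case "${1:-}" in --audit) audit "${2:-}" ;; esac
```

A clean run of this audit only confirms the interim mitigations; it says nothing about whether the running kernel carries the full patch series.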
REFERENCES
[1] https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/
[2] https://app.opencve.io/cve/CVE-2026-43503
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-43503
[4] https://access.redhat.com/security/cve/cve-2026-43503
[5] https://security-tracker.debian.org/tracker/CVE-2026-43503
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team