Mitigation for Dirty Frag Linux local privilege escalation vulnerability

fln

Yet another local privilege escalation vulnerability was recently publicly announced - dirtyfrag.io.

Mitigation does not require server reboot, only making sure kernel modules esp4, esp6 and rxrpc are disabled.

Code:
: > /etc/modprobe.d/dirtyfrag.conf
echo 'install esp4 /bin/false' >> /etc/modprobe.d/dirtyfrag.conf
echo 'install esp6 /bin/false' >> /etc/modprobe.d/dirtyfrag.conf
echo 'install rxrpc /bin/false' >> /etc/modprobe.d/dirtyfrag.conf
rmmod esp4 esp6 rxrpc 2>/dev/null

Note: The esp4 and esp6 modules are used by IPsec. If your server is using IPsec, unloading them will break the connections over IPsec, or the unload operation will fail. Quick check to make sure the modules are unloaded: the command lsmod | grep -F -e esp4 -e esp6 -e rxrpc should return no results.
 
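An added example, not code from the thread or its author, that packages the mitigation above into shell functions so the config write and the checks can be exercised against files and captured output before touching a live box. It assumes the three module names and the dirtyfrag.conf file name from the post; the lsmod and modules.builtin contents in the test are constructed samples. The loaded-module check matches only the first lsmod column, which the plain grep -F in the post does not, and the builtin check covers a case the post does not mention: a module compiled into the kernel never appears in lsmod and cannot be unloaded or blocked through modprobe.d.

```sh
#!/bin/sh
# Added example (not from the thread). Module list and conf name follow the post.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# write_dirtyfrag_conf DIR
# Overwrites DIR/dirtyfrag.conf with one "install <mod> /bin/false" rule per
# module. "install" (rather than "blacklist") makes modprobe run /bin/false
# instead of loading the module, so even an explicit "modprobe esp4" is refused.
write_dirtyfrag_conf() {
    conf="$1/dirtyfrag.conf"
    printf '' > "$conf" || return 1
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf" || return 1
    done
}

# check_dirtyfrag_conf DIR
# Returns 0 only if every module has its exact install rule present.
check_dirtyfrag_conf() {
    conf="$1/dirtyfrag.conf"
    [ -f "$conf" ] || return 1
    for m in $DIRTYFRAG_MODULES; do
        grep -qx "install $m /bin/false" "$conf" || return 1
    done
}

# loaded_dirtyfrag_modules < LSMOD_OUTPUT
# Prints the target modules found in column 1 of lsmod output. Matching only
# column 1 avoids false hits from the "Used by" column or from unrelated
# modules whose names merely contain one of the strings.
loaded_dirtyfrag_modules() {
    awk -v want="$DIRTYFRAG_MODULES" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        NR > 1 && ($1 in w) { print $1 }'
}

# builtin_dirtyfrag_modules MODULES_BUILTIN_FILE
# Prints target modules compiled into the kernel (listed in modules.builtin).
# Those never show in lsmod and cannot be rmmod'ed or blocked by modprobe.d.
builtin_dirtyfrag_modules() {
    awk -v want="$DIRTYFRAG_MODULES" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        { k = split($0, p, "/"); f = p[k]; sub(/\.ko$/, "", f); if (f in w) print f }' "$1"
}

# apply_dirtyfrag_mitigation [MODPROBE_DIR]
# Live version of the post's commands (needs root): write the rules, unload the
# modules, then report anything still loaded or compiled in. Returns 0 only
# when none of the three modules is loaded or builtin.
apply_dirtyfrag_mitigation() {
    dir=${1:-/etc/modprobe.d}
    write_dirtyfrag_conf "$dir" || { echo "cannot write $dir/dirtyfrag.conf" >&2; return 1; }
    rmmod $DIRTYFRAG_MODULES 2>/dev/null
    still=$(lsmod | loaded_dirtyfrag_modules)
    builtin=$(builtin_dirtyfrag_modules "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null)
    [ -z "$still" ] || echo "still loaded (in use by IPsec? see note above): $still" >&2
    [ -z "$builtin" ] || echo "built into the kernel, not unloadable: $builtin" >&2
    [ -z "$still" ] && [ -z "$builtin" ]
}
```

Run `apply_dirtyfrag_mitigation` as root to apply the post's steps, or `write_dirtyfrag_conf /some/dir` and `check_dirtyfrag_conf /some/dir` to stage and verify the config elsewhere first. A non-empty "still loaded" line after rmmod is the failure mode the IPsec note describes: the module is in use and the unload did not happen.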
Did you test the PoC on this?

Doesn't seem to mitigate the issue for me. But maybe I'm doing something wrong. See if others chime in.
 
Update:

If you've run the PoC before applying the mitigation, then you either need to reboot or drop caches:

echo 3 > /proc/sys/vm/drop_caches

 
The PoC seems to have worked on AlmaLinux 8.

I would assume AlmaLinux 9 is vulnerable as well. (and RHEL8 and RHEL9).
 
AlmaLinux 9 vulnerable as well.

Same story though, you either need to drop caches or reboot after applying mitigation steps.
 
I haven't done anything yet for mitigation or whatever, but when I run this command on the servers:
lsmod | grep -F -e esp4 -e esp6 -e rxrpc
it gives no result so they are not loaded.

I presume I still need to do the fix.

The PoC seems to have worked on AlmaLinux 8.
What's a PoC?
 