Linux DirtyClone CVE-2026-43503 local privilege escalation

Summary

CVE-2026-43503, dubbed DirtyClone by JFrog Security Research, is a high-severity Linux kernel local privilege-escalation flaw in the DirtyFrag vulnerability family. JFrog published a working exploit walkthrough on June 25, 2026 showing that a local unprivileged user can gain root by manipulating shared page-cache memory through socket-buffer (skb) processing paths.

JFrog says the issue persisted after earlier DirtyFrag fixes because the same Copy-on-Write protection gap could be reached through a different packet-processing path in the XFRM/IPsec subsystem. The flaw was reported to Linux kernel maintainers in May 2026, patched in mainline, and assigned CVSS 8.8.

Why this matters

  • This is a post-compromise root path: low-privileged local shells, compromised containers, shared CI runners, research boxes, and multi-user systems become higher risk when kernels are missing the full DirtyFrag patch chain.
  • JFrog reports the exploit can be silent, leaving no kernel logs or audit traces, and can bypass common on-disk integrity checks because the primitive corrupts shared page-cache memory rather than simply modifying files through normal writes.
  • The highest-risk environments are multi-tenant Linux systems, Kubernetes/container hosts, and systems where unprivileged user namespaces let local users acquire CAP_NET_ADMIN inside a namespace.
  • DirtyClone reinforces that partial patching of a vulnerability family can leave sibling code paths exploitable; defenders should verify complete distribution backports rather than only checking the first DirtyFrag CVEs.

Public vulnerability detail

  • Name: DirtyClone.
  • CVE: CVE-2026-43503.
  • Family: DirtyFrag-style Linux kernel networking / skb page-cache Copy-on-Write flaws.
  • Impact: local privilege escalation to root.
  • Severity: CVSS 8.8, per JFrog.
  • Affected kernels: those missing the complete DirtyFrag fix chain, including systems that patched the initial CVE-2026-43284 / CVE-2026-43500 issues but not the later bypass fixes such as CVE-2026-46300 and CVE-2026-43503.
  • Reachability: local users who hold or can acquire CAP_NET_ADMIN; JFrog highlights unprivileged user namespaces as a common route.
  • Distributions JFrog tested or references: Debian, Ubuntu, and Fedora configurations with unprivileged user namespaces enabled.
  • Patch timeline: JFrog says relevant fixes were merged in May 2026, with Linux v7.1-rc5 as the first fixed tag for this variant; production systems should follow their distribution kernel advisories and reboot into the fixed kernel.

Defender heuristics

  1. Prioritize kernel updates for container hosts, Kubernetes nodes, shared build agents, developer workstations, jump hosts, HPC/research systems, and any multi-user Linux server where untrusted users or workloads execute code.
  2. Confirm the running kernel, not just installed packages, includes the distribution backport for CVE-2026-43503 and related DirtyFrag fixes (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300). Reboot after patching.
  3. If patching is delayed, consider temporarily removing the exploit's preconditions: disable unprivileged user namespaces where business impact permits (kernel.unprivileged_userns_clone=0 on distributions that support that sysctl), restrict privileged containers, and reduce the paths by which untrusted workloads can gain CAP_NET_ADMIN.
  4. JFrog also points to blacklisting the esp4, esp6, and rxrpc kernel modules as a workaround for the in-place decryption primitives; validate this carefully against IPsec/RxRPC business requirements before applying it.
  5. Hunt for suspicious namespace and networking setup from unexpected users or workloads: unshare, clone, ip netns, tc, XFRM/IPsec configuration, unusual CAP_NET_ADMIN grants, and short-lived local-root transitions from service or CI accounts.
  6. Treat successful exploitation as possible host-root compromise even if file-integrity tools look clean; preserve volatile evidence, container runtime state, audit/process telemetry, kernel version evidence, and recent workload provenance.
  7. For Kubernetes and CI fleets, scope secrets mounted into affected nodes/runners and rotate credentials exposed to workloads that could have reached the vulnerable kernel.
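The following is an added example (not JFrog's or the kernel project's code) that turns heuristics 2 through 4 into a pre-patch exposure check for one host: it reports whether unprivileged user namespaces look enabled and whether the esp4/esp6/rxrpc modules are blacklisted in modprobe config. The sysctl and module names come from the advisory above; the mainline knob user.max_user_namespaces, the modprobe.d path, and the decision logic are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original advisory. Checks the DirtyClone
# preconditions described above on the local host. Kernel version vs. the
# distro backport must still be compared against the vendor advisory by hand.

# Exit 0 when unprivileged user namespaces appear enabled. Arguments are the
# values of kernel.unprivileged_userns_clone (Debian/Ubuntu-specific, may be
# absent) and user.max_user_namespaces (mainline). Pass "" for an absent sysctl.
userns_enabled() {
    clone="$1"; maxns="$2"
    # Debian-style knob: 0 disables unprivileged creation outright.
    [ "$clone" = "0" ] && return 1
    # Mainline limit: 0 forbids creating any user namespace.
    [ "$maxns" = "0" ] && return 1
    return 0
}

# Exit 0 when modprobe config text neuters the given module, i.e. contains
# "blacklist <mod>" or "install <mod> /bin/false" (or /bin/true).
module_blocked() {
    mod="$1"; conf="$2"
    printf '%s\n' "$conf" | grep -Eq \
        "^[[:space:]]*(blacklist[[:space:]]+$mod|install[[:space:]]+$mod[[:space:]]+/bin/(false|true))([[:space:]]|$)"
}

# Read a sysctl from /proc, printing "" if this kernel does not expose it.
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path" || printf ''
}

# Live check of this host: one status line per precondition.
check_host() {
    if userns_enabled "$(read_sysctl kernel.unprivileged_userns_clone)" \
                      "$(read_sysctl user.max_user_namespaces)"; then
        echo "EXPOSED: unprivileged user namespaces enabled (CAP_NET_ADMIN reachable in a namespace)"
    else
        echo "ok: unprivileged user namespaces disabled"
    fi
    conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    for m in esp4 esp6 rxrpc; do
        if module_blocked "$m" "$conf"; then echo "ok: $m blacklisted"; else echo "EXPOSED: $m not blacklisted"; fi
    done
    echo "running kernel: $(uname -r) (compare with the distribution advisory for CVE-2026-43503)"
}

check_host
```

An "ok" on every line only means the listed workarounds are in place; the running kernel still has to carry the full DirtyFrag backport.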

Sources

  • JFrog Security Research: https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/
  • The Hacker News: https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html