JFrog Security Research published a working exploit on June 25 for CVE-2026-43503, a Linux kernel privilege escalation dubbed “DirtyClone.” It’s rated CVSS 8.8 and lets a local user gain root by corrupting file-backed memory through cloned network packets. The file on disk never changes, so file-integrity tools won’t detect it.
Here’s how it works. The attacker loads a privileged binary like /usr/bin/su into memory, wires those pages into a network packet, and forces the kernel to clone it. The cloned packet passes through a controlled IPsec tunnel, and the decryption step overwrites login checks in the binary. The next time anyone runs su, they get root.
This is the fourth in a series of similar bugs. Copy Fail (CVE-2026-31431) came first in late April, exploiting the algif_aead module for a four-byte page-cache write. Then DirtyFrag (CVE-2026-43284 and CVE-2026-43500) followed on May 7, combining IPsec ESP and RxRPC paths. Fragnesia (CVE-2026-46300) appeared on May 13, bypassing the DirtyFrag patch through a flag-dropping bug in skb_try_coalesce().
The underlying pattern is the same in every case: a kernel fast path writes into a page it doesn’t exclusively own, and the page cache absorbs the hit. Each fix has closed one code path and left others open. The CVE-2026-43503 fix landed upstream in Linux v7.1-rc5 on May 24 and has been backported to stable and LTS branches. Ubuntu, Debian, and SUSE have published advisories.
If you can patch today, do that. If you can’t, restrict unprivileged user namespaces (kernel.unprivileged_userns_clone=0 on Debian and Ubuntu). Alternatively, blacklist the esp4, esp6, and rxrpc modules, though that breaks IPsec and AFS functionality. Treat these as temporary controls.
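To confirm which of those temporary controls is actually in effect on a host, here is an added example (not from JFrog or any distribution advisory) that reads the sysctl, the loaded-module list, and modprobe.d. The function names and the ROOT variable are assumptions made for this sketch; ROOT lets the same checks run against a copied or constructed filesystem tree instead of the live system.

```shell
#!/bin/sh
# Added example: audit the two temporary DirtyClone controls on one host.
# ROOT is an assumed test hook: empty audits the live system, otherwise it is
# a directory holding a copied or constructed /proc and /etc tree.

# Exit 0 if kernel.unprivileged_userns_clone is 0; 2 if the sysctl is absent
# (it is a Debian/Ubuntu knob, so other kernels will not expose it).
userns_restricted() {
    f="$1/proc/sys/kernel/unprivileged_userns_clone"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "0" ]
}

# Exit 0 if module $2 is currently loaded according to /proc/modules.
module_loaded() {
    grep -qs "^$2 " "$1/proc/modules"
}

# Exit 0 if modprobe.d blocks module $2: "blacklist" stops alias autoloading,
# "install <mod> /bin/false" also stops an explicit modprobe.
module_blocked() {
    grep -Eqs "^[[:space:]]*(blacklist[[:space:]]+$2|install[[:space:]]+$2[[:space:]]+/bin/(false|true))[[:space:]]*$" \
        "$1"/etc/modprobe.d/*.conf
}

# Print one summary line; per-module gaps go to stderr.
mitigation_status() {
    userns=no; modules=yes
    if userns_restricted "$1"; then userns=yes; fi
    for m in esp4 esp6 rxrpc; do
        if module_loaded "$1" "$m"; then
            echo "gap: $m is loaded (blacklisting does not unload it)" >&2; modules=no
        elif ! module_blocked "$1" "$m"; then
            echo "gap: $m has no blacklist/install entry in modprobe.d" >&2; modules=no
        fi
    done
    echo "userns_restricted=$userns modules_blocked=$modules"
}

mitigation_status "${ROOT:-}"
```

Code compiled into the kernel rather than built as a module never appears in /proc/modules and is not affected by modprobe.d, so a clean module result on such a kernel does not mean the path is closed.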
