Feeds.4Sysops
New DirtyClone Vulnerability Allows Local Privilege Escalation in Linux Kernel
A new local privilege escalation vulnerability, DirtyClone (CVE-2026-43503), was disclosed, allowing unprivileged local users to gain root access by manipulating cloned network packets through the XFRM/IPsec subsystem. This flaw is a high-severity variant of the DirtyFrag vulnerability family, which exploits the corruption of file-backed memory. The exploit requires the attacker to have the CAP_NET_ADMIN capability and can affect popular Linux distributions, including Debian, Ubuntu, and Fedora. A proof-of-concept (PoC) was published on June 26, 2026, prompting urgent patching. The Linux kernel maintainers released a fix in version 7.1-rc5, but users are advised to mitigate risks by blocking certain kernel module acquisitions. Another related vulnerability, CVE-2026-46331, was also disclosed recently, highlighting ongoing security concerns in the Linux kernel.
Key Points:
• DirtyClone (CVE-2026-43503) allows local users to gain root access via cloned packets.
• The vulnerability affects major Linux distributions including Debian, Ubuntu, and Fedora.
• A patch was released on June 26, 2026, but immediate mitigation is recommended for unpatched systems.