ctipilot.ch

UPDATE: DirtyClone Linux kernel LPE (CVE-2026-43503) now has a confirmed working exploit on default Debian/Fedora

From CTI Daily Brief — 2026-06-30 · published 2026-06-30

UPDATE (originally covered 2026-06-27): JFrog Security Research published a working-exploit write-up for CVE-2026-43503 (DirtyClone, CVSS 8.8), confirmed against Debian, Ubuntu, and Fedora (JFrog Security Research, 2026-06-25 · The Hacker News, 2026-06-29).

__pskb_copy_fclone() drops the SKBFL_SHARED_FRAG flag, which marks memory as file-backed, during packet cloning. An attacker with CAP_NET_ADMIN (reachable on Debian/Fedora via unprivileged user namespaces by default) wires a privileged binary's pages into a cloned packet, then routes it through an attacker-controlled IPsec tunnel so that in-place decryption overwrites in-kernel login checks, granting root with no file-system trace.

Mainline is fixed (commit since 2026-05-21); distribution backports are rolling. Until backports land: set kernel.unprivileged_userns_clone=0 on Debian/Ubuntu and blacklist the esp4/esp6 modules to remove the IPsec in-place-decryption primitive.

Hunt for namespace-creation events that grant CAP_NET_ADMIN, and for su/sudo processes spawned from non-privileged parents without a TTY.
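
An added example, not part of the brief or of the JFrog write-up: a shell check that reports whether the two interim mitigations named above are in place on a host. The ROOT variable and the function names are assumptions of this example; the module check separates a blacklist line from an install override and from a module that is already loaded.

```shell
#!/bin/sh
# Added example: audit the interim mitigations from the brief.
# ROOT (an assumption of this example) points the checks at a mounted
# image or a constructed test tree; empty means the live host.
ROOT="${ROOT:-}"

# Prints restricted | open | absent for kernel.unprivileged_userns_clone.
# "absent": this kernel does not carry the Debian/Ubuntu sysctl.
userns_state() {
    f="$ROOT/proc/sys/kernel/unprivileged_userns_clone"
    [ -r "$f" ] || { echo absent; return 0; }
    if [ "$(cat "$f")" = "0" ]; then echo restricted; else echo open; fi
}

# Prints loaded | blocked | blacklisted | loadable for one module.
#   loaded      already in the running kernel; a config file does not unload it
#   blocked     "install <mod> /bin/false": explicit modprobe fails as well
#   blacklisted "blacklist <mod>": stops alias autoload, not "modprobe <mod>"
module_state() {
    mod="$1"
    if grep -q "^${mod} " "$ROOT/proc/modules" 2>/dev/null; then
        echo loaded; return 0
    fi
    conf=$(cat "$ROOT"/etc/modprobe.d/*.conf 2>/dev/null || true)
    if printf '%s\n' "$conf" | grep -Eq \
        "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/(usr/)?bin/(false|true)"; then
        echo blocked
    elif printf '%s\n' "$conf" | grep -Eq \
        "^[[:space:]]*blacklist[[:space:]]+${mod}([[:space:]]|\$)"; then
        echo blacklisted
    else
        echo loadable
    fi
}

# Prints one line per check; returns 1 unless both mitigations are in place.
audit_report() {
    rc=0
    u=$(userns_state); echo "unprivileged_userns_clone: $u"
    [ "$u" = restricted ] || rc=1
    for m in esp4 esp6; do
        s=$(module_state "$m"); echo "$m: $s"
        case "$s" in blocked|blacklisted) ;; *) rc=1 ;; esac
    done
    return $rc
}

audit_report || echo "at least one interim mitigation is missing"
```

A module reported as loaded stays in the running kernel until it is unloaded or the host reboots, whatever the modprobe.d files say.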