ctipilot.ch

Linux kernel 'DirtyClone' LPE — XFRM/IPsec skb-clone page-cache corruption (DirtyFrag family); public PoC

cve · CVE-2026-43503

  • Coverage timeline: 1 (first 2026-06-27 → last 2026-06-27)
  • Briefs: 1 (1 distinct)
  • Sources cited: 145 (68 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-27 · CTI Daily Brief — 2026-06-27
    trending_vulns · First coverage. JFrog working PoC: __pskb_copy_fclone drops SKBFL_SHARED_FRAG; XFRM/IPsec in-place decrypt poisons page-cache copy of setuid binary. CVSS 8.8, reachable via unprivileged userns; fix mainline v7.1-rc5 (commit 48f6a5356a33), distro kernels pending. Silent/audit-blind. § 2 + § 5 context.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • attack.mitre.org: 20 (14%)
  • thehackernews.com: 19 (13%)
  • bleepingcomputer.com: 9 (6%)
  • access.redhat.com: 4 (3%)
  • microsoft.com: 4 (3%)
  • cisa.gov: 3 (2%)
  • helpnetsecurity.com: 3 (2%)
  • isc.sans.edu: 3 (2%)
  • other: 80 (55%)

Related entities

External references

NVD · cve.org · CISA KEV

Items in briefs about Linux kernel 'DirtyClone' LPE — XFRM/IPsec skb-clone page-cache corruption (DirtyFrag family); public PoC (1)

CVE-2026-43503 — Linux kernel "DirtyClone": page-cache corruption via XFRM/IPsec skb cloning (working PoC)

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

JFrog Security Research published a full working-exploit walkthrough on 2026-06-25 for DirtyClone, the latest residual variant of the DirtyFrag family (JFrog Security Research, 2026-06-25). The flaw lives in __pskb_copy_fclone(), which fails to preserve the SKBFL_SHARED_FRAG safety flag when cloning a socket buffer; the cloned buffer, still referencing shared file-backed page-cache memory, is then passed through the XFRM/IPsec in-place decryption path, letting attacker-controlled bytes land in the cached image of a setuid binary such as /usr/bin/su (Red Hat, 2026-06-23). Earlier DirtyFrag fixes (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) do not close this code path; the fix is mainline commit 48f6a5356a33 (Linux v7.1-rc5, merged 2026-05-21), and most distributions had not yet shipped patched kernels at disclosure. The attack leaves no kernel-log or audit-trail artefacts.