ctipilot.ch · Daily brief 2026-06-27

CVE-2026-43503 — Linux kernel "DirtyClone": page-cache corruption via XFRM/IPsec skb cloning (working PoC)

Severity: high · Type: vulnerability · Discovered: 2026-06-27 05:17 UTC

Part of run 2026-06-27-40e791d4 (intel · Claude Opus 4.8)

JFrog Security Research published a full working-exploit walkthrough on 2026-06-25 for DirtyClone, the latest residual variant of the DirtyFrag family (JFrog Security Research, 2026-06-25). The flaw lives in __pskb_copy_fclone(), which fails to preserve the SKBFL_SHARED_FRAG safety flag when cloning a socket buffer; the cloned buffer, still referencing shared file-backed page-cache memory, is then passed through the XFRM/IPsec in-place decryption path, letting attacker-controlled bytes land in the cached image of a setuid binary such as /usr/bin/su (Red Hat, 2026-06-23). Earlier DirtyFrag fixes (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) do not close this code path; the fix is mainline commit 48f6a5356a33 (Linux v7.1-rc5, merged 2026-05-21), and most distributions had not yet shipped patched kernels at disclosure. The attack leaves no kernel-log or audit-trail artefacts.

Action items

  • Prioritise Linux kernel updates for DirtyClone (CVE-2026-43503) and pedit COW (CVE-2026-46331). Until distro kernels ship, set kernel.unprivileged_userns_clone=0 (or blacklist act_pedit/esp4/esp6) on hosts where those features are unused. For hunt purposes, assume that local privilege escalation is possible on any unpatched multi-user or Kubernetes Linux host (§ 2, § 5).
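The following POSIX shell script is an added example for checking the interim mitigations named in the action item; it is not part of the ctipilot.ch brief and not tooling from JFrog or Red Hat. It reports the state of kernel.unprivileged_userns_clone and whether act_pedit, esp4 and esp6 are loaded, blocked, merely blacklisted, or still loadable. The sample /proc/modules and modprobe.d contents are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the ctipilot.ch brief: audit a host's interim
# mitigation state for DirtyClone / pedit COW as the action item describes.
# It checks (1) kernel.unprivileged_userns_clone and (2) whether act_pedit,
# esp4 and esp6 are loaded, blocked, merely blacklisted, or still loadable.
# Every check takes its input as parameters so it can run against the
# constructed samples below as well as against the live host.

# (1) Sysctl state. kernel.unprivileged_userns_clone is a Debian/Ubuntu-family
# knob; kernels without it report "unknown" here (upstream kernels offer
# user.max_user_namespaces=0 as the closest equivalent). Assumption: a
# missing knob is flagged for manual review, never treated as safe.
userns_clone_state() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    case "$(cat "$f")" in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# (2) Module exposure. $1 module name, $2 /proc/modules text, $3 the
# concatenated modprobe.d configuration. The distinction matters: a
# "blacklist" line only stops alias-based autoloading, so the module can
# still be loaded explicitly; "install <mod> /bin/false" refuses every load.
module_exposure() {
    mod="$1"; loaded="$2"; conf="$3"
    if printf '%s\n' "$loaded" | grep -q "^${mod} "; then
        echo loaded
    elif printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(false|true)([[:space:]]|$)"; then
        echo blocked
    elif printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*blacklist[[:space:]]+${mod}([[:space:]]|$)"; then
        echo blacklisted
    else
        echo loadable
    fi
}

# Live audit of the current host; prints one line per check.
audit_host() {
    loaded=$(cat /proc/modules 2>/dev/null)
    conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
    echo "unprivileged_userns_clone: $(userns_clone_state)"
    for m in act_pedit esp4 esp6; do
        echo "$m: $(module_exposure "$m" "$loaded" "$conf")"
    done
}

# Constructed sample data (not captured from a real host) covering the
# outcomes: esp4 loaded, act_pedit blocked, esp6 only blacklisted.
SAMPLE_MODULES='esp4 24576 0 - Live 0x0000000000000000
xfrm_user 49152 1 - Live 0x0000000000000000'
SAMPLE_CONF='install act_pedit /bin/false
blacklist esp6'

for m in act_pedit esp4 esp6; do
    echo "sample $m: $(module_exposure "$m" "$SAMPLE_MODULES" "$SAMPLE_CONF")"
done
```

On a real host, call audit_host as root to read the live sysctl and modprobe.d configuration. A result of "blacklisted" for esp4/esp6 or act_pedit is weaker than "blocked": the blacklist keyword only suppresses alias autoloading, so prefer an install line that points at /bin/false when the module is genuinely unused.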

Tags: vulnerabilities, lpe, priv-esc, poc-public, patch-available, global, CVE-2026-43503