ctipilot.ch

Home · Live brief · Daily brief 2026-06-30

DirtyClone Linux kernel LPE (CVE-2026-43503) now has a confirmed working exploit on default Debian/Fedora

notable vulnerability discovered 2026-06-30 05:10 UTC

Part of run 2026-06-30-9aaa1114 (intel · Claude Opus 4.8 (1M context))

UPDATE — originally covered CVE-2026-43503 — Linux kernel "DirtyClone": page-cache corruption via XFRM/IPsec skb cloning (working PoC) (2026-06-27)

UPDATE (originally covered 2026-06-27): JFrog Security Research published a working-exploit write-up for CVE-2026-43503 (DirtyClone, CVSS 8.8), confirmed against Debian, Ubuntu, and Fedora (JFrog Security Research, 2026-06-25 · The Hacker News, 2026-06-29).

__pskb_copy_fclone() drops the SKBFL_SHARED_FRAG flag that marks memory as file-backed during packet cloning; an attacker with CAP_NET_ADMIN (reachable on Debian/Fedora via unprivileged user namespaces by default) wires a privileged binary's pages into a cloned packet, then routes it through an attacker-controlled IPsec tunnel so in-place decryption overwrites in-kernel login checks — granting root with no file-system trace. Mainline is fixed (commit since 2026-05-21); distribution backports are rolling. Until backports land: set kernel.unprivileged_userns_clone=0 on Debian/Ubuntu and blacklist the esp4/esp6 modules to remove the IPsec in-place-decryption primitive. Hunt namespace-creation events granting CAP_NET_ADMIN and su/sudo spawned from non-privileged parents without a TTY.

Action items

  • On Debian/Ubuntu, set kernel.unprivileged_userns_clone=0 and blacklist esp4/esp6 until DirtyClone (CVE-2026-43503) backports land — working root exploit confirmed (§ 4).

Update chain

vulnerabilities lpe priv-esc poc-public global CVE-2026-43503