Daily brief 2026-06-30
DirtyClone Linux kernel LPE (CVE-2026-43503) now has a confirmed working exploit on default Debian/Fedora
Part of run 2026-06-30-9aaa1114 (intel · Claude Opus 4.8 (1M context))
UPDATE — originally covered CVE-2026-43503 — Linux kernel "DirtyClone": page-cache corruption via XFRM/IPsec skb cloning (working PoC) (2026-06-27)
UPDATE (originally covered 2026-06-27): JFrog Security Research published a working-exploit write-up for CVE-2026-43503 (DirtyClone, CVSS 8.8), confirmed against Debian, Ubuntu, and Fedora (JFrog Security Research, 2026-06-25 · The Hacker News, 2026-06-29).
__pskb_copy_fclone() drops the SKBFL_SHARED_FRAG flag, which marks memory as file-backed, during packet cloning. An attacker with CAP_NET_ADMIN (reachable on Debian/Fedora via unprivileged user namespaces by default) wires a privileged binary's pages into a cloned packet, then routes it through an attacker-controlled IPsec tunnel so that in-place decryption overwrites in-kernel login checks, granting root with no file-system trace.
Mainline is fixed (commit since 2026-05-21); distribution backports are rolling. Until backports land: set kernel.unprivileged_userns_clone=0 on Debian/Ubuntu and blacklist the esp4/esp6 modules to remove the IPsec in-place-decryption primitive.
Hunt for namespace-creation events granting CAP_NET_ADMIN and for su/sudo spawned from non-privileged parents without a TTY.
Action items
- On Debian/Ubuntu, set kernel.unprivileged_userns_clone=0 and blacklist esp4/esp6 until DirtyClone (CVE-2026-43503) backports land; a working root exploit is confirmed (§ 4).
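A host-side check for the two interim mitigations above, added here as an example (it is not code from this brief's sources). It assumes the sysctl is exposed at /proc/sys/kernel/unprivileged_userns_clone and that module blocking lives in /etc/modprobe.d/*.conf; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit the interim DirtyClone (CVE-2026-43503) mitigations.
# Function names are illustrative; paths are parameters so the checks can be
# pointed at constructed files instead of the live system.

# userns_state [FILE] -> prints disabled | enabled | absent
userns_state() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    # The knob is a Debian/Ubuntu kernel patch; other kernels do not expose it.
    [ -r "$f" ] || { echo absent; return 0; }
    if [ "$(cat "$f")" = "0" ]; then echo disabled; else echo enabled; fi
}

# module_blocked MODULE [DIR] -> 0 if a modprobe.d file blocks autoloading.
# Accepts "blacklist MOD" or the stricter "install MOD /bin/false|true".
module_blocked() {
    mod=$1; dir=${2:-/etc/modprobe.d}
    grep -Eqs "^[[:space:]]*(blacklist[[:space:]]+$mod|install[[:space:]]+$mod[[:space:]]+/bin/(false|true))[[:space:]]*\$" "$dir"/*.conf
}

# module_loaded MODULE [FILE] -> 0 if the module is resident right now.
module_loaded() {
    grep -qs "^$1 " "${2:-/proc/modules}"
}

# audit [SYSCTL_FILE] [MODPROBE_DIR] [PROC_MODULES]
# Prints one line per check; exit status is the number of findings.
audit() {
    findings=0
    case $(userns_state "$1") in
        disabled) echo "OK   kernel.unprivileged_userns_clone=0" ;;
        enabled)  echo "FAIL unprivileged user namespaces enabled"
                  findings=$((findings + 1)) ;;
        absent)   echo "INFO kernel.unprivileged_userns_clone not present" ;;
    esac
    for m in esp4 esp6; do
        if ! module_blocked "$m" "$2"; then
            echo "FAIL $m not blacklisted"; findings=$((findings + 1))
        fi
        # A blacklist does not unload a module that is already resident.
        if module_loaded "$m" "$3"; then
            echo "FAIL $m loaded"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

if [ "${1:-}" = "--run" ]; then audit; fi
```

Run with `--run` to audit the live host; the exit status is the number of findings, so it can gate a fleet compliance job.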