The Dirty Frag vulnerability abuses Linux kernel page fragments (struct page_frag, which records only a page, an offset and a size) together with zero-copy, in-place data transforms to write into page-cache pages that back protected files, allowing any local user to escalate to root by overwriting a setuid binary such as su in the page cache. It demonstrates how modern kernel exploits increasingly target ownership confusion between shared buffers rather than classic memory corruption.
Deep Dive
How Linux Page Cache Bugs Keep Happening
Mind-blown.
For the second time in a week, the Linux kernel showed a universal LPE.
Local privilege escalation. Anyone, any user on your system, can become root just by issuing one line of command.
See?
I have only this one line. If you're a professional, or otherwise, you will see that this is not one line. Technically, I'm fetching one project from Git, going into it, compiling it, running it, and I am root. And this is the second time that this has happened. And I'm sure more cases will happen soon. This is called Dirty Frag.
Frag, like fragmentation.
Not exactly like fragmentation.
After we had Dirty COW and Dirty Pipe, then we had Copy Fail. I covered Copy Fail.
Now we have this Dirty Frag, inspired by Copy Fail; a security researcher has shown this. It's here. Let me show it to you.
Hyunwoon Kim, Rebel, showed this and said that after seeing Copy Fail he started researching this one, and we will have more and more of this.
Second time in a week. Very strange.
In this video, I will show you on a technical level. We will check the code, what is happening there. This is more complicated than Copy Fail. Also, I'm going on a hike without electricity or network, off the grid (off the grid is the correct word), for a few days, so I thought it's better to cover this before leaving.
I will show you what's going on at the code level and we'll have some chat to understand the behind-the-scenes environment. This is happening because of five different things working hand in hand.
Also, he's very cleverly using two different CVEs, two different exploits, to get this root access.
Technically, these are not chained, as I understand it; these are two different directions. On some systems one works, on some systems the other one works. And this looks like a new trend: people just show that this can be used on all the different systems at the same time, with the same code. In my case, you saw this is my own daily driver computer.
And this works. I haven't updated it.
Maybe after an update it should stop working, hopefully. I will tell you here.
No, there.
Maybe there.
Anyway.
So, what's going on?
As I've told you, this is the combination of five different things. The first one is the page cache structure in the Linux kernel world. I've talked about this in the previous video, Copy Fail, in more depth, but in general it's very direct.
Whatever you do in Linux, for example, when you read something from a disk, it goes into a page cache in your memory.
And whenever other people, or the same process, or other processes need the same data, this will be used as the source of truth. This is very good because you are not going directly to the disk all the time.
Safe enough. The second one is pipes in Linux. In many cases, when you want to do something, you create pipes. The command is splice. Again, we had this in the Copy Fail video in a little bit more detail. But what this does is it creates buffers from your data. And you have some kind of different access, and more access, there. In the previous video (so this is not the real three, this is a fake three) we had some cryptographic algorithms working on this buffer and changing them in place. So, technically, now three should be zero copy.

Let me show you some code for this and this. That would be more fun. Seeing code is always good, and also most of us do not need to understand these exploits to the last command. But it's good to use them to learn more about the Linux kernel. If you want to check the Linux kernel, you can always go to github.com/torvalds/linux. The development doesn't happen here; this is just a mirror of the kernel, but very easy to search or use. So, I wanted to show you the struct of a page.
When you have a page in memory, this is not the one. We need the header files.
Mhm.
Okay, let's go from here. We will dive into some page.
Where do we have a page? struct page, for example.
This comes from here, in the mm_types.h header.
See, this is kind of complicated, more data. You have a struct called page. When you read something, this goes into memory in this structure. You have some flags, atomic flags. You have a union of different structs, so you can have different things in your page. And also another union of the page type. And also you have some refcounts. When you are creating a page there, you say, "Okay, this is my page.
It has some different kind of data in it." You saw the unions. And also you have a refcount. How many references do I have to this one? If you have this and someone wants to use it, you add one.
You add one. You add one. Then this one says, "Okay, I'm done. I don't need it anymore." You say, "Okay, I'll remove one." So you have two references. This says, "Okay, I'm finished." You remove another one. So you have only one reference. When your reference count is zero, it means you can just omit this one; nobody needs it anymore. This is fun and cool. Still, it's cache. It's not very clear, but this is how reference counting works. So, what we had: we had the page cache, we had the pipes using splice, we had the zero copy concept.
Now, here many of the fails are happening because of this. When you have this memory here, you read something, it's in memory, and you want to do something on it.
Normal, old school, non-optimized people may copy the data here and just do whatever they want with this. This is very safe because you are not touching the original data, but it's very slow because this is very expensive.
So, or expensive if you are in Europe.
So, what happens is many optimization procedures try to do zero copies. They use the same memory slot to do what they want to do, especially in cryptography. If you have a list of numbers, 1 2 3 4 1, and want to add two to each of them, a normal non-optimized person would copy everything there, would use double the memory, would pay for one whole copy of the memory, then go through and add to this. But a zero copy would just go one by one and add directly here.
This is a zero copy method.
You can see it starts to be a little bit frightening. What happened in Copy Fail was we were doing a zero copy encryption on the su command. Now, that part is fixed. This guy tried to find a new method and found an amazing method. So, page cache, pipe, zero copy, and he started using, or abusing, page fragments, which are called frags. That's why the whole thing is called Dirty Frag.
As you remember, we previously had Dirty COW. COW is copy-on-write. It used to be a group of hacks we saw some time ago. You know the idea. I have the copy. Everyone is using this. No problem. You don't need to copy it somewhere to use it. Zero copy.
As soon as you want to write on it, you copy it. Copy-on-write.
So, this is now safe. As soon as you want to edit, you copy it.
But what happens with fragments? These pages are huge. Well, they are not huge; I think in modern kernels they are 4K, which is still large. If you're reading a file, this is not super large. But if you're working with a network interface, 4K is large. When you're reading data from the network, your chunks are much smaller. So what Linux does is, when you request some data, instead of the whole page it gives you a fragment of the page. How?
It creates a page.
Some data is here. Another data is here.
Another data is here. And now, if you ask for a page frag, it will tell you, "Okay, page frag, I'm giving you this page, but you will start from this." So, this is called offset.
And this is your size. So, I created a fragment here. Let's have a look at the page and page fragment structures in the Linux kernel.
You just saw the page.
Right?
And you see page had some flags, had some complicated structures, had things like reference counts, and that kind of stuff. Also, you have the type. You will keep whether this page is writable for this user. But if you go to the struct page_frag and the types, yeah, it's good enough.
Here you can see, it's much simpler.
A page frag points to a page, has an offset, and has a size. This is also cool, how the kernel programmers write code. If you are on a __u32 or the other one, you have that kind of offset based on your BITS_PER_LONG or PAGE_SIZE.
So, what happened is now you can see the problem.
You have a page with lots of information about how people can access it, if it's writable or not, but you have fragments which are very simple.
Only points to one specific page, points to an offset, and points to a size.
The attacker started thinking, "What happens if I create a..." Sorry, I'm not very good with this screen writer I'm using. I tried to update to something which works on Wayland.
So, what happens? The hacker started thinking.
What happens if I ask for a fragment of the page, then give it back, then someone else uses the same thing.
There might be a confusion about write access. And again, if we find something that can change the memory with zero copy, we might be able to write something in memory where, for example, the su command resists.
Exists, resides. It is there.
Resist means to resist.
But there is a word close to this one.
So, this is how this attack in general works.
It loads an important binary like su, so the kernel knows that su is here, then reuses the same fragment for something writable and asks for something which does a zero copy to write whatever I want over su.
Very clever, and the strange and fun part is he also introduced two different methods for that writing. If you go to the assets, there is a write-up here which discusses everything in much more detail, even more detail than what I'm discussing. He mentions that this algif_aead interface, which we were using in Copy Fail, is not valid anymore, so, who cares, he added two new CVEs.
The first one, this is the kernel code, uses esp_input.
And this is the problematic part, at least for this part. It says, if the skb is non-linear (skb is socket buffer)
and the number of frags is one, skip the COW.
So, if you are doing changes, copy-on-write, skip it. Just do the change in place.
This is a problem with that reference counting I told you.
And he created an exploit for this. But this needs the user to be able to create namespaces in the kernel. Ubuntu, by default, doesn't allow this. So he bravely introduced another CVE, page cache write.
He found another place which can do kind of the same thing, calling a crypto cipher to just do the in-place change. So if that doesn't work, this will work. He created the exploit, also created a patch, and submitted for both cases. He shows the disclosure timeline.
Both were found on this specific date, or the day after. I think this is the first one. The second one is on the 13th.
And 13th. And he says, "Inspired by Copy Fail," he started finding these. Obviously he used, I don't know what; my guess is he used AI. And this is happening more and more. Now we have very, very, very strong exploit finders using AI.
Even many projects and sites which are giving out bounties are saying, "Okay, pause. We are getting too much noise and real data." And I think Anthropic introduced a new tool to find bugs. They say this is very dangerous. So, at the moment only companies have access. After some time, we will see how it works. He disclosed it, provided the patch, and is now giving out the code. Also, in the code you can see the actual exploit.
It's a little bit... not a little bit, it's difficult to understand. He says what it does: it kind of replaces the whole thing with a new shell for root, which is a nice idea. Replaces su, as I understood it.
If you want to start studying it, do one thing. There was some place which was more readable.
Ah, this is the main place to start: su LPE, local privilege escalation, main.
And you can go forward from here and see how it works. It starts two different branches based on which works. As soon as it sees that you have root, it starts root. Also, you can run it with some flags for some more visibility on what is happening. I think it was in the same place I was.
Yeah, you can have a verbose mode, or you can set some environment variables like this to make sure that it tells you what it's doing.
Amazing work.
And we will see more and more of this.
Linux kernel exploitation today is more about abusing all these performance optimizations we had in previous years. This is not like hackers doing strange magic, or a bad line of code in the kernel. This is using different legitimate modules, combining them with each other, and exploiting the functionality. So it's very difficult to understand the possibility of such a thing by reading different modules. It's about the complexity of the code, zero copies, and this shared memory ownership. It happens because of this complexity in the kernel.

For the defense, obviously, we have to update. I will update my machine just after this video and add to the video whether the update works at the moment or not. Also, another important factor is this can jump out of containers, because this is happening in the kernel; when you have different kinds of containers beneath your kernel, this can affect all of them. So, whatever you have, update. Maybe in the near future people will go for less optimization, more security.
Let's see how this works. Hope you liked it. Try the code for educational purposes.
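As an added illustration, here is a userspace toy model in C of the three things the video walks through: a reference-counted page that carries ownership information, a page fragment that is only (page, offset, size), and an in-place "zero-copy" transform that is safe only when the caller owns the bytes it touches. This is not code from the video, from the Dirty Frag write-up or from the kernel; the struct names, the PG_FILE_BACKED flag, the fake "su" image and the XOR transform are stand-ins chosen for the example. The unsafe path trusts the fragment and mutates the shared page-cache page, which is the ownership confusion described above; the hardened path decides copy-versus-in-place from the owning page's flags and refcount, the copy-on-write discipline the in-place paths skip.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model only (not kernel code): page size shrunk so the whole
 * thing is readable in one screen. */
#define TOY_PAGE_SIZE 64

/* Assumed flag: the page is the page-cache copy of a file on disk. */
enum { PG_FILE_BACKED = 1u << 0 };

struct toy_page {
    unsigned flags;                     /* ownership / access information */
    int refcount;                       /* how many users hold this page */
    unsigned char data[TOY_PAGE_SIZE];
};

/* Same three fields as the kernel's struct page_frag: nothing here says
 * who owns the page or whether writing into it is permitted. */
struct toy_page_frag {
    struct toy_page *page;
    uint32_t offset;
    uint32_t size;
};

static struct toy_page *page_alloc(unsigned flags, const char *contents)
{
    struct toy_page *p = calloc(1, sizeof *p);
    if (!p)
        abort();
    p->flags = flags;
    p->refcount = 1;                    /* the allocator's own reference */
    strncpy((char *)p->data, contents, TOY_PAGE_SIZE - 1);
    return p;
}

static void page_get(struct toy_page *p) { p->refcount++; }

static void page_put(struct toy_page *p)
{
    if (--p->refcount == 0)             /* last user gone: page can go away */
        free(p);
}

/* Stand-in for the in-place crypto transform the exploits drive. */
static void transform_in_place(unsigned char *buf, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++)
        buf[i] ^= 0x20;
}

/* Vulnerable path: trusts the fragment and transforms whatever it points
 * at, even if that is a shared page-cache page. */
static void transform_frag_unsafe(struct toy_page_frag *f)
{
    transform_in_place(f->page->data + f->offset, f->size);
}

/* Hardened path: the copy-vs-in-place decision comes from the page's
 * ownership, not from the fragment. A file-backed or shared page is
 * detached onto a private copy first (copy-on-write). */
static void transform_frag_safe(struct toy_page_frag *f)
{
    struct toy_page *p = f->page;
    if ((p->flags & PG_FILE_BACKED) || p->refcount > 1) {
        struct toy_page *priv = page_alloc(0, "");
        memcpy(priv->data, p->data, TOY_PAGE_SIZE);
        f->page = priv;                 /* fragment now owns a private page */
        page_put(p);                    /* drop our reference to the shared one */
    }
    transform_in_place(f->page->data + f->offset, f->size);
}

/* Scenario: the fake "su" image sits in the page cache; a second user
 * (think: a pipe buffer created by splice) takes a reference, and a
 * fragment over that same page is handed to the transform.
 * Returns 1 if the page-cache copy was altered, 0 if it survived intact. */
static int page_cache_altered(int use_safe_path)
{
    static const char su_image[] = "ELF:su:setuid-binary";   /* constructed */
    struct toy_page *cache = page_alloc(PG_FILE_BACKED, su_image);

    page_get(cache);                                    /* second holder */
    struct toy_page_frag frag = { .page = cache, .offset = 4, .size = 2 };

    if (use_safe_path)
        transform_frag_safe(&frag);
    else
        transform_frag_unsafe(&frag);

    int altered = memcmp(cache->data, su_image, sizeof su_image) != 0;

    page_put(frag.page);        /* fragment's page: private copy or shared */
    page_put(cache);            /* the page cache's own reference */
    return altered;
}

int main(void)
{
    printf("unsafe path altered the page cache: %d\n", page_cache_altered(0));
    printf("safe path altered the page cache:   %d\n", page_cache_altered(1));
    return 0;
}
```

The point of the model is where the decision lives: the fragment cannot tell you whether in-place modification is allowed, only the page can, so any zero-copy path that branches on fragment shape alone (as the skipped copy-on-write in the esp_input case does) will eventually be handed a fragment over a page it does not own.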