JFrog Security Research disclosed technical details of a Linux kernel local privilege escalation vulnerability on June 25, 2026, tracked as CVE-2026-43503 and named DirtyClone. The flaw carries a CVSS 8.8 score and represents a bypass of existing DirtyFrag mitigations through a previously unaddressed code path in the kernel’s network packet cloning subsystem.

What Happened

The vulnerability exists in the __pskb_copy_fclone() function, which fails to preserve the SKBFL_SHARED_FRAG safety flag when transferring fragment descriptors during IPsec packet cloning operations. An unprivileged local user with the CAP_NET_ADMIN capability, which is obtainable through the unprivileged user namespaces enabled by default on Debian and Fedora, can exploit this path to write controlled bytes into file-backed page cache memory without any corresponding disk operation. JFrog researchers demonstrated the attack modifying a privileged binary in memory to achieve root access. The fix was merged into Linux mainline on May 21, 2026, and the CVE was assigned on May 23. Affected distributions include Debian, Ubuntu 24.04, and Fedora in default configurations.

Why It Matters

The attack is entirely in-memory and leaves no kernel logs or audit traces. File integrity monitoring tools report affected binaries as clean because the exploit modifies only the in-memory page cache copy, not the file on disk. This renders conventional on-disk integrity monitoring unreliable for detecting post-exploitation activity against this vulnerability. No confirmed in-the-wild exploitation has been reported as of publication. Workarounds include setting kernel.unprivileged_userns_clone=0 and blacklisting the esp4, esp6, and rxrpc kernel modules where feasible.
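A host can be checked for the two workarounds above with a short script. This is an added example, not code from JFrog or the advisory; the function names are hypothetical, and the script assumes the sysctl is exposed at /proc/sys/kernel/unprivileged_userns_clone (reported as "absent" on kernels that do not provide it) and that module rules live in /etc/modprobe.d.

```shell
#!/bin/sh
# Added example: audit the two DirtyClone workarounds named in the article.
# Paths are parameters so the checks can also run on constructed sample files.
MODS="esp4 esp6 rxrpc"

# userns_state FILE -> restricted | open | absent
# FILE holds the current value of kernel.unprivileged_userns_clone.
userns_state() {
    [ -r "$1" ] || { echo absent; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        0) echo restricted ;;
        *) echo open ;;
    esac
}

# loaded_mods FILE -> targets currently loaded (FILE is in /proc/modules format)
loaded_mods() {
    out=""
    for m in $MODS; do
        if [ -r "$1" ] && grep -q "^$m " "$1"; then out="$out $m"; fi
    done
    echo "${out# }"
}

# unblocked_mods DIR -> targets with no 'blacklist M' or 'install M /bin/false|true' rule
unblocked_mods() {
    out=""
    for m in $MODS; do
        if ! cat "$1"/*.conf 2>/dev/null |
            grep -Eq "^[[:space:]]*(blacklist[[:space:]]+$m|install[[:space:]]+$m[[:space:]]+/bin/(false|true))[[:space:]]*$"; then
            out="$out $m"
        fi
    done
    echo "${out# }"
}

# audit SYSCTL_FILE PROC_MODULES MODPROBE_DIR -> prints a report, returns 1 on any gap
audit() {
    u=$(userns_state "$1"); l=$(loaded_mods "$2"); b=$(unblocked_mods "$3")
    echo "unprivileged_userns_clone: $u"
    echo "loaded: ${l:-none}"
    echo "not blacklisted: ${b:-none}"
    [ "$u" = restricted ] && [ -z "$l" ] && [ -z "$b" ]
}

# Live-host defaults; pass three paths as arguments to audit other files.
audit "${1:-/proc/sys/kernel/unprivileged_userns_clone}" \
      "${2:-/proc/modules}" "${3:-/etc/modprobe.d}" || echo "RESULT: workarounds incomplete"
```

A module that is already loaded stays loaded after a blacklist rule is added, which is why the script reports loaded modules separately from missing rules.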

One Original Insight

The highest-risk environments are multi-tenant cloud instances and Kubernetes clusters where co-tenants share a kernel and unprivileged namespace access is common. Unlike network-facing vulnerabilities, a local privilege escalation in a shared-kernel environment enables cross-tenant escalation, a risk class that typically receives less security investment than perimeter-facing flaws despite its potential to undermine tenancy isolation entirely. Security teams running shared-kernel cloud workloads should cross-reference this advisory with CyberTech’s earlier coverage of CVE-2026-46331, a related Linux kernel privilege escalation in the traffic control subsystem reported this week.

Source: JFrog Security Research