this post was submitted on 07 May 2026
58 points (98.3% liked)

Linux

[–] exu@feditown.com 11 points 6 days ago

No fancy domain, I rate this 7/10

/s

[–] HeyLow@lemmy.blahaj.zone 12 points 6 days ago (5 children)

Oh wow another overblown privilege escalation bug that REQUIRES pre-existing access to a machine in order to actually be used. If someone has enough access to my machines to execute this they already have likely pwned all the information they want without needing root at all.

[–] psud@aussie.zone 1 points 2 days ago

I take it you didn't read it. It's a dry description of what the exploit is, how it works, how to make it happen, how to mitigate it.

It doesn't try to invoke worry or panic.

[–] Solemarc@lemmy.world 18 points 6 days ago

It is a bit eye rolling "LOOK AT THIS DISASTER OF AN EXPLOIT!!!" *Requires physical access to the machine

But the major issue is that if you have some other exploit that gets you RCE or a shell you can then use these exploits to pwn someone, and we have RCEs and shell exploits come around all the time.

[–] ISO@lemmy.zip 10 points 5 days ago* (last edited 5 days ago)

LPE is in the title. And you sound like someone who doesn't know what that stands for.

This also comes with a good public write-up on GitHub (not some monetized fancy domain), with an explanation why it went public early, which wasn't their fault.

There is a lot of intelligence insulting going on in the security theater industry, which is something I talked about here more than once, despite not being exactly a prolific commentator. But unfortunately for you, this particular case is one of the least offensive.

[–] Ooops@feddit.org 5 points 5 days ago

That may be true for private machines, but having user access to a machine, yet not being allowed admin rights, is not actually a rare setup in the wild (read: servers... where the actual money is, not on that boring thing sitting under your desk).

[–] lengau@midwest.social 7 points 6 days ago

Desktop machines aren't really the target of these kinds of attacks.

Also I think the author in this case seems to have been pretty reasonable about what they did. If more of these issues were done this way I wouldn't have nearly as much irritation about "branded bugs."

[–] Keshara@piefed.blahaj.zone 8 points 6 days ago

Well this name was definitely a lesson to double check what you read from a post when just scrolling on by...

[–] entwine@programming.dev 6 points 6 days ago (4 children)

Are there any real life scenarios where an untrusted user is allowed access to a machine with an unprivileged account? I know there are (or were?) some public shared machines where you can ssh in for fun, but those aren't serious.

I'm thinking maybe a POS system or kiosk running Linux, and there's shell access? This could possibly also be useful for jailbreaking devices that ship with Linux, but are locked down... Maybe like a car infotainment system?

[–] mikerenfro@piefed.world 10 points 6 days ago

Every university with an https://en.wikipedia.org/wiki/High-performance_computing system or a lab with Linux workstations gives shell access to what amount to untrusted users. If antivirus or similar software on the system doesn’t proactively catch the exploit, it’s a bad day.

[–] cm0002@europe.pub 7 points 6 days ago

Pretty much all those examples, but the real danger is chaining this exploit with others

Perhaps someone is sitting on a couple exploits to get them into a system, but only to an unprivileged user; this would be a great final act.

[–] Dumhuvud@programming.dev 2 points 5 days ago

In the Node.js world adding a dependency may lead to arbitrary code being executed.

It's bad enough on its own because a bad actor can steal SSH-keys this way, but combined with this exploit they will be able to install a rootkit and compromise your entire system.

[–] Nomad@infosec.pub 1 points 5 days ago

Only every local file inclusion bug ever. Include shellcode, run as webserver privs, escalate locally.

[–] Sunspear@piefed.social 4 points 6 days ago (1 children)
[–] Sunspear@piefed.social 6 points 6 days ago (1 children)
  • 2026-05-07: Submitted detailed information about the vulnerability and the exploit to the linux-distros mailing list. The embargo was set to 5 days, with an agreement that if a third party publishes the exploit on the internet during the embargo period, the Dirty Frag exploit would be published publicly.
  • 2026-05-07: Detailed information and the exploit for this vulnerability were published publicly by an unrelated third party, breaking the embargo.

Well, that's reassuring - hopefully, since the patch for it is also described in the repo, distro maintainers can patch it quickly

[–] Ooops@feddit.org 3 points 5 days ago

Update: Kernel 7.0.5 just released

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")

Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")

Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES")

Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES")

[–] azerial@lemmy.dbzer0.com 1 points 6 days ago (1 children)

Oh interesting I want to try it against my laptop, Fedora

[–] Damage@feddit.it 1 points 5 days ago

works in bazzite which is fedora-based