EXECUTIVE SUMMARY
A high-severity Linux kernel vulnerability, dubbed “DirtyClone,” has been identified that could allow a local attacker to escalate privileges and obtain root access on affected systems. The vulnerability exists in the Linux kernel’s networking (XFRM/IPsec) subsystem due to improper handling of cloned network packet fragments referencing file-backed memory. Successful exploitation enables an attacker with local code execution to modify privileged executables in the kernel page cache without altering the underlying files on disk, making the attack difficult to detect using traditional file integrity monitoring solutions. A public proof-of-concept (PoC) exploit has been released, increasing the likelihood of exploitation against unpatched systems.
- Vulnerability Name: DirtyClone
- CVE ID: CVE-2026-43503
- CVSS Score: 8.8 (High)
- Threat Type: Local Privilege Escalation
- Affected Product: Linux Kernel (Networking/XFRM-IPsec Subsystem)
- Active Region: Global
- Severity: High
- Published Date: June 26, 2026
TECHNICAL DETAILS
The vulnerability stems from improper handling of cloned socket buffer (skb) fragments that reference file-backed memory. During packet cloning, the kernel fails to preserve the skb_shared_info page state, allowing an attacker to overwrite file-backed pages stored in the kernel page cache. By targeting privileged executables cached in memory, an attacker can modify their in-memory contents without changing the underlying files on disk, enabling execution of attacker-controlled code with root privileges while evading traditional file integrity monitoring. A public proof-of-concept (PoC) demonstrating successful exploitation has been released.
- Target: Linux systems running vulnerable kernel versions, particularly enterprise servers, cloud workloads, container hosts, Kubernetes nodes, and multi-user environments utilizing the XFRM/IPsec networking subsystem.
- Root cause: The vulnerability is caused by improper handling of cloned socket buffer (skb) frag-ments referencing file-backed pages within the Linux kernel’s networking subsystem. During packet cloning, the kernel fails to correctly preserve the page state associated with cloned frag-ments, enabling modification of cached executable pages residing in the kernel page cache with-out altering the original files stored on disk.
- Prerequisites for exploitation: Successful exploitation requires local code execution on the tar-get system. An attacker must be able to create an unprivileged user……



