Linux Done DIRTY: 4 Page Cache Exploits Running Amok
In just a few weeks, researchers have exposed a string of related Linux local privilege escalation bugs. This video breaks down four of them: copy-fail, dirty-frag, fragnesia, and dirty decrypt. You will see live demonstrations on an unpatched Ubuntu 24.04 system showing how a normal local user can become root without entering a password.
We dive into the proof-of-concept scripts to explain the core issue: page-cache corruption. These bugs are not identical vulnerabilities, and they do not all live in the same kernel code. But they point to the same dangerous pattern: kernel paths that can corrupt shared page-cache-backed memory when they should first make a private copy.
That matters because privileged binaries like su may be read from the page cache. If an exploit poisons the cached in-memory copy of /usr/bin/su, Linux may execute attacker-controlled bytes while the real file on disk remains untouched. This also explains the repeated su behavior in the demo: after the exploit runs once, exiting the root shell does not necessarily clear the poisoned cached page. Running su again may still hit the altered in-memory version. That is not traditional on-disk persistence. It is page-cache poisoning.
We also explain why these are local privilege escalation bugs, not remote internet-to-root bugs by themselves. An attacker usually needs an initial foothold first, such as a low-privilege account, malware execution, a vulnerable web application, a web shell, or a compromised container. But once they have local code execution, turning that access into root can be devastating.
If you run Linux servers, cloud workloads, shared systems, or environments where untrusted local code might execute, this is exactly the kind of kernel security trend worth watching. Patch status matters, kernel versions matter, distribution mitigations matter, and local root exploits should not be dismissed as harmless.
// Sources //
BleepingComputer — DirtyDecrypt / DirtyCBC news report - https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/
Theori — Copy Fail PoC repository - https://github.com/theori-io/copy-fail-CVE-2026-31431
Xint — Copy Fail technical write-up - https://xint.io/blog/copy-fail-linux-distributions
Ubuntu — Copy Fail advisory and mitigation guidance -https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
Microsoft Security Blog — Copy Fail analysis - https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/
V4bel — Dirty Frag PoC repository and write-up - https://github.com/V4bel/dirtyfrag
Ubuntu — Dirty Frag advisory and mitigation guidance - https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available
V12 Security — Fragnesia PoC write-up - https://github.com/v12-security/pocs/blob/main/fragnesia/README.md
Ubuntu — Fragnesia advisory and mitigation guidance - https://ubuntu.com/blog/fragnesia-linux-vulnerability-fixes-available
V12 Security — DirtyDecrypt / DirtyCBC PoC write-up - https://github.com/v12-security/pocs/tree/main/dirtydecrypt
Ikotas Labs — RxGK variant / DirtyDecrypt background - https://ikotaslabs.com/news/2026-05-11
Linux Kernel Documentation — AF_ALG userspace crypto interface - https://docs.kernel.org/crypto/userspace-if.html
Linux Kernel Page Cache Documentation - https://docs.kernel.org/mm/page_cache.html
// David's SOCIAL //
Discord: https://discord.com/invite/usKSyzb
X: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/@davidbombal
Spotify: https://open.spotify.com/show/3f6k6gERfuriI96efWWLQQ
SoundCloud: https://soundcloud.com/davidbombal
Apple Podcast: https://podcasts.apple.com/us/podcast/david-bombal/id1466865532
// MY STUFF //
https://www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
// MENU //
0:00 - Linux vulnerabilities
0:19 - Copy Fail quick demo
02:20 - Vulnerabiltiy summary
03:10 - DirtyDecrypt explained
03:53 - Linux cache explained
04:40 - Copy Fail demo
05:28 - Copy Fail script explained
09:45 - Dirty Frag demo
11:48 - Fragnesia demo
12:42 - Summary
12:59 - DirtyDecrypt demo
14:31 - Vulnerabilities summary
15:25 - Conclusion
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#linux #pagecache #dirtydecrypt
We dive into the proof-of-concept scripts to explain the core issue: page-cache corruption. These bugs are not identical vulnerabilities, and they do not all live in the same kernel code. But they point to the same dangerous pattern: kernel paths that can corrupt shared page-cache-backed memory when they should first make a private copy.
That matters because privileged binaries like su may be read from the page cache. If an exploit poisons the cached in-memory copy of /usr/bin/su, Linux may execute attacker-controlled bytes while the real file on disk remains untouched. This also explains the repeated su behavior in the demo: after the exploit runs once, exiting the root shell does not necessarily clear the poisoned cached page. Running su again may still hit the altered in-memory version. That is not traditional on-disk persistence. It is page-cache poisoning.
We also explain why these are local privilege escalation bugs, not remote internet-to-root bugs by themselves. An attacker usually needs an initial foothold first, such as a low-privilege account, malware execution, a vulnerable web application, a web shell, or a compromised container. But once they have local code execution, turning that access into root can be devastating.
If you run Linux servers, cloud workloads, shared systems, or environments where untrusted local code might execute, this is exactly the kind of kernel security trend worth watching. Patch status matters, kernel versions matter, distribution mitigations matter, and local root exploits should not be dismissed as harmless.
// Sources //
BleepingComputer — DirtyDecrypt / DirtyCBC news report - https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/
Theori — Copy Fail PoC repository - https://github.com/theori-io/copy-fail-CVE-2026-31431
Xint — Copy Fail technical write-up - https://xint.io/blog/copy-fail-linux-distributions
Ubuntu — Copy Fail advisory and mitigation guidance -https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
Microsoft Security Blog — Copy Fail analysis - https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/
V4bel — Dirty Frag PoC repository and write-up - https://github.com/V4bel/dirtyfrag
Ubuntu — Dirty Frag advisory and mitigation guidance - https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available
V12 Security — Fragnesia PoC write-up - https://github.com/v12-security/pocs/blob/main/fragnesia/README.md
Ubuntu — Fragnesia advisory and mitigation guidance - https://ubuntu.com/blog/fragnesia-linux-vulnerability-fixes-available
V12 Security — DirtyDecrypt / DirtyCBC PoC write-up - https://github.com/v12-security/pocs/tree/main/dirtydecrypt
Ikotas Labs — RxGK variant / DirtyDecrypt background - https://ikotaslabs.com/news/2026-05-11
Linux Kernel Documentation — AF_ALG userspace crypto interface - https://docs.kernel.org/crypto/userspace-if.html
Linux Kernel Page Cache Documentation - https://docs.kernel.org/mm/page_cache.html
// David's SOCIAL //
Discord: https://discord.com/invite/usKSyzb
X: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/@davidbombal
Spotify: https://open.spotify.com/show/3f6k6gERfuriI96efWWLQQ
SoundCloud: https://soundcloud.com/davidbombal
Apple Podcast: https://podcasts.apple.com/us/podcast/david-bombal/id1466865532
// MY STUFF //
https://www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
// MENU //
0:00 - Linux vulnerabilities
0:19 - Copy Fail quick demo
02:20 - Vulnerabiltiy summary
03:10 - DirtyDecrypt explained
03:53 - Linux cache explained
04:40 - Copy Fail demo
05:28 - Copy Fail script explained
09:45 - Dirty Frag demo
11:48 - Fragnesia demo
12:42 - Summary
12:59 - DirtyDecrypt demo
14:31 - Vulnerabilities summary
15:25 - Conclusion
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#linux #pagecache #dirtydecrypt
David Bombal
Want to learn about IT? Want to get ahead in your career? Well, this is the right place!
On this channel, I discuss Linux, Python, Ethical Hacking, Networking, CCNA, Virtualization and other IT related topics.
This YouTube channel has new videos upload...