Security researchers at JFrog disclosed a new Linux kernel local privilege escalation vulnerability named DirtyClone (CVE-2026-43503), which allows unprivileged local users to gain root access by exploiting a flaw in socket buffer cloning that loses the SKBFL_SHARED_FRAG flag. This vulnerability is critical because it affects widely-used Linux distributions with default unprivileged user namespaces, such as Debian, Ubuntu, and Fedora, and can be exploited without leaving kernel logs or audit traces, making it especially dangerous for multi-tenant cloud environments and Kubernetes clusters. The vulnerability was patched in Linux kernel v7.1-rc5 on May 21, 2026; mitigations include disabling unprivileged user namespaces via kernel.unprivileged_userns_clone=0 or blocking the esp4, esp6, and rxrpc kernel modules.
Background
Socket buffers (SKBs) are used by the Linux kernel to manage network packet data. When cloning an SKB, the kernel may reuse the same data buffer to avoid copying. The SKBFL_SHARED_FRAG flag marks fragments that are shared with the page cache and should not be written to in-place. DirtyClone is a variant of the DirtyFrag family, which involves IPsec processing (ESP) that can trigger the flaw through local IPsec traffic.