JFrog has published a detailed analysis and proof-of-concept (PoC) exploit for a high-severity Linux kernel vulnerability dubbed DirtyClone, tracked as CVE-2026-43503 with a CVSS score of 8.8. The flaw allows any local user with the CAP_NET_ADMIN capability to gain root privileges on affected systems.
A Variant in a Growing Family
DirtyClone is a variant of two related vulnerabilities, DirtyFrag (also known as Copy Fail 2) and Fragnesia, both addressed in mid-May. All three share conceptual roots with Dirty Pipe, the widely publicized Linux kernel defect disclosed in 2022. According to JFrog, these flaws collectively demonstrate a broader exploitation pattern affecting multiple socket buffer (skb) processing paths, indicating that the underlying attack primitive extends beyond any single vulnerable code path.
The core issue is that the Linux kernel does not keep page-cache memory backing executables and other files separate from packet data flowing through zero-copy paths. When an in-place cryptographic transformation, such as encryption or decryption, writes its output back to the same buffer, the kernel can modify memory that still belongs to a file, corrupting file-backed data in place.
Patch Chain Required for Full Protection
The vulnerability was reported to Linux kernel maintainers and resolved on May 24. Upgrading to Linux kernel version v7.1-rc5 prevents exploitation of DirtyClone, but only if the system carries the complete chain of fixes for the entire DirtyFrag vulnerability family.
- Systems entirely unpatched for the original flaws (CVE-2026-43284 and CVE-2026-43500) remain broadly exposed.
- Systems that applied initial mitigations but lack follow-up patches (CVE-2026-46300 and CVE-2026-43503) remain vulnerable to specific bypasses.
JFrog notes that the fix for DirtyFrag sets a metadata flag on spliced UDP packets to prevent direct modification of file-backed pages, while the Fragnesia patch ensures that flag propagates correctly across functions. DirtyClone exploits conditions that slip through when only partial fixes are applied.
Affected Distributions and Risk Scope
Popular Linux distributions that enable unprivileged user namespaces are affected, including Debian, Fedora, and Ubuntu. The practical risk is elevated in multi-tenant cloud environments, Kubernetes clusters, and containerized workloads, where local users or container processes may hold the necessary capability to trigger the exploit.
Security teams running affected kernel versions should prioritize applying the complete patch chain rather than relying on partial mitigations, as incomplete patching leaves systems exposed to the bypass scenarios JFrog has documented.
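As an added audit example (not JFrog's code or anything taken from the advisory), the following script checks the three preconditions the article names on a host: the kernel release relative to v7.1-rc5, whether unprivileged user namespaces are enabled, and whether a process's effective capability set contains CAP_NET_ADMIN. The sysctl paths and the capability bit number are the upstream kernel's and Debian/Ubuntu's; the version comparison is a coarse first pass only, because distributions backport fixes without changing the reported version and, as the article stresses, the whole patch chain has to be present.

```shell
#!/usr/bin/env bash
# Added audit helper for the DirtyClone write-up (not JFrog's code).
# It reports the preconditions the advisory names: a kernel release older
# than v7.1-rc5, unprivileged user namespaces enabled, and CAP_NET_ADMIN
# present in a process's effective capability set.

CAP_NET_ADMIN_BIT=12   # capability number, as in <linux/capability.h>

# has_cap_net_admin MASK
# MASK is the hex capability mask read from CapEff (or CapBnd) in
# /proc/<pid>/status. Returns 0 when the CAP_NET_ADMIN bit is set.
has_cap_net_admin() {
    mask="$1"
    [ $(( (0x$mask >> CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# kernel_at_least_fix VERSION
# Returns 0 when VERSION (uname -r style, e.g. 7.1.0-rc5 or 6.12.3-generic)
# is v7.1-rc5 or newer, the release the advisory names as carrying the fix.
# Distribution kernels backport patches without bumping this number, so a
# failure here means "verify against the vendor's patch list", not "vulnerable".
kernel_at_least_fix() {
    v="$1"
    major=${v%%.*}
    case "$v" in
        *.*) v=${v#*.} ;;
        *)   v=0 ;;                 # bare "7" means 7.0
    esac
    minor=${v%%[!0-9]*}
    rc=$(printf '%s' "$1" | sed -n 's/.*-rc\([0-9][0-9]*\).*/\1/p')
    [ -z "$rc" ] && rc=999          # a final release outranks any -rc of it
    [ "$major" -gt 7 ] && return 0
    [ "$major" -lt 7 ] && return 1
    [ "$minor" -gt 1 ] && return 0
    [ "$minor" -lt 1 ] && return 1
    [ "$rc" -ge 5 ]
}

# userns_unprivileged_allowed
# Returns 0 when unprivileged user namespace creation appears enabled: the
# upstream per-user limit is non-zero and, where the Debian/Ubuntu toggle
# exists, it is set to 1.
userns_unprivileged_allowed() {
    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo 1)
    [ "$max" -gt 0 ] && [ "$clone" -eq 1 ]
}

# report: print the findings for the running host and the current process.
report() {
    ver=$(uname -r)
    if kernel_at_least_fix "$ver"; then
        echo "kernel $ver: at or above v7.1-rc5 (still confirm the full DirtyFrag patch chain)"
    else
        echo "kernel $ver: below v7.1-rc5, check vendor backports for the complete patch chain"
    fi
    if userns_unprivileged_allowed; then
        echo "unprivileged user namespaces: enabled"
    else
        echo "unprivileged user namespaces: disabled or unavailable"
    fi
    cap=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null)
    if [ -n "$cap" ] && has_cap_net_admin "$cap"; then
        echo "CapEff $cap: CAP_NET_ADMIN present"
    elif [ -n "$cap" ]; then
        echo "CapEff $cap: CAP_NET_ADMIN absent"
    else
        echo "CapEff: not readable on this system"
    fi
}

report
```

To audit a container or service process rather than the shell itself, feed its mask to `has_cap_net_admin` directly, for example the value printed by `awk '/^CapEff:/ {print $2}' /proc/<pid>/status`; a present bit there is the condition the article describes as sufficient for a local user to trigger the flaw on an unpatched kernel.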
