
DirtyClone — CVE-2026-43503 Linux Kernel Page-Cache Write an... (#2434)

Status: Open

carlospolop wants to merge 1 commit into master from update_DirtyClone_CVE-2026-43503_Linux_Kernel_Page-Cach_b22dac8d99c00d6b

Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

DirtyClone — CVE-2026-43503

DirtyClone is a Linux kernel local privilege escalation and page-cache write primitive in the DirtyPipe / DirtyFrag family. It forces the kernel to run an in-place ESP/IPsec decrypt over a file-backed page-cache page that the attacker only has read access to, mutating that page in RAM. By choosing AES-CBC parameters so the decrypt produces attacker-controlled bytes, the PoC rewrites the cached contents of <...

🔧 Technical Details

Bypassing a page-cache safety flag through skb clone metadata loss: If a kernel mitigation depends on metadata such as SKBFL_SHARED_FRAG to identify file-backed/shared fragments, any clone/copy path that keeps the underlying fragment reference but drops the flag can reintroduce the unsafe behavior. DirtyClone abuses the netfilter TEE path, where TEE target -> nf_dup_ipv4() -> __pskb_copy_fclone() creates a clone that still points to the same physical page-cache page but no longer carries SKBFL_SHARED_FRAG. Downstream code such as esp_input() then fails to copy the data first and performs an in-place operation over page-cache-backed memory.

Using ESP/IPsec decryption as a controlled page-cache write primitive: The technique splices a read-only file-backed page-cache fragment into ESP-in-UDP traffic, then makes the kernel decrypt that fragment in place with cbc(aes)

🤖 Agent Actions

Plan re-initialized and the no-change verification cycle is complete.

Status:

  • Minimal integrity checks passed again
  • No further edits are needed
  • The run remains ready for final reporting

Current modified file:

  • src/linux-hardening/privilege-escalation/write-to-root.md

Current state is unchanged and stable.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
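As an added illustration of the bug class described in the Technical Details above (a mitigation gated on SKBFL_SHARED_FRAG being defeated by a copy path that keeps the fragment reference but drops the flag), the following is a simplified C model, not code from this PR, from the referenced exploit repository or from the Linux kernel; every type and function name in it is invented. It contrasts a gate that trusts only the flag with one that inspects the fragment itself, and includes an audit that flags the inconsistency a flag-dropping copy creates.

```c
/* Added simplified model of the metadata-loss bug class; not kernel code. Names are invented. */
#include <stdbool.h>
#include <string.h>

#define FLAG_SHARED_FRAG 0x1   /* stands in for SKBFL_SHARED_FRAG */
#define MAX_FRAGS 4

typedef struct { unsigned char *page; bool file_backed; } frag_t;
typedef struct { unsigned flags; int nr_frags; frag_t frags[MAX_FRAGS]; } skb_model_t;
static unsigned char page_cache_page[64];   /* stands in for one file-backed page */

static skb_model_t make_file_backed_skb(void) {
    skb_model_t s = { .flags = FLAG_SHARED_FRAG, .nr_frags = 1 };
    s.frags[0].page = page_cache_page;
    s.frags[0].file_backed = true;
    return s;
}

/* Copy path that carries the flag along with the fragment references. */
static skb_model_t clone_preserving(const skb_model_t *src) { return *src; }

/* Copy path modelling the defect: fragment references copied, flag word rebuilt from zero. */
static skb_model_t clone_dropping_flag(const skb_model_t *src) {
    skb_model_t c;
    memset(&c, 0, sizeof c);
    c.nr_frags = src->nr_frags;
    memcpy(c.frags, src->frags, sizeof(frag_t) * (size_t)src->nr_frags);
    return c;
}

/* Gate that trusts only metadata: what a flag-dependent mitigation checks. */
static bool flag_says_must_copy(const skb_model_t *s) { return (s->flags & FLAG_SHARED_FRAG) != 0; }

/* Gate that inspects the fragments themselves, so a dropped flag cannot hide a shared page. */
static bool frag_says_must_copy(const skb_model_t *s) {
    for (int i = 0; i < s->nr_frags; i++)
        if (s->frags[i].file_backed) return true;
    return false;
}

/* Audit invariant: anything referencing a file-backed page must still carry the flag. */
static bool flag_consistent(const skb_model_t *s) { return !frag_says_must_copy(s) || flag_says_must_copy(s); }

/* True when the flag-dropping clone slips past the flag gate but not the fragment gate. */
static bool dropping_clone_escapes_flag_gate(void) {
    skb_model_t orig = make_file_backed_skb(), bad = clone_dropping_flag(&orig);
    return bad.frags[0].page == orig.frags[0].page && !flag_says_must_copy(&bad)
        && frag_says_must_copy(&bad) && !flag_consistent(&bad);
}
/* Control: the flag-preserving copy keeps both gates and the audit satisfied. */
static bool preserving_clone_keeps_gate(void) {
    skb_model_t orig = make_file_backed_skb(), good = clone_preserving(&orig);
    return flag_says_must_copy(&good) && flag_consistent(&good);
}
```

The point for reviewers of a fix is that the fragment-derived gate does not depend on every clone/copy path remembering to propagate the flag.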

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://github.com/rafaeldtinoco/security/tree/main/exploits/dirtyclone

Content Categories: Based on the analysis, this content was categorized under "Linux Hardening > Linux Privilege Escalation > DirtyClone / DirtyPipe-family Page-Cache Write LPE, or Binary Exploitation > Linux Kernel Exploitation".

Repository Maintenance:

  • MD Files Formatting: 980 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
