Dirty Frag: Universal Linux LPE - proxmox vulnerable (in the wild already)

[xyzulu]

See: https://github.com/V4bel/dirtyfrag/tree/master
(patch is included)
Proof: https://github.com/V4bel/dirtyfrag/issues/11#issue-4402742566

TLDR: Anyone with ssh access to your proxmox servers can become root

I have reported this to security@proxmox.com but since this is in the wild now, everyone should be patching asap.

 

[dcsapak]

Until there is a patch available, here is a documented mitigation:

https://github.com/V4bel/dirtyfrag/tree/master#mitigation

(EDIT: i know the link was in the first post already, but wanted to explicitly mention the mitigation section)

 

[leesteken]

I'm not too worried about Proxmox, which out of the box has no user accounts besides root. I do worry about unprivileged containers: the exploit does switch from a user to root inside an unprivileged container. However, it does appear to be the fake root (id 100000). Are we safe or did I miss something?

 

[rulezz]

fwiw the announcement looks quite suspicious w/o CVE assigned. Yep, they explained, but according to the timeline the moratory is already broken. So I'd rather avoid running exploit PoCs provided, or at least use a disposable VM for it.
The announcement author only has recent activity in their repo starting in March 2026. Absence of history doesn't look trustworthy either

 

[ce3rd]

some extra info https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html

 

[fabian]

fwiw the announcement looks quite suspicious w/o CVE assigned. Yep, they explained, but according to the timeline the moratory is already broken. So I'd rather avoid running exploit PoCs provided, or at least use a disposable VM for it.
The announcement author only has recent activity in their repo starting in March 2026. Absence of history doesn't look trustworthy either

the issue is legit, applying the mitigation (which looks almost identical to the one for the related recent copy.fail issue) is recommended until fixed kernels are available.

 

[fabian]

I'm not too worried about Proxmox, which out of the box has no user accounts besides root. I do worry about unprivileged containers: the exploit does switch from a user to root inside an unprivileged container. However, it does appear to be the fake root (id 100000). Are we safe or did I miss something?

it is currently unclear if this allows container escape from a standard, unprivileged container. the mitigation applies to containers as well in any case, since the kernel is shared.

 

[Deerom]

The mitigation seems to blacklist 3 modules at once (esp4, esp6 & rxrpc). Can Proxmox confirm that it is safe to blacklist & rmmod these 3 modules?

 

[rulezz]

The mitigation seems to blacklist 3 modules at once (esp4, esp6 & rxrpc). Can Proxmox confirm that it is safe to blacklist & rmmod these 3 modules?

afair, the first two mostly are for ipsec, so if you use it you probably need them. You can always check with `lsmod` if you have any of them loaded, and if not it's safe to block them

 

[Neobin]

Post in thread 'Proxmox Virtual Environment - Security Advisories'

Today at 09:47

Subject: PSA-2026-00019-1: "DirtyFrag" Local Privilege Escalation​

Advisory date: 2026-05-08

Packages: proxmox-kernel-*

Details:

Two vulnerabilities in the Linux kernel were discovered, which when combined, allow an unprivileged local user to obtain root privileges.

Mitigation:

Until fixed kernel packages are available, disabling loading of the affected kernel modules mitigates the vulnerability.

Check if the modules are loaded:

# lsmod | grep -e esp4 -e esp6 -e rxrpc

If this command displays output and you are not aware of benign usage of AFS...

• ProxmoxSecurityAdvisory

 

[fabian]

afair, the first two mostly are for ipsec, so if you use it you probably need them. You can always check with `lsmod` if you have any of them loaded, and if not it's safe to block them

yes, see the referenced advisory

 

[xyzulu]

Thanks for getting the word out about this so quickly Proxmox team.