
Posted by flipped 20 hours ago

Dirtyfrag: Universal Linux LPE (www.openwall.com)
726 points | 300 comments | page 6
john_strinlai 19 hours ago|
>2026-05-07: After obtaining agreement from distribution maintainers to fully disclose Dirty Frag, the entire Dirty Frag document was published.

you think the reporters and the distribution maintainers colluded to... get 5 minutes of attention?

that would be exceptionally stupid of the distribution maintainers and destroy all trust.

staticassertion 13 hours ago|
> The old “quiet patch before disclosure” model may simply not work anymore in the LLM era.

It never did. Trawling the Linux commit history is a tried and true method for finding n-days.

acedTrex 18 hours ago||
Here we go again
7373737373 17 hours ago||
Tanenbaum was right
TZubiri 15 hours ago|
Go on...
7373737373 7 hours ago||
https://youtube.com/watch?v=oS4UWgHtRDw
xxpor 19 hours ago||
Linux is a single user system and should be treated as such. Run your services as root. Don't rely on unix user primitives for security.
wolttam 19 hours ago||
Running as root opens you up to a class of vulnerabilities (denial of service, mainly) that you can avoid by not running as root.

That said, running every process in its own micro VM is looking more attractive by the minute.

xxpor 19 hours ago||
Half the point is that you should always assume that there exists a complete LPE bug.

But yes, micro VMs are a great idea!

amarant 19 hours ago|||
Everything in this comment is wrong.
xxpor 19 hours ago||
Technically yes. Practically, I disagree.
eqvinox 19 hours ago||
The part where you run everything as root is particularly stupid. But yes, user isolation has been weakened quite a bit.
Sohcahtoa82 19 hours ago|||
This carries the same energy as "People will break into your car no matter what, so just leave your doors unlocked."
bigbuppo 17 hours ago|||
You say that, but I know someone whose house had their front door kicked in by burglars even though it wasn't even locked.
tptacek 18 hours ago|||
The energy here is "so don't leave anything valuable in your car".
angry_octet 18 hours ago||
Unfortunately that is not what they proposed. To stretch the automotive analogy too far, you could say: if you invite a carjacker in, their seatbelt is not going to stop them from carjacking you.
tptacek 18 hours ago||
"Avoid shared-kernel attack surfaces" is not an unreasonable proposition in 2026.
angry_octet 12 hours ago|||
Yes that is reasonable, but dispensing with all on machine controls is not.
__float 17 hours ago||||
It is very good practical advice.

It also saddens me greatly, imagining what computing could look like if systems evolved differently.

JackSlateur 17 hours ago|||
Virtual machines are still the best design and have been for something like 20 years.

Containers are good, as long as they all share the same purpose (read: same application, no multi-tenant).

We all know that multi-user systems (and thus, containers) have a very wide attack surface, while the VM attack surface is very limited.

This is why I am totally convinced that:

  - redhat and friends are a terrible idea (licensing forces colocation, which reduces segmentation)
  - per-instance pricing (read: public cloud, but not only that) is terrible, for the same reason. Paying per consumed CPU/RAM is sane; paying per VM unit is damaging
256_ 19 hours ago|||
I agree with the general sentiment. I treat anything running arbitrary machine code as if it has full access to a machine. I don't know where you get "run your services as root" from that, though. The principle of least privilege doesn't just apply to running malicious code, but running buggy code whose attack surface is exposed to evil-doers.
fragmede 19 hours ago||
https://xkcd.com/1200/
arian_ 19 hours ago|
Every time someone finds a universal Linux privilege escalation, somewhere a sysadmin whispers 'this is why we don't run as root' while nervously checking if their containers are actually isolated.
minimaltom 18 hours ago||
This attack class lets you escalate from any user to UID 0. Not running as root won't save you; in fact, this attack is for those processes not running as root.

However, if you are in a user namespace where UID 0 doesn't map to system-wide capabilities, and you don't share page cache for the setuid binaries on the system, this attack doesn't lead to LPE.

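The two conditions in the comment above (does UID 0 in my namespace map to host root, and which setuid-root binaries are on the shared page cache) can be checked from inside a container. The following is an added example, not code from the thread or from the Dirty Frag write-up; it assumes a Linux host with a POSIX shell, awk and find, and it reads the standard /proc/self/uid_map format ("<ns_start> <host_start> <length>" per line). The function names are mine.

```shell
#!/bin/sh
# Added example: report whether the current process's user namespace maps
# its UID 0 onto host UID 0, and list setuid-root binaries that would be
# page-cache targets for an unprivileged same-host user.

# uid0_mapping "<contents of a uid_map file>"
# Prints "host"     if namespace UID 0 maps to host UID 0 (no isolation),
#        "mapped"   if namespace UID 0 maps to some other host UID,
#        "unmapped" if no mapping line covers UID 0 (or the file is empty).
uid0_mapping() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 + 0 == 0 && $3 + 0 > 0 {
            # The first line whose range starts at 0 decides the answer.
            if ($2 + 0 == 0) print "host"; else print "mapped"
            found = 1
            exit
        }
        END { if (!found) print "unmapped" }'
}

# check_self: run uid0_mapping on this process's own uid_map.
check_self() {
    uid0_mapping "$(cat /proc/self/uid_map 2>/dev/null)"
}

# list_setuid_root DIR...: setuid files owned by root under the given roots.
# If these come from an image layer shared with other containers, or from
# the host filesystem, they share page cache with everyone who can map them.
list_setuid_root() {
    find "$@" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Usage when run directly (constructed defaults, adjust to your layout):
#   sh isolation_check.sh
if [ "${0##*/}" = "isolation_check.sh" ]; then
    echo "UID 0 in this namespace: $(check_self)"
    echo "setuid-root binaries on the usual paths:"
    list_setuid_root /usr/bin /usr/sbin /bin /sbin
fi
```

A result of "host" together with a non-empty setuid list is the unisolated case minimaltom describes; "mapped" (for example the rootless-container line "0 100000 65536") means a page-cache write still cannot be turned into host capabilities through those binaries unless the image layer is shared with something that does map to host root.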
delamon 7 hours ago||
setuid binaries are not the only way to get root. E.g. one can change /etc/crontab or /etc/passwd. Or add a trojan to /bin/ls and wait until the admin types 'ls'.
quantummagic 6 hours ago||
It's not always as easy as you imply. All the attack vectors you mentioned require root on the host before you can make the change or install the trojan.
delamon 3 hours ago||
The attack gives you ability to overwrite any cached page. So you don't need to be root to "edit" /etc/passwd.
quantummagic 3 hours ago||
Not of the host system, assuming we're talking about a compromised VM, running as a non-root user.
delamon 2 hours ago||
I assume you mean container, not VM. But yes, container makes it harder.
oncallthrow 18 hours ago||
> this is why we don't run as root

The entire point is that you can escalate to root