← Back to Product Feed

GitHub Open Source V4bel/dirtyfrag

No tagline provided.

4,687
Traction Score
745
Forks
May 7, 2026
Launch Date
View Origin Link

Product Positioning & Context

AI Executive Synthesis
Effectiveness of mitigation strategies (disabling kernel modules, reboot, page cache drop)
This discussion reveals critical insights into `dirtyfrag` mitigation challenges. Disabling `esp4`, `esp6`, and `rxrpc` modules is effective *only* if applied before exploitation or followed by a reboot. Post-exploitation, the exploit persists due to page cache manipulation, specifically `/bin/su`. A key finding is that dropping the page cache (`echo 3 > /proc/sys/vm/drop_caches`) can restore `su` functionality without a full reboot. This highlights a significant operational pain point for incident response: immediate mitigation requires more than just module removal. SaaS security vendors must integrate sophisticated post-exploitation remediation techniques, beyond simple configuration changes, to address such persistent vulnerabilities effectively. This impacts the market for real-time threat response and endpoint remediation tools.

Related Ecosystem & Alternatives

Discover adjacent products, open-source repositories, and developer tools sharing similar technical architecture.

Hacker News
Show HN: Fabro – open-source dark sof...
Hi — I created Fabro to free myself from supervising a fleet of Claude Code tabs runnin...

Deep-Dive FAQs

What is V4bel/dirtyfrag?
V4bel/dirtyfrag is analyzed by our AI as: Effectiveness of mitigation strategies (disabling kernel modules, reboot, page cache drop). It focuses on This discussion reveals critical insights into `dirtyfrag` mitigation challenges. Disabling `esp4`, `esp6`, and `rxrpc` modules is effective *only*...
Where did V4bel/dirtyfrag originate?
Data for V4bel/dirtyfrag was aggregated directly from the GitHub Open Source community ecosystem, representing raw developer and early-adopter sentiment.
When was V4bel/dirtyfrag publicly launched?
The initial public indexing or launch date for V4bel/dirtyfrag within our tracked developer communities was recorded on May 7, 2026.
How popular is V4bel/dirtyfrag?
V4bel/dirtyfrag has achieved measurable traction, logging over 4,687 traction score and facilitating 745 recorded discussions or engagements.
Are there active development issues for V4bel/dirtyfrag?
Yes, we are currently tracking open architectural debates and bug reports for this project on GitHub. There are currently 5 active high-priority issues logged recently.

Active Developer Issues (GitHub)

open Ubuntu on Raspberry Pi
Logged: May 8, 2026
open Gento base are not vulnerable?
Logged: May 8, 2026
open Proxmox
Logged: May 8, 2026
open EL7 (CentOS 7.9) compilation errors - Not exploitable?
Logged: May 7, 2026
open Ubuntu 26.04
Logged: May 7, 2026

Community Voice & Feedback

traktofon • May 8, 2026
RedHat still offer security support for RHEL7 ("extended lifecycle support"). It is possible to compile the exploit on RHEL7.9. You need a newer GCC but it's not uncommon to have that available. Here using GCC 10.2.0.

Copy header from kernel sources:
```
mkdir -p include/linux
cp /usr/src/kernels/$(uname -r)/include/linux/rxrpc.h include/linux/
```

Patch the exploit code to make it compile:
```
diff --git a/exp.c b/exp.c
index d8d5711..25b5e1c 100644
--- a/exp.c
+++ b/exp.c
@@ -1,3 +1,5 @@
+typedef unsigned short u16;
+
#define _GNU_SOURCE
#include
#include
@@ -16,7 +18,7 @@
#include
#include
#include
-#include
+// #include
#include
#include
#include
```

Compile with
```
gcc --std=c99 -I./include -O0 -Wall -o exp exp.c -lutil
```

However, running the exploit fails. Tested on kernel `3.10.0-1160.147.1.el7.x86_64`.

But that doesn't mea...
John-Doggett • May 8, 2026
You're running CentOS 7 so you're already screwed regardless of _this_ vulnerability.
maxpoulin64 • May 7, 2026
They usually backport security fixes, not entire features. If it's not essential, it's not backported. I can't see why they would have backported that stuff unless it was breaking something else important and that bad code was part of the fix.
flakrat • May 7, 2026
It's true that 3.10 was released in 2013 (with LTS thru 2017 I think).

That said, Red Hat does a lot of back porting into their EL kernels and 3.10.0-1160 was released in 2020 (still old) with end of maintenance in 2024 and of extended support ending in 2028.

It's the back porting that may make it vulnerable. 🤷
maxpoulin64 • May 7, 2026
That kernel is way too old for that. The bug was introduced in a commit from 2017-01-17, your kernel is from 2013.
Oreeeee • May 7, 2026
Android's SELinux setup blocks weird socket types. Additionally Android has no suid binaries.
maxpoulin64 • May 7, 2026
It shouldn't be. I'm not aware that Android kernels have either loadable kernel modules nor XFRM/RXRPC support, and most definitely not accessible to regular user apps.

Android also doesn't really have SUID binaries, so while it potentially could be used to exploit something else to one's advantage, it ain't gonna give you a root shell on Android. The exploit relies on `su` being a SUID binary. The exploit only rewrites `su` to not check password and exploit its existing ability to become root by virtue of being a SUID binary.
rollerozxa • May 7, 2026
[Comment thread on HN about it](https://news.ycombinator.com/item?id=48054201). The Linux kernel used by Android may be hardened to make it not possible (I don't know if Copy Fail was ever possible on Android). But time will tell I suppose.
rouault • May 7, 2026
> But it does not mean they are not affected, just that this specific code does not work for those targets

the particular exploit contains x86_64 binary code (see https://github.com/V4bel/dirtyfrag/blob/892d9a31d391b7f0fccb333855f6289507186748/exp.c#L43), so can't work verbatim on ARM
KaruroChori • May 7, 2026
It does not on any of the devices I have tested. But it does not mean they are not affected, just that this specific code does not work for those targets. They might still be vulnerable.
n0rc • May 7, 2026
> Can you try to drop the page cache after the exploit? This should work without a reboot.
>
> ```
> sudo echo 3 > /prox/sys/vm/drop_caches
> ```

That seems to work here. `su` asks for a password again after dropping the cache.
hussamnasir • May 7, 2026
Well the exploit says Ubuntu 24, but i have tried both the latest HWE kernel (6.17.0-23) and non HWE kernel (6.8.0-111) and neither seems to be affected. On the oterh hand Ubuntu 26.04 running 7.0.0-15 is affected and the mitigation worked after a reboot.
cambid • May 7, 2026
Can you try to drop the page cache after the exploit? This should work without a reboot.
```
sudo echo 3 > /prox/sys/vm/drop_caches
```
jine • May 7, 2026
Correct - i can confirm that, exploited hosts / tests the mitigation (removing/disabling esp4 esp6 and rxrpc) do need a reboot.

Just removing the kernel modules without rebooting does not affect already exploited machines (i'm guessing cause of how the exploit works, with overwriting the page-cache for /bin/su).



https://github.com/V4bel/dirtyfrag/blob/3099b8a3c79b8f0ad53e68ba9b2c9e89d38bc971/exp.c#L1640-L1659
treydock • May 7, 2026
Seems once a host as run the exploit, it won't stop until rebooted.

```
[tdockendorf@OMIT dirtyfrag]$ ./exp
dirtyfrag: failed (rc=1)
```

On mitigated host that hadn't been exploited yet.

Discovery Source

GitHub Open Source GitHub Open Source

Aggregated via automated community intelligence tracking.

Tech Stack Dependencies

No direct open-source NPM package mentions detected in the product documentation.

Media Tractions & Mentions

No mainstream media stories specifically mentioning this product name have been intercepted yet.

Deep Research & Science

No direct peer-reviewed scientific literature matched with this product's architecture.