← Back to Product Feed

GitHub Open Source V4bel/dirtyfrag

No tagline provided.

4,687
Traction Score
745
Forks
May 7, 2026
Launch Date
View Origin Link

Product Positioning & Context

AI Executive Synthesis
Effectiveness of mitigation strategies (disabling kernel modules, reboot, page cache drop)
This discussion reveals critical insights into `dirtyfrag` mitigation challenges. Disabling `esp4`, `esp6`, and `rxrpc` modules is effective *only* if applied before exploitation or followed by a reboot. Post-exploitation, the exploit persists due to page cache manipulation, specifically `/bin/su`. A key finding is that dropping the page cache (`echo 3 > /proc/sys/vm/drop_caches`) can restore `su` functionality without a full reboot. This highlights a significant operational pain point for incident response: immediate mitigation requires more than just module removal. SaaS security vendors must integrate sophisticated post-exploitation remediation techniques, beyond simple configuration changes, to address such persistent vulnerabilities effectively. This impacts the market for real-time threat response and endpoint remediation tools.

Related Ecosystem & Alternatives

Discover adjacent products, open-source repositories, and developer tools sharing similar technical architecture.

Deep-Dive FAQs

What is V4bel/dirtyfrag?
V4bel/dirtyfrag is analyzed by our AI as: Effectiveness of mitigation strategies (disabling kernel modules, reboot, page cache drop). It focuses on This discussion reveals critical insights into `dirtyfrag` mitigation challenges. Disabling `esp4`, `esp6`, and `rxrpc` modules is effective *only*...
Where did V4bel/dirtyfrag originate?
Data for V4bel/dirtyfrag was aggregated directly from the GitHub Open Source community ecosystem, representing raw developer and early-adopter sentiment.
When was V4bel/dirtyfrag publicly launched?
The initial public indexing or launch date for V4bel/dirtyfrag within our tracked developer communities was recorded on May 7, 2026.
How popular is V4bel/dirtyfrag?
V4bel/dirtyfrag has achieved measurable traction, logging over 4,687 traction score and facilitating 745 recorded discussions or engagements.
Are there active development issues for V4bel/dirtyfrag?
Yes, we are currently tracking open architectural debates and bug reports for this project on GitHub. There are currently 5 active high-priority issues logged recently.

Active Developer Issues (GitHub)

open Ubuntu on Raspberry Pi
Logged: May 8, 2026
open Gento base are not vulnerable?
Logged: May 8, 2026
open Proxmox
Logged: May 8, 2026
open EL7 (CentOS 7.9) compilation errors - Not exploitable?
Logged: May 7, 2026
open Ubuntu 26.04
Logged: May 7, 2026

Community Voice & Feedback

danielzgtg • May 8, 2026
Tracked at https://bugs.launchpad.net/ubuntu/+source/kmod/+bug/2151831
clementnuss • May 8, 2026
as pointed out by @ChrisTX, if you can corrupt the page cache of any file you have `READ` permission, then it would be fairly easy to build an escape by identifying a privileged container on the node and messing with it's container image content. I've described 2 such exploits over here https://github.com/clementnuss/copyfail-cve-exploits

I'm currently trying to see if `dirtyfrag` can do the same but I expect it to be the case. I'll update this post in a few hours!
WLaoDuo • May 8, 2026
Tested on `PVE 5.15.143-1 (2024-02-08T18:12Z) x86_64 Linux` seems not vulnerable.It is too old. :>
traktofon • May 8, 2026
RedHat still offer security support for RHEL7 ("extended lifecycle support"). It is possible to compile the exploit on RHEL7.9. You need a newer GCC but it's not uncommon to have that available. Here using GCC 10.2.0.

Copy header from kernel sources:
```
mkdir -p include/linux
cp /usr/src/kernels/$(uname -r)/include/linux/rxrpc.h include/linux/
```

Patch the exploit code to make it compile:
```
diff --git a/exp.c b/exp.c
index d8d5711..25b5e1c 100644
--- a/exp.c
+++ b/exp.c
@@ -1,3 +1,5 @@
+typedef unsigned short u16;
+
#define _GNU_SOURCE
#include
#include
@@ -16,7 +18,7 @@
#include
#include
#include
-#include
+// #include
#include
#include
#include
```

Compile with
```
gcc --std=c99 -I./include -O0 -Wall -o exp exp.c -lutil
```

However, running the exploit fails. Tested on kernel `3.10.0-1160.147.1.el7.x86_64`.

But that doesn't mea...
snullp • May 8, 2026
On rootless containers like "unprivileged LXC" if the rootfs of the container is isolated, it cannot escape.
John-Doggett • May 8, 2026
You're running CentOS 7 so you're already screwed regardless of _this_ vulnerability.
Percivalll • May 8, 2026
I have tested it on GKE and ACK clusters. All failed.

On ACK default node image:
user.max_user_namespaces is set 0, so unprivileged user can't use CLONE_NEWUSER unshare.
On GKE default node image (COS):
user.max_user_namespaces is 15426, but kubelet enables --seccomp-default, the default seccomp policy disable unshare syscall.
xyzulu • May 8, 2026
In my quick tests unprivileged LXC are not exploitable even if the proxmox host is.
ExplodingDragon • May 8, 2026
Maybe we should evaluate the unprivileged LXC case: if it's blocked by seccomp/AppArmor, the risk is likely low.
zarlo • May 8, 2026
The kernel is Ubuntu and user space is Debian
xyzulu • May 8, 2026
No surprise.. proxmox kernels are based heavily on Debian.
Just in case you had not already done this, I have emailed proxmox security team to alert them. Also posted here since there is no point in hiding this information: https://forum.proxmox.com/threads/dirty-frag-universal-linux-lpe-proxmox-vulnerable-in-the-wild-already.183363/
maxpoulin64 • May 7, 2026
They usually backport security fixes, not entire features. If it's not essential, it's not backported. I can't see why they would have backported that stuff unless it was breaking something else important and that bad code was part of the fix.
flakrat • May 7, 2026
It's true that 3.10 was released in 2013 (with LTS thru 2017 I think).

That said, Red Hat does a lot of back porting into their EL kernels and 3.10.0-1160 was released in 2020 (still old) with end of maintenance in 2024 and of extended support ending in 2028.

It's the back porting that may make it vulnerable. 🤷
maxpoulin64 • May 7, 2026
That kernel is way too old for that. The bug was introduced in a commit from 2017-01-17, your kernel is from 2013.
neofutur • May 7, 2026
yes here too
mitigation :

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

works on all my servers, including ubuntu 26.04, after a reboot

Discovery Source

GitHub Open Source GitHub Open Source

Aggregated via automated community intelligence tracking.

Tech Stack Dependencies

No direct open-source NPM package mentions detected in the product documentation.

Media Tractions & Mentions

No mainstream media stories specifically mentioning this product name have been intercepted yet.

Deep Research & Science

No direct peer-reviewed scientific literature matched with this product's architecture.