New 'DirtyClone' Linux Vulnerability Lets Attackers Gain Root Access — CVSS 8.8

Another week, another Linux kernel bug with roots in how the system handles memory. This time it’s DirtyClone, tracked as CVE-2026-43503 and carrying a CVSS score of 8.8 — high severity, local privilege escalation, and potentially worse.

Disclosed by JFrog security researchers and reported by Linuxiac, DirtyClone is a local privilege escalation flaw in the Linux kernel. Like its predecessor DirtyFrag (disclosed this past May), it can’t be exploited remotely. An attacker needs local access first. Once they have it, the bug lets them elevate privileges all the way to root — and in certain configurations, break out of containers entirely.

The root cause lives inside the kernel’s handling of socket buffer fragments. After the kernel processes these fragments, certain auxiliary functions fail to properly preserve shared memory or file-backed memory markers. This leaves the kernel confused about which memory regions are supposed to be read-only. Under the right conditions, an attacker can exploit this confusion to modify data inside the kernel’s page cache — effectively altering the in-memory copies of files owned by root that should be immutable.

The good news: patches are already rolling out. Ubuntu has shipped fixes across multiple supported releases. Ubuntu 26.04 LTS users get the fix in kernel 7.0.0-22.22, while Ubuntu 22.04 LTS (still widely deployed in production) is patched in 5.15.0-181.191. Ubuntu 24.04 LTS and 25.10 are covered too.

Debian and Red Hat are tracking the issue as well. Debian’s security tracker lists updated packages for Bullseye, Bookworm, and Trixie branches. If you’re running any major Linux distribution in production — especially with container workloads — this is one to patch proactively rather than wait for the next maintenance window.
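To check a host against the two Ubuntu fixed versions quoted above, the following is an added example (not code from JFrog, Linuxiac or Ubuntu). It assumes the quoted versions apply to the generic kernel flavour and that the running kernel is identified by the contents of `/proc/version_signature`, which Ubuntu kernels expose; the function names and sample signatures are constructed for illustration.

```python
import re

# Fixed Ubuntu kernel versions exactly as the article states them. 24.04 LTS
# and 25.10 are also patched, but the article gives no version numbers for
# them, so they are left out and reported as "unknown".
FIXED = {"26.04": "7.0.0-22.22", "22.04": "5.15.0-181.191"}

# <series>-<abi>.<upload><suffix>, e.g. 5.15.0-181.191-generic
_VERSION = re.compile(r"(\d+\.\d+\.\d+)-(\d+)\.(\d+)(\S*)")


def parse(text):
    """Return (series, (abi, upload), suffix) or None if nothing matches."""
    m = _VERSION.search(text)
    if m is None:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3))), m.group(4)


def status(version_id, signature):
    """Classify one host as 'patched', 'vulnerable' or 'unknown'."""
    fixed = FIXED.get(version_id)
    running = parse(signature)
    if fixed is None or running is None:
        return "unknown"
    fixed_series, fixed_build, _ = parse(fixed)
    series, build, suffix = running
    # Assumption: the article's versions are for the generic flavour. HWE
    # and cloud flavours (aws, azure, ...) number their builds separately,
    # so comparing them against these versions would give a false answer.
    if series != fixed_series or suffix != "-generic":
        return "unknown"
    return "patched" if build >= fixed_build else "vulnerable"


if __name__ == "__main__":
    # Constructed (release, /proc/version_signature) pairs, not real hosts.
    samples = [
        ("22.04", "Ubuntu 5.15.0-181.191-generic 5.15.0"),
        ("22.04", "Ubuntu 5.15.0-164.174-generic 5.15.0"),
        ("22.04", "Ubuntu 5.15.0-1084.91-aws 5.15.0"),
        ("24.04", "Ubuntu 6.8.0-90.91-generic 6.8.0"),
    ]
    for release, sig in samples:
        print(release, sig.split()[1], status(release, sig))
```

On a real host, pass `VERSION_ID` from `/etc/os-release` and the contents of `/proc/version_signature`; an "unknown" result means the distribution's own security tracker has to be consulted for that kernel.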