Dirty Frag: getting root after AF_ALG was blocked and public PoC failed
A recent exploit known as Dirty Frag allowed a user to gain root access on a university server despite security measures. The exploit took advantage of a flaw in the kernel's crypto implementation, which was not fully mitigated by blocking the AF_ALG interface. The user successfully reported the vulnerability, leading to a prompt patch by the system administrators.
- The exploit targeted a shared login server at IIT Delhi, running a relatively new version of Ubuntu.
- Despite the server's security measures, the user was able to exploit a flaw in the kernel's crypto implementation.
- The user utilized a feedback loop with a tool called DeepSeek-V4-Flash to successfully gain root access.
Opening excerpt (first ~120 words)
May 29, 2026

dirty frag field notes: from a patched server that was "safe"

a public Dirty Frag PoC failed, so the server looked safe. a cheap DeepSeek-V4-Flash feedback loop found the missed path -> fcrypt mismatch, nscd cache, and root in ~90 minutes.

the short version

i got root on my university's shared login server. not because the sysadmins were asleep or because the box was some ancient forgotten machine. they were actually fast. they had read the CVE writeups, blocked the recommended kernel crypto interface, disabled unprivileged user namespaces, tested the public PoC, watched it fail, and moved on. reasonable response tbh. the problem is that public PoCs are not truth oracles. they only tell you one thing: this exact code path, as written, did not work on this exact run.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Shauryaa.