Skip to content
Verified DirtyClone Linux kernel page-cache corruption privilege escalation
REPRO-2026-00212 Linux kernel · linux Privilege Escalation Jul 3, 2026 .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 70m 55s
Tool calls 218
Spend $3.79
$ pruva-verify REPRO-2026-00212
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00212/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

CVE-2026-43503 (DirtyClone) is a local privilege escalation flaw in the Linux kernel networking stack. When socket-buffer (skb) fragment descriptors are transferred between skbs by __pskb_copy_fclone(), skb_shift(), skb_gro_receive(), skb_gro_receive_list(), tcp_clone_payload(), and skb_segment(), the kernel fails to propagate the SKBFL_SHARED_FRAG flag in skb_shinfo()->flags. A cloned skb can therefore keep a reference to file-backed page-cache memory while reporting skb_has_shared_frag() as false. This bypasses the XFRM/IPsec skb_cow_data() copy-on-write safeguard, allowing an unprivileged local attacker to write decrypted bytes into a root-owned read-only binary's page cache and ultimately gain root code execution.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.