# Universal Linux LPE

> **TL;DR.** Universal Linux LPE describes a local privilege escalation exploit that gains root access across every major Linux distribution — no race condition required, no kernel-version-specific offsets, no elevated capabilities.

- **Category:** Security / Linux / Exploit Research
- **Stage:** validating
- **Age:** 40 days
- **Origin date:** 2026-05-07
- **First detected:** 2026-05-07
- **Canonical URL:** https://earlyterms.com/term/universal-linux
- **Sources:** 7 primary URLs

## Definition

Universal Linux LPE describes a local privilege escalation exploit that gains root access across every major Linux distribution — no race condition required, no kernel-version-specific offsets, no elevated capabilities. Any unprivileged shell user becomes an instant root threat on a deterministic first attempt.

The label crystallized on May 7, 2026 when Korean researcher Hyunwoo Kim disclosed [Dirty Frag](https://www.openwall.com/lists/oss-security/2026/05/07/8) on the oss-security mailing list: a chained kernel exploit (CVE pending) working on Ubuntu 24.04, RHEL 10.1, Fedora 44, and AlmaLinux. Dirty Frag followed Copy Fail (CVE-2026-31431) by one week and bypassed its primary mitigation.

## Example

Dirty Frag chains two page-cache write bugs — an xfrm-ESP flaw present since January 2017 and an RxRPC flaw since June 2023 — to overwrite `/usr/bin/su` or `/etc/passwd`. A single 2,000-line C proof-of-concept, compiled with `gcc -O0`, reliably roots Ubuntu, RHEL, CentOS Stream, and openSUSE in one attempt.

## Analogy

Think of it as a master key that opens every lock in a building — designed for different eras but sharing the same flawed barrel.

## Why it's emerging now

Researcher Hyunwoo Kim disclosed Dirty Frag on May 7, 2026 after a third party broke the coordinated embargo — leaving every major Linux distribution exposed with no patches or CVE identifiers. The exploit requires no race condition, no compiled modules, and no elevated capabilities, making any shell user an instant root threat.

## Related terms

- *alias:* Dirty Frag
- *alias:* DirtyFrag
- *related:* Copy Fail
- *related:* Dirty Cow
- *related:* Dirty Pipe
- *related:* CVE-2026-31431
- *parent:* Linux kernel LPE
- *parent:* local privilege escalation
- *child:* xfrm ESP page-cache write
- *child:* RxRPC page-cache write
- *related:* coordinated vulnerability disclosure
- *related:* ps5-linux

## Sources

1. [Hyunwoo Kim — Dirty Frag: Universal Linux LPE (oss-security disclosure)](https://www.openwall.com/lists/oss-security/2026/05/07/8)
2. [V4bel/dirtyfrag — proof-of-concept exploit (GitHub)](https://github.com/V4bel/dirtyfrag)
3. [Dirtyfrag: Universal Linux LPE — Hacker News thread (397 pts, 186 comments)](https://news.ycombinator.com/item?id=48053623)
4. [Dirty Frag: a zero-day universal Linux LPE — LWN.net](https://lwn.net/Articles/1071719/)
5. [Dirty Frag — mitigation and kernel update status (CloudLinux Blog)](https://blog.cloudlinux.com/dirty-frag-mitigation-and-kernel-update)
6. [Dirty Frag: No Patch, No Warning — Root Access on Every Major Linux Distro (Cyber Kendra)](https://www.cyberkendra.com/2026/05/dirty-frag-no-patch-no-warning-root.html)
7. [Dirtyfrag: Universal Linux LPE Uncovered (The Coders Blog)](https://thecodersblog.com/dirtyfrag-universal-linux-lpe-exploit-2026/)

---
_Generated by EarlyTerms · https://earlyterms.com/term/universal-linux_