upvote

points

by john_strinlai15 hours ago |
comments
upvoteby progval14 hours ago|
next
[-]
"sudo" in "sudo echo 3 > /prox/sys/vm/drop_caches" does not do anything because only runs echo, not the write.

And if a machine is already exploited, it's too late to do just that. You need to rebuild the whole disk image because anything on it could be compromised.

reply
upvoteby john_strinlai14 hours ago|
parent|
[-]
>And if a machine is already exploited, it's too late to do just that. You need to rebuild the whole disk image because anything on it could be compromised.

this is more targeted at the people who run the PoC to see if their machine is vulnerable.

just transcribing some relevant stuff from https://github.com/V4bel/dirtyfrag/issues/1 so that people visiting this thread dont need to poke around a bunch of different places.

reply
upvoteby sounds8 hours ago|
prev|
next
[-]
Is there any additional info on where it was "published publicly by an unrelated third party"? From the timeline in the writeup:

> 2026-05-07: Submitted detailed information about the vulnerability and the exploit to the linux-distros mailing list. The embargo was set to 5 days, with an agreement that if a third party publishes the exploit on the internet during the embargo period, the Dirty Frag exploit would be published publicly.

> 2026-05-07: Detailed information and the exploit for this vulnerability were published publicly by an unrelated third party, breaking the embargo.

Edit: nevermind, details are further down in the thread:

https://openwall.com/lists/oss-security/2026/05/07/12

And

https://news.ycombinator.com/item?id=48055863

reply
upvoteby alecco45 minutes ago|
parent|
[-]
People are blaming the guy who wrote the exploit for breaking the embargo but it was actually broken in Linux by publishing a fix [1]:

> on 2026-05-05 Steffen Klassert pushed f4c50a4034 to netdev/net.git with Cc: stable@vger.kernel.org.

Once a fix is out it's usual for researchers to race to make the first exploit out of it.

[1] https://afflicted.sh/blog/posts/copy-fail-2.html

reply
upvoteby dundarious14 hours ago|
prev|
next
[-]
You can't sudo echo and redirect from the non-sudo shell like that.

    echo 3 | sudo tee /proc/sys/vm/drop_caches
or

    sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'
Also fixed your typo in /proc...
reply
upvoteby throw0101c13 hours ago|
parent|
next
[-]
Also try:

     sudo sysctl -w vm.drop_caches=3
reply
upvoteby wpollock13 hours ago|
parent|
prev|
next
[-]
Or more simply, use

   su -c 'echo 3 > /proc/sys/vm/drop_caches'
reply
upvoteby seba_dos113 hours ago|
parent|
[-]
echo 3 | sudo tee /proc/sys/vm/drop_caches
reply
upvoteby john_strinlai14 hours ago|
parent|
prev|
[-]
thanks. copy pasting from the github via my phone, and should have taken the extra few mins
reply
upvoteby dundarious12 hours ago|
parent|
[-]
No worries, overall a very useful summary comment.
reply
upvoteby danudey13 hours ago|
prev|
[-]
Just FYI, you can also mitigate it with `echo 1 > ...`; you don't need to drop everything, dropping `1` clears the page cache and that's enough.

Tested locally on Ubuntu 26.04:

1. Ran the exploit and got root

2. Configured the mitigations

3. Ran `su` again with no parameters and immediately got root again unprompted

4. Cleared the page cache

5. `su` asked for a password

reply