explaingit

q1uf3ng/dirty-merge

Analysis updated 2026-05-18

29ShellAudience · developerComplexity · 5/5Setup · hard

TLDR

A public proof-of-concept exploit for a Linux kernel bug that lets a local user gain root access on unpatched systems.

Mindmap

mindmap
  root((Dirty Merge))
    What it does
      Local privilege escalation
      Exploits kernel merge bug
      Gains root shell
    Tech stack
      C exploit code
      Shell build script
      Linux kernel
    Use cases
      Kernel vulnerability research
      Patch verification testing
    Audience
      Security researchers
      Kernel developers
    Requirements
      Specific kernel config flags
      Unprivileged namespaces enabled

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Study a proof-of-concept for a local privilege escalation bug in the Linux kernel's skb_gro_receive function.

USE CASE 2

Test whether a Linux system is vulnerable to this specific unpatched kernel flaw.

USE CASE 3

Reference the required kernel config options and conditions for reproducing the issue in a lab environment.

What is it built with?

CShellLinux Kernel

How does it compare?

q1uf3ng/dirty-mergechristitustech/zed-titusfree-nodes/shadowrocket
Stars292930
LanguageShellShellShell
Setup difficultyhardeasyeasy
Complexity5/52/51/5
Audiencedeveloperdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires a Linux kernel built with specific config options and unprivileged user namespaces enabled, no CVE or vendor patch is referenced.

In plain English

Dirty Merge is a public proof of concept for a local privilege escalation flaw in the Linux kernel. The bug sits in a kernel network function called skb_gro_receive, which is the part of the kernel that merges small incoming packet fragments together for efficiency. The author says the function fails to carry across an internal flag called SKBFL_SHARED_FRAG during that merge, and that gap lets an ordinary local user on the machine end up running code as root. The build step is one line. The exploit is a single C source file, gro_fragnesia.c, that the README compiles with gcc into a static binary called dirty_merge. Aside from a standard C toolchain, there is nothing else to install. There are a few conditions for the target machine. The Linux kernel has to be built with three options turned on: CONFIG_XFRM, CONFIG_INET_ESPINTCP, and CONFIG_USER_NS. Unprivileged user namespaces have to be allowed, which on Ubuntu means undoing the default AppArmor restriction with a sysctl tweak. The ip command from iproute2 and the ethtool program have to be on the path, and the veth kernel module has to be loaded. The usage section is short. A normal user runs the compiled binary. According to the README it modifies the in memory page cache copy of /usr/bin/su, swapping it for a shell ELF, then runs the corrupted su, which lands the user in a root shell. To undo the damage to the page cache, root writes 3 into /proc/sys/vm/drop_caches. The author lists Ubuntu 24.04 LTS with kernel 6.8.0-49-generic as a confirmed target, and says the same flaw affects Linux 7.1-rc3 and any other kernel where skb_gro_receive has not been patched. The repo language is Shell because of the build snippet, but the real exploit logic is in the C file. There is no CVE number, patch link, or vendor advisory referenced in the README.

Copy-paste prompts

Prompt 1
Explain the kernel bug in skb_gro_receive that Dirty Merge exploits.
Prompt 2
What kernel configuration options does a machine need for this exploit to work?
Prompt 3
Walk me through how Dirty Merge modifies the page cache copy of /usr/bin/su.
Prompt 4
Which Linux kernel versions does the README say are affected by this flaw?

Frequently asked questions

What is dirty-merge?

A public proof-of-concept exploit for a Linux kernel bug that lets a local user gain root access on unpatched systems.

What language is dirty-merge written in?

Mainly Shell. The stack also includes C, Shell, Linux Kernel.

How hard is dirty-merge to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is dirty-merge for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.