explaingit

q1uf3ng/dirty-merge

29 · Shell

TLDR

Dirty Merge is a public proof of concept for a local privilege escalation flaw in the Linux kernel.


In plain English

Dirty Merge is a public proof of concept for a local privilege escalation flaw in the Linux kernel. The bug sits in skb_gro_receive, the kernel network function that merges small incoming packet fragments into larger buffers for efficiency (GRO, Generic Receive Offload). The author says the function fails to carry across an internal flag called SKBFL_SHARED_FRAG during that merge, and that gap lets an ordinary local user on the machine end up running code as root.

The build step is one line. The exploit is a single C source file, gro_fragnesia.c, which the README compiles with gcc into a static binary called dirty_merge. Aside from a standard C toolchain, there is nothing else to install.

The target machine has to meet a few conditions. The kernel has to be built with three options turned on: CONFIG_XFRM, CONFIG_INET_ESPINTCP, and CONFIG_USER_NS. Unprivileged user namespaces have to be allowed; on Ubuntu 24.04 that means undoing the default AppArmor restriction with a sysctl tweak (the knob is kernel.apparmor_restrict_unprivileged_userns). The ip command from iproute2 and the ethtool program have to be on the path, and the veth kernel module has to be loaded.

Usage is short. A normal user runs the compiled binary. According to the README it overwrites the in-memory page cache copy of /usr/bin/su with a shell ELF, then executes the corrupted su, which drops the user into a root shell. Only the cached pages are modified, so the file on disk is untouched; that is why root can undo the damage by writing 3 into /proc/sys/vm/drop_caches, which evicts the poisoned pages so the next read brings the real binary back from disk. The same property matters for detection and forensics: while the cache is poisoned, a normal read of /usr/bin/su returns the shell ELF, a disk image or an O_DIRECT read returns the original, and once the pages are evicted (drop_caches or a reboot) nothing on disk records that the change ever happened.

The author lists Ubuntu 24.04 LTS with kernel 6.8.0-49-generic as a confirmed target, and says the same flaw affects Linux 7.1-rc3 and any other kernel where skb_gro_receive has not been patched. The repo language shows as Shell because of the build snippet, but the real exploit logic is in the C file. The README references no CVE number, patch link, or vendor advisory.
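The following script is an added example and is not code from the q1uf3ng/dirty-merge repo or its README. It checks the preconditions listed above on a target host (the three kernel config options, unprivileged user namespaces, ip and ethtool on the path, the veth driver) and then compares the page-cache view of /usr/bin/su against an O_DIRECT read of the same file, which bypasses the page cache and so exposes a page-cache-only replacement of the kind described. The sysctl names, the config file locations and the use of dd's iflag=direct are assumptions about a typical Ubuntu or Debian host, not details taken from the README.

```shell
#!/bin/sh
# dirty_merge_precheck.sh
# Added example, not code from the q1uf3ng/dirty-merge repo. Checks the
# target preconditions the README lists and compares the page-cache view
# of a binary with its on-disk bytes. Sysctl names, config paths and the
# O_DIRECT trick are assumptions about the host, not claims from the README.

# kconfig_enabled OPTION  (kernel config text on stdin)
# Returns 0 when OPTION is built in (=y) or modular (=m).
kconfig_enabled() {
    grep -Eq "^$1=(y|m)\$"
}

# running_config -> prints the running kernel's config text, or fails.
running_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        return 1
    fi
}

# kconfig_running OPTION -> 0 if OPTION is enabled in the running kernel.
kconfig_running() {
    running_config | kconfig_enabled "$1"
}

# userns_unrestricted -> 0 if an unprivileged user can create user namespaces,
# judged by the Ubuntu AppArmor gate, the Debian clone sysctl and the
# kernel-wide limit. Sysctls that do not exist are treated as permissive.
userns_unrestricted() {
    [ "$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null)" != "1" ] &&
    [ "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" != "0" ] &&
    [ "$(sysctl -n user.max_user_namespaces 2>/dev/null)" != "0" ]
}

# tools_present -> 0 if ip (iproute2) and ethtool are on PATH.
tools_present() {
    command -v ip >/dev/null 2>&1 && command -v ethtool >/dev/null 2>&1
}

# veth_loaded -> 0 if the veth driver is currently loaded or built in.
veth_loaded() {
    grep -q '^veth ' /proc/modules 2>/dev/null ||
    grep -q 'veth\.ko' "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null
}

# cached_vs_disk FILE -> 0 if a normal read (page cache) and an O_DIRECT read
# (disk blocks) of FILE hash identically, 1 if they differ, 2 if the
# filesystem refuses O_DIRECT (tmpfs, some overlay setups), so no verdict.
# Only catches pages that were modified without being marked dirty, which is
# the case the README's drop_caches cleanup implies.
cached_vs_disk() {
    tmp=$(mktemp) || return 2
    if ! dd if="$1" of="$tmp" bs=4096 iflag=direct status=none 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    direct=$(sha256sum < "$tmp" | cut -d' ' -f1)
    cached=$(sha256sum < "$1" | cut -d' ' -f1)
    rm -f "$tmp"
    [ "$cached" = "$direct" ]
}

# report LABEL CMD... -> prints ok/FAIL according to CMD's exit status.
report() {
    label=$1; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi
}

precheck() {
    if running_config > /dev/null 2>&1; then
        for opt in CONFIG_XFRM CONFIG_INET_ESPINTCP CONFIG_USER_NS; do
            report "$opt" kconfig_running "$opt"
        done
    else
        echo "skip  kernel config not readable"
    fi
    report "unprivileged user namespaces allowed" userns_unrestricted
    report "ip and ethtool on PATH" tools_present
    report "veth driver available" veth_loaded
    if cached_vs_disk /usr/bin/su; then
        echo "ok    /usr/bin/su page cache matches disk"
    elif [ $? -eq 2 ]; then
        echo "skip  /usr/bin/su: filesystem does not support O_DIRECT"
    else
        echo "ALERT /usr/bin/su page cache differs from disk"
    fi
}

# Run the checks only when executed under this file name, so the file can
# also be sourced to reuse the functions.
case ${0##*/} in dirty_merge_precheck.sh) precheck ;; esac
```

Save it as dirty_merge_precheck.sh and run it as any user; the config checks only need read access to /boot/config-$(uname -r) or /proc/config.gz. Run the same script again after root has written 3 to /proc/sys/vm/drop_caches to confirm the page-cache copy of su matches the disk again. An ALERT line on a clean-looking system is exactly the signature to look for in an incident, and it disappears with the cache, so capture it before anyone reboots.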


Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.