Security patches for the high-severity DirtyClone Linux kernel local privilege escalation vulnerability are now available for most supported Ubuntu releases. The flaw allows local unprivileged users to gain full root access on unpatched systems, per the official Linux kernel project. The vulnerability is tracked as CVE-2026-43503, with a CVSS 3.1 HIGH severity score of 8.8.

Security firm JFrog first published public research into the flaw on June 25, 2026, naming it DirtyClone. The flaw impacts the same kernel components as the earlier Dirty Frag and Fragnesia vulnerabilities. Users who already applied module-blocking mitigations for those prior issues are automatically protected against DirtyClone, per Canonical’s security advisory Ubuntu Security Blog.
What the Ubuntu Patches DirtyClone Linux Privilege Escalation Flaw Means for Users
DirtyClone is a local privilege escalation bug. A local unprivileged user on a vulnerable host can obtain full root permissions.
The CVSS 3.1 score of 8.8 places it in the HIGH severity band. Canonical confirmed the identifier CVE-2026-43503 in its advisory Ubuntu Security Blog.
The name DirtyClone was assigned by JFrog on June 25, 2026. The bug shares attack surface with Dirty Frag and Fragnesia.
Specifically, administrators who blocked the affected kernel modules for those older flaws already blocked DirtyClone. That means the practical exposure is limited to systems without those mitigations.
Ubuntu Patches DirtyClone Linux Privilege Escalation Flaw: Patch Status for Releases
Canonical has released Ubuntu security updates for DirtyClone, with patches available for most actively supported LTS and interim releases Ubuntu Security Blog. Focal Fossa (20.04 LTS) users running the 5.15 kernel stream received fixes in version 5.15.0-181.191~20.04.1. Jammy Jellyfish (22.04 LTS) got the same kernel build for its default 5.15 series.
Newer supported releases are also patched. Noble Numbat (24.04 LTS) is fixed in kernel 6.8.0-124.124. Questing Quokka (25.10) is fixed in 6.17.0-35.35. The upcoming Resolute Raccoon (26.04 LTS) is fixed in 7.0.0-22.22.
For example, a Noble system must show 6.8.0-124.124 or higher after the uname -r command to be safe. Focal Fossa (20.04 LTS) systems running the 5.4 kernel stream remain affected, per Canonical’s advisory Ubuntu Security Blog.
Older Ubuntu 14.04 LTS (Trusty Tahr), 16.04 LTS (Xenial Xerus), and 18.04 LTS (Bionic Beaver) remain unpatched and affected Ubuntu Security Blog. That is a total of three end-of-life releases plus one specific kernel stream still exposed.
Container and Host Risk Profile
For non-containerized deployments, the published exploit grants a local unprivileged user full root access to the host Ubuntu Security Blog. In containerized environments running untrusted third-party workloads, DirtyClone additionally enables container escape.
No public proof-of-concept for the container escape variant has been released, per Canonical’s advisory Ubuntu Security Blog. Canonical notes the published exploit only targets non-container hosts for now Ubuntu Security Blog.
Specifically, a shared tenant on a bare-metal Ubuntu 22.04 server without the 5.15 patch could escalate to root. A container escape would require the untrusted workload path, which is not yet public as of June 25, 2026.
Patching and Verification Steps
Administrators can check their running kernel version with the uname -r command. They can then cross-reference it against Canonical’s patched version list Ubuntu Security Blog.
The recommended remediation is a full system upgrade via sudo apt update && sudo apt upgrade, followed by a required reboot to load the patched kernel. For environments where full upgrades are not feasible, administrators can target only kernel meta-packages.
They can use dpkg-query to filter for linux-meta packages. Then they run install –only-upgrade for those entries. Ubuntu systems with unattended-upgrades enabled (default for 16.04 LTS and newer zbrandco.com/git-worktrees-default-github-copilot-parallel-coding/) will automatically apply patches.
A reboot is still required to activate the fix Ubuntu Security Blog. For example, a Focal 5.15 system must reboot after installing 5.15.0-181.191~20.04.1 to clear the CVE-2026-43503 exposure.
