Question Regarding Recent Linux LPE (“Dirty Frag”) Exposure on Sangoma Linux 7

We are reviewing the recently disclosed Linux local privilege escalation issue being discussed on oss-security (“Dirty Frag”, posted 2026-05-07).

oss-security - Dirty Frag: Universal Linux LPE

Anyone already looking into that too?

It is and will remain vulnerable to Copy Fail and Dirty Frag and anything after, because the OS is no longer receiving updates. My advice to you is to update to FreePBX 17, which (if set up according to Sangoma's directions) runs on Debian Bookworm. You can apply the mitigations, but mitigations are not a permanent fix, and with today's security environment I would expect to see a succession of vulnerabilities like this over the next year or two.

Copy Fail — CVE-2026-31431

Dirty Frag vulnerability reported for Linux kernel CVE-2026-43284, CVE-2026-43500 - Rocky Linux Help & Support - Rocky Linux Forum

All of these are currently mitigated in the Debian 12 kernel:

CVE-2026-31431

CVE-2026-43284

CVE-2026-43500

Users who install the FreePBX v17 Distro ISO using either the FOG or OSO spice levels should be able to update to these latest Debian 12 bookworm kernels. However, if you are using DAHDI hardware (or otherwise chose the PUB, UPG or INT spice levels), then please know that we are still in the QA process with these latest kernels. In the interim, users should heed the common suggestions (per our published security advisories on GitHub) to limit exposure of the Administrator Control Panel to only known, trusted users. This is because the ACP runs processes as the asterisk user, which can be elevated to root by way of these CVEs.*

*But you can already do lots of system-admin-level things once somebody logs in to the ACP, like uploading PHP code modules, which (generally) still falls into the feature-not-bug category.
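A quick way to act on the list above, as an added example that is not from this thread, Sangoma or Debian: on a Debian 12 host, confirm that the changelog of the running kernel package names each of the three CVEs, and that the kernel actually running is the newest one installed (a kernel that is installed but not yet booted does nothing). The CVE IDs are the ones quoted in the post; the changelog excerpt and the package list inside the script are constructed sample data, and the live commands in the comments assume apt, dpkg-query and GNU sort on a Debian 12 amd64 system.

```shell
#!/bin/sh
# Added example, not code from the FreePBX thread, Sangoma or Debian.
# Two checks a sysadmin wants after "apt upgrade" of the Debian 12 kernel:
#   1. does the running kernel's changelog mention every CVE we care about?
#   2. is the running kernel the newest installed one (i.e. did we reboot)?

# CVE IDs as listed in the post above.
CVES="CVE-2026-31431 CVE-2026-43284 CVE-2026-43500"

# Constructed sample changelog (not a real Debian entry): mentions only two of
# the three CVEs, so the check below reports the third as missing.
SAMPLE_CHANGELOG='linux (6.1.x-y) bookworm-security; urgency=high

  * [constructed sample entry, not a real changelog]
  * Fix CVE-2026-31431
  * Fix CVE-2026-43284
'

# Constructed sample of installed kernel versions, one per line, in the
# "uname -r" style Debian uses for its package names.
SAMPLE_INSTALLED='6.1.0-35-amd64
6.1.0-37-amd64
6.1.0-40-amd64'

# missing_cves CHANGELOG_TEXT "CVE-a CVE-b ...":
# prints the CVEs not found in the changelog text; returns 0 when none are
# missing, 1 otherwise.
missing_cves() {
  changelog="$1"
  missing=""
  for cve in $2; do
    printf '%s\n' "$changelog" | grep -q -- "$cve" || missing="$missing $cve"
  done
  missing="${missing# }"
  [ -n "$missing" ] && printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# newest_version "v1\nv2\n...": prints the highest version by GNU "sort -V"
# (assumption: GNU coreutils sort, which understands Debian-style versions).
newest_version() {
  printf '%s\n' "$1" | sed '/^$/d' | sort -V | tail -n 1
}

# running_is_newest RUNNING INSTALLED_LIST: 0 if RUNNING is the newest
# installed kernel, 1 if a newer one is installed but not booted.
running_is_newest() {
  [ "$1" = "$(newest_version "$2")" ]
}

# Live usage on a Debian 12 box (needs network for "apt changelog"):
#   missing_cves "$(apt changelog "linux-image-$(uname -r)")" "$CVES"
#   installed=$(dpkg-query -W -f='${Status} ${binary:Package}\n' 'linux-image-*-amd64' \
#               | awk '$3=="installed"{sub("linux-image-","",$4); print $4}')
#   running_is_newest "$(uname -r)" "$installed" || echo "reboot needed"

# Demonstration on the constructed sample data.
if missing_cves "$SAMPLE_CHANGELOG" "$CVES"; then
  echo "all listed CVEs appear in the changelog"
else
  echo "^ CVEs not mentioned in the changelog"
fi
if running_is_newest "6.1.0-37-amd64" "$SAMPLE_INSTALLED"; then
  echo "running kernel is the newest installed"
else
  echo "newer kernel installed ($(newest_version "$SAMPLE_INSTALLED")); reboot needed"
fi
```

A changelog mention is evidence that Debian shipped a fix in that package version, not proof the fix is in the kernel you booted; that is why the second check exists, and why the post's advice to reboot onto the new kernel matters as much as installing it.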

Note also that if you run FreePBX as a VM, as I do, the hypervisor can be attacked. For example, I run FreePBX in a KVM+qemu hypervisor on Ubuntu. The Debian 12 guest OS that FreePBX runs on is fully patched; the hypervisor under Ubuntu Server has only had kernel patches released for Copy Fail (they are working on Dirty Frag, but it has not been released yet).

I agree with ccampbell on this, too: we ARE going to see a succession of security vulnerabilities like this over the next year or so. Xint boasted about this here, from:

Copy Fail: 732 Bytes to Root on Every Major Linux Distribution. - Xint

“…The scan also identified other high severity vulnerabilities, including another privilege escalation bug. These other bugs are still in the responsible disclosure process…”

It is quite likely the "another privilege escalation bug" was, in fact, Dirty Frag. Dirty Frag was rushed out by a different security research group than Xint and did NOT go through the so-called "responsible disclosure process", although I would hardly call waiting 4 days after the kernel patch went in at kernel.org to disclose "responsible disclosure".

If it was, I'm sure Xint was PISSED that the other group got out in front of them.

Remember that all of the White Hats out there are just like the Black Hats out there: they are all competing with each other. The WHs are doing it for street cred, which they monetize via FUD. The BHs are doing it just so they can monetize it via theft. Neither group is composed of the type of people you would want your daughters to go out on dates with… sigh.

Both these vulnerabilities and how they were disclosed "threw the gauntlet down", and it's now "game on". Responsible disclosure is now totally out the window, so don't trust that it will save your keister, and expect more zero-days.