MPI-SysSec/DirtyFree
DirtyFree: Simplified Data-Oriented Programming in the Linux Kernel

Paper

DirtyFree is a novel exploitation technique that simplifies Data-Oriented Programming (DOP) attacks in the Linux kernel through the arbitrary free primitive.

Demo

DirtyFree_small.mp4

Overview

Traditional DOP attacks require three complex stages: heap address leakage, arbitrary address read (AAR), and arbitrary address write (AAW). DirtyFree simplifies this by leveraging the arbitrary free primitive, which enables attackers to forcibly free kernel objects at controlled memory addresses. This approach:

  • Reduces complexity: Often requires only a single primitive instead of three
  • Lowers exploitability requirements: Can work with as little as a 1-byte overwrite
  • Broadens applicability: Successfully exploited 24 out of 31 real-world CVEs

Repository Structure

.
├── exploits/                    # Real-world CVE exploits using DirtyFree
│   ├── CVE-2023-3390/           # nf_tables use-after-free
│   ├── CVE-2023-4004/           # nf_tables pipapo double-free
│   ├── CVE-2023-5345/           # overlayfs double-free
│   ├── CVE-2023-6111/           # nf_tables anonymous set UAF
│   ├── CVE-2024-26581/          # nf_tables race condition
│   └── CVE-2024-53141/          # nf_tables out-of-bounds write
├── Proof-of-Concept/            # Self-contained PoC with ToyExample (QEMU)
│   ├── exploit/                 # DirtyFree exploit source
│   └── src/                     # Vulnerable kernel module source
├── afo/                         # Examples of Arbitrary Free Object
└── README.md                    # This file

Exploitation Methodology

DirtyFree follows a two-stage process:

Stage 1: Preparation

  1. User Cred Spray: Spray user-privilege credential objects using io_uring
  2. Heap Layout: Position vulnerable object adjacent to arbitrary free object
  3. Pointer Corruption: Partially overwrite pointer to target user cred object

Stage 2: Privilege Escalation

  1. Arbitrary Free: Trigger cross-cache free to create use-after-free on cred object
  2. Root Cred Spray: Spray root-privilege credentials (via sudo processes)
  3. Cred Replacement: Reclaim freed user cred slot with root cred
  4. Post-Exploitation: Identify elevated io_uring instance and spawn root shell
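The cross-cache free in Stage 2 works because a pointer inside a freed object can be redirected so that it names an object living in a different cache. The toy allocator below is an added illustration, not code from the DirtyFree repository or the Linux kernel: it models a slab cache that checks on free whether the pointer it is handed actually belongs to its own slab, so a redirected pointer is refused instead of silently turning into a use-after-free in another cache. Cache sizes are taken from the table of arbitrary free objects; the allocator layout, the check and the result codes are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#define SLAB_BYTES 4096                 /* one backing page per cache in this toy model */
struct cache {
    size_t obj_size;
    unsigned char slab[SLAB_BYTES];
    unsigned char in_use[SLAB_BYTES / 16];   /* one flag per object slot */
};
enum free_result { FREE_OK, FREE_FOREIGN, FREE_UNALIGNED, FREE_DOUBLE };

/* Two caches sized like entries of the arbitrary free object table (constructed). */
struct cache k16 = { 16 }, k192 = { 192 };

void *cache_alloc(struct cache *c)
{
    for (size_t i = 0; i < SLAB_BYTES / c->obj_size; i++)
        if (!c->in_use[i]) { c->in_use[i] = 1; return c->slab + i * c->obj_size; }
    return NULL;
}

/* Ownership check on free: the pointer must lie inside this cache's slab, on an
 * object boundary, and name a live object. A pointer redirected into another
 * cache's slab is reported as FREE_FOREIGN instead of being released. */
enum free_result cache_free(struct cache *c, const void *p)
{
    uintptr_t q = (uintptr_t)p, base = (uintptr_t)c->slab;
    if (q < base || q >= base + SLAB_BYTES) return FREE_FOREIGN;
    size_t idx = (size_t)(q - base) / c->obj_size;
    if ((q - base) % c->obj_size != 0) return FREE_UNALIGNED;
    if (!c->in_use[idx]) return FREE_DOUBLE;
    c->in_use[idx] = 0;
    return FREE_OK;
}

/* Constructed scenario: a pointer that should name a kmalloc-16 object has been
 * redirected to a kmalloc-192 object; freeing through kmalloc-16 is refused. Returns 1 if so. */
int demo_cross_cache_free_is_refused(void)
{
    void *victim = cache_alloc(&k192);                          /* object the redirected pointer names */
    int refused = cache_free(&k16, victim) == FREE_FOREIGN;     /* free through the wrong cache */
    return refused && cache_free(&k192, victim) == FREE_OK;     /* the owning cache still accepts it */
}

/* Interior pointers and a second free of the same slot are refused as well. */
int demo_interior_and_double_free_are_refused(void)
{
    unsigned char *o = cache_alloc(&k192);
    return cache_free(&k192, o + 8) == FREE_UNALIGNED
        && cache_free(&k192, o) == FREE_OK && cache_free(&k192, o) == FREE_DOUBLE;
}
```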

Arbitrary Free Objects

We identified 14 arbitrary free objects across different kernel caches:

| Object Name | Cache | Offset |
|---|---|---|
| landlock_hierarchy | kmalloc-16 | 0 |
| landlock_ruleset | kmalloc-96 | 16 |
| async_poll | kmalloc-96 | 64 |
| perf_event_pmu_context | kmalloc-128 | 96 |
| pipe_inode_info | kmalloc-192 | 152 |
| mnt_idmap | kmalloc-192 | 8, 16, 80, 88 |
| msg_queue | kmalloc-256 | 48, 192 |
| io_ring_ctx | kmalloc-2048 | 264, 288, ... |
| msg_msg | kmalloc-64 ~ 4096 | 32, 40 |
| msg_msgseg | kmalloc-16 ~ 4096 | 0 |
| sem_array | kmalloc-512 ~ 8192 | 48 |
| poll_list | kmalloc-16 ~ 4096 | 0 |
| callchain_cpus_entries | kmalloc-16 ~ 4096 | 16, 24, ... |
| simple_xattr | kmalloc-32 ~ 8192 | 16 |

Exploited Vulnerabilities

DirtyFree was successfully applied to 24 real-world vulnerabilities, including:

  • CVE-2023-3390: nf_tables use-after-free
  • CVE-2023-4004: nf_tables pipapo double-free
  • CVE-2023-5345: overlayfs double-free
  • CVE-2023-6111: nf_tables anonymous set UAF
  • CVE-2024-26581: nf_tables race condition
  • CVE-2024-53141: nf_tables out-of-bounds write
  • And 18 more...

See individual exploit directories for detailed CVE information and exploitation code.

Proof-of-Concept (ToyExample)

We provide a self-contained Proof-of-Concept environment using a custom vulnerable kernel module (ToyExample). This allows testing the DirtyFree technique in an isolated QEMU VM without needing a real-world vulnerability.

See Proof-of-Concept/README.md for setup and usage instructions.

Research Paper

This work was presented at the Network and Distributed System Security (NDSS) Symposium 2026.

Authors: Yoochan Lee, Hyuk Kwon, and Thorsten Holz

Citation:

@inproceedings{lee2026dirtyfree,
  title={{DirtyFree}: Simplified Data-Oriented Programming in the Linux Kernel},
  author={Lee, Yoochan and Kwon, Hyuk and Holz, Thorsten},
  booktitle={Proceedings of the Network and Distributed System Security (NDSS) Symposium},
  year={2026}
}

License

This code is provided for educational and defensive security research purposes only.

Contact

For questions or issues, please open an issue on GitHub or contact the authors:


Disclaimer: The techniques and code in this repository are intended solely for security research and education. Unauthorized use of these techniques against systems you do not own or have explicit permission to test is illegal and unethical.

About

Research artifacts for "DirtyFree: Simplified Data-Oriented Programming in the Linux Kernel" (NDSS 2026)