
Dirty Frag: Public Root Exploit Hits All Major Linux Distros, Partial Patch Only


Dirty Frag, a chained Linux kernel local privilege escalation (LPE — a class of vulnerability that lets a low-privilege user gain root/administrator-level access on the same machine) tracked as CVE-2026-43284 and CVE-2026-43500, went public on May 7, 2026, after a security researcher accidentally broke the coordinated disclosure embargo. A fully functional proof-of-concept exploit is already published on GitHub, a mainline kernel patch exists for only one of the two flaws, and the second flaw remains entirely unpatched across all distributions. Any unprivileged user on a vulnerable system can execute the exploit in a single command and obtain a root shell.

Dirty Frag CVE-2026-43284 and CVE-2026-43500: Technical Details

Dirty Frag chains two page-cache write primitives in the Linux kernel's networking subsystem. Canonical assesses a combined CVSS v3.1 (Common Vulnerability Scoring System version 3.1 — the industry-standard framework for rating vulnerability severity on a 0–10 scale) score of 7.8 / High (vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The score reflects that the attack requires only local access with low privileges, no user interaction, and delivers full confidentiality, integrity, and availability impact. In practice: an unprivileged shell account is all an attacker needs.

CVE-2026-43284 — the xfrm-ESP (IPsec Encapsulating Security Payload — the protocol component that handles encrypted IPsec VPN tunnels in the Linux kernel) page-cache write flaw — affects every Linux kernel commit from cac2661c53f3 (merged January 17, 2017) through current upstream. The bug lives in the in-place decryption fast paths of the esp4 and esp6 kernel modules: when a socket buffer carries paged fragments that are not privately owned by the kernel — for example, pipe pages attached via splice(2), sendfile(2), or the MSG_SPLICE_PAGES flag — the receive path decrypts directly over those externally-backed pages. An unprivileged process that still holds a reference to those pages can read or corrupt the decrypted plaintext, eventually obtaining arbitrary kernel write access and a root shell.

CVE-2026-43500 — the RxRPC (Remote Procedure Call over UDP, used by the AFS distributed filesystem and loaded by default on many Linux distributions) page-cache write flaw — introduces an independent exploitation path in the same externally-backed page class, affecting kernel commits from 2dc334f1a63a (merged June 2023) through upstream. Critically, CVE-2026-43500 has no patch in any mainstream kernel tree as of May 8, 2026.

Researcher Hyunwoo Kim (@v4bel) discovered both flaws. The exploit chains them so that each covers the other's blind spots: neither flaw alone provides a sufficiently reliable primitive for full root escalation on all kernel configurations, but the combined chain achieves deterministic root access. Because the underlying flaws are logic bugs rather than timing races, the kernel does not crash or panic when the exploit runs, leaving no immediate system stability indicator for administrators.

Red Hat's RHSB-2026-003 security bulletin confirms CVE-2026-43284 in its product line and notes the upstream mainline patch is commit f4c50a4034e6.

Exploitation Status and Threat Landscape

The public PoC landed on GitHub on May 7, 2026. It requires only a low-privilege shell on the target and produces a root shell in a single invocation, with a success rate described by researchers as very high due to the deterministic nature of the bug. The exploit was released before distribution patches were broadly available, creating an extended window during which the only protection is manual mitigation.

As of publication, CVE-2026-43284 and CVE-2026-43500 have not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog — the official U.S. government registry confirming in-the-wild exploitation. However, the directly related Copy Fail vulnerability (CVE-2026-31431 — a prior Linux kernel LPE from the same page-cache write class) was added to CISA KEV on May 1, 2026, following its own public PoC release. The availability of a working, reliable exploit for Dirty Frag substantially raises the probability of imminent active exploitation.

No ransomware groups or nation-state actors have been publicly attributed to Dirty Frag exploitation at this time. Given that local privilege escalation is a standard post-exploitation step after initial remote access, any threat actor already inside a Linux environment will find Dirty Frag immediately useful.

Who Is Affected

Any system running an unpatched Linux kernel with the esp4, esp6, or rxrpc modules loaded is at risk. Confirmed affected distributions include:

  • Ubuntu 24.04.4 LTS and earlier (Canonical advisory and patches available)
  • Red Hat Enterprise Linux (RHEL) 10.1 and earlier
  • CentOS Stream 10
  • AlmaLinux 10
  • Fedora 44
  • openSUSE Tumbleweed
  • Debian, Arch Linux, CloudLinux, and Amazon Linux

The xfrm/ESP component has been present in the Linux kernel since 2017, meaning essentially every production Linux system deployed over the past nine years falls within the CVE-2026-43284 vulnerable commit range. On-premises servers, cloud instances with custom kernels, container host systems, and CI/CD workers are all in scope. Containerized workloads using the host kernel — standard Kubernetes nodes, Docker hosts, LXC containers — are vulnerable if the host kernel is unpatched. Systems where neither esp4/esp6 nor rxrpc are loaded are not directly exploitable, but this should be verified rather than assumed.

What You Should Do Right Now

  • Check kernel version and loaded modules. Run uname -r to identify the running kernel version, and lsmod | grep -E 'esp4|esp6|rxrpc' to confirm whether the vulnerable modules are currently loaded.
  • Apply available distribution kernel patches immediately. AlmaLinux released a combined test kernel addressing both CVE-2026-43284 and CVE-2026-43500 on May 7. Ubuntu patches are available via apt-get update && apt-get dist-upgrade. RHEL patches are tracked under RHSB-2026-003. Check your distribution's security announcement channel.
  • Apply module blacklist mitigations where kernel patches are not yet available. For CVE-2026-43284, unload the ESP modules:

modprobe -r esp4 esp6 xfrm4_tunnel xfrm6_tunnel
echo "install esp4 /bin/false" >> /etc/modprobe.d/blacklist-dirty-frag.conf
echo "install esp6 /bin/false" >> /etc/modprobe.d/blacklist-dirty-frag.conf

For CVE-2026-43500, unload the rxrpc module:

modprobe -r rxrpc
echo "install rxrpc /bin/false" >> /etc/modprobe.d/blacklist-dirty-frag.conf

Warning: Disabling esp4/esp6 will break IPsec VPN tunnels on that host. Evaluate operational impact before applying in production.

  • Do not rely on the Copy Fail mitigation. Systems that already applied the algif_aead blacklist for CVE-2026-31431 (Copy Fail) are still vulnerable to Dirty Frag. The xfrm-ESP path does not route through algif_aead.
  • Prioritize multi-tenant and internet-facing systems. Dirty Frag requires local access, so the highest-risk scenarios are shared hosting environments, developer systems with multiple user accounts, cloud VMs where tenants share a host kernel, and CI/CD runners executing untrusted code.
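As an added example (not part of the original article and not tooling from any distribution or from the researcher), the following POSIX shell script audits the state that the checklist above asks administrators to verify. For each of esp4, esp6 and rxrpc it reports whether the module appears in a /proc/modules (or lsmod) listing and whether a modprobe.d file disables it with an "install <module> /bin/false" line, which is the blacklist form used in the mitigation commands. It only reads; it does not unload or blacklist anything. The output format, the function names and the --live flag are this example's own choices, the modprobe.d path is the one from the article's commands (it may not exist on a given host), and the sample module listing embedded at the bottom is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original article: audit helper for the Dirty Frag
# interim mitigation. For each of esp4, esp6 and rxrpc it answers two questions:
# is the module currently loaded, and is it blacklisted with an
# "install <module> /bin/false" line in modprobe.d? It changes nothing on the host.

VULN_MODULES="esp4 esp6 rxrpc"

# loaded_vuln_modules: read a /proc/modules (or lsmod) listing on stdin and
# print the names of the watched modules that appear in it, one per line.
loaded_vuln_modules() {
    awk -v mods="$VULN_MODULES" '
        BEGIN { n = split(mods, want, " "); for (i = 1; i <= n; i++) wanted[want[i]] = 1 }
        ($1 in wanted) { print $1 }'
}

# blacklisted_modules: read modprobe.d configuration on stdin and print the
# modules disabled with "install <module> /bin/false", one per line.
blacklisted_modules() {
    awk '$1 == "install" && $3 == "/bin/false" { print $2 }'
}

# audit_status MODULES_TEXT CONF_TEXT: print "<module> loaded|unloaded blacklisted|exposed"
# for every watched module. Returns 0 only when none is loaded and all are blacklisted;
# "exposed" means a later modprobe or kernel autoload could bring the module back.
audit_status() {
    loaded=$(printf '%s\n' "$1" | loaded_vuln_modules | tr '\n' ' ')
    blocked=$(printf '%s\n' "$2" | blacklisted_modules | tr '\n' ' ')
    rc=0
    for m in $VULN_MODULES; do
        load_state=unloaded
        block_state=exposed
        case " $loaded " in *" $m "*) load_state=loaded; rc=1 ;; esac
        case " $blocked " in *" $m "*) block_state=blacklisted ;; esac
        [ "$block_state" = exposed ] && rc=1
        echo "$m $load_state $block_state"
    done
    return $rc
}

# audit_host: run the audit against the live system. The modprobe.d file name is
# the one used in the article's mitigation commands and may be absent on a host.
audit_host() {
    conf=/etc/modprobe.d/blacklist-dirty-frag.conf
    conf_text=""
    [ -r "$conf" ] && conf_text=$(cat "$conf")
    audit_status "$(cat /proc/modules)" "$conf_text"
}

# Constructed sample input (not captured from a real host): esp4 and rxrpc are
# loaded, and only esp4 has been blacklisted so far.
SAMPLE_MODULES="esp4 24576 0 - Live 0x0000000000000000
xfrm_user 40960 1 - Live 0x0000000000000000
rxrpc 139264 0 - Live 0x0000000000000000"
SAMPLE_CONF="install esp4 /bin/false"

# With --live the script audits this host; otherwise it runs on the sample data.
if [ "${1:-}" = "--live" ]; then
    audit_host && echo "all clear" || echo "mitigation incomplete"
else
    audit_status "$SAMPLE_MODULES" "$SAMPLE_CONF" && echo "all clear" || echo "mitigation incomplete"
fi
```

On the sample data the script reports esp4 as loaded but blacklisted, esp6 as unloaded but exposed, and rxrpc as loaded and exposed, then prints "mitigation incomplete". Run it with --live (as root, so /etc/modprobe.d is readable) to get the same report for the current host. The audit deliberately treats an unloaded but not blacklisted module as a finding, since a module that is merely unloaded can be pulled back in by a later modprobe or by kernel autoload.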

Background: Understanding the Risk

Dirty Frag belongs to the same page-cache write primitive family as Dirty COW (CVE-2016-5195, 2016), Dirty Pipe (CVE-2022-0847, 2022), and Copy Fail (CVE-2026-31431, 2026) — a recurring lineage of Linux kernel privilege escalation bugs that exploit kernel code paths where user-controlled memory and kernel-controlled memory momentarily overlap during I/O operations. Each generation has produced reliable, widely deployed exploits.

The ESP (IPsec Encapsulating Security Payload) subsystem is part of the Linux kernel's built-in VPN and encrypted tunnel stack, loaded by default or in use on a very large share of production Linux systems — precisely the infrastructure that represents attractive post-exploitation escalation targets. The rxrpc module, while less universally deployed, provides an independent escalation path for systems without IPsec configured.

The embargo break on May 7, 2026 — before most distribution patches were generally available — is the critical operational factor. For CVE-2026-43284, the mainline kernel patch exists but must be backported and packaged by each distribution. For CVE-2026-43500, no upstream patch exists at all. The window between public exploit availability and patch availability is therefore measured in days for most distributions, and has no defined endpoint for the rxrpc component.

This pattern follows the same dynamic that made Dirty Pipe severe in 2022: a deterministic, reliable LPE with a public PoC, released before universal patch availability, against a kernel component present on essentially all production Linux hosts.

Conclusion

Dirty Frag (CVE-2026-43284 + CVE-2026-43500) presents a high-severity, deterministic local privilege escalation with a working public exploit and no complete patch for the rxrpc component. Apply distribution kernel updates immediately where available, apply module blacklists as an interim measure, and do not assume Copy Fail mitigations provide protection. Multi-tenant environments and systems running untrusted code should treat this as an emergency.
