Dirty Frag is the nickname for a pair of Linux kernel local privilege escalation (LPE — a class of vulnerability where an attacker already on a system as a low-privileged user can elevate their access to root, the highest administrative level) vulnerabilities: CVE-2026-43284 (affecting the IPsec ESP subsystem) and CVE-2026-43500 (affecting the RxRPC subsystem). Both carry a CVSS 3.1 (Common Vulnerability Scoring System version 3.1) score of 8.8 (High) from the kernel.org CNA (CVE Numbering Authority). A working proof-of-concept (PoC — publicly released exploit code that demonstrates the vulnerability is real and exploitable) was published the same day as disclosure, before most Linux distributions had shipped patched kernels. Metasploit modules for CVE-2026-43284 and CVE-2026-43500 — enabling push-button exploitation — were added on May 29, 2026. Patches are now available for all major Linux distributions including RHEL, Ubuntu, AlmaLinux, and Amazon Linux.
// 01 CVE-2026-43284: Technical Details
CVE-2026-43284 is a write-what-where condition (a bug class where an attacker can write arbitrary data to an arbitrary memory location) in the xfrm-ESP (IPsec Encapsulating Security Payload — the encryption and authentication component of the IPsec VPN protocol used extensively in kernel networking) subsystem of the Linux kernel. The bug was introduced by commit cac2661c53f3 in January 2017, which moved IPsec ESP receive into an in-place decryption fast path. The fast path skips a bounds check that the original code performed, allowing page cache corruption when processing specially crafted IPsec packets on a local socket.
CVE-2026-43500 is a variant of the same write-what-where condition introduced in June 2023 when the same optimized fast-path pattern was added to the RxRPC (Remote Procedure Call transport protocol — used by AFS and other distributed file systems) subsystem. Both vulnerabilities rely on the same underlying kernel page-cache fragmentation flaw, hence the "Frag" in the nickname.
Researcher Hyunwoo Kim discovered both vulnerabilities. The responsible-disclosure embargo was broken before patches could ship, meaning CVE-2026-43284 and CVE-2026-43500 became public on May 8, 2026, as zero-days with no fixes available for most distributions.

// 02 Exploitation Status and Threat Landscape
The PoC exploit for CVE-2026-43284 / CVE-2026-43500 was published the same day as disclosure (May 8, 2026), before any major Linux distribution had shipped kernel patches. The exploit relies exclusively on standard system calls — socket, setsockopt, bind, vmsplice, splice, sendmsg — that are available to all unprivileged users. The vulnerable kernel modules esp4, esp6, and rxrpc are loaded by default in the kernel packages of every major enterprise Linux distribution, including RHEL, CentOS Stream, Ubuntu, Debian, AlmaLinux, and CloudLinux.
Metasploit modules for both CVE-2026-43284 and CVE-2026-43500 were added to the Metasploit Framework on May 29, 2026, lowering the bar for exploitation significantly. Combined with the day-zero PoC, the Metasploit modules mean any attacker with a foothold on a Linux host (via credential theft, web shell, container escape, or any other initial access vector) can trivially escalate to root.
CVE-2026-43284 is not currently listed in the CISA KEV catalog, though the day-zero public PoC and newly added Metasploit modules represent the precursors to rapid real-world exploitation.
// 03 Who Is Affected
CVE-2026-43284 affects every Linux kernel that includes the IPsec ESP fast-path optimization introduced in January 2017 — meaning all kernels from version 4.10 onward are potentially vulnerable. Major confirmed affected distributions:
- Red Hat Enterprise Linux (RHEL) 8, 9, 10 and OpenShift 4 — Red Hat confirmed all are affected
- AlmaLinux 8, 9, 10 — patches published May 8, 2026 (errata ALSA-2026:A004/A005/A006)
- Ubuntu (all supported LTS releases) — patches published May 2026
- Amazon Linux (all maintained variants) — AWS shipped kernel patches May 9, 2026
- CloudLinux — patched kernels available
- Debian and derivatives — patches available
CVE-2026-43500 affects kernels from June 2023 onward (when the RxRPC fast-path was introduced). It is separately exploitable and covered by the same distribution patches.
There is no remote attack vector: Dirty Frag requires an attacker to already have local code execution — a shell, container, or process on the target host. However, in container environments and shared hosting scenarios, local-only LPE vulnerabilities are critical: a container escape or compromised co-tenant app can weaponize CVE-2026-43284 to gain root on the hypervisor node.
// 04 What You Should Do Right Now
- Apply kernel patches immediately. Check your distribution's security advisory and install the patched kernel package. For RHEL/CentOS-based systems:

```bash
sudo dnf update kernel --security
sudo reboot
```

For Ubuntu/Debian-based systems:

```bash
sudo apt update && sudo apt upgrade linux-image-generic
sudo reboot
```

- Apply the module blacklist if rebooting is not immediate. The following commands disable the vulnerable modules without a reboot. They survive a reboot if the modprobe configuration is written to disk:

```bash
# Run as root. Make any attempt to load the modules run /bin/false instead.
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
# Unload the modules if they are currently loaded.
rmmod esp4 esp6 rxrpc 2>/dev/null
# Drop the page cache, dentries and inodes.
echo 3 > /proc/sys/vm/drop_caches
```

- Verify the modules are unloaded. After the blacklist command, run `lsmod | grep -E 'esp4|esp6|rxrpc'`. If any appear, unload them individually with `rmmod`.
- Check whether your workloads require esp4/esp6. These modules power IPsec site-to-site VPN tunnels on Linux hosts. If you use IPsec kernel-based tunnels, the mitigation will break them. In that case, patching the kernel is the only safe option.
- Assess container environments. On Kubernetes worker nodes and Docker hosts, any container with network capabilities could exploit CVE-2026-43284 to break out and root the node. Apply kernel patches to all worker nodes as a priority.
- Enable live-patch solutions if available. TuxCare KernelCare and Ubuntu Livepatch offer live kernel patching for CVE-2026-43284 without requiring a reboot, useful for hosts that cannot tolerate downtime.
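A host-side audit of the interim mitigation described above, as an added example that is not part of the original article: it reports which of esp4, esp6 and rxrpc are still loaded, matching exact module names rather than substrings as a plain `grep` on `lsmod` output would, and which of them lack an `install <module> /bin/false` line. The function names are hypothetical, and the check assumes the configuration uses the same `install … /bin/false` form as the commands in this article.

```shell
# Added example: audit the Dirty Frag interim mitigation on one host.
# Function names are assumptions made for this example.

MODULES="esp4 esp6 rxrpc"

# Print every module from $MODULES that appears as an exact name in the
# first column of lsmod-format text read from stdin.
loaded_modules() {
    awk -v want="$MODULES" '
        BEGIN { n = split(want, m, " "); for (i = 1; i <= n; i++) w[m[i]] = 1 }
        ($1 in w) { print $1 }'
}

# Print every module from $MODULES that has no "install <mod> /bin/false"
# line in any *.conf file under the directory given as $1.
unblocked_modules() {
    local dir="$1" mod
    for mod in $MODULES; do
        grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/false[[:space:]]*$" \
            "$dir"/*.conf || echo "$mod"
    done
}

# Combine both checks: $1 is lsmod output, $2 the modprobe config directory.
# Returns 0 only when no listed module is loaded and every one is blocked
# from being loaded again.
audit_dirtyfrag() {
    local lsmod_text="$1" dir="$2" loaded unblocked
    loaded=$(printf '%s\n' "$lsmod_text" | loaded_modules | tr '\n' ' ')
    unblocked=$(unblocked_modules "$dir" | tr '\n' ' ')
    [ -n "$loaded" ] && echo "still loaded: $loaded"
    [ -n "$unblocked" ] && echo "not blocked in $dir: $unblocked"
    [ -z "$loaded" ] && [ -z "$unblocked" ]
}

# On a live host:
#   audit_dirtyfrag "$(lsmod)" /etc/modprobe.d
```

A non-zero exit status means the host still needs either the module configuration or the unload step; it says nothing about whether the running kernel is patched.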
// 05 Background: Understanding the Risk
The Dirty Frag name follows a tradition of catchy naming for high-impact Linux kernel vulnerabilities — Dirty COW (CVE-2016-5195, race condition LPE), Dirty Pipe (CVE-2022-0847, anonymous pipe LPE), and Copy Fail (the LPE chain Dirty Frag's discoverer Hyunwoo Kim published weeks earlier in 2026) are all members of this lineage. This naming convention helps the vulnerability get the organizational attention it deserves: LPE bugs are easy to dismiss as "local only" when in fact they are the post-exploitation staple of ransomware operators, red teams, and nation-state actors.
IPsec (Internet Protocol Security) is a suite of protocols built into the Linux kernel for encrypting and authenticating network traffic at the IP layer. It underpins site-to-site VPNs between data centers, encrypted transport for government and financial networks, and kernel-bypass VPN solutions. The fast-path optimization that introduced CVE-2026-43284 was a performance improvement — a common pattern where security reviews may not fully re-examine code changes framed as non-security-impacting optimizations.
The broken embargo that caused day-zero disclosure without a coordinated patch window is a significant event in itself. Coordinated vulnerability disclosure (CVD) depends on the embargo period holding long enough for vendors to ship fixes before public knowledge enables attacker weaponization. When embargoes break — through leaks, independent rediscovery, or researcher disputes — the window between public knowledge and available patches collapses, and defenders are placed in an immediate reactive posture.
Wiz's analysis of CVE-2026-43284 and Sysdig's detection guidance provide deeper technical analysis and runtime detection rules for cloud-native environments.
// 06 Conclusion
Dirty Frag (CVE-2026-43284 and CVE-2026-43500) is a CVSS 8.8 Linux kernel privilege escalation vulnerability with day-zero public exploit code, Metasploit modules, and nine years of affected kernels. All organizations running Linux should patch immediately or apply the esp4/esp6/rxrpc module blacklist as an interim measure. Container environments and Kubernetes clusters deserve priority attention: any compromised workload on an unpatched node can reach root on the host.
