Dirty Frag: CVE-2026-43284 and CVE-2026-43500 Grant Root Access Across All Major Linux Distros

Dirty Frag is a new universal Linux kernel local privilege escalation (LPE — a class of vulnerability that allows an attacker who already has limited access to a system to obtain full root or administrator-level control) exploit that chains two kernel vulnerabilities to achieve root access on every major Linux distribution. The flaws, CVE-2026-43284 (affecting the IPsec ESP subsystem) and CVE-2026-43500 (affecting the RxRPC transport), were discovered by security researcher Hyunwoo Kim and published ahead of schedule after the coordinated disclosure embargo broke. A working public proof-of-concept (PoC) exploit is available on GitHub. As of May 8, 2026, a kernel patch for CVE-2026-43284 has been merged into the upstream Linux netdev tree, but the patch for CVE-2026-43500 remains pending.

Dirty Frag: Technical Details

Dirty Frag exploits a class of Linux kernel memory-corruption bugs known as page-cache write vulnerabilities. The Linux kernel's page cache is a region of memory that the kernel uses to buffer data being read from or written to storage. Under certain conditions, an attacker can trick the kernel into writing controlled data to arbitrary physical memory pages — a technique that, when applied to the right target pages, overwrites critical kernel data structures and elevates the attacker's privileges to root.

CVE-2026-43284 is a page-cache write vulnerability in the xfrm IPsec ESP (Encapsulating Security Payload — a protocol used for encrypted IPv4 and IPv6 traffic) subsystem. CVE-2026-43500 is a related vulnerability in the RxRPC transport layer (the kernel's implementation of the RxRPC protocol, primarily used by the AFS distributed file system and certain kernel services). Kim's research demonstrates that chaining these two bugs produces a reliable, universal exploit — meaning it succeeds across different kernel versions and distribution configurations without requiring environment-specific tuning.

The exploit was tested successfully on:

  • Ubuntu 24.04.4
  • RHEL 10.1 (Red Hat Enterprise Linux)
  • openSUSE Tumbleweed
  • CentOS Stream 10
  • AlmaLinux 10
  • Fedora 44

This breadth of confirmed targets reflects the exploit's kernel-version-agnostic design. The underlying vulnerable code paths exist in the mainline Linux kernel and are present by default in distributions that ship IPsec and RxRPC support — which covers virtually all general-purpose Linux environments.

The CVE assignments are:

  • CVE-2026-43284 — IPsec ESP xfrm page-cache write vulnerability (patched in upstream netdev tree as of May 7, 2026)
  • CVE-2026-43500 — RxRPC page-cache write vulnerability (upstream patch not yet available as of May 8, 2026)

The public PoC is available at github.com/V4bel/dirtyfrag.

Exploitation Status and Threat Landscape

The disclosure timeline for Dirty Frag was disrupted by a broken embargo. Kim had coordinated with the Linux kernel security team and major distribution maintainers, but the embargo broke before all downstream vendors had finished testing their patches — leaving administrators facing a publicly available root exploit with no universal fix in place.

This situation parallels the 2022 "DirtyPipe" (CVE-2022-0847) and 2016 "Dirty COW" (CVE-2016-5195) disclosures, both of which involved Linux kernel LPE vulnerabilities with generic, widely applicable exploit code that forced administrators to race against public knowledge. The "Dirty" naming convention Kim chose is a deliberate nod to that lineage.

Unlike the earlier Dirty COW and CopyFail vulnerabilities — which required specific file-ownership conditions or race-condition timing — Dirty Frag exploits the page-cache write primitive in a way that is described as more reliable and less timing-dependent, making it more accessible to a wider range of attackers. The presence of a working public PoC on GitHub means any attacker with local access to a vulnerable Linux system can immediately attempt to escalate to root.

At the time of publication, there is no evidence of Dirty Frag being exploited in the wild as part of a targeted attack campaign. However, given a weaponized public PoC, broad distribution coverage, and the incomplete patch status (CVE-2026-43500 unpatched), that is unlikely to remain true for long. Attackers who gain an initial foothold via web application vulnerabilities, phishing, or exposed SSH services can use Dirty Frag to immediately escalate to full root on vulnerable hosts.

There is no CISA KEV listing for Dirty Frag at time of writing, and no threat actor attribution.

Who Is Affected

Any Linux system running a kernel that includes the IPsec ESP (xfrm) and RxRPC subsystems is potentially vulnerable. In practice, this means:

  • All Ubuntu 20.04, 22.04, 24.04 LTS installations (and interim releases) running default kernels
  • All RHEL 9.x and 10.x installations (and derivatives: CentOS Stream, AlmaLinux, Rocky Linux)
  • openSUSE Tumbleweed, Leap, and SUSE Linux Enterprise
  • Fedora (all recent releases)
  • Debian (stable and testing branches)
  • Any Linux-based container host — Dirty Frag is a local privilege escalation, meaning a process that escapes a container and lands on the host at a low-privilege level could use this exploit to reach root on the host kernel

Notably, CVE-2026-43500 (RxRPC) remains unpatched in mainline. Even on systems where the esp4/esp6 modules have been updated, the RxRPC component is still exploitable via a separate path within the Dirty Frag chain.

What You Should Do Right Now

  • Apply available kernel updates immediately. Ubuntu, RHEL, AlmaLinux, and Fedora have all released kernel updates addressing CVE-2026-43284. Run apt update && apt upgrade (Debian/Ubuntu) or dnf update kernel (RHEL/Fedora) and reboot.
  • Apply the temporary module-disable mitigation for CVE-2026-43500. Until the RxRPC patch is available, disable the three kernel modules that comprise the vulnerable code paths:

sudo modprobe -r esp4 esp6 rxrpc
sudo tee /etc/modprobe.d/dirty-frag-mitigation.conf <<EOF
install esp4 /bin/true
install esp6 /bin/true
install rxrpc /bin/true
EOF

This blacklists all three modules from loading on subsequent boots. Note: disabling esp4/esp6 will break IPsec-based VPN connections. Disabling rxrpc will break AFS-based network filesystem access. Assess impact before applying in production environments.

  • Audit local access. Dirty Frag is a local privilege escalation — it requires an attacker to first gain some level of access to the system. Audit all local user accounts, SSH authorized keys, and web application deployment contexts for signs of unauthorized access.
  • Monitor container environments. If you run containers on Linux hosts (Docker, Podman, Kubernetes), ensure no container breakout is possible that would land an attacker on the host. Apply the module-disable mitigation on all container host kernels.
  • Track the CVE-2026-43500 upstream patch. Monitor the oss-security mailing list and your distribution's security tracker for the RxRPC patch. Apply it immediately when it lands.
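As an added example (not from the original post or the Dirty Frag repository), the following POSIX shell helper audits the two conditions the mitigation above depends on: whether esp4, esp6 or rxrpc is currently loaded, and whether an "install <module> /bin/true" rule covers all three under /etc/modprobe.d. The module list and the rule format are taken from the post; the file paths are parameters so the checks can also be run against copies captured from other hosts, and the script name dirty_frag_audit.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit helper that reports whether
# the Dirty Frag module-disable mitigation is in place on this host.
# Assumptions: the affected modules are esp4, esp6 and rxrpc as the post states,
# and the mitigation is an "install <module> /bin/true" rule under /etc/modprobe.d.
# File paths are parameters so the checks can also run against captured copies.

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Print, one per line, the affected modules that are currently loaded.
# $1: file in /proc/modules format (default: /proc/modules)
loaded_affected_modules() {
    modules_file="${1:-/proc/modules}"
    [ -r "$modules_file" ] || return 0
    for m in $DIRTY_FRAG_MODULES; do
        # Each /proc/modules line starts with "<name> <size> <refcount> ...";
        # match on the first field only so "esp4" does not match "esp4_offload".
        if awk -v n="$m" '$1 == n { found = 1 } END { exit !found }' "$modules_file"; then
            echo "$m"
        fi
    done
}

# Return 0 if every affected module has an install rule pointing at /bin/true
# (or /bin/false) in some *.conf under the directory, 1 otherwise.
# $1: modprobe.d directory (default: /etc/modprobe.d)
mitigation_complete() {
    confdir="${1:-/etc/modprobe.d}"
    for m in $DIRTY_FRAG_MODULES; do
        if ! cat "$confdir"/*.conf 2>/dev/null |
             grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(true|false)([[:space:]]|$)"; then
            return 1
        fi
    done
    return 0
}

# Human-readable summary. Exit status is 0 only when no affected module is
# loaded and the modprobe rules cover all three; otherwise 1 so it can gate
# configuration-management or fleet checks.
# $1: /proc/modules-format file, $2: modprobe.d directory (both optional)
dirty_frag_status() {
    status=0
    loaded=$(loaded_affected_modules "$1")
    if [ -n "$loaded" ]; then
        echo "LOADED (unload with modprobe -r): $(echo "$loaded" | tr '\n' ' ')"
        status=1
    else
        echo "OK: none of esp4/esp6/rxrpc is loaded"
    fi
    if mitigation_complete "$2"; then
        echo "OK: install rules block esp4, esp6 and rxrpc"
    else
        echo "MISSING: add install <module> /bin/true rules for all three modules"
        status=1
    fi
    return $status
}

# Run the audit when executed directly as dirty_frag_audit.sh (assumed name);
# when sourced from another script, only the functions are loaded.
case "$0" in
    *dirty_frag_audit.sh) dirty_frag_status ;;
esac
```

The loaded-module check matches the first field of /proc/modules exactly, because a prefix match would report esp4_offload as esp4 and hide the real state. The rule check accepts /bin/false as well as /bin/true, since either prevents the module from loading; it does not verify that the modules were also unloaded on the running kernel, which is why both checks are reported separately.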

Background: Understanding the Risk

Page-cache write vulnerabilities occupy a particularly dangerous category of Linux kernel bugs. The page cache is a fundamental, low-level kernel structure — it underlies almost every I/O operation on the system. Gaining the ability to write arbitrary data to arbitrary pages means an attacker can overwrite kernel credentials structures (the cred struct that defines a process's UID/GID), turning any running process into a root process.

What makes Dirty Frag notable is its universality. Previous LPE exploits often relied on specific kernel configurations, SUID binaries, or race conditions that were sensitive to system load and CPU topology. Dirty Frag's design avoids these constraints, making it operationally reliable — a characteristic that significantly lowers the skill bar for an attacker attempting post-exploitation privilege escalation.

The broken embargo situation creates an asymmetric problem for defenders. Attackers have access to a working public PoC right now, while defenders on distributions that have not yet shipped an updated kernel package have no kernel fix to apply. The module-disable mitigation provides meaningful protection during this gap, but it comes at the cost of disabling IPsec-based VPN functionality — a real operational constraint in enterprise and government environments that rely heavily on IPsec for network segmentation.

Dirty Frag joins a growing list of Linux LPE vulnerabilities with memorable names and generic applicability: Dirty COW (2016), Dirty Pipe (2022), CopyFail (2026), and now Dirty Frag (2026). The pattern suggests that Linux kernel networking and memory subsystems continue to harbor privilege escalation primitives that skilled researchers can identify and chain into reliable exploits.

Conclusion

Dirty Frag chains CVE-2026-43284 and CVE-2026-43500 into a reliable root exploit that works across every major Linux distribution. Apply kernel updates for CVE-2026-43284 now, implement the module-disable mitigation for the still-unpatched CVE-2026-43500, and monitor for the upstream RxRPC fix. Any attacker with local access to a vulnerable system can become root in seconds.