Two critical Linux kernel vulnerabilities, tracked as CVE-2026-43284 and CVE-2026-43500, were disclosed on 8 May 2026 under the code name “Dirty Frag”. Chained together, they allow any unprivileged local user to deterministically obtain root privileges. Public proof-of-concept code is available and active exploitation has been confirmed.
Overview
“Dirty Frag” refers to a class of vulnerabilities related to the handling of shared memory fragments in kernel network subsystems. Both CVEs exploit the same primitive: forcing an ESP in-place decryption on pages belonging to the kernel page cache, creating an arbitrary write primitive into the page cache.
CVE-2026-43284 — ESP/IPsec subsystem (xfrm)
Technical details
The flaw lies in the IPv4/IPv6 datagram append paths. When MSG_SPLICE_PAGES attaches pages from a pipe directly to a socket buffer (skb), the TCP protocol marks those skbs with SKBFL_SHARED_FRAG to signal that the pages are not private. However, the UDP IPv4/IPv6 paths failed to set this flag when splicing pages into UDP skbs.
As a result, ESP-in-UDP packets constructed from shared pipe pages appear as ordinary uncloned skb. ESP decryption then proceeds in place on data not exclusively owned by the kernel, creating a write primitive into the page cache.
- Type: CWE-269 — improper privilege management
- Vector: local, low complexity, no user interaction
- CVSS v3.1 score: 7.8 (High)
- Full vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Introduced: January 2017
CVE-2026-43500 — RxRPC subsystem (AFS)
Technical details
The flaw lies in the RxRPC subsystem (used by AFS, the Andrew File System protocol). The DATA packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() linearise packets before calling security operations, but only when the skb is cloned.
An attacker able to inject rxrpc packets with shared fragment pages can bypass the unshare check and trigger an in-place decryption — causing memory corruption and privilege escalation to root.
- Type: CWE-269 — improper privilege management
- Vector: local, low complexity, no user interaction
- CVSS v3.1 score: 7.8 (High)
- Full vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Introduced: June 2023
Affected systems
| Distribution | Affected versions |
|---|---|
| Ubuntu | 20.04, 22.04, 24.04 |
| Debian | 11, 12, 13 |
| Red Hat / RHEL | 8, 9, 10 |
| Rocky Linux / AlmaLinux | 8, 9, 10 |
| Oracle Linux | 8, 9 |
| Amazon Linux | 2, 2023 |
| SUSE / openSUSE | Recent versions |
| Fedora, CentOS Stream, Arch | Recent versions |
| Proxmox VE | Recent versions |
Containerised environments: container workloads inherit the host kernel’s exposure. Any container able to create AF_KEY, XFRM netlink or AF_RXRPC sockets can escalate to root on the host.
Remediation steps
1. Update the kernel (priority action)
Apply patched kernels as soon as possible via your distribution’s official channels:
```bash
# Debian / Ubuntu
apt update && apt full-upgrade

# RHEL / Rocky / AlmaLinux
dnf clean metadata && dnf upgrade

# Reboot after updating
reboot
```
2. Temporary mitigation
If the patch cannot be applied immediately, disable the vulnerable modules:
```bash
echo "install esp4 /bin/false" >> /etc/modprobe.d/disable-dirty-frag.conf
echo "install esp6 /bin/false" >> /etc/modprobe.d/disable-dirty-frag.conf
echo "install rxrpc /bin/false" >> /etc/modprobe.d/disable-dirty-frag.conf
```
Warning: disabling esp4/esp6 will break IPsec tunnels (strongSwan, Libreswan). Do not apply on hosts that terminate or transit IPsec tunnels.
3. Unprivileged user namespaces
Disabling unprivileged user namespaces is an effective mitigation for the ESP/XFRM variant:
```bash
sysctl -w kernel.unprivileged_userns_clone=0
```
4. Kubernetes environments
Maintain hardened seccomp profiles and restrict AF_KEY and AF_RXRPC socket creation in pod security policies.
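A host-level check for the temporary mitigations in steps 2 and 3, as an added example (not code from this advisory or its sources). The function names and the path arguments are this example's own; because an `install … /bin/false` rule only blocks future loads, the script also reports modules that are already loaded.

```bash
#!/usr/bin/env bash
# Added example: audit the step 2 and step 3 mitigations on one host.
# Every path is a parameter so the checks can run against copies or fixtures.
MODULES="esp4 esp6 rxrpc"   # modules named in step 2

# module_blocked NAME [DIR]: true if a modprobe.d file maps NAME to /bin/false.
module_blocked() {
    local name="$1" dir="${2:-/etc/modprobe.d}"
    grep -Eqs "^[[:space:]]*install[[:space:]]+${name}[[:space:]]+/bin/false[[:space:]]*$" "$dir"/*.conf
}

# module_loaded NAME [FILE]: true if NAME is in the first column of /proc/modules.
module_loaded() {
    local name="$1" file="${2:-/proc/modules}"
    awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$file" 2>/dev/null
}

# userns_state [FILE]: prints "disabled", "enabled" or "absent".
# Assumption: a missing sysctl file means this kernel does not expose the knob.
userns_state() {
    local file="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -r "$file" ] || { echo absent; return 0; }
    if [ "$(cat "$file")" = "0" ]; then echo disabled; else echo enabled; fi
}

# audit_host [MODPROBE_DIR] [PROC_MODULES] [SYSCTL_FILE]
# Prints one line per finding; the return status is the number of gaps found.
audit_host() {
    local dir="${1:-/etc/modprobe.d}" mods="${2:-/proc/modules}"
    local knob="${3:-/proc/sys/kernel/unprivileged_userns_clone}" gaps=0 m
    for m in $MODULES; do
        if ! module_blocked "$m" "$dir"; then
            echo "GAP  $m: no 'install $m /bin/false' rule in $dir"; gaps=$((gaps + 1))
        elif module_loaded "$m" "$mods"; then
            echo "GAP  $m: blocked for future loads but still loaded"; gaps=$((gaps + 1))
        else
            echo "OK   $m: blocked and not loaded"
        fi
    done
    case "$(userns_state "$knob")" in
        disabled) echo "OK   unprivileged user namespaces disabled" ;;
        enabled)  echo "GAP  unprivileged user namespaces enabled"; gaps=$((gaps + 1)) ;;
        absent)   echo "INFO userns sysctl not present; step 3 cannot be verified here" ;;
    esac
    return "$gaps"
}

# Audit the live host only when asked: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_host; fi
```

A non-zero exit status from `audit_host` is the count of mitigations that are missing or not yet effective; it says nothing about whether the running kernel is patched.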
Heavy Mind managed IT clients
Servers under a Heavy Mind managed IT contract received immediate attention. Patches have been deployed across all affected environments — no action required on your end.
Not a managed IT client?
Heavy Mind can support you on these vulnerabilities — and beyond:
- Linux server audit: inventory of exposed kernels, attack surface analysis and verification of mitigations in place
- Patch deployment: controlled rollout with regression testing
- Monitoring setup: proactive detection of future critical vulnerabilities across your server fleet
Let's talk about your needs and build the right solution together.
Sources: NVD CVE-2026-43284 · NVD CVE-2026-43500 · Red Hat RHSB-2026-003 · AlmaLinux Advisory — Dirty Frag · Canadian Centre for Cyber Security AL26-011 · Wiz Blog — Dirty Frag