Security News 9 min read May 9, 2026

Dirty Frag (CVE-2026-43284): Universal Linux Privilege Escalation via Kernel Networking

Disclosed on May 7, 2026, Dirty Frag chains two kernel networking vulnerabilities to give any local user root access. Here's what it is, why it's urgent, and how to protect your systems.

What Is Dirty Frag?

Dirty Frag is a critical local privilege escalation (LPE) vulnerability affecting the Linux kernel's networking subsystem. Publicly disclosed on May 7, 2026, it allows any unprivileged local user to gain root access on all major Linux distributions — reliably, deterministically, and without race conditions.

Unlike typical single-bug exploits, Dirty Frag chains two separate vulnerabilities in the kernel's page cache handling:

  • CVE-2026-43284 — xfrm-ESP Page-Cache Write vulnerability (in esp4 and esp6 modules)
  • CVE-2026-43500 — RxRPC Page-Cache Write vulnerability (in the rxrpc module)

Both vulnerabilities independently allow controlled writes to the kernel page cache, enabling an attacker to modify protected files — including setuid binaries — in memory and escalate to root.

7.8
CVSS 3.1 score (High severity)
2 CVEs
chained for reliable exploitation
0-day
disclosed without patches (broken coordinated disclosure)

How Dirty Frag Works

Dirty Frag targets the same fundamental primitive as CopyFail (CVE-2026-31431) — controlled writes to the Linux page cache — but through the networking subsystem rather than the crypto API.

Dirty Frag: Dual-Path Exploitation Path 1: xfrm-ESP (CVE-2026-43284) • Targets esp4/esp6 kernel modules • IPsec packet fragmentation handling flaw • Allows controlled page-cache write Affects: Any system with esp4/esp6 modules available Path 2: RxRPC (CVE-2026-43500) • Targets rxrpc kernel module • AFS protocol packet handling flaw • Independent page-cache write primitive Affects: Any system with rxrpc module available Page Cache Corruption of Setuid Binary In-memory only — disk unchanged, evades FIM ROOT PRIVILEGE ESCALATION Either path alone is sufficient — both work independently

Dirty Frag provides two independent exploitation paths through the kernel networking subsystem — either alone achieves root

The Attack Flow

  1. The attacker creates specially crafted network packets targeting either the ESP (IPsec) or RxRPC (AFS) protocol handlers
  2. A flaw in how these modules handle packet fragmentation allows writing controlled data into the kernel page cache
  3. The attacker targets the page cache entry of a setuid binary (e.g., /usr/bin/sudo)
  4. The corrupted page cache is served to subsequent executions of that binary
  5. When executed, the corrupted binary runs attacker-controlled code as root

Why This Disclosure Is Unusual

Dirty Frag's disclosure was unusual because it was released as a 0-day — without coordinated patches available from all vendors. According to the oss-security mailing list, the coordinated disclosure process broke down, leading to public disclosure before some distributions had patches ready.

Broken Coordinated Disclosure

Unlike CopyFail (which had patches ready at disclosure), Dirty Frag was disclosed on May 7, 2026 with some vendors still preparing fixes. This means a window of active exposure existed where the exploit was public but patches were not universally available. Some distributions (like Ubuntu) released mitigations within 24 hours, but others lagged behind.

Who Is Affected?

Dirty Frag affects all Linux kernel versions with the esp4, esp6, or rxrpc modules available — which is essentially every Linux distribution since 2017.

Module Protocol Common Use Loaded by Default?
esp4 / esp6 IPsec ESP VPN tunnels, network encryption Often auto-loaded on demand
rxrpc RxRPC (AFS) Andrew File System Available but rarely loaded

IPsec VPN Users: Read Carefully

If your infrastructure uses IPsec VPNs (StrongSwan, Libreswan, Openswan), disabling the esp4/esp6 modules will break your VPN connectivity. For these environments, patching the kernel is the only viable option. Plan emergency maintenance windows accordingly.

Immediate Mitigation

If you cannot patch immediately, disable the affected modules:

# Create modprobe blacklist
cat <<EOF | sudo tee /etc/modprobe.d/dirtyfrag.conf
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
EOF

# Unload modules if currently loaded
sudo modprobe -r esp4 2>/dev/null
sudo modprobe -r esp6 2>/dev/null
sudo modprobe -r rxrpc 2>/dev/null
  • Check if modules are loaded: lsmod | grep -E "esp4|esp6|rxrpc"
  • Verify after mitigation: Attempt to load the modules to confirm they're blocked
  • Test VPN connectivity: If using IPsec, you cannot disable esp modules — patch instead
  • Plan kernel update: Schedule emergency patching within 24-48 hours

Dirty Frag vs CopyFail: Comparison

Dirty Frag arrives just days after CopyFail (CVE-2026-31431), making May 2026 one of the most significant months for Linux kernel security in years. Here's how they compare:

Characteristic CopyFail (CVE-2026-31431) Dirty Frag (CVE-2026-43284/43500)
Attack vector Crypto subsystem (AF_ALG) Networking subsystem (ESP/RxRPC)
Exploit complexity 732-byte Python script Network packet crafting
Race condition? No No
Disclosure type Coordinated (patches ready) Broken disclosure (partial 0-day)
Mitigation impact Low (algif_aead rarely used) High if using IPsec VPNs
CVSS 7.8 7.8

The Bigger Picture: Why Access Management Matters More Than Ever

Two critical kernel LPEs in the same week. Both allow any local user to become root. Both have existed since 2017. The message is clear: if someone has shell access to your Linux system, assume they can become root.

This fundamentally changes how you should think about infrastructure access:

  • Minimize local access: Every SSH session is a potential root escalation. Reduce who has standing access.
  • Time-limit all access: JIT (Just-in-Time) access means credentials expire automatically — reducing the window of exploitation.
  • Record everything: Session recording creates an audit trail that reveals exploitation attempts.
  • Assume breach: Design your access architecture assuming any individual server can be compromised. Limit blast radius.
  • Patch fast: Automated access management frees your team to focus on patching instead of access ticket handling.

With OnePAM, your production infrastructure has fewer standing access sessions, every session is recorded and auditable, and access automatically expires — meaning even if a kernel LPE exists, the window and scope of exploitation is dramatically reduced.

Two Kernel LPEs in One Week. Is Your Access Locked Down?

CopyFail and Dirty Frag prove that local access = root access. OnePAM's Just-in-Time access, session recording, and auto-expiring credentials minimize your exposure to kernel-level threats.

Start Free Trial

Recommendations for Security Teams

Immediate Actions (Next 24 Hours)

1. Identify all systems running affected kernels (essentially all Linux systems).

2. Apply module blacklisting where IPsec is not in use.

3. Schedule emergency kernel patching for all production systems.

4. Audit who currently has shell access to production — revoke any unnecessary standing access.

5. Enable audit logging for the esp4, esp6, and rxrpc modules if you cannot disable them.

Dirty Frag and CopyFail together represent a watershed moment for Linux security. Two independent, reliable, deterministic privilege escalation vulnerabilities disclosed within days of each other — both exploiting the same fundamental page-cache write primitive through different kernel subsystems. The defensive lesson is the same: control who has local access, limit how long they have it, and record what they do with it.

CVE Dirty Frag Linux Privilege Escalation Kernel 0-day
OnePAM Team
Security & Infrastructure Team

Keep Reading