Linux kernel Dirty Frag flaw is exploited in the wild
Updated
Updated · The Hacker News · May 8
Linux kernel Dirty Frag flaw is exploited in the wild
8 articles · Updated · The Hacker News · May 8
Microsoft reported limited attacks using SSH, an ELF binary and the su command; CVE-2026-43284 is patched upstream, while CVE-2026-43500 remains unpatched.
The chained xfrm-ESP and RxRPC page-cache write bugs can give local users root on major distributions and may enable container escape in some deployments.
A public one-command PoC increases urgency; vendors advise blocklisting esp4, esp6 and rxrpc modules because earlier Copy Fail mitigations do not stop Dirty Frag.
'Dirty Frag' bypasses its predecessor's fix in just one day. Are we entering a new era of rapid, chained zero-day exploits?
As AI accelerates vulnerability discovery, is the security model for shared-kernel containers now fundamentally broken?
The 'Dirty Frag' fix breaks VPNs, forcing a choice between security and connectivity. How should enterprises navigate this dilemma?
Urgent Security Alert: Dirty Frag Exploit Grants Reliable Root Privileges on Linux Systems
Overview
In May 2026, an unidentified party prematurely broke the embargo on the critical Dirty Frag Linux kernel vulnerability, forcing researcher Hyunwoo Kim to release a proof-of-concept exploit. This exposed millions of Linux systems worldwide without available patches, allowing attackers to gain reliable root access by manipulating the kernel's page cache in RAM. The vulnerability affects major distributions and poses severe risks to cloud, multi-tenant, and containerized environments. Immediate mitigation requires disabling key kernel modules, which can disrupt services, while AlmaLinux and CloudLinux have released patches and live updates. Dirty Frag bypasses previous defenses and highlights systemic weaknesses in Linux kernel security, demanding urgent and coordinated response.