Linux Patches 2 Dirty Frag Flaws Enabling Root Access as Limited Exploitation Emerges
Updated · The Hacker News · May 11
Mainline Linux has patched Dirty Frag’s two privilege-escalation bugs as CVE-2026-43284 and CVE-2026-43500 after researchers showed the chain could give unprivileged users root on many distributions.
The exploit combines page-cache write flaws in xfrm-ESP and RxRPC, creating a deterministic, high-success path that avoids race conditions and can work even where Copy Fail mitigations such as algif_aead blacklisting are in place.
Ubuntu 24.04.4, RHEL 10.1, Fedora 44 and other major distributions were cited as affected, with Ubuntu warning the bugs could also enable container escapes in some deployments.
Microsoft said it has seen limited in-the-wild activity consistent with Dirty Frag or Copy Fail, including SSH access, execution of an ELF binary, privilege escalation via su, and follow-on access to GLPI files and PHP sessions.
Until patched kernels are deployed, advisories recommend blocklisting the esp4, esp6 and rxrpc modules; Wiz said exploitation still needs access to vulnerable interfaces and is less likely in hardened containers.
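The interim mitigation above (blocklisting esp4, esp6 and rxrpc) can be checked per host. The script below is an added example, not code from the article or the advisories; it assumes the usual modprobe.d search directories, and it reports `blacklist` entries separately from `install <module> /bin/false` entries because `blacklist` only suppresses alias-triggered autoloading.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc blocklist mitigation on one host.
MODULES="esp4 esp6 rxrpc"
# Assumption: the usual modprobe.d search path; adjust for your distribution.
CONF_DIRS="/etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d"

# module_loaded MODULE [FILE]: true if MODULE is listed in /proc/modules (or FILE).
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' \
        "${2:-/proc/modules}" 2>/dev/null
}

# module_policy MODULE [DIR...]: print the strongest policy configured for MODULE.
#   install-blocked  "install MODULE /bin/false" (or true): modprobe runs that instead
#   blacklisted      "blacklist MODULE": only alias-triggered autoloading is ignored
#   none             nothing configured
module_policy() {
    mod=$1; shift
    [ $# -gt 0 ] || set -- $CONF_DIRS
    policy=none
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            found=$(awk -v m="$mod" '
                $1 == "install" && $2 == m && $3 ~ /(^|\/)(false|true)$/ { r = "install-blocked" }
                $1 == "blacklist" && $2 == m && r == "" { r = "blacklisted" }
                END { print r }' "$f")
            if [ "$found" = install-blocked ]; then
                policy=install-blocked
            elif [ "$found" = blacklisted ] && [ "$policy" = none ]; then
                policy=blacklisted
            fi
        done
    done
    echo "$policy"
}

# audit_module MODULE PROC_FILE DIR...: print "MODULE <loaded|not-loaded> <policy>".
# A module that is already loaded stays loaded until it is removed or the host reboots.
audit_module() {
    name=$1; proc=$2; shift 2
    if module_loaded "$name" "$proc"; then state=loaded; else state=not-loaded; fi
    echo "$name $state $(module_policy "$name" "$@")"
}

# Report the live host; "not-loaded install-blocked" is the target state.
for m in $MODULES; do
    audit_module "$m" /proc/modules $CONF_DIRS
done
```

Any line reporting `loaded` or `none` marks a host where the mitigation is not yet effective.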
Dirty Frag Hits Linux: CVE-2026-43284 & CVE-2026-43500 Enable Root Escalation Across Major Distributions
Overview
Dirty Frag is a newly disclosed, critical vulnerability chain in the Linux kernel, tracked as CVE-2026-43284 and CVE-2026-43500. The chain lets attackers who have already gained initial access escalate their privileges and potentially gain root on affected systems. It works by letting attackers manipulate memory through flaws in the IPsec ESP and RxRPC subsystems, and the vulnerabilities have already been exploited in the wild. Because Dirty Frag affects many major Linux distributions and can be used to escape containers, organizations are urged to patch immediately and monitor for suspicious activity.