EresusSecurity
ERESUS-ADV-2026-006 | Severity: High | CVSS: 7.8

Dirty Frag: Linux Kernel Local Privilege Escalation via xfrm-ESP and RxRPC (CVE-2026-43284, CVE-2026-43500)

Disclosed: 2026-05-17

Summary

Dirty Frag is a chained local privilege escalation (LPE) vulnerability in the Linux kernel, publicly disclosed on May 8, 2026 by Wiz researchers Merav Bar and Rami McCarthy. It combines two page-cache write primitives — one in the xfrm-ESP (IPsec) subsystem (CVE-2026-43284) and one in the RxRPC subsystem (CVE-2026-43500) — to enable deterministic root escalation from an unprivileged local user account.

Microsoft Defender confirmed limited in-the-wild exploitation as of May 8, 2026.

A related variant, Fragnesia (CVE-2026-46300), was disclosed on May 14, 2026. See ERESUS-ADV-2026-007 for details.

CVE IDs: CVE-2026-43284 (xfrm-ESP), CVE-2026-43500 (RxRPC)

Affected Systems

  • Subsystems: esp4, esp6 (xfrm-ESP/IPsec), rxrpc kernel modules
  • Distributions: Ubuntu, Red Hat Enterprise Linux, Debian, Amazon Linux, SUSE, Fedora, Rocky Linux, AlmaLinux, CloudLinux, Gentoo, and all distributions shipping unpatched kernel versions
  • Prerequisite: Local code execution (unprivileged user account sufficient)
  • Container note: Exploitation from within a container requires CAP_NET_ADMIN; host-level access bypasses this requirement

Technical Overview

Both CVEs allow modification of page-cache-backed memory not exclusively owned by the kernel, using splice()-based paths through the respective networking subsystems. Unlike race-condition exploits, this bug class is deterministic and reliable. A working single-command PoC is publicly available.

Important: This vulnerability is independent of Copy Fail (CVE-2026-31431). Applying the Copy Fail mitigation (algif_aead blocklist) does not protect against Dirty Frag.

| CVE | Subsystem | Mainline Patch Commit |
|---|---|---|
| CVE-2026-43284 | xfrm-ESP (esp4, esp6) | f4c50a4034e6 |
| CVE-2026-43500 | RxRPC | aa54b1d27fe0 |

Observed Exploitation

Microsoft Defender documented a campaign where:

  1. Attacker gains SSH access to a target system
  2. ELF binary (./update) triggers privilege escalation via su
  3. GLPI LDAP authentication config is modified
  4. PHP session files are deleted and harvested for credential access

Mitigation

Until vendor kernel patches are applied, blocklist the affected modules:

cat > /etc/modprobe.d/disable-dirtyfrag.conf << 'EOF'
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
EOF

rmmod rxrpc 2>/dev/null || true
rmmod esp6 2>/dev/null || true
rmmod esp4 2>/dev/null || true

Note: This workaround interrupts active IPsec VPN sessions. Verify IPsec usage with ip xfrm state list before applying.
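The following audit script is an added example, not part of this advisory: it checks whether the three affected modules are loaded, whether each has an `install ... /bin/false` line in modprobe.d, and whether `ip xfrm state list` shows live IPsec SAs that the workaround would cut. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the Dirty Frag module
# blocklist and IPsec usage. Function names and sample inputs are mine.

# Modules the advisory names as affected.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Print the affected modules present in lsmod output (arg 1). lsmod puts the
# module name in column 1; "Used by" mentions such as "1 esp4" must not count.
dirtyfrag_loaded_modules() {
    found=""
    for m in $DIRTYFRAG_MODULES; do
        if printf '%s\n' "$1" | grep -Eq "^$m[[:space:]]"; then
            found="${found:+$found }$m"
        fi
    done
    printf '%s' "$found"
}

# Print the affected modules lacking an "install <mod> /bin/false" (or
# /bin/true) line in the concatenated modprobe.d text (arg 1).
dirtyfrag_unblocked_modules() {
    missing=""
    for m in $DIRTYFRAG_MODULES; do
        pat="^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(false|true)([[:space:]]|\$)"
        if ! printf '%s\n' "$1" | grep -Eq "$pat"; then
            missing="${missing:+$missing }$m"
        fi
    done
    printf '%s' "$missing"
}

# Return 0 if "ip xfrm state list" output (arg 1) lists any SA, meaning the
# workaround would interrupt live IPsec traffic. Each SA starts with "src ".
dirtyfrag_ipsec_in_use() {
    printf '%s\n' "$1" | grep -Eq '^src '
}

# Constructed sample inputs: a host where esp6 was left out of the blocklist.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   24576  0
xfrm_algo              16384  1 esp4
rxrpc                 118784  0'
SAMPLE_MODPROBE='install esp4 /bin/false
install rxrpc /bin/false'
SAMPLE_XFRM=''

echo "loaded affected modules: $(dirtyfrag_loaded_modules "$SAMPLE_LSMOD")"
echo "not blocklisted:         $(dirtyfrag_unblocked_modules "$SAMPLE_MODPROBE")"
dirtyfrag_ipsec_in_use "$SAMPLE_XFRM" && echo "warning: IPsec SAs present" || :
```

On a real host, feed the functions `$(lsmod)`, `$(cat /etc/modprobe.d/*.conf)` and `$(ip xfrm state list)` instead of the samples.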

Patch Status

| Distribution | Advisory |
|---|---|
| Ubuntu | dirty-frag-linux-vulnerability-fixes-available |
| Red Hat | RHSB-2026-003 |
| Amazon Linux | AWS Security Bulletin 2026-027 |
| SUSE | addressing-copy-fail2-aka-dirtyfrag |
| Debian | CVE-2026-43284 tracker |

References