Dirty Frag: Linux Kernel Vulnerability Chain Enables Local Privilege Escalation to Root

Executive Summary

A Linux kernel vulnerability chain dubbed Dirty Frag has been disclosed, enabling a low-privileged local user to escalate privileges to root on affected Linux systems. The issue is especially relevant for cloud environments where attackers often gain an initial foothold through compromised credentials, vulnerable applications, CI/CD runners, containers, or exposed administrative services before attempting privilege escalation on the host. Reports of limited in-the-wild exploitation have started surfacing, involving suspicious su-based privilege escalation that may be associated with Dirty Frag or the recently disclosed Copy Fail vulnerability.

Dirty Frag is tracked as two related vulnerabilities: CVE-2026-43284, affecting the Linux kernel’s IPsec ESP path through esp4 and esp6, and CVE-2026-43500, affecting RxRPC. Together, these flaws can be chained to corrupt page-cache-backed memory and escalate privileges without modifying the file on disk.

About the vulnerability: CVE-2026-43284 and CVE-2026-43500

Dirty Frag belongs to the same broader page-cache corruption family as Dirty COW and Copy Fail, but it reaches the vulnerable condition through Linux networking components instead of the same crypto path used by Copy Fail. The vulnerability chain abuses kernel behavior in paths that process fragmented socket buffers, where pages that are not privately owned by the kernel may be modified in place. In practical terms, an attacker who already has local execution may be able to tamper with sensitive file contents as represented in memory, enabling root-level execution while leaving the underlying disk file unchanged.

The vulnerability is tracked as two separate CVEs because they cover different Linux deployment conditions. CVE-2026-43284, the ESP path issue, affects IPsec-related kernel modules and has been patched in mainline and stable kernel references. CVE-2026-43500 affects RxRPC, and vendor status varies by distribution.

Dirty Frag was disclosed after the coordinated disclosure timeline was disrupted, leading to public proof-of-concept availability before many distributions had completed patch rollout. Early reporting described the issue as broadly affecting major distributions, including Ubuntu, RHEL, Fedora, CentOS Stream, openSUSE, and AlmaLinux, while vendor advisories have since been updated with distribution-specific mitigation and patch guidance.

Risk impact

Successful exploitation could allow an attacker to gain root privileges on the affected Linux host. On non-containerized systems, this means full host compromise. In containerized environments, Ubuntu warns that the issue may also contribute to container escape scenarios where arbitrary third-party workloads are executed, although a container-escape proof of concept has not been published in its advisory.

The page-cache aspect also creates an important detection gap. Because the exploit can alter the in-memory representation of protected files rather than the file stored on disk, traditional file-integrity checks that rely only on disk hashes may miss signs of exploitation. Security teams should treat suspicious privilege escalation, unexpected execution of su, unusual kernel-module interactions, newly staged ELF binaries, and modifications to authentication-related files as high-priority investigation leads.

Affected systems

The full affected matrix depends on kernel version, distribution packaging, enabled modules, and vendor backports. Official advisories identify the vulnerable components as the Linux kernel modules used for IPsec ESP and RxRPC. Ubuntu stated that multiple Ubuntu releases were affected and assessed the issue as HIGH with a CVSS 3.1 score of 7.8, while Red Hat rated the issue Important and confirmed impact to RHEL 8, 9, 10, and OpenShift 4 during its ongoing investigation.

NVD lists CVE-2026-43284 as an issue in the Linux kernel’s ESP handling of shared socket-buffer fragments, with multiple stable-kernel patch references and a CISA-ADP CVSS 3.1 score of 7.8 HIGH.

Patch availability is moving quickly and differs by vendor. AlmaLinux, for example, updated its advisory to state that patched kernels were rolling out to production repositories on May 8, 2026, and published patched kernel version guidance for AlmaLinux 8, 9, and 10. Red Hat’s bulletin remains marked ongoing as of its May 9 update and includes mitigation guidance for affected products.

Mitigation recommendations

Organizations should prioritize kernel updates from their Linux distribution vendor. Where patched kernels are available, update and reboot into the fixed kernel as soon as operationally possible. Where patches are not yet available or cannot be deployed immediately, apply temporary mitigations after validating operational impact.

Recommended actions:

1. Patch affected kernels using vendor-supported packages and reboot into the updated kernel.
2. Temporarily block vulnerable modules where operationally safe. This generally means preventing esp4, esp6, and rxrpc from loading and unloading them if already active. Disabling esp4 and esp6 may disrupt IPsec or VPN functionality, while disabling rxrpc may affect AFS or other RxRPC-dependent environments.  
3. Validate whether IPsec or RxRPC is in use before applying blanket mitigations in production. Red Hat notes that blocklisting ESP modules can break IPsec after reboot, and blocklisting RxRPC can break AFS client connectivity.  
4. Restrict local execution paths by limiting unnecessary shell access, tightening SSH exposure, enforcing least privilege, and ensuring container workloads run with hardened security contexts.
5. Harden container and Kubernetes environments by avoiding unnecessary capabilities such as CAP_NET_ADMIN, enforcing SELinux or AppArmor where applicable, using default-secure pod policies or security context constraints, and limiting debug access to trusted administrators.  
6. Investigate suspected compromise before assuming patching alone is sufficient. Because the page cache can remain affected until cleared or the system is rebooted, systems suspected of exploitation should go through incident response, including memory-aware investigation, credential rotation, and reboot or cache-clearing steps consistent with vendor guidance. 

How can Orca help?

Orca enables customers to quickly identify cloud assets running affected Linux kernels, understand whether they are exposed in context, and prioritize remediation based on real-world risk rather than CVSS alone. This includes correlating vulnerable workloads with factors such as internet exposure, container hosting, privileged runtime settings, sensitive data access, identity risk, and asset criticality.