Dirty Frag CVE-2026-43284: New Linux Kernel Exploit Gives Root Access on Every Major Distribution

A new Linux kernel privilege escalation vulnerability called Dirty Frag can give any local user root access on virtually every major Linux distribution. Disclosed on May 7, 2026, Dirty Frag chains two independent page-cache write vulnerabilities in the xfrm-ESP and RxRPC kernel subsystems to achieve reliable, universal local privilege escalation. It has been successfully tested on Ubuntu 24.04, RHEL 10.1, Fedora 44, openSUSE Tumbleweed, CentOS Stream 10, and AlmaLinux 10.

If you run Linux servers, containers, or cloud instances, this is a patch-immediately situation. A proof-of-concept exploit is publicly available, one of the two patches is still pending upstream, and the vulnerability class affects systems going back years. Here is everything you need to know.

What Is Dirty Frag?

Dirty Frag is a local privilege escalation (LPE) vulnerability that allows any unprivileged user on a Linux system to escalate their privileges to root. The name follows the tradition of “Dirty” Linux kernel vulnerabilities — Dirty COW (2016), Dirty Pipe (2022), and now Dirty Frag (2026).

What makes Dirty Frag particularly dangerous is that it is a vulnerability class, not a single bug. It chains two separate page-cache write vulnerabilities, each independently exploitable, to achieve root. Disabling only one of the affected subsystems still leaves the other exploitable. You need to patch or mitigate both.

The vulnerability was publicly disclosed on May 7, 2026, via the oss-security mailing list after the embargo was broken by an unrelated third party. This premature disclosure means organizations had less time than planned to prepare patches before exploit code became available.

How Dirty Frag Works: Chaining Two Page-Cache Vulnerabilities

Dirty Frag achieves root privileges by exploiting two independent page-cache write vulnerabilities in the Linux kernel networking stack:

Vulnerability 1: xfrm-ESP Page-Cache Write (CVE-2026-43284)

The first vulnerability exists in the xfrm framework’s ESP (Encapsulating Security Payload) implementation. ESP is used for IPsec VPN connections. The bug allows an attacker to corrupt page cache entries through carefully crafted ESP packets, enabling arbitrary writes to kernel memory through the page cache mechanism.

Vulnerability 2: RxRPC Page-Cache Write (CVE-2026-43500)

The second vulnerability is in the RxRPC protocol implementation, used by the Andrew File System (AFS). A similar page-cache write primitive exists in the RxRPC packet processing code, providing an independent path to the same type of kernel memory corruption.

The Chain:

Either vulnerability alone can be used for privilege escalation. But chaining them together creates a more reliable exploit that works across different kernel configurations. According to Tenable’s FAQ, the page-cache write primitive allows the attacker to modify sensitive kernel data structures, including credential structures, to elevate their privileges from an unprivileged user to root.

Dirty Frag Affected Distributions: Ubuntu, RHEL, Fedora, SUSE, and More

Dirty Frag has been successfully tested and confirmed to grant root access on the following distributions:

• Ubuntu 24.04.4 LTS
• Red Hat Enterprise Linux (RHEL) 10.1
• openSUSE Tumbleweed
• CentOS Stream 10
• AlmaLinux 10
• Fedora 44

Because the vulnerable code exists in core networking subsystems (xfrm/ESP and RxRPC) that have been present in the kernel for years, older distribution versions are likely affected as well. Any Linux system running a kernel with the esp4/esp6 or rxrpc modules loaded — or loadable — is potentially vulnerable.

Red Hat’s security bulletin RHSB-2026-003 provides specific guidance for RHEL systems, while Ubuntu has published patches and mitigation steps for affected releases.

CVE Details: CVE-2026-43284 and CVE-2026-43500

Two CVE identifiers have been assigned to cover the Dirty Frag vulnerability class:

• CVE-2026-43284 — xfrm-ESP Page-Cache Write vulnerability. This is the IPsec-related component. A patch was merged into the upstream netdev tree on May 7, 2026.
• CVE-2026-43500 — RxRPC Page-Cache Write vulnerability. This is the AFS-related component. An upstream patch is still pending as of this writing.

Both vulnerabilities are independently exploitable. Patching only CVE-2026-43284 while leaving CVE-2026-43500 unpatched still leaves the system vulnerable to privilege escalation through the RxRPC path. Organizations must address both CVEs to fully remediate Dirty Frag.

Disclosure Timeline: Embargo Broken by Third Party

The Dirty Frag disclosure did not go as planned. The vulnerability was under coordinated disclosure with an embargo period to give distributions time to prepare patches. However, the embargo was broken by an unrelated third party on May 7, forcing the researcher to publish the full details and proof-of-concept exploit earlier than intended.

This is a recurring problem in vulnerability disclosure. When embargoes break, the window between public knowledge and available patches narrows dramatically, giving defenders less time to react while attackers gain immediate access to exploit details. Microsoft’s security blog noted that Dirty Frag is already being used in post-compromise scenarios to expand attacker access on compromised Linux systems.

Patch Status: ESP Fixed, RxRPC Still Pending

As of May 11, 2026, the patch status is mixed:

• CVE-2026-43284 (ESP): Patch merged into the upstream netdev tree on May 7. Distribution-specific packages are rolling out.
• CVE-2026-43500 (RxRPC): Upstream patch is still pending. Some distributions have applied their own fixes, but a canonical upstream fix is not yet available.

Check your distribution’s security advisory page for the latest patch availability. Ubuntu, Red Hat, SUSE, and others have published advisories with specific kernel versions that include fixes.

Mitigations: Disable Vulnerable Kernel Modules

If you cannot patch immediately, the recommended mitigation is to disable the vulnerable kernel modules. However, there is an important caveat: the two vulnerabilities are independent. Disabling only one set of modules leaves the other path exploitable.

To mitigate CVE-2026-43284 (ESP/IPsec), block the esp4 and esp6 modules:

echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/disable-esp4.conf
echo "install esp6 /bin/false" | sudo tee /etc/modprobe.d/disable-esp6.conf

To mitigate CVE-2026-43500 (RxRPC), block the rxrpc module:

echo "install rxrpc /bin/false" | sudo tee /etc/modprobe.d/disable-rxrpc.conf

You must disable BOTH sets to fully mitigate Dirty Frag. Disabling only ESP modules or only RxRPC modules still leaves one exploit path open.

Warning: Disabling esp4/esp6 will break IPsec VPN connections. Disabling rxrpc will break AFS file system access. Evaluate the impact on your environment before applying these mitigations. For most cloud and web server deployments, neither ESP nor RxRPC is typically required.

How Dirty Frag Compares to Dirty Pipe and Dirty COW

Dirty Frag joins a notorious family of Linux kernel privilege escalation vulnerabilities:

• Dirty COW (CVE-2016-5195): Race condition in copy-on-write handling. Required repeated exploitation attempts and was somewhat unreliable. Affected kernels going back to 2007.
• Dirty Pipe (CVE-2022-0847): Pipe buffer flag manipulation allowing arbitrary file overwrites. Extremely reliable, simple exploit. Affected kernels 5.8+.
• Dirty Frag (CVE-2026-43284/43500): Page-cache write corruption through ESP and RxRPC subsystems. Chains two independent vulnerabilities. Reliable across all major distributions.

Dirty Frag is arguably the most versatile of the three because it provides two independent exploit paths. Even if one is patched or mitigated, the other remains available. This redundancy makes it particularly valuable for attackers and particularly challenging for defenders.

Who Should Worry: Cloud, Containers, and Shared Hosting

Dirty Frag is a local privilege escalation, meaning an attacker needs some level of local access before exploiting it. But “local access” in 2026 includes a lot of scenarios:

• Cloud instances: Any compromised web application, container escape, or SSH access gives the attacker a foothold to escalate to root
• Containers: Container breakout combined with Dirty Frag gives root on the host — a complete container security failure
• Shared hosting: Any user on a shared hosting server can potentially gain root access to the entire machine
• Multi-tenant environments: One compromised tenant can escalate to control the underlying infrastructure
• CI/CD pipelines: Malicious code in a build pipeline could exploit Dirty Frag to compromise the build server

The vulnerability is most dangerous in environments where multiple users or workloads share the same kernel. Single-user desktops are lower risk because the primary user typically already has sudo access.

What to Do Right Now

• Check your kernel version against your distribution’s security advisory
• Apply available patches immediately — Ubuntu and Red Hat have released fixes
• Disable esp4, esp6, and rxrpc modules on systems that cannot be patched yet
• Audit for compromise — If your systems were exposed, check for unauthorized privilege escalation
• Monitor for kernel updates — The RxRPC patch is still pending upstream; watch for your distribution’s update
• Prioritize multi-tenant systems — Shared hosting, Kubernetes nodes, and CI/CD servers should be patched first

Final Thoughts

Dirty Frag is a serious privilege escalation vulnerability that affects every major Linux distribution. The combination of two independent exploit paths, a broken embargo leading to early PoC availability, and one patch still pending upstream creates a challenging security situation. If you run Linux in production — and statistically, you almost certainly do — check your kernel version, apply patches, disable the vulnerable modules, and monitor for signs of exploitation. The “Dirty” family of Linux vulnerabilities keeps growing, and Dirty Frag is its most versatile member yet.

How to Protect Your Linux Servers from this vulnerability

System administrators managing Linux servers need to act immediately against this Dirty Frag exploit. The CVE-2026-43284 vulnerability targets a fundamental flaw in IP fragment reassembly that has existed in Linux kernel versions 5.10 through 6.12. Here are the critical steps every organization should take right now.

First, check your kernel version with uname -r and compare it against the patched versions listed in the Linux Kernel Archives. Distributions including Red Hat, Ubuntu, and Debian have already released emergency patches. Apply them immediately using your package manager: apt update && apt upgrade for Debian-based systems or dnf update kernel for Red Hat derivatives.

If immediate patching isn’t possible, the temporary mitigation involves adjusting the kernel’s IP fragment handling. Set net.ipv4.ipfrag_high_thresh = 262144 and net.ipv4.ipfrag_low_thresh = 196608 in /etc/sysctl.conf to limit the memory available for fragment reassembly. The NIST National Vulnerability Database entry for CVE-2026-43284 provides the full technical details. Meanwhile, the PAN-OS zero-day CVE-2026-0300 demonstrates that network appliances face equally critical vulnerabilities. CISA’s CI Fortify directive now requires infrastructure operators to prepare for extended offline operation, and the Canvas LMS breach shows what happens when patching is delayed. Stay current with the cPanel zero-day timeline for additional context on server-side exploits in 2026.