Dirty Frag (CVE-2026-43284, CVE-2026-43500): Linux Kernel LPE via Page Cache Corruption
Dirty Frag (CVE-2026-43284 / CVE-2026-43500) is a local privilege escalation (LPE) vulnerability in the Linux kernel, disclosed on May 7, 2026 by security researcher Hyunwoo Kim (@v4bel). The embargo was broken prematurely by an unidentified third party before the planned May 12 disclosure date. Patches were released on May 8, 2026.
CVE Details
Dirty Frag was split into two CVEs covering the two affected subsystems:
| CVE | Module | Severity |
|---|---|---|
| CVE-2026-43284 | xfrm/ESP – esp4, esp6 | HIGH |
| CVE-2026-43500 | rxrpc | HIGH |
Both CVEs have patches available. Apply kernel updates from your distribution vendor immediately.
Background
Hyunwoo Kim (@v4bel) is the same researcher who discovered Copy Fail (CVE-2026-31431) – a related Linux kernel page-cache privilege escalation vulnerability disclosed earlier in 2026. Both bugs belong to the same vulnerability class as Dirty Pipe (CVE-2022-0847): incorrect assumptions about page-cache mutability when sharing pages across kernel subsystems.
Affected kernel modules
Dirty Frag affects three kernel modules:
- esp4 and esp6 – IPsec ESP (Encapsulating Security Payload) for IPv4/IPv6
- rxrpc – Reliable Datagram Sockets over UDP (RxRPC protocol, used by AFS)
How it works
The vulnerability combines two distinct page-cache write bugs:
- xfrm-ESP Page-Cache Write (CVE-2026-43284) – present in the esp4/esp6 kernel modules
- RxRPC Page-Cache Write (CVE-2026-43500) – present in the rxrpc kernel module
An unprivileged attacker uses the splice() system call to embed a reference to a read-only page – for example /etc/passwd or /usr/bin/su – into the frag slot of an sk_buff structure (the kernel's socket buffer). When the kernel's receiving code performs in-place cryptographic operations (AES-GCM decryption, HMAC verification), it writes directly back into that read-only page in RAM, permanently modifying the page cache.
The result: an unprivileged user can overwrite any read-only file in the page cache and gain root-level code execution.
Why Dirty Frag is especially dangerous
Unlike typical race-condition local privilege escalation exploits, Dirty Frag is a pure logic bug:
- No race condition – no precise timing or CPU pinning required
- No kernel crash – the exploit is clean and leaves no visible instability
- 100% reliable – succeeds on the first attempt, no brute force needed
This places it in the same class as Dirty Pipe (CVE-2022-0847) – one of the most reliable local privilege escalation techniques ever found on Linux.
Current status
| Item | Details |
|---|---|
| CVE (ESP/xfrm) | CVE-2026-43284 |
| CVE (rxrpc) | CVE-2026-43500 |
| Patches | Available – apply kernel updates from your vendor |
| Public PoC | Yes – github.com/V4bel/dirtyfrag |
| Disclosure date | May 7, 2026 (embargo broken early; planned May 12) |
| Researcher | Hyunwoo Kim (@v4bel) |
Workaround
If you cannot apply patches immediately, blacklist the affected kernel modules:
```sh
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
> /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
```

> Do not apply on IPsec hosts. This blacklist disables the kernel-space ESP data path. Hosts running strongSwan, Libreswan, or any kernel-mode IPsec termination will lose VPN connectivity. For IPsec hosts, apply kernel patches as they become available.
The rxrpc blacklist is safe for most systems – the RxRPC protocol is uncommon outside of AFS deployments.
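The workaround command above discards rmmod errors (`2>/dev/null; true`), so a module that is in use stays loaded even after the config file is written. The script below is an added example, not part of the original advisory or the researcher's code, that checks both conditions for each module. The function names, the `live` argument and the sample data are assumptions made here; it inspects only /etc/modprobe.d and does not detect modules built into the kernel.

```sh
# Added example (not from the advisory): audit the esp4/esp6/rxrpc workaround.
MODULES="esp4 esp6 rxrpc"

# Exit 0 if module $1 is listed in the /proc/modules-format file $2.
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2"
}

# Exit 0 if a *.conf file in directory $2 has the line "install $1 /bin/false".
module_blocked() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { hit = 1 }
            END { exit !hit }' "$f" && return 0
    done
    return 1
}

# Print loaded, blocked or loadable for module $1 ($2 = modules file, $3 = conf dir).
# "loaded" wins: an install line does not remove code that is already in memory.
module_status() {
    if module_loaded "$1" "$2"; then echo loaded
    elif module_blocked "$1" "$3"; then echo blocked
    else echo loadable
    fi
}

# Print "name: status" per module; return 1 unless every module is blocked.
audit() {
    rc=0
    for m in $MODULES; do
        s=$(module_status "$m" "$1" "$2")
        echo "$m: $s"
        [ "$s" = blocked ] || rc=1
    done
    return "$rc"
}

# Constructed sample: esp4 still loaded, no install line for rxrpc.
make_sample() {
    mkdir -p "$1/modprobe.d"
    printf 'esp4 28672 0 - Live 0x0000000000000000\n' > "$1/proc_modules"
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' \
        > "$1/modprobe.d/dirtyfrag.conf"
}

if [ "${1:-}" = live ]; then audit /proc/modules /etc/modprobe.d; exit; fi
tmp=$(mktemp -d) && make_sample "$tmp"
audit "$tmp/proc_modules" "$tmp/modprobe.d" || echo "workaround incomplete"
rm -rf "$tmp"
```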
Affected distributions
All Linux distributions using an unpatched kernel with CONFIG_XFRM_ALGO or CONFIG_AF_RXRPC enabled are affected. Apply patches from:
- Ubuntu Security Notices
- Red Hat Security Advisories – RHSB-2026-003
- Debian Security Advisories
- SUSE Security Advisories