Dirty Frag (CVE-2026-43284, CVE-2026-43500): Linux Kernel LPE via Page Cache Corruption
Dirty Frag (CVE-2026-43284 / CVE-2026-43500) is a local privilege escalation (LPE) vulnerability in the Linux kernel, disclosed on May 7, 2026 by security researcher Hyunwoo Kim (@v4bel). The embargo was broken prematurely by an unidentified third party before the planned May 12 disclosure date. Patches were released on May 8, 2026.
CVE Details
Dirty Frag was split into two CVEs covering the two affected subsystems:
| CVE | Module | Severity |
|---|---|---|
| CVE-2026-43284 | xfrm/ESP – esp4, esp6 | HIGH |
| CVE-2026-43500 | rxrpc | HIGH |
Both CVEs have patches available. Apply kernel updates from your distribution vendor immediately.
Background
Hyunwoo Kim (@v4bel) is the same researcher who discovered Copy Fail (CVE-2026-31431) – a related Linux kernel page-cache privilege escalation vulnerability disclosed earlier in 2026. Both bugs belong to the same vulnerability class as Dirty Pipe (CVE-2022-0847): incorrect assumptions about page-cache mutability when sharing pages across kernel subsystems.
Affected kernel modules
Dirty Frag affects three kernel modules:
esp4andesp6– IPsec ESP (Encapsulating Security Payload) for IPv4/IPv6rxrpc– Reliable Datagram Sockets over UDP (RxRPC protocol, used by AFS)
How it works
The vulnerability combines two distinct page-cache write bugs:
- xfrm-ESP Page-Cache Write (CVE-2026-43284) – present in
esp4/esp6kernel modules - RxRPC Page-Cache Write (CVE-2026-43500) – present in the
rxrpckernel module
An unprivileged attacker uses the splice() system call to embed a reference to a read-only page – for example /etc/passwd or /usr/bin/su – into the frag slot of an sk_buff structure (the kernel's socket buffer). When the kernel's receiving code performs in-place cryptographic operations (AES-GCM decryption, HMAC verification), it writes directly back into that read-only page in RAM, permanently modifying the page cache.
The result: an unprivileged user can overwrite any read-only file in the page cache and gain root-level code execution.
Why Dirty Frag is especially dangerous
Unlike typical race-condition local privilege escalation exploits, Dirty Frag is a pure logic bug:
- No race condition – no precise timing or CPU pinning required
- No kernel crash – the exploit is clean and leaves no visible instability
- 100% reliable – succeeds on the first attempt, no brute force needed
This places it in the same class as Dirty Pipe (CVE-2022-0847) – one of the most reliable local privilege escalation techniques ever found on Linux.
Current status
| CVE (ESP/xfrm) | CVE-2026-43284 |
| CVE (rxrpc) | CVE-2026-43500 |
| Patches | Available – apply kernel updates from your vendor |
| Public PoC | Yes – github.com/V4bel/dirtyfrag |
| Disclosure date | May 7, 2026 (embargo broken early; planned May 12) |
| Researcher | Hyunwoo Kim (@v4bel) |
Workaround
If you cannot apply patches immediately, blacklist the affected kernel modules:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
> /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"> Do not apply on IPsec hosts. This blacklist disables the kernel-space ESP data path. Hosts running strongSwan, Libreswan, or any kernel-mode IPsec termination will lose VPN connectivity. For IPsec hosts, apply kernel patches as they become available.
The rxrpc blacklist is safe for most systems – the RxRPC protocol is uncommon outside of AFS deployments.
Affected distributions
All Linux distributions using an unpatched kernel with CONFIG_XFRM_ALGO or CONFIG_AF_RXRPC enabled are affected. Apply patches from:
- Ubuntu Security Notices
- Red Hat Security Advisories – RHSB-2026-003
- Debian Security Advisories
- SUSE Security Advisories
References
- GitHub PoC: V4bel/dirtyfrag
- CVE-2026-43284: vuln.today/cve/CVE-2026-43284
- CVE-2026-43500: vuln.today/cve/CVE-2026-43500
- oss-security: openwall.com/lists/oss-security/2026/05/07/8
- LWN.net: Linux Weekly News coverage
- Red Hat: RHSB-2026-003
- Wiz: Analysis
- CloudLinux: Workaround guide
Related CVEs
Use-after-free in Linux kernel ESP (IPsec) allows local authenticated attackers to decrypt shared memory fragments improperly, potentially exposing encrypted network traffic or causing memory corruption. Affects kernel versions 6.5+ where MSG_SPLICE_PAGES can attach pipe pages directly to UDP socket buffers. The IPv4/IPv6 datagram paths fail to mark spliced pages as shared, causing ESP input decryption to modify memory not privately owned by the packet buffer. Public exploit code exists (POC available on GitHub), EPSS score is low (0.01%) indicating limited widespread exploitation risk, and vendor patches are available across affected stable kernel branches (6.6.138, 6.12.87, 6.18.28, 7.0.5).
Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated attackers to achieve arbitrary code execution with kernel privileges. The vulnerability stems from improper handling of shared fragment memory in DATA and RESPONSE packet processing, where the kernel fails to unshare externally-owned page fragments before in-place decryption operations. This creates a buffer overflow condition (CWE-787) exploitable by local users with low privileges. Patches are available for kernel versions 6.18.29, 7.0.6, and 7.1-rc3. EPSS and KEV status not provided in available data.