High · Patch available · High confidence · Vulnerabilities · Breaking

Severity rationale: High severity due to reliable local privilege escalation to root, public proof-of-concept availability, broad Linux distribution exposure, and container-host risk. The issue is not remotely exploitable by itself, which keeps it below critical in most scoring models.

Dirty Frag Extends Linux’s Page-Cache Bug Class Into ESP and RxRPC

Linux kernel / Linux distribution vendors · Linux kernel networking subsystems: ESP/IPsec, xfrm, esp4, esp6, RxRPC, AFS-related rxrpc · CVE-2026-43284, CVE-2026-43500

Dirty Frag is a pair of Linux kernel local privilege-escalation vulnerabilities affecting ESP/IPsec and RxRPC networking paths. Tracked as CVE-2026-43284 and CVE-2026-43500, the chain abuses in-place processing of shared page-backed fragments to corrupt page-cache data and escalate from a local unprivileged account to root. Public proof-of-concept code is available, and Microsoft has reported limited activity that may be related to Dirty Frag or Copy Fail. Organizations should prioritize kernel updates, apply module blocklists where safe, harden container workloads, and monitor for unusual privilege-escalation behavior.

May 12, 2026 · 5 min read · Last updated May 12, 2026 · Reviewed May 12, 2026

Key Facts

Vendor: Linux kernel / Linux distribution vendors
Product: Linux kernel networking subsystems: ESP/IPsec, xfrm, esp4, esp6, RxRPC, AFS-related rxrpc
CVE: CVE-2026-43284, CVE-2026-43500
CVSS: 8.8
Exploitation: Suspected exploitation
Affected versions: Linux kernel CVE-2026-43284: 4.11 to before 5.10.255, 5.12 to before 5.15.205, 5.16 to before 6.1.171, 6.2 to before 6.6.138, 6.7 to before 6.12.87, 6.13 to before 6.18.28, 7.0 to before 7.0.5; CVE-2026-43500: RxRPC path introduced in 2023 and fixed by upstream commit aa54b1d27fe0; distro exposure varies by backports and module configuration
Fixed versions: CVE-2026-43284 upstream mainline commit f4c50a4034e6, CVE-2026-43500 upstream mainline commit aa54b1d27fe0, Debian linux 5.10.251-4, Debian linux 6.1.170-3, Debian linux 6.12.86-1, Debian linux 7.0.4-1, SUSE kernel-rt 6.4.0-150700.7.44.1, vendor kernel updates as released

Dirty Frag is a Linux kernel local privilege-escalation issue that extends the page-cache corruption bug class associated with Dirty Pipe and Copy Fail into networking code paths used by ESP/IPsec and RxRPC.

The issue is tracked as CVE-2026-43284 for the xfrm/ESP path and CVE-2026-43500 for the RxRPC path. Together, the bugs can allow a local unprivileged user to corrupt page-cache-backed data and escalate to root on vulnerable Linux systems.

This is not a wormable remote vulnerability. The risk begins after an attacker has local code execution, such as a compromised SSH account, web shell, low-privileged service account, or container foothold. From there, Dirty Frag can turn “some access” into root access very quickly.

What happened

Dirty Frag was publicly disclosed after coordinated disclosure timelines broke down and public proof-of-concept code became available. The exploit chain targets Linux kernel networking and memory-fragment handling behavior involving esp4, esp6, xfrm, and rxrpc.

CVE-2026-43284 affects ESP support used by IPsec. The vulnerable path can decrypt in place over shared socket-buffer fragments that are backed by page-cache data. CVE-2026-43500 affects RxRPC, a protocol used by AFS. In both cases, externally backed fragments can be modified by kernel crypto paths that should first have copied or unshared the data.

The result is a page-cache write primitive that can be shaped into local privilege escalation.

Why it matters

Local privilege escalation flaws are post-compromise accelerators. They let attackers move from a low-privileged shell to root, then disable controls, tamper with logs, read credentials, change system binaries, and persist.

Dirty Frag is especially concerning because public reporting describes it as deterministic rather than race-dependent. That means defenders should not treat it like a flaky lab-only crash bug. If vulnerable modules are present and reachable, a local foothold may be enough.

Containerized environments deserve special attention. Containers share the host kernel, so a compromised workload may inherit host exposure if it can reach the relevant socket families or kernel modules.

Affected systems

Affected exposure depends on kernel version, distribution backports, module configuration, and container policy.

Known impacted components include:

  • esp4
  • esp6
  • xfrm/IPsec ESP paths
  • rxrpc
  • AFS-related RxRPC usage

Distributions and platforms with advisories or public impact notes include Ubuntu, Debian, Red Hat Enterprise Linux, OpenShift, SUSE Linux Enterprise, Fedora-family systems, AlmaLinux, CentOS Stream, and openSUSE.

Technical details

Dirty Frag abuses in-place cryptographic processing over shared socket-buffer fragments.

For CVE-2026-43284, MSG_SPLICE_PAGES can attach pages from a pipe directly into socket buffers. In vulnerable ESP receive paths, those fragments may be decrypted in place without first making a private copy. That allows attacker-controlled page-cache-backed memory to be modified through kernel networking code.

For CVE-2026-43500, the RxRPC path has a similar shared-fragment problem. DATA and RESPONSE packet handling can reach in-place decryption paths when externally owned paged fragments are present.

The practical result is page-cache poisoning. In public demonstrations, that class of primitive can be used to modify cached contents of sensitive files or setuid binaries and then trigger root-level execution.

Detection guidance

Detection is mostly behavioral. There is no clean network-only signature because exploitation is local and uses normal Linux syscalls.

Defenders should monitor for:

  • Unexpected creation of AF_RXRPC sockets.
  • Unusual AF_KEY or XFRM netlink activity by unprivileged users.
  • Attempts to load or use esp4, esp6, rxrpc, xfrm_user, ipcomp4, or ipcomp6.
  • Unexpected privilege transitions through su, setuid binaries, or shell execution.
  • Suspicious use of splice, vmsplice, sendmsg, setsockopt, and related syscalls by low-privileged processes.
  • Unexpected changes to setuid binaries, /etc/passwd, /etc/shadow, PAM files, SSH configuration, or authentication plugins.
  • Container workloads creating socket families they do not normally require.

Microsoft Defender has published Dirty Frag-related detections, and Sysdig has published runtime/Falco-oriented detection guidance for ESP and RxRPC paths.

Recommended actions

Patch first. Where patched kernels are not yet available or cannot be deployed immediately, block and unload vulnerable modules if operationally safe.

Short-term mitigations include blocklisting esp4, esp6, and rxrpc. This may break IPsec VPN or AFS/RxRPC functionality, so validate business impact before broad deployment.
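As an added example (not from the advisory or any vendor), a small shell helper that stages the modprobe blocklist described above and checks a /proc/modules listing for the affected modules; the modprobe.d directory and the modules file are parameters so it can be tried against a scratch copy before touching a host.

```shell
# Modules the advisory recommends blocklisting where IPsec ESP and AFS/RxRPC
# are not needed. Directory and /proc/modules path are parameters so the
# functions can be exercised against a scratch directory before touching a host.
DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Write a modprobe.d drop-in. "blacklist" only stops alias-based autoload;
# "install <mod> /bin/false" also makes an explicit modprobe fail, so both
# lines are emitted per module. Prints the path of the file written.
write_blocklist() {
    conf="$1/dirty-frag-mitigation.conf"
    {
        printf '# Dirty Frag (CVE-2026-43284 / CVE-2026-43500) mitigation\n'
        for m in $DIRTY_FRAG_MODULES; do
            printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
        done
    } > "$conf"
    printf '%s\n' "$conf"
}

# Print which of the listed modules appear in a /proc/modules-style file
# (module name is the first column). Exit status 0 if any are loaded.
loaded_vulnerable_modules() {
    modfile="${1:-/proc/modules}"
    found=""
    for m in $DIRTY_FRAG_MODULES; do
        if awk -v m="$m" '$1 == m { hit = 1 } END { exit !hit }' "$modfile"; then
            found="$found $m"
        fi
    done
    printf '%s\n' "${found# }"
    [ -n "$found" ]
}

# Unload loaded vulnerable modules (root required). modprobe -r refuses when a
# module is still in use; that is the advisory's "reboot instead" case.
unload_vulnerable_modules() {
    for m in $(loaded_vulnerable_modules "${1:-/proc/modules}"); do
        modprobe -r "$m" || printf 'could not unload %s; schedule a reboot\n' "$m" >&2
    done
}
```

On a real host, run `write_blocklist /etc/modprobe.d` as root and then `unload_vulnerable_modules`; validate IPsec and AFS impact first, as the text above notes.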

Container operators should restrict AF_KEY, AF_RXRPC, and XFRM netlink access through runtime security policy where possible. Hosts running untrusted workloads, CI/CD runners, shared shell environments, jump boxes, and internet-facing application servers should be prioritized.

After suspected exploitation, mitigation alone may not clear page cache that has already been contaminated. Validate file integrity and consider rebooting or carefully dropping caches after incident-response review.

Technical details

Dirty Frag targets Linux kernel networking paths that perform in-place cryptographic processing over shared socket-buffer fragments.

CVE-2026-43284 affects the xfrm/ESP path used by IPsec. When pages are attached into socket buffers through splice-related mechanisms, vulnerable ESP receive logic may decrypt over fragments that are not privately owned by the kernel.

CVE-2026-43500 affects RxRPC packet handling. The vulnerable path can process externally backed paged fragments without first unsharing or linearizing the packet.

Both paths can create page-cache corruption. Public research describes the bug class as deterministic, with no race window required. Exploitation requires local execution, but once local execution exists, the impact can be root-level compromise.

Detection & hunting

Host indicators

Monitor for:

  • Unexpected AF_RXRPC socket creation.
  • Unexpected AF_KEY or XFRM netlink use.
  • Unusual loading or use of esp4, esp6, rxrpc, xfrm_user, ipcomp4, or ipcomp6.
  • Suspicious privilege transitions involving su, setuid binaries, or shell spawning.
  • Low-privileged processes using splice, vmsplice, sendmsg, setsockopt, or related syscalls in unusual sequences.
  • Unexpected modification of /usr/bin/su, /etc/passwd, /etc/shadow, PAM configuration, SSH configuration, or authentication plugins.
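An added example (not the advisory's, Microsoft's or Sysdig's code) covering the socket-family and module-load indicators listed here and in the earlier Detection guidance section: auditd rules that key on them, and an awk scanner that pulls matching socket() records out of an audit log. The socket family and netlink protocol numbers and the x86_64 syscall number are assumptions stated in the comments.

```shell
# Socket families the advisory names, as socket() receives them: AF_KEY=15,
# AF_NETLINK=16 (with NETLINK_XFRM=6 as protocol), AF_RXRPC=33. Assumes x86_64,
# where socket() is syscall 41, and auditd's usual key=value record layout
# with syscall arguments logged as bare hex.

# Rules for /etc/audit/rules.d/dirty-frag.rules: flag socket() calls for the
# three families (a0 is the family, a2 the protocol) and module loads by
# logged-in users; the auid filters skip daemons and kernel threads.
print_audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S socket -F a0=33 -F auid>=1000 -F auid!=unset -k dirtyfrag_rxrpc
-a always,exit -F arch=b64 -S socket -F a0=15 -F auid>=1000 -F auid!=unset -k dirtyfrag_afkey
-a always,exit -F arch=b64 -S socket -F a0=16 -F a2=6 -F auid>=1000 -F auid!=unset -k dirtyfrag_xfrm_netlink
-a always,exit -F arch=b64 -S init_module -S finit_module -F auid>=1000 -F auid!=unset -k dirtyfrag_modload
EOF
}

# Scan an audit log and print "pid uid family comm" for every socket() record
# that created one of the three socket types. Exit status 0 if any matched.
scan_audit_log() {
    awk '
    function hex(s,  n, i) {
        n = 0
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789abcdef", tolower(substr(s, i, 1))) - 1
        return n
    }
    /type=SYSCALL/ && /syscall=41 / {
        split("", f)
        for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        fam = hex(f["a0"]); proto = hex(f["a2"]); label = ""
        if (fam == 33) label = "AF_RXRPC"
        else if (fam == 15) label = "AF_KEY"
        else if (fam == 16 && proto == 6) label = "NETLINK_XFRM"
        if (label != "") {
            gsub(/"/, "", f["comm"])
            print f["pid"], f["uid"], label, f["comm"]
            hits++
        }
    }
    END { exit !hits }' "$1"
}
```

Hits from the AF_KEY and NETLINK_XFRM rules will include legitimate IPsec daemons; baseline those first and alert on the rest, and on any AF_RXRPC socket where AFS is not deployed.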

Container indicators

Monitor containers for:

  • Creation of AF_RXRPC sockets.
  • Use of AF_KEY or XFRM netlink by workloads that do not require IPsec.
  • Privilege transitions from application users to root.
  • Unexpected host-file or authentication-file access.

Product detections

Microsoft Defender coverage includes detections such as:

  • Exploit:Linux/DirtyFrag.A
  • Exploit:Linux/DirtyFrag.B
  • Trojan:Linux/DirtyFrag.Z!MTB
  • Trojan:Linux/DirtyFrag.ZA!MTB
  • Trojan:Linux/DirtyFrag.ZC!MTB
  • Trojan:Linux/DirtyFrag.DA!MTB

Sysdig published detections for:

  • Dirty Frag xfrm-ESP Page Cache Poisoning LPE
  • Dirty Frag RxRPC Page Cache Poisoning LPE

Falco-style detection should focus on unexpected AF_RXRPC socket creation and unprivileged use of XFRM-related interfaces.

Recommended actions

P0: Immediate containment

  • Identify Linux hosts that allow local users, SSH access, web-shell execution, CI/CD jobs, or untrusted containers.
  • Block and unload esp4, esp6, and rxrpc where IPsec ESP and AFS/RxRPC are not required.
  • Reboot systems where vulnerable modules cannot be unloaded cleanly.

P1: Patch deployment

  • Apply vendor kernel updates for CVE-2026-43284 and CVE-2026-43500 as soon as available.
  • Prioritize multi-tenant hosts, container hosts, bastion hosts, developer servers, and internet-facing Linux servers.
  • Confirm fixed kernel package versions through the relevant distribution advisory.

P2: Container hardening

  • Restrict AF_KEY, AF_RXRPC, and XFRM netlink access through seccomp, AppArmor, SELinux, or Kubernetes policy where possible.
  • Review privileged containers and workloads with broad host namespace access.
  • Limit root containers and restrict debug shell access.

P3: Detection and hunting

  • Monitor for unexpected AF_RXRPC socket creation.
  • Hunt for abnormal privilege transitions involving su, setuid binaries, and root shells.
  • Monitor for unexpected changes to authentication files and setuid binaries.
  • Review EDR alerts for Dirty Frag, Copy Fail, page-cache poisoning, or suspicious Linux privilege escalation.

P4: Post-exploitation validation

  • Validate integrity of critical files on systems suspected of exploitation.
  • Consider dropping page cache or rebooting after incident-response review.
  • Rotate credentials where root compromise is suspected.

Compliance relevance

NIST CSF, NIST SP 800-53, ISO 27001:2022, CIS Controls, SOC 2, Vulnerability Management, Patch Management, Configuration Management, Privileged Access Management, Logging and Monitoring, Incident Response, Container Security
