Full Report
Unpatched kernel flaw chain (CVE-2026-43284, CVE-2026-43500) enables root escalation on major Linux distributions.
Analysis Summary
# Vulnerability: Dirty Frag (Linux Kernel Local Privilege Escalation)
## CVE Details
- **CVE ID:** CVE-2026-43284, CVE-2026-43500
- **CVSS Score:** Pending (High/Critical Severity)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) / Page Cache Write Primitive.
## Affected Systems
- **Products:** Linux Kernel (specifically ESP and RxRPC subsystems).
- **Versions:**
  - ESP subsystem: vulnerable since ~2017.
  - RxRPC subsystem: vulnerable since ~2023.
- **Configurations:** Systems where an attacker can access specific kernel interfaces and manipulate page-backed buffers (e.g., via `splice()`).
- **Note:** Exploitation typically requires high-level privileges such as `CAP_NET_ADMIN`. Default container environments (like Kubernetes with standard seccomp profiles) are generally less at risk.
## Vulnerability Description
"Dirty Frag" is a vulnerability chain consisting of two page-cache write primitives. It exploits flaws in the xfrm-ESP (IPsec) and RxRPC subsystems. The flaw allows an attacker to modify page-cache-backed memory that is not exclusively owned by the kernel. By manipulating these buffers, an attacker can corrupt sensitive system files (e.g., `/etc/passwd` or system binaries), leading to a deterministic and highly reliable privilege escalation to root. It is described as a successor to "Copy Fail" (CVE-2026-31431).
## Exploitation
- **Status:** PoC available (Public); disclosed prior to embargo expiration due to reverse-engineered fix commits.
- **Complexity:** Medium (Requires specific capabilities like `CAP_NET_ADMIN`).
- **Attack Vector:** Local.
## Impact
- **Confidentiality:** High (Full system access/root).
- **Integrity:** High (Ability to modify any file on the system).
- **Availability:** High (Ability to crash the system or delete critical data).
## Remediation
### Patches
Official patches are currently being rolled out across major distributions.
- **AlmaLinux:** Early patched kernels available in testing repositories.
- **Monitor:** Keep track of official updates from Red Hat, Ubuntu, Debian, and AWS for official kernel releases.
### Workarounds
If active patching is not possible, disable the vulnerable kernel modules:

```bash
# Disable ESP and RxRPC modules: map them to /bin/false so they can no longer be
# loaded, then unload them if they are currently loaded (rmmod failures are ignored)
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
```

**Warning:** Disabling these modules will break IPsec functionality (esp4/esp6) and AFS-based environments (rxrpc).
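The script below is an added example, not part of the advisory and not the vendor one-liner above. It wraps the same modprobe workaround in functions whose outcome can be verified: it writes the `install ... /bin/false` lines, checks that the configuration covers all three modules, and lists which of them are still loaded according to `/proc/modules`. The config and modules-file paths are parameters (defaulting to `/etc/modprobe.d/dirtyfrag.conf` and `/proc/modules`) so the checks can be run against copies. One caveat the one-liner hides with `2>/dev/null; true`: `rmmod` refuses to unload a module that is in use (for example by an active IPsec SA or an AFS mount), in which case the module stays loaded and only future loads are blocked.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the Dirty Frag modprobe workaround
# in a verifiable way. Assumptions: /proc/modules layout ("<name> <size> <refcnt> ..."),
# POSIX sh, awk and grep; file paths are parameters so the checks can run on copies.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Print the modprobe.d lines that make every attempt to load a target module fail.
dirtyfrag_conf_body() {
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Write the block list to $1 (default: /etc/modprobe.d/dirtyfrag.conf).
# Needs root for the real path; any writable path works for testing.
write_dirtyfrag_conf() {
    dirtyfrag_conf_body > "${1:-/etc/modprobe.d/dirtyfrag.conf}"
}

# Return 0 only if $1 contains an "install <module> /bin/false" line for each target.
conf_blocks_all() {
    for m in $DIRTYFRAG_MODULES; do
        grep -q "^install $m /bin/false" "$1" || return 1
    done
    return 0
}

# Print the target modules that are loaded according to a /proc/modules-style
# file ($1, default /proc/modules); prints nothing when none are loaded.
loaded_target_modules() {
    modules_file="${1:-/proc/modules}"
    for m in $DIRTYFRAG_MODULES; do
        # first field of each /proc/modules line is the module name
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modules_file"; then
            printf '%s\n' "$m"
        fi
    done
}

# Unload whatever can be unloaded. rmmod refuses modules that are in use (e.g. an
# active IPsec SA or AFS mount), so anything this prints is still loaded and is
# only protected against re-loading by the modprobe.d entry.
unload_target_modules() {
    for m in $DIRTYFRAG_MODULES; do
        rmmod "$m" 2>/dev/null || true
    done
    loaded_target_modules /proc/modules
}

# Full workaround (run as root): write the config, unload, report the outcome.
# Returns 0 when all three modules are blocked and unloaded, 2 when some remain.
apply_dirtyfrag_workaround() {
    conf="${1:-/etc/modprobe.d/dirtyfrag.conf}"
    write_dirtyfrag_conf "$conf"
    conf_blocks_all "$conf" || { echo "config write failed: $conf" >&2; return 1; }
    remaining=$(unload_target_modules)
    if [ -n "$remaining" ]; then
        printf 'still loaded (in use?): %s\n' "$(printf '%s' "$remaining" | tr '\n' ' ')"
        return 2
    fi
    echo "esp4/esp6/rxrpc blocked and not loaded"
}
```

Usage on a host: source the file and run `apply_dirtyfrag_workaround` as root; a non-zero exit with a "still loaded" line means the holder of that module must be torn down (or the host rebooted) before the workaround is fully effective.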
## Detection
- **Indicators of Compromise:** Monitor for unexpected modifications to system configuration files and sensitive binaries.
- **Detection methods:**
  - Inspect for unusual processes running with `root` privileges that originated from low-privilege users.
  - Track the execution of compilation tools and known exploit-like behaviors on production servers.
- **Post-mitigation cleanup:** Clear caches so that corrupted page-cache data is evicted: `echo 3 > /proc/sys/vm/drop_caches`.
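The script below is an added example (not part of the advisory or of any listed vendor's tooling) that turns the detection points above into checks that can be scripted: a sha256 baseline of sensitive files and binaries, and a comparison of what the page cache serves against what is actually on disk (a normal read versus an `O_DIRECT` read via `dd iflag=direct`), which is the state the `drop_caches` cleanup step relies on. The watch list is a constructed default, and the page-cache comparison assumes a filesystem that accepts `O_DIRECT` (it reports `unsupported` otherwise).

```shell
#!/bin/sh
# Added example (not from the advisory): integrity checks for the files a page-cache
# write primitive would target. Assumptions: GNU coreutils sha256sum and dd
# (iflag=direct); WATCHLIST is a constructed default, not taken from the advisory.

WATCHLIST="/etc/passwd /etc/shadow /etc/sudoers /usr/bin/su /usr/bin/sudo"

# Write "sha256  path" lines for the given files to the baseline file $1.
# Take the baseline from a known-good state (e.g., right after patching).
record_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        [ -r "$f" ] && sha256sum "$f" >> "$baseline"
    done
    return 0
}

# Re-hash every path in baseline $1; print "CHANGED <path>" for each mismatch
# (a missing or unreadable file counts as changed) and return 1 if any changed.
check_baseline() {
    changed=0
    while read -r sum path; do
        cur=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            printf 'CHANGED %s\n' "$path"
            changed=1
        fi
    done < "$1"
    return $changed
}

# A normal read is served from the page cache; an O_DIRECT read (dd iflag=direct)
# bypasses it and returns the on-disk bytes. A modification that exists only in
# the page cache, which is what drop_caches evicts, shows up as a hash mismatch.
# Prints "clean", "MISMATCH" or "unsupported" (filesystem refuses O_DIRECT).
pagecache_vs_disk() {
    f="$1"
    # probe first so a refused O_DIRECT open is not mistaken for a mismatch
    if ! dd if="$f" of=/dev/null bs=4096 iflag=direct 2>/dev/null; then
        echo unsupported
        return 2
    fi
    cached=$(sha256sum "$f" | cut -d' ' -f1)
    ondisk=$(dd if="$f" bs=4096 iflag=direct 2>/dev/null | sha256sum | cut -d' ' -f1)
    if [ "$cached" = "$ondisk" ]; then
        echo clean
    else
        echo MISMATCH
        return 1
    fi
}

# Run the page-cache comparison over the watch list; return 1 on any mismatch.
scan_watchlist() {
    rc=0
    for f in $WATCHLIST; do
        [ -r "$f" ] || continue
        status=$(pagecache_vs_disk "$f") || [ "$status" = unsupported ] || rc=1
        printf '%-11s %s\n' "$status" "$f"
    done
    return $rc
}

# Post-mitigation cleanup from the advisory (requires root): flush dirty pages,
# then drop the page cache so any corrupted cached pages are re-read from disk.
evict_page_cache() {
    sync
    echo 3 > /proc/sys/vm/drop_caches
}
```

The two checks complement each other: the baseline catches files whose on-disk contents changed (for example a file rewritten normally after an escalation), while the page-cache comparison catches tampering that exists only in memory and would be hidden from a baseline taken after the fact. Run `scan_watchlist` before `evict_page_cache`, since dropping the caches also destroys the evidence the comparison relies on.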
## References
- Wiz Blog: hxxps://www[.]wiz[.]io/blog/dirty-frag-linux-kernel-local-privilege-escalation
- Public PoC/Research: hxxps://github[.]com/V4bel/dirtyfrag
- AlmaLinux Advisory: hxxps://almalinux[.]org/blog/2026-05-07-dirty-frag/
- Red Hat Advisory: hxxps://access[.]redhat[.]com/security/vulnerabilities/RHSB-2026-003
- AWS Security Bulletin: hxxps://aws[.]amazon[.]com/security/security-bulletins/rss/2026-027-aws/