Overview
On May 8, 2026, cybersecurity researchers disclosed a critical vulnerability chain in the Linux kernel, nicknamed “Dirty Frag.” Tracked as CVE-2026-43284 and CVE-2026-43500, this flaw follows in the footsteps of “Dirty Pipe” and “Copy Fail” as a high-reliability page-cache corruption exploit.
The vulnerability allows a local user to gain root privileges by chaining two separate flaws in the networking subsystem (ESP and RxRPC). Like its predecessor Copy Fail, Dirty Frag is a deterministic logic flaw rather than a probabilistic memory corruption bug, making it extremely dangerous and effective across nearly all major Linux distributions.
The Threat
Dirty Frag weaponizes the kernel’s “zero-copy” optimization. By using the splice() system call, an attacker can link a read-only system file (like a root-owned binary) into a network buffer. When the kernel performs in-place decryption on that buffer, it incorrectly overwrites the cached version of the sensitive file in memory.
Key Metrics & Details:
- CVSS Score: 7.8 (High)
- Affected Versions: Linux Kernel versions since 2017 (for ESP) and 2023 (for RxRPC), including kernel 7.0.4. Impacted distributions include Ubuntu 24.04, RHEL 8/9/10, Fedora, and AlmaLinux.
- Root Cause: Logic flaws in the xfrm-ESP (IPsec) and RxRPC subsystems due to unsafe in-place decryption on externally-backed pages.
- Exploit Vector: Local; requires the ability to manipulate page-backed buffers (e.g., via splice()). Some paths may require CAP_NET_ADMIN privileges.
- Active Exploitation: Confirmed; a public Proof-of-Concept (PoC) exists that grants root access in a single command.
Real-World Impact
Dirty Frag is a direct successor to Copy Fail and often bypasses the mitigations deployed against it:
- Bypasses Previous Mitigations: Dirty Frag can be triggered even if the algif_aead module (the primary target of Copy Fail) is disabled.
- Container Escape: Because the page cache is shared between the host and containers, an exploit triggered within a container can compromise the underlying host and other tenants.
- Forensic Evasion: Like the recently discovered Copy Fail, the exploit modifies volatile memory (the page cache) rather than the physical disk, meaning traditional File Integrity Monitoring (FIM) tools may not detect the change.
- High Reliability: The logic-based nature of the bug means the kernel does not typically panic if the exploit fails, allowing for repeated attempts with near 100% success rates.
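The forensic-evasion point above has a practical consequence for defenders: a check keyed on mtime/ctime or on inotify file-change events sees nothing, but a content hash taken through the normal read path is served from the page cache, so it reflects what the kernel would actually execute. The script below is an added example for this post, not XM Cyber's tooling; it hashes a set of files into a SHA-256 baseline and re-verifies them by content only. The file names, the temporary directory and the tampering step in the demonstration are constructed, and paths containing whitespace are not handled because sha256sum output is split on whitespace.

```shell
#!/bin/sh
# Added example (not from the XM Cyber post): content-hash verification of
# root-owned binaries against a stored SHA-256 baseline. A page-cache-only
# overwrite leaves the on-disk blocks, mtime and ctime untouched and raises no
# inotify event, so FIM keyed on timestamps or change events misses it.
# Re-reading the file goes through the page cache, so the hash compared here
# is the hash of the content the kernel would execute.

# Record "sha256  path" for every existing regular file listed on stdin.
make_baseline() {
    # $1 = baseline file to write
    : > "$1"
    while IFS= read -r f; do
        [ -f "$f" ] && sha256sum "$f" >> "$1"
    done
    return 0
}

# Re-hash every baseline entry. Prints "MODIFIED path" or "MISSING path"
# per difference; returns 0 when everything matches, 1 otherwise.
verify_baseline() {
    # $1 = baseline file
    rc=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(sha256sum "$path" | awk '{ print $1 }')
        [ "$actual" = "$expected" ] || { echo "MODIFIED $path"; rc=1; }
    done < "$1"
    return $rc
}

# Self-contained demonstration with constructed files: two fake "binaries"
# are baselined in a temp directory, one is altered in place with its mtime
# restored afterwards, and the verification report is printed.
demo_tampering() {
    d=$(mktemp -d)
    printf 'original su\n' > "$d/su"
    printf 'original sudo\n' > "$d/sudo"
    printf '%s\n' "$d/su" "$d/sudo" | make_baseline "$d/baseline"
    printf 'tampered su\n' > "$d/su"
    touch -r "$d/sudo" "$d/su"   # same mtime as before: a timestamp check sees nothing
    report=$(verify_baseline "$d/baseline" || true)
    printf '%s\n' "$report"
    rm -rf "$d"
    return 0
}

if [ "${1:-}" = "--demo" ]; then demo_tampering; fi
```

Run with --demo to see the report; in production, build the baseline from a trusted state (or rely on the package manager's recorded digests via rpm -V or dpkg --verify, which re-read file contents the same way) and re-verify on a schedule rather than on file-change events. Because the post notes that the on-disk copy is never written, a mismatch found this way points at tampering in memory, and the trustworthy bytes are still on disk.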
The Exploit Chain: A Technical Breakdown
- Page Cache Linking: The attacker uses splice() to plant a reference to a read-only page-cache page (e.g., /usr/bin/su) into a network socket buffer.
- In-Place Decryption Trigger: The attacker sends encrypted traffic via ESP (IPsec) or RxRPC.
- Controlled Overwrite: The kernel’s “fast path” decrypts the data directly into the buffer. Because the buffer is linked to the page cache, the decryption process overwrites the target file’s memory with the attacker’s payload.
- Privilege Escalation: The attacker then executes the modified binary. Since the “dirty” version in the page cache is what runs, the attacker gains root access immediately.
Immediate Recommendations
The XM Cyber research team recommends security teams take the following steps immediately to safeguard their organizations:
- Patch Immediately: Monitor vendor advisories (Ubuntu, RedHat, AlmaLinux) and apply kernel updates as soon as they are available.
- Interim Mitigation: If patching is not possible, disable the vulnerable kernel modules to prevent exploitation:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
Note before implementing: disabling esp4/esp6 may break IPsec functionality, and disabling rxrpc may impact AFS-based environments.
- Harden Containers: Ensure CAP_NET_ADMIN is not granted to unprivileged containers and enforce strict seccomp profiles to block AF_ALG and related networking socket creation.
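The interim mitigation and the container hardening above, in a form that can be checked before and after they are applied, written as an added example for this post (it is not XM Cyber's code). It keeps the module names and modprobe.d layout of the one-liner, which must itself be run as root, and adds a seccomp fragment for containers. The socket-family numbers AF_ALG (38), AF_KEY (15) and AF_RXRPC (33) come from linux/socket.h; treating AF_KEY and AF_RXRPC as the "related networking socket creation" the recommendation refers to, and the --apply versus dry-run split, are this example's own choices.

```shell
#!/bin/sh
# Added example (not XM Cyber's code): apply and verify the interim mitigation.
# It writes the modprobe "install <module> /bin/false" overrides, reports which
# of the modules are loaded right now, and emits a seccomp rule set that denies
# socket() for AF_ALG/AF_KEY/AF_RXRPC. Module names follow the post's one-liner;
# the socket-family constants are from linux/socket.h; the choice of AF_KEY and
# AF_RXRPC as the "related" families is this example's assumption.

VULN_MODULES="esp4 esp6 rxrpc"

# Write the override file into $1 (normally /etc/modprobe.d) and print its path.
write_modprobe_override() {
    conf="$1/dirtyfrag.conf"
    : > "$conf"
    for m in $VULN_MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
    echo "$conf"
}

# Return 0 if the override file in $1 blocks every module, 1 otherwise.
override_covers_all() {
    for m in $VULN_MODULES; do
        grep -qx "install $m /bin/false" "$1/dirtyfrag.conf" || return 1
    done
    return 0
}

# Print the vulnerable modules present in a /proc/modules-style listing
# ($1, default /proc/modules); the module name is the first field per line.
loaded_vulnerable_modules() {
    listing="${1:-/proc/modules}"
    [ -r "$listing" ] || return 0
    for m in $VULN_MODULES; do
        awk -v mod="$m" '$1 == mod { found = 1 } END { exit !found }' "$listing" && echo "$m"
    done
    return 0
}

# Write a Docker/OCI-style seccomp fragment to $1 that returns EPERM (errno 1)
# from socket() when the address family (arg 0) is AF_ALG, AF_KEY or AF_RXRPC.
# Merge the "syscalls" entries into your existing default-deny profile; the
# ALLOW default here only makes the fragment valid on its own.
write_socket_family_seccomp() {
    cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    { "names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1,
      "args": [ { "index": 0, "value": 38, "op": "SCMP_OP_EQ" } ] },
    { "names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1,
      "args": [ { "index": 0, "value": 15, "op": "SCMP_OP_EQ" } ] },
    { "names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1,
      "args": [ { "index": 0, "value": 33, "op": "SCMP_OP_EQ" } ] }
  ]
}
EOF
}

# Only touch the live system when invoked as root with --apply.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    write_modprobe_override /etc/modprobe.d
    for m in $(loaded_vulnerable_modules); do
        rmmod "$m" 2>/dev/null || echo "could not unload $m (still in use; resident until reboot)"
    done
    override_covers_all /etc/modprobe.d && echo "override in place for: $VULN_MODULES"
fi
```

The install override only prevents future loads; if rmmod fails because an IPsec SA or an AFS mount still holds the module, it stays resident until reboot, which is the trade-off the note above describes. For containers, add the three socket entries to the profile you already enforce (Docker's default profile is deny-by-default with an allow list) rather than shipping the fragment as a whole profile.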
How XM Cyber Can Help
Through XM Cyber Vulnerability Risk Management (VRM), customers can immediately identify all instances of the CVE-2026-31431 vulnerability across their organization. By mapping kernel versions to known exposures, VRM provides a prioritized list of systems requiring urgent patching. By considering both exploit likelihood and business impact, VRM helps prioritize vulnerabilities and streamline remediation efforts.
XM VRM helps security teams understand their exposure to Dirty Frag and validate whether or not a threat actor could actually weaponize it within their environment. Customers utilize XM VRM to:
- Identify Exposure: Rapidly identify all Linux assets running vulnerable kernel versions (4.14 through 7.0+) that lack the necessary security patches.
- Prioritize Choke Points: Understand how Dirty Frag can be used as a stepping stone in an attack path to reach your "Crown Jewels", and raise the priority of fixing the entities that pose the highest risk to your business.
- Continuous Monitoring: As new PoCs and variants of “Dirty” class vulnerabilities emerge, XM Cyber provides real-time visibility into your organizational risk.
The XM Cyber Continuous Exposure Management Platform adds to each vulnerability the complete context of its risk to the business. This lets security teams filter out the noise of non-exploitable and low-risk vulnerabilities and quickly prioritize remediation based on how this vulnerability, combined with other exposures such as misconfigurations and identity issues, could be used by attackers to compromise critical assets and data. As new vulnerabilities and exploits keep appearing faster, this context is what allows teams to stay ahead of attackers by fixing what matters.