What is the Dirty Frag Vulnerability?
Dirty Frag is a high-severity local privilege escalation (LPE) vulnerability chain affecting the Linux kernel. Publicly disclosed on May 7, 2026, it allows an unprivileged local user to gain full root access on a wide range of Linux distributions — in a single command.
The vulnerability was discovered and reported by security researcher Hyunwoo Kim (@v4bel) to Linux kernel maintainers on April 30, 2026. It was assigned two CVE identifiers:
AFFECTED CVEs
- CVE-2026-43284 — xfrm-ESP (IPsec) Page-Cache Write vulnerability — CVSS score: 8.8 (HIGH)
- CVE-2026-43500 — RxRPC Page-Cache Write vulnerability — CVSS score: 7.8 (HIGH)
Together, these two flaws form a chained exploit that security researchers and vendors have dubbed “Dirty Frag” — and also informally called “Copy Fail 2” or “CopyFail2: Electric Boogaloo” due to its close relationship with the previously disclosed Copy Fail vulnerability (CVE-2026-31431).
Official References:
- Red Hat Security Bulletin: https://access.redhat.com/security/vulnerabilities/RHSB-2026-003
- Ubuntu Dirty Frag Advisory: https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available
- Tenable FAQ: https://www.tenable.com/blog/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe
- Ubuntu Security Notices: https://ubuntu.com/security/notices
- AlmaLinux Security Updates: https://almalinux.org
Which Linux Kernel Versions Are Affected?
The affected code paths date back to:
- 2017 — for the xfrm-ESP (IPsec) component (CVE-2026-43284)
- 2023 — for the RxRPC component (CVE-2026-43500)
Any Linux kernel released in roughly the last nine years may therefore carry the ESP flaw; the RxRPC flaw affects kernels from 2023 onward. Whether a given kernel is vulnerable depends on whether the vendor's backported fix has been applied, not on the version number alone.
Affected Operating Systems / Tested Kernel Versions
The following distributions and kernel versions were confirmed to ship kernels in the vulnerable ranges for the Dirty Frag CVEs when vendor security patches have not been applied:
| Operating System | Kernel Version |
|---|---|
| Ubuntu 24.04.4 | 6.17.0-23-generic |
| RHEL 10.1 | 6.12.0-124.49.1.el10_1.x86_64 |
| openSUSE Tumbleweed | 7.0.2-1-default |
| CentOS Stream 10 | 6.12.0-224.el10.x86_64 |
| AlmaLinux 10 | 6.12.0-124.52.3.el10_1.x86_64 |
| Fedora 44 | 6.19.14-300.fc44.x86_64 |
Additional Potentially Affected Distributions
- Red Hat Enterprise Linux (RHEL) 8 / 9 / 10
- AlmaLinux 8 / 9 / 10
- Rocky Linux 8 / 9 / 10
- Oracle Linux 8 / 9
- CentOS Stream
- OpenShift 4
- Ubuntu 20.04 / 22.04 / 24.04
- Debian 11 / 12
- openSUSE Leap / Tumbleweed
- SUSE Linux Enterprise Server (SLES)
What Components Are Affected?
The vulnerabilities are associated with the following kernel modules:
- esp4 – IPsec ESP for IPv4
- esp6 – IPsec ESP for IPv6
- rxrpc – RxRPC protocol module
How Does the Dirty Frag Exploit Work?
Technical Overview
Dirty Frag is a vulnerability chain that combines two page-cache write primitives in the Linux kernel:
- xfrm-ESP Page-Cache Write (CVE-2026-43284): The flaw is in the in-place decryption path of the ESP (Encapsulating Security Payload) subsystem, specifically esp4 and esp6. When the receive path decrypts data in place over paged buffers that the kernel does not privately own (such as pipe pages that reach the socket via splice(2) or sendfile(2)), an unprivileged process can keep references to the resulting plaintext. This yields a 4-byte STORE write primitive into the page cache.
- RxRPC Page-Cache Write (CVE-2026-43500): The RxRPC subsystem, which implements the RxRPC protocol used by AFS (Andrew File System), contains a related page-cache write flaw. In the published chain it is combined with the ESP primitive, with user namespaces supplying the unprivileged access the chain relies on, to complete the privilege escalation.
Are These Modules Enabled by Default?
In most environments:
- esp4 / esp6 are not commonly active unless IPsec VPN functionality is configured and used.
- rxrpc is generally not active unless AFS-related services are used.
- User namespaces may be enabled by default on modern systems, especially container hosts and developer environments.
The vulnerability is mainly exploitable in environments where:
- Local shell access exists
- Containers/rootless containers are used
- User namespaces are enabled
- IPSec functionality is active
Who Is Most at Risk?
High-Risk Environments
- Virtual machines with local user access
- Linux servers where multiple users or applications share access
- Environments with compromised low-privileged accounts
- Web servers exposed to web shell execution
- Systems running IPsec VPNs (esp4/esp6 modules loaded)
- Systems using AFS (rxrpc module loaded)
How to Check If Your System Is Vulnerable?
Check If Vulnerable Modules Are Loaded
lsmod | grep -E 'esp4|esp6|rxrpc'
If no output is returned, the modules are not currently loaded. Not loaded is not the same as not loadable: the kernel loads protocol modules on demand, and an unprivileged process can trigger that (creating an AF_RXRPC socket, for example, requests the rxrpc module), which is why the mitigation below blocks the modules with an install rule instead of only unloading them.
If any of these modules appear in the output, the vulnerable components are resident and the system should be treated as exposed until it is patched.
Check if User Namespaces Are Enabled
sysctl user.max_user_namespaces
If the returned value is greater than 0, user namespaces are enabled. Some distributions add a second gate for unprivileged users (Ubuntu 24.04, for example, restricts them through the kernel.apparmor_restrict_unprivileged_userns sysctl), so check that as well before concluding that an unprivileged user can create one.
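The two checks above combined into one POSIX sh assessment, as an added example that is not part of the original advisory. The helpers take lsmod output and the sysctl value as text, so they can be run against the constructed samples included below as well as against the live host; the function names, the verdict strings and the sample lsmod listings are this example's own and are not captured from a real system.

```shell
# Added example (not from the advisory): assess Dirty Frag exposure from the
# two indicators the advisory names: resident esp4/esp6/rxrpc modules and the
# user.max_user_namespaces sysctl.

# Print the names of esp4/esp6/rxrpc present in lsmod-style text read from stdin.
dirtyfrag_loaded_modules() {
    awk '$1 == "esp4" || $1 == "esp6" || $1 == "rxrpc" { print $1 }'
}

# Exit 0 if a user.max_user_namespaces value allows namespace creation.
# A missing or non-numeric value is treated as "not enabled".
dirtyfrag_userns_enabled() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Combine both signals into one verdict.
#   $1 = lsmod output, $2 = user.max_user_namespaces value
# Prints EXPOSED, MODULES-ONLY, USERNS-ONLY or CLEAR (verdict names are ours).
dirtyfrag_verdict() {
    mods=$(printf '%s\n' "$1" | dirtyfrag_loaded_modules)
    if [ -n "$mods" ] && dirtyfrag_userns_enabled "$2"; then
        echo EXPOSED
    elif [ -n "$mods" ]; then
        echo MODULES-ONLY
    elif dirtyfrag_userns_enabled "$2"; then
        echo USERNS-ONLY
    else
        echo CLEAR
    fi
}

# Constructed lsmod sample (not captured from a real host): esp4 and rxrpc loaded.
SAMPLE_LSMOD_LOADED='Module                  Size  Used by
esp4                   24576  0
xfrm_algo              16384  1 esp4
rxrpc                 262144  0
ext4                 1040384  1'

# Constructed sample with none of the three modules loaded.
SAMPLE_LSMOD_CLEAN='Module                  Size  Used by
ext4                 1040384  1
xfs                  1638400  0'

# Assess the live host when run with DIRTYFRAG_LIVE=1 (needs lsmod and sysctl).
if [ "${DIRTYFRAG_LIVE:-0}" = 1 ]; then
    dirtyfrag_verdict "$(lsmod)" "$(sysctl -n user.max_user_namespaces 2>/dev/null)"
fi
```

Run it as `DIRTYFRAG_LIVE=1 sh dirtyfrag-check.sh` on each host. A MODULES-ONLY or USERNS-ONLY verdict is still worth acting on: the modules can be loaded on demand, and distribution-specific namespace restrictions are not consulted here.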
How to Fix and Patch the Dirty Frag Vulnerability?
MITIGATION STEPS (If Security Updates Are Not Yet Available)
1. For systems NOT using IPSec or AFS:
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
rmmod esp4 esp6 rxrpc 2>/dev/null; true
echo 3 > /proc/sys/vm/drop_caches
2. Alternative Mitigation (If IPSec Must Remain Enabled)
echo "user.max_user_namespaces=0" > /etc/sysctl.d/dirtyfrag.conf
sysctl --system
Important Notes:
- Blocking esp4 / esp6 disables IPSec VPN functionality.
- Blocking rxrpc affects AFS client connectivity.
- Disabling user namespaces may affect:
- Rootless containers
- Podman
- Docker rootless mode
- Flatpak
- Browser sandboxes
- Clearing the page cache with drop_caches evicts cached file pages so that any copy already modified through the page-cache write primitive is discarded and re-read from disk. It can temporarily impact system performance and should be performed carefully on production servers.
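The two mitigation options above as a reviewable script, added here as an example and not taken from the advisory or any vendor. The configuration files are written under a chosen root directory so they can be generated and inspected in a scratch directory before being written to the real system; the file paths and their contents match the advisory, while the function names, the verification helpers and the DIRTYFRAG_MODE/ROOT variables are this example's own.

```shell
# Added example (not from the advisory): apply the module blocklist or the
# user-namespace mitigation through functions that write under $ROOT.
# ROOT=$(mktemp -d) lets you review the files; ROOT=/ (as root) applies them.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Write the modprobe rule that refuses to load the three modules on demand.
# $1 = root directory (default /). Prints the path written.
dirtyfrag_write_modprobe_conf() {
    root="${1:-/}"
    conf="${root%/}/etc/modprobe.d/dirtyfrag.conf"
    mkdir -p "$(dirname "$conf")"
    : > "$conf"
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
    echo "$conf"
}

# Write the sysctl drop-in for the alternative mitigation (IPsec kept, user
# namespaces disabled). $1 = root directory. Prints the path written.
dirtyfrag_write_sysctl_conf() {
    root="${1:-/}"
    conf="${root%/}/etc/sysctl.d/dirtyfrag.conf"
    mkdir -p "$(dirname "$conf")"
    printf 'user.max_user_namespaces=0\n' > "$conf"
    echo "$conf"
}

# Exit 0 only if every module has an exact "install <m> /bin/false" line in $1.
dirtyfrag_modprobe_conf_ok() {
    for m in $DIRTYFRAG_MODULES; do
        grep -qx "install $m /bin/false" "$1" || return 1
    done
}

# Exit 0 only if the sysctl drop-in $1 sets user.max_user_namespaces to 0.
dirtyfrag_sysctl_conf_ok() {
    grep -qx 'user.max_user_namespaces=0' "$1"
}

# Steps that only make sense on the real host (root required): unload modules
# that are already resident, evict the page cache and reload sysctl drop-ins.
# An install rule does not touch a module that is already loaded, which is
# why rmmod is still needed.
dirtyfrag_apply_live() {
    for m in $DIRTYFRAG_MODULES; do
        rmmod "$m" 2>/dev/null || true
    done
    echo 3 > /proc/sys/vm/drop_caches
    sysctl --system
}

# Usage when run directly:
#   DIRTYFRAG_MODE=blocklist ROOT=/ sh dirtyfrag-mitigate.sh  # no IPsec/AFS in use
#   DIRTYFRAG_MODE=userns    ROOT=/ sh dirtyfrag-mitigate.sh  # IPsec must stay enabled
case "${DIRTYFRAG_MODE:-}" in
    blocklist)
        conf=$(dirtyfrag_write_modprobe_conf "${ROOT:-/}")
        dirtyfrag_modprobe_conf_ok "$conf" || { echo "bad $conf" >&2; exit 1; }
        if [ "${ROOT:-/}" = / ]; then dirtyfrag_apply_live; fi
        ;;
    userns)
        conf=$(dirtyfrag_write_sysctl_conf "${ROOT:-/}")
        dirtyfrag_sysctl_conf_ok "$conf" || { echo "bad $conf" >&2; exit 1; }
        if [ "${ROOT:-/}" = / ]; then sysctl --system; fi
        ;;
esac
```

The verification helpers are there so that a configuration-management run can fail loudly if a template or a later edit leaves one of the three modules unblocked; a partial blocklist that covers esp4 and esp6 but not rxrpc still leaves the second primitive reachable.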
VENDOR UPDATE REFERENCES
- Red Hat / AlmaLinux / Rocky Linux / Oracle Linux: https://access.redhat.com/security/vulnerabilities/RHSB-2026-003
- Ubuntu: https://ubuntu.com/security/notices , https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available
- Debian: https://www.debian.org/security/
- openSUSE / SUSE: https://www.suse.com/security/
Customers are strongly advised to:
- Take a snapshot or backup of the system before proceeding with any kernel or system updates.
- Apply the latest available kernel security updates from your OS vendor.
- Reboot systems after kernel updates.
- Apply temporary mitigations if patched kernels are not yet available.
Frequently Asked Questions (FAQ)
1. What is privilege escalation in Linux?
Privilege escalation is when a user with limited permissions exploits a vulnerability to gain higher-level access — typically root (superuser) access. Root access grants full control over the system, including the ability to modify any file, install software, and access all data.
2. Is Dirty Frag the same as Dirty COW?
No. Dirty Frag (CVE-2026-43284 / CVE-2026-43500) and Dirty COW (CVE-2016-5195) are both Linux kernel privilege escalation vulnerabilities, but they exploit different code paths and use different techniques. Dirty COW depended on winning a race between concurrent threads, so an exploit could need many attempts before it succeeded. Dirty Frag uses deterministic, chained page-cache write primitives and is reported to be far more consistent.
3. Is Dirty Frag the same as Copy Fail?
Not exactly. Dirty Frag is a successor to Copy Fail (CVE-2026-31431) and belongs to the same bug class, which is why it is sometimes called “Copy Fail 2.” However, Dirty Frag chains two separate vulnerabilities (ESP + RxRPC) to achieve root escalation, while Copy Fail used a different single code path.
Conclusion
Dirty Frag (CVE-2026-43284 and CVE-2026-43500) is one of the most significant Linux kernel privilege escalation vulnerabilities in recent years. Its high reliability, wide distribution impact, and the availability of a public proof-of-concept make it an urgent priority for any organization running Linux servers.
Immediate actions to take:
- ✅ Update your kernel on all Linux systems — patches available from May 8, 2026
- ✅ If patching isn’t immediately possible, apply the module blocklist mitigation
- ✅ Check for signs of exploitation in your logs (unexpected su calls, staged ELF binaries)
- ✅ Audit which users have local access to your Linux servers
- ✅ Monitor security advisories from your Linux distribution for further updates.