Security Advisory: Linux Kernel Dirty Frag Privilege Escalation Vulnerabilities

We would like to inform you about the recently disclosed Linux kernel privilege escalation vulnerabilities associated with the “Dirty Frag” vulnerability group. 

These vulnerabilities DO NOT affect the Ezeelogin software directly. The issue exists within the underlying Linux operating system kernel and may affect servers depending on the OS version and installed kernel packages in use.

OVERVIEW 

 These vulnerabilities affect specific Linux kernel networking subsystems (esp4, esp6, rxrpc). They are local privilege escalation (LPE) vulnerabilities that may allow a local authenticated user to obtain root access under certain conditions. Security researchers indicate that the vulnerabilities can affect most major Linux distributions. Public proof-of-concept (PoC) exploit code has already been released, and public disclosure occurred before patches became widely available, which increases the urgency for mitigation and patching.

AFFECTED CVEs  

CVE-2026-43284 – “Dirty Frag” Linux kernel IPSec ESP (esp4 / esp6) subsystem vulnerability 
CVE-2026-43500 – “Dirty Frag” Linux kernel rxrpc subsystem vulnerability 

 Official References: 

AFFECTED OPERATING SYSTEMS / TESTED KERNEL VERSIONS 

 The following operating systems and kernel versions are confirmed to contain vulnerable kernel ranges associated with the “Dirty Frag” vulnerabilities if not updated with vendor security patches: 

  •  Ubuntu 24.04.4 
              Kernel: 6.17.0-23-generic 
  •  Red Hat Enterprise Linux (RHEL) 10.1 
             Kernel: 6.12.0-124.49.1.el10_1.x86_64 
  •  openSUSE Tumbleweed 
              Kernel: 7.0.2-1-default 
  •  CentOS Stream 10 
              Kernel: 6.12.0-224.el10.x86_64 
  •  AlmaLinux 10 
               Kernel: 6.12.0-124.52.3.el10_1.x86_64 

 Additional potentially affected distributions: 

  •  Red Hat Enterprise Linux (RHEL) 8 / 9 / 10 
  •  AlmaLinux 8 / 9 / 10 
  •  Rocky Linux 8 / 9 / 10 
  •  Oracle Linux 8 / 9 
  •  CentOS Stream 
  •  OpenShift 4 
  •  Ubuntu 20.04 / 22.04 / 24.04 
  •  Debian 11 / 12 
  •  SUSE Linux Enterprise Server (SLES) 

WHAT COMPONENTS ARE AFFECTED?

The vulnerabilities are associated with the following kernel modules: 

  • esp4 – IPSec ESP for IPv4 
  • esp6 – IPSec ESP for IPv6 
  • rxrpc – RxRPC protocol module 

 Are these modules enabled by default?

In most environments: 

  •   esp4 / esp6 are NOT commonly active unless IPSec VPN functionality is configured and used. 
  •   rxrpc is generally NOT active unless AFS-related services are used. 
  •   User namespaces may be enabled by default on modern systems, especially container hosts and developer environments. 

The vulnerability is mainly exploitable in environments where: 

  •  Local shell access exists 
  •  Containers/rootless containers are used 
  •  User namespaces are enabled 
  •  IPSec functionality is active 

 HOW TO CHECK IF YOU ARE AFFECTED 

  1. Check if vulnerable modules are loaded: 

                lsmod | grep -E 'esp4|esp6|rxrpc'

          If no output is returned, the modules are not currently loaded. 

   2. Check if user namespaces are enabled:

               sysctl user.max_user_namespaces 

         If the returned value is greater than 0, user namespaces are enabled. 

 MITIGATION STEPS (If Security Updates Are Not Yet Available) 

  1. For systems NOT using IPSec or AFS:

                printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
                rmmod esp4 esp6 rxrpc 2>/dev/null; true
                echo 3 > /proc/sys/vm/drop_caches

  2. Alternative Mitigation (If IPSec Must Remain Enabled):

                echo "user.max_user_namespaces=0" > /etc/sysctl.d/dirtyfrag.conf
                sysctl --system

 Important Notes: 

  •   Blocking esp4 / esp6 disables IPSec VPN functionality. 
  •   Blocking rxrpc affects AFS client connectivity. 
  •   Disabling user namespaces may affect:
          ◦  Rootless containers
          ◦  Podman
          ◦  Docker rootless mode
          ◦  Flatpak
          ◦  Browser sandboxes
  •  Clearing page cache using drop_caches may temporarily impact system performance and should be performed carefully on production servers.  
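
The two checks and two mitigations above can be combined into one host audit. The script below is an added example, not part of the original advisory or Ezeelogin's code; the function names, status labels and SAMPLE_* inputs are constructed for illustration. It also reports the case where the modprobe.d block is on disk but a module is still loaded, which the `rmmod ... 2>/dev/null; true` line would hide.

```shell
#!/bin/sh
# Added example (not Ezeelogin code). Inputs are passed as text so the logic
# can be run offline; the SAMPLE_* values below are constructed.
MODS="esp4 esp6 rxrpc"

# loaded_mods LSMOD_TEXT -> affected modules present in column 1 of lsmod
loaded_mods() {
    printf '%s\n' "$1" | awk -v want="$MODS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) t[w[i]] = 1 }
        ($1 in t) { out = out (out ? " " : "") $1 }
        END { print out }'
}

# unblocked_mods CONF_TEXT -> affected modules with no "install <mod> /bin/false"
unblocked_mods() {
    out=""
    for m in $MODS; do
        printf '%s\n' "$1" |
            grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false" ||
            out="$out${out:+ }$m"
    done
    printf '%s\n' "$out"
}

# assess LSMOD_TEXT MAX_USER_NS CONF_TEXT -> one status line
assess() {
    loaded=$(loaded_mods "$1"); open=$(unblocked_mods "$3")
    if [ -z "$loaded" ] && [ -z "$open" ]; then
        echo "mitigated:modules-blocked"
    elif [ "${2:-0}" -eq 0 ]; then          # empty = key absent (assumed off)
        echo "mitigated:userns-disabled loaded=${loaded:-none}"
    elif [ -n "$loaded" ]; then             # e.g. rmmod failed: module in use
        echo "unmitigated loaded=$loaded"
    else                                    # not loaded now, but not blocked
        echo "unmitigated unblocked=$open"
    fi
}

SAMPLE_LSMOD='Module                  Size  Used by
esp4                   28672  2
xfrm_user              61440  3'
SAMPLE_CONF='install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false'

assess "$SAMPLE_LSMOD" 31231 "$SAMPLE_CONF"   # blocked on disk, still loaded
# Live use:
# assess "$(lsmod)" "$(sysctl -n user.max_user_namespaces)" \
#        "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
```
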

VENDOR UPDATE REFERENCES  

  1. Red Hat / AlmaLinux / Rocky Linux / Oracle Linux:   https://access.redhat.com/security/vulnerabilities/RHSB-2026-003 
  2. Ubuntu: https://ubuntu.com/security/notices , https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available 
  3. Debian: https://www.debian.org/security/ 
  4. openSUSE / SUSE: https://www.suse.com/security/  

Customers are strongly advised to: 

  •  Take a snapshot or backup of the system before proceeding with any kernel or system updates.
  •  Take and securely retain a full backup of the Ezeelogin installation before applying updates.
  •  Apply the latest available kernel security updates from your OS vendor.
  •  Reboot systems after kernel updates.
  •  Apply temporary mitigations if patched kernels are not yet available.

Recommended Priority 

      Please review your environment and apply the required updates or mitigations accordingly. 

 

Thanks!

Ezeelogin Team