Dirty Frag Linux Kernel LPE Enables Immediate Root Access Across Major Distros
Researchers publicly disclosed Dirty Frag, a Linux kernel local privilege escalation chain that can give an unprivileged local user immediate root access across major distributions. The disclosure said the issue combines flaws in the in-place decryption fast paths for esp4, esp6, and rxrpc, allowing page-cache corruption or plaintext exposure in externally backed paged fragments. Public write-ups and exploit repositories described two working paths: overwriting /usr/bin/su with a root shell via the ESP/XFRM stack, or corrupting /etc/passwd through RXRPC/RXKAD behavior so a UID 0 account can be used without a password.
The bug was published without patches or CVE assignments after an embargo was reportedly broken, and exploit code was quickly made public through oss-sec, GitHub, and security forums. A related GitHub proof of concept, Copy Fail 2: Electric Boogaloo, tied the ESP path to the MSG_SPLICE_PAGES no-copy-on-write fast path and reported successful exploitation on Debian, Arch, Fedora, and newer Ubuntu releases, while noting older Ubuntu 22.04 kernels were not affected by that specific path. AlmaLinux said all supported releases were affected, issued patched kernels in testing by backporting the upstream ESP fix, and recommended temporary mitigations including blacklisting or unloading esp4, esp6, and rxrpc modules and dropping page cache if compromise is suspected.
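The interim mitigation above (blacklisting or unloading esp4, esp6 and rxrpc) can be verified per host. The following is an added example, not code from the researchers or any vendor named here: it classifies each module from the text of /proc/modules, the modprobe.d configuration and modules.builtin. The state names, the helper names and the sample inputs are assumptions made for illustration.

```python
import glob, os, re

MODULES = ("esp4", "esp6", "rxrpc")  # modules named in the mitigation guidance

def module_state(name, proc_modules, modprobe_conf, builtin=""):
    """Classify one module from the text of /proc/modules, the concatenated
    modprobe.d config, and modules.builtin."""
    if re.search(rf"/{name}\.ko\b", builtin):
        return "builtin"         # compiled in: modprobe config has no effect
    if re.search(rf"^{name}\s", proc_modules, re.M):
        return "loaded"          # still live until it is unloaded
    if re.search(rf"^\s*install\s+{name}\s+/(?:usr/)?bin/(?:false|true)\b",
                 modprobe_conf, re.M):
        return "blocked"         # every modprobe of it runs the stub instead
    if re.search(rf"^\s*blacklist\s+{name}\b", modprobe_conf, re.M):
        return "blacklist-only"  # aliases ignored; 'modprobe <name>' still loads it
    return "loadable"

def audit(proc_modules, modprobe_conf, builtin=""):
    return {m: module_state(m, proc_modules, modprobe_conf, builtin) for m in MODULES}

# Constructed sample inputs (not taken from a real host).
SAMPLE_PROC = "esp4_offload 16384 0 - Live 0x0\nesp4 28672 1 esp4_offload, Live 0x0\n"
SAMPLE_CONF = "# install esp4 /bin/false\nblacklist esp6\ninstall rxrpc /bin/false\n"

def read_all(pattern):
    out = []
    for path in sorted(glob.glob(pattern)):
        with open(path, errors="replace") as fh:
            out.append(fh.read())
    return "\n".join(out)

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_PROC, SAMPLE_CONF))
    conf = "".join(read_all(f"{d}/modprobe.d/*.conf") + "\n"
                   for d in ("/etc", "/run", "/usr/lib"))
    builtin = read_all(f"/lib/modules/{os.uname().release}/modules.builtin")
    for mod, state in audit(read_all("/proc/modules"), conf, builtin).items():
        print(f"{mod}: {state}")
```

Only "blocked" with the module not loaded reflects the mitigation as described; "builtin" means the module-based workaround does not apply to that kernel.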

How this story unfolded
35 events from the most recent confirmed update back to the earliest known activity.
SUSE published bug tracker entry for Dirty Frag CVE-2026-43284
SUSE published Bugzilla entry 1264449 tracking CVE-2026-43284, the Linux kernel xfrm ESP flaw known as Dirty Frag. The entry documents SUSE's official handling of the vulnerability in its products and adds a direct vendor reference beyond earlier media reporting that SUSE had acknowledged the issue.
V12 Security published fourth Dirty Frag PoC later deemed blocked by v3 fix
An oss-sec discussion said V12 Security published a fourth Dirty Frag proof of concept on May 15, 2026. Demi Marie Obenour later assessed that this variant was already blocked by the earlier v3 skb_gro_receive fix, while warning that more variants may still emerge as long as the ESP in-place path remains.
CERT/CC published VU#980487 advisory for Dirty Frag
CERT/CC published vulnerability note VU#980487 covering the Linux kernel local privilege escalation issue known as Dirty Frag. The advisory added another official coordination and guidance reference for CVE-2026-43284 and the related Dirty Frag flaws.
Netdev merged v5 patch for multiple Dirty Frag variants
Hyunwoo Kim announced that a v5 Linux kernel patch fixing four publicly disclosed Dirty Frag variants was merged into the netdev tree on May 13, 2026. He said CVE-2026-46300 (Fragnesia) was split into a separate patch, noted the fixes were validated with self-tests and stress tests, and warned that more variants may still exist while the esp in-place path remains.
AWS published advisory for Fragnesia CVE-2026-46300
AWS issued security bulletin ALAS2026-029 covering the Fragnesia local privilege escalation vulnerability in the Linux kernel's ESP-in-TCP path. This added an official AWS vendor response and remediation tracking for CVE-2026-46300.
Fragnesia assigned CVE-2026-46300
The Fragnesia Linux local privilege escalation flaw in the kernel's XFRM ESP-in-TCP subsystem was assigned CVE-2026-46300. The oss-sec discussion also noted that a patch had been posted to netdev but had not yet been merged into netdev, Linus's tree, or any stable kernel at that time.
Fragnesia Linux LPE disclosed as new Dirty Frag-class ESP-in-TCP flaw
A new Linux local privilege escalation vulnerability dubbed Fragnesia was publicly disclosed as a Dirty Frag-class bug in the XFRM ESP-in-TCP subsystem, allowing reliable root escalation by corrupting file-backed page cache pages. The report said a public proof of concept was available and that an upstream patch had already been submitted.
Sasha Levin floated temporary Dirty Frag 'kill switch' concept
Linux stable kernel co-maintainer Sasha Levin proposed a non-official temporary 'kill switch' idea that would let administrators disable vulnerable kernel functionality until patches are available. The concept was discussed as defenders weighed the risks of emergency kernel patching and reboots during the Dirty Frag response.
SUSE, Debian, and Fedora acknowledged Dirty Frag with fixes pending
The Record reported that SUSE, Debian, and Fedora had acknowledged the Dirty Frag vulnerabilities and said fixes were in progress. This expanded the set of vendors with official responses beyond Red Hat, AlmaLinux, Ubuntu, AWS, CloudLinux, and F5 already captured in the timeline.
Metasploit pull request opened for Dirty Frag exploit support
A public Rapid7 Metasploit Framework pull request referenced Dirty Frag Linux local privilege escalation support for CVE-2026-43284 and CVE-2026-43500, indicating active work to add exploitation capability to the framework. GitHub activity on May 10 showed the item being updated and tracked on the Metasploit project board.
Upstream mainline fix landed for Dirty Frag RxRPC flaw CVE-2026-43500
The Dirty Frag RxRPC vulnerability, CVE-2026-43500, was patched in the Linux mainline kernel by commit aa54b1d27fe0. This advanced remediation for the second Dirty Frag exploitation path beyond the earlier state where only the xfrm-ESP flaw had an upstream fix.
Elastic published detections and analysis for Copy Fail and Dirty Frag
Elastic Security Labs published research on Copy Fail, Copy Fail 2, and Dirty Frag, describing them as Linux page-cache corruption bugs that can lead to reliable local root escalation. The report provided behavioral detections and auditd/process-based hunting guidance focused on primitives such as AF_ALG and AF_RXRPC sockets, splice(), namespace creation, and suspicious SUID execution, while recommending kernel patching and temporary module-disabling mitigations.
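A sketch of auditd-based hunting over the primitives listed above, added here as an example and not taken from Elastic's published rules: it flags non-root processes that open an AF_RXRPC or AF_ALG socket and also call splice(). It assumes raw (uninterpreted) auditd SYSCALL records on x86_64 and audit rules that already log socket, splice and unshare; the correlation rule and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

X86_64 = "c000003e"                                  # audit arch value for x86_64
SYS_SOCKET, SYS_UNSHARE, SYS_SPLICE = 41, 272, 275   # x86_64 syscall numbers
FAMILIES = {0x21: "AF_RXRPC", 0x26: "AF_ALG"}        # socket() a0, logged in hex
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one raw auditd record into its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def hunt(lines):
    """Return {pid: primitives} for non-root processes that opened an
    AF_RXRPC or AF_ALG socket and also called splice()."""
    seen = defaultdict(set)
    for rec in map(parse, lines):
        if rec.get("type") != "SYSCALL" or rec.get("arch") != X86_64:
            continue
        if rec.get("uid") == "0" or rec.get("success") != "yes":
            continue
        nr, pid = int(rec["syscall"]), int(rec["pid"])
        if nr == SYS_SOCKET:
            family = FAMILIES.get(int(rec["a0"], 16))
            if family:
                seen[pid].add(family)
        elif nr == SYS_SPLICE:
            seen[pid].add("splice")
        elif nr == SYS_UNSHARE:
            seen[pid].add("unshare")
    return {pid: sorted(p) for pid, p in seen.items()
            if "splice" in p and p & set(FAMILIES.values())}

def _rec(seq, nr, a0, pid, uid):   # builds one constructed sample record
    return (f"type=SYSCALL msg=audit(1700000000.000:{seq}): arch=c000003e "
            f"syscall={nr} success=yes exit=3 a0={a0} a1=2 a2=0 a3=0 items=0 "
            f'ppid=1 pid={pid} auid=1000 uid={uid} gid=1000 comm="a.out" '
            f'exe="/home/dev/a.out"')

SAMPLE = [  # constructed log lines, not from a real incident
    _rec(1, 272, "10000000", 4242, 1000), _rec(2, 41, "21", 4242, 1000),
    _rec(3, 275, "3", 4242, 1000),                 # unshare + AF_RXRPC + splice
    _rec(4, 41, "2", 5000, 1000), _rec(5, 275, "3", 5000, 1000),   # AF_INET only
    _rec(6, 41, "26", 6000, 0), _rec(7, 275, "3", 6000, 0),        # root, ignored
]

if __name__ == "__main__":
    print(hunt(SAMPLE))
```

Legitimate users of AF_ALG or AFS (which uses rxrpc) will match as well, so hits are leads to triage against the executable path and user, not verdicts.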
Upstream mainline fix landed for Dirty Frag CVE-2026-43284
An upstream fix for the Dirty Frag xfrm-ESP flaw, CVE-2026-43284, landed in the mainline Linux kernel on May 8. At the time of reporting, the RxRPC flaw CVE-2026-43500 was still under evaluation and did not yet have a finalized upstream patch.
Microsoft warned Dirty Frag was being actively exploited and published detections
Microsoft said it was actively investigating Dirty Frag exploitation activity and described the Linux local privilege escalation technique as a post-compromise path from limited local access to root. The company also published Microsoft Defender detections and recommended mitigations such as disabling unused modules, restricting shell access, hardening containers, and prioritizing kernel patches.
cPanel published advisory on Dirty Frag Linux kernel vulnerability
cPanel published a product advisory about the Dirty Frag Linux kernel vulnerabilities, adding another official vendor response to the issue. The advisory indicates cPanel was tracking the vulnerability and providing guidance for affected environments running on vulnerable Linux kernels.
F5 published advisory for Dirty Frag kernel vulnerabilities
F5 issued product advisory K000161181 covering Linux kernel vulnerabilities CVE-2026-43284 and CVE-2026-43500, extending vendor tracking and response for Dirty Frag to F5-affected products. The advisory marks a new official vendor statement on impact and remediation guidance.
Public mitigation script released for Dirty Frag and copy.fail
Kalin Kozhuharov published an interim mitigation script, cf+df_patching.sh in the thinrope/cf-df GitHub repository, after finding that modprobe-based mitigations and module-loading restrictions were unreliable across distributions. The tool was presented as a way to rename affected modules directly and deploy mitigation at scale while patches were not yet broadly available.
oss-sec post says Dirty Frag exploit came from public fix, not embargo leak
In an oss-sec discussion, SiCk said the public 'Copy Fail 2: Electric Boogaloo' proof of concept was derived by analyzing Steffen Klassert's publicly committed netdev fix, not from any linux-distros embargo leak or access to Hyunwoo Kim's materials. Sam James endorsed the clarification, highlighting how quickly a public patch can be turned into a working exploit.
RxRPC Dirty Frag flaw identified as CVE-2026-43500
Netskope reported that Dirty Frag comprises two kernel bugs: CVE-2026-43284 in xfrm-ESP and CVE-2026-43500 in RxRPC. This adds formal identification for the RxRPC exploitation path, which earlier timeline entries described without a CVE assignment.
NIST assigned CVE-2026-43284 to Dirty Frag ESP flaw
SC Media reported that NIST assigned CVE-2026-43284 to the Dirty Frag Linux kernel vulnerability on May 8 and rated it High severity with a CVSS score of 7.8. The identifier covers the xfrm/IPsec ESP exploitation path that had previously been discussed publicly without a formal CVE entry in the timeline.
Canonical warned Ubuntu releases were affected by Dirty Frag
Canonical said the two Dirty Frag local privilege escalation flaws affected Ubuntu releases from 14.04 LTS through 26.04 LTS, rated them High severity, and warned they could enable root escalation and possible container escape. Pending patched kernel packages, it recommended blocking and unloading the esp4, esp6, and rxrpc kernel modules as a temporary mitigation.
Red Hat confirmed Dirty Frag impact on RHEL and OpenShift
Red Hat published security bulletin RHSB-2026-003 for Dirty Frag, confirming impact to Red Hat Enterprise Linux 8, 9, and 10 as well as OpenShift 4. The bulletin described the ESP and rxrpc privilege-escalation paths, noted fixes were being expedited, and provided mitigation guidance including module blacklisting, SELinux enforcement, and restricting local or debug access.
CloudLinux published Dirty Frag mitigation guidance and kernel update
CloudLinux published an advisory for Dirty Frag (CVE-2026-43284) that provided mitigation guidance and announced updated kernels for affected systems. This added a new vendor-specific response and remediation path beyond the previously documented AWS and AlmaLinux actions.
Public Dirty Frag technical site and GitHub exploit references appeared
By May 7, public references including dirtyfrag.io and a GitHub repository describing 'Copy Fail 2: Electric Boogaloo' were available, documenting exploitation details and affected distributions. The GitHub material credited Hyunwoo Kim and Kuan-Ting Chen and said Steffen Klassert had posted the upstream fix to netdev/net.git.
AlmaLinux released patched kernels in testing repository
Alongside its advisory, AlmaLinux said it had backported the upstream ESP fix and published patched kernels in its testing repository ahead of Red Hat updates. This marked one of the first vendor remediation actions mentioned in the references.
AlmaLinux warned all supported releases were affected
AlmaLinux published guidance stating that Dirty Frag affected all supported AlmaLinux releases, warned that public exploit code was already available, and noted that no CVE had been assigned because the embargo was broken. It recommended blacklisting or unloading esp4, esp6, and rxrpc and other defensive steps if compromise was suspected.
AWS issued Amazon Linux advisory for Dirty Frag kernel issues
AWS published security bulletin ALAS2026-027 covering Dirty Frag and other vulnerabilities in Amazon Linux kernels. This marked AWS's vendor response for affected Amazon Linux systems and provided official tracking/remediation guidance.
AWS published advisory for CVE-2026-31431
AWS published a security bulletin for CVE-2026-31431, the earlier related 'Copy Fail' issue referenced by later Dirty Frag reporting as being in the same vulnerability class. The advisory indicates vendor tracking and response for that separate but related kernel flaw.
Dirty Frag fix commit introduced Fragnesia regression
An oss-sec discussion said Fragnesia ('copyfail 3.0') was unintentionally introduced by Linux kernel commit f4c50a4034e6 on 2026-05-05 while patching CVE-2026-43284. The post described this as creating a roughly nine-day upstream exposure window before the new flaw was publicly disclosed.
Netdev patch posted for Dirty Frag ESP/XFRM flaw
Kuan-Ting Chen submitted a Linux kernel netdev patch to fix the Dirty Frag ESP/XFRM issue by marking shared spliced UDP fragments with SKBFL_SHARED_FRAG and forcing ESP input to use copy-on-write handling when shared fragments are present. The patch covered both IPv4 and IPv6 datagram append paths and described the root cause behind unsafe in-place decryption on shared skb fragments.
Dirty Frag reportedly disclosed privately to Linux kernel team
The Tom's Hardware report says the Dirty Frag vulnerability was reported to the Linux kernel team on April 30, 2026, before the coordinated disclosure process collapsed. This private report preceded the broken embargo and subsequent public release of exploit details.
Dirty Frag publicly disclosed on oss-sec with full exploit code
Hyunwoo Kim publicly disclosed Dirty Frag on oss-sec, describing it as a universal Linux local privilege escalation chaining two kernel vulnerabilities and providing exploit code for ESP/XFRM and rxrpc-based paths to root. The post said no patches or CVEs were available at the time and suggested disabling esp4, esp6, and rxrpc as a temporary mitigation.
Embargo on Dirty Frag disclosure was broken by a third party
Before coordinated fixes or CVE assignments were available, a third party reportedly broke the embargo covering the Linux local privilege escalation issue later dubbed Dirty Frag. This forced an abrupt public disclosure process.
Linux kernel commit introduced Dirty Frag ESP/XFRM bug path
A Linux kernel commit modifying IPv4 ESP/IPsec processing introduced the vulnerable ESP/XFRM behavior later tied to one Dirty Frag exploitation path. The change added page fragment handling and refactored scatter-gather and buffer management in esp4/xfrm code.
Kernel bug introduced via netdev commit affecting ESP/XFRM path
The Dirty Frag disclosures tie one exploitation path to a specific netdev kernel commit in the ESP/XFRM networking stack that enabled the vulnerable behavior. The exact introduction date is not stated in the references.
Sources
50 references tracked.
1264449 - (CVE-2026-43284) VUL-0: CVE-2026-43284: kernel: xfrm: esp: avoid in-place decrypt on shared skb frags (aka Dirty Frag)
bugzilla.suse.com
oss-sec: Re: Linux kernel: Dirty Frag variants - fix merged into netdev
seclists.org
oss-sec: Re: Recent Kernel exploits, attack surface reduction, example IPSEC
seclists.org
oss-sec: Recent Kernel exploits, attack surface reduction, example IPSEC
seclists.org
GitHub - V4bel/dirtyfrag · GitHub
github.com
Dirty Frag vulnerability reported for Linux kernel - cPanel
support.cpanel.net
New Linux 'Dirty Frag' zero-day gives root on all major distros
bleepingcomputer.com
DirtyFrag and Copy Fail2 Show the Page-Cache Bug Class Is Not Done - Bugflation
bugflation.com


