Fedora: 9-Year-Old Dirty Frag Vulnerability Enables Root Access on Linux Systems

Dirty Frag: Nine-Year-Old Linux Kernel Vulnerabilities Expose Systems to Privilege Escalation

Researchers have uncovered two critical Linux kernel vulnerabilities, collectively named Dirty Frag, which remained undetected for nearly nine years. Discovered by independent security researcher Hyunwoo Kim, these flaws enable local privilege escalation (LPE), allowing an unprivileged user to gain root access, a severe security risk given that root privileges grant full system control.

The vulnerabilities stem from logic flaws in the Linux kernel’s networking components, specifically the IPSec ESP (esp4 and esp6) and rxrpc modules. The IPSec ESP flaw is tracked as CVE-2026-43284, while the rxrpc issue is designated CVE-2026-43500. By chaining these vulnerabilities, attackers can overwrite protected memory and modify critical system files.

Dirty Frag belongs to the page-cache-write family of bugs, similar to earlier exploits like Dirty Pipe and Copy Fail, but leverages the fragment field for exploitation. Unlike its predecessors, it does not rely on timing windows, increasing its reliability. While CVE-2026-43284 requires namespace permissions (blocked by default on some systems like Ubuntu), CVE-2026-43500 bypasses this restriction but depends on the rxrpc module being enabled, and that module is often disabled by default.

The vulnerabilities affect a wide range of Linux distributions, including Red Hat Enterprise Linux 8, 9, and 10, OpenShift 4, Ubuntu, Fedora, CentOS Stream, and AlmaLinux. Red Hat has advised temporary mitigations, such as blocking the affected modules by creating a configuration file at /etc/modprobe.d/dirtyfrag.conf with commands like install esp4 /bin/false. Users can check for active modules using lsmod | grep -E 'esp4|esp6'. Enabling SELinux in enforcing mode and avoiding root-level workloads are also recommended until official patches are released.
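The mitigation check described above can be scripted. The following is an added example, not code from Red Hat or the original article: it reports, for esp4, esp6 and rxrpc, whether the module is loaded and whether an `install ... /bin/false` rule blocks it. The function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Audit the Dirty Frag module mitigation: for each affected module, report
# whether it is loaded and whether a modprobe.d install rule blocks it.
MODULES="esp4 esp6 rxrpc"

# is_loaded MODULE LSMOD_FILE: true if MODULE is in column 1 of lsmod-style output.
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# is_blocked MODULE DIR: true if any *.conf in DIR holds an uncommented
# "install MODULE /bin/false" (or /bin/true) rule.
is_blocked() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)[[:space:]]*$" "$f" && return 0
    done
    return 1
}

# audit LSMOD_FILE DIR: one line per module; exit status 1 if any module is
# unblocked or still loaded (a block rule does not unload a running module).
audit() {
    rc=0
    for m in $MODULES; do
        l=no; b=no
        is_loaded "$m" "$1" && l=yes
        is_blocked "$m" "$2" && b=yes
        echo "$m loaded=$l blocked=$b"
        [ "$l" = no ] && [ "$b" = yes ] || rc=1
    done
    return $rc
}

# Constructed sample data (not from a real host): esp4 is loaded, rxrpc has no rule.
SAMPLE=$(mktemp -d)
printf 'Module Size Used by\nesp4 32768 0\nxfrm_algo 16384 1 esp4\n' > "$SAMPLE/lsmod.txt"
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > "$SAMPLE/dirtyfrag.conf"
audit "$SAMPLE/lsmod.txt" "$SAMPLE" || echo "mitigation incomplete"
```

On a real host, save the output of lsmod to a file and pass it with /etc/modprobe.d as the directory. A module reported as loaded=yes stays active until it is unloaded or the system reboots, even when a block rule is present.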

Industry experts have weighed in on the severity of the discovery. Ben Ronallo, Principal Cybersecurity Engineer at Black Duck, noted that Dirty Frag exploits the same root cause as Copy Fail and Dirty Pipe but is not limited to a single subsystem. With exploit code now public, weaponization is expected within days. David Brumley, Chief AI and Science Officer at Bugcrowd, emphasized that the fix for Copy Fail alone was insufficient, highlighting the ongoing need for independent research to uncover overlooked vulnerability classes.

The early leak of Kim’s research accelerated public disclosure, underscoring the challenges of coordinated vulnerability reporting. As Linux distributions rush to deploy fixes, the incident serves as a reminder of the persistent risks posed by long-standing kernel flaws.

Source: https://hackread.com/9-year-old-dirty-frag-vulnerability-root-access-linux/

Fedora TPRM report: https://www.rankiteo.com/company/fedora-project