Dirty Frag Linux Flaws Let Local Attackers Gain Root Access


Dirty Frag is a newly disclosed Linux kernel vulnerability chain that can let a local, unprivileged user gain root access on affected systems. The issue affects kernel networking components tied to ESP and RxRPC, and public proof-of-concept activity has already raised the urgency for administrators.

The two flaws are tracked as CVE-2026-43284 and CVE-2026-43500. They can be chained to tamper with page cache data and move from low-level access to full system control.

This is not a remote attack by itself. An attacker needs local access first, such as a compromised user account, web shell, SSH access, or a container workload that can run code on the host. Once that foothold exists, Dirty Frag can increase the damage by giving the attacker root privileges.

What Dirty Frag is

Dirty Frag is a Linux local privilege escalation issue discovered and reported by security researcher Hyunwoo Kim. The vulnerability class works by chaining two separate page-cache write flaws in the Linux kernel.

The first flaw affects the ESP support used by IPsec and is tracked as CVE-2026-43284. The second affects RxRPC and is tracked as CVE-2026-43500.

The name has drawn comparisons to earlier Linux page-cache bugs such as Dirty Pipe and Copy Fail. The similarity matters because these bugs can change what the system reads from protected files in memory, even when the attacker should not have write permission to those files.

At a glance

Item | Details
Vulnerability name | Dirty Frag
CVE IDs | CVE-2026-43284 and CVE-2026-43500
Vulnerability type | Linux local privilege escalation
Main impact | Local attacker can gain root privileges
Affected areas | ESP, IPsec related modules, and RxRPC
Exploit status | Public proof-of-concept activity reported

Why the flaw is serious

Dirty Frag matters because local privilege escalation flaws often appear after an attacker already has a limited foothold. With root access, the attacker can disable security tools, steal credentials, alter logs, install persistence, and move deeper into the environment.

Microsoft said Dirty Frag may be used after initial compromise through SSH access, web shell execution, container escape scenarios, or a compromised low-privileged account. The company also said affected environments may include Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE, and OpenShift deployments.

Microsoft also reported limited in-the-wild activity involving privilege escalation patterns that may relate to Dirty Frag or Copy Fail. That makes the issue more urgent than a purely theoretical kernel bug.

How the attack works at a high level

The Dirty Frag chain targets how the Linux kernel handles certain memory fragments and page cache data. In the right conditions, an attacker can make protected file data appear modified in memory without directly writing to the file on disk.

CVE-2026-43284 affects ESP paths used by IPsec. Ubuntu describes the issue as a case where shared skb fragments could be modified without first making a private copy.

CVE-2026-43500 affects RxRPC. When chained with the ESP issue, it can expand the number of systems where the privilege escalation path may work.

Affected systems

Ubuntu says the vulnerabilities were publicly disclosed on May 7, 2026, and affect Linux kernel modules. Its guidance lists multiple Ubuntu releases as affected, including 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS.

Red Hat also published a security bulletin for Dirty Frag and said a user with a local account could trigger the flaws to gain root privileges. Red Hat refers to the issue as Copy Fail 2 because of its similarity to the earlier Copy Fail vulnerability.

Security teams should not assume only internet-facing servers matter. Developer workstations, CI runners, containers, Linux desktops, internal servers, cloud workloads, and WSL-style environments may also need review.

Patch status and mitigation

Administrators should apply vendor-supplied kernel updates as soon as they become available for their distribution and kernel package. Patch timing can vary by vendor, kernel flavor, support tier, and cloud image.

Microsoft said Linux kernel patches for CVE-2026-43284 were released on May 8, 2026. It also said CVE-2026-43500 was still pending in some places at that time.

Ubuntu recommends a temporary mitigation that blocks the affected modules from loading and unloads them if they are already active. This can reduce exposure, but it may break systems that rely on IPsec, StrongSwan, AFS, or another RxRPC-based workload.

What administrators should check

  • Identify Linux hosts that allow local users or container workloads.
  • Check whether affected ESP and RxRPC modules are loaded.
  • Review vendor advisories for the exact kernel package used on each system.
  • Apply kernel updates when your distribution releases them.
  • Consider temporary module blocking only after checking IPsec and RxRPC dependencies.
  • Review recent privilege escalation alerts and suspicious root-level activity.
  • Validate the integrity of sensitive files if exploitation is suspected.
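
One way to run the module and dependency checks from the list above, as an added example that is not from the original article or any vendor advisory. It assumes the relevant modules are `esp4`, `esp6` and `rxrpc` (the article names none) and uses the generic modprobe.d `install ... /bin/false` mechanism for blocking.

```shell
#!/bin/sh
# Added example. Module names are assumptions (the article names none):
# esp4/esp6 implement ESP for IPv4/IPv6, rxrpc implements RxRPC.
DF_WATCH="${DF_WATCH:-esp4 esp6 rxrpc}"

# Constructed sample in /proc/modules format:
# name size refcount dependents state address
sample_modules() {
    cat <<'EOF'
rxrpc 450560 1 kafs, Live 0x0000000000000000
esp4 28672 0 - Live 0x0000000000000000
xfrm_user 61440 2 - Live 0x0000000000000000
nf_tables 372736 5 nft_ct,nft_chain_nat, Live 0x0000000000000000
EOF
}

# audit_modules: read /proc/modules-format text on stdin and print one line
# per watched module that is loaded, with its refcount and dependents.
# "idle" = refcount 0 and no dependent modules; "in-use" = something holds it.
audit_modules() {
    awk -v watch="$DF_WATCH" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($1 in want) {
            deps = $4
            sub(/,$/, "", deps)
            if (deps == "-") deps = "none"
            state = ($3 + 0 == 0 && deps == "none") ? "idle" : "in-use"
            printf "%s refs=%s used_by=%s state=%s\n", $1, $3, deps, state
        }'
}

# blocklist_conf: print modprobe.d lines that make future loads fail.
# Generic modprobe.d mechanism, not text quoted from a vendor advisory.
blocklist_conf() {
    for m in $DF_WATCH; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Audit the live host when available, otherwise the constructed sample.
if [ -r /proc/modules ]; then
    audit_modules < /proc/modules
else
    sample_modules | audit_modules
fi
```

A module reported as `idle` can still be loaded on demand later, so the blocking lines also affect services such as IPsec or AFS that are configured but not currently running.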

Why container environments need attention

Container environments deserve extra attention because local privilege escalation bugs can sometimes help attackers move from a limited workload into a more powerful position on the host.

Ubuntu says deployments that run arbitrary third-party workloads may face additional container escape risk, although a public proof-of-concept for container escape was not published in its guidance.

This makes Dirty Frag especially important for hosting providers, CI platforms, shared development systems, cloud servers, and environments that run untrusted workloads.

What makes Dirty Frag different

Dirty Frag does not rely on a fragile timing race in the same way many older kernel exploits do. Reports describe it as more reliable than traditional race-condition privilege escalation techniques.

That reliability increases the risk after attackers gain initial access. A low-privileged shell that might otherwise have limited value can become a path to full root control.

The public proof-of-concept also changes the timeline. Defenders should treat the issue as something attackers can test quickly, especially on systems that lag behind on kernel updates.

Summary

  1. Dirty Frag is a Linux local privilege escalation vulnerability chain.
  2. The two flaws are tracked as CVE-2026-43284 and CVE-2026-43500.
  3. An attacker needs local code execution first, but the chain can lead to root access.
  4. Ubuntu, Red Hat, Fedora, AlmaLinux, CentOS Stream, openSUSE, and related environments may need review.
  5. Administrators should apply kernel updates and consider vendor-recommended mitigations where patches are not yet available.

FAQ

What is Dirty Frag?

Dirty Frag is a Linux kernel local privilege escalation vulnerability chain that can let a local attacker gain root privileges on affected systems.

What CVEs are linked to Dirty Frag?

Dirty Frag is linked to CVE-2026-43284 and CVE-2026-43500. The first affects ESP-related kernel paths, while the second affects RxRPC.

Can Dirty Frag be exploited remotely?

Dirty Frag is not a remote exploit by itself. An attacker first needs local code execution through a compromised account, web shell, SSH access, container workload, or another foothold.

Are patches available?

Patch availability depends on the Linux distribution and kernel package. Administrators should check vendor advisories and install the latest kernel updates released for their systems.
