Major Linux distributions are rushing to fix two new vulnerabilities after the disclosure embargo was broken.
The vulnerability, which chains two issues in separate subsystems of the Linux kernel and is known as ‘Dirty Frag,’ was found in late April 2026 by independent security researcher Hyunwoo Kim.
He found a local privilege escalation (LPE) flaw in the Linux kernel that could allow an attacker with local access to a vulnerable device to obtain root privileges on all major Linux distributions.
This vulnerability has a similar impact to ‘Copy Fail,’ a nine-year-old flaw in the Linux kernel tracked as CVE-2026-31431. Copy Fail was discovered in April by Taeyang Lee, a vulnerability researcher at offensive security firm Theori.
Lee’s work inspired Kim to look for similar vulnerabilities in the Linux kernel.
Kim said he contacted the Linux kernel security team on April 30. However, on May 8 he told subscribers of the Openwall Project’s oss-security mailing list that the embargo on the new vulnerability had been broken before patches were ready.
“After consultation with the [Linux distributions] maintainers, and at the maintainers’ request, I am publicly releasing this Dirty Frag document,” Kim wrote.
Kim and other members of the vulnerability research community quickly began working on ways to fix the Dirty Frag vulnerability.
Meanwhile, the Linux kernel security team disclosed two separate high-severity page-cache vulnerabilities on May 8 which, chained together, make up Dirty Frag.
The first, tracked as CVE-2026-43284, is a write-what-where condition in the xfrm-ESP (IPsec) subsystem of the Linux kernel that has been exploitable since 2017. When exploited, it grants an attacker the ability to write an arbitrary value to an arbitrary location. CVE-2026-43284 has a severity rating (CVSS) of 8.8.
The second one, tracked as CVE-2026-43500, is an out-of-bounds write in the RxRPC subsystem of the Linux kernel that has been exploitable since 2023. An out-of-bounds write is a vulnerability where a product writes data past the end, or before the beginning, of the intended buffer. CVE-2026-43500 has a severity rating (CVSS) of 7.8.
Observed In-the-Wild Activity Could Be Linked to Dirty Frag Exploitation
Kim also published a proof-of-concept (PoC) exploit for Dirty Frag.
In a blog post published on May 8, the Microsoft Defender Security Research Team said it has identified “limited in-the-wild activity” where privilege escalation involving ‘su’ is observed, which may be indicative of techniques associated with either Dirty Frag or Copy Fail.
The Microsoft researchers believe Dirty Frag could be exploited along a variety of intrusion paths, including:
- Compromised SSH accounts
- Web-shell access on internet-facing applications
- Container escapes into the host environment
- Abuse of low-privileged service accounts
- Post-exploitation activity following phishing or remote access compromise
Meanwhile, maintainers of Linux distributions are progressively releasing patches for CVE-2026-43284 and CVE-2026-43500.
Mitigation Recommendations for Dirty Frag
Until a patch is available, Kim recommended that security teams block the affected kernel modules (esp4, esp6 and rxrpc) by running the following one-liner as root as a temporary mitigation for Dirty Frag:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
The modprobe “install” directives make any later attempt to load these modules fail, while rmmod unloads them if they are currently loaded; the unload fails silently if a module is in use, and neither step helps on a kernel that has the code compiled in rather than as modules.
In another blog post, also published on May 8, Google Cloud-owned Wiz shared a list of mitigation steps.
These include the following steps:
- Assessing operational impact before applying mitigation (disabling esp4 / esp6 may break IPsec functionality, disabling rxrpc may impact AFS-based environments)
- Applying patches as soon as they are available
- Hardening local access paths: restrict shell access and enforce least privilege, ensure SELinux/AppArmor is enforced and avoid granting unnecessary capabilities (e.g. CAP_NET_ADMIN)
- Monitoring for suspicious activity: detect abnormal privilege escalations, track execution of compilation tools and exploit-like behavior and inspect integrity of critical system binaries
- Performing post-mitigation cleanup (if compromise is suspected): run “echo 3 > /proc/sys/vm/drop_caches” as root to drop the page cache, so that cached file pages an exploit may have modified are discarded and re-read from disk
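As an added example that covers both Kim’s one-liner and the Wiz steps above (this is not code from Kim’s advisory or from Wiz’s post), the following script reports whether each of the three modules is loaded, compiled into the kernel or absent, writes the same modprobe override, attempts the unload, confirms the block with a modprobe dry run, and wraps the drop_caches cleanup in a function. The function names, the MODULES list and the DIRTYFRAG_APPLY variable are this example’s own conventions; it must run as root to change anything, and it changes nothing unless DIRTYFRAG_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from Kim's advisory or Wiz's post): assess and apply the
# Dirty Frag module block, then verify it. Function names, MODULES and the
# DIRTYFRAG_APPLY switch are this example's own conventions.

MODULES="esp4 esp6 rxrpc"

# Print "loaded", "builtin", "absent" or "unknown" for one module name.
# The "^name " anchor avoids matching esp4_offload when asking about esp4,
# and "/name.ko$" does the same in modules.builtin.
module_state() {
    name=$1
    if [ -r /proc/modules ] && grep -q "^$name " /proc/modules; then
        echo loaded
        return 0
    fi
    builtin_list="/lib/modules/$(uname -r)/modules.builtin"
    if [ ! -r "$builtin_list" ]; then
        echo unknown
        return 0
    fi
    if grep -q "/$name\.ko$" "$builtin_list"; then
        echo builtin    # compiled in: a modprobe rule cannot disable it
    else
        echo absent
    fi
}

# Write the modprobe override. "install NAME /bin/false" makes modprobe run
# /bin/false instead of inserting the module, so any later load attempt fails.
# It has no effect on a module that is already loaded or built into the kernel.
write_dirtyfrag_conf() {
    conf=${1:-/etc/modprobe.d/dirtyfrag.conf}
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > "$conf"
}

# Unload whatever is currently loaded. rmmod refuses if the module is in use
# (active IPsec state, loaded esp4_offload/esp6_offload, mounted AFS), so
# report that failure instead of hiding it.
unload_modules() {
    for m in $MODULES; do
        if [ "$(module_state "$m")" = loaded ]; then
            rmmod "$m" 2>/dev/null || echo "warning: $m still loaded (in use or has dependents)"
        fi
    done
}

# Dry-run modprobe: with the override in place, verbose output names /bin/false.
verify_blocked() {
    for m in $MODULES; do
        if modprobe -n -v "$m" 2>/dev/null | grep -q '/bin/false'; then
            echo "$m: load blocked"
        else
            echo "$m: NOT blocked by modprobe (built in, or override not picked up)"
        fi
    done
}

# Wiz's cleanup step: discard cached file pages so anything an exploit altered
# in the page cache is re-read from disk. Root only.
drop_page_cache() {
    echo 3 > /proc/sys/vm/drop_caches
}

mitigate_dirtyfrag() {
    conf=${1:-/etc/modprobe.d/dirtyfrag.conf}
    for m in $MODULES; do
        echo "$m: $(module_state "$m")"
    done
    write_dirtyfrag_conf "$conf"
    unload_modules
    verify_blocked
}

# Nothing is changed unless explicitly requested:
#   sudo DIRTYFRAG_APPLY=1 sh dirtyfrag-mitigate.sh
if [ "${DIRTYFRAG_APPLY:-0}" = 1 ]; then
    mitigate_dirtyfrag
fi
```

A “builtin” or “unknown” state for any module means the modprobe route cannot help on that host and the kernel patch is the only fix; a “loaded” module that survives the unload is in use and stays exploitable until it can be unloaded or the host is rebooted into a kernel with the override in place. Call drop_page_cache separately, after the block is in place, when a compromise is suspected.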
