
CVE-2026-43284: Dirty Frag Linux Kernel Flaw Enables Local Root Privilege Escalation

CVE-2026-43284 is the ESP/XFRM-side Linux kernel vulnerability associated with Dirty Frag, a local privilege escalation chain that can allow a local attacker to gain root privileges when combined with CVE-2026-43500.

Dirty Frag is commonly discussed as a chain involving CVE-2026-43284 and CVE-2026-43500. CVE-2026-43284 covers the IPsec ESP side, while CVE-2026-43500 tracks the RxRPC side. Several vendor and security advisories say the chain can allow a local, unprivileged attacker to obtain root privileges on affected Linux systems.

Defenders should prioritize kernel updates, especially on multi-user systems, container hosts, developer workstations, exposed application servers, and environments where attackers may already have low-privileged shell access. Temporary module blocklisting is available, but it can break IPsec/VPN or AFS/RxRPC-dependent workloads.

Summary

Dirty Frag matters because local privilege escalation bugs are often used after initial compromise. A web shell, compromised SSH account, exposed service account, or weak container workload can provide the local execution needed to attempt root escalation.

CVE-2026-43284 is not a remote unauthenticated RCE by itself. The practical risk is post-compromise escalation: an attacker who already has local execution may be able to move from a restricted user context to root, disable security controls, access secrets, tamper with logs, and pivot further inside the environment.

The available sources confirm public proof-of-concept activity. Microsoft also describes an ongoing investigation into active campaign activity involving Dirty Frag. That does not automatically mean mass exploitation across the internet, but it is enough to treat this as an urgent patching issue for Linux estates.

What happened

The Linux kernel CVE record for CVE-2026-43284 was published on May 8, 2026. NVD carries the kernel.org description, titled "xfrm: esp: avoid in-place decrypt on shared skb frags".

The bug involves how pages from a pipe can be attached directly to a socket buffer (skb) as fragments, without copying, when data is spliced into a socket with MSG_SPLICE_PAGES. TCP marks such socket buffers with SKBFL_SHARED_FRAG so that later code knows the fragments are not private and copies them before writing. NVD says the IPv4 and IPv6 datagram append paths (ip_append_data() and ip6_append_data(), which UDP uses) did not set this flag when splicing pages into UDP socket buffers.

That leaves an ESP-in-UDP packet built from shared pipe pages looking like a normal, uncloned, nonlinear socket buffer. ESP input may then take its fast path and decrypt in place, writing decrypted output over pages the socket buffer does not privately own. The fix marks IPv4 and IPv6 datagram splice fragments with SKBFL_SHARED_FRAG and makes ESP input fall back to copy-on-write handling when that flag is present.

Vendors and security organizations are referring to the broader chained issue as Dirty Frag. Red Hat describes Dirty Frag as two issues in the Linux kernel networking subsystem affecting IPSec ESP (esp4/esp6) and rxrpc. Ubuntu says the first vulnerability affects ESP modules used for IPsec and the second affects RxRPC, a protocol used by AFS.

Affected products

Linux kernel
  Affected versions: kernel versions containing the vulnerable ESP/XFRM behavior
  Fixed versions: kernel builds containing the "xfrm: esp: avoid in-place decrypt on shared skb frags" fix
  Source notes: NVD and kernel stable release notes confirm the resolved kernel issue.

Ubuntu
  Affected versions: Canonical says all Ubuntu releases listed in its advisory are impacted, including 14.04 LTS through 26.04 LTS
  Fixed versions: fixes are distributed through Linux kernel image packages; the mitigation can be removed once updated
  Source notes: Canonical assessed severity as HIGH with CVSS 3.1 score 7.8.

Red Hat Enterprise Linux and OpenShift
  Affected versions: Red Hat confirms its investigation is ongoing and lists Red Hat Enterprise Linux 10, 9, 8 and OpenShift 4 as affected
  Fixed versions: Red Hat says it is expediting fixes and provides interim mitigation guidance
  Source notes: Red Hat rates the CVE-2026-43284 ESP issue as Important.

AlmaLinux
  Affected versions: AlmaLinux says every supported AlmaLinux release is affected
  Fixed versions: AlmaLinux reported patched kernels rolling out to production repositories on May 8, 2026 at 15:22 UTC
  Source notes: AlmaLinux says CVE-2026-43284 covers the IPsec ESP half and CVE-2026-43500 covers the RxRPC half.

Debian
  Affected versions: the Debian tracker lists several Linux source package releases as vulnerable, with trixie security and sid fixed at the time checked
  Fixed versions: Debian lists trixie security 6.12.86-1 and sid 7.0.4-1 as fixed
  Source notes: Debian status differs by release and package stream. Check your exact package version.

Other Linux distributions
  Affected versions: multiple advisories mention Fedora, CentOS Stream, openSUSE, and other Linux distributions in Dirty Frag testing or exposure context
  Fixed versions: use each vendor's kernel advisory and package repositories
  Source notes: do not assume your distribution is fixed until the running kernel version is verified.

Technical details

CVE-2026-43284 affects the Linux kernel ESP/XFRM path. In practical terms, the vulnerable condition can allow externally backed page fragments to be modified in place by ESP input handling when they should first be copied into private kernel-owned memory.

The broader Dirty Frag chain is described by several sources as involving two bugs:

  • CVE-2026-43284 (ESP/XFRM, esp4 and esp6): published. NVD has a public record and describes the resolved kernel issue.
  • CVE-2026-43500 (RxRPC): reserved, with details still emerging at initial publication. CVE.org showed the record as reserved when checked; vendors use it to track the RxRPC half.

According to Canonical and other advisories, the issue is local privilege escalation. The reported CVSS 3.1 assessment from Canonical is 7.8 HIGH. The Belgian Centre for Cybersecurity also lists CVSS 7.8 with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H for CVE-2026-43284.

Current source-backed technical properties:

  • CVE: CVE-2026-43284
  • Vulnerability name: Dirty Frag, ESP/XFRM side
  • Component: Linux kernel networking, ESP/IPsec, XFRM
  • Attack vector: local
  • Privileges required: low (local user access), according to vendor descriptions
  • User interaction: none, according to the CVSS vector used by public advisories
  • Impact: privilege escalation to root when successfully exploited, especially in the broader Dirty Frag chain
  • CWE: not clearly confirmed in the reviewed authoritative sources
  • CVSS: no confirmed score in the NVD record reviewed; Canonical and the Belgian CCB list 7.8 HIGH

No exploit code or exploitation procedure is included here. The important defensive point is that this is a kernel memory-handling issue that can turn local execution into root privileges on vulnerable systems.

Exploitation status

Public proof-of-concept activity is confirmed by Tenable and NHS England Digital. NHS England Digital says researchers published a proof-of-concept exploit for CVE-2026-43284 and CVE-2026-43500 and assessed exploitation as highly likely.

Microsoft published a May 8, 2026 report titled “Active attack: Dirty Frag Linux vulnerability expands post-compromise risk” and states that it is investigating active campaign activity. Microsoft also published Microsoft Defender detection names related to Dirty Frag activity.

A public proof of concept does not automatically prove broad real-world exploitation. However, the combination of public PoC activity, vendor urgency, Microsoft’s active campaign investigation, and the operational value of Linux root escalation makes this a high-priority vulnerability for defenders.

No CISA Known Exploited Vulnerabilities catalog entry for CVE-2026-43284 was identified in the public sources checked at the time of writing. If CISA adds the CVE later, organizations bound by KEV deadlines should follow the official remediation date.

Impact

Successful exploitation can allow a local attacker to obtain root privileges on an affected Linux host. This is especially serious where attackers can already gain limited code execution through:

  • Compromised SSH accounts
  • Web shells on Linux servers
  • Low-privileged service accounts
  • CI/CD runners and build hosts
  • Developer workstations
  • Shared hosting systems
  • Containerized workloads running on vulnerable kernels

Ubuntu warns that in container deployments executing arbitrary third-party workloads, the vulnerability may also facilitate container escape scenarios in addition to local privilege escalation. Canonical also says a container escape proof of concept had not been published at the time of its advisory.

The practical risk is not just root on one machine. Root access can lead to credential theft, EDR tampering, kernel-level persistence attempts, lateral movement, log destruction, and compromise of secrets stored on the host.

Defender guidance

Patch first. Temporary mitigations are useful, but they are not a substitute for kernel updates.

Recommended actions:

  1. Inventory Linux systems running affected kernels.
  2. Prioritize internet-facing servers, SSH-accessible systems, shared systems, Kubernetes/container hosts, CI/CD runners, and high-value production Linux hosts.
  3. Apply vendor kernel updates as soon as they are available.
  4. Reboot systems after kernel updates to ensure the fixed kernel is actually running.
  5. Validate the running kernel version after reboot, not only the installed package version.
  6. Restrict unnecessary local shell access.
  7. Review privileged container configurations and untrusted workloads.
  8. Monitor for suspicious privilege escalation behavior.
  9. Review logs for abnormal root activity after low-privileged process execution.
  10. Confirm whether IPsec, VPN, AFS, or RxRPC-dependent workloads will be affected before applying module blocklisting.

For container and Kubernetes environments, focus on node patching. Updating a container image does not fix a vulnerable host kernel.

Detection and hunting notes

There are no reliable public IP, domain, or file-hash indicators that should be treated as universal Dirty Frag IOCs at the time of writing. This is a local kernel privilege escalation issue, so hunting should focus on behavior and post-exploitation activity.

Recommended hunting areas:

  • Privilege escalation: low-privileged users or service accounts spawning root shells or privileged processes unexpectedly.
  • Process lineage: web server, SSH, CI runner, container runtime, or application processes followed by unusual root-level command execution.
  • Kernel modules: unexpected loading, unloading, or blocklisting changes involving esp4, esp6, rxrpc, XFRM, IPsec, or AFS-related functionality. Audit rules of the form "-w /etc/modprobe.d -p wa -k modprobe" and "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules" record these events if you do not already collect them.
  • Container hosts: workloads with weak isolation, unconfined seccomp, unnecessary capabilities, privileged containers, or allowPrivilegeEscalation enabled.
  • Integrity checks: unexpected changes to root-owned binaries, scripts, security tooling, scheduled jobs, SSH keys, PAM configuration, or service units.
  • Security tooling: EDR/AV disabling, audit log tampering, kernel log clearing, or suspicious changes after local user activity.

Microsoft published the following Microsoft Defender detection names for possible Dirty Frag exploitation activity:

  • Exploit:Linux/DirtyFrag.A (Defender detection name): possible Dirty Frag exploitation activity.
  • Exploit:Linux/DirtyFrag.B (Defender detection name): possible Dirty Frag exploitation activity.
  • Trojan:Linux/DirtyFrag.Z!MTB (Defender detection name): Microsoft Defender malware/threat detection.
  • Trojan:Linux/DirtyFrag.ZA!MTB (Defender detection name): Microsoft Defender malware/threat detection.
  • Trojan:Linux/DirtyFrag.ZC!MTB (Defender detection name): Microsoft Defender malware/threat detection.
  • Trojan:Linux/DirtyFrag.DA!MTB (Defender detection name): Microsoft Defender malware/threat detection.
  • "Potential exploitation of dirtyfrag vulnerability detected" (Defender for Cloud alert): Microsoft Defender for Cloud detection coverage.

Mitigation

Patch guidance

Apply kernel updates from your Linux distribution or vendor. Reboot after installing the fixed kernel. Kernel package installation alone is not enough if the system is still running the old vulnerable kernel.

For AlmaLinux, the project reported production repository kernel updates rolling out on May 8, 2026. For Debian, status varies by release and package stream. For Red Hat and Ubuntu, follow the vendor advisories and errata for your exact product version.

Temporary workaround

Vendors describe a temporary mitigation: prevent the affected kernel modules from loading, and unload them where possible. A modprobe "install <module> /bin/false" directive makes every modprobe request for that module run /bin/false instead of loading it, so on-demand loading fails (for example when an ESP security association is created or an AF_RXRPC socket is opened). A plain "blacklist" line is weaker, because it only suppresses alias-based autoloading. This reduces exposure but breaks functionality.

Operational warning: blocking esp4 and esp6 breaks IPsec, including VPN deployments that use ESP. Blocking rxrpc affects AFS (kafs) or other RxRPC-dependent systems. Test before applying broadly. Also note that rmmod refuses to remove a module that is still in use, for instance esp4 while ESP states exist or while esp4_offload is loaded on top of it; a module that cannot be unloaded stays active until reboot, and the blocklist then only prevents it from being loaded again.

Example defensive mitigation pattern based on vendor guidance:

printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' | sudo tee /etc/modprobe.d/dirty-frag.conf
sudo rmmod esp4 esp6 rxrpc 2>/dev/null || true

On Ubuntu systems, Canonical also recommends regenerating the initramfs after module blocklisting, so that the modprobe.d change is carried into early boot (on dracut-based distributions the equivalent is sudo dracut --force):

sudo update-initramfs -u -k all

To check whether the modules are loaded:

grep -qE '^(esp4|esp6|rxrpc) ' /proc/modules && echo "Affected modules are loaded" || echo "Affected modules are NOT loaded"

Remove the mitigation only after the system is running a fixed kernel and the risk has been accepted:

sudo rm /etc/modprobe.d/dirty-frag.conf
sudo update-initramfs -u -k all
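Steps 4, 5 and 10 of the recommended actions above and the temporary workaround commands in this section together amount to a small exposure check: is the running kernel at or above the fixed release, are esp4, esp6 and rxrpc loaded right now, and is the blocklist actually complete rather than a bare "blacklist" line. The POSIX shell script below is an added example written for this page, not vendor tooling or code from any advisory. It assumes GNU sort -V for version comparison, the /etc/modprobe.d/dirty-frag.conf path used above, and a FIXED_VERSION value that you take from your own vendor advisory; that value is a placeholder assumption and must be the same kind of string as uname -r prints (a package version such as Debian's 6.12.86-1 is not directly comparable to a running-kernel release string).

```sh
#!/bin/sh
# Added example for this page (not vendor tooling): summarize a host's
# Dirty Frag exposure from three checks: running kernel release vs. a fixed
# release string, which of esp4/esp6/rxrpc are loaded, and whether the
# modprobe.d blocklist is complete. FIXED_VERSION is an assumed placeholder;
# take the real value from your vendor advisory.

# version_ge A B: succeed when release string A sorts at or above B.
# Uses GNU sort -V; both strings must be of the same kind (e.g. both uname -r).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# affected_modules_loaded FILE: print the affected modules present in a
# /proc/modules-style listing (first column is the module name).
affected_modules_loaded() {
    awk '$1 == "esp4" || $1 == "esp6" || $1 == "rxrpc" { print $1 }' "$1"
}

# blocklist_complete FILE: succeed only if FILE has an
# "install <module> /bin/false" (or /bin/true) line for all three modules.
# A plain "blacklist" line does not count: it only stops alias autoloading.
blocklist_complete() {
    for m in esp4 esp6 rxrpc; do
        grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(false|true)([[:space:]]|\$)" "$1" || return 1
    done
    return 0
}

# exposure_state RUNNING FIXED MODULES_FILE CONF_FILE: print one verdict.
#   patched    running release is at or above the fixed release
#   mitigated  not patched, no affected module loaded, blocklist complete
#   exposed    anything else
exposure_state() {
    if version_ge "$1" "$2"; then
        echo patched
    elif [ -z "$(affected_modules_loaded "$3")" ] && [ -f "$4" ] && blocklist_complete "$4"; then
        echo mitigated
    else
        echo exposed
    fi
}

# report: run the checks against this host (reads /proc/modules and the
# blocklist file only; no changes are made).
report() {
    running=$(uname -r)
    printf 'running kernel: %s\n' "$running"
    printf 'loaded affected modules: %s\n' "$(affected_modules_loaded /proc/modules | tr '\n' ' ')"
    if [ -n "${FIXED_VERSION:-}" ]; then
        printf 'state: %s\n' "$(exposure_state "$running" "$FIXED_VERSION" /proc/modules /etc/modprobe.d/dirty-frag.conf)"
    else
        echo 'state: unknown (export FIXED_VERSION=<fixed release string from your vendor advisory>)'
    fi
}

report
```

A verdict of mitigated means only that nothing affected is loaded at this moment and the blocklist would stop a modprobe; it is not a fixed kernel, and it flips back to exposed the moment a module is loaded by hand. Treat patched as the only end state, and run the check again after the reboot, not just after the package install.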

Timeline

  • 2026-04-30: public disclosure timelines reported vulnerability submission and patch activity around the ESP issue.
  • 2026-05-07: Dirty Frag was publicly disclosed, according to vendor and security advisories.
  • 2026-05-08: NVD published CVE-2026-43284 from kernel.org with the ESP/XFRM fix description.
  • 2026-05-08: Ubuntu, Red Hat, AlmaLinux, Tenable, Microsoft, NHS England Digital, and other organizations published or updated advisories.
  • 2026-05-08: AlmaLinux reported patched kernels rolling out to production repositories at 15:22 UTC.
  • 2026-05-09: this article was prepared from the public sources available.

Bottom line

CVE-2026-43284 should be treated as a high-priority Linux kernel vulnerability. It is local privilege escalation, not unauthenticated remote code execution, but that distinction should not make defenders comfortable. Attackers often obtain low-privileged execution first and then use LPE bugs to take over the host.

Patch affected Linux kernels, reboot into the fixed kernel, and prioritize systems where local execution is realistic: servers with SSH exposure, web workloads, CI/CD runners, shared Linux hosts, and container platforms. Use module blocklisting only as a temporary control and only after checking the impact on IPsec, VPN, AFS, and RxRPC-dependent workloads.

Sources

  1. https://nvd.nist.gov/vuln/detail/CVE-2026-43284
  2. https://www.cve.org/CVERecord?id=CVE-2026-43284
  3. https://access.redhat.com/security/vulnerabilities/RHSB-2026-003
  4. https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available
  5. https://almalinux.org/blog/2026-05-07-dirty-frag/
  6. https://security-tracker.debian.org/tracker/CVE-2026-43284
  7. https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/
  8. https://www.tenable.com/blog/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe
  9. https://digital.nhs.uk/cyber-alerts/2026/cc-4779
  10. https://ccb.belgium.be/advisories/warning-dirty-frag-new-linux-local-privilege-escalation-vulnerability-was-disclosed
  11. https://lwn.net/Articles/1071778/
Harith Dilshan
- Offensive Security Engineer | Ethical Hacker | Penetration Tester -