Dirty Frag Linux Kernel Vulnerability Enables Root Privilege Escalation

Original: Dirty Frag: Yet Another Universal Linux Kernel Privilege Escalation Vulnerability Active Since 2017, Unaffected By "Copy Fail" Mitigations

Why This Matters

Major Linux distributions face privilege escalation risk affecting systems since 2017

Wiz researchers disclosed Dirty Frag (CVE-2026-43284, CVE-2026-43500), a Linux kernel privilege escalation vulnerability affecting the ESP and RxRPC subsystems since 2017. The flaw allows local attackers to gain root access on major distributions including Ubuntu, RHEL, and Fedora.

Dirty Frag exploits flaws in the Linux kernel's ESP (IPsec) and RxRPC subsystems to enable local privilege escalation. Discovered by Hyunwoo Kim, the vulnerability chain allows modification of page-cache-backed memory, enabling corruption of sensitive files and root access. Unlike race-condition exploits, this bug is deterministic and highly reliable. The ESP component dates back to 2017, while the RxRPC component affects kernels since 2023.

Exploitation requires CAP_NET_ADMIN permissions, making it less likely in hardened containers but significant for VMs. The vulnerability affects Ubuntu, RHEL 8/9/10, CentOS Stream, AlmaLinux, Fedora, and openSUSE Tumbleweed.

No official patches are available, but researchers recommend disabling the vulnerable modules (esp4, esp6, rxrpc) as a temporary mitigation. Organizations should monitor vendor advisories and apply kernel updates when released.
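The module-disabling mitigation only holds if each of the three modules is both unloaded and prevented from loading again. The script below is an added example, not taken from the Wiz write-up or the original article; it assumes block rules are written as `install <module> /bin/false` under /etc/modprobe.d, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original article): audit the temporary
# Dirty Frag mitigation for the modules the article names.
# Assumption: block rules live in /etc/modprobe.d; other modprobe.d
# locations (/run, /usr/lib) are not searched here.
# Limit: code built into the kernel (=y) never appears in /proc/modules
# and cannot be disabled through modprobe configuration.
MODULES="esp4 esp6 rxrpc"

# is_loaded MODULE [PROC_FILE]: true if MODULE is currently loaded.
is_loaded() {
    awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' \
        "${2:-/proc/modules}" 2>/dev/null
}

# is_blocked MODULE [CONF_DIR]: true only for an "install MODULE /bin/false"
# (or /bin/true) rule. A "blacklist" line is deliberately not accepted:
# it only suppresses alias resolution; an explicit modprobe MODULE still loads it.
is_blocked() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        awk -v m="$1" '$1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { f = 1 }
                       END { exit !f }'
}

# module_status MODULE [PROC_FILE] [CONF_DIR]: prints one of
#   mitigated           not loaded, and load attempts fail
#   blocked-but-loaded  rule present, but the code is still in memory
#   loadable            not loaded now, but nothing prevents loading
#   exposed             loaded and not blocked
module_status() {
    if is_loaded "$1" "${2:-/proc/modules}"; then
        if is_blocked "$1" "${3:-/etc/modprobe.d}"; then echo blocked-but-loaded
        else echo exposed; fi
    else
        if is_blocked "$1" "${3:-/etc/modprobe.d}"; then echo mitigated
        else echo loadable; fi
    fi
}

# Report the status of each module on the local host.
for m in $MODULES; do
    printf '%-6s %s\n' "$m" "$(module_status "$m")"
done
```

Disabling esp4 and esp6 removes kernel IPsec ESP support, so hosts that terminate IPsec tunnels need that impact assessed before the rules are deployed.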

Source

wiz.io