Dirty Frag Vulnerability Chain Exposes Linux Systems to Root-Level Exploitation
A new Linux kernel privilege escalation chain dubbed "Dirty Frag" allows unprivileged local users to gain root access across most major distributions using a publicly available exploit.

"Dirty Frag" is a high-severity local privilege escalation (LPE) vulnerability chain affecting the Linux kernel that allows unprivileged local users to gain root access. Discovered by researcher Hyunwoo Kim, the vulnerability consists of two distinct flaws: an xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and an RxRPC Page-Cache Write vulnerability (CVE-2026-43500) [Tenable]. By chaining these two components, an attacker can modify protected files in memory—such as /etc/passwd or /usr/bin/su—without requiring a race condition, resulting in a highly reliable and deterministic exploit [SANS ISC; BleepingComputer].
The technical mechanism behind Dirty Frag involves a zero-copy send path where the splice() system call plants a reference to a page cache page—which the attacker only has read access to—into the frag slot of a sender-side socket buffer (skb). The receiver-side kernel code then performs in-place cryptographic operations on that frag, effectively corrupting the page cache in RAM. While the xfrm-ESP flaw resides in the IPsec ESP decryption fast paths, the RxRPC flaw affects the module supporting the AFS distributed file system [SANS ISC]. Neither vulnerability provides a reliable primitive for full root escalation on its own, but their combination covers the blind spots of each, enabling immediate root access [SANS ISC; Help Net Security].
The vulnerability affects a broad range of major Linux distributions, including Ubuntu, Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora [Tenable; The Register]. The xfrm-ESP component has been present in the upstream kernel since 2017, while the RxRPC component was introduced in 2023 [Tenable]. Because the vulnerability was publicly disclosed on May 7, 2026, following an embargo breach by an unrelated third party, proof-of-concept exploit code is already publicly available, creating an urgent risk for system administrators [Tenable; The Register].
As of May 11, 2026, Microsoft Defender has observed limited in-the-wild activity involving privilege escalation techniques that may be associated with Dirty Frag or the recently disclosed "Copy Fail" vulnerability (CVE-2026-31431) [Help Net Security]. Attackers have been observed gaining initial access via SSH, executing ELF binaries to trigger privilege escalation via su, and performing reconnaissance on sensitive system files [Help Net Security]. While Copy Fail has already been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, Dirty Frag remains a critical, evolving threat [BleepingComputer; Help Net Security].
In the absence of comprehensive patches for all affected distributions, the primary mitigation is to denylist and unload the vulnerable kernel modules (esp4, esp6, and rxrpc) [SANS ISC; BleepingComputer]. Administrators can use the following command to disable these modules [BleepingComputer]:

    sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

Note that this action may disrupt IPsec VPNs and AFS-dependent workloads [Help Net Security; BleepingComputer].
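Because the mitigation command above discards rmmod errors, a module that was in use can stay loaded without any message. The following check is an added example (not from the article or its sources) that reports, per module, whether it is still loaded and whether an install override blocks reloading. It assumes only one configuration directory (/etc/modprobe.d by default) is consulted; the function names and the sample data in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Dirty Frag module mitigation (esp4, esp6, rxrpc).
MODULES="esp4 esp6 rxrpc"

# True if module $1 appears in a /proc/modules-format file ($2).
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' \
        "${2:-/proc/modules}" 2>/dev/null
}

# True if a *.conf file in directory $2 overrides loading of module $1 with
# "install <module> /bin/false". A "blacklist" line is not counted: it only
# suppresses alias-based autoloading, not explicit or dependency loads.
module_blocked() {
    for f in "${2:-/etc/modprobe.d}"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { hit = 1 }
                       END { exit !hit }' "$f" && return 0
    done
    return 1
}

# Print one line per module; return the number of modules still exposed
# (currently loaded, or not blocked from being loaded again).
audit() {
    exposed=0
    for m in $MODULES; do
        loaded=no; blocked=no
        module_loaded "$m" "$1" && loaded=yes
        module_blocked "$m" "$2" && blocked=yes
        echo "$m loaded=$loaded blocked=$blocked"
        if [ "$loaded" = yes ] || [ "$blocked" = no ]; then exposed=$((exposed + 1)); fi
    done
    return "$exposed"
}

# Constructed sample: rxrpc is still loaded and only blacklisted, not overridden.
demo() {
    d=$(mktemp -d)
    printf 'rxrpc 409600 0 - Live 0x0\n' > "$d/modules"
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\nblacklist rxrpc\n' \
        > "$d/dirtyfrag.conf"
    audit "$d/modules" "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "modules still exposed: $?"
```

Calling audit with no arguments checks the live /proc/modules and /etc/modprobe.d; a non-zero exit status means at least one of the three modules is loaded or can still be loaded.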
Dirty Frag highlights a recurring pattern of page-cache corruption vulnerabilities in the Linux kernel, following similar disclosures like Dirty Pipe and Copy Fail [Tenable; BleepingComputer]. The incident underscores the risks posed by broken disclosure embargoes, which can leave systems exposed to public exploits before vendors have time to finalize and distribute security updates. Organizations are encouraged to treat Dirty Frag and Copy Fail as a combined remediation effort, as they share similar attack surfaces and mitigation strategies [Help Net Security].