‘Dirty Frag’ Linux Kernel Vulnerability Under Active Exploitation
A high-severity local privilege escalation vulnerability affecting the Linux kernel is currently being exploited in the wild, prompting urgent patch releases across major distributions.

A newly disclosed local privilege escalation vulnerability, dubbed "Dirty Frag" and "Copy Fail 2," is currently threatening major Linux distributions. The vulnerability comprises two distinct flaws, tracked as CVE-2026-43284 and CVE-2026-43500, which allow an unprivileged user to gain root-level permissions on an affected system (SecurityWeek).
The technical mechanism behind the exploit targets the xfrm-ESP (IPsec) and RxRPC components of the Linux kernel. According to researcher Hyunwoo Kim, who responsibly disclosed the flaws, the vulnerability is a deterministic logic bug. Unlike many kernel exploits that rely on complex timing windows or race conditions, this bug is highly reliable and does not cause kernel panics upon failure, leading to a very high success rate (SecurityWeek).
While the vulnerability was intended to be disclosed after patches were ready, the details and proof-of-concept (PoC) code were made public prematurely. Microsoft has reported limited in-the-wild activity potentially linked to the exploitation of Dirty Frag or the related "Copy Fail" vulnerability. Observed attack patterns involve attackers gaining initial access through compromised SSH accounts, web shells, or service account abuse, followed by the modification of GLPI LDAP authentication files and the manipulation of PHP session data (SecurityWeek).
The impact of Dirty Frag is most significant on standard hosts, though Ubuntu developers have noted that it may allow container escapes, a capability that has not yet been fully demonstrated. Microsoft’s Defender product has already observed activity consistent with these exploits, highlighting the urgency for administrators to secure their environments (SecurityWeek).
In response to the threat, major Linux distributions have begun rolling out patches and mitigations. Users of Red Hat, Amazon Linux, Ubuntu, Fedora, and Alma Linux are advised to apply the latest security updates as soon as they become available to protect their systems from potential privilege escalation (SecurityWeek).
Dirty Frag joins a growing list of high-impact Linux kernel vulnerabilities, drawing comparisons to the 2022 "Dirty Pipe" flaw. The emergence of these vulnerabilities underscores the ongoing challenge of securing core kernel components against logic-based exploits. Security teams should prioritize patching and monitor for unauthorized access to sensitive configuration and session files, which remain primary targets for actors leveraging these types of kernel-level flaws (SecurityWeek).