VYPR
researchPublished May 11, 2026· Updated May 17, 2026· 1 source

"Dirty Frag" Linux Kernel Vulnerability Enables Root Privilege Escalation

A new, highly reliable privilege escalation exploit chain dubbed "Dirty Frag" is targeting the Linux kernel, affecting major enterprise distributions and showing early signs of in-the-wild exploitation.

A newly disclosed Linux kernel vulnerability chain, dubbed "Dirty Frag," is enabling root privilege escalation across a wide range of enterprise Linux distributions. Security researcher Hyunwoo Kim, known as "V4bel," publicly disclosed the flaw and released a proof-of-concept (PoC) exploit last week, prompting immediate concern among security teams Dark Reading.

The "Dirty Frag" vulnerability is composed of two distinct kernel flaws: the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write. By chaining these two issues—tracked as CVE-2026-43284 and CVE-2026-43500—an attacker can modify protected system files in memory without authorization. Both vulnerabilities have been assigned a CVSS score of 7.8 and are classified as "Important" by Red Hat Dark Reading.

Technically, Dirty Frag belongs to the same class of vulnerabilities as the previously discovered "Dirty Pipe" and "Copy Fail" flaws, as all involve weaknesses in how the Linux kernel handles page-cache memory writes. However, Dirty Frag is considered more dangerous due to its deterministic nature. Unlike its predecessors, it does not rely on timing windows or race conditions, meaning the exploit does not cause kernel panics and boasts a very high success rate Dark Reading.

The scope of the vulnerability is extensive, affecting major distributions including Ubuntu 24.04.4, Red Hat Enterprise Linux (RHEL) 10.1, CentOS Stream 10, AlmaLinux 10, openSUSE Tumbleweed, and Fedora 44. Researcher Hyunwoo Kim confirmed that even systems previously patched against "Copy Fail" remain vulnerable to Dirty Frag, as it targets different kernel data structures Dark Reading.

There are already indications of limited in-the-wild exploitation. The Microsoft Defender Security Research Team reported observing privilege escalation activity involving the su command that may be linked to either Dirty Frag or Copy Fail. While it remains unclear if attackers are specifically targeting Dirty Frag, the availability of a public PoC has significantly lowered the barrier for exploitation Dark Reading.

As of the latest reports, many affected distributions remain without full patches. Red Hat has acknowledged the vulnerability, noting that the issues reside within the IPsec ESP (esp4/esp6) and rxrpc modules, which are critical for encrypted network communications and distributed filesystems, respectively. Organizations are advised to monitor vendor security advisories closely as patches become available Dark Reading.

The emergence of Dirty Frag highlights the persistent risk posed by logic flaws within the Linux kernel's memory management subsystems. Because this exploit chain bypasses previous mitigations and operates reliably without triggering system instability, it represents a significant escalation in the threat landscape for enterprise Linux environments. Security teams should prioritize patching as soon as vendor updates are released to mitigate the risk of unauthorized root access Dark Reading.

Synthesized by Vypr AI