VYPR
patch · Published May 11, 2026 · Updated May 18, 2026 · 1 source

Dirty Frag: Two Chained Linux Kernel Flaws Enable Local Privilege Escalation to Root

Two chained Linux kernel vulnerabilities, collectively dubbed 'Dirty Frag,' allow local privilege escalation to root on all major distributions after the disclosure embargo was broken.

Two chained Linux kernel vulnerabilities, collectively dubbed 'Dirty Frag,' have been disclosed after the disclosure embargo was broken, allowing local privilege escalation to root on all major distributions. The flaws were discovered by independent security researcher Hyunwoo Kim in late April 2026 and were inspired by a similar vulnerability called 'Copy Fail' (CVE-2026-31431), found earlier by Taeyang Lee of Theori. Kim contacted the Linux kernel security team on April 30, but on May 8 he publicly released details after the embargo was broken, stating, "After consultation with the Linux distributions maintainers, and at the maintainers' request, I am publicly releasing this Dirty Frag document."

The first vulnerability, tracked as CVE-2026-43284, is a write-what-where condition in the xfrm-ESP (IPsec) subsystem of the Linux kernel, exploitable since 2017. It carries a CVSS score of 8.8 and allows an attacker to write an arbitrary value to an arbitrary kernel memory location. The second, CVE-2026-43500, is an out-of-bounds write in the RxRPC subsystem, exploitable since 2023, with a CVSS score of 7.8. When chained together, these flaws enable an unprivileged local attacker to gain root privileges on any major Linux distribution.

Kim also published a proof-of-concept (PoC) exploit for Dirty Frag. In a blog post on May 8, the Microsoft Defender Security Research Team reported "limited in-the-wild activity" involving privilege escalation via 'su' that may be linked to either Dirty Frag or Copy Fail. The researchers believe Dirty Frag could be exploited through various intrusion paths, including compromised SSH accounts, web-shell access on internet-facing applications, container escapes, low-privileged service accounts, and post-exploitation activity following phishing or remote-access compromise.

Linux distribution maintainers are rushing to release patches for both CVEs. As a temporary mitigation, Kim recommends disabling the vulnerable kernel modules by running the following command, which writes `install` directives that stop esp4, esp6 and rxrpc from being loaded in future and then unloads any copies that are already loaded: `sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"`. Google Cloud-owned Wiz also published mitigation steps, including assessing operational impact (disabling esp4/esp6 may break IPsec, disabling rxrpc may impact AFS environments), applying patches promptly, hardening local access paths, monitoring for suspicious activity, and performing post-mitigation cleanup if compromise is suspected.
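The interim mitigation above only holds if the three modules are both unloaded now and blocked from autoloading later. The following audit helper is an added example, not part of the advisory or of Kim's script: it checks both conditions, assuming the loaded-module list is at /proc/modules and the blocklist at /etc/modprobe.d/dirtyfrag.conf (both paths are parameters so the checks also run against constructed files).

```shell
#!/bin/sh
# Audit helper (added example, not from the advisory): reports whether the Dirty Frag
# interim mitigation is in place. Assumed default paths: /proc/modules for the
# loaded-module list and /etc/modprobe.d/dirtyfrag.conf for the blocklist.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Print the vulnerable modules that are currently loaded (space separated).
# Returns 0 when none of them is loaded.
dirtyfrag_loaded() {
  modfile="${1:-/proc/modules}"
  found=""
  for m in $DIRTYFRAG_MODULES; do
    # /proc/modules lines begin with "<name> <size> <refcount> ..."
    if grep -q "^$m " "$modfile" 2>/dev/null; then
      found="$found $m"
    fi
  done
  echo "${found# }"
  [ -z "$found" ]
}

# Print the vulnerable modules that lack an "install <mod> /bin/false" line in the
# modprobe.d config, i.e. that could still be autoloaded. Returns 0 when all are blocked.
dirtyfrag_unblocked() {
  conf="${1:-/etc/modprobe.d/dirtyfrag.conf}"
  missing=""
  for m in $DIRTYFRAG_MODULES; do
    if ! grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false" "$conf" 2>/dev/null; then
      missing="$missing $m"
    fi
  done
  echo "${missing# }"
  [ -z "$missing" ]
}

# "mitigated" only when nothing vulnerable is loaded AND every module is blocked from
# loading again; otherwise "unmitigated" with the reasons. Returns 1 when unmitigated.
dirtyfrag_status() {
  loaded=$(dirtyfrag_loaded "$1" || true)       # "|| true" keeps set -e callers alive
  missing=$(dirtyfrag_unblocked "$2" || true)
  if [ -z "$loaded" ] && [ -z "$missing" ]; then
    echo "mitigated"
    return 0
  fi
  echo "unmitigated${loaded:+ loaded:$loaded}${missing:+ unblocked:$missing}"
  return 1
}
```

Run `dirtyfrag_status` with no arguments to audit the live host. Note that the `install` directive and /proc/modules only cover loadable modules; if a kernel has esp4, esp6 or rxrpc compiled in (listed in /lib/modules/$(uname -r)/modules.builtin), this check reports nothing loaded while the code is still present, and only a patched kernel removes the exposure.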

The Dirty Frag vulnerabilities highlight the ongoing challenge of securing the Linux kernel against local privilege escalation flaws. The broken embargo and rushed patches underscore the pressure on maintainers to address critical vulnerabilities quickly. With in-the-wild activity possibly linked to these flaws, organizations should prioritize patching and implementing mitigations to protect their Linux systems.

Synthesized by Vypr AI