Dirty Frag: Linux Kernel LPE Chain with Public Exploit and Active Attacks

A week after Copy Fail (CVE-2026-31431), researcher Hyunwoo Kim disclosed a second Linux kernel local privilege escalation chain. Microsoft confirmed active in-the-wild exploitation the same day patches for the first component arrived. This is not a theoretical vulnerability. Patch now or blacklist the affected modules.

What Dirty Frag actually does

Dirty Frag is a chain of two kernel bugs: CVE-2026-43284 in the IPsec ESP receive path (esp4 and esp6), and CVE-2026-43500 in the rxrpc authentication path. When chained, they allow an unprivileged local user to corrupt page-cache-backed system files that are later executed with root privileges, without writing anything to disk.

The mechanism is the in-place decryption path of esp4, esp6, and rxrpc. When the receive path decrypts over paged buffers not privately owned by the kernel, such as pipe pages reaching the socket via splice() or sendfile(), unprivileged processes can retain references to the resulting plaintext. This produces a write primitive into the page cache that the public proof-of-concept exploit turns into root access in a single command.

Unlike many Linux local privilege escalation techniques that depend on narrow timing windows or unstable corruption conditions, Dirty Frag is designed for reliability. Researcher Hyunwoo Kim confirmed that the chain yields root on Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, and openSUSE Tumbleweed.

CVE-2026-43284 vs CVE-2026-43500: not the same bug

CVE-2026-43284 covers the esp4 and esp6 half. The vulnerable code was introduced in January 2017. A patch was merged into the upstream netdev tree on May 7 and formally released on May 8, 2026.

CVE-2026-43500 covers rxrpc. The vulnerable code was introduced in June 2023. As of May 9, 2026, an upstream patch is not yet published. CVE-2026-43500 is reserved in NVD but the fix is still pending.

If you patch CVE-2026-43284 today, you close one leg of the chain. CVE-2026-43500 remains open until the rxrpc fix ships. The public proof-of-concept exploit uses both legs, but the ESP half alone provides a viable primitive on systems with rxrpc disabled.

Active exploitation confirmed by Microsoft

The Microsoft Defender Security Research Team published its findings on May 8, 2026. Microsoft is actively monitoring related activity and notes that the vulnerability may be leveraged after initial compromise through SSH access, web-shell execution, container escape, or compromise of a low-privileged account. The blog post is marked as an ongoing investigation and will be updated as new details emerge.

Microsoft Defender Antivirus signatures cover this as Exploit:Linux/DirtyFrag.A, Exploit:Linux/DirtyFrag.B, and several Trojan:Linux/DirtyFrag variants.

Who is at risk

You are within the blast radius if any of your Linux hosts have any of the following enabled: IPsec VPN tunnels using esp4 or esp6, rxrpc (used primarily by the AFS distributed filesystem), or kernel networking components that load these modules automatically.

Enterprise environments running OpenShift or containerized workloads on Linux hosts are also at risk because the exploit can be triggered inside a container and escape to the host if the kernel modules are loaded.

What to do right now

Apply the CVE-2026-43284 patch from your distribution vendor as the first priority. CloudLinux, AlmaLinux, Ubuntu, and RHEL have all published advisories with KernelCare or standard kernel updates.

If you cannot patch immediately, blacklist the esp4, esp6, and rxrpc kernel modules to prevent loading, and unload them if they are currently active. The command sequence to do this safely is in the Microsoft Security Blog and in each distribution's advisory. Where IPsec VPNs carry production traffic, verify the impact before applying this mitigation; do not apply it blindly.

After applying the mitigation, verify that critical system files have not already been tampered with. Cache clearing is an option but carries I/O performance implications in production environments.
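As an added example (not the command sequence from the Microsoft Security Blog or any vendor advisory), the following POSIX shell functions check whether esp4, esp6 or rxrpc are loaded, write a modprobe.d drop-in that blocks them, unload them, and run the package manager's file verification. The lsmod text and the modprobe.d directory are parameters so the checks can be exercised against constructed input, and the file name dirty-frag-mitigation.conf is this example's own choice.

```shell
# Added example, not from the Microsoft blog or a vendor advisory. Functions take
# lsmod text / a modprobe.d directory so they can be tried on constructed input;
# omit the arguments to act on the running host.

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Print each Dirty Frag module present in lsmod output (first column only, so
# a module named in the "Used by" column is not a false match).
# $1: lsmod text; empty means run lsmod now.
loaded_dirty_frag_modules() {
    out="$1"
    [ -n "$out" ] || out="$(lsmod 2>/dev/null || true)"
    for m in $DIRTY_FRAG_MODULES; do
        printf '%s\n' "$out" | awk -v mod="$m" '$1 == mod { found = 1 } END { exit !found }' \
            && printf '%s\n' "$m"
    done
    return 0
}

# Write a modprobe.d drop-in. "blacklist" only stops alias-based autoload;
# "install <mod> /bin/false" also blocks explicit modprobe/insmod requests.
# $1: modprobe.d directory (default /etc/modprobe.d). Prints the file written.
write_dirty_frag_blacklist() {
    dir="${1:-/etc/modprobe.d}"
    conf="$dir/dirty-frag-mitigation.conf"   # file name is this example's choice
    {
        printf '# Temporary mitigation for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag)\n'
        for m in $DIRTY_FRAG_MODULES; do
            printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
        done
    } > "$conf"
    printf '%s\n' "$conf"
}

# Unload whichever of the modules is loaded. modprobe -r refuses while the module
# is in use (an active IPsec SA holds esp4/esp6): check dependants on VPN hosts.
unload_dirty_frag_modules() {
    for m in $(loaded_dirty_frag_modules "$1"); do
        modprobe -r "$m" || printf 'could not unload %s (still in use?)\n' "$m" >&2
    done
}

# Compare installed package files against the package manager's recorded
# digests; unexpected mismatches on root-executed binaries warrant a closer look.
verify_system_files() {
    if command -v rpm >/dev/null 2>&1; then rpm -Va
    elif command -v debsums >/dev/null 2>&1; then debsums -c
    else printf 'neither rpm nor debsums is available\n' >&2; return 2; fi
}
```

If esp4, esp6 or rxrpc are built into the kernel rather than loadable modules (see /lib/modules/$(uname -r)/modules.builtin), the drop-in has no effect and only the vendor patch closes the exposure.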

For cloud and container environments: treat any SSH login followed immediately by execution of an unknown ELF binary as a potential Dirty Frag exploitation attempt and investigate the full session timeline.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you need help assessing your Linux environment's exposure or reviewing your vulnerability management cadence.