LmCast :: Stay tuned in

'Dirty Frag' Exploit Poised to Blow Up on Enterprise Linux Distros

Recorded: May 11, 2026, 6 p.m.

Original

The privilege escalation vulnerability, which is similar to other Linux flaws like Copy Fail and Dirty Pipe, may already be under limited exploitation.

Elizabeth Montalbano, Contributing Writer
May 11, 2026

Source: Valerly Kachaev via Alamy Stock Photo

A public exploit is available for a nine-year-old vulnerability in the Linux kernel that paves the way for root privilege escalation. The flaw, which is actually two vulnerabilities chained together, is in the same class as the previously discovered Linux flaws Dirty Pipe and Copy Fail, but affects a different kernel data structure than those issues.

Security researcher Hyunwoo Kim disclosed the flaw, dubbed "Dirty Frag," and published a proof-of-concept (PoC) exploit last week on X. The vulnerability affects a wide range of Linux distributions, including Ubuntu, Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora, none of which are fully patched yet.

In fact, there are signs that Dirty Frag is already under limited exploitation, although it is unclear whether attackers targeted Dirty Frag or Copy Fail, according to the Microsoft Defender Security Research Team. "Microsoft Defender is currently seeing limited in-the-wild activity where privilege escalation involving 'su' is observed, and which may be indicative of techniques associated with either 'Dirty Frag' or 'Copy Fail,'" read a blog post published Friday by the team.

Exploiting the flaw allows an attacker to modify protected system files in memory without authorization, leading to privilege escalation on a compromised system.
The two flaws that comprise Dirty Frag are tracked as CVE-2026-43284 and CVE-2026-43500, both of which were assigned CVSS scores of 7.8 and a severity impact of "Important" by Red Hat. According to a GitHub post by Kim, who goes by the handle "V4bel," Dirty Frag works by chaining two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability, to modify protected system files in memory without authorization and achieve privilege escalation.

Expands Scope of Previous Linux Kernel Bugs

It was in fact the Copy Fail flaw that first inspired Kim to explore the research that led to the discovery of Dirty Frag, he said in the GitHub post. Dirty Frag not only affects a different part of the Linux kernel than Copy Fail or Dirty Pipe, it also has a broader scope and thus is likely more dangerous, he said. "In particular, xfrm-ESP Page-Cache Write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail," he explained, adding that it also extends Dirty Pipe's and Copy Fail's bug class. This is "because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high," he wrote.

This also means that even if organizations have applied the Copy Fail mitigation, "your Linux is still vulnerable to 'Dirty Frag,'" Kim posted on X. He tested the Dirty Frag exploit successfully on the following Linux systems and kernel builds:

- Ubuntu 24.04.4: 6.17.0-23-generic
- RHEL 10.1: 6.12.0-124.49.1.el10_1.x86_64
- openSUSE Tumbleweed: 7.0.2-1-default
- CentOS Stream 10: 6.12.0-224.el10.x86_64
- AlmaLinux 10: 6.12.0-124.52.3.el10_1.x86_64
- Fedora 44: 6.19.14-300.fc44.x86_64

How Dirty Frag Works

Red Hat last week acknowledged the discovery of Dirty Frag and the publication of an exploit in an advisory that described the technical aspects of the issue.
The flaw "refers to two distinct issues in the IPsec ESP (esp4/esp6) and rxrpc modules" in the Linux kernel, according to Red Hat. IPsec provides encrypted network communication and is commonly used for VPNs and site-to-site tunnels, while the rxrpc module implements the RxRPC protocol, which underpins the Andrew File System (AFS), a distributed network filesystem.

Dirty Frag, like Dirty Pipe and Copy Fail, involves weaknesses in the Linux kernel's handling of page-cache memory writes. The kernel keeps file contents in RAM in the page cache for speed, and certain kernel subsystems also perform "in-place" cryptographic or networking operations on those cached pages. Dirty Frag abuses flaws in those page-cache operations, letting attackers improperly modify memory-backed data structures, according to Kim. Those writes can be leveraged to alter protected system data and escalate privileges to root.

The Linux Kernel Organization released patches to fix CVE-2026-43284 on Friday, which defenders are urged to apply quickly; however, patches for CVE-2026-43500 are not yet available. Red Hat and the maintainers of other major Linux distros are readying their own fixes for Dirty Frag. Red Hat is expediting the release of fixes, according to its advisory, while Canonical said a fix will be distributed through Ubuntu's Linux kernel image packages, according to a blog post published Friday. SUSE Linux administrators also said they are preparing kernel updates and livepatches to address the issue.

Don't Hesitate, Mitigate

In the meantime, there are a number of steps that enterprises running affected versions of Linux can take to mitigate Dirty Frag.
Those mitigations include disabling unused rxrpc kernel modules where operationally possible; assessing whether esp4, esp6, and related xfrm/IPsec functionality can be temporarily disabled safely; restricting unnecessary local shell access; hardening containerized workloads; and increasing monitoring for abnormal privilege escalation activity, according to Microsoft Defender.

Moreover, "any hardening measures that limit local access help reduce the risk of exploitation," according to Red Hat, including disabling SSH, ensuring SELinux is in enforcing mode, using the default Security Context Constraints (SCC), running workloads as non-root, and restricting "oc debug" access to trusted cluster administrators. Still, disabling any single access method does not eliminate all other means by which a user could gain local access, according to Red Hat. That means affected organizations should also prioritize kernel patch deployment as soon as the appropriate vendors or distribution maintainers release fixes.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
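The mitigation checklist from the "Don't Hesitate, Mitigate" section above, turned into a host audit script. This is an added example, not code from the article, from Kim, Red Hat or Microsoft: it reports which of the affected kernel modules are loaded, whether SELinux is enforcing, and prints the modprobe drop-in and auditd rules an operator would deploy to block the modules and watch for su-based privilege escalation. The module names rxrpc, esp4 and esp6 come from the article; the sample lsmod output, the drop-in file name, the rule file name and the audit keys are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or any vendor advisory). Audits the
# host-level Dirty Frag mitigations the article lists and prints the
# configuration that implements them. Module names come from the article;
# the sample lsmod output, file names and audit keys below are made up.

# Modules the article names: rxrpc (RxRPC/AFS transport) and the IPsec ESP
# modules esp4 and esp6. xfrm_* modules are related IPsec infrastructure and
# are reported separately so an operator can judge whether IPsec is in use.
DF_MODULES="rxrpc esp4 esp6"

# Constructed lsmod output for offline use (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
rxrpc                 786432  1 kafs
esp4                   32768  0
xfrm_user              61440  1
nf_tables             327680  0'

# loaded_df_modules: read lsmod output on stdin and print the affected
# modules that are currently loaded, one per line, in DF_MODULES order.
loaded_df_modules() {
    # Skip the header line; the first column is the module name.
    loaded=$(awk 'NR > 1 { print $1 }')
    for m in $DF_MODULES; do
        for l in $loaded; do
            [ "$l" = "$m" ] && echo "$m"
        done
    done
    return 0
}

# loaded_xfrm_modules: print any loaded xfrm_* modules (a sign IPsec is used).
loaded_xfrm_modules() {
    awk 'NR > 1 && $1 ~ /^xfrm/ { print $1 }'
}

# modprobe_block_conf: print a modprobe.d drop-in for the given modules.
# "blacklist" only stops alias-based autoloading; "install <mod> /bin/false"
# makes an explicit modprobe fail as well, which is what a mitigation needs.
modprobe_block_conf() {
    for m in "$@"; do
        echo "blacklist $m"
        echo "install $m /bin/false"
    done
}

# selinux_ok: succeed only when getenforce reported "Enforcing", the mode
# Red Hat lists among the hardening steps that limit local access.
selinux_ok() {
    [ "$1" = "Enforcing" ]
}

# audit_rules: auditd rules for the behaviour Microsoft described
# (privilege escalation involving su): every exec of su, and any execve that
# runs as root from a session whose login uid is an ordinary user. Legitimate
# sudo use also matches the second rule; triage on the key in the SIEM.
audit_rules() {
    echo "-w /usr/bin/su -p x -k df_su_exec"
    echo "-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k df_root_exec_by_user"
}

# audit_host: run the checks against the live system. Falls back to the
# constructed sample when lsmod is unavailable so the script runs anywhere.
audit_host() {
    if command -v lsmod >/dev/null 2>&1; then
        mods=$(lsmod)
    else
        mods=$SAMPLE_LSMOD
        echo "(lsmod not found; using constructed sample output)"
    fi
    echo "== affected modules loaded =="
    printf '%s\n' "$mods" | loaded_df_modules
    echo "== xfrm modules loaded (IPsec in use?) =="
    printf '%s\n' "$mods" | loaded_xfrm_modules
    echo "== SELinux =="
    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce)
        if selinux_ok "$mode"; then echo "ok: $mode"; else echo "WARN: $mode"; fi
    else
        echo "getenforce not found"
    fi
    echo "== suggested /etc/modprobe.d/dirty-frag-mitigation.conf =="
    modprobe_block_conf $DF_MODULES
    echo "== suggested /etc/audit/rules.d/dirty-frag.rules =="
    audit_rules
}

# Usage: sh dirty-frag-audit.sh run   (file name is an assumption)
if [ "${1:-}" = "run" ]; then
    audit_host
fi
```

Blocking esp4/esp6 breaks every IPsec tunnel on the host, which is why the article frames that step as an assessment rather than a default; run the audit first, confirm no xfrm modules are in use, and only then install the drop-in. The audit rules are a detection aid, not a control: they make a successful escalation visible, they do not stop it.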
Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget.

Summarized

The vulnerability, dubbed "Dirty Frag," poses a significant risk to enterprise Linux distributions, including Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora. The flaw, disclosed by Hyunwoo Kim (V4bel), chains two kernel vulnerabilities, CVE-2026-43284 and CVE-2026-43500, both involving page-cache memory writes in the IPsec ESP (esp4/esp6) and rxrpc modules. Kim's proof-of-concept exploit, now publicly available, lets a local attacker modify protected system files in memory without authorization and escalate to root. Because the chain relies on a deterministic logic bug rather than a race, it needs no timing window, does not panic the kernel when it fails, and succeeds at a very high rate; hosts that applied the Copy Fail mitigation remain vulnerable. The Copy Fail flaw initially inspired Kim's research, and Dirty Frag extends the bug class of Copy Fail and Dirty Pipe. Red Hat has acknowledged the vulnerability and rated both CVEs 7.8 (Important); the Linux Kernel Organization has released a fix for CVE-2026-43284, while a fix for CVE-2026-43500 is still pending and distributions are preparing their own kernel updates. Microsoft Defender Security Research has observed limited in-the-wild privilege escalation involving 'su' that may involve Dirty Frag or Copy Fail. Mitigations include disabling unused rxrpc modules, assessing whether esp4/esp6 and related xfrm/IPsec functionality can be disabled, restricting local shell access, running SELinux in enforcing mode, hardening containerized workloads, increasing monitoring for abnormal privilege escalation, and prioritizing kernel patch deployment. Given the flaw's scope and reliability, rapid adoption of the security updates is critical for affected organizations.