Dirty Frag
Two Linux kernel vulnerabilities in the xfrm/ESP and RxRPC subsystems allow an unprivileged local attacker to overwrite arbitrary bytes in root-owned files in the page cache to achieve local privilege escalation.
Details
- Write-up
- https://github.com/V4bel/dirtyfrag
- CVEs
- CVE-2026-43284 CVSS 8.8
- CVE-2026-43500 CVSS 7.8
- Author
- Hyunwoo Kim
- Introduced
- cac2661c53f3
- Patch
- f4c50a4034e6
- Releases
- 5.10.256, 5.15.206, 6.1.172, 6.6.139, 6.12.88, 6.18.29
Timeline
- RxRPC vulnerability reported to the Linux kernel security team, patch posted to netdev mailing list[4]
- xfrm-ESP vulnerability also reported[1]
- Kuan-Ting Chen submitted a
SKBFL_SHARED_FRAG-based patch for CVE-2026-43284 to netdev[2] - CVE-2026-43284 fix merged into the netdev tree, details submitted to linux-distros with a 5-day embargo
- Embargo broken by unrelated third-party publication, full Dirty Frag writeup and PoC released publicly[3]
- ESP fix merged into mainline, CVE-2026-43284 assigned
- CVE-2026-43500 assigned
- RxRPC fix merged into mainline
Mitigation
Blacklist affected modules and clear the page cache
IPsec and AFS/OpenAFS connectivity will be lost, which won't be an issue for normal desktop users.
printf 'install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
' > /etc/modprobe.d/dirtyfrag.conf
rmmod esp4 esp6 rxrpc 2>/dev/null
echo 3 > /proc/sys/vm/drop_cachesSources
- https://lore.kernel.org/all/afLDKSvAvMwGh7Fy@v4bel/
- https://lore.kernel.org/all/20260504073403.38854-1-h3xrabbit@gmail.com/
- https://github.com/V4bel/dirtyfrag
- https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/