Dirty Frag

2 CVEsstable

Two Linux kernel vulnerabilities in the xfrm/ESP and RxRPC subsystems allow an unprivileged local attacker to overwrite arbitrary bytes in root-owned files in the page cache to achieve local privilege escalation.

Details

Write-up
https://github.com/V4bel/dirtyfrag
CVEs
CVE-2026-43284 CVSS 8.8
CVE-2026-43500 CVSS 7.8
Author
Hyunwoo Kim
Introduced
cac2661c53f3
Patch
f4c50a4034e6
Releases
5.10.256, 5.15.206, 6.1.172, 6.6.139, 6.12.88, 6.18.29

Timeline

  1. RxRPC vulnerability reported to the Linux kernel security team, patch posted to netdev mailing list[4]
  2. xfrm-ESP vulnerability also reported[1]
  3. Kuan-Ting Chen submitted a SKBFL_SHARED_FRAG-based patch for CVE-2026-43284 to netdev[2]
  4. CVE-2026-43284 fix merged into the netdev tree, details submitted to linux-distros with a 5-day embargo
  5. Embargo broken by unrelated third-party publication, full Dirty Frag writeup and PoC released publicly[3]
  6. ESP fix merged into mainline, CVE-2026-43284 assigned
  7. CVE-2026-43500 assigned
  8. RxRPC fix merged into mainline

Mitigation

Blacklist affected modules and clear the page cache

IPsec and AFS/OpenAFS connectivity will be lost, which won't be an issue for normal desktop users.

printf 'install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
' > /etc/modprobe.d/dirtyfrag.conf
rmmod esp4 esp6 rxrpc 2>/dev/null
echo 3 > /proc/sys/vm/drop_caches

Sources

  1. https://lore.kernel.org/all/afLDKSvAvMwGh7Fy@v4bel/
  2. https://lore.kernel.org/all/20260504073403.38854-1-h3xrabbit@gmail.com/
  3. https://github.com/V4bel/dirtyfrag
  4. https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/

History