Dirty Frag (dirtyfrag.tech)
CVE-2026-43284 · CVE-2026-43500 · Reviewed

Dirty Frag — Linux kernel local privilege escalation

Pair of flaws in networking paths (xfrm ESP, RxRPC) that can underpin local escalation on affected kernels. CVSS, CWE, and CPE identifiers are authoritative on NVD.

At a glance

  • Attack surface: Local (typically AV:L / PR:L in published vectors). Assume risk grows where untrusted workloads get code execution on the host—not anonymous WAN-to-root spraying.
  • First fix: Install the security-maintained kernel or package set your vendor assigned to CVE-2026-43284 and CVE-2026-43500 (Respond, Distros).
  • Verify: Confirm that the running kernel's lineage matches the advisory tables, using the checks on Detect.
  • Temporary controls: Module-level mitigations referenced by CERTs/vendors (esp4, esp6, rxrpc) can break IPsec VPNs and RxRPC/AFS traffic—treat as a change-managed trade-off.
  • Mechanism depth: Read per-CVE pages and Technical for researcher-sourced narrative (no exploit walkthroughs here).

Recommended reading order: Respond, Distros, Detect, then Technical if you still need background.

Pick your starting point

Operations & SOC

Ship vendor kernels fast; defer risky module hacks unless approved.

  1. Apply your vendor kernel fixes for CVE-2026-43284 and CVE-2026-43500 using maintainer timelines in Respond and linked trackers.
  2. Shortcut to distro trackers via Distros overview.
  3. CCCS bulletin AL26-011 for national-context wording.

Security engineering

Mechanisms, commits, and researcher FAQs—without exploit steps.

See Technical for chain rationale, Dirty Pipe / Copy Fail context, cited maintainer commits—without exploit walkthroughs.

Proof-of-concept source is referenced only through github.com/V4bel/dirtyfrag for authorized environments.

Compliance & evidence

Immutable references for filings and ticket citations.

  • Timeline — oss-security / NVD milestones.
  • Sources — NVD, CERT, distro portals.
  • About — disclaimer scope.

CVE snapshot

Detailed wording remains on each CVE page and NVD; refresh after enrichment updates.

Field | CVE-2026-43284 | CVE-2026-43500
Subsystem | xfrm ESP input / UDP splice skb fragments | RxRPC DATA / RESPONSE handlers
CWE (NVD) | CWE-123 (per CISA-ADP listing) | CWE-787
CVSS 3.1 (publishers) | CNA kernel.org 8.8 HIGH vs CISA-ADP 7.8 HIGH — verify on NVD | NIST / CISA-ADP 7.8 HIGH — verify on NVD
Where to confirm coverage (both CVEs) | Audit each CVE separately: inspect CPE configuration data on CVE-2026-43284 and CVE-2026-43500 NVD listings, then reconcile your fleet against distribution security trackers on the Distros page.

Jump to: Respond · Distros · Detect · Sources

Administrators

Is Dirty Frag exploitable over the network without local access?
Public CVE metrics classify these issues as local attack vector (AV:L). An attacker still needs a path to execute code or interact with vulnerable kernel paths—see NVD.
Do I already need root to exploit Dirty Frag?
CVSS lists PR:L—concern is escalation from a low-privileged local session. Confirm vectors on each CVE record before governance reporting.
Will disabling kernel modules fully mitigate everyone?
Only when ESP/IPsec and RxRPC-backed workloads are genuinely unused and your risk owners approve outages. Prefer patched kernels from your vendor.
Do containers isolate hosts from Dirty Frag?
Containers share the host kernel—patch nodes and golden images according to distro guidance.
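
The outage risk behind the module-level controls (esp4, esp6, rxrpc) in At a glance and the module FAQ answer above can be measured before a change request is filed. This is an added example, not code from the advisories or the researcher; it reads the /proc/modules format, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: impact check before blocking the modules named on this page.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Constructed sample in /proc/modules format:
#   name size refcount dependants state address
sample_proc_modules() {
    cat <<'EOF'
rxrpc 413696 0 - Live 0x0000000000000000
esp4 28672 1 esp4_offload, Live 0x0000000000000000
xfrm_user 61440 2 - Live 0x0000000000000000
EOF
}

# module_status MODULES_FILE MODULE
# Prints: absent | idle | unknown | in-use:<refcount>:<dependants>
module_status() {
    awk -v m="$2" '
        $1 == m {
            found = 1
            deps = $4; sub(/,$/, "", deps)
            if ($3 == "-") print "unknown"      # kernel built without module unload
            else if ($3 == "0") print "idle"    # loaded, nothing holds a reference
            else print "in-use:" $3 ":" deps
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# assess MODULES_FILE [BUILTIN_FILE]
# One line per module; returns 1 when blocking a module needs review first
# (referenced, refcount unknown, or compiled into the kernel image).
assess() {
    rc=0
    for m in $DIRTYFRAG_MODULES; do
        s=$(module_status "$1" "$m")
        # Built-in code is listed in modules.builtin and cannot be blocked as a module.
        if [ "$s" = absent ] && [ -r "${2:-}" ] && grep -q "/$m\.ko\$" "$2"; then
            s=builtin
        fi
        printf '%s %s\n' "$m" "$s"
        case $s in in-use:*|unknown|builtin) rc=1 ;; esac
    done
    return $rc
}

# Live host: read the running kernel's module list, never fail the shell.
if [ -r /proc/modules ]; then
    assess /proc/modules "/lib/modules/$(uname -r)/modules.builtin" || true
fi
```

A module reported as idle or absent can still be loaded on demand later, so the output is input for the change review, not proof that IPsec or RxRPC/AFS is unused.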

Technical readers

Why are CVE-2026-43284 and CVE-2026-43500 chained?
Summarized from researcher disclosure (V4bel/dirtyfrag): distributions diverge on namespaces/AppArmor defaults versus where rxrpc.ko ships or loads—pairing variants improves coverage across maintained distros. Full narrative on Technical.
How does Dirty Frag relate to Copy Fail?
Research notes Copy Fail motivated this line of work and contrasts sink overlap versus algif-based mitigations—treat vendor kernels as source of truth and read Technical.
Why is it called "Dirty Frag"?
Informal researcher naming tied to Dirty Pipe lineage and skb fragment handling—not a CVE authority term.