Dirty Frag (dirtyfrag.tech)

Research attribution: Hyunwoo Kim (@v4bel), github.com/V4bel/dirtyfrag

Technical overview

This page summarizes non-weaponized aspects of Dirty Frag useful to defenders and reviewers. Canonical vulnerability text remains on NVD; exploit source code or compile commands appear only in the researcher repository linked above—never run PoCs outside legally authorized scopes.

What is being chained?

Dirty Frag publicly refers to chaining xfrm-ESP page-cache interaction (CVE-2026-43284) with RxRPC page-cache interaction (CVE-2026-43500) to achieve local privilege escalation on broadly deployed kernels. Research documentation emphasizes deterministic logic flaws rather than timing races—confirm specifics against kernel patches and distributor analyses.

Why chain two primitives?

Per the researcher README FAQ: distributions diverge on policies around unprivileged user namespaces versus availability of rxrpc.ko. Pairing ESP-centric and RxRPC-centric variants reduces scenarios where a single hardening decision neutralizes exploitation entirely—validate each fleet image independently rather than assuming parity across Ubuntu, RHEL, Fedora, etc.

Relationship to Dirty Pipe / Copy Fail lineage

Disclosure positions Dirty Frag alongside Dirty Pipe-like bug classes and cites Copy Fail as motivating research: the two overlap in their sink concepts but differ in trigger prerequisites, so the algif-focused mitigations applied for Copy Fail do not cover Dirty Frag. Operational takeaway: absence of one mitigation does not prove safety against Dirty Frag; patch kernels via the vendor channels listed on Respond.

Maintainer commits cited by researchers

README excerpts reference mainline commits f4c50a4034e6 (ESP/xfrm fix) and aa54b1d27fe0 (RxRPC fix). Always reconcile shortened hashes with full stable-series commits listed on NVD References before auditing custom kernels.

Version framing (researcher-tested vs authoritative coverage)

Disclosures enumerate distributions exercised during validation (Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, etc.). Treat those rows as samples; authoritative affected-product ranges belong to NVD CPE data and each distributor's tracker linked from Distros.

Emergency mitigation posture (high-level)

Research documentation illustrates unloading esp4, esp6, and rxrpc alongside cache-drop workflows when patching is temporarily impossible. Expect outages for IPsec VPNs and RxRPC-dependent workloads (including common Kerberos/AFS integrations). Operators must coordinate through change management—copy/pasting mitigation scripts without stakeholder review is discouraged; follow vendor-equivalent guidance on Respond.
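As an added illustration of the pre-change check an operator would run before the module unloading described above (example code written for this page, not from the researcher repository), the script below reads /proc/modules and reports which of esp4, esp6 and rxrpc are loaded and which loaded modules hold references to them. The optional file-path argument and the DIRTYFRAG_MODULES variable name are this example's own assumptions so the logic can be exercised on a captured copy of /proc/modules.

```shell
#!/bin/sh
# Read-only exposure check for the modules named in the mitigation posture
# (esp4, esp6, rxrpc). Added example; not from the dirtyfrag repository.
# Parses /proc/modules (fields: name size refcount users state address) and
# reports, per module, whether it is loaded and which modules reference it,
# so operators can see what an unload would break before a change-managed
# action. It unloads nothing.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# module_status NAME [PATH] -> "loaded refcount=N users=LIST" or "not-loaded"
# PATH defaults to /proc/modules; a file path is accepted so the logic can be
# exercised on captured samples.
module_status() {
    _name=$1
    _modfile=${2:-/proc/modules}
    _line=$(awk -v n="$_name" '$1 == n { print; exit }' "$_modfile" 2>/dev/null)
    if [ -z "$_line" ]; then
        printf 'not-loaded\n'
        return 0
    fi
    set -- $_line
    # field 3 is the reference count, field 4 the comma-separated users ("-" if none)
    printf 'loaded refcount=%s users=%s\n' "$3" "$4"
}

# loaded_count [PATH] -> how many of the three modules are currently loaded
loaded_count() {
    _n=0
    for _m in $DIRTYFRAG_MODULES; do
        case $(module_status "$_m" "$1") in
            loaded*) _n=$((_n + 1)) ;;
        esac
    done
    printf '%s\n' "$_n"
}

# report [PATH] -> one line per module, then a summary line
report() {
    for _m in $DIRTYFRAG_MODULES; do
        printf '%-6s %s\n' "$_m" "$(module_status "$_m" "$1")"
    done
    printf 'summary: %s of 3 modules loaded\n' "$(loaded_count "$1")"
}

# Run against the live kernel only when /proc/modules is readable.
if [ -r /proc/modules ]; then
    report
fi
```

A non-empty users list (for example rxkad or afs on rxrpc) is the set of workloads that will lose the module if it is unloaded, which is the outage the text warns about.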

Naming note

“Dirty Frag” is informal branding describing skb fragment manipulation. Contracts, filings, and scanner mappings should reference CVE IDs—not the nickname alone.