A public exploit is available for a nine-year-old vulnerability that affects the Linux kernel, paving the way for root privilege escalation. The flaw, which is actually two vulnerabilities chained together, is in the same class as the previously discovered Linux flaws Dirty Pipe and Copy Fail but affects a different kernel data structure than those issues.
Security researcher Hyunwoo Kim disclosed the flaw, dubbed “Dirty Frag,” and published a proof of concept (PoC) exploit last week on X. The vulnerability affects a wide range of Linux distributions, including Ubuntu, Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora — none of which are fully patched yet.
In fact, there are signs Dirty Frag already is under limited exploitation, although it’s unclear if attackers targeted Dirty Frag or Copy Fail, according to the Microsoft Defender Security Research Team. “Microsoft Defender is currently seeing limited in-the-wild activity where privilege escalation involving ‘su’ is observed, and which may be indicative of techniques associated with either ‘Dirty Frag’ or ‘Copy Fail,’” read a blog post published Friday by the team.
Exploiting the flaw allows for modification of protected system files in memory without authorization, leading to privilege escalation on a compromised system. The two flaws that comprise Dirty Frag are tracked as CVE-2026-43284 and CVE-2026-43500, both of which were assigned 7.8 CVSS scores and a severity impact of “Important” by Red Hat.
According to a GitHub post by Kim, who goes by the handle “V4bel,” Dirty Frag works by chaining two separate kernel flaws — the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability — to modify protected system files in memory without authorization and achieve privilege escalation.
Expands Scope of Previous Linux Kernel Bugs
It was in fact the Copy Fail flaw that first inspired Kim to explore the research that led to the discovery of Dirty Frag, he said in the GitHub post. Dirty Frag not only affects a different aspect of the Linux kernel than Copy Fail or Dirty Pipe, it also has a broader scope and thus is likely more dangerous, he said.
“In particular, xfrm-ESP Page-Cache Write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail,” he explained, adding that it also extends Dirty Pipe’s and Copy Fail’s bug class.
This is “because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high,” he wrote.
This also means that even if organizations have applied the Copy Fail mitigation, “your Linux is still vulnerable to ‘Dirty Frag,’” Kim posted on X. He tested the Dirty Frag exploit successfully on the following Linux systems: Ubuntu 24.04.4: 6.17.0-23-generic; RHEL 10.1: 6.12.0-124.49.1.el10_1.x86_64; openSUSE Tumbleweed: 7.0.2-1-default; CentOS Stream 10: 6.12.0-224.el10.x86_64; AlmaLinux 10: 6.12.0-124.52.3.el10_1.x86_64; and Fedora 44: 6.19.14-300.fc44.x86_64.
How Dirty Frag Works
Red Hat last week acknowledged the discovery of Dirty Frag and the publication of an exploit, and described the technical aspects of the issue. The flaw “refers to two distinct issues in the IPsec ESP (esp4/esp6) and rxrpc modules” in the Linux kernel, according to Red Hat.
IPsec provides encrypted network communication and is commonly used for VPNs and site-to-site tunnels, while the rxrpc module implements the RxRPC protocol, which underpins Andrew File System (AFS), a distributed network filesystem.
Dirty Frag, like Dirty Pipe and Copy Fail, involves weaknesses in the Linux kernel’s handling of page-cache memory writes. The Linux kernel keeps file contents in RAM using the page cache for speed. Certain kernel subsystems also perform “in-place” cryptographic or networking operations on those cached memory pages.
Dirty Frag abuses flaws in those page-cache operations, letting attackers improperly modify memory-backed data structures, according to Kim. Those writes can be leveraged to alter protected system data and escalate privileges to root.
The Linux Kernel Organization already released patches to fix CVE-2026-43284 on Friday, which defenders are urged to apply quickly; however, patches for CVE-2026-43500 are not yet available.
Red Hat and the administrators of other major Linux distros are readying their own fixes for Dirty Frag. Red Hat is expediting the release of fixes, according to its advisory, while Canonical Ubuntu said a fix will be distributed through Ubuntu’s Linux kernel image packages, according to a blog post published Friday. SUSE Linux administrators also said they are preparing kernel updates and livepatches to address the issue.
Don’t Hesitate, Mitigate
In the meantime, there are a number of steps that enterprises using affected versions of Linux can take to mitigate Dirty Frag. Those mitigations include disabling unused rxrpc kernel modules where operationally possible; assessing whether esp4, esp6, and related xfrm/IPsec functionality can be temporarily disabled safely; restricting unnecessary local shell access; hardening containerized workloads; and increasing monitoring for abnormal privilege escalation activity, according to Microsoft Defender.
Moreover, “any hardening measures that limit local access help reduce the risk of exploitation,” according to Red Hat, including disabling SSH, ensuring SELinux is in enforcing mode, using the default Security Context Constraints (SCC), running workloads as non-root, and restricting “oc debug” access to trusted cluster administrators.
Still, disabling any single access method does not eliminate all other means by which a user could gain local access, according to Red Hat. That means affected organizations also should prioritize kernel patch deployment as soon as the appropriate vendors or distribution administrators release them.
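One way to check the module-related mitigations above on a host, as an added example that is not taken from the article or from the Microsoft or Red Hat guidance it cites. It assumes the modules are disabled with modprobe `install` rules under /etc/modprobe.d, a mechanism the article does not specify, and the function names are illustrative.

```shell
#!/bin/sh
# Audit the interim Dirty Frag mitigations for esp4, esp6 and rxrpc:
# is each module loaded, and is modprobe configured to refuse loading it?
# File locations are parameters (defaults are the usual Linux paths) so the
# checks can also run against copies collected from other hosts.
# Assumption: only one modprobe directory is inspected; rules placed in
# other modprobe configuration directories are not seen by this script.

MODULES="esp4 esp6 rxrpc"

# Succeeds if module $1 is listed in the /proc/modules-format file $2.
is_loaded() {
    [ -r "$2" ] && awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' "$2"
}

# Succeeds if a .conf file in directory $2 has "install <module> /bin/false"
# (or /bin/true). A bare "blacklist" line does not stop an explicit modprobe
# or a load as a dependency, so this audit does not count it as blocked.
is_blocked() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "install" && $2 == m && $3 ~ /\/bin\/(false|true)$/ { f = 1 }
        END { exit !f }'
}

# Print "<module> loaded=<yes|no> blocked=<yes|no>" for each module.
audit() {
    proc_modules=${1:-/proc/modules}
    modprobe_dir=${2:-/etc/modprobe.d}
    for m in $MODULES; do
        loaded=no; blocked=no
        if is_loaded "$m" "$proc_modules"; then loaded=yes; fi
        if is_blocked "$m" "$modprobe_dir"; then blocked=yes; fi
        echo "$m loaded=$loaded blocked=$blocked"
    done
}

# Print the modules that still need attention: loaded now, or loadable later.
exposed_modules() {
    audit "$@" | awk '$2 == "loaded=yes" || $3 == "blocked=no" { print $1 }'
}
```

Calling `exposed_modules` with no arguments audits the live host; a module that is blocked but still loaded stays on the list until it is unloaded or the host reboots.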

