
CISA issues guidance on Linux kernel Dirty Frag privilege escalation

The Linux kernel versions 4.10 and later contain a privilege escalation vulnerability nicknamed “Dirty Frag.” The issue chains together xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write flaws, and it can lead to privilege escalation, with other outcomes depending on configuration.

Dirty Frag affects the IPv4/IPv6 fragmentation and reassembly subsystem. It involves improper handling of overlapping or malformed fragment offsets during reassembly, and exploitation is described for an attacker able to send crafted network packets to a vulnerable host. The write-ups reference two CVE identifiers: CVE-2026-43284 for the xfrm-ESP Page-Cache Write and CVE-2026-43500 for the RxRPC Page-Cache Write. The publicly documented proof of concept shows that the fragmentation logic can be manipulated so the kernel processes inconsistent fragment states, enabling a controlled out-of-bounds write. The vulnerability stems from insufficient validation of fragment metadata during reassembly: incorrect or incomplete enforcement of fragment boundary checks, acceptance of overlapping fragments in unsafe sequences, and inadequate cleanup when transitions occur between valid and invalid fragment states. The fragment queue logic in affected kernels does not fully verify that fragment offsets, sizes, and overlap conditions remain consistent throughout reassembly, so malformed sequences are processed instead of being rejected.

The primary security concern is potential privilege escalation, similar in nature to the previously disclosed VU#260001 (“Copy Fail”). Depending on system configuration, kernel hardening features, and network exposure, successful exploitation may result in local or remote denial of service through kernel panic, memory corruption within the Linux networking stack, privilege escalation, container escape in certain containerized environments, and additional exploit primitives when chained with other vulnerabilities.

For remediation, the document instructs updating the distribution's kernel package as soon as vendor patches are available through standard update channels. If patching is not immediately possible, it provides workarounds: disable the at-risk modules (esp4, esp6, rxrpc) by blacklisting and removing them and then clearing the page cache, using the command sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true". It notes that module usage can be verified with lsmod (the Used field) or by reviewing refcnt in /sys/module//refcnt, for example cat /sys/module/esp4/refcnt. As an alternative when esp4, esp6, and rxrpc are compiled into the kernel, it specifies adding initcall_blacklist=esp4,esp6,rxrpc to the kernel command line via grub, systemd-boot, or grubby, followed by a reboot. For containers, it lists mitigations including seccomp filtering to restrict or deny system calls that create sockets in the AF_ALG (38) and AF_RXRPC (33) address families, AppArmor policies blocking AF_ALG and AF_RXRPC socket creation via the network alg rule, and BPF-based enforcement denying socket creation with AF_ALG (38) and AF_RXRPC (33).
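The module workaround above is a one-liner meant to be run as root on a live host. The script below is an added example, not code from the advisory or from any vendor, that breaks that sequence into checkable steps and takes a root directory argument (an empty string means the live system) so the blacklist file, the refcnt check and the built-in detection can be exercised against a scratch tree first. The module names, the "install <module> /bin/false" stanzas, the refcnt check and the drop_caches step come from the advisory; the function names, the root argument and the use of modules.builtin to detect built-in modules are this example's assumptions.

```shell
# Added example (not from the advisory): staged version of the module mitigation.
# ROOT="" addresses the live system; any other value is a scratch tree for review.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Write the modprobe stanzas that make future loads of the modules fail.
# Prints the path of the file it wrote.
write_dirtyfrag_modprobe_conf() {
    root="$1"
    conf="$root/etc/modprobe.d/dirtyfrag.conf"
    mkdir -p "$(dirname "$conf")"
    : > "$conf"
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
    printf '%s\n' "$conf"
}

# Print a module's reference count from sysfs, or "absent" when it is not loaded.
module_refcnt() {
    root="$1"; mod="$2"
    f="$root/sys/module/$mod/refcnt"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Return 0 when every module is absent or has refcnt 0 (rmmod will succeed),
# 1 when any module is still in use. This is the advisory's lsmod "Used"
# check, read from sysfs so it can be scripted.
dirtyfrag_modules_unloadable() {
    root="$1"; rc=0
    for m in $DIRTYFRAG_MODULES; do
        n=$(module_refcnt "$root" "$m")
        if [ "$n" != absent ] && [ "$n" -ne 0 ]; then
            echo "$m is in use (refcnt=$n); rmmod would fail" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 when any of the modules is built into kernel $2 (listed in
# modules.builtin). In that case rmmod cannot help and the advisory's
# initcall_blacklist=esp4,esp6,rxrpc boot parameter is the workaround.
dirtyfrag_modules_builtin() {
    root="$1"; kver="$2"
    list="$root/lib/modules/$kver/modules.builtin"
    [ -r "$list" ] || return 1
    for m in $DIRTYFRAG_MODULES; do
        grep -q "/$m\.ko\$" "$list" && return 0
    done
    return 1
}

# Live-system sequence from the advisory (run as root): blacklist, unload only
# if nothing holds a reference, then drop the page cache.
apply_dirtyfrag_mitigation() {
    write_dirtyfrag_modprobe_conf "" >/dev/null
    if dirtyfrag_modules_builtin "" "$(uname -r)"; then
        echo "modules are built in: add initcall_blacklist=esp4,esp6,rxrpc and reboot" >&2
        return 1
    fi
    dirtyfrag_modules_unloadable "" || return 1
    rmmod $DIRTYFRAG_MODULES 2>/dev/null || true
    echo 3 > /proc/sys/vm/drop_caches
}
```

Run `dirtyfrag_modules_unloadable ""` first on a host that carries IPsec or AFS traffic: a non-zero refcnt means an xfrm state or an AFS mount still holds the module, and the advisory's rmmod would silently fail while the blacklist file only takes effect for the next load. The built-in check matters because a distribution kernel with CONFIG_INET_ESP=y has no module to remove at all.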

The guidance provided by the advisory centers on updating the Linux distribution kernel package as soon as vendor patches reach the standard distribution update channels. It further outlines optional steps when patching is not immediately possible: disabling the esp4, esp6, and rxrpc modules if they are loaded and loadable, or using initcall_blacklist for kernels that compile these modules in. For containerized environments, where the issue may be used for container escape, it describes applying one or more of the listed mitigations: seccomp filtering, AppArmor policies, or BPF-based enforcement that blocks AF_ALG and AF_RXRPC socket creation.
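The container mitigations are described only in words. As an added example that is not the advisory's or any runtime's own code, the function below writes a seccomp profile in the OCI runtime-spec JSON format that Docker and podman accept, returning an error from socket() whenever the address family argument is AF_RXRPC (33) or AF_ALG (38), the two families named above. The output path, the helper names and the choice of architectures are this example's assumptions; the family numbers are the ones the advisory gives.

```shell
# Added example (not from the advisory): OCI seccomp profile denying socket()
# for the two address families named in the container mitigation.

AF_RXRPC=33
AF_ALG=38

# Write the profile to $1 and print the path. Two separate rules are needed
# because the "args" of a single rule are ANDed, not ORed. defaultAction is
# allow only so the fragment stands alone; merge the two rules into the
# runtime's default profile rather than shipping this as the whole policy.
write_dirtyfrag_seccomp_profile() {
    out="$1"
    cat > "$out" <<EOF
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        { "index": 0, "value": $AF_RXRPC, "op": "SCMP_CMP_EQ" }
      ]
    },
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        { "index": 0, "value": $AF_ALG, "op": "SCMP_CMP_EQ" }
      ]
    }
  ]
}
EOF
    printf '%s\n' "$out"
}

# Return 0 if profile $1 carries a socket() rule comparing argument 0 (the
# address family) against family number $2; a quick audit before deployment.
profile_denies_family() {
    grep -q "\"index\": 0, \"value\": $2, \"op\": \"SCMP_CMP_EQ\"" "$1"
}
```

Pass the file with `--security-opt seccomp=/path/to/dirtyfrag-seccomp.json` on docker run or podman run. SCMP_ACT_ERRNO without an explicit errnoRet returns EPERM, so an application that tries to open one of these sockets sees a failed socket() call rather than being killed. On 32-bit x86 the family reaches the kernel through socketcall, so a profile for that architecture needs a matching rule there as well.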