DirtyFrag details two Linux kernel vulnerabilities enabling local root
DirtyFrag is a Linux local privilege escalation disclosed on May 7, 2026, that relies on two kernel page-cache write vulnerabilities tracked as CVE-2026-43284 and CVE-2026-43500. For enterprise IT and security teams, the disclosure pairs distribution-wide exposure with an interim mitigation that targets kernel module loading.
Research Overview
The write-up describes DirtyFrag as part of the Dirty Pipe / Copy Fail family, with deterministic logic errors and no race condition. It states the two underlying vulnerabilities affect major Linux distributions including Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, and openSUSE.
It also reports public PoC activity soon after disclosure, including a GitHub release on the same day and rapid compilation and payload iteration once the source was published.
Key Findings
The article links CVE-2026-43284 to xfrm-ESP and says that, as of disclosure, a fix existed only in Linux mainline. It states CVE-2026-43500 is reserved for tracking and that no patch had been merged into any kernel tree as of disclosure.
It says both paths map to arbitrary command execution, with one CVE described as unpatched at disclosure. The write-up further notes no confirmed in-the-wild exploitation campaign at the time of publication.
Technical Breakdown
DirtyFrag is described as exploiting a kernel logic error that allows an unprivileged process to overwrite read-only file-backed memory. For CVE-2026-43284, it describes a requirement for namespace creation privileges and overwriting an in-memory copy of a setuid binary to spawn a root shell.
For CVE-2026-43500, it says no special privileges are required on systems where the rxrpc module loads by default. It describes setting the root account passwordless and using su to obtain a root shell.
Operational Impact and Mitigation
The mitigation section states there is no merged kernel fix for CVE-2026-43500, while a mainline-only fix exists for CVE-2026-43284 and no distribution kernels had shipped it as of May 8, 2026. It proposes disabling related kernel subsystems by blocking module loading and removing modules esp4, esp6, and rxrpc, then dropping caches.
It cautions that if esp4, esp6, or rxrpc are already loaded and in use, the rmmod step can fail. It instructs confirming module state with lsmod before and after the mitigation sequence.
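The mitigation sequence described above, written out as a POSIX shell script. This is an added example, not the Netskope write-up's own script: the brief names the steps (block loading of esp4, esp6 and rxrpc, unload them, drop caches, confirm with lsmod before and after) but not the mechanism, so the use of a modprobe.d "install ... /bin/false" rule to block loading and of /proc/sys/vm/drop_caches to drop caches are my assumptions, as are the conf file path and the function names. The two lsmod-parsing helpers are pure text processing so that the check can be exercised against constructed lsmod output without root.

```shell
#!/bin/sh
# Added example (not from the Netskope write-up): interim DirtyFrag mitigation
# as summarized in the brief -- block further loading of esp4/esp6/rxrpc,
# unload whatever is currently loaded, drop caches, and verify with lsmod.
# Assumptions (mine): loading is blocked with a modprobe.d "install" rule,
# caches are dropped via /proc/sys/vm/drop_caches, and the script runs as root.

TARGET_MODULES="esp4 esp6 rxrpc"
MODPROBE_CONF="/etc/modprobe.d/dirtyfrag-mitigation.conf"   # assumed path

# Read lsmod-style output on stdin; print the target modules that are loaded.
loaded_targets() {
    awk -v targets="$TARGET_MODULES" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        NR > 1 && ($1 in want) { print $1 }
    '
}

# Read lsmod-style output on stdin; print the target modules whose "Used by"
# count is non-zero. The brief warns rmmod is expected to fail for these.
in_use_targets() {
    awk -v targets="$TARGET_MODULES" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        NR > 1 && ($1 in want) && $3 > 0 { print $1 }
    '
}

apply_mitigation() {
    echo "Target modules loaded before mitigation:"
    lsmod | loaded_targets

    # Step 1: block future (auto)loading of the affected modules.
    for m in $TARGET_MODULES; do
        echo "install $m /bin/false"
    done > "$MODPROBE_CONF"

    # Step 2: unload what is loaded now; report modules that refuse to unload
    # (typically because they are in use) rather than silently continuing.
    for m in $(lsmod | loaded_targets); do
        if ! rmmod "$m" 2>/dev/null; then
            echo "warning: could not unload $m (still in use?)" >&2
        fi
    done

    # Step 3: drop caches (page cache, dentries and inodes).
    sync && echo 3 > /proc/sys/vm/drop_caches

    # Step 4: confirm state afterwards; anything listed here still needs attention.
    echo "Target modules loaded after mitigation:"
    lsmod | loaded_targets
}

# Only perform the privileged steps when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    apply_mitigation
fi
```

Run it as root with `--apply`; without the flag it only defines the functions, so the parsing helpers can be sourced and checked against saved lsmod output first. A module still listed after the run is one that rmmod could not remove, which is the failure case the brief calls out.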
Netskope Security Monitoring
The write-up says Netskope Threat Labs is tracking DirtyFrag as the exploit ecosystem evolves and weaponized variants emerge. It notes that two YARA rules are available in the Netskope Threat Labs IoC repository under a Dirtyfrag directory.
It also reports telemetry indicating interest in the exploit in seven countries within 24 hours of disclosure, while reiterating that it found no confirmed in-the-wild exploitation campaign.
DirtyFrag centers on two Linux kernel page-cache write issues tied to CVE-2026-43284 and CVE-2026-43500, with one tracked vulnerability described as unpatched at disclosure and a mitigation focused on disabling related module loading. This Blog Signals brief is a fact-based summary of the vendor blog.