To home page

Dirty Frag Vulnerability (CVE-2026-43284, CVE-2026-43500)

A critical Linux kernel vulnerability — here's what to do right now.

On May 7, 2026, researcher Hyunwoo Kim publicly disclosed a critical Linux kernel vulnerability called Dirty Frag. It allows any unprivileged local user — or a process running inside a container — to gain full root access on the host system.

A working public exploit is already in the wild. This needs your attention today.

Live updates

This article is updated as new patches and vulnerability details become available.

What is Dirty Frag

The vulnerability lives in the fast-path decryption code for IPsec ESP and rxrpc. When a socket buffer carries paged fragments that aren't privately owned by the kernel (e.g. pages attached via splice(2), sendfile(2), or MSG_SPLICE_PAGES), the kernel decrypts data directly over those externally-backed pages — exposing or corrupting plaintext that an unprivileged process still holds a reference to.

Dirty Frag is actually two separate bugs chained together:

  • CVE-2026-43284 — affects IPsec ESP (esp4 / esp6), present in all major distributions since 2017
  • CVE-2026-43500 — affects rxrpc, relevant only on systems with the kernel-modules-partner package installed

Who is affected

The vulnerability is present in all modern Linux kernels with xfrm/ESP support:

  • AlmaLinux 8, 9, 10
  • Rocky Linux, RHEL, and derivatives
  • Ubuntu, Debian, and derivatives

It's particularly dangerous on dedicated servers and containerized environments (Docker, LXC, Kubernetes) — it can be used to escape a container and compromise the host.

Step 1. Immediate mitigation

If updating and rebooting right now isn't an option, block the vulnerable kernel modules. This is safe to apply on most servers that don't actively use IPsec transport mode or AFS:

echo 'install esp4 /bin/false'  | sudo tee    /etc/modprobe.d/dirtyfrag.conf
echo 'install esp6 /bin/false'  | sudo tee -a /etc/modprobe.d/dirtyfrag.conf
echo 'install rxrpc /bin/false' | sudo tee -a /etc/modprobe.d/dirtyfrag.conf
sudo rmmod esp4 esp6 rxrpc 2>/dev/null

Then drop the page cache to evict any potentially tampered pages:

sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'

Don't apply this if your server actively uses IPsec ESP or AFS/rxrpc — those services will stop working. In that case, prioritize patching and rebooting as quickly as possible.

To undo the module blacklist later:

sudo rm /etc/modprobe.d/dirtyfrag.conf

Step 2. Patch your kernel

As soon as a patched kernel is available for your distribution, update and reboot.

AlmaLinux (patch available in the testing repository now):

sudo dnf install -y almalinux-release-testing
sudo dnf update 'kernel*' --enablerepo=almalinux-testing
sudo reboot

Patched kernel versions:

  • AlmaLinux 8: kernel-4.18.0-553.123.2.el8_10 or later
  • AlmaLinux 9: kernel-5.14.0-611.54.3.el9_7 or later
  • AlmaLinux 10: kernel-6.12.0-124.55.2.el10_1 or later

Ubuntu / Debian:

sudo apt update && sudo apt upgrade linux-image-generic
sudo reboot

Rocky Linux / RHEL:

sudo dnf update kernel
sudo reboot

After rebooting, confirm the new kernel is running:

uname -r

Checking for rxrpc exposure

CVE-2026-43500 only applies if you have the kernel-modules-partner package installed. Check with:

rpm -q kernel-modules-partner

If the package isn't installed, you're not affected by CVE-2026-43500.

References

Help

If you have any questions or need assistance, please contact us through the ticket system — we're always here to help!

Need help?Our engineers will help you free of charge with any question in minutesContact us