'Dirty Frag' Exploit Poised to Blow Up on Enterprise Linux Distros
Dark Reading
The privilege escalation vulnerability, which is similar to other Linux flaws like Copy Fail and Dirty Pipe, may already be under limited exploitation.
Elizabeth Montalbano,Contributing Writer
May 11, 2026
A public exploit is available for a nine-year-old vulnerability in the Linux kernel that paves the way to root privilege escalation. The flaw, which is actually two vulnerabilities chained together, belongs to the same class as the previously disclosed Linux flaws Dirty Pipe and Copy Fail, but it reaches a different kernel data structure than those issues did.
Security researcher Hyunwoo Kim disclosed the flaw, dubbed "Dirty Frag," and published a proof-of-concept (PoC) exploit last week on X. The vulnerability affects a wide range of Linux distributions, including Ubuntu, Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora, none of which were fully patched at the time of writing.
In fact, there are signs that Dirty Frag is already under limited exploitation, although it is unclear whether attackers are targeting Dirty Frag or Copy Fail, according to the Microsoft Defender Security Research Team. "Microsoft Defender is currently seeing limited in-the-wild activity where privilege escalation involving 'su' is observed, and which may be indicative of techniques associated with either 'Dirty Frag' or 'Copy Fail,'" the team wrote in a blog post published Friday.
Exploiting the flaw allows an attacker to modify protected system files in memory without authorization, leading to privilege escalation on a compromised system. The two flaws that make up Dirty Frag are tracked as CVE-2026-43284 and CVE-2026-43500; both carry a CVSS score of 7.8 and a Red Hat severity rating of "Important."
According to a GitHub post by Kim, who goes by the handle "V4bel," Dirty Frag chains two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability, to modify protected system files in memory without authorization and achieve privilege escalation.
Expands Scope of Previous Linux Kernel Bugs
It was in fact the Copy Fail flaw that inspired the research that led Kim to Dirty Frag, he said in the GitHub post. Dirty Frag not only affects a different part of the Linux kernel than Copy Fail or Dirty Pipe; it also has a broader scope and is therefore likely more dangerous, he said.
"In particular, xfrm-ESP Page-Cache Write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail," he explained, adding that it also extends Dirty Pipe's and Copy Fail's bug class.
This is "because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high," he wrote.
This also means that even if organizations have applied the Copy Fail mitigation, "your Linux is still vulnerable to 'Dirty Frag,'" Kim posted on X. He reported successfully testing the Dirty Frag exploit on the following distributions and kernel builds: Ubuntu 24.04.4 (6.17.0-23-generic); RHEL 10.1 (6.12.0-124.49.1.el10_1.x86_64); openSUSE Tumbleweed (7.0.2-1-default); CentOS Stream 10 (6.12.0-224.el10.x86_64); AlmaLinux 10 (6.12.0-124.52.3.el10_1.x86_64); and Fedora 44 (6.19.14-300.fc44.x86_64).
How Dirty Frag Works
Red Hat last week acknowledged the discovery of Dirty Frag and the publication of an exploit in an advisory that described the technical aspects of the issue. The flaw "refers to two distinct issues in the IPsec ESP (esp4/esp6) and rxrpc modules" in the Linux kernel, according to Red Hat.
IPsec provides encrypted network communication and is commonly used for VPNs and site-to-site tunnels; the esp4 and esp6 modules implement its Encapsulating Security Payload (ESP) for IPv4 and IPv6. The rxrpc module implements the RxRPC protocol, which underpins the Andrew File System (AFS), a distributed network filesystem.
Dirty Frag, like Dirty Pipe and Copy Fail, involves weaknesses in the Linux kernel's handling of writes to page-cache memory. The kernel keeps file contents in RAM in the page cache for speed, and certain kernel subsystems perform "in-place" cryptographic or networking operations on those cached pages.
Dirty Frag abuses flaws in those page-cache operations to let an attacker improperly modify memory-backed data structures, according to Kim. Because later reads of a file are served from the cache, such a write can alter protected system data in memory, which is enough to escalate privileges to root.
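As an added illustration of why an in-memory page-cache write is hard to spot (example shell code written for this page, not code from Kim, Red Hat, or Microsoft): ordinary integrity checks read files through the same page cache the attacker modified, so they report the tampered content as the file's content. Hashing the files, evicting clean cached pages, and hashing again exposes any discrepancy between cache and disk. The file list is a guess at plausible targets, and the assumption that tampered pages stay cache-only (not marked dirty and written back) is mine, not a statement from the article.

```shell
#!/bin/sh
# Added example (not from the article or any vendor advisory).
# A page-cache write changes what read() returns for a file without changing
# the blocks on disk. Hash the files, evict clean page-cache pages, hash again:
# any mismatch means the cached copy did not match the on-disk copy.
#
# Assumptions (mine): the tampered pages are not marked dirty, so drop_caches
# evicts them instead of writing them back; the file list is a plausible set of
# privilege-relevant targets, not one named by the article.

SUSPECT_FILES="/usr/bin/su /usr/bin/sudo /usr/bin/passwd /etc/passwd /etc/shadow /etc/sudoers"

# hash_list FILE...
# Prints "sha256  path" for each file that exists, in sha256sum's format.
hash_list() {
    for f in "$@"; do
        [ -f "$f" ] && sha256sum "$f"
    done
    return 0
}

# diff_hash_lists BEFORE AFTER
# BEFORE and AFTER are "hash  path" texts (as printed by hash_list). Prints the
# paths whose hash differs; returns 0 if any differ, 1 if all match.
diff_hash_lists() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NF == 2 {
            if ($2 in before) {
                if (before[$2] != $1) { print $2; changed = 1 }
            } else {
                before[$2] = $1
            }
        }
        END { exit !changed }'
}

# Live mode (needs root for drop_caches); guarded so the functions can be
# sourced and tested without touching the host:
#   PAGECACHE_CHECK_LIVE=1 sh pagecache-check.sh
if [ "${PAGECACHE_CHECK_LIVE:-}" = "1" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 2; }
    before=$(hash_list $SUSPECT_FILES)
    sync                                  # flush legitimately dirty pages first
    echo 3 > /proc/sys/vm/drop_caches     # evict clean page cache, dentries, inodes
    after=$(hash_list $SUSPECT_FILES)
    if changed=$(diff_hash_lists "$before" "$after"); then
        printf 'WARNING: cached contents differed from on-disk contents for:\n%s\n' "$changed"
        exit 1
    fi
    echo "OK: cached and on-disk contents agree for $SUSPECT_FILES"
fi
```

A clean result here is not proof of a clean host: if an exploit variant also marked the page dirty, the tampered data would already have been written back and both hashes would agree, so pair this check with package-manager verification (rpm -V, dpkg --verify) and, after patching, a reboot.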
The Linux Kernel Organization (kernel.org) released a fix for CVE-2026-43284 on Friday, which defenders are urged to apply quickly; a fix for CVE-2026-43500 was not yet available.
Red Hat and the maintainers of other major Linux distributions are readying their own fixes for Dirty Frag. Red Hat is expediting the release of fixes, according to its advisory, while Canonical said a fix will be distributed through Ubuntu's Linux kernel image packages, according to a blog post published Friday. SUSE also said it is preparing kernel updates and livepatches to address the issue.
Don't Hesitate, Mitigate
In the meantime, enterprises running affected versions of Linux can take a number of steps to mitigate Dirty Frag. According to Microsoft Defender, those mitigations include disabling the rxrpc kernel module where it is unused and operationally possible; assessing whether esp4, esp6, and related xfrm/IPsec functionality can be temporarily disabled safely; restricting unnecessary local shell access; hardening containerized workloads; and increasing monitoring for abnormal privilege escalation activity.
Moreover, "any hardening measures that limit local access help reduce the risk of exploitation," according to Red Hat, including disabling SSH where it is not needed, ensuring SELinux is in enforcing mode, running workloads as non-root, and, on OpenShift, using the default Security Context Constraints (SCC) and restricting "oc debug" access to trusted cluster administrators.
Still, disabling any single access method does not eliminate the other means by which a user could gain local access, Red Hat notes. Affected organizations should therefore prioritize deploying kernel patches as soon as their vendors or distribution maintainers release them.
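The module-related mitigations above, turned into a check an administrator can run, as an added example written for this page rather than code from Microsoft, Red Hat, or the article: it lists which of the modules named in the advisories are currently loaded, warns when one is compiled into the kernel (where modprobe.d cannot help), reports the SELinux mode, and prints a modprobe.d snippet. The extra module names (af_rxrpc, esp4_offload, esp6_offload), the file names, and the helper names are my assumptions.

```shell
#!/bin/sh
# Added example (not from Microsoft, Red Hat, or the article): audit a host for
# the kernel modules named in the Dirty Frag reporting and generate a
# /etc/modprobe.d snippet that stops them from being loaded.
#
# rxrpc, esp4 and esp6 are the module names the article cites. af_rxrpc,
# esp4_offload and esp6_offload are added on the assumption that older kernels
# name the RxRPC module af_rxrpc and that the ESP hardware-offload helpers pull
# in the ESP code (assumption, not from the article).

DIRTYFRAG_MODULES="rxrpc af_rxrpc esp4 esp6 esp4_offload esp6_offload"

# dirtyfrag_loaded_modules LSMOD_TEXT
# LSMOD_TEXT is lsmod or /proc/modules output (module name in column 1).
# Prints the Dirty Frag-relevant modules present, one per line; returns 0 if
# any were found, 1 if none.
dirtyfrag_loaded_modules() {
    found=""
    for m in $DIRTYFRAG_MODULES; do
        if printf '%s\n' "$1" | awk -v mod="$m" '$1 == mod { hit = 1 } END { exit !hit }'; then
            found="$found $m"
        fi
    done
    set -- $found
    [ $# -gt 0 ] || return 1
    printf '%s\n' "$@"
}

# dirtyfrag_modprobe_conf MODULE...
# Prints modprobe.d lines. "install <mod> /bin/false" makes both an explicit
# `modprobe <mod>` and kernel-triggered autoload (request_module through the
# module's protocol alias) fail, which a bare "blacklist" line does not.
dirtyfrag_modprobe_conf() {
    for m in "$@"; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Live mode, guarded so the functions can be sourced for testing:
#   DIRTYFRAG_AUDIT_LIVE=1 sh dirtyfrag-audit.sh
if [ "${DIRTYFRAG_AUDIT_LIVE:-}" = "1" ]; then
    echo "kernel: $(uname -r)"
    if loaded=$(dirtyfrag_loaded_modules "$(cat /proc/modules)"); then
        echo "loaded modules of interest:"; echo "$loaded"
    else
        echo "none of: $DIRTYFRAG_MODULES currently loaded"
    fi
    # A module compiled into the kernel cannot be unloaded or blocked by modprobe.d.
    for m in $DIRTYFRAG_MODULES; do
        grep -q "/$m.ko" "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null \
            && echo "NOTE: $m is built in on this kernel; only a patched kernel helps"
    done
    command -v getenforce >/dev/null 2>&1 && echo "SELinux: $(getenforce)"
    echo "# suggested /etc/modprobe.d/dirtyfrag.conf (modprobe -r loaded modules first):"
    dirtyfrag_modprobe_conf $DIRTYFRAG_MODULES
fi
```

Two cautions when using the snippet: the RxRPC module registers a protocol-family alias, so a socket() call from an ordinary process can trigger its autoload on a host where lsmod shows nothing, which is why the install line matters even on a host that never uses AFS; and blocking esp4/esp6 breaks every IPsec tunnel the host terminates, so those lines belong in the file only after the assessment the article describes.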