Dirty Frag Linux Kernel Vulnerability Lets Attackers Gain Full Administrative Control

A nine-year-old Linux kernel vulnerability nicknamed "Dirty Frag" was publicly disclosed after an embargo broke, and it allows attackers with low-level access to gain full administrative control.

“Linux users have been bitten by yet another vulnerability that gives containers and untrusted users the ability to gain root access, marking the second time in as many weeks that a severe threat has caught defenders off guard”

Ars Technica

Hyunwoo Kim, who privately reported the issue to Linux maintainers on 30th April, said "Because the embargo has currently been broken, no patch or CVE exists," in a public post to the oss-security mailing list.

Ars Technica

The flaw is tracked as two linked vulnerabilities, CVE-2026-43284 and CVE-2026-43500, and it chains weaknesses in the kernel’s networking subsystem to corrupt files held in memory without altering the originals stored on disk.

Red Hat confirmed the vulnerabilities affect its enterprise Linux products and classified the issue as "Important" severity, while Alma Linux and Ubuntu released patches or temporary mitigations within a day of public disclosure.

In response to the rapid succession of critical flaws, Linux stable kernel co-maintainer Sasha Levin proposed a "Killswitch" feature to disable vulnerable kernel functions while systems remain online until official patches can be deployed.

Dark Reading reported that a public exploit is available for the nine-year-old Dirty Frag flaw and that it may already be under limited exploitation, citing Microsoft Defender Security Research Team observations.

Elizabeth Montalbano’s Dark Reading account quoted the Microsoft Defender team: "Microsoft Defender is currently seeing limited in-the-wild activity where privilege escalation involving 'su' is observed," and said it may be indicative of techniques associated with either "Dirty Frag" or "Copy Fail."

Computing UK

Ars Technica said exploit code was leaked online three days ago and works reliably across virtually all Linux distributions, and it described the threat as deterministic and stealthy because it causes no crashes.

Ars Technica also said Microsoft has spotted signs that hackers are experimenting with Dirty Frag in the wild, and it described the exploit as chaining together code for CVE-2026-43284 and CVE-2026-43500.

Infosecurity Magazine added that Kim notified users of the Openwall Project’s open source security email thread on May 8 that the embargo had been broken before patches were ready, and it quoted Kim: "After consultation with the [Linux distributions] maintainers, and at the maintainers' request, I am publicly releasing this Dirty Frag document."

As distributions moved to fix the two CVEs, Infosecurity Magazine said the Linux kernel security team disclosed two separate high-severity page-cache vulnerabilities on May 8, with CVE-2026-43284 rated 8.8 and CVE-2026-43500 rated 7.8.

Until patches are available, Kim recommended disabling vulnerable kernel modules with a script that writes a modprobe configuration to install esp4, esp6, and rxrpc to /bin/false and then runs rmmod esp4 esp6 rxrpc.

ZDNET framed the moment as a security wake-up call by pointing to the rapid discovery of Copy Fail and Dirty Frag within a week and noting that a kill switch had been proposed to quickly disable affected functions until a patch is released.

SecurityWeek reported that Dirty Frag affects the xfrm-ESP (IPsec) and RxRPC components of the Linux kernel and said Ubuntu developers noted the container escape angle "has yet to be demonstrated."

Phoronix reported that Linux 7.0.6 was released to finish mitigating Dirty Frag, and it said the release is focused on a single patch for RXRPC, while Linux 6.18.29 LTS was also released with the same security fix.