Dirty Frag Linux Kernel Vulnerability Chain Enables Local Privilege Escalation to Root
Tags Infrastructure · Enterprise · OSS
A Linux kernel vulnerability chain dubbed Dirty Frag (CVE-2026-43284 and CVE-2026-43500) enables a low-privileged local user to escalate privileges to root by corrupting page-cache-backed memory without modifying files on disk. CVE-2026-43284 affects the IPsec ESP path through esp4 and esp6 kernel modules; CVE-2026-43500 affects RxRPC. The chain was publicly disclosed after coordinated disclosure was disrupted, with proof-of-concept code available before many distributions completed patch rollout. Ubuntu rated the issue HIGH (CVSS 3.1 score 7.8); Red Hat rated it Important with confirmed impact to RHEL 8, 9, 10, and OpenShift 4. AlmaLinux began rolling patched kernels on May 8, 2026.
Technical significance
Dirty Frag is the latest in a line of page-cache corruption vulnerabilities (following Dirty COW and Copy Fail) that are particularly dangerous in cloud environments where attackers gain initial foothold through compromised credentials or vulnerable containers. The page-cache attack vector creates a detection gap: traditional file-integrity checks may miss exploitation since the in-memory representation is altered, not the on-disk file.