Dirty Frag: Linux Kernel Privilege Escalation Chain Actively Exploited, One CVE Still Unpatched
Tags: Security · Infrastructure · OSS

A Linux kernel privilege escalation chain dubbed 'Dirty Frag' (CVE-2026-43284 in IPsec ESP + CVE-2026-43500 in RxRPC) allows unprivileged local attackers to gain deterministic root access on all major distributions. CVE-2026-43284 was patched in mainline on May 8, but CVE-2026-43500 has no patch anywhere. Microsoft Defender observed in-the-wild exploitation. The bugs chain weaknesses in fragmented memory page handling, extending the Dirty Pipe/Copy Fail bug class. Mitigation requires disabling esp4, esp6, and rxrpc kernel modules.
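A way to check whether a host has the module mitigation in place, as an added example that is not part of the original page. The function names are hypothetical and the sample data in `demo` is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc mitigation described above.
MODULES="esp4 esp6 rxrpc"   # the three modules the summary names

# is_loaded MODULE PROC_MODULES_FILE: true if MODULE is currently loaded.
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2"
}

# is_blocked MODULE CONF_DIR: true if a modprobe.d file maps MODULE to
# /bin/false or /bin/true. A bare "blacklist" line does not count: it only
# suppresses alias autoloading and still allows "modprobe MODULE".
is_blocked() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "install" && $2 == m &&
        ($3 == "/bin/false" || $3 == "/bin/true") { hit = 1 }
        END { exit !hit }'
}

# write_block_conf FILE: write install overrides for all three modules.
write_block_conf() {
    for m in $MODULES; do printf 'install %s /bin/false\n' "$m"; done > "$1"
}

# audit PROC_MODULES_FILE CONF_DIR: print "module status" lines; the return
# status is the number of modules that are loaded or not blocked.
audit() {
    findings=0
    for m in $MODULES; do
        status=mitigated
        is_blocked "$m" "$2" || status=not-blocked
        is_loaded "$m" "$1" && status=loaded
        [ "$status" = mitigated ] || findings=$((findings + 1))
        printf '%s %s\n' "$m" "$status"
    done
    return "$findings"
}

# Demo on constructed sample data (not from a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s 28672 0 - Live 0x0000000000000000\n' rxrpc esp4 > "$d/modules"
    printf 'blacklist esp6\ninstall esp4 /bin/false\n' > "$d/local.conf"
    audit "$d/modules" "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "findings: $?"
```

On a real host, call `audit /proc/modules /etc/modprobe.d`; a module reported as `loaded` stays loaded until it is removed or the host reboots, even after the override file is written. Blocking esp4 and esp6 disables IPsec ESP, and blocking rxrpc disables the kernel AFS client, so check for those dependencies first.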
Technical significance
Dirty Frag affects virtually all major Linux distributions and is already being exploited in the wild. The deterministic nature of the exploit makes it highly reliable for attackers. With one of the two CVEs still unpatched, organizations running Linux (which includes the vast majority of cloud infrastructure) face a significant window of exposure.