Dirty Frag: Two Linux kernel vulnerabilities give root on all major distros

Two Linux kernel local privilege escalation vulnerabilities collectively called 'Dirty Frag' (CVE-2026-43284 and CVE-2026-43500) allow unprivileged local users to gain root privileges on virtually all major Linux distributions, with no patches available in any distribution kernel at disclosure. CVE-2026-43284 exploits the xfrm-ESP kernel module (IPsec) and requires namespace creation privileges; CVE-2026-43500 exploits the RxRPC kernel module and requires no special privileges. Canonical published mitigations for Ubuntu; Red Hat guidance is pending. The embargo was broken before patches were ready.