Dirty Frag is a pair of Linux kernel vulnerabilities, CVE-2026-43284 and CVE-2026-43500, that let an unprivileged local user overwrite page cache contents and escalate to root across many distributions. A public proof of concept was released before patches, and defenders are urged to patch kernels, block vulnerable modules, and monitor AF_KEY, AF_RXRPC, and XFRM activity. #CVE-2026-43284 #CVE-2026-43500 #DirtyFrag #LinuxKernel
Keypoints
- Two Linux kernel vulnerabilities, CVE-2026-43284 and CVE-2026-43500, were disclosed on May 8, 2026 and collectively nicknamed Dirty Frag.
- The flaws allow an unprivileged local user to corrupt arbitrary page cache contents and obtain root on vulnerable Linux systems.
- A working proof of concept was published the same day, before patched kernels were available from distributions.
- CVE-2026-43284 affects the IPsec ESP in-place decryption path, while CVE-2026-43500 affects the RxRPC fast path.
- Most Linux distributions are affected, with known impacted kernel versions ranging from 4.10 through 7.0.
- The exploit can be adapted to different environments, including Ubuntu and containerized workloads, and can lead to host root from a container foothold.
- Sysdig and Falco detections were highlighted, along with recommendations to patch, restrict vulnerable modules, and monitor suspicious socket and netlink activity.
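The monitoring recommendation above can be turned into a concrete check. The script below is an added example and is not code from the article, from Sysdig or from the Falco project: it scans auditd SYSCALL records for socket(2) calls that open the three socket families the article names as exploitation prerequisites, AF_KEY (PF_KEY), AF_RXRPC, and AF_NETLINK with protocol NETLINK_XFRM. The family and protocol constants come from linux/socket.h and linux/netlink.h; the syscall number 41 is socket(2) on x86_64. The sample log lines are constructed, not captured from a real incident, and the allowlist of IPsec daemon names is an assumption to be tuned per fleet. It assumes records are produced by audit rules such as `-a always,exit -F arch=b64 -S socket -F a0=15 -k dirtyfrag` (and the same for a0=33 and a0=16), which is a suggested configuration rather than something the article specifies.

```python
"""Flag auditd SYSCALL records for socket() calls into AF_KEY, AF_RXRPC,
or AF_NETLINK/NETLINK_XFRM.  Added example, not the article's or Sysdig's
code.  Constants are from linux/socket.h and linux/netlink.h; the
allowlist and the sample records are assumptions / constructed data."""
import re

# Socket families and netlink protocol (linux/socket.h, linux/netlink.h).
AF_KEY = 15
AF_NETLINK = 16
AF_RXRPC = 33
NETLINK_XFRM = 6
SYS_SOCKET_X86_64 = 41          # socket(2) on x86_64 (audit arch=c000003e)

# Daemons that legitimately open PF_KEY / XFRM sockets on an IPsec gateway.
# Assumed names; keep this empty on hosts that have no IPsec role, so every
# hit is reviewed.
ALLOWED_COMM = {"charon", "pluto", "ip"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one auditd key=value line into a dict; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify_socket(rec):
    """Return a reason string if the record is a socket() call into a family
    of interest, else None.  auditd logs syscall arguments a0..a3 in hex."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
        return None
    if int(rec.get("syscall", "-1")) != SYS_SOCKET_X86_64:
        return None
    domain = int(rec.get("a0", "0"), 16)
    proto = int(rec.get("a2", "0"), 16)
    if domain == AF_KEY:
        return "AF_KEY socket (PF_KEY, IPsec SADB)"
    if domain == AF_RXRPC:
        return "AF_RXRPC socket"
    if domain == AF_NETLINK and proto == NETLINK_XFRM:
        return "NETLINK_XFRM socket"
    return None


def scan(lines):
    """Return alert dicts for suspicious socket() calls.  A hit from an
    allowlisted daemon running as root is treated as expected IPsec work;
    everything else (in particular an unprivileged uid) is reported."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        reason = classify_socket(rec)
        if reason is None:
            continue
        comm = rec.get("comm", "?")
        uid = int(rec.get("uid", "-1"))
        if comm in ALLOWED_COMM and uid == 0:
            continue
        alerts.append({"pid": rec.get("pid"), "uid": uid, "comm": comm,
                       "exe": rec.get("exe"), "reason": reason})
    return alerts


# Constructed sample records (not from a real incident): an unprivileged
# program opening AF_KEY then AF_RXRPC, the IPsec daemon opening an XFRM
# netlink socket as root, and an unrelated AF_INET socket.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1778198400.101:201): arch=c000003e syscall=41 '
    'success=yes exit=3 a0=f a1=3 a2=2 a3=0 items=0 ppid=1201 pid=1337 '
    'auid=1000 uid=1000 gid=1000 comm="poc" exe="/tmp/poc" key="dirtyfrag"',
    'type=SYSCALL msg=audit(1778198400.102:202): arch=c000003e syscall=41 '
    'success=yes exit=4 a0=21 a1=2 a2=2 a3=0 items=0 ppid=1201 pid=1337 '
    'auid=1000 uid=1000 gid=1000 comm="poc" exe="/tmp/poc" key="dirtyfrag"',
    'type=SYSCALL msg=audit(1778198400.103:203): arch=c000003e syscall=41 '
    'success=yes exit=3 a0=10 a1=3 a2=6 a3=0 items=0 ppid=1 pid=842 '
    'auid=4294967295 uid=0 gid=0 comm="charon" exe="/usr/lib/ipsec/charon" '
    'key="dirtyfrag"',
    'type=SYSCALL msg=audit(1778198400.104:204): arch=c000003e syscall=41 '
    'success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=900 '
    'auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On a host with no IPsec or AFS role, any AF_KEY, AF_RXRPC or NETLINK_XFRM socket from a non-root process is worth an immediate look; on an IPsec gateway the allowlist is what keeps this from paging on every rekey, so keep it short and tied to the daemon's uid as the code does.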
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – The vulnerabilities let a local attacker gain root privileges by corrupting page cache data and executing attacker-controlled code (‘an unprivileged local user can corrupt arbitrary page caches and pivot to root’).
- [T1055] Process Injection – The attacker uses page-cache corruption to alter a shared in-memory binary so it runs attacker code when executed (‘/usr/bin/su is silently rewritten in RAM with the attacker’s shellcode’).
- [T1203] Exploitation for Client Execution – The exploit causes a legitimate binary to execute a malicious payload when a user runs it (‘The next person to run su runs the attacker’s code as root’).
- [T1106] Native API – The attack relies on standard Linux syscalls and kernel interfaces such as socket, setsockopt, bind, vmsplice, splice, and sendmsg (‘The exploit relies only on standard syscalls’).
- [T1611] Escape to Host – Container workloads can use the flaw to break out to host root (‘a compromise of any container … escalates to host root’).
- [T1040] Network Sniffing – Not applicable; the article describes no sniffing.
Indicators of Compromise
- [CVE IDs] Vulnerability identifiers – CVE-2026-43284, CVE-2026-43500, and 1 other item
- [Kernel versions] Affected software versions – Linux kernel 4.10 and Linux kernel 7.0 (the lower and upper bounds of the reported affected range)
- [Commit hash] Source code introduction point – cac2661c53f3
- [Module names] Vulnerable or related kernel modules – esp4, rxrpc, and 3 other items
- [Socket families / protocol identifiers] Suspicious network interfaces used in exploitation or detection – AF_RXRPC, AF_KEY, and XFRM netlink
- [File paths] Targeted sensitive files – /usr/bin/su, /etc/passwd
- [Rule names] Detection artifacts referenced by the article – Dirty Frag xfrm-ESP Page Cache Poisoning LPE, Dirty Frag RxRPC Page Cache Poisoning LPE