DirtyFrag is a Linux local privilege escalation that abuses two page-cache write bugs, CVE-2026-43284 and CVE-2026-43500, affecting major distributions including Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, and openSUSE. A public GitHub PoC spread quickly and drew attention in multiple countries, while no confirmed in-the-wild campaign has been reported yet. #DirtyFrag #CVE-2026-43284 #CVE-2026-43500 #Ubuntu #RHEL #Fedora #CentOSStream #AlmaLinux #openSUSE
Keypoints
- DirtyFrag was disclosed on May 7, 2026 as a Linux local privilege escalation.
- It exploits two kernel page-cache write vulnerabilities: CVE-2026-43284 in xfrm-ESP and CVE-2026-43500 in RxRPC.
- The bugs are described as Dirty Pipe / Copy Fail family issues with deterministic logic errors and no race condition, making exploitation reliable.
- All major Linux distributions are affected, including Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, and openSUSE.
- A public proof of concept appeared on GitHub the same day, and compiled binaries showed up on VirusTotal within seven minutes.
- Within 24 hours, the PoC had hundreds of forks and active payload modifications, raising abuse risk.
- No confirmed in-the-wild exploitation campaign has been reported, but Netskope observed interest in seven countries shortly after disclosure.
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – The exploit uses kernel logic errors to gain root privileges by overwriting read-only file-backed memory (‘exploiting two kernel page-cache write vulnerabilities’).
- [T1611] Escape to Host – The attack leverages namespace creation privileges on one path to move from an unprivileged context to root on the host (‘requires namespace creation privileges’).
- [T1548.001] Abuse Elevation Control Mechanism: Setuid and Setgid – One path overwrites a setuid binary in memory to spawn a root shell (‘overwrites the in-memory copy of a setuid binary to spawn a root shell’).
- [T1068] Exploitation for Privilege Escalation – The second path sets the root account to passwordless and then uses su to obtain root (‘makes the root account passwordless, then invokes su to obtain a root shell’).
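A defender-side posture check covering the two paths above, written as an added example for this summary (it is not code from Netskope or from the public PoC). It assumes the ESP and RxRPC code paths live in the esp4/esp6 and rxrpc kernel modules, that the second path leaves root with an empty password field in /etc/passwd, and that /proc/sys/user/max_user_namespaces is the coarse indicator of whether unprivileged namespace creation is allowed.

```python
"""Read-only host posture check for the DirtyFrag exploit paths described above.
Assumptions (not stated on the page): the affected kernel code is reachable through
the esp4/esp6 and rxrpc modules; the 'passwordless root' path shows up as an empty
password field for root in /etc/passwd; user.max_user_namespaces > 0 means an
unprivileged user may create the namespaces one path requires."""

# Kernel modules assumed to carry the vulnerable code paths (assumption).
WATCHED_MODULES = ("rxrpc", "esp4", "esp6")

def loaded_modules(proc_modules_text: str) -> set:
    """Parse /proc/modules text; the module name is the first column of each line."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}

def passwordless_root(passwd_text: str) -> bool:
    """True if root's password field in /etc/passwd is empty.
    Normally it holds 'x' (shadow lookup) or a hash; empty means no password is asked for."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == "root":
            return fields[1] == ""
    return False

def userns_unrestricted(max_user_namespaces_text: str) -> bool:
    """True when user.max_user_namespaces is non-zero (namespace creation not disabled)."""
    return int(max_user_namespaces_text.strip()) > 0

def assess(modules_text: str, passwd_text: str, max_userns_text: str) -> dict:
    """Combine the three checks into one report dict."""
    loaded = loaded_modules(modules_text)
    return {
        "watched_modules_loaded": sorted(loaded & set(WATCHED_MODULES)),
        "root_passwordless": passwordless_root(passwd_text),
        "userns_unrestricted": userns_unrestricted(max_userns_text),
    }

def assess_host() -> dict:
    """Run the checks against the live host (needs read access to the three files)."""
    def read(path):
        with open(path) as f:
            return f.read()
    return assess(read("/proc/modules"), read("/etc/passwd"),
                  read("/proc/sys/user/max_user_namespaces"))

# Constructed sample input (not captured from a real host): rxrpc loaded, root passwordless.
SAMPLE_MODULES = "rxrpc 700000 0 - Live 0x0000000000000000\nxfs 1500000 2 - Live 0x0000000000000000\n"
SAMPLE_PASSWD = "root::0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"

if __name__ == "__main__":
    print(assess(SAMPLE_MODULES, SAMPLE_PASSWD, "15000\n"))
```

A non-empty `watched_modules_loaded` or a `root_passwordless` result of True on a host that has not been patched for the two CVEs is a reason to investigate, not proof of compromise on its own.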
Indicators of Compromise
- [CVE IDs] Vulnerability references – CVE-2026-43284, CVE-2026-43500
- [GitHub repository] Public source for the exploit – V4bel/dirtyfrag
- [TLSH hashes] Dynamic/static ELF cluster similarity pivots – T1DC53E6BFAB52DA75C441D2709BEF9270A47070702F36212F3B016BBA3E716554B69E23, T16A53E66F9B52DA75C441D2709BEF9260A87070B02F36602F3B016BB63F716954F79E22, and 3 more hashes
- [vhash values] VirusTotal structural family pivots for builds – aa0a1187cb479f091e9b621389f89bbe, d5561820534ba7c79b05bc4db1baefd4, and 2 more hashes
- [YARA rules] Detection resources referenced by Netskope Threat Labs – Two YARA rules in the Netskope Threat Labs IoC repository
Read more: https://www.netskope.com/blog/dirtyfrag-two-kernel-bugs-give-root-on-all-major-linux-distros