Overview
- Dirty Frag, which researchers disclosed Friday, May 8 after an embargo break, came with technical details and a working proof‑of‑concept.
- It chains two kernel bugs, CVE-2026-43284 in the IPsec xfrm-ESP path and CVE-2026-43500 in the RxRPC module, to rewrite data in the page cache and gain root on many Linux systems.
- Microsoft reported limited activity that may reflect Dirty Frag or the related Copy Fail, including privilege escalation followed by tampering with GLPI authentication and PHP session files.
- Major distributions including Red Hat, Ubuntu, Fedora, AlmaLinux, and Amazon Linux are releasing updates, and temporary guidance urges blacklisting esp4, esp6, and rxrpc modules, which can disrupt IPsec encryption and AFS file services.
- Researchers say the exploit is deterministic and often avoids crashes, and the page-cache technique changes files in memory rather than on disk, which raises risk for shared hosts, CI runners, and some container or VM setups.