Overview
- Dirty Frag, disclosed Friday after an embargo was broken, chains CVE-2026-43284 and CVE-2026-43500 to let an unprivileged user gain root on major Linux distributions.
- The paired bugs sit in the xfrm-ESP IPsec path (esp4 and esp6) and the RxRPC subsystem, and let attackers overwrite in-memory page-cache data backing files such as /etc/passwd.
- Researcher Hyunwoo Kim published a technical write-up and working exploit, and maintainers for Red Hat, Ubuntu, Fedora, Amazon Linux, and AlmaLinux began rolling out fixes and guidance.
- Microsoft Defender reported limited in-the-wild activity that may reflect testing or early use and flagged likely entry points such as stolen SSH access and web shells.
- Teams are urged to disable esp4, esp6, and rxrpc as a temporary mitigation until patches are applied, with the warning that this can break IPsec VPNs and AFS services.
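
To verify the temporary mitigation on a host, the following added example (not from the article or from any vendor guidance) reports whether esp4, esp6, and rxrpc are loaded, blocked, or still loadable. It assumes the modules are blocked with `install <module> /bin/false` lines in a modprobe.d directory, a mechanism the article does not specify; the file name and sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the article. Assumption: modules are blocked with
# "install <module> /bin/false" (or /bin/true) in a modprobe.d directory.
MODULES="esp4 esp6 rxrpc"

# module_state <module> <proc_modules_file> <modprobe_dir>: loaded | blocked | loadable
module_state() {
    mod=$1; proc_file=$2; conf_dir=$3
    # A module already in memory stays usable whatever modprobe.d says.
    if [ -r "$proc_file" ] &&
       awk -v m="$mod" '$1 == m { hit = 1 } END { exit !hit }' "$proc_file"; then
        echo loaded; return 0
    fi
    for f in "$conf_dir"/*.conf; do
        [ -r "$f" ] || continue
        # Commented-out lines do not match because $1 is then "#install" or "#".
        if awk -v m="$mod" '$1 == "install" && $2 == m &&
               $3 ~ "^/(usr/)?bin/(false|true)$" { hit = 1 }
               END { exit !hit }' "$f"; then
            echo blocked; return 0
        fi
    done
    echo loadable
}

# audit <proc_modules_file> <modprobe_dir>
# Prints "<module> <state>" per line; returns 0 only if every module is blocked.
audit() {
    rc=0
    for m in $MODULES; do
        s=$(module_state "$m" "$1" "$2")
        echo "$m $s"
        [ "$s" = blocked ] || rc=1
    done
    return $rc
}

# Constructed sample host: rxrpc still loaded, esp4 blocked, esp6 only commented out.
tmp=$(mktemp -d)
mkdir "$tmp/modprobe.d"
printf 'rxrpc 200704 0 - Live 0x0000000000000000\n' > "$tmp/modules"
printf 'install esp4 /bin/false\n# install esp6 /bin/false\ninstall rxrpc /bin/false\n' \
    > "$tmp/modprobe.d/dirtyfrag.conf"
# On a real host: sh audit.sh /proc/modules /etc/modprobe.d
if audit "${1:-$tmp/modules}" "${2:-$tmp/modprobe.d}"; then
    echo "mitigation in place"
else
    echo "mitigation incomplete"
fi
```

A module reported as loaded has to be unloaded (or the host rebooted) before the block takes effect. Code compiled into the kernel image rather than built as a module shows up in neither source, so this check does not cover it.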