
Vulnerabilities CVE-2026-43284 ("Dirty Frag"), CVE-2026-43500 ("Copy Fail 2"), and CVE-2026-46300

On May 8, 2026, the vulnerabilities CVE-2026-43284 (also known as Dirty Frag) and CVE-2026-43500 were publicly disclosed. Update from May 13: A variant of Dirty Frag called Fragnesia (CVE-2026-46300) has been publicly disclosed and requires additional kernel fixes beyond the original Dirty Frag patches. All of these are Local Privilege Escalation (LPE) vulnerabilities that allow an attacker with local access (including SSH access) to gain root privileges by manipulating the page cache. The vulnerabilities affect a large number of Linux distributions and are particularly critical because they can be exploited deterministically and do not require race conditions.
The vulnerabilities are especially critical for multi-user systems or systems executing untrusted code.

Dirty Frag is an evolution of the bug class that also includes Dirty Pipe and Copy Fail. It combines two separate vulnerabilities:

  • xfrm-ESP Page-Cache Write: Allows writing to the page cache of readable files. (CVE-2026-43284)
  • RxRPC Page-Cache Write: Allows writing to the page cache without creating namespaces. (CVE-2026-43500)

By combining these two vulnerabilities, attackers can gain root privileges on almost all major Linux distributions, even if individual mitigation measures (e.g., blacklisting algif_aead) have already been applied.

Affected Systems

The vulnerability affects Linux kernel versions released since 2017.

Since the vulnerability is at the kernel level, it can be assumed that all current distributions are affected.

Risk Assessment

High Risk: The vulnerability allows reliable and deterministic exploitation without causing the kernel to crash. Since the page cache is shared across all processes, the vulnerability can also be exploited in container environments (Container Escape).

Recommended Actions

As of May 8, 2026, there are no official patches available for most distributions. Until patches are available, it is recommended to disable the kernel modules esp4, esp6, and rxrpc (e.g., via modprobe), if they are not essential for the operation of your system. Update on May 13: Keep these three modules disabled to mitigate the risk of the Fragnesia variant of the vulnerability, even when running a kernel version that mitigates the original Dirty Frag vulnerability.
Please refer to the mitigation instructions provided by your distribution or the exploit author.
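
One way to verify the module mitigation described above, as an added example that is not part of the original advisory or of any distribution's tooling. The function names, the sample file names and the sample data are constructed for illustration; the script assumes that only an `install <module> /bin/false` rule counts as a hard block, because a `blacklist` entry alone does not stop an explicit `modprobe`.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc mitigation state (defensive check).
MODULES="esp4 esp6 rxrpc"

# is_loaded MODULE [FILE]: true if MODULE is listed in a /proc/modules-format FILE.
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}"
}

# block_state MODULE CONF...: prints "install" when an "install MODULE /bin/false"
# (or /bin/true) rule exists, "blacklist" when only blacklisted, else "none".
# "blacklist" only suppresses alias-based autoloading; an explicit
# "modprobe MODULE" still loads it, so only "install" counts as a hard block.
block_state() {
    mod=$1; shift
    awk -v m="$mod" '
        $1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" && $2 == m { bl = 1 }
        END { print inst ? "install" : (bl ? "blacklist" : "none") }
    ' "$@" /dev/null
}

# audit PROC_FILE CONF...: one line per module; returns 1 if any needs action.
audit() {
    proc=$1; shift; rc=0
    for m in $MODULES; do
        loaded=no; is_loaded "$m" "$proc" && loaded=yes
        state=$(block_state "$m" "$@")
        verdict=OK
        if [ "$loaded" = yes ] || [ "$state" != install ]; then verdict=ACTION; rc=1; fi
        printf '%-6s loaded=%-3s block=%-9s %s\n' "$m" "$loaded" "$state" "$verdict"
    done
    return "$rc"
}

# Constructed sample data (not from a real host) so the script runs offline.
SAMPLE=$(mktemp -d)
printf '%s\n' 'esp4 28672 0 - Live 0x0000000000000000' \
              'xfrm_algo 16384 1 esp4, Live 0x0000000000000000' > "$SAMPLE/modules"
printf '%s\n' '# constructed modprobe.d file' 'install esp4 /bin/false' \
              'blacklist esp6' 'install rxrpc /bin/false' > "$SAMPLE/block.conf"

audit "$SAMPLE/modules" "$SAMPLE/block.conf" || echo "mitigation incomplete"
# On a real host: audit /proc/modules /etc/modprobe.d/*.conf
```

In the sample, esp4 is flagged even though a block rule exists, because a rule added after the module was loaded does not unload it. Code compiled directly into the kernel does not appear in /proc/modules and cannot be disabled this way.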

Regularly check your distribution's security advisories for kernel updates.

If no updates are available and you cannot disable the mentioned kernel modules, restrict access to your system and enhance monitoring for unusual access attempts.

Further Information