Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- With one compromised account, Dirty Frag can expose your system.
- No patch can protect you from all possible attacks yet.
- To stay safe, you’ll need to block several services, including VPNs.
Linux has been having a rough few weeks. First, the Copy Fail security hole was uncovered by AI researchers. In that case, the patches were quickly made and distributed. We weren’t so lucky with the newly disclosed Linux kernel flaw, dubbed Dirty Frag, which was also, it seems, discovered with AI’s help, but patches are still in the works.
Also: Linux is getting a security wake-up call – why it was inevitable and I’m not worried
Security researcher Hyunwoo Kim, who disclosed the issue on May 7, describes Dirty Frag as an extension of the same bug class as previous high-profile Linux kernel flaws, 2022’s Dirty Pipe and Copy Fail. Like those flaws, Dirty Frag exploits kernel code paths that write to memory pages accessible to unprivileged user space, but it targets a different structure: the fragment field of sk_buff networking buffers.
Also: Immutable Linux delivers serious security – here are your 5 best options
Kim told the Linux kernel maintainers about the vulnerability at the end of April. Unfortunately, the coordinated disclosure and patch processes quickly went off the rails. On May 7, while distributions were still shipping fixes for the related Copy Fail flaw, detailed Dirty Frag technical information and a working proof-of-concept exploit for the xfrm-ESP component appeared online after an embargo break by an unrelated third party. Now, we’re all in trouble.
What is Dirty Frag?
Dirty Frag is a local privilege escalation vulnerability chain that exploits logic bugs in Linux’s networking and authentication stacks to corrupt data in the kernel’s page cache, enabling an unprivileged account to escalate to root.
It works by targeting two separate networking subsystems: the IPsec Encapsulating Security Payload, or xfrm-ESP, path, tracked as CVE-2026-43284, and the RxRPC authentication path, tracked as CVE-2026-43500.
By chaining these flaws, attackers can modify what should be read-only, page-cache-backed system files in memory and then trigger them to run with elevated privileges, without ever touching your file system.
Also: This critical Linux vulnerability is putting millions of systems at risk – how to protect yours
Once in, Dirty Frag exploits “page-cache write primitives” in kernel fast paths used for encrypted networking and remote file system authentication. By carefully choosing the target, an attacker can overwrite pieces of ostensibly read-only files in memory, such as executables or configuration files, and then execute or reload the modified files as root.
From there, the sky’s the limit, and attackers can do pretty much whatever they want.
The good news — yes, there is some — is that attackers typically need an existing foothold, such as an unprivileged shell via SSH, a web shell, or a compromised container, to use Dirty Frag to escalate.
On the other hand, because the underlying bug is a logic error rather than a timing-sensitive race, the exploit is unusually reliable and does not cause kernel panics when it fails. In other words, someone can attack your Linux system over and over again until they break in, and you’ll never know about it.
Defenders scrambled to assess exposure
It did not take long for attackers to take notice. Public exploit code was quickly mirrored across security blogs, GitHub repositories, and discussion forums, leaving defenders scrambling to assess exposure.
Also: Worried about the nationwide Canvas data breach? Take these 6 steps now
According to Microsoft’s threat intelligence team, Dirty Frag has already been observed in action. Hackers are using it to upgrade limited footholds on Linux systems to full root control across servers, cloud workloads, and containers.
So, who’s at risk?
I’m sorry to say it’s pretty much everyone who uses any Linux distribution. Dirty Frag affects a wide range of Linux environments, from bare-metal servers and enterprise distributions to container hosts and cloud instances. This includes current and earlier releases of Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, Fedora, and openSUSE Tumbleweed, among others.
Canonical, Ubuntu’s parent company, warns: “In container deployments that may execute arbitrary third-party workloads, the vulnerability may additionally facilitate container escape scenarios, in addition to local privilege escalation on the host.” That’s the ultimate cloud-native computing nightmare.
Fortunately, “A proof-of-concept exploit has not been published yet for container escape.”
So far. To the best of our knowledge. We hope.
Also: Best VPN services: Expert tested and recommended
While many of you were celebrating Mother’s Day, the Linux kernel community spent the weekend addressing the problem. CVE-2026-43284, the xfrm-ESP component, received an upstream fix in the mainline kernel on May 8, less than 24 hours after public disclosure, though that fix now needs to be backported across the many supported stable trees.
The RxRPC flaw, tracked as CVE-2026-43500, remains under evaluation. As of this writing, no upstream patch had been finalized. Linux vendors are issuing their own advisories and updates as they integrate the upstream changes.
What you should do immediately
Linux distributors, cloud providers, and hosting providers are urging customers to update to the latest kernel packages as they become available. They’re also urging administrators to blacklist esp4, esp6, and rxrpc modules as a stopgap. Keep in mind, however, that if you do so, you’re likely to disrupt IPsec VPNs or AFS-based workloads. On the other hand, you’ll be safer that way.
Also: Why Edge stores your passwords in plaintext, according to Microsoft
Debian and Ubuntu-related Linux distros
Canonical suggests the following steps. These will work on Ubuntu and related Linux distributions, like Mint.
Step 1. Block the modules
- Block the modules by creating a /etc/modprobe.d/dirty-frag.conf file:
- echo “install esp4 /bin/false” | sudo tee /etc/modprobe.d/dirty-frag.conf
- echo “install esp6 /bin/false” | sudo tee -a /etc/modprobe.d/dirty-frag.conf
- echo “install rxrpc /bin/false” | sudo tee -a /etc/modprobe.d/dirty-frag.conf
- Regenerate the initramfs images to prevent the modules from being loaded during early boot:
- sudo update-initramfs -u -k all
Step 2. Unload modules
- Unload the modules, in case they are already loaded:
- sudo rmmod esp4 esp6 rxrpc 2>/dev/null
Step 3. Confirm the modules aren’t loaded
- Check whether the modules are still loaded:
- grep -qE ‘^(esp4|esp6|rxrpc) ‘ /proc/modules && echo “Affected modules are loaded” || echo “Affected modules are NOT loaded”
- If the previous action indicates that the modules are not loaded, no further action is required. However, unloading the modules may not be possible if applications are already using them. In these instances, a system reboot will enforce their blocking, but it will affect applications:
- sudo reboot
- Once kernel updates are available and installed, the mitigation can be removed:
- sudo rm /etc/modprobe.d/dirty-frag.conf
- sudo update-initramfs -u -k all
Also: The best mobile antivirus software: Expert tested and reviewed
Red Hat and related Linux distros
Red Hat suggests you run:
- printf ‘install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n’ > /etc/modprobe.d/dirtyfrag.conf rmmod esp4 esp6 rxrpc 2>/dev/null; true
This approach, which will require disabling IPsec and AFS-based programs, will also work on CentOS, Rocky Linux, AlmaLinux, and other RHEL-related Linux distros.
SUSE Linux fixes
SUSE has a similar solution with the same warning about IPsec and AFS.
Create:
/etc/modprobe.d/10-copyfail2-fix.conf to remediate with the following lines:
- blacklist esp4
- blacklist esp6
- blacklist rxrpc
- install esp4 /bin/false
- install esp6 /bin/false
- install rxrpc /bin/false
The details vary from distro to distro, but the temporary fix is always the same: Use a modprobe configuration file to disable the potentially affected programs until the kernel patches are available and installed.
Once that’s done, you can delete the emergency fixes and get back to business as usual.
Also: Google bets $32B on AI agent cyber force as security arms race escalates
Until full kernel fixes are broadly deployed and systems are rebooted, you should mitigate your system as soon as possible. After all, if you have even a single compromised user account, an attacker can use Dirty Frag to take complete control of your infrastructure.
Now, if you’ll excuse me, I have a bunch of servers and workstations to fix.
