Dirty Frag: Unpatched Linux vulnerability delivers root access
Dirty Frag: Unpatched Linux vulnerability delivers root access
Publish Date: 2026-05-08 10:13:00
Source Domain: www.helpnetsecurity.com
A week after Copy Fail, another Linux local privilege escalation vulnerability dubbed “Dirty Frag” has been revealed, along with a PoC exploit.
What is Dirty Frag
In effect, Dirty Frag refers to two flaws:
- A xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284, aka Copy Fail 2.0), now patched in the Linux kernel, affects the modules supporting one of the protocols used for IPsec
- A RxRPC Page-Cache Write vulnerability (CVE number reserved: CVE-2026-43500), currently unpatched, affects the modules that provide support for RxRPC, a protocol used for the AFS distributed file system.
Vulnerability researcher Hyunwoo Kim (aka “V4bel”) privately reported both flaws to the Linux kernel maintainers on April 29-30, 2026, and submitted patches for them to the mailing list for Linux kernel networking development (“netdev”).
On May 7, he submitted detailed information about the vulnerabilities and the exploit to the private, members-only mailing list used for coordinating security vulnerability disclosure across Linux distributions.
That same day, “an unrelated third party” published the details and the exploit for one of the flaws so, “after obtaining agreement from distribution maintainers,” Kim got the go-ahead to fully disclose Dirty Frag.
The consequence of the third-party leak during the embargo period is that CVE-2026-43500 has yet to be patched in the Linux kernel, and fixes haven’t been made available to users of various affected Linux distributions: Red Hat Enterprise Linux, AlmaLinux, Debian, Ubuntu, Fedora, Arch Linux, CentOS, CloudLinux, Amazon Linux, and others.
Patches in the works, mitigations available
“An interesting factor of Dirty Frag is that chaining the two sub-vulnerabilities covers each other’s blind spots,” SANS ISC handler Yee Ching Tok explained.
“As described in [Hyunwoo Kim’s] write-up, neither the xfrm-ESP Page-Cache Write nor the RxRPC Page-Cache Write alone provides a sufficiently reliable…
