{"id":242608,"date":"2026-05-08T04:57:00","date_gmt":"2026-05-08T08:57:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/08\/dirty-frag-cve-2026-43284-linux-privilege-escalation\/"},"modified":"2026-05-09T18:30:35","modified_gmt":"2026-05-09T22:30:35","slug":"dirty-frag-cve-2026-43284-linux-privilege-escalation","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/08\/dirty-frag-cve-2026-43284-linux-privilege-escalation\/","title":{"rendered":"Dirty Frag (CVE-2026-43284) Linux Privilege Escalation"},"content":{"rendered":"<p><a href=\"https:\/\/www.wiz.io\/blog\/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc\">Dirty Frag (CVE-2026-43284) Linux Privilege Escalation<\/a><\/p>\n<p><a href=\"https:\/\/www.wiz.io\/blog\/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc\">https:\/\/www.wiz.io\/blog\/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-08 04:57:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.wiz.io\">www.wiz.io<\/a><\/p>\n<p class=\"\">A newly disclosed Linux kernel local privilege escalation vulnerability chain, dubbed \u201cDirty Frag\u201d and assigned CVE-2026-43284 and CVE-2026-43500, enables attackers with local access to obtain root privileges by exploiting flaws in the ESP (IPsec) and RxRPC subsystems. While no official patches are currently available, a public proof-of-concept exists. Organizations should assume the vulnerability is valid and exploitable under certain conditions. This vulnerability is a successor to Copy Fail (CVE-2026-31431), and was discovered by Hyunwoo Kim (@v4bel). &#8220;CopyFail2&#8221; is another name for the same vulnerability, and is based on an exploit reversed from the fix commit.<\/p>\n<h2>What is Dirty Frag?<\/h2>\n<p class=\"\">Dirty Frag is a vulnerability chain combining two page-cache write primitives in the Linux kernel: one in the xfrm-ESP (IPsec) subsystem and another in RxRPC. Both flaws allow modification of page-cache-backed memory that is not exclusively owned by the kernel, enabling corruption of sensitive files and ultimately privilege escalation. Unlike race-condition-based exploits, this bug class is deterministic and highly reliable, similar to previous vulnerabilities like Copy Fail and Dirty Pipe.<\/p>\n<p class=\"\">To pull off this exploit, an attacker needs two things: access to specific vulnerable kernel interfaces and the ability to manipulate page-backed buffers (e.g., via splice()-related paths).<\/p>\n<p class=\"\">However, there is a significant hurdle: the exploit usually requires high-level system permissions, such as CAP_NET_ADMIN. This means exploitation is less likely in hardened containerized environments (e.g., Kubernetes with default seccomp profiles). However, the risk remains significant for virtual machines or less restricted environments. The affected code paths date back to approximately 2017 (ESP) and 2023 (RxRPC), meaning a wide range of kernel versions may be impacted.<\/p>\n<h2>Affected Products<\/h2>\n<p class=\"\">The full scope is still under investigation, but the following are known or likely affected:<\/p>\n<table class=\"overflow-hidden rounded-lg\">\n<tr>\n<th class=\"border-r px-3 pt-2 align-top font-sans text-base! last-of-type:border-r-0\">Product \/ Distribution<\/th>\n<th class=\"border-r px-3 pt-2 align-top font-sans text-base! last-of-type:border-r-0\">Status<\/th>\n<\/tr>\n<tr class=\"even:bg-gray-light\/50 dark-research:even:bg-white\/5\">\n<td class=\"border-r pl-3 font-sans...<\/td>\n<\/tr>\n<\/table>\n<p><a href=\"https:\/\/www.wiz.io\/blog\/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dirty Frag (CVE-2026-43284) Linux Privilege Escalation https:\/\/www.wiz.io\/blog\/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc Publish Date: 2026-05-08 04:57:00 Source Domain: www.wiz.io A&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242609,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.datocms-assets.com\/75231\/1778236280-image-19.png?fm=webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,31,71,27],"class_list":["post-242608","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-exploit","tag-linux","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242608"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242608"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242608\/revisions"}],"predecessor-version":[{"id":242610,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242608\/revisions\/242610"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242609"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}