Dirty Fragdirtyfrag.tech
CVE-2026-43284CVE-2026-43500Reviewed

Dirty Frag — Linux kernel local privilege escalation

Two linked flaws in kernel networking stacks (xfrm ESP, RxRPC). Official identifiers and CVSS live on NVD; this hub prioritizes patching, verification, and cited technical context (including researcher disclosure).

Respond — patch firstTechnical overviewCheck exposure

Choose your path

Operations & SOC

Ship vendor kernels fast; defer risky module hacks unless approved.

  1. Follow Respond for patch-first sequencing.
  2. Shortcut to distro trackers via Distros overview.
  3. CCCS bulletin AL26-011 for national-context wording.

Security engineering

Mechanisms, commits, and researcher FAQs—without exploit steps.

CVE-specific kernelspeak stays on dedicated pages; synthesis ( chains, Copy Fail lineage, maintainer commits ) lives on Technical.

Proof-of-concept source is referenced only through github.com/V4bel/dirtyfrag for authorized environments.

Compliance & evidence

Immutable references for filings and ticket citations.

  • Timeline — oss-security / NVD milestones.
  • Sources — NVD, CERT, distro portals.
  • About — disclaimer scope.

CVE snapshot

Detailed wording remains on each CVE page and NVD; refresh after enrichment updates.

FieldCVE-2026-43284CVE-2026-43500
Subsystemxfrm ESP input / UDP splice skb fragmentsRxRPC DATA / RESPONSE handlers
CWE (NVD)CWE-123 (per CISA-ADP listing)CWE-787
CVSS 3.1 (publishers)CNA kernel.org 8.8 HIGH vs CISA-ADP 7.8 HIGH — verify on NVDNIST / CISA-ADP 7.8 HIGH — verify on NVD
Kernel scopeIndependent CPE ranges per CVE—never merge audits blindly.

Administrators

Is Dirty Frag exploitable over the network without local access?
Public CVE metrics classify these issues as local attack vector (AV:L). An attacker still needs a path to execute code or interact with vulnerable kernel paths—see NVD.
Do I already need root to exploit Dirty Frag?
CVSS lists PR:L—concern is escalation from a low-privileged local session. Confirm vectors on each CVE record before governance reporting.
Is this the same vulnerability class as Dirty COW?
No. Dirty Cow was a separate historical issue. Dirty Frag maps to CVE-2026-43284 and CVE-2026-43500 per official CVE descriptions.
Will disabling kernel modules fully mitigate everyone?
Only when ESP/IPsec and RxRPC-backed workloads are genuinely unused and your risk owners approve outages. Prefer patched kernels from your vendor.
Do containers isolate hosts from Dirty Frag?
Containers share the host kernel—patch nodes and golden images according to distro guidance.

Technical readers

Why are CVE-2026-43284 and CVE-2026-43500 chained?
Summarized from researcher disclosure (V4bel/dirtyfrag): distributions diverge on namespaces/AppArmor defaults versus where rxrpc.ko ships or loads—pairing variants improves coverage across maintained distros. Full narrative on Technical.
How does Dirty Frag relate to Copy Fail?
Research notes Copy Fail motivated this line of work and contrasts sink overlap versus algif-based mitigations—treat vendor kernels as source of truth and read Technical.
Why is it called "Dirty Frag"?
Informal researcher naming tied to Dirty Pipe lineage and skb fragment handling—not a CVE authority term.