Dirty Frag is the collective name researchers assigned to two Linux vulnerabilities that existed in the Linux kernel for around nine years before being discovered.
Red Hat, a major American software firm, has released a report on two Linux kernel vulnerabilities collectively dubbed Dirty Frag. It is a local privilege escalation (LPE) vulnerability similar to the recently reported Copy Fail, allowing an unprivileged user with a basic local account to gain root access.
For context, root is the highest privilege level on a Linux system, and gaining it without authorization is called privilege escalation.
According to researchers, the Dirty Frag vulnerability has existed for around nine years and is caused by a logic flaw in the parts of the kernel's networking code that handle the IPsec ESP (esp4 and esp6) and rxrpc modules. The IPsec ESP issue is tracked as CVE-2026-43284, whereas the rxrpc issue is tracked as CVE-2026-43500.
How the attack works
The issue, discovered by independent security researcher Hyunwoo Kim, is a third-generation vulnerability class within the page-cache-write family of bugs. It works by chaining two different vulnerabilities to achieve root privileges on most of the Linux distributions that Kim tested.
These flaws are found in the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write. CVE-2026-43284 targets the IPsec path to overwrite memory, but it usually needs namespace permissions, which some systems, like Ubuntu, can block. CVE-2026-43500 targets the RxRPC protocol and doesn’t need special permissions, but many systems do not turn this module on by default.
By combining the two, the attack covers the blind spots of each, and when they are used in a chain, an attacker can change the in-memory copies of protected files.
Kim originally planned to keep the details private until fixes were ready. However, the information was released early after a third party leaked parts of the research. He said that this bug is like older ones called Dirty Pipe and Copy Fail, but it uses a different part of the system called the fragment field. It is very effective because it is a logic bug that doesn’t depend on a timing window and has a high success rate.
Impacted Versions and Safety Steps
Dirty Frag affects many Linux versions, including Red Hat Enterprise Linux 8, 9, and 10, OpenShift 4, Ubuntu, Fedora, CentOS Stream, and AlmaLinux. To stay safe, users can block the affected modules from loading. This is done by creating a file at /etc/modprobe.d/dirtyfrag.conf and adding specific commands like install esp4 /bin/false.
You can also check whether these modules are loaded by using the command lsmod | grep -E 'esp4|esp6'. While Red Hat is rushing to release official fixes, it suggests that keeping SELinux in enforcing mode and running workloads as non-root can help keep systems secure for now.
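The two checks above can be combined into one audit that tells a blocked module apart from one that is blocked on disk but still loaded. This is an added example, not code from Red Hat or the researcher; the function names are hypothetical, and covering esp6 and rxrpc alongside esp4 is an assumption based on the modules the article names.

```shell
#!/bin/sh
# Added example: audit the module-blocking mitigation described above.
# Assumption: the module list is the three modules the article names
# (esp4, esp6, rxrpc); the article itself only shows the esp4 line.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# True if MODULE appears in a /proc/modules-format file (what lsmod reads).
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2" 2>/dev/null
}

# True if any *.conf in DIR has an "install MODULE /bin/false" rule.
module_blocked() {
    cat "$2"/*.conf 2>/dev/null |
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { hit = 1 }
                       END { exit !hit }'
}

# Print one status word for MODULE given a modules file and a modprobe.d dir.
dirtyfrag_status() {
    if module_blocked "$1" "$3"; then
        # An install rule stops future loads only; a module already in
        # memory stays there until it is removed or the host reboots.
        if module_loaded "$1" "$2"; then echo "blocked-but-loaded"; else echo "mitigated"; fi
    else
        if module_loaded "$1" "$2"; then echo "loaded-unblocked"; else echo "loadable"; fi
    fi
}

# Report every module; the defaults point at the live system.
dirtyfrag_audit() {
    for mod in $DIRTYFRAG_MODULES; do
        printf '%s: %s\n' "$mod" \
            "$(dirtyfrag_status "$mod" "${1:-/proc/modules}" "${2:-/etc/modprobe.d}")"
    done
}

# Constructed sample input (not from a real host) so the example runs offline.
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/modprobe.d"
printf 'esp4 24576 0 - Live 0x0000000000000000\nxfrm_user 49152 2 - Live 0x0000000000000000\n' > "$SAMPLE/modules"
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > "$SAMPLE/modprobe.d/dirtyfrag.conf"
dirtyfrag_audit "$SAMPLE/modules" "$SAMPLE/modprobe.d"
```

Calling dirtyfrag_audit with no arguments reads /proc/modules and /etc/modprobe.d on the running host. Blocking esp4 and esp6 also disables IPsec ESP on that machine, so check for VPN or tunnel dependencies before rolling the rule out.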
Experts’ Perspectives
Several industry experts have shared their perspectives with Hackread.com regarding the discovery and the risks it poses.
Ben Ronallo, Principal Cybersecurity Engineer at Black Duck, noted that there are technically two CVEs: “The first contains the primary details of the vulnerability class while the second is currently reserved for any unpatched kernels over time.”
He added, “Copy Fail, Dirty Pipe, and Dirty Frag are all exploiting the same root cause, but Dirty Frag is not limited to a single Linux subsystem, whereas Copy Fail is limited to only algif_aead and Dirty Pipe is limited to pipe_buffer.” He warned that with the exploit code public, “it’s only a matter of hours or days before this is weaponized.”
David Brumley, Chief AI and Science Officer at Bugcrowd, called the discoverer “the legendary Hyunwoo Kim” and noted that “the fix for Copy Fail alone is insufficient.” He pointed out that while AI tools are helpful, they missed this bug.
“It is a reminder that vulnerability classes are rarely exhausted by a single pass, even a very good one. Independent researchers still matter because they bring different intuitions, different workflows, and different failure modes.”

