A week after Copy Fail, another Linux local privilege escalation vulnerability dubbed “Dirty Frag” has been revealed, along with a PoC exploit.
What is Dirty Frag
In effect, Dirty Frag refers to two flaws:
- An xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284, aka Copy Fail 2.0), now patched in the Linux kernel, affects the modules supporting one of the protocols used for IPsec.
- An RxRPC Page-Cache Write vulnerability (CVE number reserved: CVE-2026-43500), currently unpatched, affects the modules that provide support for RxRPC, a protocol used for the AFS distributed file system.
Vulnerability researcher Hyunwoo Kim (aka “V4bel”) privately reported both flaws to the Linux kernel maintainers on April 29-30, 2026, and submitted patches for them to the mailing list for Linux kernel networking development (“netdev”).
On May 7, he submitted detailed information about the vulnerabilities and the exploit to the private, members-only mailing list used for coordinating security vulnerability disclosure across Linux distributions.
That same day, “an unrelated third party” published the details and the exploit for one of the flaws, so Kim got the go-ahead to fully disclose Dirty Frag “after obtaining agreement from distribution maintainers.”
The consequence of the third-party leak during the embargo period is that CVE-2026-43500 has yet to be patched in the Linux kernel, and fixes haven’t been made available to users of various affected Linux distributions. The list includes Red Hat Enterprise Linux, AlmaLinux, Debian, Ubuntu, Fedora, Arch Linux, CentOS, CloudLinux, Amazon Linux, and others.
Patches in the works, mitigations available
“An interesting factor of Dirty Frag is that chaining the two sub-vulnerabilities covers each other’s blind spots,” SANS ISC handler Yee Ching Tok explained.
“As described in [Hyunwoo Kim’s] write-up, neither the xfrm-ESP Page-Cache Write nor the RxRPC Page-Cache Write alone provides a sufficiently reliable primitive for full root escalation. However, when combined, the chained exploit achieves immediate root on most distributions.”
The various Linux distros are working furiously to incorporate the fixes into new kernel image packages and release them.
In the meantime, since the PoC exploit(s) are now publicly available, users and admins are advised to mitigate the risk of exploitation by:
- Blacklisting / preventing the loading of the affected modules
- Unloading them if they are in use
This action may affect workloads that depend on them, though.
After patched kernel packages are released, installed, and systems rebooted, the mitigations should be reversed.
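One way to verify that the mitigation above is actually in place on a host, as an added example (not code from this article or from the researcher's write-up). The module names in the usage line (esp4, esp6, rxrpc) are assumptions inferred from the protocol names, and only one modprobe configuration directory is checked.

```shell
#!/bin/sh
# Added example: audit the module mitigation. File and directory paths are
# parameters so the checks also run against copies or constructed fixtures.

# is_loaded MODULE [MODULES_FILE]: succeeds if MODULE is currently loaded.
is_loaded() {
    awk -v m="$1" 'BEGIN { gsub(/-/, "_", m) }
        $1 == m { found = 1 }
        END { exit !found }' "${2:-/proc/modules}"
}

# block_state MODULE [CONF_DIR]: prints "install", "blacklist" or "none".
# "install MODULE /bin/false" makes modprobe run that command instead of
# loading MODULE, while "blacklist MODULE" only stops alias-based
# autoloading: an explicit modprobe or a dependent module can still load it.
block_state() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null | awk -v m="$1" '
        BEGIN { gsub(/-/, "_", m) }
        /^[ \t]*#/ { next }
        { name = $2; gsub(/-/, "_", name) }
        $1 == "install" && name == m && $3 ~ /\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" && name == m { bl = 1 }
        END { print (inst ? "install" : (bl ? "blacklist" : "none")) }'
}

# audit MODULES_FILE CONF_DIR MODULE...: prints "name loaded|unloaded state"
# per module; fails unless every module is unloaded and install-blocked.
audit() {
    mods_file=$1; conf_dir=$2; shift 2
    rc=0
    for mod in "$@"; do
        if is_loaded "$mod" "$mods_file"; then loaded=loaded; else loaded=unloaded; fi
        state=$(block_state "$mod" "$conf_dir")
        [ "$loaded" = unloaded ] && [ "$state" = install ] || rc=1
        printf '%s %s %s\n' "$mod" "$loaded" "$state"
    done
    return "$rc"
}

# Usage: sh audit.sh esp4 esp6 rxrpc   (module names are assumptions; take
# the authoritative list from your distribution's advisory)
if [ "$#" -gt 0 ]; then
    audit /proc/modules /etc/modprobe.d "$@"
fi
```

A module reported as `loaded` still needs unloading or a reboot, and one reported as `blacklist` is only protected against autoloading.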
It may be too soon to hear reports of Dirty Frag being leveraged by attackers, but they will undoubtedly surface soon enough: a PoC exploit for Copy Fail was published on April 29, and CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 1.
“If you have not yet addressed Copy Fail (CVE-2026-31431), now would be a good time to treat both vulnerabilities as a combined remediation effort, given their similarity and overlapping mitigation steps,” Tok noted.

