Dirty Frag gives root on Linux

Linux has a new local root bug, and the reason people are rattled is simple — it looks practical, broad, and messy to mitigate. “Dirty Frag” is the name Hyunwoo Kim gave to a two-part kernel exploit chain that can turn an ordinary local account into root on major distributions. The disclosure went public on May 7 after the coordinated embargo broke early, which meant exploit code landed before most vendors had distro-ready fixes. One half now has a CVE, CVE-2026-43284. The other is being tracked as CVE-2026-43500. (lwn.net) So what is Dirty Frag, exactly? Basically, it is not one neat bug in one neat place. It chains two kernel flaws tied to optional networking modules — ESP support for IPsec and RxRPC support used with AFS-style workloads. The exploit abuses page-cache writes, which puts it in the same family as Dirty Pipe and the newer Copy Fail bug. The ugly part is reliability: Kim’s write-up says this is a deterministic logic bug, not a race, so it does not depend on lucky timing and has a high success rate. (github.com) Why does “local privilege escalation” matter so much? Because “local” sounds narrower than it is. A local user can mean a shell user over SSH, a tenant on a shared box, a CI runner, or in some cases a foothold inside a containerized environment. Ubuntu’s advisory is blunt here — on ordinary hosts, published exploit code can elevate a local user to root, and in container-heavy deployments the same underlying issue may also help with container escape scenarios. Red Hat is treating the issue as important and says hardening measures that reduce local access can lower exposure, but they do not erase it. (ubuntu.com) Which systems are actually exposed? The short version is: a lot of them. Kim’s public repo says the xfrm-ESP half traces back to a January 2017 kernel commit, while the RxRPC half dates to June 2023, and the combined practical exposure is about nine years because the older bug covers such a long span. The proof-of-concept was tested on Ubuntu 24.04.4, RHEL 10.1, Fedora 44, CentOS Stream 10, AlmaLinux 10, and openSUSE Tumbleweed. Ubuntu says all supported Ubuntu releases are affected. Red Hat says RHEL 8, 9, 10 and OpenShift 4 are affected. (github.com) Why is patching awkward right now? Because the disclosure outran the normal distro pipeline. Mainline has a patch for the xfrm-ESP issue — Kim’s repo points to commit `f4c50a4034e6` for CVE-2026-43284 — but the RxRPC half still had no patch in any tree at the time of that update. That leaves many admins in the in-between state security teams hate most: public PoC, active scramble, incomplete packaged fixes. Some vendors have started shipping mitigations or early builds, but this is not yet a clean “just update everything” moment across Linux. (github.com) What is the mitigation, and what breaks? The immediate workaround is to disable the affected modules — `esp4`, `esp6`, and `rxrpc`. That can block exploitation, but the catch is operational fallout. If you use IPsec ESP, this can break VPN or encrypted tunnel setups such as StrongSwan deployments. If you rely on RxRPC or AFS-related workflows, those can break too. Ubuntu explicitly warns that disabling only one side is not enough; the remaining module path stays exploitable. LWN’s discussion also notes that if those modules were already loaded, simply unloading them may not be enough and a reboot may be needed to clear the contaminated page cache. (ubuntu.com) Why does this hit sensitive servers harder? Because the safest temporary fix is not always the cheapest one. On latency-tuned or tightly profiled hosts, emergency kernel changes, reboots, or disabling networking features can have real side effects. If a box depends on IPsec, blacklisting ESP modules is not a paper cut — it can remove a security function to avoid a different security failure. That is the tradeoff admins are staring at right now. (ubuntu.com) Bottom line: Dirty Frag is not “Linux is remotely owned from the internet.” It is “if an attacker gets a foothold, root may be one command away.” Today that is enough to make it a serious incident-response problem, especially because the exploit is public and the fix picture is still uneven. (github.com)