Summary
DirtyFrag is a Linux local privilege escalation disclosed on May 7, 2026. It exploits two kernel page-cache write vulnerabilities, CVE-2026-43284 (xfrm-ESP, patched in mainline only) and CVE-2026-43500 (RxRPC, no patch merged into any kernel tree as of disclosure), that affect every major Linux distribution: Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, and openSUSE. Both bugs belong to the Dirty Pipe / Copy Fail family: deterministic logic errors with no race condition, so the exploit is reliable and does not crash the kernel on failure.
The public PoC appeared on GitHub the same day. Compiled binaries appeared on VirusTotal within seven minutes of the source dropping, and within 24 hours the PoC had accumulated hundreds of forks with active modifications to the exploit payload.
An exploit as reliable as DirtyFrag (a deterministic LPE covering every major Linux distribution, extended to arbitrary command execution, with one CVE entirely unpatched at disclosure) is likely to be abused by attackers. However, there is currently no confirmed in-the-wild exploitation campaign. Netskope telemetry confirmed interest in the exploit in seven countries within 24 hours of disclosure. The gap between PoC availability and operational use is narrowing as the exploit payload evolves publicly.
How it works
DirtyFrag exploits a kernel logic error that allows an unprivileged process to overwrite read-only file-backed memory. The first path (CVE-2026-43284) requires namespace creation privileges and overwrites the in-memory copy of a setuid binary to spawn a root shell. The second path (CVE-2026-43500, reserved for tracking) requires no special privileges on systems where the rxrpc module loads by default. It makes the root account passwordless, then invokes su to obtain a root shell.
Mitigation
No patch has been merged into any kernel tree for CVE-2026-43500. For CVE-2026-43284, a fix is in Linux mainline only. No distribution kernels have shipped it as of May 8, 2026. The interim mitigation is to block kernel module loading for the relevant subsystems:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf;
rmmod esp4 esp6 rxrpc 2>/dev/null;
echo 3 > /proc/sys/vm/drop_caches; true"
This disables both attack paths but is only partial. The command must run as root, and if esp4, esp6, or rxrpc is already loaded and in use, the rmmod step will fail and the module stays loaded: the install directives in modprobe.d only prevent future loading through modprobe and do nothing to a module that is already resident. Confirm module state with lsmod before and after.
Source: V4bel/dirtyfrag
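A defender-side check for the mitigation above, added here as an example (not code from the dirtyfrag repository or from Netskope): it verifies that the three install directives are present and that none of the modules remains loaded, which is the rmmod failure case described above. It assumes the /etc/modprobe.d/dirtyfrag.conf path that the mitigation command writes; the sample config and /proc/modules text are constructed for offline use.

```shell
#!/bin/sh
# Added verification script for the interim DirtyFrag mitigation (not from the
# dirtyfrag repository or Netskope). Each module in MODULES must have an
# "install <mod> /bin/false" line in CONF and must be absent from /proc/modules.
# Assumes the config path the mitigation command writes.
MODULES="esp4 esp6 rxrpc"
CONF="${DIRTYFRAG_CONF:-/etc/modprobe.d/dirtyfrag.conf}"
# Constructed sample inputs for offline use (not real system output).
SAMPLE_CONF='install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false'
SAMPLE_PROC_MODULES='rxrpc 737280 1 afs, Live 0x0000000000000000
esp4 24576 0 - Live 0x0000000000000000
xfrm_user 49152 0 - Live 0x0000000000000000'
# unblocked_modules CONFTEXT: prints modules with no install-to-/bin/false line;
# exit status 0 only when all are blocked.
unblocked_modules() {
  missing=""
  for m in $MODULES; do
    printf '%s\n' "$1" |
      grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false([[:space:]]|\$)" ||
      missing="$missing $m"
  done
  printf '%s' "${missing# }"
  [ -z "$missing" ]
}
# loaded_modules PROCTEXT: prints modules present in /proc/modules-style text
# (module name is the first field); exit status 0 only when none is loaded.
loaded_modules() {
  found=""
  for m in $MODULES; do
    printf '%s\n' "$1" | awk -v m="$m" '$1 == m { hit = 1 } END { exit !hit }' &&
      found="$found $m"
  done
  printf '%s' "${found# }"
  [ -z "$found" ]
}
# check_live: apply both checks to the real CONF and /proc/modules (readable
# without root). A "STILL LOADED" result is the rmmod failure the text warns about.
check_live() {
  conf=""; mods=""; rc=0
  [ -r "$CONF" ] && conf=$(cat "$CONF")
  [ -r /proc/modules ] && mods=$(cat /proc/modules)
  u=$(unblocked_modules "$conf") || { echo "NOT BLOCKED in $CONF: $u"; rc=1; }
  l=$(loaded_modules "$mods") || { echo "STILL LOADED: $l"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $MODULES blocked in $CONF and not loaded"
  return "$rc"
}
LIVE_RC=0; check_live || LIVE_RC=$?  # 0 only when the mitigation is fully in place
```

Run it before and after applying the mitigation; a "STILL LOADED" line means the module must be released by whatever is using it (or the host rebooted) before the block is effective.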
Netskope security
Netskope Threat Labs is tracking DirtyFrag as the exploit ecosystem develops and weaponized variants emerge. Two YARA rules are available in the Netskope Threat Labs IoC repository: https://github.com/netskopeoss/NetskopeThreatLabsIOCs.
IOCs
TLSH (fuzzy similarity)
| TLSH | Notes |
|---|---|
| T1DC53E6BFAB52DA75C441D2709BEF9270A47070702F36212F3B016BBA3E716554B69E23 | Dynamic ELF cluster |
| T16A53E66F9B52DA75C441D2709BEF9260A87070B02F36602F3B016BB63F716954F79E22 | Dynamic ELF cluster |
| T18853E66F9B52DA75C441D2709BEF9260A87070B02F36702F3B016BB63E716954F79E22 | Dynamic ELF cluster |
| T166F59F87FB587D5BC0224632CDEB43693332F1513713692F1998327CAD97AE4DE06A62 | Static ELF cluster |
| T17643E977BA51C5B4C096C1B05EDB42A0A677B0B02B72762F3B4537773A213C64E5AB32 | RHEL 9.x cluster |
vhash (VirusTotal structural family pivot)
| vhash | Notes |
|---|---|
| aa0a1187cb479f091e9b621389f89bbe | Ubuntu 24.04 dynamic builds |
| d5561820534ba7c79b05bc4db1baefd4 | Ubuntu 25.04 dynamic build |
| b82700d064ce87ae7f980201e683b8fd | RHEL static build |
| fa09b0e61917f449bb5682216f868073 | RHEL 9.x dynamic build |
CVEs
- CVE-2026-43284 — xfrm-ESP page-cache write (patched mainline only)
- CVE-2026-43500 — RxRPC page-cache write (reserved; no patch merged into any kernel tree)