"Dirty Frag" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days


TLDR

  • Dirty Frag (CVE-2026-43284 + CVE-2026-43500) is a deterministic, chainable Linux kernel LPE with a working exploit; patch and reboot immediately.

Key Takeaways

  • Root cause: IPsec/ESP path fails to mark MSG_SPLICE_PAGES-attached pipe pages as shared, enabling in-place ESP decryption over unowned memory and a controlled kernel page cache write.
  • Unlike DirtyPipe’s race condition, Dirty Frag is a logic flaw with no timing window; researcher Hyunwoo Kim reports very high success rates and minimal kernel panic risk.
  • Chaining CVE-2026-43284 and CVE-2026-43500 is required for reliable root; neither alone is sufficient, but combined they cover each other’s blind spots across most distributions.
  • Affects all mainstream Linux kernels since ~2017: RHEL, AlmaLinux, Debian, Ubuntu, Fedora, Arch, CentOS, CloudLinux, Amazon Linux. Patched kernels available since May 8, 2026.
  • Interim mitigation: blacklist the esp4, esp6 and rxrpc kernel modules and drop the page cache, but only where no active IPsec VPNs or Kubernetes network policies depend on those modules.
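An interim-hardening helper for the mitigation bullet above, added here as an example and not part of the original write-up or the researcher's material; the modprobe.d fragment name, the `install … /bin/false` form and the `ip xfrm state` precondition check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): apply the interim Dirty Frag
# mitigation (disable esp4/esp6/rxrpc, drop the page cache) only after
# checking that no IPsec state is installed. Run as root; paths are assumptions.

MODULES="esp4 esp6 rxrpc"

# Returns 0 if any listed module is loaded; reads /proc/modules by default.
modules_loaded() {
    file="${1:-/proc/modules}"
    for m in $MODULES; do
        grep -q "^$m " "$file" 2>/dev/null && return 0
    done
    return 1
}

# Returns 0 if the kernel has IPsec SAs installed (a VPN or CNI depends on ESP).
ipsec_in_use() {
    command -v ip >/dev/null 2>&1 || return 1
    [ -n "$(ip xfrm state 2>/dev/null)" ]
}

# Writes the modprobe.d fragment and prints its path. 'install <mod> /bin/false'
# also blocks loads pulled in as dependencies, which a plain 'blacklist' line
# does not.
write_blacklist() {
    out="${1:-/etc/modprobe.d}/dirty-frag-interim.conf"
    : > "$out"
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$out"
    done
    echo "$out"
}

apply_mitigation() {
    if ipsec_in_use; then
        echo "active IPsec state present; refusing to disable ESP modules" >&2
        return 2
    fi
    write_blacklist /etc/modprobe.d >/dev/null
    # Unload anything already resident; the blacklist only stops future loads.
    for m in $MODULES; do modprobe -r "$m" 2>/dev/null || true; done
    # Drop cached file pages, as the write-up's interim mitigation recommends.
    sync && echo 3 > /proc/sys/vm/drop_caches
    echo "interim mitigation applied; install the patched kernel and reboot"
}
```

The blacklist and cache drop are a stopgap only; the fix is the patched kernel plus a reboot, as the TLDR states.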

Hacker News Comment Review

  • No substantive HN discussion yet.
