May 8, 2026

Dirty Frag Linux kernel flaw disclosed, active exploitation observed

At a glance: Dirty Frag is a Linux kernel vulnerability that allows a threat actor with limited access to escalate privileges to full root by modifying trusted system files only in memory, bypassing disk-based security controls. Microsoft observed Dirty Frag being used in post-compromise activity, increasing the likelihood that an initial foothold on a Linux system can quickly lead to complete system takeover across servers, cloud workloads, and containers.

Threat summary

On May 7, while Linux distributions were still rolling out updates for Copy Fail, a researcher disclosed a proof-of-concept (PoC) exploit for a new Linux kernel local privilege escalation vulnerability class known as Dirty Frag.

The vulnerability consists of a chain of two linked flaws, tracked as CVE-2026-43284 and CVE-2026-43500. Public disclosure followed a broken embargo, and by May 8, Microsoft reported observing Dirty Frag activity during post-compromise investigations.

The first flaw, CVE-2026-43284, resides in the Internet Protocol Security Encapsulating Security Protocol receive path and has been present since a Linux kernel change introduced on January 17, 2017. The second flaw, CVE-2026-43500, affects the RxRPC authentication path and was introduced through a kernel change in June 2023. When chained together, these vulnerabilities enable reliable corruption of page-cache-backed system files that are later executed with root privileges, without modifying files on disk.

Affected environments include Linux servers, cloud instances, and container hosts running distributions such as:

  • Ubuntu

  • Red Hat Enterprise Linux

  • CentOS Stream

  • AlmaLinux

  • Fedora

  • openSUSE

Because the flaw operates at the kernel level, container isolation is within scope, and compromise of a single workload can affect the underlying host.

The researcher who disclosed Dirty Frag describes it as extending the same underlying bug class as Dirty Pipe and Copy Fail. All three vulnerabilities originate from kernel code that writes to shared page cache memory that remains accessible to unprivileged processes. Each exploit applies this pattern to a different kernel structure.

Dirty Pipe affects pipe buffers, Copy Fail targets the AF_ALG cryptographic interface, and Dirty Frag targets the fragment field of the sk_buff networking structure by chaining CVE-2026-43284 and CVE-2026-43500. This places Dirty Frag in the same vulnerability family while making it a distinct exploit chain with separate remediation requirements.

Exploitation is described as deterministic, producing consistent results without reliance on race conditions. A local threat actor with the ability to execute code on an affected system can use Dirty Frag to escalate privileges to full root access. Microsoft reported that Dirty Frag is being used in post-compromise scenarios, where existing access is leveraged to expand control over affected systems.

On May 8, CVE-2026-43284 received an upstream fix in the Linux mainline kernel. CVE-2026-43500 was assigned as a tracking CVE for the RxRPC flaw and remained under evaluation in upstream and distribution-specific trees at the time of reporting.

Public documentation confirms that Dirty Frag remains exploitable even on systems where Copy Fail mitigations were applied, due to the use of different kernel code paths.

Analysis

From an impact perspective, Dirty Frag allows a threat actor with limited access to escalate privileges by modifying trusted system files only in memory, bypassing disk-based security controls. This expands post-compromise risk across servers, cloud workloads, and containers, because once the kernel is compromised, security tooling, audit logs, and isolation boundaries can no longer be relied upon.

To reduce exposure while kernel updates are prepared and deployed, organizations can limit the kernel paths Dirty Frag uses to escalate privileges. This involves disabling unused RxRPC kernel modules and evaluating whether Internet Protocol Security Encapsulating Security Protocol functionality, including the esp4 and esp6 kernel modules, is required in the environment. Dirty Frag depends on these kernel components to modify page-cache-backed memory, and removing access to them disrupts the exploit chain.

Restricting unnecessary local shell access further reduces the likelihood that a low-privilege foothold can escalate into full system control, while hardening container workloads limits container-to-host risk. Increased monitoring for abnormal privilege escalation activity supports detection during this interim period. Kernel patch deployment remains the definitive remediation once vendor updates address both CVEs.

These actions affect kernel networking components that may be required for virtual private networks or applications relying on RxRPC, so operational impact requires evaluation before deployment. Disabling vulnerable modules limits new exploitation but does not reverse changes made prior to mitigation.

If exploitation occurred earlier, modifications may persist in memory rather than on disk. In those cases, validating the integrity of critical system files and assessing whether page cache clearing is appropriate can help restore a trusted execution state. Cache eviction can increase disk I/O and affect production performance, so response actions need to account for workload sensitivity.
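The shell script below is an added example, not part of Microsoft's write-up and not tooling from Microsoft or any distribution. It turns the interim steps from the two mitigation paragraphs above into checks a Linux administrator can run: which of the named modules (rxrpc, esp4, esp6) are currently loaded or compiled into the kernel, a modprobe.d fragment that blocks them, a comparison of a file's page-cache content against its on-disk content (the divergence an in-memory-only modification leaves behind), and per-file cache eviction. The module names come from the write-up; the function names, the O_DIRECT-based comparison, the modules.builtin lookup and the dd-based eviction are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this write-up; not Microsoft's tooling and not any
# distribution's guidance. The module names (rxrpc, esp4, esp6) come from
# the write-up; everything else here is an assumption of this script.

# Kernel modules the write-up names as the exploit chain's dependencies.
DIRTYFRAG_MODULES="rxrpc esp4 esp6"

# Read lsmod (or /proc/modules) output on stdin and print the names from
# DIRTYFRAG_MODULES that are currently loaded, one per line.
loaded_risky_modules() {
    awk -v want="$DIRTYFRAG_MODULES" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        $1 != "Module" && ($1 in w) { print $1 }'
}

# Modules compiled into the kernel cannot be unloaded or blocked through
# modprobe; report which of DIRTYFRAG_MODULES are built in, using the
# modules.builtin list that ships with every kernel package.
builtin_risky_modules() {
    list="/lib/modules/$(uname -r)/modules.builtin"
    [ -r "$list" ] || return 0
    for m in $DIRTYFRAG_MODULES; do
        grep -q "/$m\.ko$" "$list" && echo "$m"
    done
    return 0
}

# Emit a modprobe.d fragment for the given modules. "blacklist" only stops
# alias-based autoloading; "install <mod> /bin/false" makes an explicit
# modprobe fail as well, which is what actually closes the path.
modprobe_block_config() {
    for m in "$@"; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Compare a file's content as served from the page cache with its content
# read from disk (dd iflag=direct opens the file O_DIRECT, bypassing the
# cache). Prints "match" or "MISMATCH"; a mismatch means the in-memory copy
# no longer equals what is on disk. Needs a filesystem that supports
# O_DIRECT; if the direct read fails, dd yields no data and the result is
# reported as MISMATCH, so confirm with a second method before acting.
pagecache_vs_disk() {
    f="$1"
    cached=$(sha256sum < "$f" | cut -d' ' -f1)
    ondisk=$(dd if="$f" iflag=direct bs=4096 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$cached" = "$ondisk" ] && echo match || echo MISMATCH
}

# Best-effort per-file cache eviction (posix_fadvise DONTNEED via dd's
# nocache flag) so the next read of the file comes from disk again. Pages
# currently mapped by a running process are not evicted; restarting that
# process or a system-wide drop_caches is needed for those, at the I/O
# cost the write-up warns about.
evict_file_cache() {
    dd if="$1" iflag=nocache count=0 2>/dev/null
}

case "${1:-}" in
    audit)
        echo "loaded:";  lsmod | loaded_risky_modules
        echo "builtin:"; builtin_risky_modules
        ;;
    block)  shift; modprobe_block_config "$@" ;;   # redirect into /etc/modprobe.d/
    check)  pagecache_vs_disk "$2" ;;
    evict)  evict_file_cache "$2" ;;
esac
```

Run as `sh dirtyfrag-interim.sh audit`, `sh dirtyfrag-interim.sh block rxrpc esp4 esp6 > /etc/modprobe.d/dirtyfrag.conf`, `sh dirtyfrag-interim.sh check /usr/bin/su`, or `sh dirtyfrag-interim.sh evict <file>`. The block configuration only affects modules that are not yet loaded, so unload them (`modprobe -r`) or reboot afterwards, and the operational review the write-up calls for still applies: blocking esp4/esp6 breaks IPsec-based VPNs on that host, and blocking rxrpc breaks the kernel AFS client.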

Microsoft Defender includes detections associated with Dirty Frag exploitation and post-exploitation activity across endpoint and cloud workloads. These detections support investigation and containment while Microsoft continues expanding telemetry analysis and posture guidance as its investigation proceeds.
