“Dirty Frag” (CVE-2026-43284): The Second Linux Root Exploit in Eight Days — Patch Your Server Now

Eight days after Copy Fail rocked the Linux server world, another critical vulnerability has arrived, and it grants root access to anyone who can run code on your server.

It is called “Dirty Frag”. It was publicly disclosed on May 7, 2026. A working exploit already exists. And if your server hasn’t been patched and rebooted since May 8th, it’s vulnerable right now.

What is Dirty Frag?

Dirty Frag is the informal name of a chained exploit that combines two Linux kernel vulnerabilities: CVE-2026-43284 and CVE-2026-43500. The first has already been patched; the second is still being released to distributions at the time of this writing.

The root cause of CVE-2026-43284 is how the Linux kernel handles network packet memory in the IPsec/ESP path. When MSG_SPLICE_PAGES attaches pipe pages directly to the network buffer (skb), the IPv4/IPv6 datagram paths failed to mark those pages as shared.

As a result, an ESP-in-UDP packet built from shared pipe pages looked to the kernel like a normal, privately owned buffer, so ESP decryption would run directly on memory that the skb does not own. An attacker who knows how to manipulate this behavior can achieve controlled writes to the kernel page cache and eventually escalate to root.

In plain words: the kernel trusted memory it should not have trusted, and an attacker can use that misplaced trust to take over the entire machine.

Unlike the previous Dirty Pipe vulnerability, which relied on a narrow race condition in pipe buffer flag handling, Dirty Frag is a deterministic logic flaw. Researcher Hyunwoo Kim reports very high success rates and minimal kernel panic risk, with no timing window to miss. As exploits go, this makes it unusually reliable.

How does this connect to Copy Fail?

Copy Fail (CVE-2026-31431), disclosed on April 29, exploited a logic bug in the cryptographic subsystem of the Linux kernel, specifically a flaw in the authencesn AEAD template that allows controlled 4-byte writes to the kernel page cache. A 732-byte Python script was enough to gain root on every major Linux distribution produced since 2017.

Dirty Frag follows the same fundamental pattern (a page cache write primitive is turned into a root escalation) but via a completely different code path. Both vulnerabilities turn long-lived in-place processing optimizations into deterministic root primitives: Copy Fail via userspace crypto, Dirty Frag via IPsec receive.

This relationship is not accidental. Researcher Hyunwoo Kim apparently built on the bug class introduced by Copy Fail. Some in the security community have already begun to refer to CVE-2026-43284 as “Copy Fail 2.0”. What was presented as a rare kernel bug ten days ago is becoming a frequent attack class.

An interesting aspect of Dirty Frag is that the two chained vulnerabilities (CVE-2026-43284 and CVE-2026-43500) cover each other’s blind spots. Neither flaw alone provides a sufficiently reliable primitive for full root escalation. Combined, however, the chained exploit gains instant root on most distributions.

Who is affected?

Nearly every server running a mainstream Linux kernel built since 2017 is affected. Every supported AlmaLinux release is affected. CVE-2026-43284 affects the esp4/esp6 modules on AlmaLinux 8, 9, and 10, which are part of the standard kernel package on each release.

The full list of affected distributions includes Red Hat Enterprise Linux, AlmaLinux, Debian, Ubuntu, Fedora, Arch Linux, CentOS, CloudLinux, and Amazon Linux.

For web hosting environments in particular, the threat vector is similar to Copy Fail: Dirty Frag is not itself a means of remote entry. The danger is that once an attacker gets in (via a vulnerable WordPress plugin, a web shell, weak SSH credentials, or a compromised container), Dirty Frag allows them to quickly escalate to root and then disable security tools, read credentials, tamper with logs, move laterally, or persist on the server.

On shared hosting servers, a compromised account can become a full server compromise.

Solution – Step by Step

Step 1: Update the Kernel

Patched kernels have been available in production repositories as of May 8, 2026. This is the only real solution.

For AlmaLinux, CloudLinux, Rocky Linux, CentOS Stream, RHEL:

sudo dnf clean metadata && sudo dnf upgrade
sudo reboot

For Debian/Ubuntu:

sudo apt update && sudo apt upgrade
sudo reboot

For CloudLinux with KernelCare (no reboot required):

kcarectl --update

After rebooting, confirm that you are running a patched kernel:

uname -r

Compare the output against the patched version in your distribution’s security advisory before considering the server protected.

Step 2: Interim Mitigation (If You Can’t Reboot Immediately)

If a reboot is not possible immediately, you can prevent the vulnerable modules from loading. The Dirty Frag technical writeup offers a mitigation that blocks and unloads the vulnerable modules and clears the page cache (run as root):

printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
  > /etc/modprobe.d/dirtyfrag.conf
rmmod esp4 esp6 rxrpc 2>/dev/null
echo 3 > /proc/sys/vm/drop_caches

Important before applying this: Verify that your server does not use IPsec VPN tunnels, site-to-site encrypted networking, or Kubernetes network policies that rely on esp4 or esp6. Disabling these modules on servers with active IPsec will break those connections. If in doubt, apply a kernel update instead.

After installing the patched kernel and rebooting the server, revert the mitigation by deleting the /etc/modprobe.d/dirtyfrag.conf file.

Step 3: Combine with Copy Fail Remediation

If you have not yet resolved Copy Fail (CVE-2026-31431), treat both vulnerabilities as a joint remediation effort, given their similarity and overlapping mitigation steps. A single kernel update and reboot covers both. Check that your running kernel is patched for both CVE-2026-31431 and CVE-2026-43284 before considering the server cleared.
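The checks from Steps 1 and 2 can be scripted so that they run the same way on every host. This is an added example, not code from the advisories or the Dirty Frag writeup; the function names and exit codes are assumptions made for illustration, and the fixed kernel release passed to audit must be copied from your distribution's advisory.

```sh
#!/bin/sh
# Added example: audit one host against Steps 1 and 2 of this page.
MODS="esp4 esp6 rxrpc"   # modules named in the interim mitigation

# Print each module in $MODS that is loaded, given a /proc/modules-format file.
loaded_vuln_modules() {
    awk -v want="$MODS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) t[w[i]] = 1 }
        ($1 in t) { print $1 }' "${1:-/proc/modules}"
}

# Print each module in $MODS with no "install <mod> /bin/false" line in the
# given modprobe config (default: the file the mitigation creates).
unblocked_modules() {
    conf=${1:-/etc/modprobe.d/dirtyfrag.conf}
    for m in $MODS; do
        grep -Eqs "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false" "$conf" ||
            echo "$m"
    done
}

# True when release $1 sorts at or after release $2 (GNU version sort).
kernel_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# usage: audit FIXED_RELEASE [RUNNING_RELEASE] [MODULES_FILE] [CONF_FILE]
# FIXED_RELEASE is the patched `uname -r` string from your distribution's
# advisory. Returns 0 = patched, 1 = unpatched but mitigated, 2 = exposed.
audit() {
    fixed=$1; running=${2:-$(uname -r)}; conf=${4:-/etc/modprobe.d/dirtyfrag.conf}
    if kernel_at_least "$running" "$fixed"; then
        echo "patched: running $running >= fixed $fixed"
        [ -e "$conf" ] && echo "note: $conf still present; delete it (see Step 2)"
        return 0
    fi
    loaded=$(loaded_vuln_modules "${3:-/proc/modules}" | tr '\n' ' ')
    open=$(unblocked_modules "$conf" | tr '\n' ' ')
    if [ -z "$loaded" ] && [ -z "$open" ]; then
        echo "unpatched ($running < $fixed), mitigation in place"
        return 1
    fi
    echo "EXPOSED: $running < $fixed; loaded: ${loaded:-none}; unblocked: ${open:-none}"
    return 2
}

if [ $# -gt 0 ]; then audit "$@"; fi
```

Run it with the fixed release as the only argument; exit status 2 (unpatched, and a module is loaded or not blocked) is the case to alert on.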

What This Means Going Forward

Two universal Linux kernel privilege escalation vulnerabilities in eight days is not normal. Dirty Frag is the second in this period after Copy Fail. With a working public proof-of-concept released before the patch and the exploit limited to a handful of standard syscalls, defenders must assume that any local foothold on an unpatched host can become root within seconds.

The Dirty Frag disclosure also went badly: an unrelated third party leaked exploit details before distributions had finished packaging the patch, leading to premature public disclosure while CVE-2026-43500 was still unpatched. This is the same pattern that made Copy Fail so dangerous in its first hours.

The practical lesson is that the time between when a vulnerability is discovered by attackers and when it is exploited in the wild is no longer measured in days, but in hours. Kernel updates should be treated with the same urgency as application security patches – applied as soon as they become available, not during the next scheduled maintenance window.

For any server running web hosting workloads: patch, reboot, verify today. Then set alerts so you’ll know within an hour the next time it happens.

Sources

Help Net Security: https://www.helpnetsecurity.com/2026/05/08/dirty-frag-linux-wlnerability-cve-2026-43284-cve-2026-43500/

AlmaLinux Security Advisory: https://almalinux.org/blog/2026-05-07-dirty-frag/

Tenable Research FAQ: https://www.tenable.com/blog/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe

Sysdig detection guide: https://www.sysdig.com/blog/dirty-frag-cve-2026-43284-and-cve-2026-43500-detecting-unpatched-local-privilege-escalation-via-linux-kernel-esp-and-rxrpc

SUSE CVE entry: https://www.suse.com/security/cve/CVE-2026-43284.html

Ubuntu CVE page: https://ubuntu.com/security/CVE-2026-43284

Ubuntu Blog (fixes available): https://ubuntu.com/blog/dirty-frag-linux-wlnerability-fixes-available

CloudLinux Blog (Dirty Frag): https://blog.cloudlinux.com/dirty-frag-mitigation-and-kernel-update

Knightli Mitigation Guide: https://www.knightli.com/en/2026/05/09/dirty-frag-cve-2026-43284-linux-lpe-mitigation/


