Linux bitten by second severe vulnerability in as many weeks


Both privilege escalation vulnerabilities arise from bugs in the kernel’s handling of page-cache pages held in memory, which allow untrusted users to modify them. They target caches in the networking and memory-fragment-handling components. Specifically, CVE-2026-43284 resides in the esp4 and esp6 modules, and CVE-2026-43500 in rxrpc. Last week’s Copy Fail took advantage of faulty page caching in the authencesn AEAD template, which is used for IPsec extended sequence numbers. A 2022 vulnerability called Dirty Pipe also resulted from a flaw that allowed attackers to overwrite the page cache.

Researchers at security firm Automox wrote:

Dirty Frag belongs to the same bug family as Dirty Pipe and Copy Fail, but it targets the frags member of the kernel struct sk_buff instead of pipe_buffer. The exploit uses splice() to plant a reference to a read-only page-cached page (for example, /etc/passwd or /usr/bin/su) in a frags slot of a sender-side skb. The receiver-side kernel code then performs in-place cryptographic operations on that fragment, modifying the page cache in RAM. The corrupted version appears in every subsequent read of the file, even if the attacker only had read access.

CVE-2026-43284 is found in the esp_input() function on the IPsec ESP receive path. When an skb is non-linear but lacks a frag list, the code skips skb_cow_data() and performs the AEAD decryption in place on the planted frag. From there, an attacker can control the file offset and the 4-byte value of each store.

Meanwhile, CVE-2026-43500 lives in rxkad_verify_packet_1(). This function decrypts the RxRPC payload with a single-block cipher operation in which the splice-pinned pages serve as both source and destination. Combined with the decryption key being supplied independently through add_key with the rxrpc key type, this lets an attacker rewrite the file’s contents in memory.

Either exploit used in isolation is unreliable. Some Ubuntu configurations use AppArmor to prevent untrusted users from creating user namespaces, which neutralizes the ESP technique. Most other distributions do not load rxrpc.ko by default, which disables the RxRPC arm. When chained together, however, the two exploits gave attackers root on every major distribution Kim tested. The exploit needs only an unprivileged foothold, such as SSH access, web-shell execution, a container escape, or a compromised low-privileged account.
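As an added example (not code from the article or from Automox, Microsoft or Wiz), the following POSIX shell audit checks the two environmental conditions described above, each of which closes one arm of the chain: whether rxrpc.ko is loaded and whether unprivileged user-namespace creation is restricted. The sysctl name kernel.apparmor_restrict_unprivileged_userns is an assumption about the Ubuntu knob, and the lsmod/sysctl samples are constructed.

```shell
#!/bin/sh
# Audit of the two conditions that disable one Dirty Frag arm each:
#   RxRPC arm - requires rxrpc.ko to be loaded (most distributions do not load it by default)
#   ESP arm   - requires unprivileged user namespaces; Ubuntu's AppArmor restriction blocks it
#               (assumed sysctl name: kernel.apparmor_restrict_unprivileged_userns)
# Inputs are passed as text so each check can run over captured command output.

# module_loaded NAME LSMOD_TEXT -> exit 0 if NAME appears as a loaded module in lsmod output
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $1 == m { f = 1 } END { exit !f }'
}

# userns_restricted SYSCTL_TEXT -> exit 0 if the restriction sysctl reads 1
userns_restricted() {
    printf '%s\n' "$1" | awk -F'= *' '/apparmor_restrict_unprivileged_userns/ { v = $2 }
                                       END { exit !(v == 1) }'
}

# assess LSMOD_TEXT SYSCTL_TEXT -> prints "rxrpc=open|closed esp=open|closed"
assess() {
    if module_loaded rxrpc "$1"; then r=open; else r=closed; fi
    if userns_restricted "$2"; then e=closed; else e=open; fi
    printf 'rxrpc=%s esp=%s\n' "$r" "$e"
}

# Constructed samples standing in for `lsmod` and
# `sysctl kernel.apparmor_restrict_unprivileged_userns` on two hosts.
LSMOD_A='Module                  Size  Used by
rxrpc                 589824  0
esp4                   28672  0
xfrm_user              57344  1'
SYSCTL_A='kernel.apparmor_restrict_unprivileged_userns = 0'

LSMOD_B='Module                  Size  Used by
esp4                   28672  0'
SYSCTL_B='kernel.apparmor_restrict_unprivileged_userns = 1'

# Live use: assess "$(lsmod)" "$(sysctl kernel.apparmor_restrict_unprivileged_userns 2>/dev/null)"
assess "$LSMOD_A" "$SYSCTL_A"   # rxrpc=open esp=open   -> both arms reachable
assess "$LSMOD_B" "$SYSCTL_B"   # rxrpc=closed esp=closed
```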

“Dirty Frag is notable because it introduces multiple kernel attack paths, incorporating RxRPC and ESP/XFRM networking components to improve the reliability of the exploit,” Microsoft researchers wrote. “Rather than relying on the narrow timing window or unstable corruption conditions that are often associated with Linux local privilege escalation exploits, Dirty Frag appears to be designed to increase stability in vulnerable environments.”

Researchers at Google-owned Wiz said the exploit would be less likely to succeed in a hardened containerized environment such as Kubernetes with default security settings. “However, the risk remains significant for virtual machines or less restricted environments.”

The best response for anyone using Linux is to install the patch immediately. Although fixes require a reboot, the protection from a serious threat like Dirty Frag outweighs the cost of disruptions. Anyone who cannot install immediately should follow the mitigation steps explained in the post linked above. Additional guidance can be found here.
