AL26-011 - Vulnerabilities affecting Linux - CVE-2026-43284 and CVE-2026-43500
Analysis Summary
# Vulnerability: "Dirty Frag" Linux Kernel Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-43284, CVE-2026-43500
- **CVSS Score:** Not explicitly listed in source (Critical/High implied due to Root escalation)
- **CWE:** CWE-123 (Write-what-where Condition)
## Affected Systems
- **Products:** Various Linux distributions including Red Hat Enterprise Linux, Rocky Linux, AlmaLinux, Oracle Linux, Fedora, CentOS Stream, Debian, Ubuntu, SUSE Linux Enterprise, and openSUSE.
- **Versions:** Vulnerable Linux kernel versions (specific version ranges vary by distribution).
- **Configurations:** Systems with the following components enabled:
  - ESP/XFRM IPsec support
  - UDP ESP-in-UDP receive paths
  - RxRPC subsystem
## Vulnerability Description
Publicly referred to as **“Dirty Frag,”** these vulnerabilities involve two distinct flaws in the Linux kernel:
1. **CVE-2026-43284:** A "Write-what-where" condition (CWE-123) in the kernel's networking stack.
2. **CVE-2026-43500:** A local privilege escalation (LPE) vulnerability specifically residing in the RxRPC subsystem.
When chained together, these flaws allow a local, unprivileged user to bypass isolation mechanisms and gain full root access to the host operating system.
## Exploitation
- **Status:** A working Proof of Concept (PoC) is publicly available.
- **Complexity:** Low to Medium (Public PoCs lower the barrier for exploitation).
- **Attack Vector:** Local (Requires local access, but can be chained with Remote Code Execution [RCE] vulnerabilities for remote impact).
## Impact
- **Confidentiality:** High (Full system access/Root)
- **Integrity:** High (Ability to modify kernel and system files)
- **Availability:** High (Ability to crash or take over the system)
## Remediation
### Patches
- As of May 8, 2026, a universal fix across all stable kernels was not yet available.
- Organizations should monitor distribution-specific advisories (e.g., AlmaLinux has begun testing fixes).
### Workarounds
The primary workaround is to disable the vulnerable kernel modules if they are not required for system operations:
- **Command:** `sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n'> /etc/modprobe.d/dirtyfrag.conf;rmmod esp4 esp6 rxrpc 2>/dev/null;true"`
- **Vulnerable Modules:** `esp4`, `esp6`, and `rxrpc`.
- **Note:** Disabling `esp4` and `esp6` will break IPsec functionality.
## Detection
- **System Check:** Use `uname -r` to check the kernel version.
- **Module Check:** Run `lsmod | grep -E '^(esp4|esp6|rxrpc)\b'` to list any of the vulnerable modules that are currently loaded, or `grep -qE '^(esp4|esp6|rxrpc)\b' /proc/modules` for a silent check that exits with status 0 when at least one is loaded.
- **Monitoring:** Monitor for unusual privilege escalation attempts or unauthorized `root` access originating from unprivileged service accounts.
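
The module check and the workaround can be verified together. The script below is an added example, not part of the advisory: it reports which of `esp4`, `esp6` and `rxrpc` are loaded and which lack the `install <module> /bin/false` override from the workaround. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the Dirty Frag workaround.
MODULES="esp4 esp6 rxrpc"   # module names listed in the advisory

# Print advisory modules present in a /proc/modules-style file.
# Anchoring on "name + space" avoids false hits such as esp4_offload.
loaded_modules() {
    for m in $MODULES; do
        if grep -q "^$m " "$1" 2>/dev/null; then printf '%s\n' "$m"; fi
    done
}

# Print advisory modules lacking an "install <mod> /bin/false" override
# in the *.conf files of a modprobe.d-style directory. Only the form used
# by the advisory's workaround is recognised; commented lines do not count.
unblocked_modules() {
    for m in $MODULES; do
        if ! cat "$1"/*.conf 2>/dev/null |
            grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false[[:space:]]*\$"; then
            printf '%s\n' "$m"
        fi
    done
}

# Report both checks; return 0 only when nothing is loaded and all are blocked.
audit() {
    loaded=$(loaded_modules "$1" | tr '\n' ' ')
    unblocked=$(unblocked_modules "$2" | tr '\n' ' ')
    echo "loaded now:  ${loaded:-none}"
    echo "not blocked: ${unblocked:-none}"
    [ -z "$loaded" ] && [ -z "$unblocked" ]
}

# Constructed sample data: rxrpc is still loaded and the override file
# covers only esp4 and esp6 (esp4_offload must not be reported).
demo=$(mktemp -d)
printf 'esp4_offload 16384 0 - Live 0x0\nrxrpc 401408 0 - Live 0x0\n' > "$demo/modules"
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > "$demo/dirtyfrag.conf"
audit "$demo/modules" "$demo" || echo "workaround incomplete"
rm -rf "$demo"
# On a real host: audit /proc/modules /etc/modprobe.d
```

A non-zero return from `audit` means either a module is still loaded (the `rmmod` step did not succeed, for example because the module was in use) or an override line is missing, so the module can be loaded again on demand.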
## References
- Canadian Centre for Cyber Security Alert: hxxps://www.cyber.gc.ca/en/alerts-advisories/al26-011-vulnerabilities-affecting-linux-cve-2026-43284-cve-2026-43500
- AlmaLinux Advisory: hxxps://almalinux.org/blog/2026-05-07-dirty-frag/
- Wiz Research Blog: hxxps://www.wiz.io/blog/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc
- BleepingComputer Report: hxxps://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/
- Ubuntu Security: hxxps://ubuntu.com/security/CVE-2026-43284