Cybersecurity, May 18, 2026

"Dirty Frag" Linux LPE (CVE-2026-43284 / CVE-2026-43500) Now Actively Exploited — Patch Your Kernel

The 'Dirty Frag' privilege-escalation pair targeting Linux kernel IPsec and AFS networking modules is now confirmed under active in-the-wild exploitation. Any unprivileged local account, including a foothold gained through a web shell or a container escape, can escalate to root. Red Hat, Ubuntu, Amazon Linux, and SUSE have patches; apply them immediately.

Active exploitation of the “Dirty Frag” Linux kernel privilege escalation pair — CVE-2026-43284 (CVSS 8.8) and CVE-2026-43500 (CVSS 7.8) — has been confirmed by Microsoft Defender telemetry. Any local unprivileged user on an unpatched system can escalate to root in a single operation. If you run Linux servers and have not applied this month’s kernel updates, do it now.

What the vulnerability does

Both CVEs are rooted in how the Linux kernel handles memory-fragment ownership during decryption in two networking subsystems:

  • CVE-2026-43284 affects esp4 and esp6 — the kernel modules implementing IPsec Encapsulating Security Payload for IPv4 and IPv6.
  • CVE-2026-43500 affects rxrpc, the kernel’s AFS (Andrew File System) transport protocol implementation.

When either module decrypts data over paged buffers that are not privately owned by the kernel, ownership tracking of those memory fragments is mishandled. Combined with a standard splice(2) or sendfile(2) syscall, an unprivileged process can retain live references to the plaintext output — yielding a write primitive directly into the kernel’s page cache. From there, the path to root is a single additional step.

Nothing beyond a low-privilege foothold is required: a compromised web server, an SSH account, a container escape, or any other low-privilege user account.

Affected systems

Virtually every Linux distribution running kernel versions before the patched releases is vulnerable. The major distros with confirmed patches as of this writing:

  • Red Hat / RHEL: Advisory RHSB-2026-003 — patch available for RHEL 8 and 9
  • Ubuntu: Kernel security update USN-XXXX — patches for Jammy, Noble, and Oracular
  • Amazon Linux: ALAS-2026-XXXX for AL2 and AL2023
  • Fedora / AlmaLinux / CloudLinux: Updates available via standard repositories
  • SUSE / openSUSE: SUSE-SU-2026 advisory published

A third related CVE, CVE-2026-46300, is included in Red Hat’s RHSB-2026-003 advisory, suggesting broader scope across the same code path.

How to patch

On Red Hat / CentOS / Rocky / Alma:

sudo dnf update kernel && sudo reboot

On Ubuntu / Debian:

sudo apt update && sudo apt upgrade linux-image-generic && sudo reboot

On Amazon Linux 2:

sudo yum update kernel && sudo reboot

A reboot is mandatory — you cannot hot-patch a running kernel for this class of vulnerability.
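
An inventory check tying together the module list under "What the vulnerability does" and the reboot requirement above. It is an added example, not from the original post or any vendor; the function names, sample module listing and sample kernel release strings are constructed, and it assumes that any installed kernel newer than the running one means a reboot is still pending (it does not know which release carries the fix).

```shell
#!/bin/sh
# Added example (not from the original post): inventory for the Dirty Frag modules.
AFFECTED="esp4 esp6 rxrpc"   # module names taken from the post

# Print the affected modules present in a /proc/modules-format file, space-separated.
# Modules compiled into the kernel never appear in /proc/modules, so an empty
# result only means "not loaded as a module".
loaded_affected() {
    awk -v want="$AFFECTED" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) hit[w[i]] = 1 }
        ($1 in hit) { print $1 }
    ' "$1" | sort | xargs
}

# Succeed when a kernel newer than the running one ($1) is installed under $2
# (normally /lib/modules): the update landed but the reboot has not happened.
reboot_pending() {
    newest=$( { echo "$1"; ls -1 "$2"; } | sort -V | tail -n 1 )
    [ "$newest" != "$1" ]
}

# report MODULES_FILE MODULES_DIR RUNNING_RELEASE
report() {
    mods=$(loaded_affected "$1")
    echo "affected modules loaded: ${mods:-none}"
    if reboot_pending "$3" "$2"; then
        echo "running $3, newer kernel installed: reboot pending"
    else
        echo "running $3 is the newest installed kernel"
    fi
}

# Constructed sample data for a hypothetical host; on a real system call:
#   report /proc/modules /lib/modules "$(uname -r)"
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/modules" <<'EOF'
xfrm_user 57344 2 - Live 0x0000000000000000
esp4 28672 1 - Live 0x0000000000000000
nf_tables 372736 0 - Live 0x0000000000000000
rxrpc 487424 0 - Live 0x0000000000000000
EOF
mkdir -p "$SAMPLE/lib/6.0.0-9-sample" "$SAMPLE/lib/6.0.0-10-sample"
report "$SAMPLE/modules" "$SAMPLE/lib" "6.0.0-9-sample"
```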

Detection

Microsoft Defender is actively monitoring for exploitation patterns and has shipped detection coverage. If you run Defender for Endpoint on Linux, check your threat hunting queries for unusual splice(2) or sendfile(2) syscall sequences originating from low-privilege processes accessing kernel page cache regions.

This vulnerability is being described as the spiritual successor to Copy Fail (CVE-2026-31431), disclosed May 1. That pattern — same attack surface, iterative refinement — suggests Dirty Frag is part of a broader research campaign targeting kernel memory management in networking subsystems. Treat this as a high-urgency patching event, not routine maintenance.
