Dirty Frag: A Fourth Way to Root via Page Cache (CVE-2026-43284, CVE-2026-43500)
A week after CopyFail, Hyunwoo Kim disclosed another local privilege escalation built on the same primitive: a write into the page cache of a read-only file. This time not through crypto, but through fragment handling in two network protocols. The name: Dirty Frag.
It is not a single bug but a chain of two CVEs:
- CVE-2026-43284 in the ESP modules (Encapsulating Security Payload, i.e. IPsec): esp4, esp6. CVSS 8.8 per kernel.org, 7.8 per CISA. Vulnerable code since roughly 2017 (4.x kernels).
- CVE-2026-43500 in RxRPC (the AFS protocol): the rxrpc module. CVSS 7.8. Vulnerable since roughly 2023 (6.2+ kernels).
Why it is the same family
Dirty COW, Dirty Pipe and CopyFail shared one denominator: an unauthorized write into page cache grants instant escalation, because you can overwrite the contents of a file the system treats as trusted (e.g. /usr/bin/su). Dirty Frag does exactly the same, except the entry point is faulty fragment handling in ESP and RxRPC. Hence the “Frag” in the name.
The end result is identical: an unprivileged user becomes root. A public PoC is already available (V4bel/dirtyfrag), and Microsoft reports use in post-compromise attacks.
Am I affected
The vulnerability needs the modules loaded. Check:
lsmod | grep -E 'esp4|esp6|rxrpc'
If any is listed, you are in range of the matching CVE (unless you already have the patch). esp4/esp6 are often loaded on machines with IPsec/VPN, rxrpc much more rarely (mostly AFS).
You can also check your kernel version in the CVE tab of Kernel Security Checker: enter the output of uname -r and the tool will surface both Dirty Frag entries if your base version is in range.
Mitigation
The kernel patch is still rolling out across distributions (at the time of writing most show “work in progress”). Mainline already has the fixes: commit f4c50a4 for ESP and aa54b1d for RxRPC. Until they reach your distro, the simplest defense is to block the vulnerable modules if you do not use them:
sudo tee /etc/modprobe.d/disable-dirtyfrag.conf << 'EOF'
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
EOF
Note: blocking esp4/esp6 breaks IPsec, so do not do this on machines that actually use a VPN or IPsec tunnels. There you have to wait for the distro patch. rxrpc you can safely block if you do not use AFS.
After adding the rule, run lsmod again to confirm the modules are not already loaded: the rule only stops future loads, and a module that is already active requires a reboot.
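The two checks above (is the module loaded, is the block rule in place) combine into four states per module. The script below is an added example, not code from the original article or from the kernel project; the function names, state labels and sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify each Dirty Frag module from lsmod output and
# modprobe.d text. Inputs are passed as strings so the logic runs offline.

# is_loaded LSMOD_TEXT MODULE -> exit 0 if MODULE is in lsmod's first column
is_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# is_blocked CONF_TEXT MODULE -> exit 0 if an uncommented
# "install MODULE /bin/false" (or /bin/true) rule is present
is_blocked() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { found = 1 }
        END { exit !found }'
}

# module_state LSMOD_TEXT CONF_TEXT MODULE -> prints one of:
#   exposed | loaded-needs-reboot | loadable | blocked
module_state() {
    if is_loaded "$1" "$3"; then
        if is_blocked "$2" "$3"; then echo loaded-needs-reboot; else echo exposed; fi
    else
        if is_blocked "$2" "$3"; then echo blocked; else echo loadable; fi
    fi
}

# dirtyfrag_report LSMOD_TEXT CONF_TEXT -> one line per module with its CVE
dirtyfrag_report() {
    for pair in esp4:CVE-2026-43284 esp6:CVE-2026-43284 rxrpc:CVE-2026-43500; do
        mod=${pair%%:*}; cve=${pair#*:}
        printf '%-6s %-15s %s\n' "$mod" "$cve" "$(module_state "$1" "$2" "$mod")"
    done
}

# Constructed sample input (not captured from a real host)
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   28672  2
xfrm_user              57344  4
nf_tables             372736  0'
SAMPLE_CONF='# /etc/modprobe.d/disable-dirtyfrag.conf
install esp4 /bin/false
#install esp6 /bin/false
install rxrpc /bin/false'

dirtyfrag_report "$SAMPLE_LSMOD" "$SAMPLE_CONF"
```

On a live host, pass "$(lsmod)" and "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" as the two arguments. A result of loaded-needs-reboot means the rule exists but the module was already active when it was added.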
Status
This is fresh (disclosed 7 May 2026), so the patched version numbers per distribution are still settling. Track your distribution’s changelog and update the kernel as soon as the errata appear.