Security researchers have disclosed Dirty Frag, a new unpatched vulnerability in the Linux kernel that allows any ordinary user on the machine to silently elevate their access to full root (administrator) level. The flaw works by chaining two bugs in Linux’s networking subsystems — one in xfrm/ESP handling (CVE-2026-43284) and one in the RxRPC subsystem (CVE-2026-43500) — to corrupt kernel page-cache memory in a reliable way. Unlike many Linux privilege-escalation exploits that require precise timing or luck, Dirty Frag is designed to work consistently across a wide range of environments, including servers running containers.
The vulnerability was reported to kernel maintainers on April 30, 2026. Patches have been committed to the mainline Linux kernel, but they haven’t yet reached the stable versions shipped by most Linux distributions. Dirty Frag is considered a successor to Copy Fail (CVE-2026-31431), a similar kernel flaw that has already been exploited in the wild. A related variant called Fragnesia (CVE-2026-46300) has also been identified, making three kernel privilege-escalation bugs disclosed within two weeks.
How to check if you’re affected
Affected versions include Linux kernels that have not yet received the patches at commits f4c50a4034e6 (for CVE-2026-43284) and aa54b1d27fe0 (for CVE-2026-43500). Most current Ubuntu, Debian, Fedora, Arch, and Red Hat/CentOS systems are affected until their respective package maintainers push updated kernel packages.
To protect yourself:
- Run
uname -rto see your current kernel version, then check your distribution’s security advisory page for a patched kernel. - Apply any kernel updates your package manager offers as soon as they become available.
- If you run public-facing servers or shared hosting, treat this as urgent — a logged-in attacker or a compromised container could escalate to root.