Dirty Frag: Critical Linux Kernel Privilege Escalation Vulnerability Disclosed

Severity: High (Score: 69.9)

Sources: Scworld, security-tracker.debian.org, Blogs.Microsoft, Panewslab, github.com

Summary

On May 7, 2026, a new Linux kernel vulnerability dubbed 'Dirty Frag' was disclosed, allowing local users to escalate privileges to root on major distributions. This vulnerability exploits two flaws: CVE-2026-43284 in the xfrm-ESP module and a second, pending CVE related to RxRPC. The exploit is deterministic, making it highly reliable and easy to automate, posing significant risks in multi-user environments. Public exploit code has been released, and no patches are currently available, leaving millions of systems exposed. Affected distributions include Ubuntu, Fedora, RHEL, and others. Administrators are advised to disable the affected kernel modules as a temporary mitigation. The vulnerability follows closely on the heels of the Copy Fail exploit, raising concerns about the security of Linux systems. Key Points: • Dirty Frag allows local privilege escalation to root on major Linux distributions. • Public exploit code is available, and no patches are currently released. • Administrators should disable affected kernel modules to mitigate risks.

Key Entities

• Privilege Escalation (attack_type)
• Zero-day Exploit (attack_type)
• Red Hat (company)
• SlowMist (company)
• Fedora (company)
• OpenSUSE (company)
• Ubuntu (company)
• CVE-2016-5195 (cve)
• CVE-2022-0847 (cve)
• CVE-2026-43284 (cve)
• CVE-2026-43500 (cve)
• CWE-269 - Improper Privilege Management (cwe)
• T1021.004 - SSH (mitre_attack)
• T1021 - Remote Services (mitre_attack)
• T1068 - Exploitation for Privilege Escalation (mitre_attack)
• T1505.003 - Web Shell (mitre_attack)
• AlmaLinux (platform)
• Arch (platform)
• CentOS Stream (platform)
• Linux (platform)
• RHEL (platform)
• Copy Fail (vulnerability)
• CopyFail (vulnerability)
• Dirty Cow (vulnerability)
• Dirty Frag (vulnerability)
• Dirty Pipe (vulnerability)