TP-EXP-2026-0022 | CVE-2026-43284 | Severity: High | Status: Patched | AI Draft

Dirty Frag Linux Kernel Local Privilege Escalation (CVE-2026-43284)

CVE: CVE-2026-43284
Platform: Linux kernel ESP/XFRM networking subsystem
Type: Local Privilege Escalation
Severity: HIGH
Status: Patched
Zero-Day: Confirmed
Disclosed: May 7, 2026
Patched: May 8, 2026
Researcher: Hyunwoo Kim
CISA KEV: Not Listed

Severity Assessment

  • Exploitability: 7.5/10 - Exploitation requires local code execution or an equivalent foothold, but public proof-of-concept material and kernel patch references are available.
  • Impact: 8.5/10 - Successful exploitation can give an unprivileged user root privileges on affected Linux systems.
  • Weaponization Risk: 8/10 - Microsoft reported limited activity involving local privilege escalation behavior that may be associated with Dirty Frag or Copy Fail, and public exploit material lowers the barrier for replication.
  • Patch Urgency: 8.5/10 - Upstream kernel fixes exist for CVE-2026-43284, while distribution remediation and mitigation guidance were still evolving after disclosure.
  • Detection Coverage: 6.5/10 - Microsoft lists Defender detections and suspicious SUID/SGID process-launch coverage, but host integrity checks remain necessary after suspected exploitation.

Summary

CVE-2026-43284 is a Linux kernel local privilege escalation vulnerability associated with the Dirty Frag disclosure. The issue affects the ESP/XFRM networking path used for IPsec-related processing. NVD describes the flaw as an ESP in-place decryption path that can operate on shared skb fragments created from spliced pipe pages, allowing data not privately owned by the skb to be modified.

Dirty Frag was disclosed publicly on May 7, 2026 after an embargo breakdown. The public disclosure and companion write-up describe a page-cache write primitive that can be used to modify sensitive file-backed memory and escalate from a low-privileged context to root. The Dirty Frag family also includes related RxRPC and Fragnesia issues; CVE-2026-43284 covers the ESP/XFRM path.

Microsoft reported limited in-the-wild activity involving privilege escalation around su that may indicate techniques associated with Dirty Frag or Copy Fail. That telemetry does not by itself establish a single confirmed campaign for CVE-2026-43284, but it supports treating the vulnerability as an active post-compromise escalation risk where attackers already have local execution.

Exploit Chain

Stage 1: Local Execution

An attacker first needs local code execution on an affected Linux host. Plausible entry points include compromised SSH accounts, web-shell execution, a low-privileged service account, or a container context that exposes the necessary kernel interfaces.

Stage 2: Shared Page Placement

The exploit path uses zero-copy or splice-related behavior to place a page-cache-backed page into a network buffer fragment. The relevant condition is that the fragment references memory that the networking stack does not privately own.

Stage 3: ESP/XFRM Processing

For CVE-2026-43284, ESP input processing can take a no-copy-on-write path for an uncloned nonlinear skb. When that path decrypts in place over shared fragments, kernel processing can write into page-cache-backed memory.

Stage 4: Sensitive File-Backed Memory Modification

The Dirty Frag write-up describes this class as modifying cached contents of files that the attacker can read but should not be able to write. Public exploit material focuses on modifying privileged execution paths so a later operation runs attacker-controlled content with elevated privileges.

Stage 5: Root Privilege Escalation

After the page-cache modification takes effect, the attacker triggers the modified privileged path and obtains root privileges. Microsoft’s post-compromise scenario shows why the vulnerability is useful after initial access: root privileges enable credential access, log tampering, defense impairment, and lateral movement from the affected Linux host.

Detection Guidance

  • Monitor Linux hosts for suspicious SUID or SGID process launches, especially su execution soon after staging an unfamiliar ELF binary.
  • Alert on new or unusual executable files in temporary, web application, user home, or service-account writable directories followed by privilege escalation attempts.
  • Review shell history, process telemetry, and EDR events for local exploitation after SSH, web-shell, or low-privileged service-account access.
  • Check whether esp4, esp6, rxrpc, or related XFRM/IPsec modules are loaded, and compare that state against expected business use.
  • After suspected exploitation, validate the integrity of privileged binaries and configuration files: blocklisting the modules only limits future exploitation and does not revert cache-backed modifications that may already have been made.
  • Track vendor kernel packages and platform advisories for remediation status, including Red Hat Enterprise Linux and OpenShift guidance where applicable.
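The first detection item above is a temporal correlation: an unfamiliar ELF binary is staged in a user-writable directory and, shortly afterwards, the same non-root user launches su or another SUID/SGID program. The script below is an added example of that correlation written for this page; it is not Microsoft's or Red Hat's detection logic. The log schema (`<timestamp> uid=<n> exe=<path> flags=<tags>`), the `elf` and `suid` tags, the list of staging directories and the two-minute window are all constructed assumptions, and the sample lines are made up for the example.

```python
"""Correlate a staged ELF in a user-writable directory with a following su or
SUID/SGID launch by the same non-root user. Added example for the detection
guidance above; the log schema and sample lines are constructed, not an EDR's."""
import re
from dataclasses import dataclass
from datetime import datetime

# Directories where a staged binary would typically land (assumption).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/var/www/", "/srv/")
DEFAULT_WINDOW_SECONDS = 120

# Constructed schema: "<iso-timestamp> uid=<n> exe=<path> flags=<tag,tag>"
# where the tags "elf" (new ELF image) and "suid" (setuid/setgid exec) are
# assumed to be supplied by the telemetry source.
LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) exe=(?P<exe>\S+) flags=(?P<flags>\S*)$")


@dataclass
class Event:
    ts: datetime
    uid: int
    exe: str
    tags: frozenset


def parse(lines):
    """Parse matching lines into Events sorted by time; unknown lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tags = frozenset(t for t in m["flags"].split(",") if t)
        events.append(Event(datetime.fromisoformat(m["ts"]), int(m["uid"]), m["exe"], tags))
    return sorted(events, key=lambda e: e.ts)


def is_staged_elf(e):
    return "elf" in e.tags and e.exe.startswith(STAGING_DIRS)


def is_privileged_launch(e):
    return e.exe.endswith("/su") or "suid" in e.tags


def find_suspicious(lines, window_seconds=DEFAULT_WINDOW_SECONDS):
    """Return (uid, staged_exe, privileged_exe, seconds_between) tuples for each
    non-root user whose staged ELF is followed by a privileged launch in the window."""
    events = parse(lines)
    alerts = []
    for i, elf in enumerate(events):
        if elf.uid == 0 or not is_staged_elf(elf):
            continue  # root needs no escalation; ordinary binaries are not staging
        for later in events[i + 1:]:
            gap = (later.ts - elf.ts).total_seconds()
            if gap > window_seconds:
                break
            if later.uid == elf.uid and is_privileged_launch(later):
                alerts.append((elf.uid, elf.exe, later.exe, int(gap)))
                break
    return alerts


# Constructed sample telemetry.
SAMPLE = [
    "2026-05-09T10:00:00 uid=1001 exe=/usr/bin/ls flags=",
    "2026-05-09T10:00:05 uid=1001 exe=/tmp/.x/payload flags=elf",
    "2026-05-09T10:00:12 uid=1001 exe=/usr/bin/su flags=suid",
    "2026-05-09T11:30:00 uid=1002 exe=/home/deploy/build/app flags=elf",
    "2026-05-09T12:00:00 uid=1002 exe=/usr/bin/passwd flags=suid",  # outside the window
    "2026-05-09T13:00:00 uid=0 exe=/tmp/installer flags=elf",        # already root
    "2026-05-09T13:00:01 uid=0 exe=/usr/bin/su flags=suid",
]

if __name__ == "__main__":
    for uid, staged, priv, gap in find_suspicious(SAMPLE):
        print(f"ALERT uid={uid}: {staged} then {priv} after {gap}s")
```

Only the uid 1001 sequence fires: the uid 1002 pair is outside the window and the uid 0 pair is already root, so neither is an escalation signal. Tune the window and staging directories to the host's normal build and deployment activity, since legitimate developers also compile and run fresh ELF files under their home directories.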

Indicators of Compromise

  • Execution of unknown ELF binaries shortly before su, SUID, or SGID process activity.
  • Unexpected root shells or root-owned child processes spawned from low-privileged accounts.
  • Creation of module blocklist files such as /etc/modprobe.d/dirtyfrag.conf outside authorized change windows.
  • Abnormal access to privileged binaries or authentication-related files after a low-privileged foothold.
  • Microsoft Defender detections including Exploit:Linux/DirtyFrag.A, Exploit:Linux/DirtyFrag.B, and related Trojan:Linux/DirtyFrag families.
  • Vulnerable Linux kernels in environments where ESP/IPsec, XFRM, or RxRPC modules are loaded or reachable by untrusted local users.
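The last indicator above, together with the module-check item in the detection guidance, comes down to a host question: are esp4, esp6, rxrpc or related XFRM modules loaded, is that expected, and does a blocklist cover the ones that are not loaded? The script below is an added triage helper written for this page, not part of any vendor advisory. The module names beyond esp4, esp6 and rxrpc are assumed companions of an IPsec deployment, and both inputs (a `/proc/modules` snapshot and a blocklist fragment in the style of the `/etc/modprobe.d/dirtyfrag.conf` file named above) are constructed for the example.

```python
"""Host exposure triage for the indicators above: which of the ESP/XFRM/RxRPC
modules are loaded, whether their presence is expected, and whether a
modprobe.d fragment blocks the rest from loading. Added example; the module
list beyond the names on the page, and both sample inputs, are constructed."""
import re

# esp4, esp6 and rxrpc are named on the page; the XFRM helpers are assumed
# companions that an IPsec deployment commonly loads alongside them.
WATCHED_MODULES = frozenset({"esp4", "esp6", "rxrpc", "xfrm_user", "xfrm_algo", "af_key"})

BLOCK_RE = re.compile(r"^\s*(blacklist|install)\s+(\S+)(?:\s+(.*))?$")


def loaded_modules(proc_modules_text):
    """Map module name -> list of modules using it, from /proc/modules format
    ("name size refcount deps state address")."""
    loaded = {}
    for line in proc_modules_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        name, deps = parts[0], parts[3]
        loaded[name] = [] if deps == "-" else [d for d in deps.split(",") if d]
    return loaded


def blocklisted_modules(modprobe_conf_text):
    """Modules a modprobe.d fragment keeps from loading: 'blacklist' stops
    alias-based autoload, 'install <mod> /bin/false' also defeats an explicit modprobe."""
    blocked = set()
    for line in modprobe_conf_text.splitlines():
        m = BLOCK_RE.match(line)
        if not m:
            continue
        directive, name, rest = m.groups()
        if directive == "blacklist":
            blocked.add(name)
        elif rest and rest.strip() in ("/bin/false", "/bin/true"):
            blocked.add(name)
    return blocked


def triage(proc_modules_text, modprobe_conf_text, expected=frozenset()):
    """Classify each watched module; 'expected' is the set approved for business use."""
    loaded = loaded_modules(proc_modules_text)
    blocked = blocklisted_modules(modprobe_conf_text)
    findings = {}
    for name in sorted(WATCHED_MODULES):
        if name in loaded and name in expected:
            findings[name] = "loaded, expected"
        elif name in loaded:
            findings[name] = "loaded, not expected"
        elif name in blocked:
            findings[name] = "not loaded, blocklisted"
        else:
            findings[name] = "not loaded, autoload still possible"
    return findings


# Constructed snapshot of /proc/modules on a host with esp4 loaded.
PROC_MODULES = """\
esp4 20480 0 - Live 0x0000000000000000
xfrm_algo 16384 1 esp4, Live 0x0000000000000000
ext4 917504 2 - Live 0x0000000000000000
"""

# Constructed blocklist fragment, in the style of /etc/modprobe.d/dirtyfrag.conf.
MODPROBE_CONF = """\
blacklist esp6
install esp6 /bin/false
install rxrpc /bin/false
"""

if __name__ == "__main__":
    for name, state in triage(PROC_MODULES, MODPROBE_CONF).items():
        print(f"{name:10s} {state}")
```

On a live host, feed it the contents of `/proc/modules` and the concatenated files under `/etc/modprobe.d/`. A module that is already loaded is reported as loaded even when a blocklist names it, because the fragment only affects future loads; and, as the detection guidance notes, blocklisting does not undo page-cache changes that may already have happened, so a "loaded, not expected" finding on an unpatched kernel should be followed by the integrity checks above, not just by adding the blocklist.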

Disclosure Timeline

2026-04-30 - ESP Vulnerability Reported

Hyunwoo Kim reported details of the ESP vulnerability and a weaponized exploit to security@kernel.org and submitted an initial patch to the netdev mailing list.

2026-05-04 - Shared-Fragment Patch Proposed

A follow-up shared-fragment approach patch was submitted to the netdev mailing list, according to the public Dirty Frag disclosure timeline.

2026-05-07 - Public Disclosure

Dirty Frag details and exploit material were published publicly after the embargo was broken. Red Hat published its Dirty Frag advisory on the same date.

2026-05-08 - CVE Assigned and Kernel Fixes Published

CVE-2026-43284 was assigned, NVD received the kernel.org record, and upstream patch references became available for the ESP/XFRM issue.

2026-05-08 - Microsoft Publishes Active-Risk Analysis

Microsoft published analysis describing Dirty Frag post-compromise risk, limited observed activity that may relate to Dirty Frag or Copy Fail, and Defender detection coverage.

2026-05-11 - Risky Business Tracks Public Patch Race

Risky Business summarized the Dirty Frag disclosure as Linux distributions worked through patching after public release of details and proof-of-concept material.

2026-05-13 - NVD and Red Hat Records Updated

NVD and Red Hat records showed continued updates for CVE-2026-43284 and related Dirty Frag family issues.

Sources & References