Both privilege escalation vulnerabilities stem from bugs in the kernel’s handling of page caches stored in memory, allowing untrusted users to modify them. They target caches in networking and memory-fragment handling components. Specifically, CVE-2026-43284 attacks the esp4 and esp6 () processes, and CVE-2026-43500 zeroes in on rxrpc. Last week’s CopyFail exploited faulty page caching within the authencesn AEAD template process, which is used for IPsec extended sequence numbers. A 2022 vulnerability named Dirty Pipe also stemmed from flaws that allow attackers to overwrite page caches.
Researchers from security firm Automox wrote:
Dirty Frag belongs to the identical bug family as Dirty Pipe and Copy Fail, but it targets the frag member of the kernel’s struct sk_buff rather than pipe_buffer. The exploit uses splice() to plant a reference to a read-only page-cache page (for instance, /etc/passwd or /usr/bin/su) into the frag slot of a sender-side skb. Receiver-side kernel code then performs in-place cryptographic operations on that frag, modifying the page cache in RAM. Every subsequent read of the file sees the corrupted version, although the attacker only ever had read access.
CVE-2026-43284 is present in the esp_input() process on the IPsec ESP receive path. When an skb object is non-linear but lacks a frag list, the code skips skb_cow_data() and decrypts AEAD in place on the planted frag. From there, an attacker can control the file offset and the 4-byte value of every store.
CVE-2026-43500, meanwhile, resides in rxkad_verify_packet_1(). The method decrypts RxRPC payloads using a single-block process. Splice-pinned pages become both a source and destination. That, paired with the decryption key being freely extracted using the add_key (rxrpc), allows an attacker to rewrite contents in memory.
Either exploit used individually is unreliable. Some Ubuntu configurations use AppArmor to stop untrusted users from creating namespace contents. That, in turn, neutralizes the ESP technique. Most other distributions don’t run rxrpc.ko by default, which neutralizes the RxRPC arm. When chained together, however, the two exploits allow attackers to gain root on every major distribution Kim tested. Once the exploits run, attackers can use SSH access, web-shell execution, or container escapes, or compromise low-privilege accounts.
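The two neutralizing conditions described above can be checked on a host. The following is an added triage example, not code from the researchers or vendors quoted here; it assumes the standard Linux sysctls for restricting unprivileged user namespaces, and the sample data is constructed.

```python
from pathlib import Path

# Sysctl path under /proc/sys -> value meaning unprivileged user namespaces are restricted.
USERNS_RESTRICTIONS = {
    "kernel/apparmor_restrict_unprivileged_userns": "1",  # Ubuntu AppArmor policy
    "kernel/unprivileged_userns_clone": "0",              # Debian/Ubuntu kernels
    "user/max_user_namespaces": "0",                      # upstream limit
}
WATCHED_MODULES = ("esp4", "esp6", "rxrpc")

def loaded_modules(proc_modules_text):
    """Return module names from /proc/modules text (name is the first field)."""
    return {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}

def assess(proc_modules_text, sysctls):
    """Map the article's two neutralizing conditions onto host state."""
    mods = loaded_modules(proc_modules_text)
    restricted = any(sysctls.get(k) == v for k, v in USERNS_RESTRICTIONS.items())
    report = {
        "loaded": sorted(m for m in WATCHED_MODULES if m in mods),
        "esp_arm_neutralised": restricted,             # namespace creation blocked
        "rxrpc_arm_neutralised": "rxrpc" not in mods,  # rxrpc.ko not running
    }
    # The chained exploit works if either arm is open, so both must be closed.
    report["chain_neutralised"] = (report["esp_arm_neutralised"]
                                   and report["rxrpc_arm_neutralised"])
    return report

def read_host():
    """Collect live inputs; missing files (non-Linux, older kernels) are skipped."""
    def read(path):
        try:
            return Path(path).read_text().strip()
        except OSError:
            return None
    sysctls = {k: read(f"/proc/sys/{k}") for k in USERNS_RESTRICTIONS}
    return read("/proc/modules") or "", sysctls

# Constructed sample: rxrpc and esp4 loaded, user namespaces restricted by AppArmor.
SAMPLE_MODULES = ("rxrpc 540672 0 - Live 0x0000000000000000\n"
                  "esp4 28672 0 - Live 0x0000000000000000\n")
SAMPLE_SYSCTLS = {"kernel/apparmor_restrict_unprivileged_userns": "1"}

if __name__ == "__main__":
    print("sample:", assess(SAMPLE_MODULES, SAMPLE_SYSCTLS))
    print("host:  ", assess(*read_host()))
```

A module that is not loaded now can still be loaded later unless it is blocked, so a "neutralised" result is a snapshot of current exposure and does not replace the patch.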
“Dirty Frag is notable since it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components to enhance exploitation reliability,” Microsoft researchers wrote. “Rather than counting on narrow timing windows or unstable corruption conditions often related to Linux local privilege escalation exploits, Dirty Frag appears designed to extend consistency across vulnerable environments.”
Researchers at Google-owned Wiz said exploits may be less likely to break out of hardened containerized environments such as Kubernetes with default security settings in place. “Nonetheless, the danger stays significant for virtual machines or less restricted environments.”
The best response for anyone using Linux is to install patches immediately. While fixes likely require a reboot, protection from a threat as severe as Dirty Frag outweighs the cost of disruptions. Anyone who can’t install immediately should follow the mitigation steps specified by the posts linked above. Additional guidance may be found here.

