How to protect your Linux server from Dirty Frag (CVE-2026-43284, CVE-2026-43500)

What is Dirty Frag?

Dirty Frag is a chain of two Linux kernel vulnerabilities that together enable local privilege escalation:

  • CVE-2026-43284: page-cache write primitive in the IPsec ESP modules (esp4/esp6).
  • CVE-2026-43500: page-cache write primitive in the RxRPC module.

Both were disclosed on May 7, 2026. When the receive path decrypts over paged buffers not privately owned by the kernel (for example pages reaching the socket via splice(2) or sendfile(2)), an unprivileged process can retain references to the resulting plaintext and modify read-only system files. The result: root from an unprivileged account through a single command.

It is being actively exploited and a public proof-of-concept exists. The flaw behind CVE-2026-43284 has been in the upstream kernel since 2017; the one behind CVE-2026-43500 since 2023.

Are you affected?

Yes, if you run any modern Linux server that is unpatched:

  • AlmaLinux 8, 9, and 10
  • CloudLinux 7h, 8, 9, and 10
  • Rocky Linux, RHEL, Ubuntu, Debian, SUSE

Not affected: CloudLinux 7.

This applies to bare metal, VMs, and container hosts. The vulnerability lives in the kernel, so containers inherit the host's exposure.

How to check your server

Check the running kernel version:

uname -r

Compare it to the minimum patched versions in the next section. If your kernel version is lower than the patched version for the same branch, you are vulnerable.

How to mitigate

Option                            | Best for                    | Reboot? | Durable?
----------------------------------|-----------------------------|---------|----------
Install vendor patched kernel     | Everyone, long-term fix     | Yes     | Yes
KernelCare livepatch              | Servers running KernelCare  | No      | Yes
Blacklist esp4/esp6/rxrpc modules | While waiting for the patch | No      | Temporary

Option A: vendor patched kernel

Minimum patched versions:

  • AlmaLinux / CloudLinux / Rocky 8: kernel-4.18.0-553.123.2.el8
  • AlmaLinux / CloudLinux / Rocky 9: kernel-5.14.0-611.54.3.el9_7
  • AlmaLinux / CloudLinux / Rocky 10: kernel-6.12.0-124.55.2.el10_1
  • CloudLinux 7h: kernel-4.18.0-553.123.2.lve.el7h
  • Debian / Ubuntu: check the package changelog with apt changelog linux-image-$(uname -r) | grep -E 'CVE-2026-43284|CVE-2026-43500'.

Apply the kernel update and reboot:

dnf -y update 'kernel*'
reboot

Option B: KernelCare livepatch

kcarectl --update
kcarectl --info | grep kpatch-build-time

Any patch level dated May 8, 2026 or later contains the fix. No reboot required.

Option C: module blacklist (temporary workaround)

Disable the vulnerable modules until you can apply the patch. This breaks IPsec ESP and AFS clients, so use it only on servers that do not terminate or transit IPsec/strongSwan/Libreswan tunnels and do not depend on RxRPC:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf"
rmmod esp4 esp6 rxrpc 2>/dev/null; true

After applying the blacklist, drop the page cache to evict potentially tampered binaries from memory:

echo 3 > /proc/sys/vm/drop_caches

Once you install the patched kernel, remove the blacklist:

rm /etc/modprobe.d/dirtyfrag.conf

After mitigating

  1. Confirm the running kernel with uname -r and compare it to the patched versions.
  2. If you used KernelCare, verify the livepatch:
    kcarectl --patch-info | grep CVE-2026-43284
  3. Review /var/log/secure, auth.log, and the command history of unprivileged accounts for suspicious activity.
  4. If you find signs of root-level compromise, rotate credentials (root, MySQL, SSH keys, API tokens) and consider rebuilding the system.
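
The version comparison from "How to check your server" and step 1 above, as an added example (not vendor tooling and not part of the original article). The function names are hypothetical, and it assumes only the numeric version-release needs comparing, which is compared field by field so that 553.22 correctly sorts below 553.123.

```sh
#!/bin/sh
# Added example (not vendor tooling): classify a `uname -r` string against the
# minimum patched EL kernel builds listed in this article.
# Assumption: only the numeric version-release is compared; the minor-stream
# suffix (_7, _1) and the architecture are ignored.

# Minimum patched version-release per branch tag, taken from the list above.
min_for_branch() {
    case "$1" in
        el7h|el8) echo "4.18.0-553.123.2" ;;
        el9)      echo "5.14.0-611.54.3" ;;
        el10)     echo "6.12.0-124.55.2" ;;
        *)        return 1 ;;
    esac
}

# Succeeds when version $1 >= version $2, field by field (split on . and -).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Prints "patched", "vulnerable" or "unknown" for one kernel release string.
dirtyfrag_kernel_status() {
    rel=$1
    # Branch tag embedded in the release: el7h, el8, el9 or el10.
    branch=$(printf '%s\n' "$rel" | sed -n 's/.*\.\(el[0-9][0-9]*h\{0,1\}\).*/\1/p')
    min=$(min_for_branch "$branch") || { echo unknown; return 0; }
    # Keep only the part before ".lve" / ".elN", e.g. 4.18.0-553.123.2
    ver=$(printf '%s\n' "$rel" | sed 's/\.lve.*//; s/\.el[0-9].*//')
    if ver_ge "$ver" "$min"; then echo patched; else echo vulnerable; fi
}

# A livepatched host keeps its old `uname -r`; confirm those with kcarectl.
echo "$(uname -r): $(dirtyfrag_kernel_status "$(uname -r)")"
```

An "unknown" result (for example on Debian or Ubuntu) means the release string carries no EL branch tag, so fall back to the changelog check listed under Option A.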

Need help?

Open a ticket at soporte.telecu.cloud and reference: Dirty Frag (CVE-2026-43284, CVE-2026-43500).
