Warning: Dirty Frag, a new Linux Local Privilege Escalation vulnerability, was disclosed. Patch Immediately!

Published: 08/05/2026
  • Last update: 08/05/2026
  • Affected software: Linux kernel
  • Type: Local Privilege Escalation (LPE)
  • CVE/CVSS:
    → CVE-2026-43284: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2026-43500: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

 

Risks

The Linux kernel is the core component of the Linux operating system, responsible for managing the computer’s hardware and providing essential services to software applications. The “Dirty Frag” vulnerability allows a local unprivileged user to gain root privileges by chaining together two new vulnerabilities in the Linux kernel. This issue affects most major Linux distributions. Successful exploitation has a high impact on the confidentiality, integrity and availability of the involved system.

Description

“Dirty Frag” is a recently disclosed Linux kernel local privilege escalation (LPE) vulnerability that allows an unprivileged local user to obtain root access on many major Linux distributions. This includes a user logged in remotely via SSH. It belongs to the same class of page-cache corruption issues as Dirty Pipe and the more recent “Copy Fail” vulnerability. The vulnerability works by chaining two separate kernel flaws in the networking subsystem. Together, these flaws allow attackers to overwrite protected file contents in the Linux page cache without proper write permissions, ultimately enabling deterministic root privilege escalation.

The issue has been fixed in the Linux kernel, but an official kernel release containing the patch has not yet been published. Most Linux distributions, however, have backported these patches to their kernels and have started making them available through updates.

No in-the-wild exploitation has been reported to date. However, the similar “Copy Fail” vulnerability was exploited shortly after its public disclosure.

Recommended Actions

 
Patch  
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Mitigate
If patching is not immediately possible, the Centre for Cybersecurity Belgium strongly recommends implementing mitigation measures in accordance with your Linux distribution’s guidelines. Please be aware that these mitigation measures might break IPsec and AFS functionality.
 
Monitor/Detect 
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
 
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
 
 

References