CVE-2026-43500
published 2026-05-11CVE-2026-43500: In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet…
PriorityP180high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
92.77%
99.8th percentile
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
Affected
68 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | >= d0d5c0cd1e711c98703f3544c1e6fc1372898de5 < 7c504ffab3efce8f7e4f463b314ae31030bdf18b | 7c504ffab3efce8f7e4f463b314ae31030bdf18b |
| linux | linux | >= d0d5c0cd1e711c98703f3544c1e6fc1372898de5 < 3711382a77342a9a1c3d2e7330dcfc7ea927f568 | 3711382a77342a9a1c3d2e7330dcfc7ea927f568 |
| linux | linux | >= d0d5c0cd1e711c98703f3544c1e6fc1372898de5 < 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c | 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c |
| linux | linux | >= d0d5c0cd1e711c98703f3544c1e6fc1372898de5 < d45179f8795222ce858770dc619abe51f9d24411 | d45179f8795222ce858770dc619abe51f9d24411 |
| linux | linux | >= d0d5c0cd1e711c98703f3544c1e6fc1372898de5 < aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 | aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 |
| linux | linux_kernel | < 6.18.29 | 6.18.29 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 6.19 < 7.0.6 | 7.0.6 |
| ubuntu | linux | — | — |
| ubuntu | linux-aws | — | — |
| ubuntu | linux-aws-5.15 | — | — |
| ubuntu | linux-aws-5.4 | — | — |
| ubuntu | linux-aws-6.17 | — | — |
| ubuntu | linux-aws-6.8 | — | — |
| ubuntu | linux-aws-fips | — | — |
| ubuntu | linux-azure | — | — |
| ubuntu | linux-azure-5.15 | — | — |
| ubuntu | linux-azure-5.4 | — | — |
| ubuntu | linux-azure-6.17 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2026-43500 is the RxRPC Page-Cache Write sub-vulnerability of 'Dirty Frag'. Detect exploitation by monitoring for in-place crypto operations on skbs carrying externally-owned paged fragments (skb_has_frag_list() or skb_has_shared_frag() true) in the rxrpc subsystem, particularly via splice() into a UDP socket. ↗
- →Monitor for unexpected modifications to page-cache-backed read-only files such as /etc/passwd and /usr/bin/su in RAM (on-disk file unchanged, but in-memory copy differs). Use integrity monitoring tools that check live memory-mapped file content, not just on-disk hashes. ↗
- →Detect exploit activity by monitoring unprivileged processes making splice() syscalls in combination with rxrpc or UDP socket operations, especially when followed by privilege escalation (uid 0 process spawned from non-root parent). ↗
- →A public Metasploit module exists for CVE-2026-43500 (RxRPC Page-Cache Write). Hunt for execution of Metasploit-generated payloads or the module path linux/local/cve_2026_43284_dirty_frag on compromised hosts. ↗
- →Monitor for creation of /etc/modprobe.d/dirtyfrag.conf or /etc/modprobe.d/dirtyfrag-mitigation.conf as indicators that a system administrator has applied the Dirty Frag mitigation (useful for compliance/coverage tracking). ↗
- →In containerized environments, monitor for unexpected writes to base layer binaries (e.g., /usr/bin/su) from within a container, which may indicate an attempt to exploit Dirty Frag for container escape. ↗
- →The exploit is deterministic (no race condition required), making it highly reliable. Behavioral detections should not rely solely on timing anomalies; instead focus on the splice() + rxrpc/UDP socket combination and subsequent uid change. ↗
- ·Disabling esp4/esp6 kernel modules will break IPsec ESP functionality (VPN tunnels, IPsec-encrypted communications). Assess operational impact before applying this mitigation. ↗
- ·Disabling the rxrpc kernel module will break AFS (Andrew File System) distributed filesystem functionality. ↗
- ·CVE-2026-43500 affects the RxRPC subsystem introduced circa 2023; the paired CVE-2026-43284 (xfrm-ESP) dates to ~2017. Both must be chained for reliable full root escalation — neither alone provides a sufficiently reliable primitive. ↗
- ·The vulnerability was disclosed before embargo expiration due to reverse engineering of the fix commit by an unrelated third party, meaning patches may not be universally available at time of disclosure. ↗
- ·The exploit requires CAP_NET_ADMIN capability in addition to local access on some configurations; verify whether user namespaces are enabled (user.max_user_namespaces > 0) as this may lower the bar for exploitation. ↗
- ·On-disk file integrity checks (e.g., hashing /usr/bin/su on disk) will NOT detect exploitation, as the corruption is purely in RAM page cache. Only in-memory integrity verification will catch active exploitation. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck7.8HIGH
vendor_ubuntu8.8HIGH
vendor_redhat7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Linux Kernel up to 6.18.28/7.0.5/7.1-rc2 rxrpc rxrpc_input_call_event infinite loop (Nessus ID 313681 / WID-SEC-2026-1430)
vuldb·2026-05-25·CVSS 7.8
CVE-2026-43500 [HIGH] Linux Kernel up to 6.18.28/7.0.5/7.1-rc2 rxrpc rxrpc_input_call_event infinite loop (Nessus ID 313681 / WID-SEC-2026-1430)
A vulnerability labeled as critical has been found in Linux Kernel up to 6.18.28/7.0.5/7.1-rc2. Affected by this vulnerability is the function rxrpc_input_call_event of the component rxrpc. Such manipulation leads to infinite loop.
This vulnerability is uniquely identified as CVE-2026-43500. The attack can only be initiated within the local network. No exploit exists.
The affected component should be upgraded.
Kernel
Merge branch 'rxrpc-better-fix-for-data-response-decrypt-vs-splice'
kernel_security·2026-05-20·CVSS 7.8
CVE-2026-43500 [HIGH] Merge branch 'rxrpc-better-fix-for-data-response-decrypt-vs-splice'
Merge branch 'rxrpc-better-fix-for-data-response-decrypt-vs-splice'
David Howells says:
rxrpc: Better fix for DATA/RESPONSE decrypt vs splice()
Here are two patches containing better fixes for the in-place decryption of
DATA and RESPONSE packets that can corrupt pagecache spliced into UDP
packets and sent to an AF_RXRPC server [CVE-2026-43500], plus a patch to
precheck the length of rxgk-secured DATA packets.
Of the main patches, one patch fixes DATA decryption by having recvmsg
unconditionally extract the data into a flat bounce buffer and, if need be,
decrypt it there. It doesn't seem to cause a performance problem to do
this even on unencrypted packets; for encrypted packets it makes sure the
content is correctly aligned for crypto which seems to get a small
performance gain.
Furth
Kernel
rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg
kernel_security·2026-05-16·CVSS 7.8
CVE-2026-43500 [HIGH] rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg
rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg
This improves the fix for CVE-2026-43500.
Fix the pagecache corruption from in-place decryption of a DATA packet
transmitted locally by splice() by getting rid of the packet sharing in the
I/O thread and unconditionally extracting the packet content into a bounce
buffer in which the buffer is decrypted. recvmsg() (or the kernel
equivalent) then copies the data from the bounce buffer to the destination
buffer. The sk_buff then remains unmodified.
This has an additional advantage in that the packet is then arranged in the
buffer with the correct alignment required for the crypto algorithms to
process directly. The performance of the crypto does seem to be a little
faster and, surprisingly, the unencrypted performance
Kernel
rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
kernel_security·2026-05-16·CVSS 7.8
CVE-2026-43500 [HIGH] rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
This improves the fix for CVE-2026-43500.
Fix the verification of RESPONSE packets to avoid the problem of
overwriting a RESPONSE packet sent via splice to a local address by
extracting the contents of the UDP packet into a kmalloc'd linear buffer
rather than decrypting the data in place in the sk_buff (which may corrupt
the original buffer).
Fixes: 24481a7f5733 ("rxrpc: Fix conn-level packet handling to unshare RESPONSE packets")
Reported-by: Hyunwoo Kim
Closes: https://lore.kernel.org/r/afKV2zGR6rrelPC7@v4bel/
Signed-off-by: David Howells
cc: Simon Horman
cc: Jiayuan Chen
cc: [email protected]
cc: [email protected]
Reviewed-by: Jeffrey Altman
Tested-by: Marc Dionne
Link: https://patch.msgid.link/2026
GHSA
GHSA-8p2w-g92w-f4x3: In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-
ghsa_unreviewed·2026-05-11
CVE-2026-43500 [HIGH] CWE-787 GHSA-8p2w-g92w-f4x3: In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and
VulnCheck
Linux Kernel Out-of-bounds Write
vulncheck·2026·CVSS 7.8
CVE-2026-43500 [HIGH] Linux Kernel Out-of-bounds Write
Linux Kernel Out-of-bounds Write
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catch
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-06-22·CVSS 8.8
CVE-2026-43284 [HIGH] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container.
Ubuntu
Linux kernel (Oracle) vulnerabilities
vendor_ubuntu·2026-06-22·CVSS 7.8
CVE-2026-43284 [HIGH] Linux kernel (Oracle) vulnerabilities
Title: Linux kernel (Oracle) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic f
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-06-16·CVSS 7.8
CVE-2026-43503 [HIGH] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic fl
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-06-16·CVSS 6.4
CVE-2026-23262 [MEDIUM] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to cause load malicious CPU
microcode causing loss of integrity and confidentiality. (CVE-2024-36347)
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle share
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-06-11·CVSS 7.8
CVE-2026-46333 [HIGH] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic fl
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-04·CVSS 7.8
CVE-2026-43033 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
Several security issues were discovered i
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-04·CVSS 8.8
CVE-2026-43284 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- RDS protocol;
(CVE-2026-43494)
Instructions: After a standard system update you need to reboot your computer to ma
Ubuntu
Linux kernel (Azure FIPS) vulnerabilities
vendor_ubuntu·2026-06-04·CVSS 7.8
CVE-2026-23069 [HIGH] Linux kernel (Azure FIPS) vulnerabilities
Title: Linux kernel (Azure FIPS) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-4600
Ubuntu
Linux kernel (Raspberry Pi) vulnerabilities
vendor_ubuntu·2026-06-04·CVSS 5.5
CVE-2026-31504 [MEDIUM] Linux kernel (Raspberry Pi) vulnerabilities
Title: Linux kernel (Raspberry Pi) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
Several security issues w
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-04·CVSS 8.8
CVE-2026-43284 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-2026-43503,
CVE-2026-46300)
Qualys
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 8.8
CVE-2026-47333 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-202
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 8.8
CVE-2026-47333 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-202
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 7.8
CVE-2025-71134 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was di
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 8.8
CVE-2026-46300 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-202
Red Hat
kernel: "Dirty Frag" RxRPC variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel
vendor_redhat·2026-05-11·CVSS 7.8
CVE-2026-43500 [HIGH] CWE-123 kernel: "Dirty Frag" RxRPC variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel
kernel: "Dirty Frag" RxRPC variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel
A flaw was found in the Linux kernel's RxRPC networking subsystem. When a non-linear socket buffer carrying a splice-pinned page-cache reference reaches the RxRPC authentication verification path, the kernel performs an in-place pcbc(fcrypt) decryption directly on the referenced page-cache page without first isolating the buffer with skb_copy(). An unprivileged local attacker can exploit this behavior to corrupt the page-cache contents of readable files, including sensitive system files such as /etc/passwd, and obtain root privileges. Unlike the ESP/XFRM variant, exploitation does not require unprivileged user or network namespaces, but depends on the RxRPC protocol sta
Fortinet
Linux Kernel vulnerability Dirty Frag
vendor_fortinet·CVSS 8.8
CVE-2026-43284 [HIGH] Linux Kernel vulnerability Dirty Frag
FG-IR-26-144: Linux Kernel vulnerability Dirty Frag
CVSSv3 Score:
7.9
Linux kernel is impacted by CVE-2026-43284 and CVE-2026-43500 which chained together create the Dirty Frag vulnerability.CVE-2026-43284In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for unclo
No detection rules found.
Exploit-DB
Linux Kernel - Local Privilege Escalation
exploitdb·2026-05-29·CVSS 8.8
CVE-2026-46300 [HIGH] Linux Kernel - Local Privilege Escalation
Linux Kernel - Local Privilege Escalation
---
# Titles:** Linux Kernel Local Privilege Escalation (CVE-2026-43284 /
CVE-2026-43500 / CVE-2026-46300)
# Author:** nu11secur1ty
# Date:** 2026-05-11
# Vendor:** Linux Kernel
# Software:** Linux Kernel (All major distributions)
# Vulnerability Type:** Page-Cache Write / Memory Corruption
# Status:** HIGH / CRITICAL
---
## Description
The **"Kukurigu"** exploit represents a sophisticated local privilege
escalation (LPE) vector targeting the Linux kernel's page-cache management.
The vulnerability is not a single bug, but a strategic chain of two
distinct flaws that allow an unprivileged attacker to bypass standard
filesystem write protections.
### Vulnerability Chain:
1. **CVE-2026-43284 (xfrm-ESP):** A logic error in the ESP protocol
implem
Exploit-DB
Linux Kernel - Local Privilege Escalation
exploitdb·2026-05-27·CVSS 8.8
CVE-2026-43500 [HIGH] Linux Kernel - Local Privilege Escalation
Linux Kernel - Local Privilege Escalation
---
# Titles:** Linux Kernel Local Privilege Escalation (CVE-2026-43284 /
CVE-2026-43500)
# Author:** nu11secur1ty
# Date:** 2026-05-11
# Vendor:** Linux Kernel
# Software:** Linux Kernel (All major distributions)
# Vulnerability Type:** Page-Cache Write / Memory Corruption
# Status:** HIGH / CRITICAL
---
## Description
The **"Kukurigu"** exploit represents a sophisticated local privilege
escalation (LPE) vector targeting the Linux kernel's page-cache management.
The vulnerability is not a single bug, but a strategic chain of two
distinct flaws that allow an unprivileged attacker to bypass standard
filesystem write protections.
### Vulnerability Chain:
1. **CVE-2026-43284 (xfrm-ESP):** A logic error in the ESP protocol
implementation when Ext
Metasploit
rxkad Page-Cache Write via CVE-2026-43500
metasploit·CVSS 7.8
CVE-2026-43500 [HIGH] rxkad Page-Cache Write via CVE-2026-43500
rxkad Page-Cache Write via CVE-2026-43500
CVE-2026-43500 exploits a memory-corruption vulnerability in the Linux kernel's RxRPC authentication subsystem (rxkad). When a crafted DATA packet is delivered to an AF_RXRPC socket configured with an attacker-controlled rxkad session key, the kernel's rxkad_verify_packet_1() function performs an in-place 8-byte pcbc(fcrypt) decryption directly on the page-cache page referenced by the splice offset. Because the decryption mutates the page in-place without marking it dirty, the corrupted in-memory view is immediately visible to all processes reading from the page cache. This allows a local attacker to corrupt the in-memory contents of a SUID binary and escalate privileges to root.
Bugzilla
[Major Incident] CVE-2026-43500 kernel: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present [fedora-all]
bugzilla·2026-05-11·CVSS 7.8
CVE-2026-43500 [HIGH] [Major Incident] CVE-2026-43500 kernel: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present [fedora-all]
[Major Incident] CVE-2026-43500 kernel: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Reproducers, if any, will remain confidential and never be made public, unless done so by the security team.
Discussion:
I am not sure why this got an additional "Major Incident" when it was treated in Fedora as a part of the dirty frag vulnerability as a whole. Both dirty frag CVEs were addressed in the same kernel update.
*** This bug has been marked as a duplicate of bug 2467807 ***
Bugzilla
CVE-2026-43500 kernel: "Dirty Frag" RxRPC variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel
bugzilla·2026-05-08·CVSS 8.8
CVE-2026-43500 [HIGH] CVE-2026-43500 kernel: "Dirty Frag" RxRPC variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel
CVE-2026-43500 kernel: "Dirty Frag" RxRPC variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel
The “Dirty Frag” vulnerability is a local privilege escalation (LPE) issue in the Linux kernel that combines flaws in the ESP/XFRM and RXRPC subsystems (each one separately could be used) to allow an unprivileged local attacker to gain root access on major Linux distributions. The CVE-2026-43500 is about RxRpc variant of vulnerability and the other similar CVE-2026-43284 is about ESP/XFRM variant. The attack abuses kernel page-cache manipulation and network protocol handling to overwrite privileged binaries and execute arbitrary code with elevated privileges. Exploitation differs by distribution: the ESP issue affects systems permitting unprivileged user
Hackernews
New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets
blogs_hackernews·2026-06-26·CVSS 8.8
CVE-2026-43503 [HIGH] New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets
DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family. JFrog Security Research published a working exploit walkthrough for the flaw on June 25, the first public demonstration for this variant.
Tracked as CVE-2026-43503 (CVSS 8.8), it lets a local user corrupt file-backed memory through a cloned network packet and gain root. The patch landed in mainline on May 21; if your kernel does not have it, update now.
When the kernel copies a network packet internally, two helper functions drop a safety flag that marks the packet's m
Hackernews
Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models
blogs_hackernews·2026-06-09
CVE-2026-39987 Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models
University of Toronto researchers have built and tested a proof-of-concept AI-driven computer worm that uses a locally hosted open-weight large language model to reason its way through a network, generate tailored attack strategies for each target it encounters, and replicate itself, all without human intervention and without touching a commercial AI service.
The preprint, posted to arXiv on June 2 and currently under peer review, shows why single-CVE patching breaks down when malware can inspect exposed services, read fresh adviso
Rapid7
Metasploit Wrap Up 05/29/2026
blogs_rapid7·2026-05-29·CVSS 9.8
CVE-2026-43284 [CRITICAL] Metasploit Wrap Up 05/29/2026
## More Linux LPEs
Hark the age of the Linux LPE has arrived. This week’s release follows up on recent work bringing new Linux LPEs to Metasploit users. Copy Fail seemed to have kicked off a trend of similar bugs and hot on its heels is Dirty Frag. Dirty Frag is actually two vulnerabilities in a trenchcoat, individually identified as CVE-2026-43284 and CVE-2026-43500. Each is exploitable individually and comes with a new Metasploit module.
## New module content (5)
## Citrix ADC (NetScaler) CVE-2026-3055 Scanner
Authors: sfewer-r7 and watchTowr
Type: Auxiliary
Pull request: #21204 contributed by sfewer-r7
Path: scanner/http/citrix_netscaler_cve_2026_3055
AttackerKB reference: CVE-2026-3055
Description: Adds auxiliary module targeting CVE-2026-3055, an info leak in Citrix NetScaler
Hackernews
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
blogs_hackernews·2026-05-19·CVSS 7.5
CVE-2026-31635 [HIGH] DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE).
Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to be informed by the maintainers that it was a duplicate of a vulnerability that had already been patched in the mainline.
"It's a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb," Zellic co-founder Luna Tong (a
Huntress
Panic at the Distro
blogs_huntress·2026-05-14·CVSS 7.8
CVE-2026-31431 [HIGH] Panic at the Distro
Acknowledgments: Special thanks to Jamie Levy, Tom Lawrence, Jim Deville, Tyler Bohlmann, and Shivangi Pandey for their contributions to this write-up.
## TL;DR
It’s never a good day for administrators when a branded vulnerability drops, especially when multiple of them land in rapid fire. Over the last two weeks, security researchers independently discovered multiple vulnerabilities in the Linux kernel that allow an unprivileged user to easily gain root access (local privilege escalation). All of these named vulnerabilities pertain to the Linux kernel’s zero-copy functionality, and are named CopyFail (CVE-2026-31431), Dirty Frag (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300).
While these vulnerabilities require an attacker to have established access on a victim mac
Bleepingcomputer
New Fragnesia Linux flaw lets attackers gain root privileges
blogs_bleepingcomputer·2026-05-14·CVSS 8.8
CVE-2026-46300 [HIGH] New Fragnesia Linux flaw lets attackers gain root privileges
## New Fragnesia Linux flaw lets attackers gain root privileges
## Sergiu Gatlan
Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root.
Known as Fragnasia and tracked as CVE-2026-46300 , this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.
Zellic's head of assurance, William Bowling , who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit that achieves a memory-write primitive in the kernel that is used to corrupt the page cache memory of the /usr/bin/su binary to
Tenable
Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation
blogs_tenable·2026-05-14
CVE-2026-46300 Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation
## Exposure Management
## Explore By Use Case
## Explore By Industry
## Tenable is the one clear leader in Exposure Management
## Exposure management
resource center
## Accelerate your exposure management strategy with practical resources and tools.
## Explore By Use Case
## Explore By Industry
## Tenable is the one clear leader in Exposure Management
## Exposure management
resource center
## Accelerate your exposure management strategy with practical resources and tools.
## Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation
A new Linux kernel local privilege escalation exploit with a public proof-of-concept targets the same subsystem as Dirty Frag but requires a separate patch.
## Key Takeaways
CVE
Rapid7
Patch Tuesday - May 2026
blogs_rapid7·2026-05-13·CVSS 10.0
CVE-2026-41089 [CRITICAL] Patch Tuesday - May 2026
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday . Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089 , which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
Tenable
Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103)
blogs_tenable·2026-05-12·CVSS 9.1
CVE-2026-41103 [CRITICAL] Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103)
## Exposure Management
## Explore By Use Case
## Explore By Industry
## Tenable is the one clear leader in Exposure Management
## Exposure management
resource center
## Accelerate your exposure management strategy with practical resources and tools.
## Explore By Use Case
## Explore By Industry
## Tenable is the one clear leader in Exposure Management
## Exposure management
resource center
## Accelerate your exposure management strategy with practical resources and tools.
## Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103)
16 Critical
102 Important
0 Moderate
0 Low
Microsoft addresses 118 CVEs in its May 2026 Patch Tuesday release, with no zero-days exploited in the wild or publicly disclosed for the first time since June 2024.
Microsoft p
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Qualys
Dirty Frag: Using the Page Caches as an Attack Surface
blogs_qualys·2026-05-09·CVSS 7.8
CVE-2026-43284 [HIGH] Dirty Frag: Using the Page Caches as an Attack Surface
## Table of Contents
Qualys QID Coverage
Remediate at Scale With TruRiskEliminate
Dirty Frag is a Linux local privilege escalation (LPE) chain published on May 7, 2026. It combines two previously unknown kernel vulnerabilities can allow an unprivileged local user to escalate to root on many major Linux distributions.
xfrm-ESP Page-Cache Write (CVE-2026-43284)
RxRPC Page-Cache Write (CVE-2026-43500)
As of May 8, 2026, CVE-2026-43284 had been patched in mainline Linux, while public reporting indicated that CVE-2026-43500 did not yet have patches available.
The Dirty Pipe Connection:
Dirty Frag is the third discovery of a bug class that all share similar logic. A zero-copy send path plants an attacker-controlled or attacker-readable page into a kernel data structure as a raw reference
Wiz
Dirty Frag: Linux Kernel Local Privilege Escalation via ESP and RxRPC
blogs_wiz·2026-05-08·CVSS 7.8
CVE-2026-43284 [HIGH] Dirty Frag: Linux Kernel Local Privilege Escalation via ESP and RxRPC
A newly disclosed Linux kernel local privilege escalation vulnerability chain, dubbed “Dirty Frag” and assigned CVE-2026-43284 and CVE-2026-43500 , enables attackers with local access to obtain root privileges by exploiting flaws in the ESP (IPsec) and RxRPC subsystems. While no official patches are currently available, a public proof-of-concept exists. Organizations should assume the vulnerability is valid and exploitable under certain conditions. This vulnerability is a successor to Copy Fail (CVE-2026-31431) , and was discovered by Hyunwoo Kim (@v4bel). "CopyFail2" is another name for the same vulnerability, and is based on an exploit reversed from the fix commit .
## What is Dirty Frag?
Dirty Frag is a vulnerability chain combining two page-cache write primitives in the Linux kernel:
Tenable
Why the approaching flood of vulnerabilities changes everything — and what to do about it
blogs_tenable·2026-05-08
CVE-2026-43284 Why the approaching flood of vulnerabilities changes everything — and what to do about it
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Sans Isc
Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)
blogs_sans_isc·2026-05-08·CVSS 7.8
CVE-2026-31431 [HIGH] Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)
Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag
Published: 2026-05-08. Last Updated: 2026-05-08 14:57:03 UTC
by Yee Ching Tok (Version: 1)
0 comment(s)
Less than two weeks after the public disclosure of the Copy Fail vulnerability (CVE-2026-31431), another local privilege escalation (LPE) vulnerability in the Linux kernel has been revealed. Referred to as "Dirty Frag," this vulnerability was discovered and reported by Hyunwoo Kim (@v4bel) [1]. In this diary, I will provide a brief background on Dirty Frag, and discuss its relationship to Copy Fail. I will then discuss how to mitigate Dirty Frag and outline recommended next steps for system owners.
The existence of Dirty Frag was revealed after the coordinated disclosure embargo was broken by an unrela
Hackernews
Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
blogs_hackernews·2026-05-08·CVSS 7.8
CVE-2026-31431 [HIGH] Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel.
Dubbed Dirty Frag , it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026.
"Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cac
Bleepingcomputer
New Linux 'Dirty Frag' zero-day gives root on all major distros
blogs_bleepingcomputer·2026-05-08
CVE-2026-43284 New Linux 'Dirty Frag' zero-day gives root on all major distros
## New Linux 'Dirty Frag' zero-day gives root on all major distros
## Sergiu Gatlan
Kim released complete Dirty Frag documentation and a PoC exploit with distribution maintainers' agreement after an embargo on full public disclosure was broken on May 7, 2026, when an unrelated third party independently published the exploit.
"Because the embargo has currently been broken, no patch or CVE exists. After consultation with the maintainers on [email protected] and at their request, this Dirty Frag document is being published," Kim said.
To secure systems against attacks, Linux users can use the following command to remove the vulnerable esp4, esp6, and rxrpc kernel modules (however, it's important to note that this will break IPsec VPNs and AFS distributed network file systems)
Tenable
Dirty Frag (CVE-2026-43284, CVE-2026-43500): Frequently asked questions about this Linux kernel privilege escalation vulnerability chain
blogs_tenable·2026-05-08·CVSS 7.8
CVE-2026-43284 [HIGH] Dirty Frag (CVE-2026-43284, CVE-2026-43500): Frequently asked questions about this Linux kernel privilege escalation vulnerability chain
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
https://git.kernel.org/stable/c/3711382a77342a9a1c3d2e7330dcfc7ea927f568https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412chttps://git.kernel.org/stable/c/7c504ffab3efce8f7e4f463b314ae31030bdf18bhttps://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411https://access.redhat.com/security/cve/CVE-2026-43500https://bugzilla.redhat.com/show_bug.cgi?id=2468273https://github.com/V4bel/dirtyfraghttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43500.json
2026-05-11
Published
Exploited in the wild