
Both elevation-of-privilege vulnerabilities are caused by bugs in the kernel’s handling of in-memory page caches that allow untrusted users to modify them. They target caches in the networking and memory-fragment handling components. Specifically, CVE-2026-43284 targets esp4 and esp6, while CVE-2026-43500 zeroes in on rxrpc. Last week, CopyFail exploited a page cache error in the authencesn AEAD template used for IPsec extended sequence numbers. The 2022 vulnerability named Dirty Pipe was also caused by flaws that allowed attackers to overwrite page caches.
Researchers at security firm Automox wrote:
Dirty Frag belongs to the same bug family as Dirty Pipe and Copy Fail, but it targets the frag member of the kernel’s struct sk_buff rather than pipe_buffer. The exploit uses append() to plant a reference to a read-only page cache page (e.g. /etc/passwd or /usr/bin/su) into a frag of the sender’s socket skb. The kernel code on the receiving end then performs in-place cryptographic operations on that frag, modifying the page cache in RAM. Each subsequent read of the file sees the corrupted version, even though the attacker only had read access.
CVE-2026-43284 (IPsec ESP) is found in the esp_input() function on the receive path. When an skb is non-linear but does not have a frag list, the code skips skb_cow_data() and performs the AEAD decryption in place on the planted frag. From there, an attacker can manipulate the file offset and the 4-byte value of each store.
CVE-2026-43500, meanwhile, resides in rxkad_verify_packet_1(). The function decrypts RxRPC payloads using a single-block operation. Pages covered by a merge become both source and destination. This, combined with a freely derived decryption key using add_key (rxrpc), allows an attacker to overwrite the contents of memory.
Used on its own, each exploit fails on some systems. Some Ubuntu configurations use AppArmor to prevent untrusted users from creating namespaces, which neutralizes the ESP technique. Most other distributions do not load rxrpc.ko by default, which neutralizes the RxRPC arm. When chained together, the two exploits allow attackers to gain root on every major distribution that Kim tested. Once the exploits are enabled, attackers can use SSH access, web shell execution, container escapes, or compromised low-privileged accounts.
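To see where a host stands against the two conditions described above, the following added example (not from the article or the researchers it quotes) reads a `/proc/modules`-format file and the AppArmor user-namespace sysctl. The sysctl path is an assumption about which Ubuntu setting the restriction refers to, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the article: reports the two conditions it names.
# Assumption: /proc/sys/kernel/apparmor_restrict_unprivileged_userns is the
# Ubuntu AppArmor setting that restricts unprivileged user namespaces.
# Caveat: this is current state only; an absent module may load on demand.

# Print esp4/esp6/rxrpc entries found in a /proc/modules-format file.
# Matching is exact on the first field, so esp4_offload does not count as esp4.
affected_modules() {
    awk '$1=="esp4" || $1=="esp6" || $1=="rxrpc" {print $1}' "$1" | sort | xargs
}

# Succeed when the sysctl file exists and holds 1 (restriction enabled).
userns_restricted() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# $1: modules file, $2: sysctl file. Prints one summary line.
assess() {
    mods=" $(affected_modules "$1") "
    esp="not-loaded"; rx="not-loaded"
    case "$mods" in *" esp4 "*|*" esp6 "*) esp="loaded" ;; esac
    case "$mods" in *" rxrpc "*) rx="loaded" ;; esac
    if userns_restricted "$2"; then ns="restricted"; else ns="unrestricted"; fi
    echo "esp=$esp rxrpc=$rx userns=$ns"
}

# Constructed sample inputs (not captured from a real host).
write_sample() {
    printf '%s\n' \
        'esp4 28672 1 esp4_offload, Live 0x0000000000000000' \
        'esp4_offload 16384 0 - Live 0x0000000000000000' \
        'xfrm_user 61440 2 - Live 0x0000000000000000' > "$1/modules"
    echo 1 > "$1/userns"
}

# Live use: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    assess /proc/modules /proc/sys/kernel/apparmor_restrict_unprivileged_userns
fi
```

A result of `userns=restricted` or `rxrpc=not-loaded` corresponds to the partial barriers the article describes, not to a patched kernel.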
“Dirty Frag is notable because it provides multiple kernel attack paths involving rxrpc and esp/xfrm network components to increase exploit reliability,” Microsoft researchers wrote. “Instead of relying on narrow time windows or the unstable corruption conditions associated with Linux local privilege elevation exploits, Dirty Frag is designed to increase consistency in sensitive environments.”
Researchers at Wiz, a Google-owned company, said exploits will be less likely to break out of hardened containerized environments such as Kubernetes with default security settings. “However, the risk remains significant for virtual machines or less restricted environments.”
The best response for anyone using Linux is to install the patches immediately. While the fixes will likely require a reboot, protection from a serious threat like Dirty Frag outweighs the cost of the disruption. Anyone unable to install immediately should follow the mitigation steps in the posts linked above. You can find additional instructions here.





