New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks

Summary

A new local privilege escalation vulnerability dubbed Dirty Frag (CVE-2026-43284 and CVE-2026-43500) chains two kernel flaws in xfrm-ESP and RxRPC components, allowing unprivileged users to escalate to root with very high success rate. The vulnerability was disclosed publicly before patches were available, and Microsoft reports it may already be exploited in the wild for post-compromise lateral movement. Major Linux distributions including Red Hat, Ubuntu, Fedora, and Amazon Linux have begun releasing patches and mitigations.

Full text

A newly disclosed local privilege escalation vulnerability affecting major Linux distributions may already be exploited in the wild. The exploit, named Dirty Frag and Copy Fail 2, chains two flaws tracked as CVE-2026-43284 and CVE-2026-43500, allowing an unprivileged user to escalate permissions to root. Researcher Hyunwoo Kim responsibly disclosed the vulnerability, but someone made it public before patches could be released, prompting Kim to make the technical details and PoC code available. “Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high,” Kim explained. The vulnerabilities affect the xfrm-ESP (IPsec) and RxRPC components of the Linux kernel, with the greatest impact on hosts that do not run container workloads. In container deployments, an attacker may be able to exploit Dirty Frag to escape a container, but this has yet to be demonstrated, Ubuntu developers noted. Dirty Frag is similar to Dirty Pipe, a vulnerability that emerged in 2022, and the recently discovered flaw named Copy Fail.Advertisement. Scroll to continue reading. Copy Fail has been exploited in the wild, and Microsoft reports that Dirty Frag may also have been exploited. According to the tech giant, Dirty Frag can be exploited after attackers gain access to the targeted system, which can be achieved through various means, including compromised SSH accounts, web shell access via internet-exposed applications, abusing service accounts, container escapes to the host environment, or remote access compromise. Microsoft said its Defender product has seen limited in-the-wild activity that could indicate exploitation of either Dirty Frag or Copy Fail. “After gaining elevated access, the actor modifies a GLPI LDAP authentication file (evidenced by a .swp file from vim), performs reconnaissance of the GLPI directory and system configuration, and inspects an exploit artifact,” Microsoft explained. “The activity then shifts to accessing sensitive data and interacting with PHP session files — first deleting multiple session files and then forcefully wiping additional ones — before reading remaining session data, indicating both disruption of active sessions and access to session contents,” it added. Linux distributions have started releasing patches and mitigations for Dirty Frag, including Red Hat, Amazon Linux, Ubuntu, Fedora, and Alma Linux. Related: OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years Related: Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access Related: Organizations Warned of Exploited Linux Vulnerabilities Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Drupal to Patch Highly Critical Vulnerability at Risk of Quick ExploitationMicrosoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’ Critical Vulnerability Exposes Industrial Robot Fleets to HackingMillions Impacted Across Several US Healthcare Data Breaches7-Eleven Data Breach Confirmed After ShinyHunters Ransom DemandGrafana Confirms Breach After Hackers Claim They Stole DataHackers Earn $1.3 Million at Pwn2Own Berlin 2026 Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild Latest News Quantum Bridge Raises $8 Million for Quantum-Safe Key Distribution SolutionMicrosoft Rolls Out Mitigations for ‘YellowKey’ BitLocker BypassAI-Powered App Attacks Are Faster, More Frequent and Harder to Stop1Password Teams With OpenAI to Stop AI Coding Agents From Leaking CredentialsAnthropic Silently Patches Claude Code Sandbox BypassOver 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain AttackCaught Off Guard: Securing AI After It Hits ProductionReal-World ICS Security Tales From the Trenches Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register Webinar: Third-Party Risk in Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register People on the MoveTim Byrd has been appointed Chief Information Security Officer at First Citizens Bank.IRONSCALES has named Steve McKenzie as Chief Operating Officer.Silvio Pappalardo has joined AuthMind as Chief Revenue Officer.More People On The MoveExpert Insights Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Cyber Resilience is the New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Is the SOC Obsolete, and We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-43284
• cve — CVE-2026-43500
• malware — Dirty Frag

Entities