Two new privilege escalation vulnerabilities, CVE-2026-43284 and CVE-2026-43500, have been disclosed in the Linux kernel. Both stem from flaws in how the kernel handles page-cache pages held in memory, which let untrusted users modify them. Specifically, they target page-cache pages that end up in the networking and memory-fragment handling components. CVE-2026-43284 exploits the esp4 and esp6 (IPsec ESP) code, while CVE-2026-43500 targets rxrpc. These bugs belong to the same family as earlier page-cache corruption vulnerabilities such as "Copy Fail" (disclosed last week) and "Dirty Pipe" (2022).
Security firm Automox has dubbed the pair "Dirty Frag." The exploit family resembles "Dirty Pipe" and "Copy Fail," but targets the frag member of the kernel's struct sk_buff rather than a pipe_buffer. The technique uses the splice() system call to plant a reference to a read-only page-cache page (for example, /etc/passwd or /usr/bin/su) into the frag slot of a sender-side skb. Receiver-side kernel code then performs in-place cryptographic operations on that frag, modifying the page cache in RAM. An attacker with only read access to the file can therefore corrupt its content as seen by all subsequent reads.
CVE-2026-43284 lies in the esp_input() function on the IPsec ESP receive path. When an skb is non-linear but has no frag list, the kernel skips skb_cow_data() and performs in-place AEAD decryption on the planted frag. This gives the attacker control over both the file offset and the 4-byte value of each store.
CVE-2026-43500 is in rxkad_verify_packet_1(), which decrypts RxRPC payloads one block at a time. Here, splice-pinned pages serve as both source and destination. Combined with the ability to freely extract the decryption key via add_key() (rxrpc key type), an attacker can use this flaw to rewrite file contents directly in memory.
Individually, neither exploit is considered reliable. For example, some Ubuntu configurations use AppArmor to prevent untrusted users from creating unprivileged user namespaces, which neutralizes the ESP technique, and most other distributions do not load rxrpc.ko by default, which blunts the RxRPC technique. Chained together, however, the two exploits gave root on every major distribution Kim tested. Successful exploitation can then lead to SSH access, web-shell execution, container escapes, or the compromise of low-privilege accounts.
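As an added, defender-side example (not code from the disclosure, Automox, or any vendor quoted here), the following POSIX shell script audits the two mitigations this section mentions: whether rxrpc.ko is loaded or loadable, and whether unprivileged user-namespace creation is restricted. The sysctl names it reads are assumptions about Ubuntu/Debian kernels, and the on-host paths are assumed defaults.

```shell
#!/bin/sh
# Audit of the Dirty Frag mitigations discussed above. Every check takes
# explicit paths so it can run against the live host (/proc/modules,
# /etc/modprobe.d, /proc/sys) or against constructed test inputs.
# The sysctl knob names are assumptions (Ubuntu/Debian kernels).

# knob_is FILE VALUE: 0 if FILE is readable and holds exactly VALUE.
knob_is() {
  [ -r "$1" ] && [ "$(cat "$1")" = "$2" ]
}

# rxrpc_loaded MODULES_FILE: 0 if rxrpc is in the loaded-module list.
rxrpc_loaded() {
  grep -q '^rxrpc ' "$1"
}

# rxrpc_install_blocked MODPROBE_DIR: 0 if a *.conf maps rxrpc to /bin/false
# or /bin/true. A bare "blacklist rxrpc" only stops alias-based autoload and
# not an explicit modprobe, so it is deliberately not accepted.
rxrpc_install_blocked() {
  [ -d "$1" ] || return 1
  grep -Eqs '^[[:space:]]*install[[:space:]]+rxrpc[[:space:]]+/bin/(false|true)([[:space:]]|$)' "$1"/*.conf
}

# userns_restricted SYSCTL_ROOT: 0 if unprivileged user namespaces are disabled
# by the AppArmor knob, the unprivileged_userns_clone knob, or a zero limit.
userns_restricted() {
  knob_is "$1/kernel/apparmor_restrict_unprivileged_userns" 1 ||
  knob_is "$1/kernel/unprivileged_userns_clone" 0 ||
  knob_is "$1/user/max_user_namespaces" 0
}

# dirty_frag_exposure MODULES_FILE MODPROBE_DIR SYSCTL_ROOT: report each path
# and return 0 only when both the RxRPC and the ESP path are closed.
dirty_frag_exposure() {
  status=0
  if rxrpc_loaded "$1" || ! rxrpc_install_blocked "$2"; then
    echo "RxRPC path: open (rxrpc loaded, or no 'install rxrpc /bin/false')"
    status=1
  else
    echo "RxRPC path: closed"
  fi
  if userns_restricted "$3"; then
    echo "ESP path:   closed (unprivileged user namespaces restricted)"
  else
    echo "ESP path:   open (unprivileged user namespaces allowed)"
    status=1
  fi
  return $status
}

[ "${1:-}" = "--audit" ] && dirty_frag_exposure /proc/modules /etc/modprobe.d /proc/sys
```

Run it with `--audit` on a host to get the live verdict; a non-zero exit means at least one of the two paths is still open.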
Microsoft researchers commented that "Dirty Frag is notable because it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components to improve exploitation reliability. Rather than relying on narrow timing windows or unstable corruption conditions often associated with Linux local privilege escalation exploits, Dirty Frag appears designed to increase consistency across vulnerable environments."
Researchers from Wiz, the Google-owned security firm, noted that the exploits are less likely to break out of hardened containerized environments such as Kubernetes with its default security settings, but cautioned that the risk still remains.