12 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-43284 is a local privilege escalation vulnerability in the Linux kernel related to xfrm and ESP shared skb fragment handling. The flaw can lead to memory corruption and unsafe page-cache manipulation conditions within the kernel.
An attacker with local access to a vulnerable Linux system may exploit this vulnerability to escalate privileges and gain root-level access. Public proof-of-concept exploit code is available as part of the “Dirty Frag” exploitation chain, and active exploitation in the wild has been confirmed.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Local Privilege Escalation Vulnerability in Linux Kernel xfrm ESP Handling
CVSS Score: 7.8 (High, CVSS v3.0)
Identifier: CVE-2026-43284
PoC or Exploitation:
Public proof-of-concept exploit code is available as part of the "Dirty Frag" exploitation chain. There are confirmed reports of active exploitation in the wild.
Update/ Patch:
Linux kernel maintainers and Linux distributions have released fixes and mitigation guidance for this vulnerability.
Affected versions include:
Linux kernel builds containing the vulnerable xfrm / ESP shared skb fragment handling behavior
Fixed versions include:
Mainline and stable Linux kernel releases containing the upstream xfrm/ESP fix
AlmaLinux patched kernel releases containing backported fixes for the vulnerable ESP/xfrm behavior
Distribution-specific kernel updates as released by Linux vendors
Patch and mitigation status remains distribution-specific. Red Hat, Ubuntu, Amazon Linux, and other vendors should be checked individually for finalized package availability and mitigation guidance.
Linux kernel and advisory references:
Description:
CVE-2026-43284 is a local privilege escalation vulnerability in the Linux kernel related to xfrm and ESP shared skb fragment handling.
The vulnerability can lead to memory corruption and unsafe page-cache manipulation conditions within the kernel.
An attacker with local access to a vulnerable system may exploit the vulnerability to escalate privileges and gain root-level access.
Mitigation Recommendation:
Immediately apply updated Linux kernel packages and distribution-specific security fixes where available.
Prioritize patching multi-user Linux systems, container hosts, shared environments, and systems where untrusted code execution is possible.
Monitor systems for suspicious local privilege escalation behavior, unexpected root-level process execution, or anomalous kernel activity.
Restrict unnecessary local shell access and enforce least-privilege access controls.
For Red Hat Enterprise Linux environments, review mitigation guidance regarding blocklisting esp4, esp6, and rxrpc modules where operationally feasible until patches are fully deployed.
Review Linux distribution advisories from vendors such as AlmaLinux, Debian, Ubuntu, Red Hat, and Amazon Linux for evolving patch availability and mitigation guidance.
Local Privilege Escalation Vulnerability in Linux Kernel RxRPC Paged Fragment Handling
CVSS Score: 7.8 (High, CVSS v3.0)
Identifier: CVE-2026-43500
PoC or Exploitation:
Public proof-of-concept exploit code is available as part of the "Dirty Frag" exploitation chain. There are confirmed reports of active exploitation in the wild.
Update/ Patch:
Linux kernel maintainers and Linux distributions have released fixes and mitigation guidance for this vulnerability.
Affected versions include:
Linux kernel builds containing the vulnerable RxRPC paged fragment handling behavior
Fixed versions include:
Mainline and stable Linux kernel releases containing upstream fixes for the RxRPC fragment handling issue
Distribution-specific kernel updates released by Linux vendors and maintainers
Patch and mitigation status currently varies by Linux distribution and kernel branch.
Distribution references include:
- Debian tracking and security updates
- Ubuntu security tracking and mitigation guidance
- Red Hat mitigation guidance and package tracking
- CloudLinux and KernelCare livepatch rollout guidance
Linux kernel and advisory references:
Description:
CVE-2026-43500 is a local privilege escalation vulnerability in the Linux kernel involving unsafe RxRPC paged fragment handling behavior.
The vulnerability is associated with memory and packet-fragment handling issues within the Linux networking subsystem.
An attacker with local access to a vulnerable Linux system may exploit the vulnerability to escalate privileges and gain root-level access.
Mitigation Recommendation:
Immediately apply updated Linux kernel packages and distribution-specific security fixes where available.
Prioritize patching multi-user Linux systems, container hosts, shared infrastructure, and systems where untrusted code execution is possible.
Monitor systems for suspicious privilege escalation activity, unexpected root-level process execution, or anomalous kernel behavior.
Restrict unnecessary local shell access and enforce least-privilege access controls.
