Another universal Linux root exploit just dropped. Dirty Frag chains two kernel bugs to give an unprivileged user root on every major distro.

Korean security researcher Hyunwoo Kim disclosed Dirty Frag on May 7, eight days after Theori's Copy Fail. It combines two page-cache write bugs: CVE-2026-43284 in the IPsec ESP code, present since January 2017, and CVE-2026-43500 in the RxRPC remote-procedure-call module, added in mid-2023. Each bug has a blind spot — ESP needs unprivileged user namespaces (blocked on Ubuntu by AppArmor), and RxRPC needs the rxrpc kernel module loaded (which most enterprise distros don't ship). Chained together, they cover every major distro: ESP on Red Hat, Fedora, openSUSE; RxRPC on Ubuntu.

The standard linux-distros embargo had a May 12 release date, but an unrelated third party published the ESP exploit on May 7, breaking the embargo. Kim then released the full write-up and chained PoC with distribution maintainers' agreement.

Most major distributions don't have a patch yet. AlmaLinux and CloudLinux are already rolling out fixes. Kim's recommended mitigation is to blacklist three kernel modules: esp4, esp6, and rxrpc. If you applied last week's Copy Fail mitigation by blacklisting algif_aead, that does nothing for Dirty Frag — different subsystems, different primitives.

Sources:
https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/
https://www.wiz.io/blog/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc
https://www.helpnetsecurity.com/2026/05/08/dirty-frag-linux-vulnerability-cve-2026-43284-cve-2026-43500/
https://almalinux.org/blog/2026-05-07-dirty-frag/
https://blog.cloudlinux.com/dirty-frag-mitigation-and-kernel-update

More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday.
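A way to check the module mitigation described above, as an added example that is not part of the original description or of Kim's write-up. It assumes the blacklist is kept in modprobe.d-style `*.conf` files as `blacklist` or `install ... /bin/false` lines; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit the Dirty Frag module mitigation for esp4, esp6 and rxrpc.
# Assumption: the blacklist lives in modprobe.d-style *.conf files.
DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# module_status MODULE PROC_MODULES_FILE MODPROBE_DIR
# Prints one of: loaded | disabled | blacklisted | loadable
module_status() {
    mod=$1; proc=$2; dir=$3
    # A module already in the kernel stays there until rmmod or reboot,
    # whatever modprobe.d says.
    if awk -v m="$mod" '$1 == m { hit = 1 } END { exit !hit }' "$proc"; then
        echo loaded; return 0
    fi
    # "install MOD /bin/false" stops modprobe loading it by name or alias;
    # "blacklist MOD" only stops alias-based autoloading.
    cat "$dir"/*.conf 2>/dev/null | awk -v m="$mod" '
        /^[ \t]*#/ { next }
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { dis = 1 }
        $1 == "blacklist" && $2 == m { bl = 1 }
        END { print (dis ? "disabled" : (bl ? "blacklisted" : "loadable")) }'
}

# audit PROC_MODULES_FILE MODPROBE_DIR: prints one line per module and
# returns 1 if any of them is still loaded or loadable.
audit() {
    rc=0
    for m in $DIRTY_FRAG_MODULES; do
        s=$(module_status "$m" "$1" "$2")
        printf '%-6s %s\n' "$m" "$s"
        case $s in loaded|loadable) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample host: only the Copy Fail blacklist (algif_aead) covers
# rxrpc, esp4 is disabled, esp6 was blacklisted after it had been loaded.
make_sample() {
    mkdir -p "$1/modprobe.d"
    printf '%s\n' 'esp6 28672 0 - Live 0x0000000000000000' \
        'algif_hash 16384 0 - Live 0x0000000000000000' > "$1/proc_modules"
    printf '%s\n' '# constructed sample' 'blacklist algif_aead' \
        'install esp4 /bin/false' 'blacklist esp6' > "$1/modprobe.d/hardening.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit "$tmp/proc_modules" "$tmp/modprobe.d" || echo "mitigation incomplete"
rm -rf "$tmp"
```

On a real host the same check is `audit /proc/modules /etc/modprobe.d`; it does not look at other modprobe.d locations or at modules built into the kernel.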
