Apply Dirty Frag kernel backports — Microsoft now confirms in-the-wild

Pull Red Hat / AlmaLinux / openSUSE / Ubuntu kernel updates for CVE-2026-43284 (xfrm-ESP) and CVE-2026-43500 (RxRPC) as they land; Red Hat RHSB-2026-003 was updated 2026-05-09 and errata are rolling to RHEL 8/9/10. Where patches are not yet available, blacklist the esp4 / esp6 / rxrpc modules via /etc/modprobe.d/ after assessing IPsec / AFS dependencies — or, less disruptive on Ubuntu-style estates with default-blocked user namespaces, set kernel.unprivileged_userns_clone=0 via sysctl. Post-incident forensics on suspected Dirty Frag compromise cannot rely on md5sum of files (the primitive writes to page cache, not disk) — compare in-memory page contents against authoritative checksums.