Dirty Frag (CVE-2026-43284 xfrm-ESP + CVE-2026-43500 RxRPC) — Microsoft confirmed ITW, RxRPC distro patches still propagating
From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17
If you did nothing this week: any Linux host (workload, container host, on-premises server, public-cloud VM) where the kernel ships xfrm-ESP enabled (default on virtually every distribution) is exposed to a single-command unprivileged-to-root privilege escalation with public PoC; Microsoft confirmed limited in-the-wild exploitation on 2026-05-08 and tracked further activity into 2026-05-11 (Microsoft Security Blog, 2026-05-08; daily 2026-05-11 UPDATE; Wiz Research). Patch propagation is substantially complete: AlmaLinux 8/9/10, Ubuntu, Debian, Fedora, openSUSE all ship CVE-2026-43284 kernels as of 2026-05-07–10, with KernelCare live-patches generally available (AlmaLinux blog).
CVE-2026-43500 (RxRPC) patch propagation is uneven. AlmaLinux 8 is not affected (rxrpc module not built); RHEL 9 errata are rolling; Ubuntu and Debian shipped patches; the lagging configurations are systems that have the optional kernel-modules-partner package installed (typical on AFS-using estates and some research-network deployments). The interim mitigation — modprobe -r esp4 esp6 rxrpc — breaks IPsec VPNs and AFS file-system access, so production rollout requires impact testing rather than blanket application. Detection focus: Sysmon EID 1 / auditd execve events showing unusual parent-process chains from non-root users spawning root-effective shells.
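As an added example (not part of the original brief), the detection focus above applied to constructed auditd execve records: it flags a shell running with euid 0 whose login uid (auid) belongs to a regular user and whose parent process is not a known privilege-transition binary such as sudo or su. The sample records, pids and paths are constructed; the shell and transition-binary lists are assumptions to adjust per site.

```python
import re
from typing import Dict, List, Tuple

# Constructed auditd SYSCALL records (no real host or incident). Records 1-2: a user runs
# sudo, which execs a root bash (expected). Records 3-4: an unprivileged python3 process
# owned by auid 1001 execs a shell that is suddenly euid 0 with no sudo/su in between.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1778580000.101:3320): arch=c000003e syscall=59 success=yes exit=0 ppid=4090 pid=4100 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=SYSCALL msg=audit(1778580000.102:3321): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1778580120.500:3380): arch=c000003e syscall=59 success=yes exit=0 ppid=5100 pid=5200 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="python3" exe="/usr/bin/python3" key="exec"
type=SYSCALL msg=audit(1778580121.000:3381): arch=c000003e syscall=59 success=yes exit=0 ppid=5200 pid=5201 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="sh" exe="/usr/bin/sh" key="exec"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # auditd's "no login uid" (daemons, boot-time processes)
# execve/execveat numbers per audit arch (x86_64, aarch64); names accepted for `ausearch -i` output
EXEC_SYSCALLS = {"c000003e": {"59", "322"}, "c00000b7": {"221", "281"}}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh",
          "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash", "/usr/bin/zsh"}
# Parents that legitimately hand a regular user a root shell (assumed list; extend per site policy)
PRIV_TRANSITION = {"/usr/bin/sudo", "/bin/su", "/usr/bin/su", "/usr/bin/pkexec", "/usr/bin/doas"}

def parse_exec_records(text: str) -> List[Dict[str, str]]:
    """Return only the SYSCALL records that are execve/execveat calls."""
    recs = []
    for line in text.splitlines():
        if "type=SYSCALL" not in line:
            continue
        d = {k: v.strip('"') for k, v in FIELD.findall(line)}
        sc = d.get("syscall", "")
        if sc in ("execve", "execveat") or sc in EXEC_SYSCALLS.get(d.get("arch", ""), set()):
            recs.append(d)
    return recs

def find_unexpected_root_shells(text: str) -> List[Tuple[str, int, str, str]]:
    """(pid, auid, shell, parent exe) for root-effective shells not reached via sudo/su/pkexec."""
    recs = parse_exec_records(text)
    by_pid = {r["pid"]: r for r in recs}  # parent lookup; a real pipeline keys on pid+boot id
    hits = []
    for r in recs:
        auid = int(r.get("auid", AUID_UNSET))
        # auid survives both setuid and a kernel escalation: it still names who logged in
        if auid in (0, AUID_UNSET) or r.get("euid") != "0" or r.get("exe") not in SHELLS:
            continue
        parent = by_pid.get(r.get("ppid"))
        parent_exe = parent.get("exe", "?") if parent else "?"  # "?" = parent outside the window
        if parent_exe in PRIV_TRANSITION:
            continue  # expected escalation path
        hits.append((r["pid"], auid, r["exe"], parent_exe))
    return hits
```

A parent that fell outside the log window is reported as "?" rather than suppressed, so a shell with no visible sudo/su ancestor is reviewed rather than silently passed.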