ctipilot.ch


CVE-2026-43284 / CVE-2026-43500 — Linux "Dirty Frag": deterministic LPE chain via page-cache write primitives in xfrm-ESP and RxRPC, active exploitation confirmed

high vulnerability discovered 2026-05-09 05:00 UTC

Entities: Embargo NCSC-CH

Part of run 2026-05-09-migrated (intel · unknown)

Researcher Hyunwoo Kim disclosed "Dirty Frag" on 2026-05-07/08 after a third party inadvertently broke embargo by reverse-engineering the upstream patch. The chain exploits two page-cache write primitives: CVE-2026-43284 (xfrm-ESP/IPsec subsystem, introduced ~2017, kernel mainline patch merged 2026-05-08) and CVE-2026-43500 (RxRPC subsystem, introduced ~2023, patch still pending at disclosure). Unlike race-condition kernel exploits, this chain is deterministic and near-100% reliable: both primitives allow userland code to write arbitrary values into read-only page-cache pages (e.g., /etc/passwd, /usr/bin/su, setuid binaries) via memory aliasing caused by DMA remapping. The combined primitive yields a stable path to root with no timing window.

Exploitation requires CAP_NET_ADMIN, which is available by default inside Linux user namespaces on Ubuntu, Fedora, and most Arch-based distributions, and restricted on RHEL 8/9 and some hardened configurations.

A public PoC was published alongside the disclosure. Microsoft Defender telemetry confirms limited active campaigns in which threat actors escalated from SSH-compromised user accounts, modified LDAP authentication files, exfiltrated PHP session contents, and disrupted active sessions (Microsoft Security Blog, 2026-05-08 · Wiz Research, 2026-05-08 · NCSC-CH advisory 12547, 2026-05-08).

Affected distributions with confirmed exposure: Ubuntu 22.04/24.04/24.10, RHEL 8/9/10, Fedora, CentOS Stream, AlmaLinux, openSUSE Tumbleweed. Red Hat published RHSB-2026-003 (Red Hat security bulletin); Ubuntu published a blog post announcing the available fixes (Ubuntu blog). Mitigation until patches land: modprobe -r esp4 esp6 rxrpc (this breaks IPsec VPNs and AFS filesystems). This is a distinct chain from CVE-2026-31431 ("Copy Fail"), also by Kim; the two vulnerabilities are not the same primitive.


Action items

  • Dirty Frag combines two independent primitives, CVE-2026-43284 (xfrm-ESP) and CVE-2026-43500 (RxRPC): patch both subsystems at the same time where possible, since either one alone provides the page-cache write.
  • Apply the kernel patch as it becomes available for your distribution. Track Ubuntu/RHEL security advisories: Ubuntu patches for CVE-2026-43284 are available; distribution patches for CVE-2026-43500 are pending.
  • Interim: modprobe -r esp4 esp6 rxrpc. Verify impact on site-to-site IPsec VPN configurations before applying in production. This breaks IPsec (esp4/esp6) and AFS (rxrpc) if used.
  • Disable unprivileged user namespaces if not required: sysctl -w kernel.unprivileged_userns_clone=0 (Ubuntu/Debian) or sysctl -w user.max_user_namespaces=0 (RHEL/CentOS). Prevents namespace-based CAP_NET_ADMIN acquisition.
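A defender-side pre-flight audit for the two interim mitigations above (unloading esp4/esp6/rxrpc and restricting unprivileged user namespaces), added here as example code rather than ctipilot's or any distribution's own tooling; the function names, the --live flag and the verdict strings are this example's own conventions, and file paths are parameters so the checks also run against captured copies of /proc/modules.

```shell
#!/bin/sh
# Example audit for the Dirty Frag interim mitigations (not vendor tooling).
RISKY_MODULES="esp4 esp6 rxrpc"   # the modules the brief says to unload
# loaded_risky_modules <proc-modules-file>
# Prints, in file order, the risky modules present in a /proc/modules listing
# (the module name is the first whitespace-separated field of each line).
loaded_risky_modules() {
    found=""
    while read -r name rest; do
        for m in $RISKY_MODULES; do
            [ "$name" = "$m" ] && found="$found $m"
        done
    done < "$1"
    echo "${found# }"
}
# userns_exposed <unprivileged_userns_clone> <max_user_namespaces>
# Succeeds when unprivileged user namespaces look usable, i.e. the route to
# CAP_NET_ADMIN the brief describes is open. Pass "" for the first argument
# where kernel.unprivileged_userns_clone is absent (it is Debian/Ubuntu-specific).
userns_exposed() {
    [ "$1" = "0" ] && return 1
    [ "$2" = "0" ] && return 1
    return 0
}
# risk_level <loaded-modules> <1 if userns exposed, else 0>
# Folds both findings into one verdict string for a fleet report.
risk_level() {
    if [ -z "$1" ]; then
        echo "modules-absent"
    elif [ "$2" = "1" ]; then
        echo "exposed"
    else
        echo "modules-loaded-userns-restricted"
    fi
}
# Live run on the current host; only executed when invoked with --live.
# A missing max_user_namespaces file is reported as "unknown", which the
# checks treat as exposed rather than assuming the namespace is disabled.
audit_live_host() {
    mods=$(loaded_risky_modules /proc/modules)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
    maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo unknown)
    exposed=0; userns_exposed "$clone" "$maxns" && exposed=1
    echo "kernel=$(uname -r) loaded=[$mods] verdict=$(risk_level "$mods" "$exposed")"
}
if [ "${1:-}" = "--live" ]; then audit_live_host; fi
```

modprobe -r only removes modules that are currently loaded; unless a modprobe.d blacklist or install rule is also in place, a module can be autoloaded again the next time something requests its protocol, so a clean verdict right after unloading is not a durable state.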
