Blog

DirtyFrag: A New Linux Kernel Vulnerability and What to Do About It Right Now

dirtyflag_en
Uncategorized

DirtyFrag: A New Linux Kernel Vulnerability and What to Do About It Right Now

Picture this: your server is running fine. nginx is serving pages, fail2ban is banning bots, Cloudflare is filtering garbage traffic. You’ve set up ModSecurity, installed a WAF, closed unnecessary ports. The server is a fortress.

Then someone finds a SQL injection in an outdated plugin, gets RCE as www-data, runs one command — and becomes root.

Welcome to DirtyFrag.

WHAT HAPPENED

On May 7, 2026, security researcher Hyunwoo Kim published technical details of a Linux kernel vulnerability he named DirtyFrag. The disclosure embargo was broken by a third party before distributions had time to prepare patches — so a working exploit became publicly available before any fix existed.

The vulnerability was assigned two CVEs:
— CVE-2026-43284 — xfrm-ESP Page-Cache Write (IPsec, esp4/esp6 modules)
— CVE-2026-43500 — RxRPC Page-Cache Write (rxrpc module)

CVSS 3.1: 8.8 (HIGH) for CVE-2026-43284 and 7.8 (HIGH) for CVE-2026-43500.

Affected distributions include Ubuntu, Debian, RHEL, AlmaLinux, Fedora, openSUSE, and CentOS Stream — essentially every major server distro. The vulnerability has been present in Linux kernels since approximately 2017.

HOW IT WORKS (WITHOUT DIVING INTO ASSEMBLY)

The Linux kernel uses a page cache — essentially a RAM buffer for files read from disk. When the kernel reads /etc/passwd or /usr/bin/su, it stores the contents in the page cache and works with the cached version from that point on.

DirtyFrag exploits two bugs in the IPsec ESP and rxrpc decryption paths. Under specific conditions (data transfer via splice(2)/sendfile(2)), the kernel decrypts data directly over pages that an unprivileged process still holds a reference to. The result: a write primitive into the page cache without authorization.

What does this give an attacker? The ability to replace the in-memory contents of a system file. For example, to modify /usr/bin/su so that instead of asking for a password, it immediately opens a root shell. The file on disk remains untouched — the kernel simply serves the “fresh” page from cache.

Three properties that make DirtyFrag particularly nasty:
— No race condition. This is a deterministic bug, not a timing attack.
— High exploit success rate.
— The kernel doesn’t crash even on a failed attempt — making the attack hard to detect.

BUT THERE’S A CATCH

DirtyFrag is an LPE (Local Privilege Escalation), not a remote exploit. The attacker must already have the ability to execute code on the server.

A typical attack chain:

  1. RCE via a vulnerable WordPress plugin, outdated PHP, or an exposed service
  2. The attacker operates as www-data or another unprivileged user
  3. They run DirtyFrag — and get root

This is exactly why a well-configured stack (Cloudflare + WAF + nftables + fail2ban) reduces the risk but doesn’t eliminate it entirely. If there’s any gap for initial access — DirtyFrag turns it into full server control.

WHAT TO DO RIGHT NOW

Step 1. Check whether the vulnerable modules are loaded

lsmod | grep -E 'esp4|esp6|rxrpc'

If the output is empty — they’re not loaded. But the blacklist is still necessary: the modules may load on the next reboot or during certain network operations.

Step 2. Block the modules (primary workaround)

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf"
sudo rmmod esp4 esp6 rxrpc 2>/dev/null
echo "Done"

This is safe for most servers. Exception: if you’re running an IPsec VPN or AFS — verify whether you actually need these modules before blacklisting.

Step 3. Drop the page cache

If you suspect someone may have already attempted to exploit the vulnerability — flush potentially compromised pages from cache:

sudo sh -c "echo 3 > /proc/sys/vm/drop_caches"

This is safe to run on a live system. The kernel will simply free clean cache; the next file reads will come fresh from disk.

Step 4. Update the kernel as soon as a patch is available

Ubuntu/Debian:

sudo apt update && sudo apt upgrade -y
sudo reboot

RHEL/AlmaLinux/Fedora:

sudo dnf clean metadata && sudo dnf upgrade -y
sudo reboot

After rebooting with the patched kernel, remove the workaround:

sudo rm /etc/modprobe.d/dirtyfrag.conf

Step 5. Isolate PHP-FPM via systemd

If you haven’t done this yet — it’s a solid general practice that limits the blast radius of any initial RCE:

sudo systemctl edit php8.3-fpm

Add the following:

[Service]
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
sudo systemctl daemon-reload && sudo systemctl restart php8.3-fpm

NoNewPrivileges=yes is the key directive here — it prevents the process from gaining privileges beyond what it started with. Even if www-data runs DirtyFrag, the privilege escalation is blocked at the systemd level.

Step 6. Separate DB server — don’t forget about it

“My database is in a private network, nobody can reach it” — classic assumption. If the web server is compromised, the attacker is already inside your network. One hop and they’re on the DB server. Then DirtyFrag does the rest.

Same two minutes of work on the DB server. IPsec is definitely not needed there — blacklist without hesitation:

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf"
sudo rmmod esp4 esp6 rxrpc 2>/dev/null
sudo sh -c "echo 3 > /proc/sys/vm/drop_caches"

And NoNewPrivileges=yes for the database service itself:

sudo systemctl edit postgresql   # or mysql / mariadb
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
sudo systemctl daemon-reload && sudo systemctl restart postgresql

WHERE TO TRACK PATCH STATUS

Ubuntu security notices: https://ubuntu.com/security/notices
AlmaLinux errata: https://errata.almalinux.org
RHEL security bulletin: https://access.redhat.com/security/vulnerabilities/RHSB-2026-003

Watch for kernel updates mentioning “fixes CVE-2026-43284” — update and reboot as soon as they appear.

IF YOUR SERVER MAY ALREADY BE COMPROMISED

Signs worth checking:
— Unexpected processes running as root or unknown users
— Changes to /etc/passwd, /etc/sudoers, /etc/crontab (even if the file looks normal on disk — verify the hash)
— New SSH keys in ~/.ssh/authorized_keys
— Suspicious outbound traffic in nftables logs

# Verify hashes of system binaries
sudo debsums -c 2>/dev/null | head -20       # Debian/Ubuntu
sudo rpm -Va 2>/dev/null | grep -E '^..5' | head -20  # RHEL/AlmaLinux
# Recent logins
last -20
lastb -20
# Processes running as root
ps aux | grep ^root

BOTTOM LINE

DirtyFrag is not a reason to panic — but it is a reason to act. The vulnerability is real, the exploit is public, and patches are still pending for some distributions.

Three things to do today:

  1. Add the module blacklist — two commands, five minutes.
  2. Make sure PHP-FPM is isolated via systemd with NoNewPrivileges=yes.
  3. Subscribe to your distro’s security announcements and update the kernel the moment a patch drops.

If your stack already includes Cloudflare + WAF + fail2ban + nftables — you’re in a good position. DirtyFrag doesn’t work without initial access, and your job is to deny that access in the first place.


Author: sysadmin.courses
Course “Linux Server Security: From Beginner to Pro” — practical Linux server security for those who want to understand, not just copy-paste commands.

Leave your thought here

Your email address will not be published. Required fields are marked *