Dirty Frag (CVE-2026-43284 and CVE-2026-43500): Detecting unpatched local privilege escalation via Linux Kernel ESP and RxRPC

On May 8, 2026, two significant vulnerabilities in the Linux kernel, named Dirty Frag (CVE-2026-43284 and CVE-2026-43500), were disclosed by independent researcher Hyunwoo Kim ahead of patches due to an embargo breach. These vulnerabilities allow unprivileged local users to gain root access by corrupting page caches through Linux Kernel ESP and RxRPC, affecting Linux kernel versions 4.10 through 7.0 across most distributions. The vulnerabilities exploit a flaw in the kernel’s handling of network decryption processes, enabling an attacker to manipulate the cache of essential system files such as /usr/bin/su. A public proof of concept was released, highlighting the ease and reliability of the exploit using standard syscalls, with detection and mitigation efforts involving runtime monitoring tools like Sysdig and Falco, as well as recommendations to update kernels and restrict vulnerable modules. This incident follows closely after another Linux kernel vulnerability, emphasizing the recurrent nature of such security flaws.