Linux kernel privilege escalation vulnerability “Dirty Frag”

Published: May 11, 2026

Summary

On May 7, 2026, security researcher Hyunwoo Kim (@v4bel on GitHub) published a technical report detailing Dirty Frag, a Linux local privilege escalation (LPE) vulnerability class. Dirty Frag enables attackers to gain root privileges on a wide range of Linux distributions by chaining two kernel-level page cache write vulnerabilities: the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and the RxRPC Page-Cache Write vulnerability (CVE-2026-43500).

The release included a proof-of-concept (PoC), increasing the risk of real-world exploitation. Due to the absence of official patches at the time of disclosure, systems remain highly exposed. Organizations are strongly encouraged to review mitigation guidance and monitor for potential exploitation activity.

Technical details

Dirty Frag leverages weaknesses in the Linux kernel’s page cache handling, specifically through two subsystems:

  • xfrm-ESP (Encapsulating Security Payload)
  • RxRPC (Remote Execution Remote Procedure Call)

These vulnerabilities allow attackers to perform unauthorized writes to the page cache. By chaining both flaws, an attacker with local system access can manipulate memory-backed file contents and escalate privileges to root.

The attack works by exploiting inconsistencies in how cached file pages are updated and synchronized. Malicious writes can overwrite protected data structures or binaries in memory before they are flushed to disk, bypassing traditional permission checks enforced at the filesystem level.

Because this occurs within the kernel and page cache layer, the attack bypasses many user-space security mechanisms and can affect nearly all Linux distributions that include the vulnerable components.

CVE identifiers

  • CVE-2026-43284 (xfrm-ESP Page-Cache Write)
  • CVE-2026-43500 (RxRPC Page-Cache Write)

Impacted versions

Multiple Linux distributions are affected, including all Ubuntu releases.
Other distributions that use the vulnerable kernel components are likely affected as well.

Fixed versions

No official patches are currently available.
Mitigation guidance has been released (e.g., by Ubuntu), though applying it may have functional impact.

Active exploitation

Reports indicate active exploitation attempts following the PoC release.
The availability of a working exploit significantly lowers the barrier for attackers.

Recommendations

  • Restrict local access paths
  • Disable or tightly control SSH access (use allowlists, VPN-only access)
  • Remove unused user accounts and enforce MFA
  • Prevent untrusted users from obtaining shell access on shared systems
  • Enable AppArmor or SELinux
  • Disable or restrict unneeded kernel modules (especially xfrm and rxrpc if not required)
    lsmod | grep -E 'xfrm|rxrpc'
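
The module check above can be extended to also report whether modprobe configuration prevents each matching module from being loaded again. The script below is an added example, not part of the original advisory; the function names, the hardening.conf file name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.
PATTERN='xfrm|rxrpc'    # same pattern as the advisory's lsmod | grep -E

# loaded_matches FILE: names of loaded modules matching PATTERN.
# FILE uses the /proc/modules format (module name is the first field).
loaded_matches() {
    awk '{ print $1 }' "$1" | grep -E "$PATTERN" | sort
}

# is_blocked MODULE DIR: true if a *.conf file in DIR maps MODULE to
# /bin/false or /bin/true with an "install" rule. A bare "blacklist" line is
# not counted: it does not stop explicit or dependency-driven loads.
is_blocked() {
    mod=$(printf '%s' "$1" | sed 's/-/_/g')   # modprobe treats - and _ alike
    cat "$2"/*.conf 2>/dev/null | sed 's/-/_/g' |
        grep -Eq "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(false|true)"
}

# audit FILE DIR: one status line per matching loaded module.
audit() {
    for m in $(loaded_matches "$1"); do
        if is_blocked "$m" "$2"; then
            echo "$m loaded, future loads blocked"
        else
            echo "$m loaded, NOT blocked"
        fi
    done
}

# demo: run audit over constructed sample data (not taken from a real host).
demo() {
    d=$(mktemp -d)
    mkdir "$d/modprobe.d"
    cat > "$d/modules" <<'EOF'
rxrpc 425984 0 - Live 0x0000000000000000
xfrm_user 61440 2 - Live 0x0000000000000000
ext4 1146880 1 - Live 0x0000000000000000
EOF
    printf 'install rxrpc /bin/false\nblacklist xfrm_user\n' \
        > "$d/modprobe.d/hardening.conf"
    audit "$d/modules" "$d/modprobe.d"
    rm -rf "$d"
}
```

On a live host, call `audit /proc/modules /etc/modprobe.d`. Code built into the kernel image never appears in /proc/modules, so an empty result does not show that the subsystem is absent.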

Support

As always, please let us know if you have any questions or concerns or see unusual activity on your systems that you believe might be associated with this or any other vulnerability. Please send these communications to security.response@utoronto.ca.