Eight days after Copy Fail shook the Linux server world, another critical vulnerability has arrived, and this one also grants root access to anyone who can run code on your server.
It is called “Dirty Frag”. It was publicly disclosed on May 7, 2026. A working exploit already exists. And if your server hasn’t been patched or rebooted since May 8, it’s vulnerable right now.
What is Dirty Frag?
Dirty Frag is the informal name for a chained exploit that combines two Linux kernel vulnerabilities: CVE-2026-43284 and CVE-2026-43500. The first one is already patched; the second is still being rolled out to distributions at the time of writing.
The root cause of CVE-2026-43284 lies in how the Linux kernel handles network packet memory in the IPsec/ESP path. When MSG_SPLICE_PAGES attaches pages from a pipe directly to a network buffer (skb), IPv4/IPv6 datagram paths were unable to mark those pages as shared.
As a result, an ESP-in-UDP packet built from shared pipe pages looked to the kernel like an ordinary privately owned buffer, so ESP decryption ran in place on memory that the skb does not own. An attacker who knows how to manipulate this behavior can achieve a controlled write to the kernel page cache and ultimately escalate to root.
In layman’s terms: the kernel trusted memory it shouldn’t have trusted, and an attacker can use that misplaced trust to take over the entire machine.
Unlike the earlier Dirty Pipe vulnerability, which depended on a tight race condition in pipe buffer flag handling, Dirty Frag is a deterministic logic flaw. Researcher Hyunwoo Kim reports very high success rates and minimal risk of kernel panic, with no timing window to hit. This makes it unusually reliable as exploits go.
How it connects to Copy Fail
Copy Fail (CVE-2026-31431), disclosed on April 29, exploited a logic error in the cryptographic subsystem of the Linux kernel, specifically a flaw in the authencesn AEAD template that allowed a controlled 4-byte write to the kernel page cache. A 732-byte Python script was enough to get root on all major Linux distributions released since 2017.
Dirty Frag follows the same fundamental pattern: a page cache write primitive converted to a root escalation, but via a completely different code path. Both vulnerabilities turn long-standing in-place processing optimizations into deterministic root primitives: Copy Fail via user-space cryptography, Dirty Frag via IPsec receive.
The connection is not coincidental. Researcher Hyunwoo Kim explicitly built on the class of bug that Copy Fail introduced. Some members of the security community have already started referring to CVE-2026-43284 as “Copy Fail 2.0.” What looked like a rare kernel bug ten days ago is turning into a repeatable class of attack.
An interesting aspect of Dirty Frag is that chaining the two vulnerabilities (CVE-2026-43284 and CVE-2026-43500) covers the blind spots of each. Neither defect alone provides a sufficiently reliable primitive for full root escalation. Combined, however, the chained exploit achieves immediate root on most distributions.
Who is affected?
All servers running a conventional Linux kernel built around 2017 or later are affected. All supported versions of AlmaLinux are affected. CVE-2026-43284 affects AlmaLinux 8, 9, and 10 through the esp4/esp6 modules, which are part of the standard kernel package in each version.
The full list of affected distributions includes Red Hat Enterprise Linux, AlmaLinux, Debian, Ubuntu, Fedora, Arch Linux, CentOS, CloudLinux, and Amazon Linux.
For web hosting environments specifically, the threat vector is the same as Copy Fail: the vulnerability is not remotely exploitable by itself and requires an existing foothold. The danger is that once an attacker gets in (via a vulnerable WordPress plugin, a web shell, weak SSH credentials, or a compromised container), Dirty Frag allows them to immediately escalate to root and then disable security tools, read credentials, alter logs, move laterally, or persist on the server.
On shared hosting servers, a single compromised account could turn into an entire server compromise.
The solution: step by step
Step 1: Update the kernel
Patched kernels have been available in production repositories since May 8, 2026. This is the only real fix.
For AlmaLinux, CloudLinux, Rocky Linux, CentOS Stream, RHEL:
sudo dnf clean metadata && sudo dnf upgrade
sudo reboot
For Debian/Ubuntu:
sudo apt update && sudo apt upgrade
sudo reboot
For CloudLinux with KernelCare (no reboot required):
kcarectl --update
After rebooting, confirm that you are running the patched kernel:
uname -r
Compare the result with the patched version in your distribution’s security advisory before considering the server protected.
Step 2: Interim mitigation (if you cannot reboot immediately)
If an immediate reboot is not possible, you can block the vulnerable modules from loading. The Dirty Frag white paper offers a mitigation that removes the modules containing the vulnerabilities and clears the page cache:
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
> /etc/modprobe.d/dirtyfrag.conf
rmmod esp4 esp6 rxrpc 2>/dev/null
echo 3 > /proc/sys/vm/drop_caches
Important before applying this: Verify that your server does not use IPsec VPN tunnels, encrypted site-to-site networks, or Kubernetes network policies that depend on esp4 or esp6. Disabling these modules on a server with IPsec enabled will break those connections. If in doubt, apply the kernel update.
After installing the patched kernel and rebooting the server, roll back the mitigation by removing the /etc/modprobe.d/dirtyfrag.conf file.
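The rmmod line above discards its errors, so a module that is still in use stays loaded without any message. The following script is an added example, not part of the original article or the Dirty Frag white paper: it reads /proc/modules and a modprobe.d directory and reports whether esp4, esp6 and rxrpc are both unloaded and blocked. The function names and the sample data in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit the Step 2 mitigation.
# On a real host, pass two arguments: /proc/modules /etc/modprobe.d
MODS="esp4 esp6 rxrpc"

# refcount MODULE FILE: print the use count (3rd column of a
# /proc/modules-format FILE) if MODULE is loaded, else print nothing.
refcount() {
    awk -v m="$1" '$1 == m { print $3 }' "$2"
}

# is_blocked MODULE DIR: succeed if DIR/*.conf has "install MODULE /bin/false".
is_blocked() {
    cat "$2"/*.conf 2>/dev/null |
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { ok = 1 }
                       END { exit (ok ? 0 : 1) }'
}

# audit FILE DIR: one line per module; returns 0 only when every module
# is both unloaded and blocked from loading again.
audit() {
    rc=0
    for m in $MODS; do
        refs=$(refcount "$m" "$1")
        if is_blocked "$m" "$2"; then blocked=yes; else blocked=no; rc=1; fi
        if [ -z "$refs" ]; then
            echo "$m: not loaded, blocked=$blocked"
        else
            # rmmod refuses a module with a non-zero use count, and the
            # "2>/dev/null" in the mitigation hides that error.
            echo "$m: STILL LOADED (use count $refs), blocked=$blocked"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: esp4 has two users, so rmmod would have failed silently.
demo() {
    d=$(mktemp -d) || return 2
    printf 'esp4 24576 2 - Live 0x0\nxfrm_user 49152 1 - Live 0x0\n' > "$d/modules"
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > "$d/dirtyfrag.conf"
    audit "$d/modules" "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

if [ $# -eq 2 ]; then audit "$1" "$2"; else demo || echo "(sample host is not fully mitigated)"; fi
```

A non-zero exit from audit means at least one module is still loaded or not blocked, so the host should be treated as exposed until the patched kernel is running.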
Step 3: Combine with the Copy Fail fix
If you have not already addressed Copy Fail (CVE-2026-31431), treat both vulnerabilities as a combined remediation effort, given their similarity and overlapping mitigation steps. A single kernel update and reboot covers both. Verify that your running kernel has patches for CVE-2026-31431 and CVE-2026-43284 before considering the server clean.
What does this mean in the future?
Two universal Linux kernel privilege escalation vulnerabilities in eight days is not normal. Dirty Frag is the second in this period, after Copy Fail. With a working public proof of concept released before patches and exploitation reduced to a handful of standard system calls, defenders must assume that any local foothold on an unpatched host can become root in seconds.
The Dirty Frag disclosure also went awry: an unrelated third party leaked details of the exploit before distributions finished packaging patches, forcing a premature public disclosure while CVE-2026-43500 was still unpatched. This is the same pattern that made Copy Fail so dangerous in its early hours.
The practical lesson is that the time between attackers learning about a vulnerability and exploiting it in the wild is now measured in hours, not days. Kernel updates should be treated with the same urgency as application security patches: applied as soon as they are available, not during the next scheduled maintenance period.
For any server running web hosting workloads: apply the patch today, reboot and verify. Then set alerts so that the next time this happens, you’ll know within an hour.
Sources
Help Net Security: https://www.helpnetsecurity.com/2026/05/08/dirty-frag-linux-vulnerability-cve-2026-43284-cve-2026-43500/
AlmaLinux Security Notice: https://almalinux.org/blog/2026-05-07-dirty-frag/
Tenable Research FAQ: https://www.tenable.com/blog/dirty-frag-cve-2026-43284-cve-2026-43500-frequency-asked-questions-linux-kernel-lpe
Sysdig Detection Guide: https://www.sysdig.com/blog/dirty-frag-cve-2026-43284-and-cve-2026-43500-detecting-unpatched-local-privilege-escalation-via-linux-kernel-esp-and-rxrpc
SUSE CVE entry: https://www.suse.com/security/cve/CVE-2026-43284.html
Ubuntu CVE page: https://ubuntu.com/security/CVE-2026-43284
Ubuntu Blog (fixes available): https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available
CloudLinux Blog (Dirty Frag): https://blog.cloudlinux.com/dirty-frag-mitigation-and-kernel-update
Knightli Mitigation Guide: https://www.knightli.com/en/2026/05/09/dirty-frag-cve-2026-43284-linux-lpe-mitigation/
