CVE-2026-43284
In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place.
7 articles across 6 outlets · first covered May 8, 2026 · latest May 27, 2026
Tracked incidents
Coverage timeline
-
Moxa Linux Flaw Lets Local Users Gain Root Access via Dirty Fragsecurityonline.info · May 27, 2026
-
GitHub fixes SSRF bug CVE-2026-9312 and kernel flawssecurityonline.info · May 27, 2026
-
Dirty Frag Linux kernel flaw lets users gain root, patches issuedarstechnica.com · May 11, 2026
-
Dirty Frag exploit released, putting Linux root at riskwww.darkreading.com · May 11, 2026
-
Linux Kernel Dirty Frag Flaws Trigger Urgent Patch Rolloutwww.infosecurity-magazine.com · May 11, 2026
-
Dirty Frag (CVE-2026-43284) lets Linux users gain rootwww.securityweek.com · May 11, 2026
-
Dirty Frag Linux flaw (CVE-2026-43284) lets users gain rootwww.microsoft.com · May 8, 2026