
A newly disclosed Linux kernel flaw tracked as CVE-2026-43284, dubbed Dirty Frag, lets unprivileged local users gain root privileges by corrupting the page cache, according to advisories from Moxa and warnings from Microsoft.
The vulnerability scores CVSS 8.8 and is described as a chaining issue that combines the xfrm‑ESP page‑cache write weakness (CVE-2026-43284) with the RxRPC page‑cache write weakness (CVE-2026-43500). Both affect the esp4, esp6 and rxrpc networking modules and can be exploited without relying on a race condition.
Exploitation works by performing in‑place cryptographic operations on read‑only page‑cache pages, allowing an attacker to overwrite files such as /etc/passwd or /usr/bin/su and escalate to root. The technique is considered more reliable than traditional race‑condition‑based local privilege escalation methods.
Microsoft has reported that Dirty Frag may already have been seen in‑the‑wild, following the earlier exploitation of the related Copy Fail flaw (CVE-2026-31431). While no specific threat actor has been named, the bug could be used after an initial foothold gained via SSH, a web shell or a container escape.
The flaw impacts major distributions including Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora and openSUSE, and poses a risk both to bare‑metal hosts and to containerised environments where a successful exploit could lead to host compromise. Moxa’s advisory notes that disabling the rxrpc module is an immediate mitigation while patches are prepared.
Defenders should consider denylisting the vulnerable esp4, esp6 and rxrpc modules, applying vendor‑supplied kernels or live patches where available, and monitoring for abnormal page‑cache modifications. Tools such as BPF‑LSM can be used to block suspicious AF_ALG binds as an interim measure.
Prioritising patch deployment and verifying that the mitigations are in place will reduce the chance of local privilege escalation, especially in environments where untrusted users may obtain shell access.