Dirty Frag spans two vulnerabilities with different introduction points in kernel history, but together they affect every kernel version currently shipped by any major Linux distribution. The xfrm-ESP variant has been present for roughly nine years; the RxRPC variant was introduced more recently but still covers all distributions that the ESP variant cannot reach alone.

Vulnerability scope

xfrm-ESP Page-Cache Write (CVE-2026-43284)

The vulnerable branch in esp_input() was introduced by commit cac2661c53f3 on 2017-01-17 and is present in every kernel release since. The mainline fix (f4c50a4034e6, merged 2026-05-08) closes this path by checking the SKBFL_SHARED_FRAG flag before taking the branch that skips skb_cow_data(). Distribution backports are pending, so no released distribution kernel contains the fix yet. Effective lifetime: approximately 9 years.

RxRPC Page-Cache Write (CVE-2026-43500)

The missing copy-out guard in rxkad_verify_packet_1() was introduced by commit 2dc334f1a63a in June 2023 and affects all kernel versions up to current upstream. A patch has been submitted (adding || skb->data_len to the guard in call_event.c and conn_event.c) but has not yet been merged into any tree.

Tested distributions

The following distributions and kernel versions have been tested and confirmed exploitable.
| Distribution        | Kernel version                |
|---------------------|-------------------------------|
| Ubuntu 24.04.4      | 6.17.0-23-generic             |
| RHEL 10.1           | 6.12.0-124.49.1.el10_1.x86_64 |
| openSUSE Tumbleweed | 7.0.2-1-default               |
| CentOS Stream 10    | 6.12.0-224.el10.x86_64        |
| AlmaLinux 10        | 6.12.0-124.52.3.el10_1.x86_64 |
| Fedora 44           | 6.19.14-300.fc44.x86_64       |

Why both variants are needed

No single variant covers every distribution on its own; each one fills the gap the other leaves:
  • Ubuntu enforces an AppArmor policy that blocks unprivileged user namespace creation, so the xfrm-ESP variant (which requires unshare(CLONE_NEWUSER)) cannot be triggered. However, Ubuntu ships and loads rxrpc.ko by default, so the RxRPC variant is available without any elevated privilege.
  • RHEL, CentOS Stream, Fedora, openSUSE and AlmaLinux allow unprivileged user namespace creation, so the xfrm-ESP variant works. These distributions do not ship rxrpc.ko in their default builds, so the RxRPC variant does not apply.
Chaining both variants in a single exploit binary produces a tool that succeeds across all of the above distributions. See the chaining page for the exact decision logic.
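A precondition probe that implements the per-distribution reasoning above, added here as an example; it is not the Dirty Frag exploit code and not taken from the chaining page. It only tests whether each variant's preconditions hold and never touches xfrm or rxrpc state. Assumptions that go beyond the text: a usable user namespace is taken to mean that unshare(CLONE_NEWUSER | CLONE_NEWNET) succeeds (the extra CLONE_NEWNET also catches policies that permit the namespace but strip its capabilities), a loaded rxrpc module is detected via the /sys/module/rxrpc directory, and when both paths are open the RxRPC path is preferred because it needs no namespace at all.

```c
/* Dirty Frag variant-selection probe (added example, not the project's code).
 * Checks the two preconditions discussed above and picks the applicable
 * variant. It does not configure any xfrm or rxrpc state.
 */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum variant { VARIANT_NONE = 0, VARIANT_XFRM_ESP = 1, VARIANT_RXRPC = 2 };

/* Pure decision logic, separated from the probes so it can be tested.
 * Preference order is an assumption of this example: RxRPC needs no user
 * namespace, so it wins when rxrpc.ko is loaded; otherwise fall back to
 * xfrm-ESP if an unprivileged user namespace can be created. */
enum variant choose_variant(int userns_ok, int rxrpc_loaded)
{
    if (rxrpc_loaded)
        return VARIANT_RXRPC;
    if (userns_ok)
        return VARIANT_XFRM_ESP;
    return VARIANT_NONE;
}

const char *variant_name(enum variant v)
{
    switch (v) {
    case VARIANT_XFRM_ESP: return "xfrm-esp";
    case VARIANT_RXRPC:    return "rxrpc";
    default:               return "none";
    }
}

/* Probe unprivileged user-namespace creation in a throwaway child so the
 * caller's own namespaces are untouched. CLONE_NEWNET is added (assumption)
 * because an xfrm setup needs capabilities over a network namespace; a policy
 * that allows the user namespace but denies its capabilities fails here too.
 * Returns 1 when the namespaces could be created, 0 otherwise. */
int probe_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0 ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* rxrpc.ko counts as available only if it is currently loaded (assumed path:
 * /sys/module/rxrpc). This deliberately does not try to trigger autoload via
 * socket(AF_RXRPC, ...), so a distribution that ships but does not load the
 * module reads as "not loaded". */
int probe_rxrpc_loaded(void)
{
    struct stat st;
    return stat("/sys/module/rxrpc", &st) == 0 && S_ISDIR(st.st_mode);
}

int main(void)
{
    int userns = probe_userns();
    int rxrpc = probe_rxrpc_loaded();

    printf("unprivileged user+net namespace: %s\n", userns ? "yes" : "no");
    printf("rxrpc module loaded:             %s\n", rxrpc ? "yes" : "no");
    printf("applicable variant:              %s\n",
           variant_name(choose_variant(userns, rxrpc)));
    return 0;
}
```

Run it as an unprivileged user on each host; on the Ubuntu and RHEL-family systems in the table above the expected outcomes are "rxrpc" and "xfrm-esp" respectively, and "none" means neither precondition holds on that host (for example, after the modules have been disabled).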
The ~9-year lifetime of the xfrm-ESP vulnerability means that even long-term-support distributions tracking very old kernel branches (such as RHEL 8 / 9 or Ubuntu 20.04) are affected, not just distributions shipping recent kernels.

Mitigation until patches arrive

Because the embargo was broken before distribution patches could be prepared, no patched kernel is available from any distribution vendor at this time. See the mitigation page for the recommended immediate steps to disable the vulnerable kernel modules and clear any contaminated page cache.
