Dirty Frag was discovered and reported by Hyunwoo Kim (@v4bel). This page consolidates the disclosure timelines for both CVEs and explains why the full exploit was published ahead of distribution patches.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/V4bel/dirtyfrag/llms.txt
Use this file to discover all available pages before exploring further.
RxRPC Page-Cache Write (CVE-2026-43500)
| Date | Event |
|---|---|
| 2026-04-29 | Submitted detailed information and a weaponized exploit achieving root on Ubuntu to security@kernel.org |
| 2026-04-29 | Submitted the patch for the RxRPC vulnerability to the netdev mailing list — information published publicly at this point |
| 2026-05-07 | Submitted detailed information and exploit to the linux-distros mailing list; embargo set to 5 days with a break-clause |
| 2026-05-07 | ESP vulnerability information published publicly by an unrelated third party, breaking the embargo |
| 2026-05-07 | After agreement from distribution maintainers, full Dirty Frag disclosure published |
| 2026-05-08 | CVE-2026-43500 reserved for tracking |
No upstream patch exists for CVE-2026-43500 as of the publication date. The submitted patch adds
|| skb->data_len to the skb_cloned gate in call_event.c and conn_event.c.xfrm-ESP Page-Cache Write (CVE-2026-43284)
| Date | Event |
|---|---|
| 2026-04-30 | Submitted detailed information and weaponized exploit to security@kernel.org |
| 2026-04-30 | Submitted the patch to the netdev mailing list — published publicly |
| 2026-04-30 (+9h) | Kuan-Ting Chen independently submitted a vulnerability report with reproducer to security@kernel.org |
| 2026-05-04 | Kuan-Ting Chen submitted the shared-frag approach patch to netdev |
| 2026-05-07 | Patch merged into the netdev tree |
| 2026-05-07 | Submitted to linux-distros mailing list; embargo set to 5 days with break-clause |
| 2026-05-07 | Embargo broken by third party; full disclosure authorized and published |
| 2026-05-08 | Patch merged into mainline |
| 2026-05-08 | CVE-2026-43284 assigned |
Why was the exploit published?
The linux-distros embargo included an explicit break-clause: if a third party published the exploit during the embargo window, the full Dirty Frag disclosure would be released immediately. On 2026-05-07, detailed information and exploit code for the ESP vulnerability were published publicly by an unrelated third party. After obtaining agreement from distribution maintainers, the complete Dirty Frag document was published the same day.Patch credits
The final merged patch for CVE-2026-43284 uses theSKBFL_SHARED_FRAG approach submitted by Kuan-Ting Chen on 2026-05-04. The original v1 patch (submitted 2026-04-30) called skb_cow_data() directly in the ESP input fast path. The shared-frag approach is more robust and was selected by the netdev maintainers. Kuan-Ting Chen is credited for writing the final patch.