This page answers the most common questions about Dirty Frag, its relationship to prior vulnerabilities in the same class, and what you should do to protect your systems.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/V4bel/dirtyfrag/llms.txt
Use this file to discover all available pages before exploring further.
Why chain two vulnerabilities?
Why chain two vulnerabilities?
Each variant has a blind spot that the other covers.The xfrm-ESP variant (CVE-2026-43284) provides an arbitrary 4-byte page-cache STORE primitive and is present on most distributions. However, it requires
CAP_NET_ADMIN, obtained via unshare(CLONE_NEWUSER | CLONE_NEWNET). Ubuntu sometimes blocks unprivileged user namespace creation through AppArmor policy — in that environment the ESP variant cannot be triggered.The RxRPC variant (CVE-2026-43500) requires no namespace privilege at all. However, the rxrpc.ko module is not shipped in most distributions by default — for example, the default build of RHEL 10.1 does not include it. Ubuntu, however, loads rxrpc.ko by default.Chaining the two variants makes the blind spots cancel out: on Ubuntu (AppArmor blocks namespace creation but rxrpc.ko is available), the RxRPC path runs. Everywhere else (namespace creation allowed, rxrpc.ko absent), the ESP path runs. A single binary achieves root on all major distributions.What is the relationship with Dirty Pipe and Copy Fail?
What is the relationship with Dirty Pipe and Copy Fail?
Dirty Frag belongs to the same bug class as Dirty Pipe and Copy Fail. All three exploit the kernel’s zero-copy send paths to modify read-only page cache pages in RAM.
- Dirty Pipe overwrites
struct pipe_bufferto contaminate page cache pages. - Copy Fail uses
splice(file → pipe → AF_ALG_fd)to plant a page-cache page into the TX SGL of an AEAD request, then triggers a 4-byte write during theauthencesnbyte-rearrangement step. - Dirty Frag reproduces the same pattern but at the
fragslot ofstruct sk_buff. The two variants targetesp_input(xfrm) andrxkad_verify_packet_1(RxRPC) respectively.
crypto_authenc_esn_decrypt), but it is triggered via the XFRM/ESP input path rather than AF_ALG. This means it works regardless of whether algif_aead is available — systems where the publicly known Copy Fail mitigation (blacklisting algif_aead) has been applied are still vulnerable to Dirty Frag.How do I fix my Linux system right now?
How do I fix my Linux system right now?
Because the embargo was broken before distribution patches were ready, no patched kernel package is available from any major distribution as of the disclosure date.Immediate workaround — blacklist the three vulnerable modules and clear the page cache:This disables IPsec ESP (esp4, esp6) and RxRPC. If your workload requires IPsec, contact your distribution for backport status.Longer term — once your distribution backports the patch for CVE-2026-43284, update your kernel. The upstream patch is at commit f4c50a4034e6. No upstream patch for CVE-2026-43500 exists yet.See the Mitigation page for full details.
Why call it 'Dirty Frag'?
Why call it 'Dirty Frag'?
The name follows the convention of the bug class it extends (“Dirty Pipe”, “Copy Fail”). The vulnerability dirties the
frag member of struct sk_buff — a splice-planted page-cache page is pinned into an skb frag and then cryptographic operations write back into that frag in-place, modifying the underlying read-only page cache.“Dirty Frag” is the most technically precise name: it describes exactly which kernel data structure is misused to achieve the write primitive.Does Copy Fail mitigation protect against Dirty Frag?
Does Copy Fail mitigation protect against Dirty Frag?
No. The common Copy Fail mitigation is to blacklist the
algif_aead kernel module. Dirty Frag’s xfrm-ESP variant uses the same crypto_authenc_esn_decrypt sink as Copy Fail, but it is triggered through the XFRM/IPsec ESP input path — algif_aead is not involved. If algif_aead is blacklisted on your system, you are still fully vulnerable to Dirty Frag.Use the module blacklist mitigation specifically targeting esp4, esp6, and rxrpc.Is a race condition required?
Is a race condition required?
No. Dirty Frag is a deterministic logic bug. The kernel unconditionally skips
skb_cow_data for certain skb shapes (ESP) or unconditionally performs in-place decryption without checking for splice-planted frags (RxRPC). No timing window, no retry loop, and the kernel does not panic when the exploit runs. The success rate is very high.What files does the exploit modify?
What files does the exploit modify?
The exploit modifies files in RAM only — the page cache. The underlying disk data is never written. After
echo 3 > /proc/sys/vm/drop_caches or a reboot, the page cache is evicted and the files are read fresh from disk, restoring the original content.- ESP variant: Overwrites the first 192 bytes of
/usr/bin/suin page cache with a root-shell ELF. - RxRPC variant: Overwrites bytes 4–15 of line 1 of
/etc/passwdin page cache to set an empty root password.