Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/V4bel/dirtyfrag/llms.txt

Use this file to discover all available pages before exploring further.

The responsible disclosure embargo for Dirty Frag was broken by a third party before any distribution had prepared a patched kernel. As of the publication of this document, no distribution-level patch exists for either CVE-2026-43284 or CVE-2026-43500. Until your distribution releases a backported fix, you must take manual action to remove the vulnerable kernel modules and clear any page cache that may already have been modified.
Once the page cache is contaminated — either by a successful exploit or by testing — every subsequent read of the affected file (for example /etc/passwd or /usr/bin/su) returns the modified copy. The contamination persists until you run drop_caches or reboot. Rebooting alone restores the on-disk content but does not protect against re-exploitation if the modules remain loaded.

Primary mitigation

Run the following single command as root to blacklist the three vulnerable modules, unload them if they are currently loaded, and drop the page cache: 
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
This command does three things in sequence:
  1. Blacklists esp4, esp6, and rxrpc by writing install rules to /etc/modprobe.d/dirtyfrag.conf. After this, modprobe will refuse to load any of the three modules.
  2. Unloads the modules with rmmod if they are currently present in the running kernel. Errors (for example, if a module was not loaded) are suppressed via 2>/dev/null.
  3. Drops the page cache with echo 3 > /proc/sys/vm/drop_caches, clearing any contaminated pages already present in RAM.

Step-by-step procedure

1

Run the blacklist command

Execute the primary mitigation command above as root. The command is intentionally written as a single sh -c invocation so you can paste it into any shell without line-continuation issues.
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
2

Verify the modules are gone

Confirm that none of the three modules remain loaded:
lsmod | grep -E 'esp4|esp6|rxrpc'
The command should produce no output. If any module still appears, the rmmod step may have failed because another kernel module depends on it. Identify and remove the dependent module first, then re-run rmmod.
3

Monitor for distribution patches and update

Watch your distribution’s security advisory channel for a kernel update that includes the backported fix. Once a patched kernel is available, install it and reboot. You can then remove the blacklist file if desired:
rm /etc/modprobe.d/dirtyfrag.conf

Clearing the page cache after running the exploit

If you ran the exploit for testing purposes (on an authorized system), clear the contaminated page cache before continuing to use the system: 
echo 3 > /proc/sys/vm/drop_caches
Alternatively, rebooting the system achieves the same result.

Current patch status

CVE-2026-43284 (xfrm-ESP): The fix is merged in mainline at commit f4c50a4034e6 (2026-05-08). The patch sets the SKBFL_SHARED_FRAG flag on page frags that enter the kernel via splice in the IPv4/IPv6 datagram append paths, and checks this flag in the skip_cow branch of esp_input / esp6_input so that externally pinned pages are always routed through skb_cow_data(). Wait for your distribution to backport this commit.CVE-2026-43500 (RxRPC): No upstream patch exists yet. The submitted patch adds || skb->data_len to the guard condition in call_event.c and conn_event.c, ensuring that non-linear skbs (including those with spliced frags) are isolated via skb_copy() before in-place decryption. Monitor the netdev mailing list and your distribution’s advisories for when this is merged and backported.

Build docs developers (and LLMs) love

Get started for freeTalk to us