DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-43284: "Dirty Frag" Local Privilege Escalation via Linux Kernel Page Cache Corruption

Vulnerability ID: CVE-2026-43284
CVSS Score: 8.8
Published: 2026-05-08

CVE-2026-43284, identified as "Dirty Frag", is a high-severity (CVSS 8.8) local privilege escalation vulnerability in the Linux kernel's handling of shared socket-buffer (skb) fragments during Encapsulating Security Payload (ESP) decryption. ESP decrypts an skb's payload in place, so if the skb's fragments still reference pages that belong to someone else, the decrypted output is written over those pages. An unprivileged local user can arrange for those fragments to be page-cache pages backing a read-only file, which gives a primitive for writing attacker-chosen bytes into the cached contents of files such as /etc/passwd. Only the in-memory copy is modified, but every process that subsequently reads the file sees the tampered contents, which is enough for immediate root privilege escalation.

TL;DR

A logic error in the Linux kernel's ESP receive path lets an unprivileged local user overwrite the page-cache copy of a read-only file. The kernel-internal MSG_SPLICE_PAGES flag (it cannot be passed from userspace; the kernel sets it when file pages are spliced into a socket) lets page-cache pages become skb fragments, and ESP-in-UDP decryption then writes its output over those shared fragments in place instead of first making a private copy. The result is direct manipulation of critical configuration files and code execution as root.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-123 (Write-what-where Condition), CWE-787 (Out-of-bounds Write)
  • Attack Vector: Local (AV:L)
  • CVSS v3.1: 8.8 (High)
  • EPSS Score: 0.00007 (0.007%; EPSS estimates the probability of exploitation in the wild and is not a severity rating, so a low value does not contradict the exploit status below)
  • Impact: Local Privilege Escalation (Root)
  • Exploit Status: Active Exploitation
  • Vulnerable Subsystem: ESP receive path (shared skb fragment handling) / MSG_SPLICE_PAGES

Affected Systems

  • Linux Kernel
  • Ubuntu
  • Debian
  • Red Hat Enterprise Linux
  • Linux Kernel: >= 4.11, < 5.10.255 (Fixed in: 5.10.255)
  • Linux Kernel: >= 5.12, < 5.15.205 (Fixed in: 5.15.205)
  • Linux Kernel: >= 5.16, < 6.1.171 (Fixed in: 6.1.171)
  • Linux Kernel: >= 6.2, < 6.6.138 (Fixed in: 6.6.138)
  • Linux Kernel: >= 6.7, < 6.12.87 (Fixed in: 6.12.87)
  • Linux Kernel: >= 6.13, < 6.18.28 (Fixed in: 6.18.28)
  • Linux Kernel: >= 7.0, < 7.0.5 (Fixed in: 7.0.5)

Code Analysis

Commit: a6cb440

Fix missing SKBFL_SHARED_FRAG flag and enforce skb_cow_data in ESP subsystem.

@@ -0,0 +1,5 @@
+if (skb_cloned(skb) || skb_header_cloned(skb) ||
+    (skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG)) {
+    err = skb_cow_data(skb, 0, &trailer);
+    if (err < 0) goto error;
+}
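Review bot: when the condition on the first two lines is false, `trailer` is never assigned in this block, so any later use of it reads an uninitialized pointer unless the surrounding code sets it on the other path; the hunk header `@@ -0,0 +1,5 @@` presents the check as a five-line addition with no context, so a reviewer cannot see where in the ESP receive path it sits, what the `error` label unwinds, or how the non-negative return value of skb_cow_data (the element count on success) is consumed afterwards. Please post the hunk with its surrounding context lines. Two smaller points: the kernel already provides skb_has_shared_frag() for the `skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG` test, and `if (err < 0) goto error;` should put the `goto` on its own line to match kernel coding style.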

Exploit Details

  • GitHub (Original Researcher): Original proof-of-concept provided by the researcher.
  • GitHub: Universal local privilege escalation script.
  • GitHub: Kubernetes node escape proof-of-concept.
  • GitHub: Exploit port for ARM64 architectures.

Mitigation Strategies

  • Upgrade the Linux kernel to a release containing the fix (the fixed versions are listed under Affected Systems) and reboot; the flaw is in the kernel, so userspace package updates alone do not help.
  • Blocking UDP port 4500 at the network perimeter does not mitigate this issue: the attack vector is local (AV:L), so the traffic that reaches the ESP-in-UDP decapsulation path originates on the host itself and never crosses the perimeter. Where IPsec is not required, prevent the ESP modules (esp4/esp6, where built as modules) from loading instead, which removes the vulnerable code path; treat this as a stopgap until the kernel is patched.
  • Use eBPF-based runtime monitoring (e.g., Falco) to alert on the exploit pattern. Note that MSG_SPLICE_PAGES is set inside the kernel when file pages are spliced into a socket and cannot be supplied by userspace, so detection has to key on the userspace operations that lead to it (an unprivileged process splicing a regular file into a UDP socket and driving ESP-in-UDP traffic on the host) rather than on the flag value itself.

Remediation Steps:

  1. Identify all hosts running a kernel below the fixed release for its branch (4.11 up to, but excluding, 5.10.255, 5.15.205, 6.1.171, 6.6.138, 6.12.87, 6.18.28 or 7.0.5 on the respective branch, as listed under Affected Systems).
  2. Schedule emergency maintenance windows for critical infrastructure.
  3. Apply distribution-specific kernel updates (e.g., 'apt update && apt install --only-upgrade linux-image-generic' on Ubuntu, 'dnf update kernel' on Red Hat Enterprise Linux).
  4. Reboot the affected systems to load the patched kernel; the running kernel does not change until then.
  5. Verify the active kernel version using 'uname -r' post-reboot. Distribution kernels backport fixes without changing the upstream version number (Ubuntu's 5.15.0-NNN-generic, RHEL's 5.14.0-NNN.el9), so for those compare against the distribution's advisory or package changelog rather than the upstream numbers above.
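As an added example (not part of the original report and not the researcher's code), the following POSIX shell script implements steps 1 and 5 above: it classifies a kernel version string, such as the output of 'uname -r', against the fixed-version table in the Affected Systems section. The ranges are copied from that table; treating versions that fall into the gaps between the listed ranges (for instance 5.11.x) as "unlisted", and the distribution-kernel note printed at the end, are assumptions made here rather than statements from the advisory.

```shell
#!/bin/sh
# dirty_frag_check.sh: classify a kernel version string against the
# fixed-version table for CVE-2026-43284 ("Dirty Frag").
#
# Added example, not from the advisory. The ranges below are copied from the
# Affected Systems table; the handling of versions that fall between those
# ranges (e.g. 5.11.x, an EOL branch) is an assumption made here.

# One entry per stable branch: "first_vulnerable:first_fixed".
DIRTY_FRAG_RANGES="
4.11:5.10.255
5.12:5.15.205
5.16:6.1.171
6.2:6.6.138
6.7:6.12.87
6.13:6.18.28
7.0:7.0.5
"

# vercmp A B: compare two dotted numeric versions component by component.
# Prints -1, 0 or 1. Missing components count as 0, so 6.6 equals 6.6.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bh="${b%%.*}"; if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# branch_of V: "6.6.137" -> "6.6" (the stable series the version belongs to).
branch_of() { printf '%s\n' "$1" | cut -d. -f1-2; }

# dirty_frag_status KVER: print exactly one of
#   vulnerable  - inside a listed vulnerable range
#   fixed       - at or above the fixed release of its branch, or a newer mainline
#   unaffected  - older than 4.11, where the table starts
#   unlisted    - >= 4.11 but in a gap between listed ranges (EOL branch such
#                 as 5.11; assumption: treat as unpatched)
#   unknown     - the string carries no leading numeric version
# Suffixes such as "-generic" or "-503.el9.x86_64" are stripped first.
dirty_frag_status() {
    v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//; s/\.*$//')
    [ -n "$v" ] || { printf '%s\n' unknown; return; }
    for r in $DIRTY_FRAG_RANGES; do
        lo="${r%%:*}"; fixed="${r#*:}"
        if [ "$(vercmp "$v" "$lo")" -ge 0 ] && [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
            printf '%s\n' vulnerable; return
        fi
        # Same stable branch as a fixed release and not below it: patched.
        if [ "$(branch_of "$v")" = "$(branch_of "$fixed")" ]; then
            printf '%s\n' fixed; return
        fi
    done
    if [ "$(vercmp "$v" 4.11)" -lt 0 ]; then printf '%s\n' unaffected; return; fi
    if [ "$(vercmp "$v" 7.0.5)" -ge 0 ]; then printf '%s\n' fixed; return; fi
    printf '%s\n' unlisted
}

# Report on the running kernel, or on the version string given as $1.
kver="${1:-$(uname -r)}"
status=$(dirty_frag_status "$kver")
note=""
case "$kver" in
    # Distribution kernels backport fixes without bumping the upstream
    # version, so the upstream table can over-report for them (assumption:
    # a dash suffix or ".el" marks such a kernel).
    *-*|*.el*) note=" (distribution kernel: confirm against the vendor advisory)" ;;
esac
printf '%s: %s%s\n' "$kver" "$status" "$note"
```

Run it with no arguments to check the running kernel, or pass a version string as the first argument. For distribution kernels the verdict is an upper bound on exposure: the vendor advisory, not the upstream version number, decides whether the backported fix is present.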

References


Read the full report for CVE-2026-43284 on our website for more details including interactive diagrams and full exploit analysis.