New ‘Dirty Frag’ exploit targets Linux kernel for root access
Summary
A new Linux privilege escalation vulnerability named "Dirty Frag" has been disclosed, allowing attackers to gain root access. This exploit chain abuses weaknesses in the Linux kernel's handling of fragmented memory and combines two vulnerabilities in the IPsec ESP subsystem (CVE-2026-43284) and RxRPC networking protocol (CVE-2026-43500). Microsoft reports that exploitation attempts are already underway and are being used in conjunction with other Linux kernel exploits.
IFF Assessment
This vulnerability allows attackers to gain root access on Linux systems, which is a significant threat to defenders.
Severity
The vulnerability allows for privilege escalation to root access (High impact) and can be exploited after initial compromise, such as through SSH access or a web shell (Attack Vector: Local, Attack Complexity: Low). The exploit also avoids common instability issues, making it more reliable.
CISA KEV: Listed as actively exploited. Federal patch due: May 16, 2022. Known ransomware use: Unknown.
Defender Context
Defenders should be aware of the "Dirty Frag" exploit and its active exploitation in the wild, especially if their environments utilize Linux distributions like Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE, and OpenShift. Prompt patching of the affected kernel components is crucial to mitigate the risk of privilege escalation.