{“lastseen”:”2026-05-09T08:05:08″,”description”:”Dirty Frag is a Linux local privilege escalation (LPE) chain published on May 7, 2026. It combines two previously unknown kernel vulnerabilities can allow an unprivileged local user to escalate to root on many major Linux distributions.\\n\\n * xfrm-ESP Page-Cache Write (CVE-2026-43284) \\n\\n\\n * RxRPC Page-Cache Write (CVE-2026-43500) \\n\\n\\n\\n\\u003e As of May 8, 2026, CVE-2026-43284 had been patched in mainline Linux, while public reporting indicated that CVE-2026-43500 did not yet have patches available.\\n\\n**The Dirty Pipe Connection:**\\n\\nDirty Frag is the third discovery of a bug class that all share similar logic. A zero-copy send path plants an attacker-controlled or attacker-readable page into a kernel data structure as a raw reference. A downstream consumer assumes that buffer is privately owned by the kernel and performs an in-place write. The attacker controls where that write lands, in a page they only had read access to _._\\n\\n**_Bug_**** __**| **_Year_**** __**| **_Sink_**** __**| **_Primitive_**** __** \\n—|—|—|— \\n_Dirty Pipe (CVE-2022-0847)___| 2022| struct pipe_buffer| Page-cache overwrite via stale PIPE_BUF_FLAG_CAN_MERGE \\n _Copy Fail (CVE-2026-31431)___| Apr 2026| algif_aead TX SGL| 4-byte STORE during crypto_authenc_esn_decrypt() byte rearrangement \\n** _Dirty Frag_** _ (CVE-2026-43284, CVE-2026-43500)___| May 2026| frag of struct sk_buff| 4-byte STORE (ESP) and 8-byte STORE (RxRPC) into nonlinear skb frag \\n \\nDirty Frag exists on the receive side of a network protocol that performs in-place crypto on skb_shinfo(skb)-\\u003efrags[]. Since splice_to_socket() automatically sets MSG_SPLICE_PAGES, a page cache page that the attacker only has read access to gets pinned into frags[0] as-is. The receiver-side kernel then does its in-place STORE on top of it.\\n\\n# CVE-2026-43284: xfrm-ESP Page-Cache Write\\n\\nRegistering an XFRM SA needs CAP_NET_ADMIN privileges, which means the attacker has to first create a new user namespace via unshare(CLONE_NEWUSER | CLONE_NEWNET). On distributions that allow unprivileged user namespaces (RHEL, Fedora, openSUSE, AlmaLinux), this is easily achieved. However, on systems like Ubuntu, AppArmor sometimes blocks unprivileged user-namespace creation. This is exactly why the second CVE in the chain exists.\\n\\n# CVE-2026-43500: RxRPC Page-Cache Write\\n\\nThe publicly available exploit’s chosen target is \/etc\/passwd line 1. In this implementation, 12 bytes forces a rewrite via three sequential 8-byte STOREs to produce an empty password field for root. Successful exploitation then leads to simply use a \u201csu \u2013\u201c without a prompt. Moreover, this vulnerability requires normal user privileges alone. add_key(\\”rxrpc\\”, \u2026), socket(AF_RXRPC), socket(AF_ALG), splice(), and recvmsg() are all unprivileged APIs. Hence, no user-namespace creation is needed. This is why the Dirty Frag exploit chain works on hardened Ubuntu systems even where ESP is blocked.\\n\\n**The Security Blind Spot:**\\n\\nThe Dirty Frag exploit does not touch any files on a hard drive. Security tools that depend on hashing the file on a disk will not detect a Dirty Frag exploitation as the malicious cache exists only in RAM. Furthermore, the page cache is contaminated until either \u201cecho 3 \\u003e \/proc\/sys\/vm\/drop_caches\u201d runs or the system reboots. The drop_caches command frees the Linux kernel\u2019s page cache, dentries, and inodes and is often used in testing or debugging to simulate a \u201ccold cache\u201d state without rebooting. \\n\\nIf the threat actor is able to corrupt \/usr\/bin\/su, it effectively remains available for execution until reboot, serving as a reliable backdoor.\\n\\n**Affected Versions:**\\n\\nMore vulnerability details are still being uncovered and we will update this list as additional information is available. Primarily, Linux Kernel (ESP subsystem) since 2017 and the RxRPC subsystem of the Linux Kernel since 2023 are vulnerable. Additionally, these vendors have confirmed that patches are being prepared:\\n\\n 1. Ubuntu\\n 2. Red Hat Enterprise Linux\\n 3. CentOS Stream \\n 4. AlmaLinux\\n 5. Fedora\\n 6. openSUSE\\n\\n\\n\\n## Qualys QID Coverage\\n\\nQualys has released the following QIDs to address the Dirty Frag chain:\\n\\n 1. QID 387289 – Linux Kernel Local Privilege Escalation Vulnerability (Dirty Frag) (CVE-2026-43284)\\n 2. QID 387288 – Linux Kernel Local Privilege Escalation Vulnerability (Dirty Frag) (CVE-2026-43500)\\n 3. QID 944291 – AlmaLinux Security Update for kernel (ALSA-2026:A006)\\n 4. QID 944290 – AlmaLinux Security Update for kernel (ALSA-2026:A005)\\n 5. QID 944287 – AlmaLinux Security Update for kernel-rt (ALSA-2026:A007)\\n\\n\\n\\nThe following QIDs are in the final stages of verification and expected to be released soon:\\n\\n 1. QID 6276440 – Debian Security Update for linux (CVE-2026-43284)\\n 2. QID 288685 – Fedora Security Update for kernel (FEDORA-2026-87dc12705e)\\n 3. QID 288684 – Fedora Security Update for kernel (FEDORA-2026-abc00fb4e8)\\n 4. QID 762499 – SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1778-1)\\n 5. QID 6276373 – Debian Security Update for linux (CVE-2026-43500)\\n\\n\\n\\nQualys customers can also search for this vulnerability by their CVE IDs: CVE-2026-43284 and CVE-2026-43500. Information about additional QIDs pertaining to these CVEs can be found in our Vulnerability Detection Pipeline.\\n\\n## Remediate at Scale With TruRisk Eliminate\\n\\nTruRisk Eliminate offers a comprehensive risk reduction solution designed to help security and IT teams proactively address nearly 100% of CISA KEVs and ransomware vulnerabilities.\\n\\nTo address these vulnerabilities, leverage Qualys TruRisk Eliminate to:\\n\\n * Patch these vulnerabilities, or\\n * Apply out-of-the-box mitigations until a patch can be deployed\\n\\n\\n\\nBecause these vulnerabilities are Qualys patchable, you should immediately deploy the patches and fix them. Relevant patches were added to the Qualys patch catalog and are ready to be deployed using the Qualys agent.”,”published”:”2026-05-09T07:22:34″,”modified”:”2026-05-09T07:22:34″,”type”:”qualysblog”,”title”:”Dirty Frag: Using the Page Caches as an Attack Surface”,”source”:””,”references”:””,”id”:”QUALYSBLOG:4117DBF9D73BE798BE159CA2C926D4D5″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2022-0847″,”CVE-2026-31431″,”CVE-2026-43284″,”CVE-2026-43500″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.qualys.com\/category\/vulnerabilities-threat-research”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-09T08:05:08″,”description”:”Dirty Frag is a Linux local privilege escalation (LPE) chain published on May 7, 2026. It combines two previously unknown kernel vulnerabilities can allow an…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,28,12,15,13,120,7,11,5],"class_list":["post-52704","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n