Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Both of these increasing threats stem from bugs in the kernel’s cached pages, allowing untrusted users to modify them. They look for network caches and memory-fragment holding components. Specifically, CVE-2026-43284 attacks the esp4 and esp6() methods, and CVE-2026-43500 zeroes in on rxrpc. Last week’s CopyFail used an error page in the Authencesn AEAD template method, which is used for IPsec serial numbers. The 2022 Dirty Pipe vulnerability also originated from a flaw that allowed attackers to rewrite web caches.
Researchers from the security company Automox he wrote:
Dirty Frag belongs to the same virus family as Dirty Pipe and Copy Fail, but it looks different frag a member of the kernel change sk_buff rather than pipe_buffer. It is used component () planting references to a read-only cache page (for example, /etc/passwd or /usr/bin/su) to frag the part of the forwarder skb. The receiver’s kernel code then performs encryption operations on the fragment, and updates the page cache in RAM. Any subsequent reading of the file will see a corrupted version, even if the attacker had read access.
CVE-2026-43284 occurs in the esp_input() method on the IPsec ESP receive method. If the skb object is not linear but does not contain a frag list, the code skips skb_cow_data() and removes the AEAD instead from the planted frag. From there, an attacker can control the file system and the 4-byte value of each store.
CVE-2026-43500, currently, is rxkad_verify_packet_1(). This method removes the RxRPC payload using only one method. Compressed pages are both source and destination. This, combined with the decryption key being freely extracted using add_key (rxrpc), allows an attacker to rewrite the contents of the header.
What is used separately is unreliable. Some versions of Ubuntu use AppArmor to prevent untrusted users from creating content in the namespace. This, in turn, disables the ESP process. Most other distributions by default do not run rxrpc.ko, which disables the RxRPC arm. However, when tied together, these two achievements allowed the attackers to gain a foothold in every major territory that Kim was tested on. Once the transaction is complete, attackers can use SSH access, use web shells, container escapes, or compromise low-level accounts.
“Dirty Frag is known because it introduces several kernel attack methods that include rxrpc and esp/xfrm networking components to improve the reliability of the exploit,” Microsoft researchers said. he wrote. “Instead of relying on small windows or unstable vulnerabilities that are often associated with increased access to Linux privileges, Dirty Frag appears to be designed to increase stability in vulnerable environments.”
Wiz researchers with Google he said Actions will not have the chance to leave a more secure environment like Kubernetes with secure settings. “However, the risk remains significant for virtual machines or environments that are not limited.”
The best solution for any Linux user is to install patches immediately. Although maintenance may require a restart, the protection against a major threat like Dirty Frag outweighs the cost of disruption. Anyone who cannot install immediately should follow the mitigation measures described above. Additional instructions can be found Here.
