Dirty Frag: Using the Page Caches as an Attack Surface
Dirty Frag is a Linux local privilege escalation (LPE) chain published on May 7, 2026. It combines two previously unknown kernel vulnerabilities that can allow an unprivileged local user to escalate to root on many major Linux distributions.
- xfrm-ESP Page-Cache Write (CVE-2026-43284)
- RxRPC Page-Cache Write (CVE-2026-43500)
As of May 8, 2026, CVE-2026-43284 had been patched in mainline Linux, while public reporting indicated that CVE-2026-43500 did not yet have patches available.
The Dirty Pipe Connection:
Dirty Frag is the third discovered instance of a bug class whose members all share the same logic. A zero-copy send path plants an attacker-controlled or attacker-readable page into a kernel data structure as a raw page reference. A downstream consumer assumes that buffer is privately owned by the kernel and performs an in-place write. The attacker controls where that write lands: in a page they only had read access to.
| Bug | Year | Sink | Primitive |
|---|---|---|---|
| Dirty Pipe (CVE-2022-0847) | 2022 | struct pipe_buffer | Page-cache overwrite via stale PIPE_BUF_FLAG_CAN_MERGE |
| Copy Fail (CVE-2026-31431) | Apr 2026 | algif_aead TX SGL | 4-byte STORE during crypto_authenc_esn_decrypt() byte rearrangement |
| Dirty Frag (CVE-2026-43284, CVE-2026-43500) | May 2026 | frag of struct sk_buff | 4-byte STORE (ESP) and 8-byte STORE (RxRPC) into nonlinear skb frag |
Dirty Frag exists on the receive side of a network protocol that performs in-place crypto on skb_shinfo(skb)->frags[]. Since splice_to_socket() automatically sets MSG_SPLICE_PAGES, a page cache page that the attacker only has read access to gets pinned into frags[0] as-is. The receiver-side kernel then does its in-place STORE on top of it.
CVE-2026-43284: xfrm-ESP Page-Cache Write
Registering an XFRM SA needs CAP_NET_ADMIN privileges, which means the attacker has to first create a new user namespace via unshare(CLONE_NEWUSER | CLONE_NEWNET). On distributions that allow unprivileged user namespaces (RHEL, Fedora, openSUSE, AlmaLinux), this is easily achieved. However, on systems like Ubuntu, AppArmor sometimes blocks unprivileged user-namespace creation. This is exactly why the second CVE in the chain exists.
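Because the ESP half of the chain can only start once an unprivileged user has obtained CAP_NET_ADMIN inside a fresh user namespace, the first thing a defender wants to know is whether unprivileged user-namespace creation is permitted on a given host. The following check is an added example written for this post, not code from Qualys or from the public exploit. It reads the kernel's own sysctl files (the Debian/Ubuntu `kernel.unprivileged_userns_clone` and Ubuntu's `kernel.apparmor_restrict_unprivileged_userns` knobs are absent on other distributions, which the code tolerates) and also probes empirically by calling unshare(CLONE_NEWUSER) in a throwaway child process.

```python
"""Report whether an unprivileged local user can create user namespaces.

Added example, not from the Qualys post or the exploit. The ESP half of
Dirty Frag needs CAP_NET_ADMIN in a new user namespace, so whether
unprivileged user-namespace creation is permitted is the first thing a
defender checks. Linux only; the pure assess() function is separated from
the file reads so it can be exercised on constructed values.
"""
import ctypes
import os

CLONE_NEWUSER = 0x10000000  # from <linux/sched.h>

# sysctl files consulted; the last two are distribution-specific and may be absent.
SYSCTL_PATHS = {
    "max_user_namespaces": "/proc/sys/user/max_user_namespaces",
    # Debian/Ubuntu knob (older kernels): 0 disables unprivileged userns clone
    "unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
    # Ubuntu 23.10+ AppArmor restriction: 1 blocks unconfined unprivileged userns
    "apparmor_restrict_unprivileged_userns":
        "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
}


def read_sysctls(paths=SYSCTL_PATHS):
    """Return {name: int} for every sysctl file that exists and parses."""
    values = {}
    for name, path in paths.items():
        try:
            with open(path) as fh:
                values[name] = int(fh.read().strip())
        except (OSError, ValueError):
            pass  # knob not present on this kernel/distribution
    return values


def assess(values):
    """Decide from sysctl values whether unprivileged userns creation is allowed.

    Missing knobs are treated as permissive, which is the kernel default.
    Returns {'allowed': bool, 'reasons': [str]} where reasons lists the
    settings that block creation."""
    reasons = []
    if values.get("max_user_namespaces", 1) == 0:
        reasons.append("user.max_user_namespaces=0")
    if values.get("unprivileged_userns_clone", 1) == 0:
        reasons.append("kernel.unprivileged_userns_clone=0")
    if values.get("apparmor_restrict_unprivileged_userns", 0) == 1:
        reasons.append("kernel.apparmor_restrict_unprivileged_userns=1")
    return {"allowed": not reasons, "reasons": reasons}


def probe_unshare():
    """Empirical check: fork a child that attempts unshare(CLONE_NEWUSER).

    Returns True if the call succeeded (creation is possible for this user),
    False if it failed or the platform does not support it."""
    if not hasattr(os, "fork"):
        return False
    pid = os.fork()
    if pid == 0:
        try:
            libc = ctypes.CDLL(None, use_errno=True)
            rc = libc.unshare(CLONE_NEWUSER)
        except (OSError, AttributeError):
            rc = -1
        os._exit(0 if rc == 0 else 1)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status) == 0


if __name__ == "__main__":
    verdict = assess(read_sysctls())
    print("sysctl verdict:", verdict)
    print("unshare(CLONE_NEWUSER) succeeded:", probe_unshare())
```

The two results should agree; when the sysctls look permissive but the probe fails, something else (a seccomp filter, an AppArmor profile, a container runtime) is doing the blocking, and that is worth knowing before relying on it as a mitigation.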
CVE-2026-43500: RxRPC Page-Cache Write
The publicly available exploit's chosen target is line 1 of /etc/passwd. In this implementation, a 12-byte rewrite is carried out via three sequential 8-byte STOREs to produce an empty password field for root. Successful exploitation then comes down to running "su -" without a password prompt. Moreover, this vulnerability requires only normal user privileges: add_key("rxrpc", ...), socket(AF_RXRPC), socket(AF_ALG), splice(), and recvmsg() are all unprivileged APIs, so no user-namespace creation is needed. This is why the Dirty Frag exploit chain works on hardened Ubuntu systems even where the ESP path is blocked.
The Security Blind Spot:
The Dirty Frag exploit does not touch any file on disk. Security tools that depend on hashing the on-disk file will not detect a Dirty Frag exploitation, because the malicious content exists only in the page cache in RAM. Furthermore, the page cache stays contaminated until either "echo 3 > /proc/sys/vm/drop_caches" runs or the system reboots. The drop_caches command frees the Linux kernel's page cache, dentries, and inodes and is often used in testing or debugging to simulate a "cold cache" state without rebooting.
If the threat actor is able to corrupt /usr/bin/su, it effectively remains available for execution until reboot, serving as a reliable backdoor.
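Since the corrupted bytes live only in the page cache, the on-disk copy and the cached copy of an affected file disagree, and that disagreement is directly observable: an ordinary read() is served from the cache, while an O_DIRECT read() goes to the block device and bypasses it. The script below is an added example written for this post (not Qualys code) that compares the two views of a file and reports the byte ranges where they diverge. It assumes Linux and a filesystem that honours O_DIRECT (tmpfs and some overlay setups do not, in which case it reports that the direct read was unavailable rather than guessing).

```python
"""Compare a file's page-cache view with its on-disk bytes.

Added example, not from the Qualys post. A Dirty Frag write lands in the
page cache and is never written back, so a buffered read (served from the
cache) and an O_DIRECT read (served from the block device) should agree;
any divergence is the indicator. Assumes Linux and a filesystem that
honours O_DIRECT.
"""
import mmap
import os
import tempfile

BLOCK = 4096  # O_DIRECT needs buffer, offset and length aligned to the block size


def read_via_cache(path):
    """Ordinary buffered read: served from the page cache when the file is cached."""
    with open(path, "rb") as fh:
        return fh.read()


def read_bypassing_cache(path):
    """O_DIRECT read into a page-aligned buffer; returns None if unsupported."""
    if not hasattr(os, "O_DIRECT"):
        return None
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError:
        return None
    buf = None
    try:
        size = os.fstat(fd).st_size
        # Anonymous mmap memory is page-aligned, which satisfies O_DIRECT.
        buf = mmap.mmap(-1, max(BLOCK, -(-size // BLOCK) * BLOCK))
        view = memoryview(buf)
        total = 0
        while total < size:
            # O_DIRECT returns block-aligned counts except at EOF, so 'total'
            # stays aligned for every request that is not the last one.
            n = os.preadv(fd, [view[total:]], total)
            if n == 0:
                break
            total += n
        return bytes(buf[:total])
    except OSError:
        return None  # e.g. EINVAL: filesystem does not support O_DIRECT
    finally:
        os.close(fd)
        if buf is not None:
            view.release()
            buf.close()


def divergent_ranges(cached, disk):
    """Return [(offset, length)] of byte runs where the two views differ."""
    ranges, start = [], None
    n = max(len(cached), len(disk))
    for i in range(n):
        a = cached[i] if i < len(cached) else None
        b = disk[i] if i < len(disk) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    return ranges


def check(path):
    """Compare both views of 'path'; 'divergent' is empty when they agree."""
    cached = read_via_cache(path)
    disk = read_bypassing_cache(path)
    if disk is None:
        return {"direct_supported": False, "divergent": []}
    return {"direct_supported": True, "divergent": divergent_ranges(cached, disk)}


def demo_roundtrip():
    """Write constructed passwd-style content to a temp file and check it."""
    sample = b"root:x:0:0:root:/root:/bin/bash\n" * 200  # constructed sample
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        tmp.flush()
        os.fsync(tmp.fileno())  # make sure the disk copy is current
    try:
        return check(tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for target in ("/etc/passwd", "/usr/bin/su"):
        print(target, check(target))
```

Two caveats when using this on a live host: a file that was legitimately modified moments ago has dirty pages that have not been written back yet, so run sync first or skip recently written files; and a clean result after drop_caches or a reboot says nothing about what the cache held before, so the check is only meaningful while the suspect cache is still resident.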
Affected Versions:
More vulnerability details are still being uncovered, and we will update this list as additional information becomes available. The vulnerable code lives in the Linux kernel's ESP (xfrm) subsystem since 2017 and in its RxRPC subsystem since 2023. Additionally, these vendors have confirmed that patches are being prepared:
- Ubuntu
- Red Hat Enterprise Linux
- CentOS Stream
- AlmaLinux
- Fedora
- openSUSE
Qualys QID Coverage
Qualys has released the following QIDs to address the Dirty Frag chain:
- QID 387289 – Linux Kernel Local Privilege Escalation Vulnerability (Dirty Frag) (CVE-2026-43284)
- QID 387288 – Linux Kernel Local Privilege Escalation Vulnerability (Dirty Frag) (CVE-2026-43500)
- QID 944291 – AlmaLinux Security Update for kernel (ALSA-2026:A006)
- QID 944290 – AlmaLinux Security Update for kernel (ALSA-2026:A005)
- QID 944287 – AlmaLinux Security Update for kernel-rt (ALSA-2026:A007)
The following QIDs are in the final stages of verification and expected to be released soon:
- QID 6276440 – Debian Security Update for linux (CVE-2026-43284)
- QID 288685 – Fedora Security Update for kernel (FEDORA-2026-87dc12705e)
- QID 288684 – Fedora Security Update for kernel (FEDORA-2026-abc00fb4e8)
- QID 762499 – SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1778-1)
- QID 6276373 – Debian Security Update for linux (CVE-2026-43500)
Qualys customers can also search for these vulnerabilities by their CVE IDs: CVE-2026-43284 and CVE-2026-43500. Information about additional QIDs pertaining to these CVEs can be found in our Vulnerability Detection Pipeline.
Remediate at Scale With TruRisk Eliminate
TruRisk Eliminate offers a comprehensive risk reduction solution designed to help security and IT teams proactively address nearly 100% of CISA KEVs and ransomware vulnerabilities.
To address these vulnerabilities, leverage Qualys TruRisk Eliminate to:
- Patch these vulnerabilities, or
- Apply out-of-the-box mitigations until a patch can be deployed
Because these vulnerabilities are patchable through Qualys, you should deploy the patches immediately. The relevant patches have been added to the Qualys patch catalog and are ready to be deployed using the Qualys agent.
Source: Qualys Security Blog | CVEs: CVE-2026-43284, CVE-2026-31431, CVE-2022-0847, CVE-2026-43500