INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).

Fragnesia Flaw Exploit Local Root Access

| 2026-05-14 13:00 HIGH MEDIUM
JSON
Executive Summary AI-generated
A new variant in the Dirty Frag family of Linux local privilege escalation flaws has surfaced, dubbed Fragnesia and tracked as CVE-2026-46300. This third root-level kernel bug was discovered three weeks ago by William Bowling of Zellic and the V12 team. The vulnerability allows unprivileged local users to gain root access through a working proof-of-concept exploit published on May 13, which involves rewriting opening bytes in /usr/bin/su with short payloads that drop to a root shell. This flaw affects all Linux kernels released before its discovery date of May 14 and enables arbitrary writes into the kernel page cache of read-only files, potentially leading to severe security breaches.
Technical Mitigations AI-generated
• Restrict unprivileged user namespaces • Monitor for suspicious namespace creation or XFRM manipulation • Disable esp4, esp6 and rxrpc kernel modules
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-43500CVE-2026-43500 CVE-2026-43284CVE-2026-43284 CVE-2026-31431CVE-2026-31431 CVE-2026-46300CVE-2026-46300
Target & Sectors
NORTH_AMERICA NORTH_AMERICA defensedefense
Incident Timeline
‎2026/04/11
Threat actors exploited a previously unknown flaw in the Linux kernel, specifically in the same area as last month's Copy Fail bug, to gain root access on affected systems.
infrastructure Linux
Nicknamed “Dirty Frag,” the issue was found in the same area of the Linux kernel that produced last month’s Copy Fail bug, and also allows anyone with a basic account on an affected computer to seize full administrative control.
organisation Copy Fail
Nicknamed “Dirty Frag,” the issue was found in the same area of the Linux kernel that produced last month’s Copy Fail bug, and also allows anyone with a basic account on an affected computer to seize full administrative control.
‎April 29
Threat actors exploited a newly disclosed Linux kernel local privilege escalation flaw (CVE-2026-31431) to gain root access for local users.
tactic Privilege Escalation
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
infrastructure Linux
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
organisation CVE-2026-31431
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
vulnerability CVE-2026-43284
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
vulnerability CVE-2026-43500
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
organisation CVE-2026
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
‎April 30
Linux maintainers received private information about a newly discovered flaw in Fragnesia on April 30.
infrastructure Linux
Kim reported the flaw he discovered privately to Linux maintainers on April 30, giving them time to prepare patches as per the standard coordinated disclosure process.
‎May 1
Threat actors exploited a newly discovered flaw in Linux, gaining root access to affected systems.
infrastructure Linux
CISA added Copy Fail to its catalog of flaws exploited in attacks on May 1 and ordered federal agencies to secure their Linux systems within two weeks, by May 15.
‎2026/05/04
Red Hat acknowledged the discovery of Dirty Frag and published an exploit describing its technical aspects on May 4, 2026.
organisation PoC
Security researcher Hyunwoo Kim disclosed the flaw, dubbed "Dirty Frag," and published a proof of concept (PoC) exploit last week on X .
‎2026/05/06
Linux kernel versions prior to May 13, 2026, were affected by the Dirty Frag vulnerability.
infrastructure Linux
Bowling said this flaw belongs to the Dirty Frag vulnerability class, which was disclosed last week, and affects all Linux kernels released before May 13, 2026.
‎May 7
Threat actors used a previously unknown Linux kernel local privilege escalation flaw (CVE-2026-31431) to gain root access for local users on May 7.
tactic Privilege Escalation
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
infrastructure Linux
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
organisation CVE-2026-31431
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
vulnerability CVE-2026-43284
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
vulnerability CVE-2026-43500
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
organisation CVE-2026
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
‎May 8
Threat actors exploited a newly discovered flaw in AlmaLinux and Ubuntu operating systems to gain root access for local users.
organisation AlmaLinux
AlmaLinux and Ubuntu both published patches and mitigations by May 8.
‎2026/05/11
Linux systems with the Dirty Frag flaw were exploited to gain root access by threat actors using this vulnerability.
infrastructure Linux
Dirty Frag also allows for container escape, and similarly affects nearly all Linux distributions in use today.
‎May 12
Threat actors exploited a newly discovered flaw in the Fragnesia software, gaining root access to local Linux systems.
organisation the Autonomous Validation Summit
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop.
general_metric 14 May
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop.
‎May 13
The proof-of-concept exploit was published alongside the disclosure on May 13.
organisation PoC
A working proof-of-concept (PoC) exploit was published alongside the disclosure on May 13.
‎May 13, 2026
Threat actors exploited a known vulnerability in Linux, specifically the Dirty Frag flaw, which allows local users to gain root access.
infrastructure Linux
Bowling said this flaw belongs to the Dirty Frag vulnerability class, which was disclosed last week, and affects all Linux kernels released before May 13, 2026.
‎2026/05/14
Dirty Frag works by chaining two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and a RxRPC Page-Cache Write security issue (CVE-2026-43500), to modify protected system files in memory without authorization.
infrastructure Linux
A new variant in the Dirty Frag family of Linux local privilege escalation flaws has surfaced, the third root-level Linux kernel bug disclosed in three weeks.
Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root.
Those who can't immediately patch their devices should use the same mitigation used for Dirty Frag commands to remove vulnerable kernel modules (however, it's important to note that this will break AFS distributed network file systems and IPsec VPNs): rmmod esp4 esp6 rxrpc printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf Fragnasia's disclosure comes as Linux distros are still rolling out patches for " Copy Fail ," another privilege escalation vulnerability now actively exploited in the wild .
" In April, Linux distros patched another root-privilege escalation vulnerability (dubbed Pack2TheRoot) in the PackageKit daemon that had gone unnoticed for a decade.
A public exploit is available for a nine-year old vulnerability that affects the Linux kernel, paving the way for root privilege escalation.
New Fragnesia Flaw Hands Linux Local Users Root Access.
The flaw affects all Linux kernels released before that date and allows unprivileged local users to gain root by writing arbitrary bytes into the kernel page cache of read-only files.
However, several Linux distributions have begun shipping their own backported patches.
New Fragnesia Linux flaw lets attackers gain root privileges.
Known as Fragnasia and tracked as CVE-2026-46300 , this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.
Just as Fragnasia, Dirty Frag has a publicly available PoC exploit that local attackers can use to gain root privileges on major Linux distributions.
"It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.
" To secure systems against attacks, Linux users are advised to apply kernel updates for their environment as soon as possible.
'Dirty Frag' Exploit Poised to Blow Up on Enterprise Linux Distros.
The flaw, which actually is two vulnerabilities chained together, is in the same class as previously discovered Linux flaws Dirty Pipe and Copy Fail , but affects a different kernel data structure than those issues.
The vulnerability affects a wide range of Linux distributions, including Ubuntu, Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora — none of which are fully patched yet.
Expands Scope of Previous Linux Kernel Bugs
Dirty Frag not only affects a different aspect of the Linux kernel than Copy Fail or Dirty Pipe, it also has a broader scope and thus is likely more dangerous, he said.
The flaw "refers to two distinct issues in the IPsec ESP (esp4/esp6) and rxrpc modules" in the Linux  kernel, according to Red Hat.
Dirty Frag, like Dirty Pipe and Copy Fail, involves weaknesses in the Linux kernel’s handling of page-cache memory writes.
The Linux kernel keeps file contents in RAM using the page cache for speed.
The Linux Kernel Organization already released patches to fix CVE-2026-43284 on Friday, which defenders are urged to apply quickly; however, patches for CVE-2026-43500 are not yet available.
Red Hat and the administrators of other major Linux distros are readying their own fixes for DirtyFrag.
Red Hat is expediting the release of fixes, according to its advisory, while Canonical Ubuntu said a fix will be distributed through Ubuntu's Linux kernel image packages, according to a blog post published Friday.
Don't Hesitate, Mitigate In the meantime, there are a number of steps that enterprises using affected versions of Linux can take to mitigate Dirty Frag.
9-Year-Old Dirty Frag Vulnerability Enables Root Access on Linux Systems.
Dirty Frag is the collective name researchers assigned to two Linux vulnerabilities that existed in the Linux kernel for around nine years before being discovered.
Red Hat, a major American software firm, has released a report on two Linux kernel vulnerabilities collectively dubbed Dirty Frag.
It works by linking two different vulnerabilities together to achieve root privileges on most Linux distributions that Kim tested.
Impacted Versions and Safety Steps Dirty Frag affects many Linux versions, including Red Hat Enterprise Linux 8, 9, and 10, OpenShift 4, Ubuntu, Fedora, CentOS Stream, and AlmaLinux.
He added, “Copy Fail, Dirty Pipe, and Dirty Frag are all exploiting the same root cause, but Dirty Frag is not limited to a single Linux subsystem, whereas Copy Fail is limited to only algif_aead and Dirty Pipe is limited to pipe_buffer.”
Dirty Frag: Linux kernel hit by second major security flaw in two weeks.
A second major Linux vulnerability has been disclosed in as many weeks, this time by an independent security researcher who published a working exploit after a coordinated disclosure embargo collapsed.
Copy Fail had prompted concern as it provided hackers with an escape route from cloud containers, meaning a compromised application running inside a supposedly isolated environment can break out and take control of the entire host server — a major risk given the cloud industry’s dependence on Linux distributions.
It was discovered by Hyunwoo Kim, and exploits the same underlying design flaw in how Linux manages files in memory.
“Because the embargo has currently been broken, no patch or CVE exists,” Kim wrote on the oss-security mailing list, adding that after consulting Linux maintainers, and at their request, he had decided to publish his writeup.
The Dirty Frag flaw is being tracked as two linked vulnerabilities — CVE-2026-43284 and CVE-2026-43500 — each affecting a different part of the Linux kernel's networking code.
Red Hat confirmed both flaws affect its enterprise Linux products and issued an advisory , classifying them as Important severity and expediting patches across supported RHEL releases.
SUSE, Debian, Fedora and Amazon Linux had all acknowledged the issue with patches in progress.
The patching process — which for open source software like Linux depends on a global network of volunteer and corporate maintainers, each responsible for their own distribution — can struggle to keep up even under ideal conditions.
organisation PoC
Zellic's head of assurance, William Bowling , who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit that achieves a memory-write primitive in the kernel that is used to corrupt the page cache memory of the /usr/bin/su binary to get a shell with root privileges on vulnerable systems.
organisation Zellic
Zellic's head of assurance, William Bowling , who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit that achieves a memory-write primitive in the kernel that is used to corrupt the page cache memory of the /usr/bin/su binary to get a shell with root privileges on vulnerable systems.
organisation the /usr/bin/su
Zellic's head of assurance, William Bowling , who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit that achieves a memory-write primitive in the kernel that is used to corrupt the page cache memory of the /usr/bin/su binary to get a shell with root privileges on vulnerable systems.
organisation IPsec
Those who can't immediately patch their devices should use the same mitigation used for Dirty Frag commands to remove vulnerable kernel modules (however, it's important to note that this will break AFS distributed network file systems and IPsec VPNs): rmmod esp4 esp6 rxrpc printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf Fragnasia's disclosure comes as Linux distros are still rolling out patches for " Copy Fail ," another privilege escalation vulnerability now actively exploited in the wild .
The flaw "refers to two distinct issues in the IPsec ESP (esp4/esp6) and rxrpc modules" in the Linux  kernel, according to Red Hat.
CVE-2026-43284 targets the IPsec path to overwrite memory, but it usually needs namespace permissions, which some systems, like Ubuntu, can block.
According to researchers, the Dirty Frag vulnerability has existed for around nine years, and caused by a logic flaw in the networking sections of the system that handle the IPSec ESP (esp4 and esp6) and rxrpc modules.
organisation PackageKit
" In April, Linux distros patched another root-privilege escalation vulnerability (dubbed Pack2TheRoot) in the PackageKit daemon that had gone unnoticed for a decade.
organisation Microsoft Defender
"Microsoft Defender is currently seeing limited in-the-wild activity where privilege escalation involving 'su' is observed, and which may be indicative of techniques associated with either "Dirty Frag" or "Copy Fail," read a blog post published Friday by the team.
organisation the RxRPC
According to a GitHub post by Kim, who goes by the handle "V4bel," Dirty Frag works by chaining two separate kernel flaws — the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability — to modify protected system files in memory without authorization and achieve privilege escalation.
These flaws are found in the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write.
organisation Copy Fail
It is a local privilege escalation (LPE) vulnerability similar to the recently reported Copy Fail, allowing an unprivileged user with a basic local account to gain root access.
In fact, there are signs Dirty Frag already is under limited exploitation, although it's unclear if attackers targeted Dirty Frag or Copy Fail, according to the Microsoft Defender Security Resarch Team.
organisation LPE
It is a local privilege escalation (LPE) vulnerability similar to the recently reported Copy Fail, allowing an unprivileged user with a basic local account to gain root access.
organisation New Fragnesia Linux
New Fragnesia Linux flaw lets attackers gain root privileges.
organisation Dirty Pipe
The flaw, which actually is two vulnerabilities chained together, is in the same class as previously discovered Linux flaws Dirty Pipe and Copy Fail , but affects a different kernel data structure than those issues.
He said that this bug is like older ones called Dirty Pipe and Copy Fail, but it uses a different part of the system called the fragment field.
organisation Ubuntu, Red Hat Enterprise Linux
The vulnerability affects a wide range of Linux distributions, including Ubuntu, Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora — none of which are fully patched yet.
organisation AlmaLinux
The vulnerability affects a wide range of Linux distributions, including Ubuntu, Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora — none of which are fully patched yet.
Impacted Versions and Safety Steps Dirty Frag affects many Linux versions, including Red Hat Enterprise Linux 8, 9, and 10, OpenShift 4, Ubuntu, Fedora, CentOS Stream, and AlmaLinux.
organisation esp4/esp6
The flaw "refers to two distinct issues in the IPsec ESP (esp4/esp6) and rxrpc modules" in the Linux  kernel, according to Red Hat.
organisation Red Hat
The flaw "refers to two distinct issues in the IPsec ESP (esp4/esp6) and rxrpc modules" in the Linux  kernel, according to Red Hat.
organisation RAM
The Linux kernel keeps file contents in RAM using the page cache for speed.
organisation The Linux Kernel Organization
The Linux Kernel Organization already released patches to fix CVE-2026-43284 on Friday, which defenders are urged to apply quickly; however, patches for CVE-2026-43500 are not yet available.
organisation DirtyFrag
Red Hat and the administrators of other major Linux distros are readying their own fixes for DirtyFrag.
organisation Canonical Ubuntu
Red Hat is expediting the release of fixes, according to its advisory, while Canonical Ubuntu said a fix will be distributed through Ubuntu's Linux kernel image packages, according to a blog post published Friday.
organisation Impacted Versions
Impacted Versions and Safety Steps Dirty Frag affects many Linux versions, including Red Hat Enterprise Linux 8, 9, and 10, OpenShift 4, Ubuntu, Fedora, CentOS Stream, and AlmaLinux.
organisation Red Hat Enterprise
Impacted Versions and Safety Steps Dirty Frag affects many Linux versions, including Red Hat Enterprise Linux 8, 9, and 10, OpenShift 4, Ubuntu, Fedora, CentOS Stream, and AlmaLinux.
organisation Important
Red Hat confirmed both flaws affect its enterprise Linux products and issued an advisory , classifying them as Important severity and expediting patches across supported RHEL releases.
organisation SUSE
SUSE, Debian, Fedora and Amazon Linux had all acknowledged the issue with patches in progress.
organisation Amazon Linux
SUSE, Debian, Fedora and Amazon Linux had all acknowledged the issue with patches in progress.
organisation CVE-2026
The two flaws that comprise Dirty Frag are tracked CVE-2026-43284 and CVE-2026-43500 , both of which were assigned 7.8 CVSS scores and a severity impact of "Important" by Red Hat.
CVE-2026-43284 targets the IPsec path to overwrite memory, but it usually needs namespace permissions, which some systems, like Ubuntu, can block.
organisation CVSS
The two flaws that comprise Dirty Frag are tracked CVE-2026-43284 and CVE-2026-43500 , both of which were assigned 7.8 CVSS scores and a severity impact of "Important" by Red Hat.
organisation V12
According to new analysis from cloud security firm Wiz, the vulnerability, dubbed Fragnesia and tracked as CVE-2026-46300, was discovered by William Bowling of Zellic and the V12 team.
organisation TCP
An attacker can engineer that confusion by feeding file contents into a TCP socket and then enabling ESP-in-TCP encryption on the same socket after the fact.
organisation AES
The kernel then proceeds to decrypt the queued bytes directly over the cached file pages, with the AES-GCM keystream producing controlled overwrites in memory.
organisation /usr/bin/su
In the PoC released by Bowling , the technique was used to rewrite the opening bytes of /usr/bin/su with a short payload that drops to a root shell.
organisation Dirty Frag
According to researchers, the Dirty Frag vulnerability has existed for around nine years, and caused by a logic flaw in the networking sections of the system that handle the IPSec ESP (esp4 and esp6) and rxrpc modules.
"Fragnesia is a member of the Dirty Frag vulnerability class.
"In particular, xfrm-ESP Page-Cache Write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail," he explained, adding that it also extends Dirty Pipe's and Copy Fail's bug class.
organisation Dirty Pipe's
"In particular, xfrm-ESP Page-Cache Write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail," he explained, adding that it also extends Dirty Pipe's and Copy Fail's bug class.
organisation BOD
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
organisation Microsoft Defender Security Resarch Team
In fact, there are signs Dirty Frag already is under limited exploitation, although it's unclear if attackers targeted Dirty Frag or Copy Fail, according to the Microsoft Defender Security Resarch Team.
organisation GitHub
It was in fact the Copy Fail flaw that first inspired Kim to explore the research that led to the discovery of Dirty Frag, he said in the GitHub post.
organisation Andrew File System
IPsec provides encrypted network communication and is commonly used for VPNs and site-to-site tunnels, while the rxrpc module implements the RxRPC protocol, which underpins Andrew File System (AFS), a distributed network filesystem.
organisation SuseLinux
SuseLinux administrators also said they are preparing kernel updates and livepatches to address the issue.
organisation SSH
Moreover, "any hardening measures that limit local access help reduce the risk of exploitation," according to Red Hat, including disabling SSH, ensuring SELinux is in enforcing mode, using the default Security Context Constraints (SCC), running workloads as non-root, and restricting "oc debug" access to trusted cluster administrators.
organisation SELinux
Moreover, "any hardening measures that limit local access help reduce the risk of exploitation," according to Red Hat, including disabling SSH, ensuring SELinux is in enforcing mode, using the default Security Context Constraints (SCC), running workloads as non-root, and restricting "oc debug" access to trusted cluster administrators.
While Red Hat is rushing to release official fixes, they suggest that keeping SELinux in enforcing mode and running workloads as non-root can help keep systems secure for now.
organisation Security Context Constraints (SCC
Moreover, "any hardening measures that limit local access help reduce the risk of exploitation," according to Red Hat, including disabling SSH, ensuring SELinux is in enforcing mode, using the default Security Context Constraints (SCC), running workloads as non-root, and restricting "oc debug" access to trusted cluster administrators.
organisation Hackread.com
Experts’ Perspectives Several industry experts have shared their perspectives with Hackread.com regarding the discovery and the risks it poses.
organisation Principal Cybersecurity Engineer
Ben Ronallo, Principal Cybersecurity Engineer at Black Duck, noted that there are technically two CVEs: “The first contains the primary details of the vulnerability class while the second is currently reserved for any unpatched kernels over time.”
organisation Black Duck
Ben Ronallo, Principal Cybersecurity Engineer at Black Duck, noted that there are technically two CVEs: “The first contains the primary details of the vulnerability class while the second is currently reserved for any unpatched kernels over time.”
organisation National Cyber Security Centre
Looming patch wave The Copy Fail and Dirty Frag disclosures are an early illustration of a problem Britain's National Cyber Security Centre had warned about just days earlier, when the agency’s chief technology officer Ollie Whitehouse said AI tools were about to prompt a surge of urgent software updates.
organisation HackerOne
In March, HackerOne paused its bug bounty program citing a “worsening imbalance between vulnerability discoveries and the ability for open source maintainers to remediate them,” and attributing the shift to AI-assisted research expanding the speed and volume of vulnerability discovery.
organisation NCSC
The NCSC said that administrators preparing for a patch wave now could help limit disruption later, warning that delays in applying fixes during periods of heightened vulnerability discovery could significantly increase the risk of compromise.
‎May 15
Threat actors exploited a newly discovered flaw in Linux, gaining root access to affected systems.
infrastructure Linux
CISA added Copy Fail to its catalog of flaws exploited in attacks on May 1 and ordered federal agencies to secure their Linux systems within two weeks, by May 15.
Tactical Metrics
Metrics
infrastructure
‎Linux
Affected Product
A new variant in the Dirty Frag family of Linux local privilege escalation flaws has surfaced, the third root-level Linux kernel bug disclosed in three weeks.
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
New Fragnesia Flaw Hands Linux Local Users Root Access.
The flaw affects all Linux kernels released before that date and allows unprivileged local users to gain root by writing arbitrary bytes into the kernel page cache of read-only files.
However, several Linux distributions have begun shipping their own backported patches.
Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root.
Those who can't immediately patch their devices should use the same mitigation used for Dirty Frag commands to remove vulnerable kernel modules (however, it's important to note that this will break AFS distributed network file systems and IPsec VPNs): rmmod esp4 esp6 rxrpc printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf Fragnasia's disclosure comes as Linux distros are still rolling out patches for " Copy Fail ," another privilege escalation vulnerability now actively exploited in the wild .
" In April, Linux distros patched another root-privilege escalation vulnerability (dubbed Pack2TheRoot) in the PackageKit daemon that had gone unnoticed for a decade.
New Fragnesia Linux flaw lets attackers gain root privileges.
Known as Fragnasia and tracked as CVE-2026-46300 , this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.
Bowling said this flaw belongs to the Dirty Frag vulnerability class, which was disclosed last week, and affects all Linux kernels released before May 13, 2026.
Just as Fragnasia, Dirty Frag has a publicly available PoC exploit that local attackers can use to gain root privileges on major Linux distributions.
"It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.
" To secure systems against attacks, Linux users are advised to apply kernel updates for their environment as soon as possible.
CISA added Copy Fail to its catalog of flaws exploited in attacks on May 1 and ordered federal agencies to secure their Linux systems within two weeks, by May 15.
A public exploit is available for a nine-year old vulnerability that affects the Linux kernel, paving the way for root privilege escalation.
'Dirty Frag' Exploit Poised to Blow Up on Enterprise Linux Distros.
The flaw, which actually is two vulnerabilities chained together, is in the same class as previously discovered Linux flaws Dirty Pipe and Copy Fail , but affects a different kernel data structure than those issues.
The vulnerability affects a wide range of Linux distributions, including Ubuntu, Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora — none of which are fully patched yet.
Expands Scope of Previous Linux Kernel Bugs
Dirty Frag not only affects a different aspect of the Linux kernel than Copy Fail or Dirty Pipe, it also has a broader scope and thus is likely more dangerous, he said.
The flaw "refers to two distinct issues in the IPsec ESP (esp4/esp6) and rxrpc modules" in the Linux  kernel, according to Red Hat.
Dirty Frag, like Dirty Pipe and Copy Fail, involves weaknesses in the Linux kernel’s handling of page-cache memory writes.
The Linux kernel keeps file contents in RAM using the page cache for speed.
The Linux Kernel Organization already released patches to fix CVE-2026-43284 on Friday, which defenders are urged to apply quickly; however, patches for CVE-2026-43500 are not yet available.
Red Hat and the administrators of other major Linux distros are readying their own fixes for DirtyFrag.
Red Hat is expediting the release of fixes, according to its advisory, while Canonical Ubuntu said a fix will be distributed through Ubuntu's Linux kernel image packages, according to a blog post published Friday.
Don't Hesitate, Mitigate In the meantime, there are a number of steps that enterprises using affected versions of Linux can take to mitigate Dirty Frag.
9-Year-Old Dirty Frag Vulnerability Enables Root Access on Linux Systems.
Dirty Frag is the collective name researchers assigned to two Linux vulnerabilities that existed in the Linux kernel for around nine years before being discovered.
Red Hat, a major American software firm, has released a report on two Linux kernel vulnerabilities collectively dubbed Dirty Frag.
It works by linking two different vulnerabilities together to achieve root privileges on most Linux distributions that Kim tested.
Impacted Versions and Safety Steps Dirty Frag affects many Linux versions, including Red Hat Enterprise Linux 8, 9, and 10, OpenShift 4, Ubuntu, Fedora, CentOS Stream, and AlmaLinux.
He added, “Copy Fail, Dirty Pipe, and Dirty Frag are all exploiting the same root cause, but Dirty Frag is not limited to a single Linux subsystem, whereas Copy Fail is limited to only algif_aead and Dirty Pipe is limited to pipe_buffer.”
Dirty Frag: Linux kernel hit by second major security flaw in two weeks.
A second major Linux vulnerability has been disclosed in as many weeks, this time by an independent security researcher who published a working exploit after a coordinated disclosure embargo collapsed.
Nicknamed “Dirty Frag,” the issue was found in the same area of the Linux kernel that produced last month’s Copy Fail bug, and also allows anyone with a basic account on an affected computer to seize full administrative control.
Copy Fail had prompted concern as it provided hackers with an escape route from cloud containers, meaning a compromised application running inside a supposedly isolated environment can break out and take control of the entire host server — a major risk given the cloud industry’s dependence on Linux distributions.
Dirty Frag also allows for container escape, and similarly affects nearly all Linux distributions in use today.
It was discovered by Hyunwoo Kim, and exploits the same underlying design flaw in how Linux manages files in memory.
Kim reported the flaw he discovered privately to Linux maintainers on April 30, giving them time to prepare patches as per the standard coordinated disclosure process.
“Because the embargo has currently been broken, no patch or CVE exists,” Kim wrote on the oss-security mailing list, adding that after consulting Linux maintainers, and at their request, he had decided to publish his writeup.
The Dirty Frag flaw is being tracked as two linked vulnerabilities — CVE-2026-43284 and CVE-2026-43500 — each affecting a different part of the Linux kernel's networking code.
Red Hat confirmed both flaws affect its enterprise Linux products and issued an advisory , classifying them as Important severity and expediting patches across supported RHEL releases.
SUSE, Debian, Fedora and Amazon Linux had all acknowledged the issue with patches in progress.
The patching process — which for open source software like Linux depends on a global network of volunteer and corporate maintainers, each responsible for their own distribution — can struggle to keep up even under ideal conditions.
Intelligence Sources
Dark Reading 2026-05-11
HackRead 2026-05-11
TheRecord 2026-05-11
BleepingComputer 2026-05-14
Infosecurity-Magazine 2026-05-14
Infosecurity-Magazine 2026-05-14