INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Kernel Vulnerability Exploit via Unpatched Software
2026-05-11 14:30 | Severity: MEDIUM
Executive Summary (AI-generated)
The discovery of a high-severity Linux kernel vulnerability chain, dubbed "Dirty Frag," has sent shockwaves through the cybersecurity community. This previously unknown flaw allows an attacker with local access to obtain root privileges on vulnerable devices, putting all major Linux distributions and their users at risk. Dirty Frag was detected in late April 2026 and chains two separate kernel issues: CVE-2026-43284, a write-what-where condition in the xfrm-ESP (IPsec) subsystem with a severity rating of 8.8 on the Common Vulnerability Scoring System (CVSS), and CVE-2026-43500, an out-of-bounds write in the RxRPC subsystem. Its impact is comparable to "Copy Fail," a nine-year-old kernel flaw tracked as CVE-2026-31431. Because the disclosure embargo was broken before patches were ready, Linux distribution maintainers are rushing to patch both vulnerabilities, with some already releasing fixes. The incident highlights the importance of keeping software up to date and secure, particularly for critical operating systems like Linux.
Technical Mitigations (AI-generated)
* Disable the vulnerable kernel modules as a temporary mitigation for Dirty Frag by running the following script as root (it writes a modprobe rule and tries to unload the modules): sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
* Assess operational impact before applying mitigation (disabling esp4 / esp6 may break IPsec functionality, disabling rxrpc may impact AFS-based environments)
* Apply patches as soon as they are available
* Harden local access paths: restrict shell access and enforce least privilege
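The mitigation script above writes a modprobe rule and attempts an rmmod, but the trailing "2>/dev/null; true" hides a failed unload, so a module that was in use stays resident even though the conf file is in place. The following POSIX shell checker is an added example (not from this page, from Wiz, or from the article) that verifies both conditions on a host: that each of esp4, esp6 and rxrpc has an "install <module> /bin/false" rule in a modprobe.d directory, and that none of them is still listed in a /proc/modules-style file. It assumes both paths are passed explicitly, and it deliberately does not count a plain "blacklist" line as blocking, because blacklist only stops alias autoloading, not an explicit modprobe or a dependency load. The sample host state built by make_sample is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the page, Wiz or the article): verify that the
# modprobe-based Dirty Frag mitigation is actually in effect on a host.
# Paths are parameters so the checks run against the real /etc/modprobe.d and
# /proc/modules, or against the constructed sample built by make_sample below.

# module_blocked CONF_DIR MODULE
# Returns 0 if some *.conf file in CONF_DIR carries "install MODULE /bin/false".
# Only that form counts: a plain "blacklist MODULE" line stops alias autoloading
# but not an explicit modprobe or a load pulled in as a dependency.
module_blocked() {
    conf_dir=$1
    mod=$2
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eqs "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/false([[:space:]]|$)" "$f"; then
            return 0
        fi
    done
    return 1
}

# module_loaded MODULES_FILE MODULE
# Returns 0 if MODULE is listed (first column) in a /proc/modules-style file,
# i.e. it is still resident even if a conf rule now prevents future loads.
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# check_dirtyfrag_mitigation CONF_DIR MODULES_FILE
# Prints a verdict per module and returns 0 only when esp4, esp6 and rxrpc are
# all blocked from loading and none of them is currently resident.
check_dirtyfrag_mitigation() {
    conf_dir=$1
    modules_file=$2
    rc=0
    for mod in esp4 esp6 rxrpc; do
        if module_blocked "$conf_dir" "$mod"; then blocked=yes; else blocked=no; rc=1; fi
        if module_loaded "$modules_file" "$mod"; then loaded=yes; rc=1; else loaded=no; fi
        printf '%-6s blocked=%s loaded=%s\n' "$mod" "$blocked" "$loaded"
    done
    return "$rc"
}

# make_sample DIR
# Constructed sample host state: the conf file from the mitigation script is in
# place, but rxrpc is still resident because "rmmod ... 2>/dev/null; true" in
# that script hides a failed unload (for example when the module is in use).
make_sample() {
    dir=$1
    mkdir -p "$dir/modprobe.d"
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
        > "$dir/modprobe.d/dirtyfrag.conf"
    # Constructed /proc/modules-style lines: name size refcount users state address.
    printf 'rxrpc 245760 1 kafs, Live 0x0000000000000000\nxfrm_user 49152 0 - Live 0x0000000000000000\n' \
        > "$dir/modules"
}

# Usage on a live host, with explicit paths:
#   sh check_dirtyfrag.sh /etc/modprobe.d /proc/modules
if [ "$#" -eq 2 ]; then
    check_dirtyfrag_mitigation "$1" "$2" || echo "WARNING: Dirty Frag mitigation is not fully in effect"
fi
```

On the constructed sample the check reports rxrpc as blocked but still loaded and returns non-zero; once the module is gone from the listing it returns zero. On a real host a module that is still resident after the script ran has to be unloaded explicitly (or the host rebooted) before the mitigation is complete.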
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Embargo
CVE-2026-43500
CVE-2026-43284
CVE-2026-31431
Target & Sectors
Global Scope
Incident Timeline
late April 2026
Independent security researcher Hyunwoo Kim detected Dirty Frag, two chained issues in subsystems of the Linux kernel, in late April 2026.
April 2026
Kim found a local privilege escalation (LPE) flaw in the Linux kernel that could allow an attacker with local access to a vulnerable device to obtain root privileges on all major Linux distributions; one of its two components is an out-of-bounds write in the RxRPC subsystem, tracked as CVE-2026-43500.
April 30
Kim contacted the Linux kernel security team on April 30.
May 8
The Linux kernel security team disclosed two separate high-severity page-cache vulnerabilities on May 8 which, chained together, make Dirty Frag. The same day, Kim notified users of the Openwall Project’s open source security email thread that the embargo on the new vulnerability disclosure had been broken before patches were ready, the Microsoft Defender Security Research Team reported “limited in-the-wild activity” that may be indicative of techniques associated with either Dirty Frag or Copy Fail, and Wiz shared a list of mitigation steps.
2026/05/11
Major Linux distributions are rushing to release patches for the two newly disclosed kernel vulnerabilities after the disclosure embargo was broken.
Source Context
Rushed Patches Follow Broken Embargo on New Linux Kernel Vulnerabilities (Infosecurity-Magazine, 2026-05-11)
Major Linux distributions are rushing to fix two new vulnerabilities after the disclosure embargo was broken.
The vulnerability, comprised of two chained issues in subsystems of the Linux kernel and known as ‘Dirty Frag,’ was detected in late April 2026 by independent security researcher Hyunwoo Kim.
He found a local privilege escalation (LPE) flaw in the Linux kernel that could allow an attacker with local access to a vulnerable device to obtain root privileges on all major Linux distributions.
This vulnerability has a similar impact to ‘Copy Fail,’ a nine-year-old flaw in the Linux kernel tracked as CVE-2026-31431.
Copy Fail was discovered in April by Taeyang Lee, a vulnerability researcher at offensive security firm Theori.
Lee’s work inspired Kim to look for similar vulnerabilities in the Linux kernel.
Kim said he contacted the Linux kernel security team on April 30.
However, on May 8 he notified users of the Openwall Project’s open source security email thread that the embargo on the new vulnerability disclosure had been broken before patches were ready.
“After consultation with the [Linux distributions] maintainers, and at the maintainers' request, I am publicly releasing this Dirty Frag document,” Kim wrote.
Kim also published a proof-of-concept (PoC) exploit for Dirty Frag.
Quickly, Kim and other members of the vulnerability research community worked to develop ways to fix the Dirty Frag vulnerability.
Meanwhile, the Linux kernel security team disclosed two separate high-severity page-cache vulnerabilities on May 8 which, chained together, make Dirty Frag.
The first, tracked as CVE-2026-43284, is a write-what-where condition vulnerability in the xfrm-ESP (IPsec) subsystem of the Linux kernel that has been exploitable since 2017. CVE-2026-43284 has a severity rating (CVSS) of 8.8.
The second one, tracked as CVE-2026-43500, is an out-of-bounds write in the RxRPC subsystem of the Linux kernel that has been exploitable since 2023.
The researchers believe Dirty Frag could be exploited for a variety of intrusion paths, including:
Compromising SSH accounts
Web-shell access on internet-facing applications
Container escapes into the host environment
Abusing low-privileged service accounts
Post-exploitation activity following phishing or remote access compromise
Meanwhile, maintainers of Linux distributions are progressively releasing patches for CVE-2026-43284 and CVE-2026-43500.
Observed In-the-Wild Activity Could Be Linked to Dirty Frag Exploitation
In a blog post published on May 8, the Microsoft Defender Security Research Team said it has identified “limited in-the-wild activity” where privilege escalation involving ‘su’ is observed, which may be indicative of techniques associated with either Dirty Frag or Copy Fail.
In another blog post, also published on May 8, Google Cloud-owned Wiz shared a list of mitigation steps.
These include the following steps:
Disabling the vulnerable kernel modules as a temporary mitigation (observable: /etc/modprobe.d/dirtyfrag.conf): sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
Assessing operational impact before applying mitigation (disabling esp4 / esp6 may break IPsec functionality, disabling rxrpc may impact AFS-based environments)
Applying patches as soon as they are available
Hardening local access paths: restrict shell access and enforce least privilege, ensure SELinux/AppArmor is enforced and avoid granting unnecessary capabilities (e.g. CAP_NET_ADMIN)
Tactical Metrics
Affected Product: Linux
Intelligence Sources
Infosecurity-Magazine, 2026-05-11: Rushed Patches Follow Broken Embargo on New Linux Kernel Vulnerabilities
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:29
Comprehensive Tactical Telemetry
Affected Product: Linux
Exploited CVE: CVE-2026-43284
Cyber Operation Type: Privilege Escalation
MITRE ATT&CK Technique: T1588.006 - Vulnerabilities