Linux Bitten by Second Severe Vulnerability in as Many Weeks

ANOTHER? WHAT THE FRAG?
Production-version patches are coming online and should be installed pronto.
Dan Goodin – May 11, 2026 10:28 PM

Linux users have been bitten by yet another vulnerability that gives containers and untrusted users the ability to gain root access, marking the second time in as many weeks that a severe threat has caught defenders off guard.
The threat, known as Dirty Frag, allows low-privilege users, including those using virtual machines, to gain root control of servers. Attacks are particularly suitable in shared environments, where a server is used by multiple parties. Hackers can also gain root as long as they have access to a separate exploit that gives a toehold into a machine. Exploit code was leaked online three days ago and works reliably across virtually all Linux distributions. Microsoft has said it has spotted signs that hackers are experimenting with Dirty Frag in the wild.
Immediate and significant threat
The leaked exploit is deterministic, meaning it works precisely the same way each time it’s run and across different Linux distributions. It causes no crashes, making it stealthy to run. A vulnerability known as Copy Fail, disclosed last week with no patches available to end users, possesses the same characteristics.
“The ‘Dirty Frag’ vulnerability presents an immediate and significant threat to Linux systems, as it allows unauthorized users to gain root access by exploiting unpatched kernel flaws,” researchers from security firm Aviatrix wrote Monday. “With proof-of-concept exploits publicly available and signs of limited in-the-wild exploitation, organizations must act swiftly to apply patches and implement mitigations to protect their systems from potential compromise.”
Dirty Frag was discovered and disclosed late last week by researcher Hyunwoo Kim. The exploit chains together code for exploiting two vulnerabilities—tracked as CVE-2026-43284 and CVE-2026-43500. Shortly after the disclosure, someone else leaked key details, effectively making the vulnerability a zero-day. With that, Kim published the source code for the proof-of-concept exploit he had developed. While both vulnerabilities were patched in the Linux kernel, none of the distributions had incorporated the fix.
At the time this post went live, several distributors had released patches. Known distributors included Debian, AlmaLinux, and Fedora. People who are interested in other distributions should check with the official provider.
Both privilege escalation vulnerabilities stem from bugs in the kernel’s handling of page caches stored in memory, allowing untrusted users to modify them. They target caches in networking and memory-fragment handling components. Specifically, CVE-2026-43284 attacks the esp4 and esp6 processes, and CVE-2026-43500 zeroes in on rxrpc. Last week’s Copy Fail exploited faulty page caching in the authencesn AEAD template process, which is used for IPsec extended sequence numbers. A 2022 vulnerability named Dirty Pipe also stemmed from flaws that allow attackers to overwrite page caches.
Researchers from security firm Automox wrote:
Dirty Frag belongs to the same bug family as Dirty Pipe and Copy Fail, but it targets the frag member of the kernel’s struct sk_buff rather than pipe_buffer. The exploit uses splice() to plant a reference to a read-only page-cache page (for example, /etc/passwd or /usr/bin/su) into the frag slot of a sender-side skb. Receiver-side kernel code then performs in-place cryptographic operations on that frag, modifying the page cache in RAM. Every subsequent read of the file sees the corrupted version, even though the attacker only ever had read access.
CVE-2026-43284 is found in the esp_input() process on the IPsec ESP receive path. When an skb object is non-linear but lacks a frag list, the code skips skb_cow_data() and decrypts AEAD in place on the planted frag. From there, an attacker can control the file offset and the 4-byte value of each store.
CVE-2026-43500, meanwhile, resides in rxkad_verify_packet_1(). The process decrypts RxRPC payloads using a single-block process. Splice-pinned pages become both a source and destination. That, paired with the decryption key being freely extracted using the add_key (rxrpc), allows an attacker to rewrite contents in memory.
Either exploit used separately is unreliable. Some Ubuntu configurations use AppArmor to prevent untrusted users from creating namespace contents. That, in turn, neutralizes the ESP technique. Most other distributions by default don’t run rxrpc.ko, which neutralizes the RxRPC arm. When chained together, however, the two exploits allow attackers to obtain root on every major distribution Kim tested. Once the exploits run, attackers can use SSH access, web-shell execution, container escapes, or compromise low-privilege accounts.
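The two neutralizing conditions described above can be checked from a host snapshot. This is an added example, not code from the article or the researchers it cites; the sysctl names and their "restricted" values are assumptions about distribution-specific settings, and the result says nothing about whether the kernel itself is patched.

```python
from pathlib import Path

# Module names as given in the article for each CVE.
ESP_MODULES = {"esp4", "esp6"}   # CVE-2026-43284
RXRPC_MODULES = {"rxrpc"}        # CVE-2026-43500

# Assumption: sysctls that restrict unprivileged user namespaces, with the
# value that means "restricted". Which of them exist depends on the distro.
USERNS_RESTRICTED = {
    "kernel/apparmor_restrict_unprivileged_userns": "1",
    "kernel/unprivileged_userns_clone": "0",
    "user/max_user_namespaces": "0",
}

# Constructed sample in /proc/modules format, for running off-host.
SAMPLE_MODULES = ("esp4 28672 0 - Live 0x0000000000000000\n"
                  "rxrpc 385024 0 - Live 0x0000000000000000\n")

def loaded_modules(proc_modules_text):
    """Module names from /proc/modules-format text (first field per line)."""
    return {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}

def userns_restricted(sysctls):
    """True if any listed restriction sysctl holds its restricting value."""
    return any(sysctls.get(k) == v for k, v in USERNS_RESTRICTED.items())

def assess(proc_modules_text, sysctls):
    """Apply the article's two neutralizing conditions to a host snapshot."""
    mods = loaded_modules(proc_modules_text)
    esp_open = not userns_restricted(sysctls)
    # Snapshot only: built-in code and on-demand module loading are not covered.
    rxrpc_open = bool(RXRPC_MODULES & mods)
    return {
        "esp_modules_loaded": sorted(ESP_MODULES & mods),
        "esp_arm": "open" if esp_open else "neutralized (userns restricted)",
        "rxrpc_arm": "open" if rxrpc_open else "neutralized (rxrpc not loaded)",
        # Reading of the article: the chain succeeds where either arm works.
        "needs_attention": esp_open or rxrpc_open,
    }

def read_host(root="/proc"):
    """Collect the same inputs from a live Linux host."""
    base = Path(root)
    found = {k: (base / "sys" / k) for k in USERNS_RESTRICTED}
    sysctls = {k: p.read_text().strip() for k, p in found.items() if p.exists()}
    return (base / "modules").read_text(), sysctls

if __name__ == "__main__":
    live = Path("/proc/modules").exists()
    inputs = read_host() if live else (SAMPLE_MODULES, {})
    for field, value in assess(*inputs).items():
        print(f"{field}: {value}")
```

A host that reports `needs_attention: False` still needs the kernel update; the check only reflects the two configuration conditions the article names.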
“Dirty Frag is notable because it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components to improve exploitation reliability,” Microsoft researchers wrote. “Rather than relying on narrow timing windows or unstable corruption conditions often associated with Linux local privilege escalation exploits, Dirty Frag appears designed to increase consistency across vulnerable environments.”
Researchers at Google-owned Wiz said exploits will be less likely to break out of hardened containerized environments such as Kubernetes with default security settings in place. “However, the risk remains significant for virtual machines or less restricted environments.”
The best response for anyone using Linux is to install patches immediately. While fixes likely require a reboot, protection from a threat as severe as Dirty Frag outweighs the cost of disruptions. Anyone who can’t install immediately should follow the mitigation steps laid out in the posts linked above. Additional guidance can be found here.

Dan Goodin, Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.
