Dirty Frag Linux kernel flaw allows reliable root escalation
No patch available yet, exploit already in the wild targeting servers and containers.
Dirty Frag is a newly disclosed Linux kernel vulnerability chain that gives attackers reliable privilege escalation from any unprivileged account to full root control. Discovered by security researcher Hyunwoo Kim, it belongs to the same bug class as 2022's Dirty Pipe and the recent Copy Fail flaw. The chain abuses bugs in two separate networking subsystems: the IPsec Encapsulating Security Payload path (xfrm-ESP, tracked as CVE-2026-43284) and the RxRPC authentication path (CVE-2026-43500). By chaining these logic errors, attackers can modify read-only, page-cache-backed system files in memory and execute them with elevated privileges, without ever writing to the filesystem. Because the bugs are logic errors rather than race conditions, the exploit is highly reliable and does not cause a kernel panic on failure, so attempts can be repeated without leaving the crash evidence a failed race-based exploit would.
The vulnerability affects essentially all Linux distributions, and the situation is urgent: detailed exploit code and a proof-of-concept were published online on May 7 after an embargo break, and Microsoft's threat intelligence team has already observed Dirty Frag being used in the wild to escalate footholds on servers, cloud workloads, and containers. Patches are still being developed by kernel maintainers, and no complete fix exists yet. In the meantime, defenders are advised to block certain services, including VPNs and IPsec, to reduce attack surface. Given the exploit's reliability and availability, any Linux system with an unprivileged shell is at immediate risk.
- Unpatched logic bugs in Linux IPsec (CVE-2026-43284) and RxRPC (CVE-2026-43500) allow memory corruption for root escalation.
- The exploit is highly reliable, with no kernel panic on failure, enabling repeated, stealthy attempts.
- Microsoft threat intelligence confirms active exploitation in the wild against servers, clouds, and containers.
Why It Matters
Critical no-patch vulnerability affecting all Linux systems, giving attackers reliable root access with exploit code already public.