Concise Cyber

Dirty Frag (CVE-2026-43284) Linux Privilege Escalation Affects Major Distributions

Dirty Frag is a newly disclosed Linux kernel local privilege escalation chain tracked as CVE-2026-43284 and CVE-2026-43500. According to the disclosure, the issue can let attackers with local access gain root privileges by abusing flaws in the ESP (IPsec) and RxRPC subsystems. A public proof-of-concept exists, and no official patches were available at the time of disclosure.

The vulnerability has been described as a successor to Copy Fail (CVE-2026-31431). It was discovered by Hyunwoo Kim (@v4bel), and the same issue is also referred to as CopyFail2 in the source material. Organizations are being advised to treat the flaw as valid and exploitable under certain conditions.

What Dirty Frag Is

Dirty Frag combines two page-cache write primitives in the Linux kernel: one in xfrm-ESP and another in RxRPC. Both flaws allow modification of page-cache-backed memory that is not exclusively owned by the kernel. The result can be corruption of sensitive files and, ultimately, privilege escalation.

The source describes the exploit class as deterministic and highly reliable, similar to prior vulnerabilities such as Copy Fail and Dirty Pipe. That means the issue is not presented as a race-condition exploit. Instead, it relies on specific kernel interfaces and manipulation of page-backed buffers, including paths related to splice().

The root cause has not been confirmed beyond the disclosed flaw chain itself, but the material does state that the affected code paths date back to approximately 2017 for ESP and 2023 for RxRPC.

Affected Linux Systems and Scope

The full impact is still under investigation, and no complete version matrix is available yet. Even so, the disclosure identifies several products and distributions as affected or potentially affected.

  • Linux Kernel (ESP subsystem): affected since approximately 2017
  • Linux Kernel (RxRPC subsystem): affected since approximately 2023
  • Ubuntu: multiple versions tested and affected
  • RHEL 8, 9, and 10: affected
  • CentOS Stream 10: affected
  • AlmaLinux 8, 9, and 10: affected
  • Fedora recent versions: affected
  • openSUSE Tumbleweed: affected
  • OpenShift 4: potentially affected

The disclosure also notes that the vulnerability was revealed before the embargo expired, after details became public through reverse engineering of the fix. Defenders should therefore not treat the issue as theoretical; the source advises organizations to assume it is actionable.

Conditions That Affect Exploitation

Dirty Frag requires local access to specific vulnerable kernel interfaces and the ability to manipulate page-backed buffers. The source also says exploitation usually requires higher-level permissions such as CAP_NET_ADMIN. As a result, the risk is described as lower in hardened containerized environments with default seccomp profiles, including many Kubernetes deployments.

At the same time, the risk remains significant for virtual machines and less restricted environments. Because the flaw chain is deterministic and a proof-of-concept is public, security teams are being urged to evaluate exposure carefully rather than assuming the issue is difficult to exploit.

Recommended Mitigations

Until official patches are released, the source recommends temporary mitigation by disabling the vulnerable kernel modules. It also warns that doing so may affect related functionality.

  • Disable esp4, esp6, and rxrpc via modprobe configuration
  • Remove the modules where possible
  • Check operational impact before applying the mitigation
  • Monitor vendor advisories and patch as soon as updates are available
  • Restrict shell access and enforce least privilege
  • Ensure SELinux or AppArmor is enforced
  • Avoid granting unnecessary capabilities such as CAP_NET_ADMIN
  • Watch for abnormal privilege escalation and exploit-like behavior
  • Inspect the integrity of critical system binaries

The source specifically notes that disabling esp4 and esp6 may break IPsec functionality, while disabling rxrpc may affect AFS-based environments. It also mentions that some distributions, including AlmaLinux testing repositories, already have early patched kernels available.
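The following script is an added example for the module-based mitigation above; it is not from the disclosure, Wiz, or any distribution. It reports which of the three modules named in the article (esp4, esp6, rxrpc) are currently loaded and generates the modprobe.d fragment that blocks them. The function names, the output file name `/etc/modprobe.d/dirtyfrag.conf`, and the use of `install <module> /bin/false` alongside `blacklist` are this example's own choices.

```shell
#!/bin/sh
# Added example: audit and block the kernel modules named in the Dirty Frag
# interim mitigation. Module names come from the article; everything else
# (function names, file path, demo output) is an assumption of this script.

# Modules the disclosure recommends disabling until patched kernels ship.
DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Emit the modprobe.d fragment. "blacklist" only stops alias-based autoload;
# "install <mod> /bin/false" makes an explicit modprobe of the module fail too.
dirtyfrag_blacklist_conf() {
    for m in $DIRTY_FRAG_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Print each of the three modules that appears in a /proc/modules style
# listing (module name is the first field). Defaults to the live system.
loaded_vuln_modules() {
    modlist=${1:-/proc/modules}
    for m in $DIRTY_FRAG_MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modlist" 2>/dev/null; then
            printf '%s\n' "$m"
        fi
    done
}

# Exit 0 when none of the modules are loaded, 1 otherwise; handy as a
# pass/fail check in fleet-wide compliance scripts.
dirtyfrag_modules_absent() {
    [ -z "$(loaded_vuln_modules "$1")" ]
}

# Stand-alone use: report on the running kernel, then show the fragment an
# admin would place in /etc/modprobe.d/dirtyfrag.conf (nothing is written,
# and the modules are not unloaded; do that only after checking IPsec/AFS use).
if [ -r /proc/modules ]; then
    if dirtyfrag_modules_absent; then
        echo "none of: $DIRTY_FRAG_MODULES currently loaded"
    else
        echo "loaded modules named in the Dirty Frag mitigation:"
        loaded_vuln_modules
    fi
fi
echo "# proposed /etc/modprobe.d/dirtyfrag.conf"
dirtyfrag_blacklist_conf
```

After installing the fragment, `modprobe -r esp4 esp6 rxrpc` (on a host not using IPsec or AFS) and a reboot are still needed for already-loaded modules; the script only audits and prints.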

Why Security Teams Should Pay Attention

Dirty Frag is important because it affects core Linux kernel components and may span a wide range of versions. The combination of local access requirements, page-cache manipulation, and root escalation makes it especially relevant for environments where users, services, or workloads have elevated capabilities.

Wiz customers can use the pre-built queries and advisory in the Wiz Threat Intel Center to search for relevant instances in their environment. Wiz Research said it will continue updating the advisory as the situation develops.

In short, Dirty Frag is an unpatched Linux privilege escalation chain that defenders should track closely, mitigate where possible, and patch as soon as vendor updates become available.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons' work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
