Microsoft has reported active campaign activity tied to a newly disclosed Linux local privilege escalation vulnerability called Dirty Frag. According to the company, the issue can let an unprivileged user escalate to root through vulnerable kernel networking and memory-fragment handling components. Microsoft says the vulnerability affects esp4, esp6 (CVE-2026-43284), and rxrpc (CVE-2026-43500), and it may be used after an initial compromise to expand access on a Linux host.
The report is focused on post-compromise risk. Microsoft says local privilege escalation flaws are often used after an attacker already has some level of access, such as through SSH, a web shell, a container escape, or a low-privileged account. In this case, Dirty Frag is notable because public reporting and proof-of-concept activity suggest the exploit was designed to be more reliable than traditional Linux local privilege escalation techniques that depend on race conditions.
Why Dirty Frag matters
Microsoft explains that gaining root access on a Linux system can significantly increase attacker control. Once elevated, an attacker may be able to disable security tooling, access sensitive credentials, tamper with logs, pivot laterally, and establish persistence. That is why a vulnerability that turns limited access into root access is especially important in enterprise environments.
Dirty Frag is also significant because it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components. Microsoft says this can improve exploitation reliability across vulnerable environments. The company notes that these components may already be enabled in many organizations to support IPsec, VPN functionality, or other networking workloads.
Technical overview
Microsoft describes Dirty Frag as a Linux kernel issue involving networking and memory-fragment handling behavior. The report says the vulnerability abuses esp4, esp6, and rxrpc components. It also says the technique is similar to the previously disclosed CopyFail vulnerability (CVE-2026-31431) in that it attempts to manipulate Linux page cache behavior to achieve privilege escalation.
At the same time, Microsoft says Dirty Frag adds further attack paths that broaden the opportunities for exploitation and improve reliability. The company does not confirm a single root cause beyond the vulnerable kernel networking and memory-fragment handling components described in the report.
Observed attack activity and likely entry points
Microsoft Defender is currently seeing limited in-the-wild activity where privilege escalation involving su is observed, and the company says this may be indicative of techniques associated with either Dirty Frag or CopyFail. The observed campaign follows a sequence that begins with an external connection gaining SSH access and spawning an interactive shell. It then stages and executes an ELF binary named ./update, which immediately triggers a privilege escalation via su.
After elevated access is obtained, Microsoft says the actor modifies a GLPI LDAP authentication file, with evidence of a .swp file from vim. The activity then includes reconnaissance of the GLPI directory and system configuration, inspection of an exploit artifact, and interaction with PHP session files. Microsoft reports that the actor deleted multiple session files, forcefully wiped additional ones, and then read remaining session data, which indicates both disruption of active sessions and access to session contents.
Mitigation guidance
Microsoft says the Linux Kernel Organization released patches for CVE-2026-43284 on May 8, 2026, and those patches are linked at the National Vulnerability Database. Customers who have not applied the patches are urged to do so as soon as possible.
As of May 8, 2026, patches for CVE-2026-43500 are not available. Microsoft says CVE-2026-43500 is reportedly reserved for the RxRPC issue but is not yet published in NVD. Because full remediation guidance is still evolving, organizations are advised to consider interim mitigation steps right away.
- Disable unused rxrpc kernel modules where operationally possible
- Assess whether esp4, esp6, and related xfrm/IPsec functionality can be reduced or limited
- Apply available kernel patches for CVE-2026-43284 without delay
- Review affected Linux environments for suspicious post-compromise activity
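A read-only check for the first two items of the interim mitigation list, added here as an example and not code from the Microsoft report: it inspects which of rxrpc, esp4, esp6 and a representative xfrm module (xfrm_user, an assumption) are loaded on a host and prints the modprobe.d fragment that would stop them from auto-loading.

```shell
#!/bin/sh
# Added example (not from the Microsoft report): audit the kernel modules
# named in the interim Dirty Frag mitigation list and print the modprobe.d
# fragment that blocks them. Reads /proc/modules, or a saved copy passed as
# an argument so it can be exercised offline. Review the fragment before
# installing it: IPsec and VPN workloads depend on esp4/esp6/xfrm.

# Assumption: xfrm_user stands in for the "related xfrm/IPsec" functionality
# the report mentions; adjust to the xfrm modules your hosts actually use.
WATCHED_MODULES="rxrpc esp4 esp6 xfrm_user"

# module_loaded NAME [MODULES_FILE]: succeed if NAME is a loaded module.
# The first field of each /proc/modules line is the module name.
module_loaded() {
    name="$1"
    file="${2:-/proc/modules}"
    [ -r "$file" ] || return 2
    awk -v m="$name" '$1 == m { found = 1 } END { if (found) exit 0; exit 1 }' "$file"
}

# loaded_watched_modules [MODULES_FILE]: print, space separated, those of
# WATCHED_MODULES that are currently loaded (an empty line if none are).
loaded_watched_modules() {
    file="${1:-/proc/modules}"
    out=""
    for m in $WATCHED_MODULES; do
        if module_loaded "$m" "$file"; then
            out="${out:+$out }$m"
        fi
    done
    printf '%s\n' "$out"
}

# mitigation_conf [MODULES_FILE]: print one modprobe.d "install" line per
# loaded watched module; "install X /bin/false" makes modprobe refuse to
# load X. An already loaded module also needs "modprobe -r X" to unload it.
mitigation_conf() {
    for m in $(loaded_watched_modules "$1"); do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Stand-alone run against the live host.
echo "loaded watched modules: $(loaded_watched_modules)"
mitigation_conf
```

Only modules that are unused by the host's workloads should go into /etc/modprobe.d; the third list item, applying the CVE-2026-43284 kernel patch, is still required regardless.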
What defenders should watch for
Microsoft says Defender is actively monitoring related activity and investigating additional detections and protections. The company also notes that affected environments may include Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE, and OpenShift deployments.
For organizations that rely on these platforms, the key takeaway is that Dirty Frag increases the danger of a compromise that already has a foothold. A limited account or exposed service may be enough to set the stage for root-level access if the vulnerable components are present and unpatched.
In short, Microsoft’s report frames Dirty Frag as an active Linux post-compromise risk with public proof-of-concept activity, confirmed patching for one CVE, and another issue that still awaits available fixes. Security teams should prioritize patching and review exposed Linux systems for signs of suspicious privilege escalation.