{"vulnerability": "CVE-2026-43284", "sightings": [{"uuid": "38500b61-703f-4a62-adc9-b2d89f2e4832", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/dju.eurosky.social/post/3mldbu6eqg22c", "content": "petite erreur de frappe\nil s'agit du CVE-2026-43284 ;)", "creation_timestamp": "2026-05-08T08:12:14.078734Z"}, {"uuid": "4156aeff-59d2-4029-9ed6-8524f90a9a0a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/dju.eurosky.social/post/3mldbvjhscc2c", "content": "petite erreur de frappe\nil s'agit du CVE-2026-43284\nwww.openwall.com/lists/oss-se...", "creation_timestamp": "2026-05-08T08:12:58.952374Z"}, {"uuid": "a789b2bd-0fac-4065-a29f-f6af98bdbc48", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/klaver/ae3745e2b8551740dc907703a05b1949", "content": "---\n- name: \"Mitigate DirtyFrag (CVE-2026-43284)\"\n  hosts: \"all\"\n  become: true\n  gather_facts: false\n  tasks:\n\n    - name: \"Prevent esp4 kernel module from being loaded\"\n      ansible.builtin.lineinfile:\n        path: \"/etc/modprobe.d/mitigate-dirtyfrag.conf\"\n        line: \"install esp4 /bin/false\"\n        state: \"present\"\n        create: true\n        mode: \"0644\"\n        owner: \"root\"\n        group: \"root\"\n\n    - name: \"Unload esp4 kernel module\"\n      community.general.modprobe:\n        name: \"esp4\"\n        state: \"absent\"\n        persistent: \"absent\"\n      notify: \"Reboot if loaded module found\"\n\n    - name: \"Prevent esp6 kernel module from being loaded\"\n      ansible.builtin.lineinfile:\n        
path: \"/etc/modprobe.d/mitigate-dirtyfrag.conf\"\n        line: \"install esp6 /bin/false\"\n        state: \"present\"\n        create: true\n        mode: \"0644\"\n        owner: \"root\"\n        group: \"root\"\n\n    - name: \"Unload esp6 kernel module\"\n      community.general.modprobe:\n        name: \"esp6\"\n        state: \"absent\"\n        persistent: \"absent\"\n      notify: \"Reboot if loaded module found\"\n\n    - name: \"Prevent rxrpc kernel module from being loaded\"\n      ansible.builtin.lineinfile:\n        path: \"/etc/modprobe.d/mitigate-dirtyfrag.conf\"\n        line: \"install rxrpc /bin/false\"\n        state: \"present\"\n        create: true\n        mode: \"0644\"\n        owner: \"root\"\n        group: \"root\"\n\n    - name: \"Unload rxrpc kernel module\"\n      community.general.modprobe:\n        name: \"rxrpc\"\n        state: \"absent\"\n        persistent: \"absent\"\n      notify: \"Reboot if loaded module found\"\n\n  handlers:\n    - name: \"Reboot if loaded module found\"\n      ansible.builtin.reboot:\n", "creation_timestamp": "2026-05-08T07:56:06.000000Z"}, {"uuid": "52601240-0e6c-4c0c-8e7b-a20fc4becc3f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/dju.eurosky.social/post/3mldcaiuoac2c", "content": "la faille #DirtyFrag a d\u00e9sormais son CVE:\nCVE-2026-43284", "creation_timestamp": "2026-05-08T08:19:07.624163Z"}, {"uuid": "60f54618-4939-47cb-988f-2050efa8ede4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mldgrdsyig2e", "content": "CVE-2026-43284 - xfrm: esp: avoid in-place decrypt on shared skb frags\nCVE ID : CVE-2026-43284\n \n Published : May 8, 2026, 7:21 a.m. 
| 1\u00a0hour, 4\u00a0minutes ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt ...", "creation_timestamp": "2026-05-08T09:40:07.538566Z"}, {"uuid": "84d343bb-7488-47b0-8d09-59c5f3a6e1c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116538377568822089", "content": "[related]chez AlmaLinux\n\"Dirty Frag (CVE-2026-43284) vulnerability fix is ready for testing\"\ud83d\udc47 https://almalinux.org/blog/2026-05-07-dirty-frag/", "creation_timestamp": "2026-05-08T10:02:02.131003Z"}, {"uuid": "67c4aba0-11bf-4f9b-8258-1ad6a7c5c436", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116538375077982531", "content": "Les deux vuln\u00e9rabilit\u00e9s composant #DirtyFrag ont re\u00e7u leurs num\u00e9ros CVE :\n\ud83d\udd34 CVE-2026-43284 \u2014 xfrm-ESP Page-Cache Write (patch\u00e9 en mainline : f4c50a4034e6)\ud83d\udfe1 CVE-2026-43500 \u2014 RxRPC Page-Cache Write\nSi ce n'est pas encore fait, la mitigation reste de blacklister esp4, esp6 et rxrpc.\ud83d\udc47 https://vulnerability.circl.lu/vuln/CVE-2026-43284", "creation_timestamp": "2026-05-08T10:01:23.808611Z"}, {"uuid": "4427c4be-3dd8-49cb-b69f-7c94919e2be0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/wdormann/statuses/116539044705700152", "content": "And just to clarify about \"Dirty Frag\" vs. 
\"Copy Fail 2\":\nDirty Frag is TWO vulnerabilities:\n\nThe xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6.\nThe RxRPC Page-Cache Write vulnerability has been reserved as CVE-2026-43500 for tracking; no patch exists in any tree yet.\nCopy Fail 2 is a \"clean room\" rediscovery/exploitation of f4c50a4034e6\nSince Copy Fail 2 was published to GitHub 1 hour earlier than Dirty Frag was published.  The Dirty Frag writeup specifies that the embargo was broken, and as a result TWO vulnerabilities were disclosed.\nPersonally, I think that if you publish a patch for a vulnerability, and then you begin an embargo a week after it was published, that doesn't really count as an \"embargo\"?  \ud83e\udd37\u200d\u2642\ufe0f\nFun stuff...", "creation_timestamp": "2026-05-08T12:51:43.619832Z"}, {"uuid": "0810d7c6-63e3-45a8-abbe-5b5298a3b3df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/aoetk.bsky.social/post/3mldllohhqs2s", "content": "\u307e\u305f\u30ab\u30fc\u30cd\u30eb\u8106\u5f31\u6027\u3067\u3053\u3093\u306a\u306e\u304c\u51fa\u3066\u304d\u305f\u3093\u304b\u30fc\u3044\n\n/ Linux Kernel\u306eLPE(Local Privilege Escalation)\u8106\u5f31\u6027(Dirty Frag: CVE-2026-43284, CVE-2026-43500) security.sios.jp/vulnerabilit...", "creation_timestamp": "2026-05-08T11:06:29.971113Z"}, {"uuid": "e3f410b3-2611-4b70-8c4b-0d53c2ff7140", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/aoetk.fedibird.com.ap.brid.gy/post/3mldlq5pm74r2", "content": "\u307e\u305f\u30ab\u30fc\u30cd\u30eb\u8106\u5f31\u6027\u3067\u3053\u3093\u306a\u306e\u304c\u51fa\u3066\u304d\u305f\u3093\u304b\u30fc\u3044\n\n/ Linux Kernel\u306eLPE(Local 
Privilege Escalation)\u8106\u5f31\u6027(Dirty Frag: CVE-2026-43284, CVE-2026-43500) - SIOS SECURITY BLOG https://security.sios.jp/vulnerability/kernel-security-vulnerability-20260508/", "creation_timestamp": "2026-05-08T11:13:12.235863Z"}, {"uuid": "5de3f4dc-be1c-47fb-91a7-de89d9706a8c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://fosstodon.org/users/alpinelinux/statuses/116538695628774725", "content": "2 new vulnerabilities similar to coyfail:\n- CVE-2026-31431 (Dirty Frag)- CVE-2026-43284\nhttps://github.com/V4bel/dirtyfrag\nWe're waiting for a release containing the last one before pushing new kernels to aports.\nhttps://github.com/V4bel/dirtyfrag#cleanup mentions a mitigation in the meantime.", "creation_timestamp": "2026-05-08T11:22:57.462256Z"}, {"uuid": "287a1372-f393-4e12-b3f1-06d6e58958da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/soara.bsky.social/post/3mldmlppj6c2l", "content": "\u4eca\u65e5\u51fa\u305f linux kernel \u306e\u8106\u5f31\u6027 \"Dirty Frag\" CVE-2026-43284 \u306b\u5bfe\u5fdc\u3057\u305f kernel (\u30d0\u30cb\u30e9\u30ab\u30fc\u30cd\u30eb)\u304c\u5404\u30d0\u30fc\u30b8\u30e7\u30f3\u3067\u51fa\u305f\u6a21\u69d8\n\n* 7.0.5\n* 6.18.28\n* 6.12.87\n* 6.6.138\n* 6.1.171\n* 5.15.205\n* 5.10.255", "creation_timestamp": "2026-05-08T11:24:21.776149Z"}, {"uuid": "3b3256ff-6a9f-4548-a010-6c0cb280779d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116538432803616915", "content": "Nouveaux kernels stables : 7.0.5 / 6.18.28 / 6.12.87 / 6.6.138\nIls embarquent un fix 
partiel pour #DirtyFrag (CVE-2026-43284) et Copy Fail 2.\nPartiel, car Greg Kroah-Hartman a confirm\u00e9 qu'un second patch est encore en d\u00e9veloppement et n'a pas encore \u00e9t\u00e9 merg\u00e9. \nLa mitigation par blacklist des modules reste donc recommand\u00e9e en attendant.\ud83d\udc47 https://lwn.net/Articles/1071775/\n#Linux #Kernel #CyberVeille", "creation_timestamp": "2026-05-08T10:16:04.837440Z"}, {"uuid": "6b67825a-dc2d-4543-a253-3e059d70c686", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/xc78xsgzsd-droid/7bb632be2e3e341b4e8b4cc79deac739", "content": "#!/bin/sh\n# ============================================================\n# DirtyFrag Vulnerability Checker\n# CVE-2026-43284 (xfrm/ESP) + CVE-2026-43500 (rxrpc)\n# Disclosed: 2026-05-07 | No patch available yet\n# ============================================================\n\nRED='\\033[0;31m'; YEL='\\033[1;33m'; GRN='\\033[0;32m'\nBLD='\\033[1m'; RST='\\033[0m'\n\nok()   { printf \"${GRN}[OK]${RST}     %s\\n\" \"$1\"; }\nwarn() { printf \"${YEL}[WARN]${RST}   %s\\n\" \"$1\"; }\nvuln() { printf \"${RED}[VULN]${RST}   %s\\n\" \"$1\"; }\ninfo() { printf \"         %s\\n\" \"$1\"; }\n\necho\nprintf \"${BLD}=== DirtyFrag Vulnerability Check ===${RST}\\n\"\nprintf \"    CVE-2026-43284 (ESP/xfrm) + CVE-2026-43500 (rxrpc)\\n\"\nprintf \"    Kernel: %s\\n\\n\" \"$(uname -r)\"\n\nVULN_COUNT=0\n\n# \u2500\u2500 1. Mitigation already in place? 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[1] Modprobe blacklist (/etc/modprobe.d/dirtyfrag.conf)${RST}\\n\"\nif [ -f /etc/modprobe.d/dirtyfrag.conf ] || \\\n   grep -rq 'install esp4 /bin/false' /etc/modprobe.d/ 2>/dev/null; then\n    ok \"Blacklist found \u2013 modules blocked from loading\"\n    MITIGATED=1\nelse\n    warn \"No blacklist found\"\n    MITIGATED=0\nfi\necho\n\n# \u2500\u2500 2. Vulnerable modules currently loaded? \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[2] Loaded kernel modules (esp4 / esp6 / rxrpc)${RST}\\n\"\nfor MOD in esp4 esp6 rxrpc; do\n    if lsmod 2>/dev/null | grep -q \"^${MOD} \"; then\n        vuln \"Module '${MOD}' is currently LOADED\"\n        VULN_COUNT=$((VULN_COUNT + 1))\n    else\n        ok \"Module '${MOD}' not loaded\"\n    fi\ndone\necho\n\n# \u2500\u2500 3. Modules available on disk? \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[3] Module files available on disk${RST}\\n\"\nKVER=$(uname -r)\nfor MOD in esp4 esp6 rxrpc; do\n    FOUND=$(find /lib/modules/${KVER} -name \"${MOD}.ko\" -o -name \"${MOD}.ko.xz\" \\\n                                     -o -name \"${MOD}.ko.zst\" 2>/dev/null | head -1)\n    if [ -n \"$FOUND\" ]; then\n        if [ \"$MITIGATED\" -eq 1 ]; then\n            warn \"Module '${MOD}' exists on disk (but loading is blocked)\"\n            info \"\u2192 $FOUND\"\n        else\n            vuln \"Module '${MOD}' exists and CAN be auto-loaded\"\n            info \"\u2192 $FOUND\"\n            VULN_COUNT=$((VULN_COUNT + 1))\n        fi\n    else\n        ok \"Module '${MOD}' not found on disk\"\n    fi\ndone\necho\n\n# \u2500\u2500 4. 
User namespace creation (xfrm/ESP exploit path) \u2500\u2500\u2500\u2500\nprintf \"${BLD}[4] Unprivileged user namespaces (CVE-2026-43284 path)${RST}\\n\"\nUSERNS=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)\nif [ \"$USERNS\" = \"0\" ]; then\n    ok \"user.max_user_namespaces = 0 (xfrm/ESP exploit path blocked)\"\nelse\n    USERNS=${USERNS:-\"unknown\"}\n    warn \"user.max_user_namespaces = ${USERNS} (ESP exploit path reachable)\"\n    info \"\u2192 Ubuntu: check AppArmor profile for namespace restriction\"\nfi\n\n# AppArmor namespace restriction (Ubuntu)\nif [ -f /sys/kernel/security/apparmor/profiles ]; then\n    if grep -q 'unprivileged_userns' /sys/kernel/security/apparmor/profiles 2>/dev/null || \\\n       [ -f /etc/apparmor.d/tunables/userns ]; then\n        ok \"AppArmor namespace restriction detected (Ubuntu-style mitigation)\"\n    fi\nfi\necho\n\n# \u2500\u2500 5. rxrpc-specific check \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[5] rxrpc path (CVE-2026-43500 \u2013 no namespace needed)${RST}\\n\"\nif lsmod 2>/dev/null | grep -q '^rxrpc '; then\n    vuln \"rxrpc is loaded \u2013 exploit path requires NO namespace privilege\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelif find /lib/modules/${KVER} -name 'rxrpc.ko*' 2>/dev/null | grep -q .; then\n    if [ \"$MITIGATED\" -eq 1 ]; then\n        ok \"rxrpc available but loading is blacklisted\"\n    else\n        vuln \"rxrpc module present and loadable (no namespace needed to exploit)\"\n        VULN_COUNT=$((VULN_COUNT + 1))\n    fi\nelse\n    ok \"rxrpc module not present on this system\"\nfi\necho\n\n# \u2500\u2500 6. 
Page cache integrity hint \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[6] Page cache integrity check (exploit IOC)${RST}\\n\"\nPASSWD_SIZE=$(stat -c%s /etc/passwd 2>/dev/null)\nSHADOW_SIZE=$(stat -c%s /etc/shadow 2>/dev/null)\nif [ -n \"$PASSWD_SIZE\" ] && [ \"$PASSWD_SIZE\" -lt 50 ]; then\n    vuln \"/etc/passwd suspiciously small (${PASSWD_SIZE} bytes) \u2013 possible tampering!\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelse\n    ok \"/etc/passwd size appears normal (${PASSWD_SIZE} bytes)\"\nfi\n\n# Check for unexpected root entries (new UID 0 lines)\nROOT_ENTRIES=$(grep -c ':0:' /etc/passwd 2>/dev/null)\nif [ \"$ROOT_ENTRIES\" -gt 2 ]; then\n    vuln \"Multiple UID-0 entries in /etc/passwd (${ROOT_ENTRIES}) \u2013 check for backdoor!\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelse\n    ok \"No unexpected UID-0 entries in /etc/passwd\"\nfi\necho\n\n# \u2500\u2500 Summary \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}=== Summary ===${RST}\\n\"\nKERNEL_YEAR=$(uname -r | grep -oE '^[0-9]+' )\nif [ \"$KERNEL_YEAR\" -ge 4 ] 2>/dev/null; then\n    info \"Kernel $(uname -r) is in the affected range (since Jan 2017)\"\nelse\n    info \"Kernel $(uname -r) \u2013 age unclear, manual review recommended\"\nfi\n\nif [ \"$MITIGATED\" -eq 1 ] && [ \"$VULN_COUNT\" -eq 0 ]; then\n    printf \"\\n${GRN}${BLD}[RESULT] Mitigation applied \u2013 system appears protected${RST}\\n\"\n    info \"\u2192 Revert /etc/modprobe.d/dirtyfrag.conf once a patched kernel is installed\"\nelif [ \"$VULN_COUNT\" -eq 0 ]; then\n    printf \"\\n${YEL}${BLD}[RESULT] No active modules loaded, but no 
blacklist in place${RST}\\n\"\n    info \"\u2192 Modules can still be auto-loaded. Apply mitigation to be safe.\"\nelse\n    printf \"\\n${RED}${BLD}[RESULT] SYSTEM LIKELY VULNERABLE (${VULN_COUNT} issue(s) found)${RST}\\n\"\n    info \"\u2192 Apply mitigation immediately (unless you use IPsec/kAFS):\"\n    printf \"\\n\"\n    printf '    sudo sh -c \"printf '\"'\"'install esp4 /bin/false\\ninstall esp6 /bin/false\\ninstall rxrpc /bin/false\\n'\"'\"' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true\"\\n'\n    printf \"\\n\"\n    info \"\u2192 Optionally drop page cache afterwards:\"\n    info \"  sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'\"\nfi\necho\n", "creation_timestamp": "2026-05-08T12:08:27.000000Z"}, {"uuid": "e9ba71ef-2538-4333-bf26-c82005c6126a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/dougburks.bsky.social/post/3mldpbqyaqc2k", "content": "OhMyDebn 3.7.1 now available with mitigation for Dirty Frag local privilege escalation CVE-2026-43284\n\nOhMyDebn is a debonair Linux desktop for power users. 
It gives you the stability of the Debian distro, the ease of use of the Cinnamon desktop, and the power of AI, containers, and virtualization.", "creation_timestamp": "2026-05-08T12:12:32.311177Z"}, {"uuid": "32642579-8baf-4015-b07f-ec5ee5ab6151", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/bykvaadm/7bb8937ebc4f0485fea26fa27af4c522", "content": "- name: Mitigate DirtyFrag (CVE-2026-43284 / CVE-2026-43500)\n    hosts: all\n    become: true\n    tasks:\n      - name: Caveats\n        debug:\n          msg: |\n            \u0412\u041d\u0418\u041c\u0410\u041d\u0418\u0415:\n            - esp4/esp6: \u0435\u0441\u043b\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f IPsec VPN (strongSwan, Libreswan \u0438 \u0434\u0440.) \u2014\n              \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 \u0441\u043b\u043e\u043c\u0430\u0435\u0442 \u0442\u0443\u043d\u043d\u0435\u043b\u0438. 
\u0412 \u0442\u0430\u043a\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u0436\u0434\u0430\u0442\u044c \u043f\u0430\u0442\u0447\u0430 \u044f\u0434\u0440\u0430.\n            - rxrpc: \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u0434\u043b\u044f AFS/Kerberos, \u0432 \u0431\u043e\u043b\u044c\u0448\u0438\u043d\u0441\u0442\u0432\u0435 \u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\n              \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e \u043e\u0442\u043a\u043b\u044e\u0447\u0430\u0442\u044c.\n            - CVE-2026-43500 (rxrpc) \u043f\u043e\u043a\u0430 \u043d\u0435 \u0437\u0430\u043f\u0430\u0442\u0447\u0435\u043d \u2014 \u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u043a\u0430 \u043c\u043e\u0434\u0443\u043b\u044f\n              \u0435\u0434\u0438\u043d\u0441\u0442\u0432\u0435\u043d\u043d\u0430\u044f \u0437\u0430\u0449\u0438\u0442\u0430 \u0434\u043e \u0432\u044b\u0445\u043e\u0434\u0430 \u043f\u0430\u0442\u0447\u0430 \u044f\u0434\u0440\u0430.\n            - \u041f\u043e\u0441\u043b\u0435 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 DirtyFrag page cache \u0437\u0430\u0441\u043e\u0440\u0451\u043d \u2014 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f\n              drop cache \u0438\u043b\u0438 \u0440\u0435\u0431\u0443\u0442.\n\n      - name: Blacklist vulnerable modules\n        copy:\n          dest: /etc/modprobe.d/dirtyfrag-mitigation.conf\n          content: |\n            install esp4 /bin/false\n            install esp6 /bin/false\n            install rxrpc /bin/false\n            blacklist esp4\n            blacklist esp6\n            blacklist rxrpc\n\n      - name: Unload modules if loaded\n        modprobe:\n          name: \"{{ item }}\"\n          state: absent\n        loop: [esp4, esp6, rxrpc]\n        failed_when: false\n        when: ansible_facts.get('ansible_virtualization_type') != 'container'\n\n      
- name: Verify modules not loaded\n        shell: lsmod | grep -E '^(esp4|esp6|rxrpc)\\s'\n        register: check\n        failed_when: check.rc == 0\n        changed_when: false\n        when: ansible_facts.get('ansible_virtualization_type') != 'container'", "creation_timestamp": "2026-05-08T13:41:26.000000Z"}, {"uuid": "f85163d3-4a64-4107-bff6-c03e725d9acf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/m3nu/d85533bbf342edd3a9426711409a1b9a", "content": "", "creation_timestamp": "2026-05-08T13:45:53.000000Z"}, {"uuid": "0b255b26-f5ad-4b7f-b932-017beb6d3fbd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/sayem314/dd8d3932a2e91d6a8a454b9986f6087e", "content": "Dirty Frag is a Linux kernel local privilege escalation chain involving the IPsec ESP stack and RxRPC. If a vulnerable host runs untrusted local code, containers, CI jobs, app sandboxes, or shared shell users, treat it as urgent.\n\nThe real fix is a patched kernel from your distribution. 
Until Debian or Ubuntu ship fixed kernels for your release, the mitigation below blocks the affected modules:\n\n- `esp4`\n- `esp6`\n- `rxrpc`\n\nSources:\n\n- https://github.com/V4bel/dirtyfrag\n- https://dirtyfrag.io/\n- https://openwall.com/lists/oss-security/2026/05/07/10\n\n## What this disables\n\nThis mitigation disables kernel IPsec ESP and RxRPC.\n\nLikely unaffected:\n\n- HTTPS/TLS\n- SSH\n- Docker bridge networking\n- WireGuard\n- Tailscale\n- OpenVPN\n- normal web apps and APIs\n\nLikely affected:\n\n- strongSwan/libreswan IPsec tunnels using ESP\n- software depending on RxRPC or AFS\n\nCheck before applying on VPN gateways:\n\n```bash\nip xfrm state\nsystemctl list-units --type=service --all 'strongswan*' 'ipsec*' 'libreswan*' 'openafs*' 'afsd*'\nps -eo comm,args | grep -E 'strongswan|charon|pluto|ipsec|openafs|afsd|rxrpc' | grep -v grep || true\n```\n\n## Quick check\n\n```bash\nuname -r\ngrep -E '^(esp4|esp6|rxrpc) ' /proc/modules || echo \"esp4, esp6, rxrpc are not currently loaded\"\nmodprobe -n -v esp4 2>/dev/null || true\nmodprobe -n -v esp6 2>/dev/null || true\nmodprobe -n -v rxrpc 2>/dev/null || true\n```\n\nIf one of these features is built directly into your kernel instead of available as a module, a modprobe blacklist cannot disable it. 
In that case, prioritize a fixed kernel and reboot.\n\n## Manual mitigation\n\n```bash\nsudo tee /etc/modprobe.d/disable-dirtyfrag.conf >/dev/null <<'EOF'\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\nEOF\n\nsudo modprobe -r esp4 esp6 rxrpc 2>/dev/null || true\nsync\necho 3 | sudo tee /proc/sys/vm/drop_caches >/dev/null\n```\n\nVerify:\n\n```bash\nif grep -E '^(esp4|esp6|rxrpc) ' /proc/modules; then\n  echo \"STILL LOADED: reboot or investigate module users\"\nelse\n  echo \"Dirty Frag modules are not loaded\"\nfi\n\nfor module in esp4 esp6 rxrpc; do\n  echo \"== $module ==\"\n  modprobe -n -v \"$module\" 2>/dev/null || true\ndone\n```\n\nExpected `modprobe -n -v` output should include:\n\n```text\ninstall /bin/false\n```\n\n## Patch when your distro ships a kernel fix\n\nKeep normal security updates moving. The module block is a mitigation, not the final repair.\n\n```bash\nsudo apt update\nsudo apt full-upgrade\nsudo reboot\n```\n\nAfter reboot:\n\n```bash\nuname -r\ngrep -E '^(esp4|esp6|rxrpc) ' /proc/modules || true\n```\n\n## Ansible playbook\n\nSave as `dirtyfrag-mitigate.yml`:\n\n```yaml\n---\n- name: Mitigate Dirty Frag CVE-2026-43284 and CVE-2026-43500\n  hosts: all\n  become: true\n  gather_facts: false\n\n  vars:\n    dirtyfrag_modules:\n      - esp4\n      - esp6\n      - rxrpc\n\n  tasks:\n    - name: Check active IPsec xfrm state\n      ansible.builtin.command: ip xfrm state\n      register: dirtyfrag_xfrm_state\n      changed_when: false\n      failed_when: false\n\n    - name: Show active IPsec xfrm state warning\n      ansible.builtin.debug:\n        msg: \"Active xfrm state detected. 
Confirm this host is not an IPsec gateway before disabling esp4/esp6.\"\n      when: dirtyfrag_xfrm_state.stdout | trim | length > 0\n\n    - name: Block Dirty Frag kernel modules from loading\n      ansible.builtin.copy:\n        dest: /etc/modprobe.d/disable-dirtyfrag.conf\n        owner: root\n        group: root\n        mode: \"0644\"\n        content: |\n          {% for module in dirtyfrag_modules %}\n          install {{ module }} /bin/false\n          {% endfor %}\n      register: dirtyfrag_blacklist\n\n    - name: Unload Dirty Frag modules if currently loaded\n      community.general.modprobe:\n        name: \"{{ item }}\"\n        state: absent\n      loop: \"{{ dirtyfrag_modules }}\"\n      register: dirtyfrag_unload\n      failed_when: false\n\n    - name: Flush filesystem buffers before clearing page cache\n      ansible.builtin.command: sync\n      changed_when: false\n      when: dirtyfrag_blacklist.changed or dirtyfrag_unload.changed\n\n    - name: Clear page cache after mitigation changes\n      ansible.builtin.command: sysctl -w vm.drop_caches=3\n      changed_when: true\n      when: dirtyfrag_blacklist.changed or dirtyfrag_unload.changed\n\n    - name: Check whether Dirty Frag modules are still loaded\n      ansible.builtin.shell: \"grep -E '^(esp4|esp6|rxrpc) ' /proc/modules\"\n      register: dirtyfrag_loaded\n      changed_when: false\n      failed_when: false\n\n    - name: Verify modprobe resolves modules to /bin/false\n      ansible.builtin.command: \"modprobe -n -v {{ item }}\"\n      loop: \"{{ dirtyfrag_modules }}\"\n      register: dirtyfrag_modprobe_check\n      changed_when: false\n      failed_when: false\n\n    - name: Show mitigation status\n      ansible.builtin.debug:\n        msg:\n          - \"config_changed={{ dirtyfrag_blacklist.changed }}\"\n          - \"loaded_modules={{ dirtyfrag_loaded.stdout | default('') }}\"\n          - \"modprobe_checks={{ dirtyfrag_modprobe_check.results | map(attribute='stdout') | list 
}}\"\n\n    - name: Fail if Dirty Frag modules are still loaded\n      ansible.builtin.fail:\n        msg: \"One or more Dirty Frag modules are still loaded. Reboot this host or inspect module users.\"\n      when: dirtyfrag_loaded.rc == 0\n```\n\nExample `inventory.yml`:\n\n```yaml\n---\nall:\n  children:\n    webservers:\n      hosts:\n        web-1:\n          ansible_host: 203.0.113.10\n          ansible_user: ubuntu\n        web-2:\n          ansible_host: 203.0.113.11\n          ansible_user: ubuntu\n    workers:\n      hosts:\n        worker-1:\n          ansible_host: 203.0.113.20\n          ansible_user: debian\n  vars:\n    ansible_become: true\n    ansible_python_interpreter: /usr/bin/python3\n```\n\nRun it:\n\n```bash\nansible-playbook -i inventory.yml dirtyfrag-mitigate.yml\n```\n\nRun only a selected group:\n\n```bash\nansible-playbook -i inventory.yml dirtyfrag-mitigate.yml --limit webservers\n```\n\n## Ansible role-style task\n\nIf you already have a common hardening role, put the modules in group vars:\n\n```yaml\ndisabled_kernel_modules:\n  - esp4\n  - esp6\n  - rxrpc\n```\n\nThen use this task block:\n\n```yaml\n- name: Block disabled kernel modules from loading\n  ansible.builtin.copy:\n    dest: \"/etc/modprobe.d/disable-{{ item }}.conf\"\n    owner: root\n    group: root\n    mode: \"0644\"\n    content: |\n      install {{ item }} /bin/false\n  loop: \"{{ disabled_kernel_modules | default([]) }}\"\n  register: disabled_kernel_module_blacklists\n\n- name: Unload disabled kernel modules if currently loaded\n  community.general.modprobe:\n    name: \"{{ item }}\"\n    state: absent\n  loop: \"{{ disabled_kernel_modules | default([]) }}\"\n  register: disabled_kernel_module_unloads\n  failed_when: false\n\n- name: Flush filesystem buffers before clearing page cache\n  ansible.builtin.command: sync\n  changed_when: false\n  when: disabled_kernel_module_blacklists.changed or disabled_kernel_module_unloads.changed\n\n- name: Clear page cache after 
Dirty Frag mitigation changes\n  ansible.builtin.command: sysctl -w vm.drop_caches=3\n  changed_when: true\n  when: disabled_kernel_module_blacklists.changed or disabled_kernel_module_unloads.changed\n```\n\n## Remove the manual mitigation later\n\nOnly do this after your running kernel is fixed and you have rebooted into it.\n\n```bash\nsudo rm /etc/modprobe.d/disable-dirtyfrag.conf\nsudo reboot\n```\n", "creation_timestamp": "2026-05-08T16:19:20.000000Z"}, {"uuid": "71b1374f-0941-4a6b-b882-ceeb68320ff1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/eu-technology.bsky.social/post/3mldzrffwwl2y", "content": "New Linux \u2018Dirty Frag\u2019 zero-day gives root on all major distros\n\nhttps://www.europesays.com/uk/946255/\n\nA new Linux zero-day vulnerability, named Dirty Frag and tracked as CVE-2026-43284, allows local attackers to gain root\u2026", "creation_timestamp": "2026-05-08T15:20:23.239379Z"}, {"uuid": "3a6839fe-f3dc-4632-9590-6c1bfe7080ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/eyalestrin.bsky.social/post/3mleevhyme22p", "content": "\"Dirty Frag\" Linux Kernel LPE Zero-Day (CVE-2026-43284, CVE-2026-43500) #patchmanagement", "creation_timestamp": "2026-05-08T18:39:18.209123Z"}, {"uuid": "53dfbd6d-91aa-476e-a5d2-b2d6177aeb17", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/yukotan.bsky.social/post/3mldt3l233k2c", "content": "CVE\u30ca\u30f3\u30d0\u30fc\u3064\u3044\u305f\u306d\u3002\n\n\"Dirty Frag Linux kernel local privilege escalation vulnerability (CVE-2026-43284) 
mitigations are now available. \"\n\nDirty Frag Linux kernel local privilege escalation vulnerability mitigations | Ubuntu \nubuntu.com/blog/dirty-f...", "creation_timestamp": "2026-05-08T13:20:40.993112Z"}, {"uuid": "541409d8-213f-4cee-a315-3d307834d851", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/kisai.me/post/3mldtc4wrns2a", "content": "\u898b\u3064\u3051\u305f\n\nCVE-2026-43284\nCVE-2026-43500\n\n\u3053\u308c\u304b\u306a", "creation_timestamp": "2026-05-08T13:24:15.656254Z"}, {"uuid": "10b2699b-00e6-4dba-bcd4-1e97e600d4f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/drgoon.bsky.social/post/3mldtdraztc2n", "content": "\"CVE-2026-43284 is now assigned.\n\nThat was for the first issue, and that is now fixed in the latest round of stable kernel updates.  The second has CVE-2026-43500 reserved for it if you need to track this, and is not fixed in any released kernel version yet.\"", "creation_timestamp": "2026-05-08T13:25:11.122609Z"}, {"uuid": "dcb5c07d-bb50-4dae-b239-3e6966e2e04a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://mastodon.social/ap/users/115755483699003887/statuses/116539544258210938", "content": "\ud83d\udfe0 CVE-2026-43284 - High (7.8)\nIn the Linux kernel, the following vulnerability has been resolved:\nxfrm: esp: avoid in-place decrypt on shared skb frags\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. 
TCP marks such skbs with SKBFL_SHARED_FRAG after skb_spli...\n\ud83d\udd17 https://www.thehackerwire.com/vulnerability/CVE-2026-43284/\n#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack", "creation_timestamp": "2026-05-08T14:58:52.220147Z"}, {"uuid": "3fd17337-7c1d-45fe-a76d-f7a584a03011", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/lanesystems.bsky.social/post/3mle2op6s6k2j", "content": "#DirtyFrag #Linux flaw one-ups #CopyFail with no patches and public root exploit\nwww.theregister.com/security/202...\n\nFresh privilege escalation bug now assigned CVE-2026-43284.\n#CyberSecurity #InfoSec #Vulnerability #CVE202643284", "creation_timestamp": "2026-05-08T15:36:35.578948Z"}, {"uuid": "247c707e-a90e-420a-9015-08afbbdfc68b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/Anarcat.kolektiva.social.ap.brid.gy/post/3mle3b6xlyga2", "content": "#Debian security team just released DSA-6253-1 which addresses #dirtyfrag local root escalation which has been issued CVE-2026-43284 and CVE-2026-43500", "creation_timestamp": "2026-05-08T15:50:40.349460Z"}, {"uuid": "a2932f23-5971-47c3-8aea-c0ee5c499f25", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/threatintel.microsoft.com/post/3mleath2kmz2p", "content": "A newly disclosed Linux local privilege escalation vulnerability known as \u201cDirty Frag\u201d enables escalation from an unprivileged user to root through vulnerable kernel networking & memory-fragment handling components, including esp4, esp6 (CVE-2026-43284), and rxrpc 
(CVE-2026-43500). msft.it/6015v3WNc", "creation_timestamp": "2026-05-08T17:26:35.596821Z"}, {"uuid": "ba563038-65c6-4087-8d4b-c9fbcb67e74a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/al26-011-vulnerabilities-affecting-linux-cve-2026-43284-cve-2026-43500", "content": "", "creation_timestamp": "2026-05-08T10:39:10.000000Z"}, {"uuid": "0d919f10-75bc-4835-a41f-dae65065138e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://ccb.belgium.be/advisories/warning-dirty-frag-new-linux-local-privilege-escalation-vulnerability-was-disclosed", "content": "", "creation_timestamp": "2026-05-08T09:28:10.000000Z"}, {"uuid": "e268db2e-4a69-40d1-9444-4b9373f9f147", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://mstdn.social/users/jschauma/statuses/116540434561235145", "content": "#DirtyFrag status/advisories:\nAlmaLinux:https://almalinux.org/blog/2026-05-07-dirty-frag/\nDebian:https://security-tracker.debian.org/tracker/CVE-2026-43500https://security-tracker.debian.org/tracker/CVE-2026-43284\nGentoo:https://bugs.gentoo.org/974307\nRedHat:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-43284https://access.redhat.com/security/cve/cve-2026-43284nothing yet on CVE-2026-43500\nRocky:https://kb.ciq.com/article/rocky-linux/rl-dirty-frag-mitigation\nSUSE / 
OpenSUSE:https://www.suse.com/security/cve/CVE-2026-43500.htmlhttps://www.suse.com/security/cve/CVE-2026-43284.htmlhttps://www.suse.com/c/addressing-copy-fail2-aka-dirtyfrag-in-suse-virtualization/\nUbuntu:https://ubuntu.com/security/CVE-2026-43284https://ubuntu.com/security/CVE-2026-43500https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available\nAWS:https://aws.amazon.com/security/security-bulletins/rss/2026-027-aws/ https://explore.alas.aws.amazon.com/CVE-2026-43284.html", "creation_timestamp": "2026-05-08T18:45:22.306700Z"}, {"uuid": "50b13d0c-857d-48d1-b335-89de7c91cf9e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/jschauma.mstdn.social.ap.brid.gy/post/3mlefaalbezb2", "content": "#DirtyFrag status/advisories:\n\nAlmaLinux:\nhttps://almalinux.org/blog/2026-05-07-dirty-frag/\n\nDebian:\nhttps://security-tracker.debian.org/tracker/CVE-2026-43500\nhttps://security-tracker.debian.org/tracker/CVE-2026-43284\n\nGentoo:\nhttps://bugs.gentoo.org/974307\n\nRedHat [\u2026]", "creation_timestamp": "2026-05-08T18:46:05.473406Z"}, {"uuid": "dc0b9f68-ad47-495b-b7b6-8e020d2c409a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://mastodon.social/ap/users/115426718704364579/statuses/116540356170458190", "content": "\ud83d\udcf0 Critical Unpatched 'Dirty Frag' Linux Zero-Day Allows Instant Root Access\n\ud83d\udea8 CRITICAL ZERO-DAY: 'Dirty Frag' (CVE-2026-43284) vulnerability in Linux kernel disclosed with NO PATCH. Allows immediate root privilege escalation. Flaw has existed for 9 years. Admins must seek mitigations now! 
\ud83d\udc27\ud83d\udd25 #Linux #ZeroDay #CyberSecurity\n\ud83d\udd17 https://cyber.netsecops.io", "creation_timestamp": "2026-05-08T18:25:16.716299Z"}, {"uuid": "ed0ba886-f832-42e6-af1a-4d467e89af18", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/netsecio.bsky.social/post/3mlee4yqpyw2b", "content": "\ud83d\udea8 CRITICAL ZERO-DAY: 'Dirty Frag' (CVE-2026-43284) vulnerability in Linux kernel disclosed with NO PATCH. Allows immediate root privilege escalation. Flaw has existed for 9 years. Admins must seek mitigations now! \ud83d\udc27\ud83d\udd25 #Linux #ZeroDay #CyberSecurity", "creation_timestamp": "2026-05-08T18:25:37.755295Z"}, {"uuid": "c0c858a9-ee7d-488f-a0db-bb5653540f25", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/wdormann.infosec.exchange.ap.brid.gy/post/3mldrhyvw6se2", "content": "And just to clarify about \"Dirty Frag\" vs. \"Copy Fail 2\":\n\n**Dirty Frag** is **TWO** vulnerabilities:\n\n  1. The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6.\n  2. The RxRPC Page-Cache Write [\u2026] \n\n[Original post on infosec.exchange]", "creation_timestamp": "2026-05-08T12:51:53.744413Z"}, {"uuid": "2a478491-bfcf-42f1-92ff-327718898116", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.cert.at/de/warnungen/2026/5/linux-lpe-dirty-frag-copy-fail-2", "content": "08. Mai 2026\n\nBeschreibung\n\nAm 7. 
Mai 2026 wurden zwei neue Schwachstellen im Linux-Kernel &ouml;ffentlich gemacht, die unter den Namen &bdquo;Dirty Frag&ldquo; und &bdquo;Copy Fail 2: Electric Boogaloo&ldquo; bekannt sind. Beide Schwachstellen erm&ouml;glichen lokalen, nicht privilegierten Benutzer:innen eine Eskalation auf root. Sie liegen in den In-Place-Entschl&uuml;sselungspfaden der Kernel-Module esp4, esp6 (IPsec/ESP) sowie rxrpc und nutzen Page-Cache-Writeprimitives aus, indem &uuml;ber splice(2), sendfile(2) bzw. MSG_SPLICE_PAGES angeh&auml;ngte, nicht kernelseitig privat gehaltene Seiten direkt &uuml;berschrieben werden.\n\nFunktionsf&auml;hige Proof-of-Concept-Exploits (PoCs) sind &ouml;ffentlich verf&uuml;gbar und erm&ouml;glichen die Eskalation auf root in einem einzigen Aufruf.\n\nCVE-Nummer(n):&nbsp;CVE-2026-43284 (Dirty Frag), N/A (Copy Fail 2)\n\nCVSS Base Score: noch nicht vergeben\n\nAuswirkungen\n\nLokale, nicht privilegierte Angreifer:innen k&ouml;nnen durch Ausnutzung der Schwachstellen beliebige Inhalte im Page-Cache des Kernels &uuml;berschreiben und sich dadurch root-Rechte auf dem betroffenen System verschaffen. Es handelt sich um deterministische Logikfehler ohne Race-Condition; bei einem Fehlschlag tritt keine Kernel-Panik auf, die Erfolgswahrscheinlichkeit wird als hoch beschrieben.\n\nDer xfrm-ESP-Pfad setzt die M&ouml;glichkeit zur Erstellung von User-Namespaces voraus. Der RxRPC-Pfad ben&ouml;tigt diese Voraussetzung nicht, ist jedoch nur auf Distributionen ausnutzbar, in denen das Modul rxrpc.ko verf&uuml;gbar bzw. geladen ist. 
Durch Verkettung beider Pfade l&auml;sst sich auf den meisten g&auml;ngigen Distributionen root erlangen.\n\nBestehende Gegenma&szlig;nahmen gegen &bdquo;Copy Fail&ldquo; (CVE-2026-31431), insbesondere das Sperren des Moduls algif_aead, sch&uuml;tzen NICHT gegen &bdquo;Dirty Frag&ldquo; oder &bdquo;Copy Fail 2&ldquo;.\n\nBetroffene Systeme\n\nBetroffen sind die meisten aktuellen Linux-Distributionen mit aktiviertem Page-Cache-Pfad in esp4/esp6 bzw. rxrpc. Die zugrundeliegenden Code-Stellen existieren laut Hersteller- und Forscher:innen-Angaben seit Kernel-Commit cac2661c53f3 (xfrm-ESP, Januar 2017) bzw. 2dc334f1a63a (RxRPC, Juni 2023). Die folgende Aufstellung ist daher nicht abschlie&szlig;end; sie f&uuml;hrt nur diejenigen Distributionen auf, deren Hersteller die Betroffenheit bisher &ouml;ffentlich best&auml;tigt haben oder f&uuml;r die der Forscher die Ausnutzung explizit getestet hat:\n\n\n\nUbuntu 24.04 (vom Forscher getestet auf Kernel 6.17)\n\nRed Hat Enterprise Linux 10.1 (vom Forscher getestet); Red Hat hat in RHSB-2026-003 die Betroffenheit zudem f&uuml;r Red Hat OpenShift Container Platform 4 best&auml;tigt\n\nCentOS Stream 10\n\nAlmaLinux 8, 9 und 10 (gepatcht in kernel-4.18.0-553.123.2.el8_10, kernel-5.14.0-611.54.3.el9_7 bzw. kernel-6.12.0-124.55.2.el10_1 und neuer)\n\nFedora 44\n\nopenSUSE Tumbleweed\n\nCloudLinux 7h, 8, 9 und 10 (CloudLinux 7 wird vom Hersteller noch untersucht)\n\nBlueOnyx 5210R, 5211R, 5212R\n\n\nAmazon Linux untersucht laut Sicherheitsbulletin 2026-027-AWS aktuell den genauen Umfang der betroffenen Versionen.\n\nDistributionen, die unprivilegierte User-Namespaces standardm&auml;&szlig;ig blockieren (z.&nbsp;B. 
Ubuntu via AppArmor in bestimmten Konfigurationen), sind &uuml;ber den xfrm-ESP-Pfad nicht angreifbar, bleiben aber &uuml;ber den RxRPC-Pfad anf&auml;llig, sofern das Modul vorhanden ist.\n\nAbhilfe\n\nZum Zeitpunkt der Ver&ouml;ffentlichung dieser Warnung liegen f&uuml;r die meisten Distributionen noch keine vollst&auml;ndig gepatchten Kernel vor. Der Upstream-Fix f&uuml;r den ESP-Pfad wurde am 7. Mai 2026 in den netdev-Tree aufgenommen (Commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4); der RxRPC-Fix ist noch nicht gemergt. Einzelne Distributionen (u.&nbsp;a. AlmaLinux, CloudLinux) haben gepatchte Kernel bzw. KernelCare-Livepatches in Vorbereitung oder bereits in Test bzw. Auslieferung.\n\nCERT.at empfiehlt, die folgenden Ma&szlig;nahmen umzusetzen:\n\n\n\nSicherheitsaktualisierungen der jeweiligen Distribution einspielen, sobald diese verf&uuml;gbar sind, und das System neu starten.\n\nBis zur Verf&uuml;gbarkeit gepatchter Kernel die betroffenen Kernel-Module sperren, sofern sie nicht produktiv ben&ouml;tigt werden. Die Module esp4 und esp6 werden f&uuml;r IPsec-Tunnel (z.&nbsp;B. strongSwan, Libreswan) verwendet; rxrpc wird nahezu ausschlie&szlig;lich von AFS-Clients genutzt. Auf Systemen, die diese Funktionen nicht einsetzen, kann das Sperren der Module ohne Funktionsverlust erfolgen, beispielsweise durch Eintragen entsprechender Regeln in /etc/modprobe.d/ und Entladen aktuell geladener Module.\n\nAuf Hosts, die IPsec-Tunnel terminieren oder weiterleiten, d&uuml;rfen die Module esp4/esp6 nicht gesperrt werden. In diesem Fall ist die Installation eines gepatchten Kernels bzw. eines Livepatches abzuwarten.\n\n\nMehrschichtige Mitigationen (Modul-Blacklist &uuml;ber modprobe.d sowie zus&auml;tzlich modprobe.blacklist=... 
als Kernel-Parameter) erh&ouml;hen die Wirksamkeit, insbesondere gegen ein automatisches Nachladen &uuml;ber Netlink aus User-Namespaces heraus.\n\nHinweis\n\nGenerell empfiehlt CERT.at, s&auml;mtliche Software aktuell zu halten und dabei insbesondere auf automatische Updates zu setzen. Regelm&auml;&szlig;ige Neustarts stellen sicher, dass diese auch zeitnah aktiviert werden.\n\n\n\nInformationsquelle(n):\n\nDirty Frag - Disclosure und PoC durch Hyunwoo Kim (Englisch)https://github.com/V4bel/dirtyfrag\n\nGreg Kroah-Hartman zur CVE-Vergabe auf der oss-security-Mailingliste (Englisch)https://seclists.org/oss-sec/2026/q2/441\n\nCopy Fail 2: Electric Boogaloo - Write-up und PoC (Englisch)https://afflicted.sh/blog/posts/copy-fail-2.html\n\nAlmaLinux: Dirty Frag vulnerability fix is ready for testing (Englisch)https://almalinux.org/blog/2026-05-07-dirty-frag/\n\nCloudLinux: Dirty Frag - Mitigation and Kernel Update (Englisch)https://blog.cloudlinux.com/dirty-frag-mitigation-and-kernel-update\n\nRed Hat: How to mitigate the &bdquo;Dirty Frag&ldquo; vulnerability in OpenShift 4 (RHSB-2026-003) (Englisch)https://access.redhat.com/solutions/7142250\n\nRed Hat Security Bulletin RHSB-2026-003 (Englisch)https://access.redhat.com/security/vulnerabilities/RHSB-2026-003\n\nAmazon: Dirty Frag and other issues in Amazon Linux kernels (Englisch)https://aws.amazon.com/security/security-bulletins/rss/2026-027-aws/\n\nBlueOnyx: Security Advisory: Dirty Frag &amp; Copy Fail 2 - Two New Linux LCE Vulnerabilities (Englisch)https://www.blueonyx.it/news/sec-adv-dirtyfrag-copyfail2.html\n\nUpstream-Fix f&uuml;r den ESP-Pfad (netdev/net.git) (Englisch)https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4", "creation_timestamp": "2026-05-08T09:29:25.000000Z"}, {"uuid": "7542769b-5143-439f-a251-7a9076cb40d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", 
"vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/nicolas17.xyz/post/3mleijak4qk24", "content": "Did you update your Linux kernel *again* to protect against the last privilege escalation bug?\n\nNo, not CopyFail (CVE-2026-31431), the new DirtyFrag (CVE-2026-43284, CVE-2026-43500).", "creation_timestamp": "2026-05-08T19:44:03.706718Z"}, {"uuid": "ca48ffc8-b4b7-44f6-9b63-8c3674f9fa60", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/Linux-Maintainers.activitypub.awakari.com.ap.brid.gy/post/3mleiuxfnowo2", "content": "AL26-011 - Vulnerabilities affecting Linux - CVE-2026-43284 and CVE-2026-43500 Introduction to Malware Binary Triage (IMBT) Course Looking to level up your skills? Get 10% off using coupon code: MW...\n\n#Malware #News\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-08T19:50:39.247258Z"}, {"uuid": "69d60f58-fa02-4988-b817-a45b676ac494", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/pigondrugs.bsky.social/post/3mlekajztdm2e", "content": "~Cybergcca~\nAlert on unpatched Linux LPE flaws (Dirty Frag) with active PoCs, plus Edge &amp; cPanel updates.\n-\nIOCs: CVE-2026-43284, CVE-2026-43500\n-\n#Linux #ThreatIntel #Vulnerability", "creation_timestamp": "2026-05-08T20:14:58.568562Z"}, {"uuid": "9dab4d5d-0d33-43f6-9e3f-7c0713a21029", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/Larvitz.burningboard.net.ap.brid.gy/post/3mlel6wnhxjs2", "content": "CVE-2026-43284 / \"Dirty Frag\" .. 
Another one of those nasty local-privilege-escalations.\n\nQuickfix for CentOS/Fedora based systems:\n\nprintf 'install esp4 /bin/false\\ninstall esp6 /bin/false\\ninstall rxrpc /bin/false\\n' > /etc/modprobe.d/dirtyfrag.conf && rmmod esp4 esp6 rxrpc 2>/dev/null; true [\u2026]", "creation_timestamp": "2026-05-08T20:32:03.637706Z"}, {"uuid": "d556c705-9298-4479-90dd-1b1b8424a437", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mlenmpi3zb2z", "content": "DirtyFrag exploits two Linux kernel bugs, CVE-2026-43284 and CVE-2026-43500, enabling local root access on major distros including Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, and openSUSE. #LinuxRoot #KernelExploit #USA", "creation_timestamp": "2026-05-08T21:15:28.625073Z"}, {"uuid": "d04c16b7-d955-4772-906a-b8072ee8de3b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/Senci/6dd521104fd36bf9c679975fb9e8b89c", "content": "#!/usr/bin/env bash\n# Dirty Frag mitigation + verification\n# CVE-2026-43284 (xfrm-ESP) / CVE-2026-43500 (RxRPC)\n# Works on Rocky/RHEL and Arch \u2014 idempotent, no reboot required.\n\nset -euo pipefail\n\nCONF=/etc/modprobe.d/dirtyfrag.conf\nMODS=(esp4 esp6 rxrpc)\n\n[[ $EUID -eq 0 ]] || {\n  echo \"must run as root\" >&2\n  exit 1\n}\n\necho \"=== Dirty Frag mitigation ===\"\necho \"host:   $(hostname)\"\necho \"kernel: $(uname -r)\"\necho\n\n# 1. 
report whether vulnerable .ko files are present on this kernel\necho \"[1/5] vulnerable modules on disk:\"\nfor m in \"${MODS[@]}\"; do\n  f=$(find \"/lib/modules/$(uname -r)\" -name \"${m}.ko*\" 2>/dev/null | head -1)\n  [[ -n $f ]] && echo \"  - $m: $f\" || echo \"  - $m: not built for this kernel\"\ndone\necho\n\n# 2. write blacklist\necho \"[2/5] writing $CONF\"\ncat >\"$CONF\" <<'EOF'\n# Dirty Frag mitigation \u2014 block xfrm-ESP and RxRPC page-cache-write LPE\n# CVE-2026-43284 (esp4/esp6), CVE-2026-43500 (rxrpc)\n# Remove this file once distro kernel ships backports.\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\nEOF\nchmod 0644 \"$CONF\"\n\n# 3. unload anything currently loaded\necho \"[3/5] unloading currently loaded modules:\"\nfor m in \"${MODS[@]}\"; do\n  if lsmod | awk '{print $1}' | grep -qx \"$m\"; then\n    if rmmod \"$m\" 2>/dev/null; then\n      echo \"  - $m: unloaded\"\n    else\n      echo \"  - $m: in use, could not unload (reboot to clear)\"\n    fi\n  else\n    echo \"  - $m: not loaded\"\n  fi\ndone\n\n# 4. flush page cache (cleans up if exploit had been run pre-mitigation)\necho \"[4/5] flushing page cache\"\nsync\necho 3 >/proc/sys/vm/drop_caches\necho \"  - done\"\n\n# 5. 
verify autoload is blocked (dry-run, does not execute /bin/false)\necho\necho \"[5/5] verifying autoload is blocked:\"\nfail=0\nfor m in \"${MODS[@]}\"; do\n  if modprobe -n -v \"$m\" 2>&1 | grep -q '/bin/false'; then\n    echo \"  - $m: BLOCKED \u2713\"\n  else\n    echo \"  - $m: NOT BLOCKED \u2717\"\n    fail=1\n  fi\ndone\n\necho\nif [[ $fail -eq 0 ]]; then\n  echo \"=== mitigation applied successfully \u2014 no reboot required ===\"\n  exit 0\nelse\n  echo \"=== mitigation FAILED \u2014 investigate $CONF and modprobe config ===\"\n  exit 2\nfi\n", "creation_timestamp": "2026-05-08T19:04:16.000000Z"}, {"uuid": "a971ec9e-3148-46c6-8708-ba38e8c00cb8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/83400", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-43284\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a attaattaatta\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Go\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-08 18:44:58\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2026-31431 + CVE-2026-43284 golang hotfix\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-08T19:00:04.000000Z"}, {"uuid": "1d98b8fb-8738-4fd8-88b5-2c56095fb415", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/ze-benedito.capivarinha.club.ap.brid.gy/post/3mlejhxe4zog2", "content": "Debian soltou a corre\u00e7\u00e3o do dirty frag no trixie-security 
\ud83c\udf89\n\nhttps://security-tracker.debian.org/tracker/CVE-2026-43284", "creation_timestamp": "2026-05-08T20:01:20.421813Z"}, {"uuid": "4bdc4fc5-1c5d-402e-8b41-4209c1a8aa94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/mel-echosphere.bsky.social/post/3mlene27n652h", "content": "\u4f55\u304c\u8d77\u304d\u308b\u304b\u3002\n\n\u30ed\u30b0\u30a4\u30f3\u3057\u3066\u3044\u308b\u4e00\u822c\u30e6\u30fc\u30b6\u30fc\u304c\u3001\u7ba1\u7406\u8005\u6a29\u9650\u3092\u596a\u3048\u308b\u3002\u30bf\u30a4\u30df\u30f3\u30b0\u306e\u904b\u3082\u8981\u3089\u306a\u3044\u2014\u2014\u78ba\u5b9f\u306b\u52d5\u304f\u3002\n\n\u901a\u4fe1\u6697\u53f7\u51e6\u7406\u306e\u5185\u90e8\u3067\u3001\u4ed6\u4eba\u306e\u30e1\u30e2\u30ea\u9818\u57df\u306b\u76f4\u63a5\u66f8\u304d\u8fbc\u3093\u3067\u3057\u307e\u3046\u69cb\u9020\u4e0a\u306e\u6b20\u9665\u30022017\u5e74\u306e\u30b3\u30fc\u30c9\u5909\u66f4\u304b\u30899\u5e74\u9593\u3001\u6c17\u3065\u304b\u308c\u306a\u3044\u307e\u307e\u6b8b\u3063\u3066\u3044\u305f\u3002\ud83d\udd4a\ufe0f\n\nCVE-2026-43284 \u306f\u4fee\u6b63\u6e08\u307f\u3002CVE-2026-43500 \u306f\u4fee\u6b63\u306a\u3057\u3002\n\nDirty Pipe \u2192 Copy Fail \u2192 Dirty Frag\u3002\u540c\u3058\u7a2e\u985e\u306e\u7a74\u304c\u4e16\u4ee3\u3092\u8d8a\u3048\u3066\u62e1\u304c\u3063\u3066\u3044\u308b\u3002\u4e00\u3064\u585e\u3044\u3067\u3082\u3001\u540c\u3058\u4ed5\u7d44\u307f\u3067\u7d44\u307e\u308c\u305f\u5225\u306e\u7d4c\u8def\u304b\u3089\u6765\u308b\u3002", "creation_timestamp": "2026-05-08T21:10:37.006915Z"}, {"uuid": "74ba7c0e-7d55-4134-a991-1e3268a2025f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/83407", "content": "\ud83d\udea8 GitHub 
\u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a DIRTYFAIL\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a KaraZajac\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a C\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-08 19:58:21\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nDetector + PoC for Linux page-cache write vulnerabilities: Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284/43500). Authorized security research only.\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-08T20:00:04.000000Z"}, {"uuid": "2cee0bae-7b8d-4c1c-a272-7cd2c5c2a779", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mleq4zjrfm2s", "content": "Two Linux kernel vulnerabilities, CVE-2026-43284 and CVE-2026-43500 (Dirty Frag), enable local users to escalate privileges by overwriting page cache across many distros. Monitoring ESP and RxRPC recommended. #LinuxKernel #RootAccess #USA", "creation_timestamp": "2026-05-08T22:00:23.279873Z"}, {"uuid": "7d3ce138-7aff-4954-916c-b96991216ac6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/dragostech.bsky.social/post/3mler7ebhyc26", "content": "\"Dirty Frag\" clickbait update: ESP (CVE-2026-43284) patched in mainline + stable (7.0.5, 6.18.28, 6.12.87, 6.6.138, 6.1.171). RxRPC (CVE-2026-43500) still unpatched upstream. AWS adds ipcomp4/ipcomp6 to the blacklist alongside esp4/esp6/rxrpc. AlmaLinux shipped both. 
Ubuntu/Debian mitigation only.", "creation_timestamp": "2026-05-08T22:20:51.242177Z"}, {"uuid": "f1fdef27-cd15-43f3-8623-e037b98ccf21", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/aaronngray.bsky.social/post/3mlepvoqhu22t", "content": "CVE-2026-43284 - Dirty Frag Linux kernel local privilege escalation vulnerability mitigation\n\nsudo ipsec down \nsudo ipsec status", "creation_timestamp": "2026-05-08T21:56:16.914396Z"}, {"uuid": "15503729-c209-4467-a652-16df736e948f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/aaronngray.bsky.social/post/3mlepyf5dgs2t", "content": "CVE-2026-43284 - Dirty Frag Linux kernel local privilege escalation vulnerability mitigation\n\nOn Ubuntu and Debian it's normally disabled by default!\n\n> sudo ipsec status\n> sudo ipsec down ", "creation_timestamp": "2026-05-08T21:57:47.572209Z"}, {"uuid": "3ac82b7f-fdba-4421-b6e3-3793f54765ba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.acn.gov.it/portale/w/dirty-frag-rilevata-poc-per-l-elevazione-di-privilegi-in-linux-cve-2026-43284", "content": "Disponibile un Proof of Concept (PoC) per lo sfruttamento della vulnerabilit\u00e0 denominata Dirty Frag, identificata tramite la CVE-2026-43284, presente nel Kernel Linux. La vulnerabilit\u00e0 interessa i moduli esp4 ed esp6 del sottosistema IPsec, utilizzato per la cifratura del traffico di rete e delle VPN, e il modulo rxrpc, utilizzato dal protocollo di rete AFS. 
La vulnerabilit\u00e0, qualora sfruttata, potrebbe consentire a un utente non privilegiato, l\u2019ottenimento di privilegi di root sul sistema.", "creation_timestamp": "2026-05-08T09:21:59.000000Z"}, {"uuid": "101ee9dc-5975-4d6b-ad58-46457fc23e58", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hoyhoy.bsky.social/post/3mletgr2n3c26", "content": "CVE-2026-43284 on RHEL8", "creation_timestamp": "2026-05-08T22:59:36.061253Z"}, {"uuid": "482289f0-4380-436d-b233-7290315da22b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/L06xv0vm_v9B-lUjnDANUtY1-6vQFMFDzrcYuiA5m0MAZkY", "content": "", "creation_timestamp": "2026-05-08T21:00:04.000000Z"}, {"uuid": "80a323d9-5505-4798-a643-d807307853ee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/roberio-batista.bsky.social/post/3mletrfj72k23", "content": "Vulnerabilidade ID: CVE-2026-43284.\n\nOs componentes afetados s\u00e3o os m\u00f3dulos do kernel Linux. 
\n\nOs kerneis diretamente ligados as vers\u00f5es Debian.\n\nsecurity-tracker.debian.org/tracker/CVE-...", "creation_timestamp": "2026-05-08T23:04:43.605039Z"}, {"uuid": "efa8fd38-d386-4734-9f16-eef7d25b159f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/unraid.net/post/3mleyipgro32d", "content": "\ud83d\udea8 Unraid OS 7.2.6 is now available.\n\nThis is an important security release that upgrades the Linux kernel to address the \"Dirty Frag\" local privilege escalation vulnerability (CVE-2026-43284 &amp; CVE-2026-43500).  \n\nAll users should update their systems immediately to stay protected. \ud83d\udee1\ufe0f", "creation_timestamp": "2026-05-09T00:30:04.913513Z"}, {"uuid": "31829aba-7c93-4b37-beef-07a28ab8d8f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116542111365493280", "content": "Our CTI team identified a lot of activities targeting Linux Kernel (CVE-2026-43284) https://vuldb.com/vuln/362045/cti", "creation_timestamp": "2026-05-09T01:51:37.165231Z"}, {"uuid": "b406b3aa-163d-4183-aea5-93f6fc9889ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlf77ax52d2i", "content": "Top 3 CVE for last 7 days:\nCVE-2026-31431: 202 interactions\nCVE-2026-0073: 79 interactions\nCVE-2026-41940: 66 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-0073: 66 interactions\nCVE-2026-43284: 61 interactions\nCVE-2026-7270: 32 interactions\n", "creation_timestamp": "2026-05-09T02:30:08.930788Z"}, {"uuid": "b21459f8-7500-48f1-820b-fe5748143e7b", 
"vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/unraid.net/post/3mlewtdz2522l", "content": "\ud83d\udea8 Unraid OS 7.2.6 is now available.   \n\nThis is an important security release that upgrades the Linux kernel to address the \"Dirty Frag\" local privilege escalation vulnerability (CVE-2026-43284 &amp; CVE-2026-43500).  \n\nAll users should update their systems immediately to stay protected. \ud83d\udee1\ufe0f", "creation_timestamp": "2026-05-09T00:00:14.553919Z"}, {"uuid": "c6142cdc-5fa1-4a02-bdc6-ace77a52217c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mleww4snfr22", "content": "3/11\n\naway you may blacklist or remove the kernel modules esp4.ko and esp6.ko\n  (CVE-2026-43284) and rxrpc.ko (CVE-2026-43500).\n  Also remove the modules from the kernel if they have been loaded:\n    rmmod esp4 esp6 rxrpc\n  And, drop the file caches in case in-memory program copies", "creation_timestamp": "2026-05-09T00:01:47.341898Z"}, {"uuid": "9c6085dd-89c2-48e6-9792-778d9d4007a6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mleww5tzpy22", "content": "4/11\n\nhave already\n  been compromised. 
Make sure possibly affected programs do not have any\n  open sessions first:\n    sh -c \"echo 3 > /proc/sys/vm/drop_caches\"\n  For more information, see:\n    https://github.com/V4bel/dirtyfrag\n    https://www.cve.org/CVERecord?id=CVE-2026-43284", "creation_timestamp": "2026-05-09T00:01:48.830091Z"}, {"uuid": "34581625-a9bd-403d-8dd8-2f5d647dcae9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mlewwdh2f62i", "content": "9/11\n\n(CVE-2026-43284) and rxrpc.ko (CVE-2026-43500).\n  Also remove the modules from the kernel if they have been loaded:\n    rmmod esp4 esp6 rxrpc\n  And, drop the file caches in case in-memory program copies have already\n  been compromised. Make sure possibly affected programs do not", "creation_timestamp": "2026-05-09T00:01:54.361469Z"}, {"uuid": "92a8107b-b955-45cd-ab66-451b20b3495f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mlewwemek424", "content": "10/11\n\nhave any\n  open sessions first:\n    sh -c \"echo 3 > /proc/sys/vm/drop_caches\"\n  For more information, see:\n    https://github.com/V4bel/dirtyfrag\n    https://www.cve.org/CVERecord?id=CVE-2026-43284\n  (* Security fix *)\ntesting/packages/linux-7.0.x/kernel-headers-7.0.5-x86-1.txz:", "creation_timestamp": "2026-05-09T00:01:55.639105Z"}]}