Microsoft has detected active exploitation of Dirty Frag, a Linux privilege escalation chain that grants root access across major distributions and ships with a working proof-of-concept that runs in a single command.
Dubbed Dirty Frag (also called Copy Fail 2), the exploit chains two flaws in the IPsec (xfrm-ESP) and RxRPC subsystems. The vulnerabilities are tracked as CVE-2026-43284 and CVE-2026-43500.
Unlike typical LPE exploits that rely on race conditions and unstable timing windows, this vulnerability is a deterministic logic bug with a high success rate that does not crash the Linux kernel on failure. The exploit was responsibly disclosed to maintainers on April 30 by researcher Hyunwoo Kim, but the embargo broke when an unrelated third party published technical details and exploit code publicly. Kim responded by releasing a full writeup and PoC. The xfrm-ESP flaw dates back to a January 2017 commit, while the RxRPC vulnerability was introduced in June 2023.
Microsoft's Defender telemetry shows limited in-the-wild activity consistent with Dirty Frag or its predecessor Copy Fail. The observed campaign follows a clear pattern: attackers gain SSH access, spawn an interactive shell, stage and execute an ELF binary, then immediately escalate privileges via the su command.
Post-exploitation activity includes modifying GLPI LDAP authentication files, reconnaissance, and forcefully deleting PHP session files to disrupt active sessions.
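The observed sequence (SSH login, interactive shell, staged ELF binary, then su) is a process chain that can be correlated per login session. The following shell function is an added example, not part of Microsoft's report or any vendor tooling: it runs an awk state machine over a constructed, simplified execve-style log in which each line carries `ses=<id> exe=<path>` (an assumed format, not a real auditd layout) and prints the session IDs where the full chain occurs. The choice of `/tmp`, `/var/tmp` and `/dev/shm` as staging directories is an assumption for the example.

```shell
# Added example (not from the Microsoft report): correlate a simplified,
# constructed execve-style log per login session and flag the chain
# sshd -> interactive shell -> ELF run from a staging directory -> su.
# Log format is an assumption: one record per line, "ses=<id> exe=<path>".

detect_escalation_chain() {
    # $1: path to the log file; prints one session id per flagged session
    awk '
        {
            ses = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ses=/) ses = substr($i, 5)
                if ($i ~ /^exe=/) exe = substr($i, 5)
            }
            if (ses == "" || exe == "") next
            st = stage[ses] + 0
            # stage 0: remote login handled by sshd
            if (st == 0 && exe ~ /\/sshd$/) { stage[ses] = 1; next }
            # stage 1: interactive shell spawned in the session
            if (st == 1 && exe ~ /\/(bash|sh|dash|zsh)$/) { stage[ses] = 2; next }
            # stage 2: binary executed from a world-writable staging directory (assumed list)
            if (st == 2 && exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//) { stage[ses] = 3; next }
            # stage 3: privilege escalation attempt via su right after the staged binary
            if (st == 3 && exe ~ /\/su$/ && !(ses in flagged)) { flagged[ses] = 1; print ses }
        }
    ' "$1"
}

make_sample_log() {
    # Constructed sample: session 7 matches the chain, session 8 is benign
    cat > "$1" <<'EOF'
ses=7 exe=/usr/sbin/sshd
ses=7 exe=/usr/bin/bash
ses=7 exe=/tmp/.cache/elf_stage
ses=7 exe=/usr/bin/su
ses=8 exe=/usr/sbin/sshd
ses=8 exe=/usr/bin/bash
ses=8 exe=/usr/bin/ls
ses=8 exe=/usr/bin/su
EOF
}

run_demo() {
    # Writes the constructed sample and prints the flagged session ids
    tmp=$(mktemp)
    make_sample_log "$tmp"
    detect_escalation_chain "$tmp"
    rm -f "$tmp"
}

run_demo
```

Session 8 runs su after a normal command rather than after a staged binary, so it is not flagged; only session 7 is printed. On a real host the same state machine would consume auditd `SYSCALL`/`EXECVE` records keyed on the `ses=` field, and the staging-directory list should be tuned to the environment.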
"Once local access is established, successful exploitation may allow attackers to escalate privileges to root and gain broad control over the affected Linux host."
Dirty Frag affects Ubuntu 24.04.4, RHEL 10.1, CentOS Stream 10, AlmaLinux 10, Fedora 44, openSUSE Tumbleweed, and OpenShift deployments. The exploit chains two page-cache write primitives that cover each other's blind spots. In environments where user namespace creation is allowed, the ESP variant runs. On Ubuntu, where AppArmor blocks namespace creation, the RxRPC variant works because the rxrpc.ko module loads by default.
"The bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc. When a socket buffer carries paged fragments that are not privately owned by the kernel, the receive path decrypts directly over those externally-backed pages."
Exploitation requires access to specific kernel interfaces and the ability to manipulate page-backed buffers. Hardened containerized environments with default seccomp profiles are less exposed, though the risk is significant for virtual machines and less restricted hosts.
Distributions including Red Hat, Ubuntu, Fedora, AlmaLinux, and Amazon Linux have begun releasing patches. A temporary mitigation involves blocklisting the esp4, esp6, and rxrpc modules, though disabling esp4/esp6 may break IPsec functionality.
Kim warned that systems already applying the Copy Fail mitigation (an algif_aead blocklist) remain vulnerable to Dirty Frag, which was disclosed to maintainers on April 30.
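The following shell functions are an added example, not taken from any distribution advisory or from Kim's writeup: they generate the modprobe blocklist for the three modules named above and report which of them is currently loaded. The file name `dirty-frag-mitigation.conf` and the function names are assumptions; the CVE identifiers are the ones cited in the article. Both the modprobe.d directory and the `/proc/modules` path are parameters so the functions can be exercised against constructed input rather than the live system.

```shell
# Added example, not from the distributions' advisories: generate the
# modprobe blocklist for the three modules named in the article and check
# whether any of them is currently loaded. Directory and /proc/modules
# path are parameters so this can be exercised against constructed input.

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

write_module_blocklist() {
    # $1: modprobe.d directory (normally /etc/modprobe.d); prints the file written
    conf="$1/dirty-frag-mitigation.conf"
    {
        echo "# Temporary mitigation for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag)"
        echo "# Note: esp4/esp6 are needed for IPsec; the algif_aead blocklist used"
        echo "# against Copy Fail does not cover these modules."
        for m in $DIRTY_FRAG_MODULES; do
            # 'blacklist' stops alias-based autoloading; 'install ... /bin/false'
            # also makes modprobe (and kernel request_module) refuse to load it.
            # Plain insmod bypasses modprobe.d, so this is not a complete control.
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$conf"
    echo "$conf"
}

loaded_vulnerable_modules() {
    # $1: path to a /proc/modules-style file (default: /proc/modules)
    # prints each of the three modules that is currently loaded
    modfile="${1:-/proc/modules}"
    for m in $DIRTY_FRAG_MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modfile" 2>/dev/null; then
            echo "$m"
        fi
    done
}

make_sample_proc_modules() {
    # Constructed /proc/modules excerpt resembling a host with rxrpc already loaded
    cat > "$1" <<'EOF'
rxrpc 540672 1 rxkad, Live 0x0000000000000000
xfrm_user 57344 1 - Live 0x0000000000000000
nf_tables 356352 0 - Live 0x0000000000000000
EOF
}
```

Usage on a real host is `write_module_blocklist /etc/modprobe.d` as root followed by `loaded_vulnerable_modules`: a blocklist only prevents future loads, so any module the second function reports must still be unloaded (or the host rebooted) for the mitigation to take effect. Blocking esp4/esp6 breaks IPsec as the article notes, and rxrpc is also the transport used by the kernel AFS client, so hosts relying on either need the vendor patch rather than the blocklist.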