{"uuid": "81163c51-8766-4c1e-92fa-1eaceab8ca66", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/alon710/755073f444e7d3aa947b92060157b8e4", "content": "# CVE-2026-43284: \"Dirty Frag\" Local Privilege Escalation via Linux Kernel Page Cache Corruption\n\n> **CVSS Score:** 8.8\n> **Published:** 2026-05-08\n> **Full Report:** https://cvereports.com/reports/CVE-2026-43284\n\n## Summary\nCVE-2026-43284, identified as \"Dirty Frag\", is a critical local privilege escalation vulnerability in the Linux kernel's handling of shared socket buffer fragments during Encapsulating Security Payload (ESP) decryption. The flaw permits unprivileged local adversaries to corrupt the Linux page cache, establishing a write-what-where primitive that can be leveraged to overwrite read-only system files such as /etc/passwd and achieve immediate root privilege escalation.\n\n## TL;DR\nA logic error in the Linux kernel allows unprivileged users to overwrite the memory cache of read-only files by exploiting the MSG_SPLICE_PAGES flag alongside ESP-in-UDP decryption. This enables direct manipulation of critical configuration files and arbitrary code execution as root.\n\n## Exploit Status: ACTIVE\n\n## Technical Details\n\n- **CWE ID**: CWE-123, CWE-787\n- **Attack Vector**: Local (AV:L)\n- **CVSS v3.1**: 8.8\n- **EPSS Score**: 0.00007\n- **Impact**: Local Privilege Escalation (Root)\n- **Exploit Status**: Active Exploitation\n- **Vulnerable Subsystem**: ESP / MSG_SPLICE_PAGES\n\n## Affected Systems\n\n- Linux Kernel\n- Ubuntu\n- Debian\n- Red Hat Enterprise Linux\n- **Linux Kernel**: >= 4.11, < 5.10.255 (Fixed in: `5.10.255`)\n- **Linux Kernel**: >= 5.12, < 5.15.205 (Fixed in: `5.15.205`)\n- **Linux Kernel**: >= 5.16, < 6.1.171 (Fixed in: `6.1.171`)\n- **Linux Kernel**: >= 6.2, < 6.6.138 (Fixed in: `6.6.138`)\n- **Linux Kernel**: >= 6.7, < 6.12.87 (Fixed in: `6.12.87`)\n- **Linux Kernel**: >= 6.13, < 6.18.28 (Fixed in: `6.18.28`)\n- **Linux Kernel**: >= 7.0, < 7.0.5 (Fixed in: `7.0.5`)\n\n## Mitigation\n\n- Upgrade the Linux kernel to the latest stable release containing the fix.\n- Disable or block UDP port 4500 if ESP-in-UDP is not required.\n- Implement eBPF-based behavioral monitoring (e.g., Falco) to detect the MSG_SPLICE_PAGES exploit pattern.\n\n**Remediation Steps:**\n1. Identify all hosts running vulnerable kernel versions (4.11 through 7.0.5).\n2. Schedule emergency maintenance windows for critical infrastructure.\n3. Apply distribution-specific kernel updates (e.g., apt update linux-image-generic).\n4. Reboot the affected systems to load the patched kernel.\n5. Verify the active kernel version using 'uname -r' post-reboot.\n\n## References\n\n- [NVD Vulnerability Detail - CVE-2026-43284](https://nvd.nist.gov/vuln/detail/CVE-2026-43284)\n- [Wiz Blog: Dirty Frag Linux Kernel Local Privilege Escalation](https://www.wiz.io/blog/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc)\n- [Microsoft Security Blog: Active Attack Dirty Frag](https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/)\n- [Linux Kernel Source Patch](https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9)\n- [OSS-Security Mailing List Announcement](http://www.openwall.com/lists/oss-security/2026/05/08/7)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-43284) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-12T06:50:29.000000Z"}