{"uuid": "912f06b3-01e7-422c-aa97-c9e8868fb824", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/sayem314/dd8d3932a2e91d6a8a454b9986f6087e", "content": "Dirty Frag is a Linux kernel local privilege escalation chain involving the IPsec ESP stack and RxRPC. If a vulnerable host runs untrusted local code, containers, CI jobs, app sandboxes, or shared shell users, treat it as urgent.\n\nThe real fix is a patched kernel from your distribution. Until Debian or Ubuntu ship fixed kernels for your release, the mitigation below stops the affected modules from being loaded:\n\n- `esp4`\n- `esp6`\n- `rxrpc`\n\nBlocking them in `/etc/modprobe.d` is effective because the kernel's own on-demand loading path (`request_module`, which fires for example when an unprivileged process opens an `AF_RXRPC` socket) runs the `modprobe` binary, and `modprobe` honours `install` directives. Root can still load a module with `insmod`; that is acceptable here, because the attacker in a local privilege escalation is not root yet.\n\nSources:\n\n- https://github.com/V4bel/dirtyfrag\n- https://dirtyfrag.io/\n- https://openwall.com/lists/oss-security/2026/05/07/10\n\n## What this disables\n\nThis mitigation disables kernel IPsec ESP (`esp4`, `esp6`) and the kernel RxRPC transport.\n\nLikely unaffected:\n\n- HTTPS/TLS\n- SSH\n- Docker bridge networking\n- WireGuard\n- Tailscale\n- OpenVPN\n- normal web apps and APIs\n\nLikely affected:\n\n- strongSwan/libreswan IPsec tunnels using ESP\n- software depending on the kernel's RxRPC transport or on AFS, such as the in-kernel `kafs` client\n\nCheck before applying on VPN gateways:\n\n```bash\n# Any output here means an IPsec security association is installed right now.\nip xfrm state\n# IPsec and AFS daemons that would stop working without esp4/esp6 or rxrpc.\nsystemctl list-units --type=service --all 'strongswan*' 'ipsec*' 'libreswan*' 'openafs*' 'afsd*'\nps -eo comm,args | grep -E 'strongswan|charon|pluto|ipsec|openafs|afsd|rxrpc' | grep -v grep || true\n```\n\n## Quick check\n\n```bash\nuname -r\n# Loaded right now?\ngrep -E '^(esp4|esp6|rxrpc) ' /proc/modules || echo \"esp4, esp6, rxrpc are not currently loaded\"\n# Compiled into the kernel image? Then modprobe.d cannot block it.\ngrep -E '/(esp4|esp6|rxrpc)[.]ko' /lib/modules/$(uname -r)/modules.builtin || echo \"none of them is built in\"\n# What would modprobe do on demand? Prints install /bin/false once the mitigation is in place.\nmodprobe -n -v esp4 2>/dev/null || true\nmodprobe -n -v esp6 2>/dev/null || true\nmodprobe -n -v rxrpc 2>/dev/null || true\n```\n\nIf one of these features is built directly into your kernel instead of available as a module, a modprobe blacklist cannot disable it. 
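To tell the built-in case apart from loaded, blocked, loadable and absent in one pass, here is an added status script (example code written for this page, not part of the gist or of the Dirty Frag project). It classifies each module from `/proc/modules`, the output of `modprobe -n -v` and `/lib/modules/$(uname -r)/modules.builtin` (a path assumed here; Debian and Ubuntu kernel packages ship it), and it counts ESP security associations in `ip xfrm state` output for the VPN gateway check, ignoring AH and IPComp states that do not need esp4/esp6. The two classification functions read their inputs from files so that captured output from another host can be classified offline; `report_host` is the live wrapper.

```sh
#!/bin/sh
# Added example for this page (not from the gist or the Dirty Frag project).
#
# classify_module NAME BUILTIN_LIST PROC_MODULES MODPROBE_DRYRUN
#   BUILTIN_LIST    file holding /lib/modules/$(uname -r)/modules.builtin
#   PROC_MODULES    file holding /proc/modules
#   MODPROBE_DRYRUN file holding the stdout of: modprobe -n -v NAME
# Prints exactly one word:
#   builtin  - compiled into the kernel; /etc/modprobe.d cannot disable it
#   loaded   - resident right now; unload it or reboot before calling it done
#   blocked  - an install directive resolves the module to /bin/false
#   loadable - shipped and still loadable on demand, e.g. by a socket() call
#   absent   - this kernel does not ship the module at all
classify_module() {
  name=$1
  if grep -q '/'$name'[.]ko' $2; then
    echo builtin
  elif grep -q '^'$name' ' $3; then
    echo loaded
  elif grep -q '^install /bin/false' $4; then
    echo blocked
  elif grep -q 'insmod .*/'$name'[.]ko' $4; then
    echo loadable
  else
    echo absent
  fi
}

# count_esp_states XFRM_STATE
#   XFRM_STATE file holding the output of: ip xfrm state
# Prints the number of ESP security associations; AH and IPComp states
# are listed by the same command but do not use esp4/esp6.
count_esp_states() {
  grep -c '^[[:space:]]*proto esp ' $1 || true
}

# report_host: classify esp4, esp6 and rxrpc on the running host and show
# how many ESP states are installed. Run as root for a complete xfrm dump.
# Every capture is written to a temporary directory first so that the
# classification runs on one consistent snapshot.
report_host() {
  tmp=$(mktemp -d)
  cat /lib/modules/$(uname -r)/modules.builtin > $tmp/builtin 2>/dev/null || :
  cat /proc/modules > $tmp/procmods 2>/dev/null || :
  ip xfrm state > $tmp/xfrm 2>/dev/null || :
  for m in esp4 esp6 rxrpc; do
    modprobe -n -v $m > $tmp/dryrun 2>/dev/null || :
    echo $m: $(classify_module $m $tmp/builtin $tmp/procmods $tmp/dryrun)
  done
  echo esp_states: $(count_esp_states $tmp/xfrm)
  rm -rf $tmp
}

report_host
```

A `loaded` result wins over `blocked` on purpose: the directive stops future loads, but a module that is already resident keeps the vulnerable code in the kernel until it is unloaded or the host reboots. A `builtin` result means the code is compiled into the running kernel image and no modprobe.d directive can reach it.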
In that case, prioritize a fixed kernel and reboot.\n\n## Manual mitigation\n\n```bash\nsudo tee /etc/modprobe.d/disable-dirtyfrag.conf >/dev/null <<'EOF'\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\nEOF\n\n# Unload anything already resident. modprobe -r refuses while a module is in use\n# (installed ESP states, open RxRPC sockets); the verify step below catches that.\nsudo modprobe -r esp4 esp6 rxrpc 2>/dev/null || true\n```\n\nNo cache flush is needed: `modprobe` re-reads `/etc/modprobe.d` on every invocation, and writing to `vm.drop_caches` only evicts clean page cache and slab objects, which has no bearing on whether a module can load.\n\nVerify:\n\n```bash\nif grep -E '^(esp4|esp6|rxrpc) ' /proc/modules; then\n  echo \"STILL LOADED: reboot or investigate module users\"\nelse\n  echo \"Dirty Frag modules are not loaded\"\nfi\n\nfor module in esp4 esp6 rxrpc; do\n  echo \"== $module ==\"\n  modprobe -n -v \"$module\" 2>/dev/null || true\ndone\n```\n\nExpected `modprobe -n -v` output should include:\n\n```text\ninstall /bin/false\n```\n\n## Patch when your distro ships a kernel fix\n\nKeep normal security updates moving. The module block is a mitigation, not the final repair.\n\n```bash\nsudo apt update\nsudo apt full-upgrade\nsudo reboot\n```\n\nAfter reboot, confirm that you are running the fixed kernel version and that nothing is loaded that you did not expect:\n\n```bash\nuname -r\ngrep -E '^(esp4|esp6|rxrpc) ' /proc/modules || true\n```\n\n## Ansible playbook\n\nSave as `dirtyfrag-mitigate.yml`:\n\n```yaml\n---\n- name: Mitigate Dirty Frag CVE-2026-43284 and CVE-2026-43500\n  hosts: all\n  become: true\n  gather_facts: false\n\n  vars:\n    dirtyfrag_modules:\n      - esp4\n      - esp6\n      - rxrpc\n\n  tasks:\n    - name: Check active IPsec xfrm state\n      ansible.builtin.command: ip xfrm state\n      register: dirtyfrag_xfrm_state\n      changed_when: false\n      failed_when: false\n\n    - name: Show active IPsec xfrm state warning\n      ansible.builtin.debug:\n        msg: \"Active xfrm state detected. 
Confirm this host is not an IPsec gateway before disabling esp4/esp6.\"\n      when: dirtyfrag_xfrm_state.stdout | trim | length > 0\n\n    - name: Block Dirty Frag kernel modules from loading\n      ansible.builtin.copy:\n        dest: /etc/modprobe.d/disable-dirtyfrag.conf\n        owner: root\n        group: root\n        mode: \"0644\"\n        content: |\n          {% for module in dirtyfrag_modules %}\n          install {{ module }} /bin/false\n          {% endfor %}\n      register: dirtyfrag_blacklist\n\n    - name: Unload Dirty Frag modules if currently loaded\n      community.general.modprobe:\n        name: \"{{ item }}\"\n        state: absent\n      loop: \"{{ dirtyfrag_modules }}\"\n      failed_when: false\n\n    - name: Check whether Dirty Frag modules are still loaded\n      ansible.builtin.shell: \"grep -E '^({{ dirtyfrag_modules | join('|') }}) ' /proc/modules\"\n      register: dirtyfrag_loaded\n      changed_when: false\n      failed_when: false\n\n    - name: Verify modprobe resolves modules to /bin/false\n      ansible.builtin.command: \"modprobe -n -v {{ item }}\"\n      loop: \"{{ dirtyfrag_modules }}\"\n      register: dirtyfrag_modprobe_check\n      changed_when: false\n      failed_when: false\n\n    - name: Show mitigation status\n      ansible.builtin.debug:\n        msg:\n          - \"config_changed={{ dirtyfrag_blacklist.changed }}\"\n          - \"loaded_modules={{ dirtyfrag_loaded.stdout | default('') }}\"\n          - \"modprobe_checks={{ dirtyfrag_modprobe_check.results | map(attribute='stdout') | list 
}}\"\n\n    - name: Fail if Dirty Frag modules are still loaded\n      ansible.builtin.fail:\n        msg: \"One or more Dirty Frag modules are still loaded. Reboot this host or inspect module users.\"\n      when: dirtyfrag_loaded.rc == 0\n```\n\nExample `inventory.yml`:\n\n```yaml\n---\nall:\n  children:\n    webservers:\n      hosts:\n        web-1:\n          ansible_host: 203.0.113.10\n          ansible_user: ubuntu\n        web-2:\n          ansible_host: 203.0.113.11\n          ansible_user: ubuntu\n    workers:\n      hosts:\n        worker-1:\n          ansible_host: 203.0.113.20\n          ansible_user: debian\n  vars:\n    ansible_become: true\n    ansible_python_interpreter: /usr/bin/python3\n```\n\nRun it:\n\n```bash\nansible-playbook -i inventory.yml dirtyfrag-mitigate.yml\n```\n\nRun only a selected group:\n\n```bash\nansible-playbook -i inventory.yml dirtyfrag-mitigate.yml --limit webservers\n```\n\n## Ansible role-style task\n\nIf you already have a common hardening role, put the modules in group vars:\n\n```yaml\ndisabled_kernel_modules:\n  - esp4\n  - esp6\n  - rxrpc\n```\n\nThen use this task block. It writes one file per module, so a single module can later be re-enabled on its own by removing its file:\n\n```yaml\n- name: Block disabled kernel modules from loading\n  ansible.builtin.copy:\n    dest: \"/etc/modprobe.d/disable-{{ item }}.conf\"\n    owner: root\n    group: root\n    mode: \"0644\"\n    content: |\n      install {{ item }} /bin/false\n  loop: \"{{ disabled_kernel_modules | default([]) }}\"\n\n- name: Unload disabled kernel modules if currently loaded\n  community.general.modprobe:\n    name: \"{{ item }}\"\n    state: absent\n  loop: \"{{ disabled_kernel_modules | default([]) }}\"\n  failed_when: false\n```\n\nNo `sync` or `vm.drop_caches` task is needed after these; modprobe consults `/etc/modprobe.d` fresh on each invocation.\n\n## Remove the manual mitigation later\n\nOnly do this after your running kernel is fixed and you have rebooted into it.\n\n```bash\nsudo rm /etc/modprobe.d/disable-dirtyfrag.conf\nsudo reboot\n```\n\nIf you used the role-style task instead, remove the per-module files it created:\n\n```bash\nsudo rm -f /etc/modprobe.d/disable-esp4.conf /etc/modprobe.d/disable-esp6.conf /etc/modprobe.d/disable-rxrpc.conf\nsudo reboot\n```\n", "creation_timestamp": "2026-05-08T16:19:20.000000Z"}