
DIRTY FRAG

Severity: Critical · CVSS: 9.1 / 9.6 · Linux 6.6 – 6.12

A Linux kernel local privilege escalation chain that writes attacker-controlled bytes into the page cache of suid binaries and /etc/passwd via splice(). Two variants — one in xfrm-ESP, one in RxRPC. The RxRPC variant has no upstream patch and only requires a local user.

No filesystem write occurs — corruption lives only in the page cache, but every subsequent read sees it until the cache is flushed.

The two variants

CVE-2026-43284 — xfrm-ESP (IPsec). 4-byte write per SA via ESN seq_hi. Needs user namespaces. Patched in f4c50a4034e6.

CVE-2026-43500 — RxRPC (AFS). 8-byte write per trigger via pcbc(fcrypt) decrypt. Unpatched upstream.

Indicators of compromise
  • /etc/passwd root entry with empty password (root::) in the page cache.
  • Shellcode signature 31 ff 31 f6 31 c0 b0 6a in /usr/bin/su page cache.
  • XFRM SAs with sequential SPI pattern 0xDEADBE1x.
  • RxRPC keys in process keyrings on hosts that don't run AFS.
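Checks for these four indicators, added here as an example (this is not Swamp's scanner, and the function names are hypothetical). The passwd check compares the page-cache view of the file with an O_DIRECT read of the disk, since the corruption described above exists only in the cache; it assumes the filesystem allows O_DIRECT and reports when it does not.

```shell
#!/bin/sh
# Added example, not the Swamp scanner: test for the four indicators above with POSIX
# tools. Function names are hypothetical; each takes an optional file or stdin so the
# same checks run against data captured from another host.

# 0 if the page-cache view of $1 (default /etc/passwd) shows root with an empty
# password while an O_DIRECT read of the same file, which bypasses the cache, does
# not. 1 if both views agree; 2 if the filesystem rejects O_DIRECT (tmpfs does),
# in which case the on-disk view cannot be taken this way.
passwd_cache_only_root_empty() {
    f=${1:-/etc/passwd}
    cached=$(grep -c '^root::' "$f" || true)
    direct=$(dd if="$f" iflag=direct bs=4096 2>/dev/null) || return 2
    ondisk=$(printf '%s\n' "$direct" | grep -c '^root::' || true)
    [ "$cached" -gt 0 ] && [ "$ondisk" -eq 0 ]
}

# 0 if the byte sequence 31 ff 31 f6 31 c0 b0 6a occurs in $1 (default /usr/bin/su), read
# through the page cache like any normal open(). od -v prints every byte as " xx", so
# joining the lines keeps a space before each byte and the match stays byte-aligned.
has_su_signature() {
    od -An -v -tx1 "${1:-/usr/bin/su}" | tr -d '\n' | grep -q '31 ff 31 f6 31 c0 b0 6a'
}

# 0 if stdin (normally the output of `ip xfrm state`) lists an SA with an SPI of the
# form 0xDEADBE1x.
xfrm_spi_pattern_present() {
    grep -Eiq 'spi 0xdeadbe1[0-9a-f]( |$)'
}

# 0 if $1 (default /proc/keys) lists any key of type rxrpc.
rxrpc_keys_present() {
    grep -qs '[[:space:]]rxrpc[[:space:]]' "${1:-/proc/keys}"
}

# Run every check against the live host and print one line per indicator found.
check_host() {
    passwd_cache_only_root_empty && rc=0 || rc=$?
    case $rc in
        0) echo "passwd: root:: in page cache but not on disk (IOC)" ;;
        1) echo "passwd: page cache and disk agree" ;;
        *) echo "passwd: O_DIRECT unsupported here, cannot compare views" ;;
    esac
    has_su_signature && echo "su: shellcode signature in page cache (IOC)"
    ip xfrm state 2>/dev/null | xfrm_spi_pattern_present && echo "xfrm: 0xDEADBE1x SPIs (IOC)"
    rxrpc_keys_present && echo "keys: rxrpc keys present in keyrings (IOC)"
    return 0
}
```

Run `check_host` as root on the suspect machine; a clean host prints only the "page cache and disk agree" line.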
Mitigations
  • Blocklist esp4 / esp6 if you don't use IPsec.
  • Blocklist rxrpc if you don't use AFS.
  • sysctl -w kernel.unprivileged_userns_clone=0 to break the ESP variant's prerequisite.
01 Am I affected?

A host is likely affected if any of these is true:

  • Linux kernel 6.6 through 6.12 without the CVE-2026-43284 backport.
  • esp4, esp6, or rxrpc modules are loaded, available, or built into the kernel.
  • kernel.unprivileged_userns_clone = 1 (default on Ubuntu / Debian / Fedora).
  • Untrusted local users — multi-tenant servers, shared CI runners, container hosts.
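A stand-alone pre-check of the first three conditions, added here as an example that is not Swamp's scanner (function names are hypothetical; it assumes the Debian/Ubuntu unprivileged_userns_clone sysctl and reports it as unknown where that file is absent). The fourth condition depends on who holds accounts on the host and is left to the operator.

```shell
#!/bin/sh
# Added example, not the Swamp scanner: check the first three conditions with POSIX tools.
# Function names are hypothetical. Each check takes optional file arguments so it can
# also be run against files copied from another host.

# 0 if a kernel release string such as "6.8.0-45-generic" lies in the 6.6 - 6.12 window.
kernel_in_window() {
    case $1 in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    case "$major$minor" in *[!0-9]*) return 1 ;; esac
    [ "$major" -eq 6 ] && [ "$minor" -ge 6 ] && [ "$minor" -le 12 ]
}

# 0 if module $1 is exposed: already loaded ($2, a /proc/modules-style file), built
# into the kernel ($3, modules.builtin), or loadable on demand and not blocklisted by
# an "install $1 /bin/false" line under /etc/modprobe.d (the blocklist used in step 05).
module_exposed() {
    mod=$1; loaded=${2:-/proc/modules}
    builtin=${3:-/lib/modules/$(uname -r)/modules.builtin}
    grep -qs "^$mod " "$loaded" && return 0
    grep -qs "/$mod\.ko" "$builtin" && return 0
    grep -qs "^install $mod /bin/false" /etc/modprobe.d/*.conf && return 1
    modprobe -n -q "$mod" 2>/dev/null
}

# 0 if unprivileged user namespaces are enabled (the ESP variant's prerequisite),
# 2 if the sysctl file is absent: the knob is a distribution patch, not in every kernel.
userns_unprivileged_enabled() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = 1 ]
}

# Print one line per condition for the live host; return 0 when any condition holds.
assess() {
    hit=1; rel=$(uname -r)
    kernel_in_window "$rel" && { echo "kernel $rel: in 6.6-6.12 window"; hit=0; }
    for m in esp4 esp6 rxrpc; do
        module_exposed "$m" && { echo "module $m: loaded, built in, or loadable"; hit=0; }
    done
    userns_unprivileged_enabled && { echo "userns: unprivileged clone enabled"; hit=0; }
    return $hit
}
```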
02 Install Swamp

The @swamp/cve/dirtyfrag extension scans a host and emits a structured report. The included workflow also iterates over a list of IPs and produces a per-machine patch report across your whole fleet.

Install swamp:

$ curl -fsSL https://swamp-club.com/install.sh | sh

Initialize a new repo (run this in a new empty directory):

$ swamp repo init

Pull the scanner:

$ swamp extension pull @swamp/cve/dirtyfrag

Create the scanner instance:

$ swamp model create @swamp/cve/dirtyfrag dirtyfrag-scanner

Am I vulnerable:

$ swamp model method run dirtyfrag-scanner scan

Mitigate:

$ swamp model method run dirtyfrag-scanner mitigate
03 Run across your fleet

Pass a comma-separated list of hosts and your SSH credentials and the scanFleet method runs the scan against each one in parallel:

swamp model method run dirtyfrag-scanner scanFleet \
    --input hosts=34.204.74.133,3.94.251.138 \
    --input sshUser=ubuntu \
    --input sshKey=~/.ssh/dirtyfrag-fleet.pem
04 Scan Results
# Dirty Frag Scan Results

2 hosts scanned: 2 vulnerable, 0 clean

┌─────────────────┬────────────────┬──────────┬─────────────┬───────────────┬──────────┬────────────┐
│ Host            │ Kernel         │ Risk     │ ESP (43284) │ RxRPC (43500) │ IOCs     │ Status     │
├─────────────────┼────────────────┼──────────┼─────────────┼───────────────┼──────────┼────────────┤
│ ip-172-31-35-99 │ 7.0.0-1004-aws │ CRITICAL │ Vulnerable  │ Vulnerable    │ XFRM SAs │ VULNERABLE │
├─────────────────┼────────────────┼──────────┼─────────────┼───────────────┼──────────┼────────────┤
│ ip-172-31-45-27 │ 7.0.0-1004-aws │ CRITICAL │ Vulnerable  │ Vulnerable    │ XFRM SAs │ VULNERABLE │
└─────────────────┴────────────────┴──────────┴─────────────┴───────────────┴──────────┴────────────┘
05 Mitigate across your fleet

The mitigate method re-scans each host, then on the vulnerable ones writes a modprobe blocklist for esp4 / esp6 / rxrpc, unloads them from the running kernel, and flushes the page cache. Clean hosts are skipped automatically.

dryRun defaults to true — the method prints the commands it would run and changes nothing. Pass dryRun=false to actually apply.

swamp model method run dirtyfrag-scanner mitigate \
    --input hosts=34.204.74.133,3.94.251.138 \
    --input sshUser=ubuntu \
    --input sshKey=~/.ssh/dirtyfrag-fleet.pem \
    --input dryRun=false
06 Mitigation Results
# Dirty Frag Mitigation: APPLIED

┌───────────────┬────────────────┬─────────┐
│ Host          │ Kernel         │ Status  │
├───────────────┼────────────────┼─────────┤
│ 34.204.74.133 │ 7.0.0-1004-aws │ APPLIED │
├───────────────┼────────────────┼─────────┤
│ 3.94.251.138  │ 7.0.0-1004-aws │ APPLIED │
└───────────────┴────────────────┴─────────┘

## Commands

┌──────┬────────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────┐
│ Step │ Command                                                                │ Purpose                                     │
├──────┼────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────┤
│ 1    │ printf 'install esp4 /bin/false\n...' > /etc/modprobe.d/dirtyfrag.conf │ Blocklist esp4/esp6/rxrpc modules           │
├──────┼────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────┤
│ 2    │ rmmod esp4; rmmod esp6; rmmod rxrpc                                    │ Unload modules from running kernel          │
├──────┼────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────┤
│ 3    │ echo 3 > /proc/sys/vm/drop_caches                                      │ Flush page cache (clears corrupted entries) │
└──────┴────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────┘