CVE-2026-43284

high

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

From the Tenable Blog

Dirty Frag (CVE-2026-43284,CVE-2026-43500): Linux Kernel Privilege Escalation FAQ | Tenable®
Dirty Frag (CVE-2026-43284,CVE-2026-43500): Linux Kernel Privilege Escalation FAQ | Tenable®

Published: 2026-05-08

Dirty Frag (CVE-2026-43284, CVE-2026-43500) is a Linux kernel local privilege escalation exploit chain with a public PoC affecting major Linux distributions.

References

https://www.securityweek.com/dirtyclone-linux-kernel-vulnerability-leads-to-root-access/

https://latesthackingnews.com/2026/06/28/dirtyclone-privilege-escalation-dirty-linux-family/

https://securityaffairs.com/194338/uncategorized/dirtyclone-fourth-linux-kernel-flaw-in-six-weeks-escalates-to-root.html

https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html

https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/

https://www.cisa.gov/news-events/ics-advisories/icsa-26-174-06

https://securityaffairs.com/192436/uncategorized/dirtydecrypt-poc-released-for-yet-another-linux-flaw.html

https://kb.cert.org/vuls/id/980487

https://www.infosecurity-magazine.com/news/fragnesia-linux-kernel-lpe-root/

https://www.bleepingcomputer.com/news/security/new-fragnesia-linux-flaw-lets-attackers-gain-root-privileges/

https://aws.amazon.com/security/security-bulletins/rss/2026-030-aws/

https://aws.amazon.com/security/security-bulletins/rss/2026-029-aws/

https://www.infosecurity-magazine.com/news/dirty-frag-linux-kernel/

https://www.darkreading.com/vulnerabilities-threats/dirty-frag-exploit-blow-up-enterprise-linux-distros

https://therecord.media/dirty-frag-linux-kernel-hit-by-second-major-bug

https://docs.cloud.google.com/support/bulletins/index#gcp-2026-030

https://arstechnica.com/security/2026/05/linux-bitten-by-second-severe-vulnerability-in-as-many-weeks/

https://www.databreachtoday.com/dirty-frag-gives-root-on-linux-distros-a-31641

https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/

https://access.redhat.com/security/cve/cve-2026-43284

https://almalinux.org/blog/2026-05-07-dirty-frag/

https://www.vicarius.io/vsociety/posts/cve-2026-43284-mitigation-script-dirty-frag-linux-kernel-local-privilege-escalation

https://www.vicarius.io/vsociety/posts/cve-2026-43284-detection-script-dirty-frag-linux-kernel-local-privilege-escalation

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43284.json

https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad

https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4

https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d

https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b

https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9

https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7

https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97

https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec

https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034

https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03

https://bugzilla.redhat.com/show_bug.cgi?id=2467771

https://access.redhat.com/security/cve/CVE-2026-43284

https://access.redhat.com/errata/RHSA-2026:33486

https://access.redhat.com/errata/RHSA-2026:26542

https://access.redhat.com/errata/RHSA-2026:23233

https://access.redhat.com/errata/RHSA-2026:21695

https://access.redhat.com/errata/RHSA-2026:19577

https://access.redhat.com/errata/RHSA-2026:19575

https://access.redhat.com/errata/RHSA-2026:19574

https://access.redhat.com/errata/RHSA-2026:19573

https://access.redhat.com/errata/RHSA-2026:19572

https://access.redhat.com/errata/RHSA-2026:19569

https://access.redhat.com/errata/RHSA-2026:19568

https://access.redhat.com/errata/RHSA-2026:19564

https://access.redhat.com/errata/RHSA-2026:19225

https://access.redhat.com/errata/RHSA-2026:19074

https://access.redhat.com/errata/RHSA-2026:18025

https://access.redhat.com/errata/RHSA-2026:17795

https://access.redhat.com/errata/RHSA-2026:16328

https://access.redhat.com/errata/RHSA-2026:16314

https://access.redhat.com/errata/RHSA-2026:16312

https://access.redhat.com/errata/RHSA-2026:16254

https://access.redhat.com/errata/RHSA-2026:16206

https://access.redhat.com/errata/RHSA-2026:16204

https://access.redhat.com/errata/RHSA-2026:16203

https://access.redhat.com/errata/RHSA-2026:16202

https://access.redhat.com/errata/RHSA-2026:16201

https://access.redhat.com/errata/RHSA-2026:16196

https://access.redhat.com/errata/RHSA-2026:16195

https://access.redhat.com/errata/RHSA-2026:16180

https://access.redhat.com/errata/RHSA-2026:16176

https://access.redhat.com/errata/RHSA-2026:16171

https://access.redhat.com/errata/RHSA-2026:16161

https://access.redhat.com/errata/RHSA-2026:16160

https://access.redhat.com/errata/RHSA-2026:16157

https://access.redhat.com/errata/RHSA-2026:16155

https://access.redhat.com/errata/RHSA-2026:16100

https://access.redhat.com/errata/RHSA-2026:16062

https://access.redhat.com/errata/RHSA-2026:16061

http://www.openwall.com/lists/oss-security/2026/05/14/4

http://www.openwall.com/lists/oss-security/2026/05/14/2

http://www.openwall.com/lists/oss-security/2026/05/13/6

http://www.openwall.com/lists/oss-security/2026/05/08/7

Details

Source: Mitre, NVD

Published: 2026-05-08

Updated: 2026-07-01

Named Vulnerability: copy.fail 2Named Vulnerability: DirtyFragNamed Vulnerability: Dirty FragNamed Vulnerability: Copy Fail 2

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.93235

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Interest