Critical vulnerability | Global

New ‘Dirty Frag’ exploit targets Linux kernel for root access

Source: CSO Online

Executive Summary

A newly disclosed Linux privilege escalation issue dubbed “Dirty Frag” is giving attackers a cleaner path to post-compromise escalation to root privileges. According to Microsoft, a couple of vulnerabilities constituting the issue, affecting Linux kernel networking and memory-fragment handling components, are already seeing active exploitation in the wild. The exploitation attempts look indistinguishable from the recently disclosed Copy Fail campaigns.

Analysis

A newly disclosed Linux privilege escalation issue dubbed “Dirty Frag” is giving attackers a cleaner path to post-compromise escalation to root privileges. According to Microsoft, a couple of vulnerabilities constituting the issue, affecting Linux kernel networking and memory-fragment handling components, are already seeing active exploitation in the wild. The exploitation attempts look indistinguishable from the recently disclosed Copy Fail campaigns.

“Dirty Frag may be leveraged after initial compromise through SSH access, web-shell execution, container escape, or compromise of a low-privileged account,” Microsoft researchers said in a security blog post, adding that affected environments may include Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE, and OpenShift deployments.

Microsoft also said the exploit stands out because it avoids many of the instability issues typically associated with Linux local privilege escalation exploits that depend on race-condition bugs.

Turning Linux memory fragmentation into root access

According to Microsoft, the Dirty Frag exploit chain abuses weaknesses in how the Linux kernel handles fragmented memory pages, allowing attackers to overwrite protected page-cache-backed data and escalate privileges to root. The attack combines two separate vulnerabilities affecting the Linux IPsec Encapsulating Security Payload (ESP) subsystem (CVE-2026-43284) and the RxRPC networking protocol (CVE-2026-43500).

“Once local access is established, successful exploitation may allow attackers to escalate privileges to root and gain broad control over the affected Linux host,” the researchers said.

Dirty Frag is the latest addition to a growing family of Linux kernel page-cache corruption vulnerabilities that includes Dirty Pipe (CVE-2022-0847) and the recently disclosed Copy Fail (CVE-2026-31431) bug.

“This vulnerability is like both Copy Fail and Dirty Pipe in that they attack page caches in the system where in-place crypto operations take place,” said Ben Ronallo, principal cybersecurity engineer at Black Duck. “Copy Fail, Dirty Pipe, and Dirty Frag are all exploiting the same root cause, but Dirty Frag is not limited to a single Linux subsystem, whereas Copy Fail is limited to only algif_aead and Dirty Pipe is limited to pipe_buffer.”

Attackers are already exploiting Dirty Frag

Microsoft warned that Dirty Frag is already being actively exploited in the wild, primarily as a post-compromise privilege escalation tool. The company said attackers are using the vulnerability after obtaining an initial foothold on vulnerable Linux systems, allowing them to elevate privileges from a low-level user account to full root access.

“Microsoft Defender is currently seeing limited in-the-wild activity where privilege escalation involving ‘su’ is observed, and which may be indicative of techniques associated with either ‘Dirty Frag’ or ‘Copy Fail,’” the researchers said, adding that the attack began with SSH access, followed by the execution of a malicious ELF binary that quickly escalated privileges using ‘su.’ Su, short for switch user, is a command-line tool on Linux systems for switching from the current user to another, typically root, in order to execute commands with elevated privileges.

Defenders urged to disable vulnerable kernel modules

Users don’t yet have a complete fix. While the Linux Kernel Organization patched CVE-2026-43284 in a release on May 8, 2026, fixes for CVE-2026-43500 are still awaited. With fixes rolling out unevenly across Linux ecosystems, Microsoft and other researchers are urging organizations to apply temporary mitigations immediately. Recommended actions include disabling the vulnerable esp4, esp6, and rxrpc kernel modules if they are not operationally required.

Microsoft additionally recommended reducing unnecessary local shell access, monitoring for abnormal privilege escalation, and strengthening containerized workload controls to reduce opportunities for attackers to escalate into full system compromise. “Mitigation alone may not reverse changes already introduced through successful exploitation attempts,” the researchers warned, adding that exploitation prior to mitigation can leave malicious modifications persisting in memory or in cached file content.
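The two recommendations above, disabling the esp4/esp6/rxrpc modules where they are not needed and watching for the SSH-then-su sequence Defender observed, can both be turned into small defender-side checks. The following POSIX shell script is an added example written for this page; it is not code from the CSO Online article or from Microsoft's post. The module list comes from the article; the modprobe.d file name, the 120-second window, and the lsmod and auth-log samples (host web01, users deploy and alice, documentation-range IPs) are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the CSO Online article or Microsoft's post.
#   1. loaded_vuln_modules / blacklist_conf: report whether esp4, esp6 or rxrpc
#      are loaded and emit a modprobe.d fragment that refuses to load them.
#   2. fast_su_after_ssh: flag an SSH login that becomes "su" to root within a
#      short window, the sequence Microsoft Defender reported seeing.
# Module names are from the article; the conf path, window, host names, IPs
# and log lines below are constructed assumptions.

VULN_MODULES="esp4 esp6 rxrpc"

# Read lsmod-style text on stdin (header on line 1, module name in column 1)
# and print each module from VULN_MODULES that is present.
loaded_vuln_modules() {
    awk -v list="$VULN_MODULES" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        NR > 1 && ($1 in w) { print $1 }'
}

# Emit /etc/modprobe.d content. "install <mod> /bin/false" makes any later
# modprobe of <mod> fail, which also blocks on-demand autoloading; a plain
# "blacklist" line would only stop alias-based autoload.
blacklist_conf() {
    for m in $VULN_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Read syslog-format auth lines on stdin and print an ALERT when a user who was
# accepted by sshd runs "su" to root within $1 seconds (default 120).
# Assumption: all lines fall on one day (only HH:MM:SS is compared).
fast_su_after_ssh() {
    awk -v win="${1:-120}" '
        function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "for") { last_ssh[$(i+1)] = secs($3); break }
            next
        }
        /su\[[0-9]+\]: \(to root\) / {
            user = $8                   # "... su[2260]: (to root) deploy on pts/0"
            if (user in last_ssh) {
                d = secs($3) - last_ssh[user]
                if (d >= 0 && d <= win)
                    printf "ALERT %s %s: su to root %ds after SSH login by %s\n", $1 " " $2, $3, d, user
            }
        }'
}

# Constructed samples so the script runs stand-alone.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   36864  0
xfrm_user              57344  1
rxrpc                 770048  1 afs
overlay               196608  0'

SAMPLE_LOG='May 11 09:58:02 web01 sshd[2201]: Accepted publickey for deploy from 203.0.113.7 port 51422 ssh2
May 11 09:58:02 web01 sshd[2201]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
May 11 09:58:40 web01 su[2260]: (to root) deploy on pts/0
May 11 09:58:40 web01 su[2260]: pam_unix(su:session): session opened for user root(uid=0) by deploy(uid=1001)
May 11 12:14:09 web01 sshd[3100]: Accepted password for alice from 198.51.100.22 port 40110 ssh2
May 11 14:30:11 web01 su[3411]: (to root) alice on pts/1'

if [ "${1:-}" = "--demo" ]; then
    echo "# loaded modules on the mitigation list:"
    printf '%s\n' "$SAMPLE_LSMOD" | loaded_vuln_modules
    echo "# proposed /etc/modprobe.d/dirty-frag-mitigation.conf:"
    blacklist_conf
    echo "# su-after-ssh triage (120 s window):"
    printf '%s\n' "$SAMPLE_LOG" | fast_su_after_ssh 120
fi
```

Run with `--demo` to see the sample output; on a real host, feed `lsmod` into `loaded_vuln_modules` and write `blacklist_conf` output to a file under `/etc/modprobe.d/`. The conf only prevents future loads: a module that is already loaded has to be removed with `modprobe -r`, and that fails when something is pinning it (rxrpc is held by afs in the sample), which is exactly the "operationally required" case the article carves out. The su correlation is a triage signal rather than proof of exploitation, since administrators routinely log in and switch to root within seconds; the observed chain also had a malicious ELF binary executed between the two events, so pair this with process-creation telemetry before acting on it.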

Indicators of Compromise (4)

CVE (4)
CVE-2026-43284
CVE-2026-43500
CVE-2022-0847
CVE-2026-31431
Source Attribution

Originally published by CSO Online on May 11, 2026.
