Issue
A vulnerability named "Dirty Frag" was recently discovered in the Linux kernel; it allows Local Privilege Escalation (LPE) to the root user. "Dirty Frag" (CVE-2026-43284) is similar to the recently disclosed "Copy/Fail" (CVE-2026-31431) vulnerability and is a continuation of an earlier vulnerability named "Dirty Pipe" (CVE-2022-0847). The flaw is in the Linux kernel itself and is therefore present in multiple Linux distributions.
Environment
- CloudLinux
- KernelCare
Solution
We are working on two primary paths for a permanent fix:
- Patched Kernels: New kernel builds for CL7h, CL8, CL9, and CL10 are currently in our build and QA pipeline.
- KernelCare Livepatches: For systems using KernelCare, livepatches are being developed to fix the issue without a reboot.
Immediate Mitigation (Manual Workaround):
If you cannot wait for the patched kernel and your server does not rely on IPsec/VPN tunnels (such as strongSwan or Libreswan), you should block the vulnerable modules immediately:
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
This prevents the kernel from auto-loading the code used in the exploit.
To Revert (After Patching):
sudo rm /etc/modprobe.d/dirtyfrag.conf
Compatibility: esp4 / esp6 are the kernel-side ESP transforms used by IPsec. Disabling them breaks IPsec tunnels that rely on the kernel data path on the affected machine. Do not apply this mitigation to hosts that terminate or transit IPsec / strongSwan / Libreswan tunnels. rxrpc is the AF_RXRPC transport used almost exclusively by AFS clients and is not present on typical web-hosting servers.
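The workaround command above discards rmmod errors (`2>/dev/null; true`), so a module that is in use can remain loaded even though the command exits cleanly. The following check is an added example, not part of the original article or of CloudLinux/KernelCare tooling; the function names and the optional path arguments are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit the Dirty Frag module-blocking workaround.
# Function names and path arguments are hypothetical; the defaults
# point at the live system.

MODULES="esp4 esp6 rxrpc"

# module_loaded NAME [PROC_MODULES]: succeeds if NAME is currently loaded.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# module_blocked NAME [MODPROBE_DIR]: succeeds if a non-commented
# "install NAME /bin/false" rule exists in any *.conf file.
module_blocked() {
    dir="${2:-/etc/modprobe.d}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '
            /^[ \t]*#/ { next }
            $1 == "install" && $2 == m && $3 == "/bin/false" { found = 1 }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# audit_dirtyfrag [PROC_MODULES] [MODPROBE_DIR]: prints one status line
# per module; the return value is the number of modules that are still
# loaded or lack a blocking rule (0 means the workaround is fully applied).
audit_dirtyfrag() {
    bad=0
    for m in $MODULES; do
        if module_loaded "$m" "$1"; then state="LOADED"; else state="not-loaded"; fi
        if module_blocked "$m" "$2"; then rule="blocked"; else rule="NOT-blocked"; fi
        echo "$m: $state, $rule"
        [ "$state" = "not-loaded" ] && [ "$rule" = "blocked" ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Live check on a host:  audit_dirtyfrag || echo "workaround incomplete"
```

A module reported as LOADED after the workaround was applied is still in use on that host, which is the IPsec case the compatibility note describes.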
For more details, please refer to:
Cause
Dirty Frag (CVE-2026-43284) is a Linux kernel local privilege escalation in the xfrm subsystem. The flaw lives in the ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path and is reachable via the XFRM user netlink interface, which auto-loads the relevant modules. A working public proof-of-concept exists; any unprivileged local user can use it to gain root in a single command.