惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
T
The Blog of Author Tim Ferriss
Recent Announcements
Recent Announcements
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
The Register - Security
The Register - Security
MongoDB | Blog
MongoDB | Blog
U
Unit 42
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
P
Privacy International News Feed
L
LINUX DO - 最新话题
博客园_首页
博客园 - Franky
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tor Project blog
V
Visual Studio Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Privacy & Cybersecurity Law Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
K
Kaspersky official blog
C
Cisco Blogs
博客园 - 【当耐特】
阮一峰的网络日志
阮一峰的网络日志
I
Intezer
罗磊的独立博客
MyScale Blog
MyScale Blog
Last Week in AI
Last Week in AI
A
About on SuperTechFans
G
GRAHAM CLULEY
Y
Y Combinator Blog
Microsoft Security Blog
Microsoft Security Blog
GbyAI
GbyAI
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
D
DataBreaches.Net
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
I
InfoQ
T
The Exploit Database - CXSecurity.com
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - 叶小钗
Project Zero
Project Zero

CERT Recently Published Vulnerability Notes

CERT/CC Vulnerability Note VU#326070 CERT/CC Vulnerability Note VU#529388 CERT/CC Vulnerability Note VU#725167 VU#564823: GNU Wget enables SSRF via unvalidated FTP PASV IPs CERT/CC Vulnerability Note VU#152953 CERT/CC Vulnerability Note VU#734812 CERT/CC Vulnerability Note VU#849433 CERT/CC Vulnerability Note VU#213560 CERT/CC Vulnerability Note VU#828543 CERT/CC Vulnerability Note VU#639124 CERT/CC Vulnerability Note VU#936962 CERT/CC Vulnerability Note VU#226679 CERT/CC Vulnerability Note VU#457458 CERT/CC Vulnerability Note VU#380058 CERT/CC Vulnerability Note VU#862559 CERT/CC Vulnerability Note VU#616257 CERT/CC Vulnerability Note VU#595768 CERT/CC Vulnerability Note VU#615987 CERT/CC Vulnerability Note VU#265691 CERT/CC Vulnerability Note VU#873170 CERT/CC Vulnerability Note VU#158530 CERT/CC Vulnerability Note VU#780781 CERT/CC Vulnerability Note VU#777338 CERT/CC Vulnerability Note VU#471747 CERT/CC Vulnerability Note VU#937808 CERT/CC Vulnerability Note VU#260001 CERT/CC Vulnerability Note VU#748485 CERT/CC Vulnerability Note VU#518910 CERT/CC Vulnerability Note VU#890999 CERT/CC Vulnerability Note VU#414811 CERT/CC Vulnerability Note VU#915947 CERT/CC Vulnerability Note VU#536588 CERT/CC Vulnerability Note VU#951662 CERT/CC Vulnerability Note VU#655822 CERT/CC Vulnerability Note VU#221883 CERT/CC Vulnerability Note VU#330121 CERT/CC Vulnerability Note VU#577436 CERT/CC Vulnerability Note VU#624941 CERT/CC Vulnerability Note VU#907705 CERT/CC Vulnerability Note VU#665416 CERT/CC Vulnerability Note VU#976247 CERT/CC Vulnerability Note VU#772695 CERT/CC Vulnerability Note VU#431821 CERT/CC Vulnerability Note VU#504749 CERT/CC Vulnerability Note VU#458422 CERT/CC Vulnerability Note VU#481830
CERT/CC Vulnerability Note VU#980487
2026-05-21 · via CERT Recently Published Vulnerability Notes

Overview

A privilege escalation vulnerability, nicknamed "Dirty Frag," has been discovered in the Linux kernel versions 4.10 and later. This vulnerability is a result of chaining together two previously discovered vulnerabilities, xfrm-ESP Page-Cache Write CVE-2026-43284 and the RxRPC Page-Cache Write CVE-2026-43500. This vulnerability was publicly disclosed on May 07, 2026.

Description

Dirty Frag is a Linux kernel vulnerability affecting the IPv4/IPv6 fragmentation and reassembly subsystem. The issue stems from improper handling of overlapping or malformed fragment offsets during the reassembly process. An attacker capable of sending crafted network packets to a vulnerable host can exploit the flaw to trigger memory corruption conditions.

The publicly documented proof of concept demonstrates that fragmentation logic can be manipulated such that the kernel processes inconsistent fragment states, enabling a controlled write out-of-bounds scenario. When successfully exploited, this can result in local or remote denial of service (kernel panic) and, depending on configuration and kernel build options, may create a primitive for more advanced memory manipulation.

The vulnerability arises from insufficient validation of fragment metadata during reassembly, specifically around:

  • Incorrect or incomplete enforcement of fragment boundary checks
  • Acceptance of overlapping fragments in unsafe sequences
  • Inadequate cleanup when transitions occur between valid and invalid fragment states

The fragment queue logic in affected kernels does not fully verify that fragment offsets, sizes, and overlap conditions remain consistent throughout reassembly. This allows malformed sequences to be processed without proper rejection.

Impact

The primary security concern is potential privilege escalation, similar in nature to the previously disclosed VU#260001 ("Copy Fail") vulnerability.

Depending on system configuration, kernel hardening features, and network exposure, successful exploitation may result in:

  • Local or remote denial of service through kernel panic
  • Memory corruption within the Linux networking stack
  • Privilege escalation
  • Container escape in certain containerized environments
  • Additional exploit primitives when chained with other vulnerabilities

Solution

Update Linux distribution

Update your distribution’s kernel package as soon as vendor patches become available. Most major Linux distributions are expected to release fixes through their standard update channels.

Workarounds (if patching is not immediately possible):

1) Disable at-risk modules (if loaded and loadable):
Use the following command to remove the modules in which the vulnerabilities occur and clear the page cache.
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"

Note: you can verify if a module is currently being used using lsmod and the Used field or reviewing refcnt data in /sys/module/<module_name>/refcnt for e.g., cat /sys/module/esp4/refcnt

2) If affected modules esp4, esp6, rxrpc are compiled into the kernel (not a dynamic module), the following parameter can be added to grub, systemd-boot, or grubby, depending on your boot configuration:
initcall_blacklist=esp4,esp6,rxrpc
This prevents the module from initializing at boot time. A system reboot is required for this change to take effect.

Mitigation for Containers

For containerized environments, where this vulnerability may be leveraged for container escape, consider applying one or more of the following mitigations:

  • Secure computing (seccomp) filtering: Restrict or deny system calls that create sockets using the AF_ALG address family (protocol 38) and AF_RXRPC (protocol 33) .
  • AppArmor policies: Use AppArmor to block creation of AF_ALG sockets and AF_RXRPC via the network alg rule.
  • eBPF-based enforcement: Deploy BPF-based controls to deny socket creation with address family AF_ALG (38) and AF_RXRPC (33).

Acknowledgements

This vulnerability was disclosed by Hyunwoo Kim. This document was written by Bob Kemerer.

Vendor Information

Filter by content: Additional information available

 Sort by:


Other Information

CVE IDs: CVE-2026-43284 CVE-2026-43500
API URL: VINCE JSON | CSAF
Date Public: 2026-05-20
Date First Published: 2026-05-20
Date Last Updated: 2026-05-20 21:23 UTC
Document Revision: 1