惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
MyScale Blog
MyScale Blog
Microsoft Azure Blog
Microsoft Azure Blog
N
Netflix TechBlog - Medium
M
MIT News - Artificial intelligence
GbyAI
GbyAI
人人都是产品经理
人人都是产品经理
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园_首页
爱范儿
爱范儿
博客园 - 三生石上(FineUI控件)
L
LangChain Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
云风的 BLOG
云风的 BLOG
Y
Y Combinator Blog
L
LINUX DO - 热门话题
Project Zero
Project Zero
罗磊的独立博客
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
MongoDB | Blog
MongoDB | Blog
Spread Privacy
Spread Privacy
S
Schneier on Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
J
Java Code Geeks
P
Palo Alto Networks Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
博客园 - Franky
T
Threat Research - Cisco Blogs
D
Docker
Hugging Face - Blog
Hugging Face - Blog
S
Securelist
Google DeepMind News
Google DeepMind News
T
The Exploit Database - CXSecurity.com
L
Lohrmann on Cybersecurity
月光博客
月光博客
V
Vulnerabilities – Threatpost
NISL@THU
NISL@THU
V
Visual Studio Blog
AWS News Blog
AWS News Blog
I
Intezer
T
The Blog of Author Tim Ferriss
P
Privacy International News Feed
T
Tor Project blog
F
Full Disclosure
P
Proofpoint News Feed
SecWiki News
SecWiki News
H
Heimdal Security Blog
Help Net Security
Help Net Security
The Hacker News
The Hacker News

Hacker News

Introducing Claude Opus 4.7 Qwen Studio The Future of Everything is Lies, I Guess: Where Do We Go From Here? GitHub - SeanFDZ/macmind: Single-layer transformer in HyperTalk for the classic Macintosh Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis Moving a large-scale metrics pipeline from StatsD to OpenTelemetry / Prometheus GitHub - Nightmare-Eclipse/RedSun: The Red Sun vulnerability repository GitHub - SethPyle376/hiraeth: Local AWS emulator focused on fast integration testing, with SQS support, SQLite-backed state, and a debug-friendly web UI. GitHub - macOS26/Agent: Any AI, replaces Claude Code, Cursor, OpenClaw. Over 18 LLM providers (Claude, OpenAI, Gemini, Ollama, Zai, HF, Qwen) wired into a native Mac app that writes code, builds Xcode projects, bumps versions, manages git, automates Safari, use AppleScript, JS or Accessibility, extend Agent! w/ MCP Servers, run tasks from your iPhone via Messages. YouTube now lets you turn off Shorts I Made a Terminal Pager Burgers | マクドナルド公式 Commands — HackerNews CLI documentation ChatGPT for Excel PiCore - Raspberry Pi Port of Tiny Core Linux Live Nation illegally monopolized ticketing market, jury finds Google Broke Its Promise to Me. Now ICE Has My Data. Founding Engineer at Adaptional | Y Combinator CRISPR takes important step toward silencing Down syndrome’s extra chromosome GitHub - saffron-health/libretto: The AI toolkit for building reliable browser automations US v. Heppner (S.D.N.Y. 2026) no attorney-client privilege for AI chats [pdf] Unexpected €54k billing spike in 13 hours: Firebase browser key without API restrictions used for Gemini requests Retrofitting JIT Compilers into C Interpreters IPv6 – Google The Accursèd Alphabetical Clock Cybersecurity Looks Like Proof of Work Now Fragments: April 14 Cal.com Goes Closed Source: Why AI Security Is Forcing Our Decision | Cal.com - Scheduling Software for Online Bookings Laravel raised money and now injects ads directly into your agent When moving fast, talking is the first thing to break Too much Discussion of the XOR swap trick – Heather Cafe Introduction to Spherical Harmonics for Graphics Programmers The Grand Line Building a Z-Machine in the worst possible language High-Level Rust: Getting 80% of the Benefits with 20% of the Pain GitHub - duguyue100/midnight-captain: Inspired by Midnight Commander, tailored to my taste. How to build a `git diff` driver · Jamie Tanna | Software Engineer Center for Responsible, Decentralized Intelligence at Berkeley The Local Universe’s Expansion Rate Is Clearer Than Ever, but Still Doesn’t Add Up - A new synthesis of astronomical measurements confirms a persistent mismatch that could point to physics beyond current models The air throughout our homes is infused with microplastics. But there are things you can do to breathe less of them The disturbing white paper Red Hat is trying to erase from the internet – OSnews The Future of Everything is Lies, I Guess: Annoyances ‘Abhorrent’: the inside story of the Polymarket gamblers betting millions on war Productive procrastination — Max van IJsselmuiden maps, territory and LMs 447 Terabytes per Square Centimetre at Zero Retention Energy: Non-Volatile Memory at the Atomic Scale on Fluorographane Show HN: Pardonned.com – A searchable database of US Pardons 20 Years on AWS and Never Not My Job The Seasons are Wrong Artemis II crew splashes down near San Diego after historic moon mission We gave an AI a 3 year retail lease in SF and asked it to make a profit | Andon Labs How a dancer with ALS used brainwaves to perform live On filing the corners off my MacBooks Installing every* Firefox extension OpenClaw’s memory is unreliable, and you don’t know when it will break Steve Blank Nowhere Is Safe Chimpanzees in Uganda locked in vicious 'civil war', say researchers watgo - a WebAssembly Toolkit for Go linux/Documentation/process/coding-assistants.rst at master · torvalds/linux GitHub - callumlocke/json-formatter: Makes JSON easy to read. Founding Product Engineer at Bild AI | Y Combinator A compelling title that is cryptic enough to get you to take action on it GitHub - Keychron/Keychron-Keyboards-Hardware-Design: Industrial design files for Keychron keyboards and mice. 100+ models with CAD assets in STEP, DXF, DWG, and PDF. Source-available, with commercial use allowed for original compatible accessories within the license terms. [ANNOUNCE] WireGuardNT v0.11 and WireGuard for Windows v0.6 Released 1D-Chess Helium Is Hard to Replace Cooperative Vectors Introduction | Evolve Keeping a Postgres queue healthy — PlanetScale Our response to the Axios developer tool compromise Do Americans read print books, e-books or audiobooks more? The Zettelkasten Method in Obsidian: A Practical Setup Guide Artemis II Is Competency Porn and We Are Starving For It WeakC4 Flight Viz — Cockpit View A Mexican surveillance giant you’ve never heard of is now watching the U.S. border Surelock: Deadlock-Free Mutexes for Rust RISC-V 101 – what is it and what does it mean for Canonical? | Ubuntu The Problem That Built an Industry How Much Linear Memory Access Is Enough? | Solidean Investigating Split Locks on x86-64 Simplest hash functions Sybilproof reputation mechanisms (2005) [pdf] What is a property? How Complex is my Code? Static code analysis in Kotlin — tools overview Toffoli gates are all you need PGLite evangelism dcmake: a new CMake debugger UI Clojure on Fennel part one: Persistent Data Structures Fragments: April 2 Python Release Python install manager 26.1 The Life and Death of the Book Review - Liberties Introducing Database Traffic Control — PlanetScale Bitcoin miners are losing $19,000 on every BTC produced as difficulty drops 7.8% God sleeps in the minerals Building slogbox Apple Silicon and Virtual Machines: Beating the 2 VM Limit Who was “Not Even Wrong” first? Pokemon Evolution Vs Darwinian Evolution The APL Programming Language Source Code
“Dirty Frag” (CVE-2026-43284): The Second Linux Root Exploit in Eight Days — Patch Your Server Now
ggallas · 2026-05-10 · via Hacker News

Eight days after Copy Fail shook the Linux server world, another critical vulnerability has arrived — and this one also hands root access to anyone who can run code on your server.

It is called “Dirty Frag”. It was publicly disclosed on May 7, 2026. A working exploit already exists. And if your server has not been patched and rebooted since May 8, it is vulnerable right now.

What is Dirty Frag?

Dirty Frag is the informal name for a chained exploit that combines two Linux kernel vulnerabilities: CVE-2026-43284 and CVE-2026-43500. The first one is already patched; the second is still being rolled out to distributions as of this writing.

The root cause of CVE-2026-43284 lies in how the Linux kernel handles network packet memory in the IPsec/ESP path. When MSG_SPLICE_PAGES attaches pages from a pipe directly to a network buffer (skb), the IPv4/IPv6 datagram paths failed to mark those pages as shared.

This left an ESP-in-UDP packet made from shared pipe pages appearing to the kernel like an ordinary, privately-owned buffer — so ESP decryption would happen in-place directly over memory the skb does not own. An attacker who knows how to manipulate this behavior can achieve a controlled write into the kernel page cache and ultimately escalate to root.

In plain terms: the kernel trusted memory it should not have trusted, and an attacker can use that misplaced trust to take over the entire machine.

Unlike the previous DirtyPipe vulnerability, which relied on a narrow race condition in pipe buffer flag handling, Dirty Frag is a deterministic logic flaw. Researcher Hyunwoo Kim reports very high success rates and minimal kernel panic risk, with no timing window to lose. This makes it unusually reliable as exploits go.

How it connects to Copy Fail

Copy Fail (CVE-2026-31431), disclosed on April 29, exploited a logic bug in the Linux kernel’s cryptographic subsystem — specifically a flaw in the authencesn AEAD template that allowed a controlled 4-byte write into the kernel page cache. A 732-byte Python script was enough to gain root on every major Linux distribution built since 2017.

Dirty Frag follows the same fundamental pattern — a page cache write primitive turned into a root escalation — but through a completely different code path. Both vulnerabilities turn long-lived in-place processing optimizations into deterministic root primitives: Copy Fail through userspace crypto, Dirty Frag through IPsec receive.

The connection is not accidental. Researcher Hyunwoo Kim explicitly built on the bug class that Copy Fail introduced. Some in the security community have already started referring to CVE-2026-43284 as “Copy Fail 2.0.” What was presented as a rare kernel bug ten days ago is becoming a repeatable class of attack.

An interesting factor of Dirty Frag is that chaining the two sub-vulnerabilities (CVE-2026-43284 and CVE-2026-43500) covers each other’s blind spots. Neither flaw alone provides a sufficiently reliable primitive for full root escalation. However, when combined, the chained exploit achieves immediate root on most distributions.

Who is affected?

Every server running a mainstream Linux kernel built from roughly 2017 onwards is affected. Every supported AlmaLinux release is affected. CVE-2026-43284 affects AlmaLinux 8, 9, and 10 through the esp4/esp6 modules, which are part of the standard kernel package on every release.

The full list of affected distributions includes Red Hat Enterprise Linux, AlmaLinux, Debian, Ubuntu, Fedora, Arch Linux, CentOS, CloudLinux, and Amazon Linux.

For web hosting environments specifically, the threat vector is the same as Copy Fail: the attacker does not need to break in remotely. The danger is that once an attacker gets in — through a vulnerable WordPress plugin, a web shell, weak SSH credentials, or a compromised container — Dirty Frag lets them immediately escalate to root and then disable security tools, read credentials, tamper with logs, move laterally, or persist on the server.

On shared hosting servers, a single compromised account could become a full server compromise.

The fix — step by step

Step 1: Update the kernel

Patched kernels are now available in production repositories as of May 8, 2026. This is the only real fix.

For AlmaLinux, CloudLinux, Rocky Linux, CentOS Stream, RHEL:

sudo dnf clean metadata && sudo dnf upgrade
sudo reboot

For Debian / Ubuntu:

sudo apt update && sudo apt upgrade
sudo reboot

For CloudLinux with KernelCare (no reboot required):

kcarectl --update

After rebooting, confirm you are running the patched kernel:

uname -r

Compare the output against the patched version in your distribution’s security advisory before considering the server protected.

Step 2: Interim mitigation (if you cannot reboot immediately)

If a reboot is not immediately possible, you can block the vulnerable modules from loading. The Dirty Frag technical writeup offers a mitigation that removes the modules containing the vulnerabilities and clears the page cache:

printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
  > /etc/modprobe.d/dirtyfrag.conf
rmmod esp4 esp6 rxrpc 2>/dev/null
echo 3 > /proc/sys/vm/drop_caches

Important before applying this: verify that your server does not use IPsec VPN tunnels, site-to-site encrypted networking, or Kubernetes network policies that depend on esp4 or esp6. Disabling these modules on a server with active IPsec will break those connections. If in doubt, apply the kernel update instead.

After the patched kernel is installed and the server is rebooted, revert the mitigation by removing the /etc/modprobe.d/dirtyfrag.conf file.

Step 3: Combine with Copy Fail remediation

If you have not yet addressed Copy Fail (CVE-2026-31431), treat both vulnerabilities as a combined remediation effort, given their similarity and overlapping mitigation steps. A single kernel update and reboot covers both. Check that your running kernel is patched for both CVE-2026-31431 and CVE-2026-43284 before considering the server clean.

What this means going forward

Two universal Linux kernel privilege escalation vulnerabilities in eight days is not normal. Dirty Frag is the second in this period, following Copy Fail. With a working public proof-of-concept released ahead of patches and exploitation reduced to a handful of standard syscalls, defenders should assume any local foothold on an unpatched host can become root within seconds.

The disclosure of Dirty Frag also went badly: an unrelated third party leaked the exploit details before distributions had finished packaging patches, forcing a premature public disclosure while CVE-2026-43500 was still unpatched. This is the same pattern that made Copy Fail so dangerous in its first hours.

The practical lesson is that the time between a vulnerability being known to attackers and being exploited in the wild is now measured in hours, not days. Kernel updates must be treated with the same urgency as application security patches — applied as soon as they are available, not during the next scheduled maintenance window.

For any server running web hosting workloads: patch today, reboot, verify. Then set up alerting so the next time this happens, you know within the hour.

Sources

Help Net Security: https://www.helpnetsecurity.com/2026/05/08/dirty-frag-linux-vulnerability-cve-2026-43284-cve-2026-43500/

AlmaLinux security advisory: https://almalinux.org/blog/2026-05-07-dirty-frag/

Tenable Research FAQ: https://www.tenable.com/blog/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe

Sysdig detection guide: https://www.sysdig.com/blog/dirty-frag-cve-2026-43284-and-cve-2026-43500-detecting-unpatched-local-privilege-escalation-via-linux-kernel-esp-and-rxrpc

SUSE CVE entry: https://www.suse.com/security/cve/CVE-2026-43284.html

Ubuntu CVE page: https://ubuntu.com/security/CVE-2026-43284

Ubuntu blog (fixes available): https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available

CloudLinux blog (Dirty Frag): https://blog.cloudlinux.com/dirty-frag-mitigation-and-kernel-update

Knightli mitigation guide: https://www.knightli.com/en/2026/05/09/dirty-frag-cve-2026-43284-linux-lpe-mitigation/