惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
WordPress大学
WordPress大学
博客园 - 【当耐特】
Engineering at Meta
Engineering at Meta
IT之家
IT之家
Apple Machine Learning Research
Apple Machine Learning Research
小众软件
小众软件
美团技术团队
S
SegmentFault 最新的问题
The GitHub Blog
The GitHub Blog
Martin Fowler
Martin Fowler
Recorded Future
Recorded Future
H
Help Net Security
aimingoo的专栏
aimingoo的专栏
Y
Y Combinator Blog
博客园_首页
A
About on SuperTechFans
MongoDB | Blog
MongoDB | Blog
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
D
DataBreaches.Net
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
B
Blog
The Register - Security
The Register - Security
I
InfoQ
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
雷峰网
雷峰网
Last Week in AI
Last Week in AI
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
月光博客
月光博客
酷 壳 – CoolShell
酷 壳 – CoolShell
Blog — PlanetScale
Blog — PlanetScale
N
Netflix TechBlog - Medium
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
有赞技术团队
有赞技术团队
Stack Overflow Blog
Stack Overflow Blog
Jina AI
Jina AI
Security Archives - TechRepublic
Security Archives - TechRepublic
Hacker News - Newest:
Hacker News - Newest: "LLM"
U
Unit 42
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
W
WeLiveSecurity
Latest news
Latest news
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 叶小钗
L
Lohrmann on Cybersecurity
博客园 - Franky
Recent Commits to openclaw:main
Recent Commits to openclaw:main
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Ubuntu blog

Tracing a memory leak bug in PID 1 and contributing an upstream fix: a Linux support story | Ubuntu MAAS installation: bare metal provisioning is easier than ever | Ubuntu Januscape vulnerability CVE-2026-53359 mitigations available | Ubuntu Managing Ubuntu on bare metal at scale Ubuntu Server: a platform made for enterprise scale | Ubuntu Building an open source chain of trust: new research uncovers key blockers and ways forward | Ubuntu Beyond safety and security: Why automotive open source demands dependability  | Ubuntu DirtyClone Linux kernel local privilege escalation vulnerability fixes available | Ubuntu pedit COW kernel local privilege escalation vulnerability mitigations | Ubuntu Canonical becomes Gold Sponsor of Trifecta Tech Foundation | Ubuntu Challenges designers face in open source (and how to fix them) | Ubuntu Hunting a 16-year-old SQLite bug with TLA+: is dqlite affected? | Ubuntu Anbox Cloud on C4A metal: Android, at scale, without friction | Ubuntu Canonical announces live kernel patching for Arm64 | Ubuntu How to use RISC-V custom instructions with Ubuntu | Ubuntu Ubuntu Summit 26.04: connected by open source | Ubuntu So you need to add microcontrollers to your fleet: now what? | Ubuntu Validating real-world skills through Canonical Academy | Ubuntu Virtualized Android comes to Anbox Cloud | Ubuntu Template: Streamlining open source design contributions | Ubuntu Beyond Mythos: responding to a new threat landscape | Ubuntu A look into Ubuntu Core 26: Building a local AI inference appliance in a virtual machine | Ubuntu A decade of Ubuntu on IBM Z and IBM LinuxONE | Ubuntu AI at the edge: simplifying infrastructure with Cisco and Canonical | Ubuntu The next era of telco clouds: get open infrastructure choice with Sylva and Canonical Kubernetes | Ubuntu What is RDMA over Converged Ethernet (RoCE)? | Ubuntu Beyond tokens per watt – using Ubuntu 26.04 LTS for AI | Ubuntu A look into Ubuntu Core 26: Deploying AI models on Renesas RZ/V series for production | Ubuntu RISC-V profiles – why is RVA23 significant? | Ubuntu AI with AMD ROCm on Ubuntu: your questions answered | Ubuntu Ubuntu and Ubuntu Pro on Azure Cobalt 200 VMs | Ubuntu What is InfiniBand? | Ubuntu How Canonical Support solves hard Linux performance bugs  – even in 12-year old code | Ubuntu Securing AI agent workflows on Ubuntu with the new NVIDIA OpenShell snap | Ubuntu Canonical announces optimized Ubuntu images for TPU virtual machines by Google Cloud | Ubuntu VMware hypervisor deployment using MAAS | Ubuntu Migrating from Apache Spark 3 to Spark 4 | Ubuntu Introducing Workshop: launch sandboxed development environments on Ubuntu with a single command | Ubuntu Run agentic workloads on Arm and Ubuntu | Ubuntu Decoding design: How design and engineering thrive together in open source | Ubuntu Developing web apps with local LLM inference | Ubuntu PinTheft Linux kernel vulnerability mitigation | Ubuntu Canonical announces fully Managed Kubeflow AI operations platform on the Microsoft Azure Marketplace | Ubuntu A look into Ubuntu Core 26: Cloud-powered edge computing with AWS IoT Greengrass and Azure IoT Edge | Ubuntu CVE-2026-46333 (ssh-keysign-pwn) Linux kernel vulnerability mitigations | Ubuntu Finding the blind spot: How Canonical hunts logic flaws with AI | Ubuntu Fragnesia Linux kernel local privilege escalation vulnerability mitigations | Ubuntu Rethinking BYOD security: protecting data without trusting devices | Ubuntu Three weeks to go: A sneak peek of the Ubuntu Summit 26.04 experience | Ubuntu How to use Ubuntu on Windows | Ubuntu Fixes available for CVE-2026-31431 (Copy Fail) Linux Kernel Local Privilege Escalation Vulnerability | Ubuntu Run NVIDIA Nemotron 3 Nano Omni locally in a single command | Ubuntu Why Web Engineering is great | Ubuntu Ubuntu 16.04 LTS has reached the end of standard Expanded Security Maintenance with Ubuntu Pro. Here are your options. | Ubuntu Understanding disaggregated GenAI model serving with llm-d | Ubuntu From Jammy to Resolute: how Ubuntu’s toolchains have evolved | Ubuntu Hybrid search and reranking: a deeper look at RAG | Ubuntu Canonical expands Ubuntu support to next-generation MediaTek Genio 520 and 720 platforms | Ubuntu Intentional leadership at Canonical | Ubuntu Ubuntu Pro comes to Nutanix bare-metal Kubernetes | Ubuntu RISC-V 101 – what is it and what does it mean for Canonical? | Ubuntu Ubuntu Summit 26.04 is coming: Save the date and share your story! | Ubuntu How to manage Ubuntu fleets using on-premises Active Directory and ADSys | Ubuntu Simplify bare metal operations for sovereign clouds | Ubuntu How to Harden Ubuntu SSH: From static keys to cloud identity | Ubuntu The “scanner report has to be green” trap | Ubuntu Modern Linux identity management: from local auth to the cloud with Ubuntu | Ubuntu Canonical welcomes NVIDIA’s donation of the GPU DRA driver to CNCF | Ubuntu Hot code burns: the supply chain case for letting your containers cool before you ship | Ubuntu
Dirty Frag Linux kernel local privilege escalation vulnerability mitigations | Ubuntu
Luci Stanesc · 2026-05-08 · via Ubuntu blog

Two local privilege escalation (LPE) vulnerabilities affecting the Linux kernel have been publicly disclosed on May 7, 2026. The vulnerabilities have been assigned the IDs CVE-2026-43284 and CVE-2026-43500 and are referred to as “Dirty Frag.” The affected components are Linux kernel modules. The first vulnerability impacts the modules that provide support for ESP (Encapsulating Security Protocol), one of the protocols used for IPsec (Internet Protocol Security). The second vulnerability impacts the modules that provide support for RxRPC, a protocol used for AFS (Andrew File System), a distributed file system. The vulnerabilities affect multiple Linux distributions, including all Ubuntu releases.

CVE-2026-43284 is assessed by the kernel.org CNA to have a CVSS 3.1 score of 8.8 (HIGH). CVE-2026-43500 is assessed by the NVD and CISA to have a CVSS 3.1 score of 7.8 (HIGH), aligned with the assessment by Canonical prior to the scores being assigned.

Linux kernel package updates are available that fix these vulnerabilities. This blog had been published on the day the vulnerability was publicly disclosed, describing mitigations that disable the affected components. The mitigations are no longer necessary if the Linux kernel updates are applied.

Impact

Deployments without container workloads

On hosts that do not run container workloads, the vulnerability allows a local user to elevate privileges to the root user. The published exploit executes in this type of deployment.

Container deployments

In container deployments that may execute arbitrary third-party workloads, the vulnerability may additionally facilitate container escape scenarios, in addition to local privilege escalation on the host. A proof-of-concept exploit has not been published yet for container escape.

Mitigation regression risk

Update: Linux kernel package updates that fix these vulnerabilities are available and mitigations described here are no longer needed. We recommend that you install the Linux kernel update and only apply the mitigations if that is not possible.

The mitigations disable the kernel modules that are used for IPsec ESP and RxRPC, respectively. The mitigations will affect functionality if these are in use by either:

  • IPsec deployments. These are common with VPN implementations such as StrongSwan.
  • AFS (Andrew File System) or another application of RxRPC.

As the vulnerabilities are independent, disabling only the esp4/esp6 modules or only the rxrpc modules would leave the remaining ones exploitable.

Affected releases

The vulnerability fix is distributed through the Linux kernel image packages. A mitigation which disables the affected modules can be applied according to the instructions below, which have been published on the public disclosure date of the vulnerability. The mitigation is no longer necessary if the Linux kernel updates are applied.

ReleasePackage NameFixed Version
Trusty Tahr (14.04 LTS)linuxNot affected
Xenial Xerus (16.04 LTS)linuxNot affected
Bionic Beaver (18.04 LTS)linuxLinux 4.15: 4.15.0-251.263
Linux 5.4 (HWE): 5.4.0-231.251~18.04.1
Focal Fossa (20.04 LTS)linuxLinux 5.4: 5.4.0-231.251
Linux 5.15 (HWE): 5.15.0-181.191~20.04.1
Jammy Jellyfish (22.04 LTS)linuxLinux 5.15: 5.15.0-181.191
Linux 6.8 (HWE): 6.8.0-124.124~22.04.1
Noble Numbat (24.04 LTS)linuxLinux 6.8: 6.8.0-124.124
Linux 6.17 (HWE): 6.17.0-35.35~24.04.1
Questing Quokka (25.10)linux6.17.0-35.35
Resolute Raccoon (26.04 LTS)linux7.0.0-22.22

How to check if you are impacted

On your system, run the following command to get the version of the currently running kernel and compare the listed version to the corresponding table above.

uname -r

The list of installed kernel packages can be obtained using the following command:

dpkg -l 'linux-image*' | grep ^ii

Security updates

We recommend you upgrade all packages:

sudo apt update && sudo apt upgrade

If this is not possible and the Linux kernel is installed via a meta package, its update can be targeted directly:

sudo apt update
dpkg-query -W -f '${source:Package}\t${binary:Package}\n' | awk '$1 ~ "^linux-meta" { print $2 }' | xargs sudo apt install --only-upgrade

Once the security updates for the Linux kernel are installed, a reboot is required:

sudo reboot

The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:  

  • Applies new security updates every 24 hours automatically.
  • If you have this enabled, the patches above will be automatically applied within 24 hours of being available, but a reboot is still required.

Manual mitigation

Update: Linux kernel security updates that fix the vulnerability are now available. The mitigations described in this section are no longer needed and should only be applied if the Linux kernel cannot be updated. If you have previously configured the mitigations, please follow the instructions in the ‘Disabling the mitigation’ section below.

The mitigations block the affected kernel modules from loading. This requires three steps:

  1. Prevent the modules from loading in the future.
  2. Unload the modules.
  3. Check whether step 2 was successful; if not, reboot the system.

Step 1 – block the modules:

Block the modules by creating a /etc/modprobe.d/dirty-frag.conf file:

echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/dirty-frag.conf
echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf
echo "install rxrpc /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf

Regenerate the initramfs images, to prevent the modules from being loaded during early boot:

sudo update-initramfs -u -k all

Step 2 – unload modules:

Unload the modules, in case they are already loaded:

sudo rmmod esp4 esp6 rxrpc 2>/dev/null 

Step 3 – confirm the modules aren’t loaded:

Check whether the modules are still loaded:

grep -qE '^(esp4|esp6|rxrpc) ' /proc/modules && echo "Affected modules are loaded" || echo "Affected modules are NOT loaded"

If the previous action indicates that the modules are not loaded, no further action is required. However, unloading the modules may not be possible if they are in use by applications. In these instances, a system reboot will enforce their blocking, but will affect applications:

sudo reboot

Disabling the mitigation

Once kernel updates are installed, the mitigation can be removed:

sudo rm /etc/modprobe.d/dirty-frag.conf
sudo update-initramfs -u -k all