惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threat Research - Cisco Blogs
博客园 - 聂微东
小众软件
小众软件
P
Proofpoint News Feed
Security Archives - TechRepublic
Security Archives - TechRepublic
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
TaoSecurity Blog
TaoSecurity Blog
博客园 - 司徒正美
罗磊的独立博客
N
News and Events Feed by Topic
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
S
Security @ Cisco Blogs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The GitHub Blog
The GitHub Blog
月光博客
月光博客
S
Secure Thoughts
P
Proofpoint News Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Forbes - Security
Forbes - Security
H
Heimdal Security Blog
W
WeLiveSecurity
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
L
LangChain Blog
T
The Blog of Author Tim Ferriss
NISL@THU
NISL@THU
Google DeepMind News
Google DeepMind News
Cloudbric
Cloudbric
H
Hacker News: Front Page
The Last Watchdog
The Last Watchdog
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cisco Blogs
博客园 - 三生石上(FineUI控件)
博客园_首页
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Schneier on Security
Project Zero
Project Zero
SecWiki News
SecWiki News
爱范儿
爱范儿
The Register - Security
The Register - Security
AI
AI
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Y
Y Combinator Blog
L
Lohrmann on Cybersecurity
Application and Cybersecurity Blog
Application and Cybersecurity Blog
P
Privacy International News Feed
J
Java Code Geeks
S
Securelist
C
Cyber Attacks, Cyber Crime and Cyber Security
V
Visual Studio Blog

Latest news

LG G6 vs. LG G5: I compared the latest OLED TV models, and it's a surprisingly tough choice I saw the 'MacBook Pro for Linux users' for the first time, and it's a legit Windows threat I tested Surfshark's new Dausos VPN protocol - here's how it compares to WireGuard How to easily encrypt your files on an Android phone - for free I'm not giving up on DJI cameras yet - not when they can upset my GoPro like this The best website builders for small businesses in 2026: Expert tested and reviewed Why I'm recommending last year's phones over 2026 models - with one exception This powerful Gemini setting made my AI results way more personal and accurate After testing this HP laptop, I get why its 'boring' design is adored by business users The best TV antenna of 2026: Expert tested Your old iPad or Android tablet can be your new smart home panel - here's how Apple's original AirTag still tracks effectively, and you can get a 4-pack for its best price ever T-Mobile will give you an iPad for $99 when you sign up for a new line - here's how How to qualify for Apple's education discount - and get a $499 MacBook Neo for school T-Mobile will give you a Samsung Galaxy Watch 8 for free - how to get yours Prolonged AI use can be hazardous to your health and work: 4 ways to stay safe Verizon will give you a free iPad or Apple Watch with your next iPhone - how the deal works The best laptops of 2026: Expert tested and reviewed I hid 4 Bluetooth trackers (including AirTags) to test their reliability - here's how Android rivals compared I stopped using my iPhone's hotspot after testing this 5G router - and that won't change The best Kindles in 2026: Expert recommended Does Best Buy price match? Everything to know about matching prices online and in-store The best WordPress hosting services of 2026: Expert tested and reviewed The best Apple Watch of 2026: Expert tested and reviewed The best TV screen cleaners of 2026: Expert recommended The best 50-inch TVs of 2026: Expert tested I traded my Sonos Era 300 for Denon's new home speaker - and see no reason to go back AI-powered website builders have come a long way - here's your best option in 2026 Amazon just slashed $250 off the Google Pixel 10 - and a Prime subscription isn't required I found the apps slowing down my PC - how to kill the biggest memory hogs These companies are actually upskilling their workers for AI - here's how they do it Verizon will give you Meta Ray-Bans for free with this Fios Internet deal - how to get yours I tried the new Gemini app for Mac - it has one major advantage over the web version How Google's updated AI Mode will ease your tab clutter when you search Why this MagSafe battery pack is our readers' favorite model right now - especially at its price T-Mobile will give you a Google Pixel 10a for free - plus an extra gift OpenAI's Codex Desktop can run your computer now - and has its own browser Want to build a startup that gets acquired? This founder shares 5 proven tips Google to pay $135M settlement to Android phone users - how to claim your share if you qualify Want to stand out on LinkedIn? Try this career strategist's top 3 tips for strengthening your profile I've used Dell's new XPS 16 for a week, and it's the Windows laptop to beat in 2026 You can get 50% off YouTube Premium for 1 year right now - but the deal ends soon Tidal vs. Qobuz: I tried both hi-res streaming services, and they couldn't be more different This stroller turns into a carry on-suitcase, and I recommend it for traveling parents The best small business VoIP providers of 2026: Expert tested and reviewed Protect your devices with our pick for the best antivirus software, now over 60% off MacBook Neo vs. Surface: Why spiraling RAM prices are bruising Microsoft's PC business but not Apple's I tried Google's new desktop app for Windows, and I'll never search the old way again Microsoft's Windows 11 laptop deal for students comes with a $500 bonus - what's included You can buy an LG B5 OLED for $1,500 off at Best Buy - and it comes with a free 4K TV Why Zorin OS 18.1 is simply the best Linux distro - for anyone Why Netgear just got the first FCC router ban exemption in the US Microsoft's latest Windows update now confirms if your PC is Secure Boot-protected - how it works Can this $70 Linux app make up for the lack of Photoshop? I tried it to find out 'Like handing out the blueprint to a bank vault': Why AI led one company to abandon open source iPhone charging slowly? 6 quick fixes to try before blaming your battery Roku TV vs. Fire Stick: Why I'm looking beyond streaming resolution when comparing the two AI is getting better at your job, but you have time to adjust, according to MIT The best internal communication tools of 2026: Expert tested and reviewed Half of all US employees use AI at work now - and waste almost 8 hours a week doing it I've been subscribed to a data removal service a month now - what I wish I knew sooner You can use Linux 7.0 on these 7 distros today - here's what to expect How I share audio from my Android phone to multiple earbuds (and why it's a big deal) Why the Apple Watch's 20-minute calibration test is worth your time - especially if you're data curious I used the 'Plus Five' rule to fix my iPhone's slow wireless charging - here's how it works I tested Artix Linux: An enjoyable systemd-free distro for experienced users (and ChromeOS speeds) I spent two years testing wind power at home - here's why solar is still my preferred source I camera-tested the Samsung Galaxy S26 Ultra with Oppo and Xiaomi - this model won it for me How I boosted my portable solar panels' power by up to 30% - 11 expert-approved tips I see why Ubuntu 26.04 is more than just a performance bump for thrill-seeking gamers France is ditching Windows for digital sovereignty - and its new Linux stack is taking shape As an Android user, this MagSafe wallet is the clearest reason why Qi2 magnets shouldn't be ignored The best Zoom alternatives in 2026: Expert tested and reviewed KDE Linux is the purest form of Plasma I've used in months - but there's a catch LG C6 vs. LG C5: Why the 2025 model is still the smarter OLED TV model buy for me How I disabled 'fast startup' on my Windows 11 laptop to stop overnight battery drain 30 years later, I returned to Enlightenment Linux to test the Elive beta - and it's much better Here's my favorite email trick for cleaning up inbox clutter - automatically The $30 Google TV stick may be the budget Chromecast successor we've been waiting for The best AR and MR glasses in 2026: Expert tested and reviewed This handy electric screwdriver is now 50% off - here's where to snag the deal This Ryobi yard essentials bundle packs a free power tool - how to get yours After trying these boomless headphones in the office, I'm feeling hopeful for the future of work tech I used this EcoFlow battery to run my 3,000-sq-ft home in a blackout - here's how it kept my AC on Microsoft's Windows Insider Program is no longer a confusing mess Forget Shokz: I tried the Suunto Spark earbuds for a month, and they've sold me on air conduction iOS 26.4 brings essential upgrades to your iPhone - including a vital security fix YouTube Premium is getting a price increase in June - but you can save $32 with one change Your router may be vulnerable to Russian hackers, FBI warns: 5 steps to take now I walked 3,000 steps with my Apple Watch, Google Pixel, and Oura Ring - this tracker was most accurate I stopped guessing which AA batteries are dead - this charging station keeps them in check for me My favorite Android Auto find is these hidden shortcuts that are highly customizable AirDrop is coming to older Samsung phones - is yours supported? How to get it early I'm no longer using Google Photos as just a cloud storage - 5 tools that elevate the app The best data removal services of 2026: Expert tested and reviewed The best Samsung TVs of 2026: Expert tested and reviewed The best mobile scanning apps of 2026: Expert tested and reviewed The best HP laptops of 2026: Expert tested and reviewed After using Lenovo's new Yoga laptop, I'm wondering if Windows makers are running out of ideas Samsung S95H vs. Samsung S95F: I compared the OLED TVs and wasn't prepared for the upset
Dirty Frag is a new Linux bug putting your system at risk - and there's no easy fix yet
2026-05-11 · via Latest news
redlock-gettyimages-1333105479
hh5800/iStock / Getty Images Plus via Getty Images

Follow ZDNET: Add us as a preferred source on Google.


ZDNET's key takeaways

  • With one compromised account, Dirty Frag can expose your system.
  • No patch can protect you from all possible attacks yet.
  • To stay safe, you'll need to block several services, including VPNs.

Linux has been having a rough few weeks. First, the Copy Fail security hole was uncovered by AI researchers. In that case, the patches were quickly made and distributed. We weren't so lucky with the newly disclosed Linux kernel flaw, dubbed Dirty Frag, which was also, it seems, discovered with AI's help, but patches are still in the works.

Also: Linux is getting a security wake-up call - why it was inevitable and I'm not worried

Security researcher Hyunwoo Kim, who disclosed the issue on May 7, describes Dirty Frag as an extension of the same bug class as previous high-profile Linux kernel flaws, 2022's Dirty Pipe and Copy Fail. Like those flaws, Dirty Frag exploits kernel code paths that write to memory pages accessible to unprivileged user space, but it targets a different structure: the fragment field of sk_buff networking buffers.

Also: Immutable Linux delivers serious security - here are your 5 best options

Kim told the Linux kernel maintainers about the vulnerability at the end of April. Unfortunately, the coordinated disclosure and patch processes quickly went off the rails. On May 7, while distributions were still shipping fixes for the related Copy Fail flaw, detailed Dirty Frag technical information and a working proof-of-concept exploit for the xfrm-ESP component appeared online after an embargo break by an unrelated third party. Now, we're all in trouble.

What is Dirty Frag?

Dirty Frag is a local privilege escalation vulnerability chain that exploits logic bugs in Linux's networking and authentication stacks to corrupt data in the kernel's page cache, enabling an unprivileged account to escalate to root. 

It works by targeting two separate networking subsystems: the IPsec Encapsulating Security Payload, or xfrm-ESP, path, tracked as CVE-2026-43284, and the RxRPC authentication path, tracked as CVE-2026-43500.

By chaining these flaws, attackers can modify what should be read-only, page-cache-backed system files in memory and then trigger them to run with elevated privileges, without ever touching your file system.

Also: This critical Linux vulnerability is putting millions of systems at risk - how to protect yours

Once in, Dirty Frag exploits "page-cache write primitives" in kernel fast paths used for encrypted networking and remote file system authentication. By carefully choosing the target, an attacker can overwrite pieces of ostensibly read-only files in memory, such as executables or configuration files, and then execute or reload the modified files as root. 

From there, the sky's the limit, and attackers can do pretty much whatever they want.

The good news -- yes, there is some -- is that attackers typically need an existing foothold, such as an unprivileged shell via SSH, a web shell, or a compromised container, to use Dirty Frag to escalate.

On the other hand, because the underlying bug is a logic error rather than a timing-sensitive race, the exploit is unusually reliable and does not cause kernel panics when it fails. In other words, someone can attack your Linux system over and over again until they break in, and you'll never know about it.

Defenders scrambled to assess exposure

It did not take long for attackers to take notice. Public exploit code was quickly mirrored across security blogs, GitHub repositories, and discussion forums, leaving defenders scrambling to assess exposure.

Also: Worried about the nationwide Canvas data breach? Take these 6 steps now

According to Microsoft's threat intelligence team, Dirty Frag has already been observed in action. Hackers are using it to upgrade limited footholds on Linux systems to full root control across servers, cloud workloads, and containers.

So, who's at risk? 

I'm sorry to say it's pretty much everyone who uses any Linux distribution. Dirty Frag affects a wide range of Linux environments, from bare-metal servers and enterprise distributions to container hosts and cloud instances. This includes current and earlier releases of Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, Fedora, and openSUSE Tumbleweed, among others.

Canonical, Ubuntu's parent company, warns: "In container deployments that may execute arbitrary third-party workloads, the vulnerability may additionally facilitate container escape scenarios, in addition to local privilege escalation on the host." That's the ultimate cloud-native computing nightmare.

Fortunately, "A proof-of-concept exploit has not been published yet for container escape." 

So far. To the best of our knowledge. We hope.

Also: Best VPN services: Expert tested and recommended

While many of you were celebrating Mother's Day, the Linux kernel community spent the weekend addressing the problem. CVE-2026-43284, the xfrm-ESP component, received an upstream fix in the mainline kernel on May 8, less than 24 hours after public disclosure, though that fix now needs to be backported across the many supported stable trees.

The RxRPC flaw, tracked as CVE-2026-43500, remains under evaluation. As of this writing, no upstream patch had been finalized. Linux vendors are issuing their own advisories and updates as they integrate the upstream changes.

What you should do immediately

Linux distributors, cloud providers, and hosting providers are urging customers to update to the latest kernel packages as they become available. They're also urging administrators to blacklist esp4, esp6, and rxrpc modules as a stopgap. Keep in mind, however, that if you do so, you're likely to disrupt IPsec VPNs or AFS-based workloads. On the other hand, you'll be safer that way.

Also: Why Edge stores your passwords in plaintext, according to Microsoft

Debian and Ubuntu-related Linux distros

Canonical suggests the following steps. These will work on Ubuntu and related Linux distributions, like Mint.

Step 1. Block the modules

  • Block the modules by creating a /etc/modprobe.d/dirty-frag.conf file:
  • echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/dirty-frag.conf
  • echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf
  • echo "install rxrpc /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf
  • Regenerate the initramfs images to prevent the modules from being loaded during early boot:
  • sudo update-initramfs -u -k all

Step 2. Unload modules

  • Unload the modules, in case they are already loaded:
  • sudo rmmod esp4 esp6 rxrpc 2>/dev/null


Step 3. Confirm the modules aren't loaded

  • Check whether the modules are still loaded:
  • grep -qE '^(esp4|esp6|rxrpc) ' /proc/modules && echo "Affected modules are loaded" || echo "Affected modules are NOT loaded"
  • If the previous action indicates that the modules are not loaded, no further action is required. However, unloading the modules may not be possible if applications are already using them. In these instances, a system reboot will enforce their blocking, but it will affect applications:
  • sudo reboot
  • Once kernel updates are available and installed, the mitigation can be removed:
  • sudo rm /etc/modprobe.d/dirty-frag.conf
  • sudo update-initramfs -u -k all

Also: The best mobile antivirus software: Expert tested and reviewed

Red Hat and related Linux distros

Red Hat suggests you run:

  • printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf rmmod esp4 esp6 rxrpc 2>/dev/null; true

This approach, which will require disabling IPsec and AFS-based programs, will also work on CentOS, Rocky Linux, AlmaLinux, and other RHEL-related Linux distros.

Also: I've used Windows for decades, but I tried Linux to see if it's truly 'easy' now - and one thing surprised me

SUSE Linux fixes

SUSE has a similar solution with the same warning about IPsec and AFS.

Create:

/etc/modprobe.d/10-copyfail2-fix.conf to remediate with the following lines:

  • blacklist esp4
  • blacklist esp6
  • blacklist rxrpc
  • install esp4 /bin/false
  • install esp6 /bin/false
  • install rxrpc /bin/false

The details vary from distro to distro, but the temporary fix is always the same: Use a modprobe configuration file to disable the potentially affected programs until the kernel patches are available and installed. 

Once that's done, you can delete the emergency fixes and get back to business as usual.

Also: Google bets $32B on AI agent cyber force as security arms race escalates

Until full kernel fixes are broadly deployed and systems are rebooted, you should mitigate your system as soon as possible. After all, if you have even a single compromised user account, an attacker can use Dirty Frag to take complete control of your infrastructure.

Now, if you'll excuse me, I have a bunch of servers and workstations to fix.