DirtyFrag - Successor to CopyFail via Networking Subsystems
Severity: High (Score: 8.8)

CVE-2026-43284

May 5, 2026
CVSS: 8.8
Complexity: Low
User Interaction: None
Privileges: Root
Scope: Changed

Vulnerability Analysis

DirtyFrag is a sophisticated successor to the CopyFail vulnerability class. Disclosed in early May 2026, it utilizes a chain of vulnerabilities in the Linux kernel's networking subsystems to achieve in-place writes to page-cache-backed memory.

Note on Naming: DirtyFrag refers to the combination of CVE-2026-43284 (IPsec) and CVE-2026-43500 (RxRPC), which both allow similar exploitation patterns.

Technical Breakdown

DirtyFrag targets components responsible for handling fragmented memory blocks and network packets. Specifically, it exploits vulnerabilities in:

  • CVE-2026-43284: The ESP/XFRM (IPsec) subsystem.
  • CVE-2026-43500: The RxRPC (Remote Procedure Call) subsystem.

Exploitation Strategy

Similar to CopyFail and Dirty Pipe, the goal is to corrupt the page cache. By manipulating how the kernel reassembles fragmented network packets or handles cryptographic transforms in the networking stack, an attacker can trick the kernel into writing attacker-controlled data into memory pages that are mapped to read-only files on disk.

Comparison: CopyFail vs. DirtyFrag

| Feature | CopyFail | DirtyFrag |
|---|---|---|
| Subsystem | Crypto (AF_ALG) | Networking (IPsec/RxRPC) |
| Determinism | High | High (Condition dependent) |
| Prerequisites | AF_ALG access | Namespaces or specific modules |
| Bug Class | Logic / SGL Handling | Memory / Fragmentation |

Mitigation & Remediation

1. Temporary Mitigation

Successful exploitation often requires the ability to create user or network namespaces to interact with the vulnerable subsystems. Disabling unprivileged user namespaces can serve as a temporary mitigation in environments where they are not required.

# Temporary mitigation: disable unprivileged user namespaces
# (distribution-patched sysctl, e.g. Debian/Ubuntu kernels; not in upstream Linux)
sudo sysctl -w kernel.unprivileged_userns_clone=0

# Ensure the change persists across reboots
echo "kernel.unprivileged_userns_clone=0" | sudo tee -a /etc/sysctl.conf

2. Module Blacklisting

If your system does not require IPsec or RxRPC, you can prevent the modules from being loaded.

# "blacklist" only stops alias-based autoloading; an explicit modprobe still loads the module
echo "blacklist xfrm_user" | sudo tee /etc/modprobe.d/dirtyfrag-mitigation.conf
echo "blacklist rxrpc" | sudo tee -a /etc/modprobe.d/dirtyfrag-mitigation.conf

3. Verification Script

Security administrators can check whether unprivileged user namespaces are enabled with:

# Prints 1 if unprivileged user namespaces are enabled, 0 if disabled
cat /proc/sys/kernel/unprivileged_userns_clone
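
The checks from mitigation steps 1 to 3 combined into one audit script. This is an added example, not part of the original advisory. The function names are hypothetical, and `user.max_user_namespaces` (the upstream-kernel sysctl) and the `install <module> /bin/false` form are additions that the page does not name.

```shell
#!/bin/sh
# Added example: audit the DirtyFrag mitigations on this host.
# Function names are hypothetical; paths are parameters so fixtures can be used.

# userns_state [sysctl_root] -> prints disabled | enabled | unknown
userns_state() {
    root=${1:-/proc/sys}
    deb="$root/kernel/unprivileged_userns_clone"  # sysctl used on the page
    max="$root/user/max_user_namespaces"          # upstream knob (added here)
    if [ -r "$deb" ] && [ "$(cat "$deb")" = 0 ]; then echo disabled; return; fi
    if [ -r "$max" ] && [ "$(cat "$max")" = 0 ]; then echo disabled; return; fi
    if [ -r "$deb" ] || [ -r "$max" ]; then echo enabled; else echo unknown; fi
}

# module_policy <module> [conf_dir] -> prints install-blocked | blacklisted | none
# "blacklist" only stops alias autoloading; "install <mod> /bin/false" (added
# here, not on the page) also makes an explicit modprobe fail.
module_policy() {
    mod=$1
    dir=${2:-/etc/modprobe.d}
    sp='[[:space:]]'
    if grep -Eqs "^${sp}*install${sp}+${mod}${sp}+/bin/(false|true)" "$dir"/*.conf; then
        echo install-blocked
    elif grep -Eqs "^${sp}*blacklist${sp}+${mod}(${sp}|\$)" "$dir"/*.conf; then
        echo blacklisted
    else
        echo none
    fi
}

# module_loaded <module> [modules_file] -> exit 0 if the module is in memory now
# (a blacklist entry does not unload a module that was loaded before it was added)
module_loaded() {
    grep -qs "^$1 " "${2:-/proc/modules}"
}

dirtyfrag_report() {
    echo "unprivileged user namespaces: $(userns_state)"
    for m in xfrm_user rxrpc; do   # module names from the advisory
        if module_loaded "$m"; then live="loaded"; else live="not loaded"; fi
        echo "$m: policy=$(module_policy "$m"), currently $live"
    done
}

dirtyfrag_report
```

Code compiled into the kernel rather than built as a module does not appear in /proc/modules, so "not loaded" does not show that the subsystem is absent.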

Indicators of Compromise (IoC)

  • Auditd Logs: Monitor for syscalls related to namespace creation (CLONE_NEWUSER, CLONE_NEWNET) followed by unusual socket activity.
  • Network Telemetry: High volumes of malformed or fragmented ESP packets from local or internal sources.

References & Sources


  • Fragnesia (CVE-2026-46300): A related variant leveraging the esp/xfrm module with a specific focus on IPv6 fragmentation.
