ANOTHER? WHAT THE FRAG?
Linux bitten by second severe vulnerability in as many weeks
Production-version patches are coming online and should be installed pronto.
Dan Goodin – May 11, 2026 6:28 pm
Credit: Getty Images
Linux users have been bitten by yet another vulnerability that gives containers and untrusted users the ability to gain root access, marking the second time in as many weeks that a severe threat has caught defenders off guard.

The threat, known as Dirty Frag, allows low-privilege users, including those using virtual machines, to gain root control of servers. Attacks are particularly suited to shared environments, where a single server is used by multiple parties. Attackers can also gain root as long as they have a separate exploit that gives them an initial foothold on a machine. Exploit code was leaked online three days ago and works reliably across virtually all Linux distributions. Microsoft has said it has spotted signs that hackers are experimenting with Dirty Frag in the wild.

Immediate and significant threat

The leaked exploit is deterministic, meaning it works precisely the same way each time it is run and across different Linux distributions. It causes no crashes, making it stealthy to run. A vulnerability known as Copy Fail, disclosed last week with no patches available to end users, has the same characteristics.

“The ‘Dirty Frag’ vulnerability presents an immediate and significant threat to Linux systems, as it allows unauthorized users to gain root access by exploiting unpatched kernel flaws,” researchers from security firm Aviatrix wrote Monday. “With proof-of-concept exploits publicly available and signs of limited in-the-wild exploitation, organizations must act swiftly to apply patches and implement mitigations to protect their systems from potential compromise.”

Dirty Frag was discovered and disclosed late last week by researcher Hyunwoo Kim. The exploit chains together code for exploiting two vulnerabilities, tracked as CVE-2026-43284 and CVE-2026-43500.
Shortly after the disclosure, someone else leaked key details, effectively making the vulnerability a zero-day. With that, Kim published the source code for the proof-of-concept exploit he had developed. While both vulnerabilities had been patched upstream in the Linux kernel, none of the distributions had yet shipped the fix.

At the time this post went live, several distributors had released patches. Known distributors included Debian, AlmaLinux, and Fedora. People who use other distributions should check with the official provider.

Both privilege escalation vulnerabilities stem from bugs that let untrusted users modify the kernel's page cache, the in-memory copy of file contents that every normal read of a file goes through. The bugs are in networking code that performs cryptographic operations in place on packet fragments, which an attacker can point at page-cache pages. Specifically, CVE-2026-43284 is in esp4 and esp6, the kernel's IPsec ESP implementation for IPv4 and IPv6, and CVE-2026-43500 is in rxrpc. Last week's Copy Fail exploited the same kind of flaw in the authencesn AEAD template, which implements IPsec extended sequence numbers. A 2022 vulnerability named Dirty Pipe also stemmed from a flaw that let attackers overwrite the page cache.

Researchers from security firm Automox wrote:

Dirty Frag belongs to the same bug family as Dirty Pipe and Copy Fail, but it targets the frag member of the kernel’s struct sk_buff rather than pipe_buffer. The exploit uses splice() to plant a reference to a read-only page-cache page (for example, /etc/passwd or /usr/bin/su) into the frag slot of a sender-side skb. Receiver-side kernel code then performs in-place cryptographic operations on that frag, modifying the page cache in RAM. Every subsequent read of the file sees the corrupted version, even though the attacker only ever had read access.

CVE-2026-43284 is found in esp_input(), on the IPsec ESP receive path. When an skb is non-linear but has no frag list, the code skips skb_cow_data() and performs the AEAD decryption in place on the planted frag.
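The detail that matters most for defenders in the description above is that the corruption lives only in the page cache: nothing is written back to disk, so a read that bypasses the cache still returns the original bytes. The following script is an added example, not code from the article, from Automox, or from Kim. It hashes a normal read of a file against a read made with O_DIRECT (GNU dd's iflag=direct) and reports whether the two views agree. The default list of files it scans is an assumption drawn from the examples quoted above; it is a cheap spot check rather than a guarantee, since O_DIRECT is not honoured on every filesystem and an attacker who has already obtained root can undo the tampering.

```shell
#!/bin/sh
# Added example (not from the article, Automox, or Kim). The bug family the
# article describes corrupts a file's pages in the page cache without marking
# them dirty, so nothing is written back to disk. A normal read() returns the
# tampered bytes; a read that bypasses the cache (O_DIRECT, exposed by GNU dd
# as iflag=direct) returns what is actually on disk. Hashing both views and
# comparing them is a cheap, non-destructive spot check.

# page_cache_hash FILE -> sha256 of FILE as seen through the page cache
page_cache_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# direct_hash FILE -> sha256 of FILE read with O_DIRECT. Block size is 4096
# because O_DIRECT requires aligned I/O; a short final block is fine. Returns 1
# (and prints nothing) when the filesystem rejects O_DIRECT, which tmpfs and
# some overlay setups do, so the caller knows the result is inconclusive.
direct_hash() {
    tmp=$(mktemp) || return 1
    if ! dd if="$1" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    sha256sum "$tmp" | cut -d' ' -f1
    rm -f "$tmp"
}

# check_page_cache FILE -> 0 if cached and on-disk views agree, 1 if they differ
# (page-cache tampering, or a legitimate write that raced the two reads),
# 2 if O_DIRECT is unavailable here and nothing can be concluded.
check_page_cache() {
    cached=$(page_cache_hash "$1") || return 2
    direct=$(direct_hash "$1") || return 2
    [ "$cached" = "$direct" ] && return 0
    return 1
}

# scan_targets [FILE...] -> checks each file (default: the files named in the
# quoted description plus two more setuid binaries; an assumption, not an
# exhaustive list). Returns 1 if any file differs.
scan_targets() {
    [ $# -gt 0 ] || set -- /etc/passwd /usr/bin/su /usr/bin/sudo /usr/bin/passwd
    worst=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        rc=0
        check_page_cache "$f" || rc=$?
        case $rc in
            0) echo "ok          $f" ;;
            1) echo "DIFFERS     $f"; worst=1 ;;
            2) echo "no O_DIRECT $f" ;;
        esac
    done
    return $worst
}

case "${1:-}" in
    --scan) shift; scan_targets "$@" ;;
esac
```

Run it as `sh pagecache-check.sh --scan` (optionally followed by your own file list). Do not drop caches first (`echo 3 > /proc/sys/vm/drop_caches`): because the tampered pages are never marked dirty, evicting them re-reads the clean file from disk, which removes the evidence along with the corruption. A "DIFFERS" result on a file that is not being written to is worth a closer look; "no O_DIRECT" means the filesystem gave no answer, not that the file is clean.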
From there, an attacker can control the file offset and the 4-byte value of each store.

CVE-2026-43500, meanwhile, resides in rxkad_verify_packet_1(), which decrypts a single cipher block of the RxRPC payload in place. Splice-pinned pages become both the source and the destination of that decryption, and because the decryption key can be freely obtained through the add_key() syscall with the rxrpc key type, the attacker can rewrite the page's contents in memory.

Neither technique is reliable on its own. Some Ubuntu configurations use AppArmor to prevent untrusted users from creating user namespaces, which neutralizes the ESP technique. Most other distributions don't load rxrpc.ko by default, which neutralizes the RxRPC arm. When chained together, however, the two techniques yield root on every major distribution Kim tested. Once the exploits run, attackers can use SSH access, web-shell execution
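The two conditions the passage above names as neutralizing each arm, unprivileged user-namespace creation being blocked and rxrpc.ko not being loaded, are both visible from userland. The script below is an added example rather than anything from the article or the vendors it quotes. It reports both conditions and prints the modprobe rule that stops rxrpc from being loaded on demand. The /proc, /sys and /etc/modprobe.d paths are the kernel's and modprobe's real interfaces; treating them as mitigations for Dirty Frag specifically follows the article's description, and none of this replaces installing the distribution's patched kernel.

```shell
#!/bin/sh
# Added example (not from the article, Automox, or Kim): report the state of the
# two conditions the article says neutralize each arm of Dirty Frag.
# Paths default to the real kernel/modprobe interfaces; the functions accept
# overrides so the logic can be exercised on constructed copies.

# rxrpc_loaded [MODULES_FILE] -> 0 if the rxrpc module is currently loaded.
# /proc/modules lists one module per line, name first.
rxrpc_loaded() {
    grep -q '^rxrpc ' "${1:-/proc/modules}"
}

# rxrpc_availability -> prints loaded | builtin | installed | absent.
# "installed" matters because a module that is on disk but not loaded can be
# pulled in on demand when a socket for its protocol family is created, so
# "not loaded" is only a partial state.
rxrpc_availability() {
    if rxrpc_loaded; then echo loaded; return; fi
    p=$(modinfo -n rxrpc 2>/dev/null) || { echo absent; return; }
    case "$p" in
        "(builtin)") echo builtin ;;
        *) echo installed ;;
    esac
}

# rxrpc_autoload_blocked [MODPROBE_DIR] -> 0 if a modprobe.d rule already
# disables rxrpc. "install rxrpc /bin/false" is the rule to add; "blacklist"
# alone is weaker because it only suppresses alias-based loading.
rxrpc_autoload_blocked() {
    grep -rqsE '^(blacklist|install)[[:space:]]+rxrpc([[:space:]]|$)' "${1:-/etc/modprobe.d}"
}

# userns_restricted [APPARMOR_KNOB] [MAX_USERNS] -> 0 if unprivileged users
# cannot create user namespaces, via either Ubuntu's AppArmor sysctl
# (kernel.apparmor_restrict_unprivileged_userns=1) or the generic
# user.max_user_namespaces=0. The second one also breaks rootless containers
# and browser sandboxes, so it is a blunt instrument.
userns_restricted() {
    aa="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    mx="${2:-/proc/sys/user/max_user_namespaces}"
    if [ -r "$aa" ] && [ "$(cat "$aa")" = "1" ]; then
        return 0
    fi
    if [ -r "$mx" ] && [ "$(cat "$mx")" = "0" ]; then
        return 0
    fi
    return 1
}

# mitigation_status -> prints one line per check and returns the number of
# arms still usable on this host (0 = both neutralized, 2 = neither).
mitigation_status() {
    usable=0
    avail=$(rxrpc_availability)
    if [ "$avail" = loaded ] || [ "$avail" = builtin ]; then
        echo "rxrpc: $avail (RxRPC arm usable)"
        usable=$((usable + 1))
    elif [ "$avail" = installed ] && ! rxrpc_autoload_blocked; then
        echo "rxrpc: installed and loadable on demand (RxRPC arm usable)"
        echo "    fix: echo 'install rxrpc /bin/false' > /etc/modprobe.d/rxrpc.conf"
        usable=$((usable + 1))
    else
        echo "rxrpc: $avail, not loadable by an unprivileged user"
    fi
    if userns_restricted; then
        echo "unprivileged user namespaces: restricted (ESP arm neutralized)"
    else
        echo "unprivileged user namespaces: allowed (ESP arm usable)"
        usable=$((usable + 1))
    fi
    return $usable
}

case "${1:-}" in
    --status) mitigation_status ;;
esac
```

Run it as `sh dirtyfrag-mitigations.sh --status`; the exit code is the number of arms still usable, which makes it easy to wire into a fleet check. Both knobs are mitigations, not fixes: the article's point is that a chained exploit defeats either one alone, so the only complete answer is the patched kernel from your distribution.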