Overview
- Kernel maintainers, who assigned CVE-2026-43284 to the xfrm-ESP bug on Friday, merged a mainline fix for it; the linked RxRPC issue (CVE-2026-43500) remains unpatched.
- Dirty Frag chains two page‑cache write bugs in the IPsec ESP and RxRPC code paths to let an unprivileged user rewrite cached copies of protected files and gain root.
- The exploit relies on a deterministic logic bug rather than a race condition, works across major distros such as Ubuntu, RHEL, Fedora, AlmaLinux, CentOS Stream, and openSUSE, and ships with a public proof‑of‑concept.
- Distributors urge temporarily blocking the esp4, esp6, and rxrpc modules to cut off the vulnerable paths while they build and test kernel updates and live patches, and warn that the block can disrupt IPsec VPNs and AFS.
- The attack alters only in‑memory page cache, so on‑disk file hashes may look clean until caches are dropped or the host reboots, which raises risk on multi‑tenant and container hosts where any foothold can quickly become full control.
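
One way to audit the temporary module block described above, as an added example that is not from the original page or from any distributor. It assumes the block is written as `install <module> /bin/false` (or `/bin/true`) lines in a modprobe.d directory, which the page does not specify; the function names, sample files and the `dirtyfrag.conf` file name are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc module block. File locations are
# parameters so the check also runs against constructed sample files.
MODULES="esp4 esp6 rxrpc"

# is_loaded MODULE PROC_MODULES_FILE: succeeds if the module is loaded now.
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# is_blocked MODULE CONF_DIR: succeeds if a modprobe.d file maps the module's
# install command to /bin/false or /bin/true (assumed block mechanism).
# A "blacklist" line alone does not count: it does not stop an explicit modprobe.
is_blocked() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '$1 == "install" && $2 == m &&
            ($3 == "/bin/false" || $3 == "/bin/true") { found = 1 }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# audit PROC_MODULES_FILE CONF_DIR: prints one line per module and fails
# if any module is still loaded or can still be loaded.
audit() {
    rc=0
    for m in $MODULES; do
        loaded=no; blocked=no
        if is_loaded "$m" "$1"; then loaded=yes; fi
        if is_blocked "$m" "$2"; then blocked=yes; fi
        echo "$m loaded=$loaded blocked=$blocked"
        if [ "$loaded" = yes ] || [ "$blocked" = no ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample: esp4 blocked but still loaded, esp6 only blacklisted,
# rxrpc blocked and not loaded.
demo() {
    d=$(mktemp -d) && mkdir "$d/modprobe.d" || return 2
    printf 'esp4 28672 0 - Live 0x0\nxfrm_user 57344 1 - Live 0x0\n' > "$d/modules"
    printf 'install esp4 /bin/false\nblacklist esp6\ninstall rxrpc /bin/false\n' \
        > "$d/modprobe.d/dirtyfrag.conf"
    audit "$d/modules" "$d/modprobe.d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true
```

On a host, `audit /proc/modules /etc/modprobe.d` runs the same check against live state; a module that is blocked but already loaded stays in the kernel until it is unloaded or the host reboots.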