Updated May 10: This article regarding the critical Dirty Frag Linux kernel zero-day vulnerability that gives attackers root access with no patch available has been updated to include comments from security experts at Black Duck, Bugcrowd and Sectigo.

If you thought that Linux was somehow the safe and secure choice of operating system, you might want to think again. Hot on the heels of the Copy Fail access vulnerability that had remained hidden for 9 years comes news that a new zero-day, with no patch available and granting hackers root, has been confirmed. On Friday, May 8, 2026, the Dirty Frag vulnerability was publicly disclosed after a strict embargo regarding the vulnerability was broken. As such, and with a proof of concept exploit known, it’s now only a matter of time before threat actors use this in the wild to attack systems. Here’s what we know about CVE-2026-43284 and the workaround you can employ to mitigate attacks.

What We Know About CVE-2026-43284, The Linux Dirty Frag Zero-Day

Why is it always a Friday? Just as security teams and end users alike look forward to the weekend, a security issue rears its ugly head, putting a stop to all that. With the major Linux distributions still rolling out patches for the Copy Fail vulnerability, which the U.S. Cybersecurity and Infrastructure Security Agency has confirmed is now being exploited by attackers, comes news that an even worse issue is out there. Dirty Frag, officially now tracked by the Common Vulnerabilities and Exposures database as CVE-2026-43284, has been confirmed and publicly disclosed, all before a patch is ready to roll.

The reason for the May 8 public disclosure, according to the security researcher responsible, Hyunwoo Kim, was someone breaking the embargo that was in place. “Because the embargo has now been broken, no patches or CVEs exist for these vulnerabilities,” Kim said. After consulting with the Linux Distros Openwall maintainers, and at their request, Kim confirmed, “I am publicly releasing this Dirty Frag document.”

Amazingly, just like Copy Fail before it in terms of age, the Dirty Frag privilege escalation flaw has been present in the Linux kernel, specifically its algif_aead cryptographic algorithm interface, for around nine years.

Also, like Copy Fail, Kim said, “Dirty Frag likewise allows immediate root privilege escalation on all major distributions, and it chains two separate vulnerabilities.”

Here’s what leading security experts have to say about the Dirty Frag Linux kernel vulnerability.

“This vulnerability is like both Copy Fail and Dirty Pipe in that they attack page caches in the system, where in-place crypto operations take place,” Ben Ronallo, principal cybersecurity engineer at Black Duck, told me, “but Dirty Frag is not limited to a single Linux subsystem.” With the full exploit code now published, Ronallo said, echoing my earlier warning, “it’s only a matter of hours or days before this is weaponized.”

David Brumley, chief AI and science officer at Bugcrowd, meanwhile, said that while Dirty Frag is in the same vulnerability class as Copy Fail, “virtually every Linux distribution is vulnerable, and the fix for Copy Fail alone is insufficient.” That Copy Fail was uncovered using advanced AI analysis, yet Dirty Frag was missed, is cause for some concern. “It is a reminder that vulnerability classes are rarely exhausted by a single pass,” Brumley said, “even a very good one. Independent researchers still matter because they bring different intuitions, different workflows, and different failure modes.”

Jason Soroko, senior fellow at Sectigo, warned that the threat significance of Dirty Frag “is amplified by its highly deterministic nature,” explaining that “because the exploit does not rely on a timing window or race conditions, attackers can achieve immediate root access with an exceptionally high success rate without risking a kernel panic.”

How To Mitigate The Linux Dirty Frag Attack Risk Before A Patch Arrives

To mitigate Linux attacks now that the zero-day has been publicly disclosed, and before a patch is ready to roll out, users are advised by Kim to remove the modules in which the vulnerabilities occur as follows:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
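
The command above discards any rmmod error (2>/dev/null; true), so a module that is in use stays loaded without a message. The script below is an added example, not code from Kim or from this article, that checks both halves of the workaround; it assumes the rules sit in a single directory of .conf files and that the module list uses the /proc/modules format, and its sample files are constructed.

```shell
#!/bin/sh
# Added example: audit whether the workaround from the article is in effect.
# Assumption: rules are read from *.conf files in one directory and the
# loaded-module list has the /proc/modules format (module name in column 1).

MODULES="esp4 esp6 rxrpc"   # the three modules named in the workaround

# is_blocked MODULE CONF_DIR: succeeds if some *.conf file in CONF_DIR holds
# an uncommented "install MODULE /bin/false" rule.
is_blocked() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { ok = 1 }
                       END { exit !ok }' "$f" && return 0
    done
    return 1
}

# is_loaded MODULE MODULES_FILE: succeeds if MODULE is listed as loaded.
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2"
}

# audit CONF_DIR MODULES_FILE: prints one status line per module and returns
# the number of modules that are loadable or still loaded.
audit() {
    bad=0
    for m in $MODULES; do
        blocked=no; loaded=no
        if is_blocked "$m" "$1"; then blocked=yes; fi
        if is_loaded "$m" "$2"; then loaded=yes; fi
        echo "$m blocked=$blocked loaded=$loaded"
        if [ "$blocked" = no ] || [ "$loaded" = yes ]; then bad=$((bad + 1)); fi
    done
    return "$bad"
}

# Constructed sample data: a rule file with the esp6 rule commented out, and a
# module list in which rxrpc is still loaded (rmmod fails on a module in use).
demo=$(mktemp -d)
printf 'install esp4 /bin/false\n# install esp6 /bin/false\ninstall rxrpc /bin/false\n' > "$demo/dirtyfrag.conf"
printf 'rxrpc 450560 0 - Live 0x0000000000000000\next4 1126400 1 - Live 0x0000000000000000\n' > "$demo/modules"
audit "$demo" "$demo/modules" || echo "workaround incomplete: $? module(s) need attention"
```

On a real host the equivalent call is audit /etc/modprobe.d /proc/modules; a zero exit status means all three modules are both blocked and unloaded.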

Dirty Frag has been tested as being applicable to the following Linux distribution versions:

  • Ubuntu 24.04.4: 6.17.0-23-generic
  • RHEL 10.1: 6.12.0-124.49.1.el10_1.x86_64
  • openSUSE Tumbleweed: 7.0.2-1-default
  • CentOS Stream 10: 6.12.0-224.el10.x86_64
  • AlmaLinux 10: 6.12.0-124.52.3.el10_1.x86_64
  • Fedora 44: 6.19.14-300.fc44.x86_64

You can read more technical details and keep up to date with developments related to the latest Linux kernel zero-day at the official Dirty Frag information site.
