A week after Copy Fail (CVE-2026-31431) lit up the page-cache write attack surface in the Linux kernel, researcher Hyunwoo Kim (“V4bel”) has dropped a second pair of bugs that, chained together, give immediate root on most distributions. Kim and the wider community are calling the chain Dirty Frag, and the disclosure went out wide on May 8 after an unrelated third party broke the coordinated embargo a day early. One half of the chain is patched in mainline. The other half is not.

If you patched Copy Fail and called it done, you are not done.

The two bugs

Dirty Frag is two distinct page-cache write primitives in two unrelated networking subsystems:

  • CVE-2026-43284 — xfrm-ESP page-cache write, also branded “Copy Fail 2.0 — Electric Boogaloo.” Lives in the kernel modules backing IPsec ESP transport. Mainline patch landed as commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 and is flowing into distro kernels now.
  • CVE-2026-43500 — RxRPC page-cache write, in the modules that implement RxRPC, the transport AFS and a handful of niche distributed-storage stacks rely on. CVE is reserved, the patch is on netdev as an RFC, and no Linux distribution has shipped a fixed kernel image for this one yet.

Each bug on its own is awkward. Per Kim’s own writeup, neither primitive alone gives a reliable enough corruption to drive root. Chained, they cover one another’s blind spots — the xfrm-ESP write lands what RxRPC cannot, the RxRPC write lands what xfrm-ESP cannot, and the resulting exploit pops root on stock kernels with no fancy infoleak prerequisite. SANS ISC handler Yee Ching Tok confirmed the chain reproduces “immediate root on most distributions” against unmitigated targets.

How disclosure went sideways

Kim privately reported both flaws to kernel maintainers on April 29-30 and posted patches to the netdev list. On May 7 he handed full exploit details to the linux-distros private list to coordinate distro-side staging. Same day, an unrelated third party published the technical write-up and a working PoC for one of the two flaws in public, on GitHub, before any distro had a fixed kernel ready. With the cat already out of the bag, distro maintainers cleared Kim to disclose the rest of the chain.

Net effect: PoC is in the wild, CVE-2026-43284 has mainline and most-distro coverage, and CVE-2026-43500 is sitting exposed with no shipped fix.

Affected and unfixed

Distros that have published Dirty Frag advisories so far: Red Hat Enterprise Linux (RHSB-2026-003), AlmaLinux, Ubuntu, CloudLinux, Amazon Linux. Debian, Fedora, Arch, and CentOS are tracking but have not all shipped patched kernel packages for the RxRPC half as of this writing. If your fleet runs RHEL/Alma/Rocky/Ubuntu/Amazon Linux, check the advisory pages above directly — patched kernel packages for CVE-2026-43284 are landing on a rolling basis, but you will not get a reboot-and-done resolution until CVE-2026-43500 ships too.

What to do right now

Until both kernel packages are installed and the box is rebooted, treat these modules as load-bearing for the exploit chain and either blacklist or unload them:

  • xfrm_user, xfrm_algo, esp4, esp6 (xfrm-ESP side)
  • rxrpc, kafs (RxRPC / AFS side)

modprobe -r will get you most of the way; a blacklist in /etc/modprobe.d/dirty-frag-blacklist.conf persists the mitigation across reboots. The catch: if you actually use IPsec transport mode or AFS, blacklisting these modules breaks the workload. For most server fleets (web tier, app tier, K8s nodes that don’t terminate IPsec), neither set of modules is required for normal operation, and unloading them is the cheap mitigation. For VPN concentrators, mobile/edge IPsec endpoints, or anything that mounts AFS, you cannot unload and you have to wait for the kernel package, which is precisely the bad position.

Reverse the mitigations after both fixed kernel packages are installed and the system has rebooted onto the patched kernel — leaving xfrm blacklisted on a host that needs IPsec is its own outage waiting to happen.
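A helper for the mitigation described above, added here as an example and not taken from any advisory or from Kim's writeup: it reports which of the listed modules are loaded and generates the modprobe.d file. The function names and the sample /proc/modules lines are constructed, and the install override goes one step beyond the plain blacklist the text mentions.

```shell
#!/bin/sh
# Added example. Module names are the article's; function names are illustrative.
DIRTY_FRAG_MODULES="xfrm_user xfrm_algo esp4 esp6 rxrpc kafs"

# Constructed sample in /proc/modules format: name size refcount deps state addr.
sample_proc_modules() {
    cat <<'EOF'
nf_tables 372736 0 - Live 0x0000000000000000
esp4 32768 0 - Live 0x0000000000000000
xfrm_user 61440 2 - Live 0x0000000000000000
xfrm_algo 16384 2 esp4,xfrm_user, Live 0x0000000000000000
EOF
}

# Print "name refcount" for each listed module found in a /proc/modules-format
# file. A nonzero refcount means modprobe -r will refuse until users are gone.
loaded_modules() {
    modules_file="${1:-/proc/modules}"
    for m in $DIRTY_FRAG_MODULES; do
        awk -v m="$m" '$1 == m { print $1, $3 }' "$modules_file"
    done
}

# Emit modprobe.d content. "blacklist" only suppresses alias-based autoloading;
# the "install ... /bin/false" line also makes explicit modprobe loads fail.
blacklist_conf() {
    for m in $DIRTY_FRAG_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Return 0 only if the conf file has an install override for every listed module.
conf_covers_all() {
    for m in $DIRTY_FRAG_MODULES; do
        grep -Eq "^install[[:space:]]+$m[[:space:]]+/bin/false\$" "$1" || return 1
    done
}

# Usage: script report | script conf > /etc/modprobe.d/dirty-frag-blacklist.conf
case "${1:-}" in
    report) loaded_modules ;;
    conf)   blacklist_conf ;;
esac
```

Run the report before unloading: a module with a nonzero reference count is in use, which is the signal that the host falls into the "cannot unload" group.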

Why this matters more than a typical LPE

Page-cache write primitives are a category that the kernel community has been chasing since Dirty COW in 2016 and Dirty Pipe in 2022. Copy Fail re-opened the door last week. Dirty Frag confirms the door isn’t a one-off — there is a class of bugs here, in unrelated networking subsystems, that all reduce to “write into page cache the kernel believes is read-only.” Each new primitive that ships with a public PoC compresses the time-to-mass-exploitation for unprivileged-shell-to-root, which is the second stage of basically every cloud and container intrusion that starts with a webshell, a CI runner takeover, or a poisoned dependency.

CISA added Copy Fail to KEV on May 1, eight days after the original PoC dropped. Expect Dirty Frag to follow the same arc — likely faster, given the chain reproduces on stock kernels without exotic infoleaks.
