[ALERT] Dirty Frag (CVE-2026-43284, CVE-2026-43500) - Root Privilege Vulnerability

A week after Copy Fail, researcher Hyunwoo Kim disclosed a second Linux kernel flaw in the same broad area — IPsec ESP and rxrpc — that they have named Dirty Frag. The bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that are not privately owned by the kernel (e.g. pipe pages attached via splice(2)/sendfile(2)/MSG_SPLICE_PAGES), the receive path decrypts directly over those externally-backed pages, exposing or corrupting plaintext that an unprivileged process still holds a reference to.

Like the previous Copy Fail vulnerability, Dirty Frag immediately yields root on all major distributions. Every supported Manjaro release is affected. Dirty Frag chains two distinct kernel bugs, each with its own CVE: CVE-2026-43284 covers the IPsec ESP half (esp4 / esp6), and CVE-2026-43500 (NVD entry pending) covers the rxrpc half. Per Hyunwoo Kim’s public disclosure on oss-security (2026-05-07), the responsible-disclosure embargo was broken before distributions could coordinate, and a working exploit is publicly available. A second public exploit, Copy Fail 2: Electric Boogaloo, targets the same vulnerability under a different name; both reach root through the same esp4/esp6/rxrpc code paths and are blocked by the same fix.

More information about the vulnerability:

Temporary mitigation

You can neutralize the attack surface by blacklisting the affected modules. None of esp4, esp6, or rxrpc are loaded on a typical workload that does not use IPsec transport mode or AFS, so on most systems this is safe to apply immediately:

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

This writes a modprobe config that prevents the three modules from loading, and unloads them if they happen to be loaded already (the rmmod is best-effort and silent if the module isn’t present). To revert, remove /etc/modprobe.d/dirtyfrag.conf.

The Dirty Frag exploit works by corrupting page-cache pages of sensitive files (such as /etc/passwd or /usr/bin/su). If you suspect the system may have already been targeted before you applied the mitigation, drop the page cache so any tampered pages are evicted and the next read comes fresh from disk:

sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'

This is safe to run on a live system — it only frees clean cache and dentry/inode entries — and pairs well with the blacklist above.

Upcoming Fixes

We are currently building some kernels with early patches applied:

You may want to switch to unstable branch as soon as they hit our repos or get them directly from our Github pages:

All current kernels are vulnerable to this exploit, unless communicated otherwise!

Update 2026-05-09

40 Likes
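To confirm that the temporary mitigation from the announcement above actually took hold (its rmmod is best-effort, so a module that is still in use stays loaded), the following added example reports the state of each of the three modules; it is not part of the original thread or of Manjaro's tooling. The function names and the `check` argument are assumptions of this example, and it only inspects /etc/modprobe.d, the directory the mitigation command writes to.

```shell
#!/bin/sh
# Added example: audit the Dirty Frag module mitigation (not Manjaro tooling).
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# module_loaded MODULE [FILE]: true if MODULE is the first field of a line in a
# /proc/modules-format FILE. Matching only field 1 avoids false hits on the
# "used by" column (e.g. "xfrm_algo ... esp4,").
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}" 2>/dev/null
}

# module_blocked MODULE [DIR]: true if a *.conf file in DIR carries an active
# (uncommented) "install MODULE /bin/false" line, the form used in the post.
# A bare "blacklist MODULE" line is not counted: it does not stop the module
# from being loaded by name.
module_blocked() {
    dir="${2:-/etc/modprobe.d}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '
            /^[ \t]*#/ { next }
            $1 == "install" && $2 == m && $3 == "/bin/false" { ok = 1 }
            END { exit !ok }' "$f" && return 0
    done
    return 1
}

# dirtyfrag_status [PROC_MODULES] [CONF_DIR]: prints "<module> <state>" per
# module and returns non-zero if any module is loaded or can still be loaded.
dirtyfrag_status() {
    rc=0
    for m in $DIRTYFRAG_MODULES; do
        if module_loaded "$m" "${1:-/proc/modules}"; then
            state="LOADED"; rc=1        # config alone does not unload it
        elif module_blocked "$m" "${2:-/etc/modprobe.d}"; then
            state="blocked"
        else
            state="NOT-BLOCKED"; rc=1   # absent now, but loadable on demand
        fi
        printf '%s %s\n' "$m" "$state"
    done
    return "$rc"
}

# Check the live system when invoked as: sh thisfile.sh check
if [ "${1:-}" = "check" ]; then
    dirtyfrag_status
fi
```

A module reported as LOADED needs to be unloaded manually or cleared by a reboot once its users are stopped; the modprobe entry only prevents future loads.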

Upstream partly patched some kernel series against ESP vulnerability:

7 Likes

Hi,

Thanks a lot for the reactivity.

Is a Manjaro kernel update planned? I mean a kernel update applied with pacman, pamac.

well, guess … There was already a section for it … @nl.smart

2 Likes

Upstream released 6.6.138, 6.12.87, 6.18.28 and 7.0.5 to fix the first part of the vulnerability in ESP modules … Kernels are currently building on our end on Github CI.

12 Likes

thanks for your fast action @philm ! unfortunately this part of the kernel will cause many more issues in the upcoming days and weeks, so stay alert. copy-fail was just a first glimpse of the problem that was detected via this ai-slop. dirty-frag is a deeper examination that shows up much more intrusion-bugs related to copy-fail but it seems that the whole mechanism isn’t safe.

3 Likes

Good morning. A question: is it necessary to run the command that was posted to mitigate the effect of Dirty Frag, or is that only for servers, companies, etc.?
Thank you very much.

It allows everybody that runs as a user on your system, including programs (!), to become root!
My recommendation is: Yes, apply the Temporary Mitigation to every system that you plan to use until the Kernel Updates are available unless you take the utmost care that nothing potentially exploiting it is coming onto your system!

4 Likes

Good morning, and thank you for writing; ok I will do what you recommend.
Thank you very much again!!!

1 Like

Thank you, @philm

Yet again amazing response. This is why I love Linux. And thanks to all Manjaro contributors. Mitigation applied.

2 Likes

Thanks for the update and for the quick work on getting these kernels built! Since this is my first post here, I wanted to say hello and also ask: will there be a follow-up post in this thread once the fixes are available in the repositories?

2 Likes

Well, it is super simple. This issue is complex and even upstream can’t provide a proper fix for this yet. Kernels are complex by nature. And with AI a lot of stuff can be done faster than before. Hence, the issue was so long undetected but present for several years. So if you have a Linux-box and internet enabled and know about this, well you can become root on any machine by opening the console and downloading the exploit with a one-liner.

Since this is in the public already, I try to cover it from our end as needed. The first post gets updated on a regular basis.

To be safe, apply the mitigation. If you want to help: switch to unstable branch and keep updating your system and give feedback.

You can be sure that a lot of kernel updates will follow the upcoming days …

1 Like

Copy Fail 2: Electric Boogaloo is most likely patched with the already applied ESP patches on most kernels we now ship in our unstable branch.

4 Likes

well running a server with manjaro-unstable sounds stupid but it works !!! thanks @philm . i wish debian would act as fast as you cause i’m lost that debian-support isn’t delivering so quick. credits to manjaro :love_you_gesture:

For what it’s worth, I was speaking with a friend last night who uses LMDE. It seems the kernels are being patched, but maybe not quite as fast as we’re getting used to being the case here. :wink:

Naturally, thanks @philm for these efforts. It is really appreciated.

1 Like

i’m curious about the different sources on which kernels are already patched, especially about the kernel 6.12… phil’s list point out that only 6.12.87 is patched while debian’s sources declare 6.12.86 (which they are using now) as patched. i have no clue what kernel to use when everyone submits different opinions.

No, none of the 6.12.x are completely patched. The rxrpc half only applies to 6.18.x and 7.0.x and is still under review (oss-security, "Re: Dirty Frag: Universal Linux LPE").

1 Like

thanks, i’ll trust your word. what a mess, weekends should get officially renamed to ‘patch-days’.

These AI discovered exploits are only strengthening Linux Kernel ultimately… I think this will be a temporary phase we go through as white hat security researchers catch up with AI tools.

Hoping no such embargo breakages happen again and are handled like Copy Fail (the first one), which I am sure will be precautions in place to avoid such incidents, I understand it’s hard to avoid because of GPL rules… Surely there will be a way to handle it.

Ultimately this is much better than closed source OS, who knows what kind of backdoors are in place on those systems…

1 Like