On 8 May 2026 the Canadian Centre for Cyber Security published alert AL26-011 about two Linux kernel vulnerabilities that, taken together, let an unprivileged local user become root. The pair is known as Dirty Frag and combines CVE-2026-43284 with CVE-2026-43500.
What the two flaws are
CVE-2026-43284 is a write-what-where condition (CWE-123) in the Encapsulating Security Payload modules, esp4 and esp6. A write-what-where primitive means the attacker controls both where they write in kernel memory and what they write, which opens the door to corrupting internal structures and from there running arbitrary code in kernel context.
CVE-2026-43500 sits in the RxRPC subsystem, the kernel's implementation of the Rx remote procedure call protocol over UDP, whose main in-kernel user is the AFS client (kafs). On its own it lets a local attacker escalate privileges.
The Dirty Frag name points at fragment handling, where both problems originate. The trick isn’t either bug in isolation but chaining them: RxRPC sets up the escalation and the ESP write primitive finishes the job, all the way to root.
Who is affected
Any Linux system where the esp4, esp6 or rxrpc modules are loaded, or can be loaded on demand. ESP is part of IPsec, so machines that terminate VPN tunnels, or any kernel that loads those modules by default, fall into the risk group. RxRPC is pulled in automatically when something asks for it: on a stock modular kernel, the first socket(AF_RXRPC, ...) call makes the kernel request the module through its protocol-family alias, and that call needs no privilege, so the surface is wider than the set of hosts that run AFS on purpose.
The access required is local. That lowers the bar on multi-user servers, Kubernetes nodes, CI/CD runners and any environment where untrusted code can run under an ordinary account. In those settings the wall between “unprivileged user” and “full control of the box” is exactly what Dirty Frag knocks down.
Severity
The Canadian Centre rated the pair high risk and flagged something uncommon: working public proof-of-concept exploits already existed on the alert date. PoCs in circulation change the math, because they shorten the gap between disclosure and real-world exploitation. On top of that, as of 8 May there was no single patch covering every stable kernel branch at once.
Mitigation
Until your distribution ships its fixes, the advice in the alert is to shrink the attack surface. If you don't use IPsec or AFS, keep the vulnerable modules from loading through modprobe configuration, for example with blacklist lines for esp4, esp6 and rxrpc in a file under /etc/modprobe.d. Two caveats: a blacklist entry does not unload a module that is already in memory (use modprobe -r, or reboot), and it does nothing on a kernel that has ESP or RxRPC compiled in rather than built as modules; only the kernel update helps there. Check what's loaded first:
# running kernel version, to compare with your distribution's fix announcement
uname -r
# modules currently in memory; the "Used by" column shows what depends on them
lsmod | grep -E 'esp4|esp6|rxrpc'
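The check-and-blacklist procedure as one script, added here as an example; it is not from the alert or the Cyber Centre. It assumes the usual /etc/modprobe.d location, the kernel config at /boot/config-$(uname -r), and the Kconfig symbols CONFIG_INET_ESP, CONFIG_INET6_ESP and CONFIG_AF_RXRPC for the three modules. It writes an "install ... /bin/false" line next to each "blacklist" line: blacklist stops the kernel's on-demand alias requests from resolving to the module, while the install line also defeats an explicit modprobe by name, including one pulled in as a dependency. The lsmod output embedded in the script is constructed; run it with --live to audit a real host and --apply (as root) to write the fragment.

```shell
#!/bin/sh
# Added example (not from alert AL26-011): audit and neutralise the three
# modules the alert names. The modprobe.d path and the kernel config path
# are assumptions that hold on most distributions.

VULN_MODS="esp4 esp6 rxrpc"
MODPROBE_FILE="/etc/modprobe.d/al26-011-dirty-frag.conf"   # assumed path

# Constructed lsmod output for the offline run: esp4 and rxrpc loaded, esp6 not.
SAMPLE_LSMOD='Module                  Size  Used by
rxrpc                 200704  1 kafs
esp4                   24576  0
xfrm_algo              16384  1 esp4'

# Read lsmod output on stdin; print each vulnerable module that is loaded,
# one per line, in VULN_MODS order. Only column 1 is matched, so a name in
# the "Used by" column does not count as loaded.
loaded_vuln_mods() {
    _lsmod=$(cat)
    for _m in $VULN_MODS; do
        if printf '%s\n' "$_lsmod" | awk -v m="$_m" '$1 == m { f = 1 } END { exit !f }'; then
            printf '%s\n' "$_m"
        fi
    done
    return 0
}

# Read a kernel .config on stdin; print the options that compile ESP or RxRPC
# into the kernel image (=y). A blacklist cannot remove those.
builtin_vuln_opts() {
    grep -E '^CONFIG_(INET_ESP|INET6_ESP|AF_RXRPC)=y$' || true
}

# Print the modprobe.d fragment. "blacklist" stops on-demand loading through
# the module's aliases (the net-pf-33 request an AF_RXRPC socket triggers, the
# xfrm-type-* request that installing an IPsec SA triggers); "install ... /bin/false"
# also defeats an explicit `modprobe esp4`, including one issued for a dependency.
modprobe_fragment() {
    echo "# AL26-011 (Dirty Frag) mitigation: remove once the fixed kernel is running"
    for _m in $VULN_MODS; do
        echo "blacklist $_m"
        echo "install $_m /bin/false"
    done
}

# Live audit of this host; with --apply the fragment is written (needs root).
audit_live() {
    echo "kernel: $(uname -r)"
    echo "vulnerable modules loaded now (unload with modprobe -r, or reboot):"
    lsmod | loaded_vuln_mods
    if [ -r "/boot/config-$(uname -r)" ]; then
        echo "compiled in (blacklist cannot help, only a kernel update):"
        builtin_vuln_opts < "/boot/config-$(uname -r)"
    fi
    if [ "$1" = "--apply" ]; then
        modprobe_fragment > "$MODPROBE_FILE"
        echo "wrote $MODPROBE_FILE; modules already in memory stay until unloaded"
    fi
}

case "${1:-}" in
    --live|--apply) audit_live "$1" ;;
    *) printf '%s\n' "$SAMPLE_LSMOD" | loaded_vuln_mods ;;   # offline demo on the constructed sample
esac
```

modprobe -r refuses to unload a module that is in use, for example rxrpc while kafs is mounted or esp4 while an IPsec SA exists; tear those down first, or schedule a reboot after the fragment is in place.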
The rest is standard practice when the vector is local: limit who has an account on the machine, restrict administrative privileges and watch logs for abnormal activity. Check with your distribution for the exact version that fixes each CVE, since the patch timeline varied between branches. If you build your own kernel from mainline or a stable branch rather than taking a distribution kernel, compare the installed version against the fix and update as soon as it lands.
Local root through a kernel bug is hardly a new pattern. We saw it recently with Copy Fail (CVE-2026-31431) in algif_aead and with CrackArmor in AppArmor: the common thread is that an unprivileged account is enough to end up as root.
Source
- Canadian Centre for Cyber Security, alert AL26-011: https://www.cyber.gc.ca/en/alerts-advisories/al26-011-vulnerabilities-affecting-linux-cve-2026-43284-cve-2026-43500
- NVD, CVE-2026-43284: https://nvd.nist.gov/vuln/detail/CVE-2026-43284