Two local privilege escalation flaws in the Linux kernel were publicly disclosed on May 7, 2026, and Canonical groups them under the name Dirty Frag. Both let an unprivileged user gain root on the machine, so they are worth dealing with right away. If you run Ubuntu servers or workstations, check this today.
The first one is CVE-2026-43284, with a CVSS 3.1 score of 8.8 (high). It hits the ESP (Encapsulating Security Payload) modules, the ones used in IPsec setups such as StrongSwan. The second is CVE-2026-43500, CVSS 7.8 (high), and it affects the RxRPC modules, the protocol behind the Andrew File System (AFS) for distributed file operations.
Both share the same local exploitation pattern: someone who already has an account on the system, even an unprivileged one, can abuse the flaw in these modules and end up running code as root. No physical access, no complicated remote exploit chains.
Who is affected
Canonical has shipped patches across the whole supported range:
- Bionic Beaver (18.04 LTS) — Linux 4.15 and 5.4 HWE kernels
- Focal Fossa (20.04 LTS) — 5.4 and 5.15 HWE kernels
- Jammy Jellyfish (22.04 LTS) — 5.15 and 6.8 HWE kernels
- Noble Numbat (24.04 LTS) — 6.8 and 6.17 HWE kernels
- Questing Quokka (25.10) and Resolute Raccoon (26.04 LTS)
Trusty Tahr and Xenial Xerus are marked as not affected. If you are still on one of those, you have plenty of other reasons to plan an upgrade anyway.
What to do
The direct route is to apply the kernel security updates:
sudo apt update && sudo apt upgrade
Since this is the kernel, a reboot is needed for the patch to take effect:
sudo reboot
If you cannot patch right away, say a server you cannot reboot at this moment, Canonical suggests blocking the vulnerable modules manually in the meantime. You do this by creating a file under /etc/modprobe.d/:
echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/dirty-frag.conf
echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf
echo "install rxrpc /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf
Then regenerate the initramfs for every installed kernel:
sudo update-initramfs -u -k all
And unload any modules already live in memory:
sudo rmmod esp4 esp6 rxrpc 2>/dev/null
To check whether they are still loaded:
grep -qE '^(esp4|esp6|rxrpc) ' /proc/modules && echo "Affected modules are loaded" || echo "Affected modules are NOT loaded"
Keep in mind that blocking esp4 and esp6 breaks IPsec, and dropping rxrpc takes AFS offline. This is a stopgap: if you depend on those services, the real fix is to patch and reboot.
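The stopgap only holds when all three modules are both blocked and unloaded, and the rmmod command above discards its own error output, so a failed unload goes unnoticed. The following is an added example, not Canonical's code, that checks both conditions in one pass; the function name dirty_frag_audit and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Dirty Frag stopgap (not Canonical's script).
# Usage: dirty_frag_audit [modprobe.d dir] [loaded-modules file]
# Returns 0 only when esp4, esp6 and rxrpc each have an uncommented
# "install <module> /bin/false" rule AND are absent from the module list.
dirty_frag_audit() {
    conf_dir=${1:-/etc/modprobe.d}
    modules_file=${2:-/proc/modules}
    rc=0
    for mod in esp4 esp6 rxrpc; do
        # A commented-out or missing rule counts as "not blocked".
        if grep -qsE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/false[[:space:]]*$" \
            "$conf_dir"/*.conf; then
            blocked=yes
        else
            blocked=no; rc=1
        fi
        # /proc/modules starts each line with the module name and a space.
        if grep -qs "^${mod} " "$modules_file"; then
            loaded=yes; rc=1
        else
            loaded=no
        fi
        echo "$mod blocked=$blocked loaded=$loaded"
    done
    return "$rc"
}

# Constructed sample: the rxrpc rule is missing and esp4 is still loaded,
# as happens when rmmod fails because the module is in use.
demo=$(mktemp -d)
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > "$demo/dirty-frag.conf"
printf 'esp4 20480 0 - Live 0x0000000000000000\n' > "$demo/modules"
dirty_frag_audit "$demo" "$demo/modules" || echo "mitigation incomplete"
rm -rf "$demo"
```

Called with no arguments, the function reads /etc/modprobe.d and /proc/modules on the live system.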
If you want to review the rest of this round of kernel mitigations, take a look at Fragnesia (CVE-2026-46300), which shares part of the ESP module problem. Full details for the distribution are on the Ubuntu page.
Source
Dirty Frag Linux kernel local privilege escalation vulnerability mitigations, published on Canonical’s blog.