In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy.

The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
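The decision described above, as a simplified userspace model added here for illustration; it is not kernel code and not part of the original fix. The struct, field and function names are hypothetical stand-ins, and an XOR stands in for decryption. It shows that both halves of the fix are needed: the ESP input check only helps once the datagram path has set the flag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the skb state named in the commit message (hypothetical fields). */
struct toy_skb {
    bool cloned;        /* data shared with another skb */
    bool has_frag_list; /* chained skbs present */
    bool shared_frag;   /* models SKBFL_SHARED_FRAG */
    uint8_t *frag;      /* page backing the payload */
    size_t len;
    uint8_t priv[16];   /* private copy used after the copy fallback */
};

/* Stand-in for decryption: a transform that writes its output over its input. */
static void toy_decrypt_in_place(uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        p[i] ^= 0x5a;
}

/* True when input may skip the copy and decrypt in place. */
static bool may_decrypt_in_place(const struct toy_skb *skb, bool patched) {
    if (skb->cloned || skb->has_frag_list)
        return false;
    return !(patched && skb->shared_frag); /* patched: shared frag forces a copy */
}

/* Models ESP input; returns true if the externally owned page was modified. */
static bool esp_input_model(struct toy_skb *skb, bool patched) {
    uint8_t before[16], *owner_page = skb->frag;
    memcpy(before, owner_page, skb->len);
    if (!may_decrypt_in_place(skb, patched)) {
        memcpy(skb->priv, skb->frag, skb->len); /* models skb_cow_data() */
        skb->frag = skb->priv;
    }
    toy_decrypt_in_place(skb->frag, skb->len);
    return memcmp(before, owner_page, skb->len) != 0;
}

/* Constructed scenario: a pipe page spliced into a UDP skb.
 * flag_set models whether the datagram append path marked the frag. */
static bool spliced_page_modified(bool flag_set, bool patched) {
    uint8_t pipe_page[16] = "pipe-owned data";
    struct toy_skb skb = { .shared_frag = flag_set, .frag = pipe_page,
                           .len = sizeof(pipe_page) };
    return esp_input_model(&skb, patched);
}

int main(void) { return spliced_page_modified(true, true) ? 1 : 0; }
```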
[POC] CVE-2026-43284 — Dirty-Frag-Kubernetes-PoC
A proof-of-concept demonstrating how a default, unprivileged Kubernetes Pod can achieve node-level code execution on Amazon EKS by exploiting the Dirty Frag (CVE-2026-43284) Linux kernel page-cache corruption vulnerability through shared container image layers.
[POC] CVE-2026-43284 — dirty-frag-check
Read-only checker for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) Linux kernel local-root vulns
[POC] CVE-2026-43284 — CVE-2026-43284-DirtyFrag-PoC
Proof-of-concept for CVE-2026-43284 — 4-byte XFRM/ESP page-cache write primitive to patch a setuid binary (x86_64, user namespaces). Includes kernel preflight + SUID scan.
[POC] CVE-2026-43284 — DirtyFrag-for-dummies
A tiny explanation + PoC for CVE-2026-43284
[POC] CVE-2026-43284 — dirtyfrag-arm64
arm64/aarch64 port of V4bel/dirtyfrag (CVE-2026-43284). ESP-only - rxrpc path kernel-oopses on arm64 due to flush_dcache_page
[POC] CVE-2026-43284 — CVE-2026-43284-CVE-2026-43500-scan
Dirtyfrag CVE-2026-43284 & CVE-2026-43500 Scan
[POC] CVE-2026-43284 — CVE-2026-43284
CVE-2026-43284
[POC] CVE-2026-43284 — Dirty-Frag-Analysis
Dirty Frag (CVE-2026-43284/43500) - Linux Kernel LPE Deep Technical Analysis by Bomb
[POC] CVE-2026-43284 — Paranoid-Dirty-Frag-CVE-2026-43284
Paranoid disable Linux IPsec ESP support (esp4/esp6) and RxRPC support.
[POC] CVE-2026-43284 — 202605_dirty_frag
CVE-2026-43284 & CVE-2026-43500 discovered by Hyunwoo Kim
PoC: dirtyfrag-cve-2026-43284-auditd-detection
This repository contains a lab validation report and detection artefacts for DirtyFrag CVE-2026-43284, a Linux local privilege escalation issue related to the XFRM/ESP page-cache write path. The focus is on auditd telemetry, event correlation, and SOC-oriented detection logic.
PoC: DirtyFrag
Add go CVE-2026-43284 / CVE-2026-43500 (dirtyfrag) local privilege escalation exploit
PoC: Dirty-Frag-CVE-2026-43284
Lab detection exercise for DirtyFrag (CVE-2026-43284) - Linux kernel privilege escalation via xfrm-ESP page cache corruption. Full write-up covering exploit execution, detection gaps, and corrected EQL rules using Elastic Stack
PoC: Reporte-de-Escalada-de-Privilegios-Local-Dirty-Frag
A vulnerability assessment was carried out on a virtual machine running Kali Linux using a detector script for the Dirty Frag vulnerability, associated with CVE-2026-43284 and CVE-2026-43500. A public Proof of Concept (PoC) written in C was then run to validate the possibility of performing a local escalation
PoC: Dirtyfrag-go
A Go implementation of dirtyfrag (CVE-2026-43284 / CVE-2026-43500)
PoC: Dirty-Frag-CVE-2026-43284
A report on Dirty Frag, which is a Linux Local Privilege Escalation (LPE) vulnerability chain that allows an unprivileged user to gain root access
PoC: CVE-2026-43284
Dirty Frag - kernel Linux critical Vulnerability
PoC: CVE-2026-43284
dirty frag
PoC: XCP_ng_CVE-2026-43284_tester
Tester for CVE-2026-43284
PoC: DirtyFrag-Detector
CVE-2026-43284/CVE-2026-43500 'DirtyFrag' Benign patch & mitigation detection script
PoC: rust_dirtyfrag
Rust implementation of CVE-2026-43284
PoC: dirtyfrag-patches
Kernel patches for Dirty Frag vulnerability (CVE-2026-43284, CVE-2026-43500)
PoC: CVE-2026-43284
Tracking CVE-2026-43284
PoC: DIRTY-FRAG-Detection-with-Wazuh-4.14.4
Wazuh 4.14.4 detection rules for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) - Linux Local Privilege Escalation via page cache write
Hacker News
"Dirty Frag" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days (31)
Dirty Frag (CVE-2026-43284, CVE-2026-43500): Mitigation (3)
Dirty Frag: a kernel zero-day vs. container and microVM sandboxes (3)
CVE-2026-43284 ("Dirty Frag") Alma Linux (3)
Just released: Dirty Frag (CVE-2026-43284 / CVE-2026-43500) Detection Script (2)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H