CVE-2026-43284 · HIGH · CVSS 8.8

Published May 8, 2026 · Updated Jul 1, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy.

The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

Public Exploits & PoCs (24 found)

[POC] CVE-2026-43284 — Dirty-Frag-Kubernetes-PoC

A proof-of-concept demonstrating how a default, unprivileged Kubernetes Pod can achieve node-level code execution on Amazon EKS by exploiting the Dirty Frag (CVE-2026-43284) Linux kernel page-cache corruption vulnerability through shared container image layers.

5

[POC] CVE-2026-43284 — dirty-frag-check

Read-only checker for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) Linux kernel local-root vulns

2

[POC] CVE-2026-43284 — CVE-2026-43284-DirtyFrag-PoC

Proof-of-concept for CVE-2026-43284 — 4-byte XFRM/ESP page-cache write primitive to patch a setuid binary (x86_64, user namespaces). Includes kernel preflight + SUID scan.

2

[POC] CVE-2026-43284 — DirtyFrag-for-dummies

A tiny explanation + PoC for CVE-2026-43284

[POC] CVE-2026-43284 — dirtyfrag-arm64

arm64/aarch64 port of V4bel/dirtyfrag (CVE-2026-43284). ESP-only - rxrpc path kernel-oopses on arm64 due to flush_dcache_page

[POC] CVE-2026-43284 — CVE-2026-43284-CVE-2026-43500-scan

Dirtyfrag CVE-2026-43284 & CVE-2026-43500 Scan

[POC] CVE-2026-43284 — CVE-2026-43284

CVE-2026-43284

[POC] CVE-2026-43284 — Dirty-Frag-Analysis

Dirty Frag (CVE-2026-43284/43500) - Linux Kernel LPE Deep Technical Analysis by Bomb

[POC] CVE-2026-43284 — Paranoid-Dirty-Frag-CVE-2026-43284

Paranoid disable Linux IPsec ESP support (esp4/esp6) and RxRPC support.

[POC] CVE-2026-43284 — 202605_dirty_frag

CVE-2026-43284 & CVE-2026-43500 discovered by Hyunwoo Kim

PoC: dirtyfrag-cve-2026-43284-auditd-detection

This repository contains a lab validation report and detection artefacts for DirtyFrag CVE-2026-43284, a Linux local privilege escalation issue related to the XFRM/ESP page-cache write path. The focus is on auditd telemetry, event correlation, and SOC-oriented detection logic.

PoC: DirtyFrag

Add go CVE-2026-43284 / CVE-2026-43500 (dirtyfrag) local privilege escalation exploit

PoC: Dirty-Frag-CVE-2026-43284

Lab detection exercise for DirtyFrag (CVE-2026-43284) - Linux kernel privilege escalation via xfrm-ESP page cache corruption. Full write-up covering exploit execution, detection gaps, and corrected EQL rules using Elastic Stack

PoC: Reporte-de-Escalada-de-Privilegios-Local-Dirty-Frag

A vulnerability assessment was performed on a virtual machine running Kali Linux using a detector script for the Dirty Frag vulnerability, associated with CVE-2026-43284 and CVE-2026-43500. A public Proof of Concept (PoC) written in C was then run to validate the possibility of performing a local escalation

PoC: Dirtyfrag-go

A Go implementation of dirtyfrag (CVE-2026-43284 / CVE-2026-43500)

PoC: Dirty-Frag-CVE-2026-43284

A report on Dirty Frag, which is a Linux Local Privilege Escalation (LPE) vulnerability chain that allows an unprivileged user to gain root access

PoC: CVE-2026-43284

Dirty Frag - kernel Linux critical Vulnerability

PoC: CVE-2026-43284

dirty frag

PoC: XCP_ng_CVE-2026-43284_tester

Tester for CVE-2026-43284

PoC: DirtyFrag-Detector

CVE-2026-43284/CVE-2026-43500 'DirtyFrag' Benign patch & mitigation detection script

PoC: rust_dirtyfrag

Rust implementation of CVE-2026-43284

PoC: dirtyfrag-patches

Kernel patches for Dirty Frag vulnerability (CVE-2026-43284, CVE-2026-43500)

PoC: CVE-2026-43284

Tracking CVE-2026-43284

PoC: DIRTY-FRAG-Detection-with-Wazuh-4.14.4

Wazuh 4.14.4 detection rules for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) - Linux Local Privilege Escalation via page cache write

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
