Active attack: Dirty Frag Linux vulnerability expands post-compromise risk

Source: Microsoft Security Blog

Author: Microsoft Defender Security Research Team

URL: https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/

ONE SENTENCE SUMMARY:

Dirty Frag is a Linux local privilege escalation (LPE) vulnerability that exploits the esp4/esp6 and rxrpc kernel components, giving an attacker who already has a foothold a reliable path to root.

MAIN POINTS:

  1. Newly disclosed LPE “Dirty Frag” targets Linux kernel networking and memory-fragment handling.
  2. Affected components include esp4, esp6 (CVE-2026-43284), and rxrpc (CVE-2026-43500).
  3. Public PoCs suggest higher reliability than timing-sensitive race-condition Linux escalation techniques.
  4. Attacks typically follow initial access via SSH, web-shells, container escape, or low-privileged accounts.
  5. Impacted ecosystems include Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE, and OpenShift.
  6. Microsoft Defender is monitoring related activity and developing detections and protections.
  7. Root access enables disabling security tools, credential theft, log tampering, lateral movement, and persistence.
  8. Having multiple kernel attack paths makes exploitation more consistent across differently configured vulnerable environments.
  9. Exploit behavior resembles CopyFail (CVE-2026-31431), which relied on page cache manipulation, but adds further attack paths.
  10. Exposure increases where IPsec/VPN and xfrm-related functionality keeps vulnerable modules enabled.

TAKEAWAYS:

  1. Treat any foothold on vulnerable Linux hosts as potentially becoming root quickly.
  2. Reduce attack surface by disabling the rxrpc module where it is unused and, if feasible, esp/xfrm functionality.
  3. Limit unnecessary local shell availability and harden container boundaries to slow post-compromise escalation.
  4. Monitor aggressively for anomalous privilege changes and kernel-module load/unload activity.
  5. Prepare rapid kernel patch deployment once vendor advisories and fixed builds are available.
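As an added defender-side example (not code from the Microsoft post), the following POSIX shell audits whether the esp4, esp6 and rxrpc modules named above are currently loaded and emits a modprobe.d fragment that prevents them from being loaded; the function names and the output path are assumptions made for this example.

```shell
#!/bin/sh
# Dirty Frag attack-surface check (added example; module names from the advisory summary,
# function names and file path are assumptions for this example).

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Print the watched modules that appear in a /proc/modules-style file
# (module name is the first whitespace-separated field of each line).
# Defaults to the live /proc/modules; a missing file yields no output.
loaded_watched_modules() {
    modfile="${1:-/proc/modules}"
    for m in $DIRTY_FRAG_MODULES; do
        # anchor to line start so "esp4" does not match e.g. "esp4_offload"
        if grep -q "^${m} " "$modfile" 2>/dev/null; then
            printf '%s\n' "$m"
        fi
    done
}

# Emit modprobe.d lines. "install <mod> /bin/false" makes any load attempt fail,
# which is stronger than "blacklist" alone (blacklist only stops alias autoloading).
blacklist_fragment() {
    for m in $DIRTY_FRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Write the fragment into modprobe.d (needs root). Already-loaded modules still
# have to be unloaded (rmmod) or the host rebooted for this to take effect.
write_blacklist() {
    target="${1:-/etc/modprobe.d/dirty-frag-mitigation.conf}"
    blacklist_fragment > "$target"
}
```

Caveat: blocking esp4/esp6 breaks IPsec on hosts that terminate VPN tunnels, so run `loaded_watched_modules` first and only write the fragment for modules the host does not need.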