Dirty Frag is a new Linux bug putting your system at risk – and there’s no easy fix yet





ZDNET’s key takeaways

  • With one compromised account, Dirty Frag can expose your system.
  • No patch can protect you from all possible attacks yet.
  • To stay safe for now, you’ll need to block several kernel modules, which will break IPsec VPNs and AFS workloads.

Linux has been having a rough few weeks. First, the Copy Fail security hole was uncovered by AI researchers. In that case, the patches were quickly made and distributed. We weren’t so lucky with the newly disclosed Linux kernel flaw, dubbed Dirty Frag, which was also, it seems, discovered with AI’s help, but patches are still in the works.

Security researcher Hyunwoo Kim, who disclosed the issue on May 7, describes Dirty Frag as an extension of the same bug class as previous high-profile Linux kernel flaws, 2022’s Dirty Pipe and Copy Fail. Like those flaws, Dirty Frag exploits kernel code paths that write to memory pages accessible to unprivileged user space, but it targets a different structure: the fragment field of sk_buff networking buffers.

Kim told the Linux kernel maintainers about the vulnerability at the end of April. Unfortunately, the coordinated disclosure and patch processes quickly went off the rails. On May 7, while distributions were still shipping fixes for the related Copy Fail flaw, detailed Dirty Frag technical information and a working proof-of-concept exploit for the xfrm-ESP component appeared online after an embargo break by an unrelated third party. Now, we’re all in trouble.

What is Dirty Frag?

Dirty Frag is a local privilege escalation vulnerability chain that exploits logic bugs in Linux’s networking and authentication stacks to corrupt data in the kernel’s page cache, enabling an unprivileged account to escalate to root. 

It works by targeting two separate networking subsystems: the IPsec Encapsulating Security Payload, or xfrm-ESP, path, tracked as CVE-2026-43284, and the RxRPC authentication path, tracked as CVE-2026-43500.

By chaining these flaws, attackers can modify what should be read-only, page-cache-backed system files in memory and then trigger them to run with elevated privileges, without ever touching your file system.

Once in, Dirty Frag exploits “page-cache write primitives” in kernel fast paths used for encrypted networking and remote file system authentication. By carefully choosing the target, an attacker can overwrite pieces of ostensibly read-only files in memory, such as executables or configuration files, and then execute or reload the modified files as root. 

From there, the sky’s the limit, and attackers can do pretty much whatever they want.

The good news — yes, there is some — is that attackers typically need an existing foothold, such as an unprivileged shell via SSH, a web shell, or a compromised container, to use Dirty Frag to escalate.

On the other hand, because the underlying bug is a logic error rather than a timing-sensitive race, the exploit is unusually reliable and does not cause kernel panics when it fails. In other words, someone can attack your Linux system over and over again until they break in, and you’ll never know about it.

Defenders scrambled to assess exposure

It did not take long for attackers to take notice. Public exploit code was quickly mirrored across security blogs, GitHub repositories, and discussion forums, leaving defenders scrambling to assess exposure.

According to Microsoft’s threat intelligence team, Dirty Frag has already been observed in action. Hackers are using it to upgrade limited footholds on Linux systems to full root control across servers, cloud workloads, and containers.

So, who’s at risk? 

I’m sorry to say it’s pretty much everyone who uses any Linux distribution. Dirty Frag affects a wide range of Linux environments, from bare-metal servers and enterprise distributions to container hosts and cloud instances. This includes current and earlier releases of Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, Fedora, and openSUSE Tumbleweed, among others.

Canonical, Ubuntu’s parent company, warns: “In container deployments that may execute arbitrary third-party workloads, the vulnerability may additionally facilitate container escape scenarios, in addition to local privilege escalation on the host.” That’s the ultimate cloud-native computing nightmare.

Fortunately, “A proof-of-concept exploit has not been published yet for container escape.” 

So far. To the best of our knowledge. We hope.

While many of you were celebrating Mother’s Day, the Linux kernel community spent the weekend addressing the problem. CVE-2026-43284, the xfrm-ESP component, received an upstream fix in the mainline kernel on May 8, less than 24 hours after public disclosure, though that fix now needs to be backported across the many supported stable trees.

The RxRPC flaw, tracked as CVE-2026-43500, remains under evaluation. As of this writing, no upstream patch had been finalized. Linux vendors are issuing their own advisories and updates as they integrate the upstream changes.

What you should do immediately

Linux distributors, cloud providers, and hosting providers are urging customers to update to the latest kernel packages as they become available. They’re also urging administrators to blacklist esp4, esp6, and rxrpc modules as a stopgap. Keep in mind, however, that if you do so, you’re likely to disrupt IPsec VPNs or AFS-based workloads. On the other hand, you’ll be safer that way.

Debian and Ubuntu-related Linux distros

Canonical suggests the following steps. These will work on Ubuntu and related Linux distributions, like Mint.

Step 1. Block the modules

  • Block the modules by creating a /etc/modprobe.d/dirty-frag.conf file:
  • echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/dirty-frag.conf
  • echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf
  • echo "install rxrpc /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf
  • Regenerate the initramfs images to prevent the modules from being loaded during early boot:
  • sudo update-initramfs -u -k all

Step 2. Unload modules

  • Unload the modules, in case they are already loaded:
  • sudo rmmod esp4 esp6 rxrpc 2>/dev/null


Step 3. Confirm the modules aren’t loaded

  • Check whether the modules are still loaded:
  • grep -qE '^(esp4|esp6|rxrpc) ' /proc/modules && echo "Affected modules are loaded" || echo "Affected modules are NOT loaded"
  • If the previous action indicates that the modules are not loaded, no further action is required. However, unloading the modules may not be possible if applications are already using them. In these instances, a system reboot will enforce their blocking, but it will affect applications:
  • sudo reboot
  • Once kernel updates are available and installed, the mitigation can be removed:
  • sudo rm /etc/modprobe.d/dirty-frag.conf
  • sudo update-initramfs -u -k all

Red Hat and related Linux distros

Red Hat suggests you run:

  • printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
  • rmmod esp4 esp6 rxrpc 2>/dev/null; true

This approach, which will require disabling IPsec and AFS-based programs, will also work on CentOS, Rocky Linux, AlmaLinux, and other RHEL-related Linux distros.

SUSE Linux fixes

SUSE has a similar solution with the same warning about IPsec and AFS.

Create /etc/modprobe.d/10-copyfail2-fix.conf with the following lines:

  • blacklist esp4
  • blacklist esp6
  • blacklist rxrpc
  • install esp4 /bin/false
  • install esp6 /bin/false
  • install rxrpc /bin/false

The details vary from distro to distro, but the temporary fix is always the same: use a modprobe configuration file to keep the affected kernel modules (esp4, esp6, and rxrpc) from loading until the kernel patches are available and installed.
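The following script is an added example, not Canonical’s, Red Hat’s, or SUSE’s own tooling. It wraps the three manual steps above (write the modprobe blocklist, try to unload the modules, confirm from /proc/modules that none is still loaded) in shell functions so the same check can be run across a fleet and reported on. The MODPROBE_CONF and PROC_MODULES override variables, the --apply flag, and the dracut fallback for RHEL- and SUSE-family initramfs rebuilds are assumptions of this example, not something the vendor advisories specify.

```shell
#!/bin/sh
# Added example, not any distribution's own script. Paths are overridable so the
# check functions can be exercised against a constructed modules file without root.
MODPROBE_CONF="${MODPROBE_CONF:-/etc/modprobe.d/dirty-frag.conf}"
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
AFFECTED="esp4 esp6 rxrpc"

# Step 1: one "install <module> /bin/false" line per affected module, so that
# modprobe runs /bin/false instead of loading it.
write_blocklist() {
    conf="$1"
    : > "$conf"
    for m in $AFFECTED; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
}

# Returns 0 only if the conf file blocks every affected module (catches a
# partially written or hand-edited file).
blocklist_complete() {
    conf="$1"
    for m in $AFFECTED; do
        grep -q "^install $m /bin/false\$" "$conf" 2>/dev/null || return 1
    done
    return 0
}

# Step 3: the same test as the grep in the manual steps, but it prints the name
# of each affected module still listed in the modules file.
# Returns 0 when none of them is loaded, 1 otherwise.
affected_unloaded() {
    modules_file="$1"
    found=0
    for m in $AFFECTED; do
        if grep -q "^$m " "$modules_file" 2>/dev/null; then
            echo "$m"
            found=1
        fi
    done
    return "$found"
}

# Apply the mitigation (needs root). Guarded by --apply so that sourcing the
# file only defines the functions.
if [ "${1:-}" = "--apply" ]; then
    write_blocklist "$MODPROBE_CONF"
    blocklist_complete "$MODPROBE_CONF" || { echo "could not write $MODPROBE_CONF" >&2; exit 1; }
    # Rebuild the initramfs so the modules cannot load at early boot:
    # update-initramfs on Debian/Ubuntu, dracut on RHEL and SUSE families (assumed).
    if command -v update-initramfs >/dev/null 2>&1; then
        update-initramfs -u -k all
    elif command -v dracut >/dev/null 2>&1; then
        dracut --force
    fi
    # Step 2: unload whatever is loaded now. rmmod complains about modules that
    # are not loaded; that is harmless here.
    rmmod esp4 esp6 rxrpc 2>/dev/null
    if affected_unloaded "$PROC_MODULES" >/dev/null; then
        echo "Affected modules are NOT loaded"
    else
        echo "Some affected modules are still in use; reboot to enforce the block" >&2
        exit 2
    fi
fi
```

Run it as root with --apply to mitigate one host; run affected_unloaded alone (for example from a configuration-management check) to audit hosts that were mitigated by hand. A non-zero exit from the --apply branch means a module was in use and could not be unloaded, which is exactly the case the Ubuntu steps say needs a reboot.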

Once that’s done, you can delete the emergency fixes and get back to business as usual.

Until full kernel fixes are broadly deployed and systems are rebooted, you should mitigate your system as soon as possible. After all, if you have even a single compromised user account, an attacker can use Dirty Frag to take complete control of your infrastructure.

Now, if you’ll excuse me, I have a bunch of servers and workstations to fix.
The first computer my family owned was an 80286 IBM clone, and it had lots of ports, none of which looked the same. There was a big 5-pin DIN for the keyboard, a serial port, a parallel port, a game port for our joystick, and of course, the VGA port for the monitor.

In comparison, a modern computer has much less diversity in the port department. Not only are there fewer types of ports, but the total number may be quite low as well. When we move to modern laptops, it can be much more minimalist. Some laptops have just a single port on the entire machine! Is this a bad thing? As with anything, the extremes are rarely ideal, but I’d say overall, this has been a pretty positive development for PCs.

The port explosion era was never sustainable

It was more like a port infection

You see, the reason we had so many ports for so long is that people kept inventing new interfaces to make up for the shortcomings of existing ones. However, instead of the newer, better interfaces making the old ones obsolete, they just became additive, as perfectly summarized in this classic XKCD comic.

A comic illustrates how competing standards multiply: first showing 14 competing standards, then people agreeing to create one universal standard, followed by a final panel showing there are now 15 competing standards. Credit: Randall Munroe (CC-BY-NC)

In laptops, the need for so many ports reached ridiculous heights. In this video posted by X user PC Philanthropy, you can see his Sager/Clevo D9T absolutely packed with all the trimmings leading to a rather massive laptop.

It is undeniably a cool machine, but obviously goes against the principle of portable computing. Also, every port you install means power and space that could have been taken up by something else. That’s true for laptops and desktops.


USB-C (almost) solved the problem

So close, but not quite there yet

Released to the public in the mid ’90s, USB came to the rescue. The “U” is for “Universal” and for the most part USB has lived up to that promise. Now there was one port that handled data and power. More importantly, USB is fully backwards compatible. So if you plug a USB 1.1 device into a modern USB port, it should work. Whether you can get software drivers for it is another story, but it will talk to the host device.

USB-C has proven to be less universal than I’d like, but the situation is still far better than it used to be. A single USB-C port on one of my laptops can act as a video output for just about anything, even an old VGA monitor.

A Macbook, CRT monitor, and iPad connected together. Credit: Sydney Louw Butler/How-To Geek

My smaller laptops don’t need special chargers anymore, and the latest laptops can pull 240W over USB-C, which is enough for all but the beefiest desktop replacement machines. There is no type of peripheral I can think of that doesn’t give you the option to use it over USB.

But the complaints aren’t so much that we only get USB these days, it’s more that we get so little of it.

Minimal I/O enables better hardware design

Harder, better, faster, stronger

When you only put a handful of USB-C ports on a mobile computer, you reap numerous benefits. The low profile of USB-C means the laptop can be thinner, and the frame can be a stronger and more rigid unibody design. Internally, you have room for more battery, larger performance components, or better cooling.

A green Apple MacBook Neo on display on a wooden table with a product sign behind it. Credit: Patrick Campanale / How-To Geek

It also means the internals can be simpler, and cheaper to design and fabricate, though whether those savings are passed on to customers is another story altogether.

Wireless and cloud-first workflows reduce physical dependency

I guess they are “air” ports

Perhaps the first sign of major change was when smartphones dropped headphone jacks, but the fact is that wireless technologies are now good enough for most peripheral and data connections. So, there’s no need to connect them directly to a port on a computer. Which, in turn, means that there’s no reason to have as many ports on the computer in the first place.

I can’t remember the last time I used a wired mouse or keyboard, and I only use Ethernet for devices that need extremely high speeds, low latency, or improved reliability. For normal day-to-day use, modern Wi-Fi is just fine. So while your laptop might not have as many wired ports on the outside, those wireless chips on the inside still give it numerous connectivity options for audio, input, and data transfer.

You could even make the same argument about storage to some extent, with many thin and light systems leaning on cloud storage to make up for a lack of ports to connect external storage.

The dongle backlash misses the bigger picture

The last bit of the port protest centers around dongles, but I never understood the complaints. Having one port that can be broken out into whatever ports you need using a little box is amazing. It makes ports optional and gives you the choice. If you never plug your laptop into anything, why deal with all the ports you’ll never use?

Likewise, if you only ever use ports with your laptop when you dock it at a desk, then you can just leave your dongle ready to go on your desk. Throwing a small dongle in your laptop sleeve or bag in case you might need it is a small price to pay for all the benefits of minimal I/O.
