1. Description
CVE-2026-43284 and CVE-2026-43500 ("Dirty Frag") are local privilege escalation (LPE) vulnerabilities affecting the Linux kernel's xfrm-ESP (IPsec) and RxRPC subsystems.
The flaws can be chained by an unprivileged local user to overwrite sensitive cached files, including /etc/passwd and setuid binaries, to achieve deterministic privilege escalation to root.
2. Mitigation Steps
Apply the following workaround on all affected servers. This uses an execution override to instantly and permanently block the affected kernel modules from loading. NO REBOOT IS REQUIRED.
Step 1 — Verify the modules are not currently running
Ensure the modules are not active in memory before applying the block:
lsmod | grep -E "esp4|esp6|rxrpc"
Expected output: (no output).
If any modules appear in the output, unload them immediately using sudo rmmod rxrpc esp6 esp4 before proceeding.
Step 2 — Force-disable the modules via override
Create a configuration file that instructs the kernel to execute /bin/false instead of loading the vulnerable modules. This permanently blocks both automatic on-demand loading and direct manual loading:
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag-block.conf"
Step 3 — Clear the kernel dependency cache
Force the kernel to instantly reload its module configuration parameters so the changes take effect immediately on your running system:
sudo depmod -a
Step 4 — Verify mitigation
Attempt to manually force-load one of the disabled modules to prove the operating system successfully rejects and blocks the request:
sudo modprobe esp4 lsmod | grep esp4
Expected output: (no output).
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article