How to Disable the Linux "Dirty Frag" Kernel Vulnerabilities (CVE-2026-43284 & CVE-2026-43500)
The Linux kernel security landscape has recently been shaken by the disclosure of the “Dirty Frag” vulnerabilities, primarily tracked under CVE-2026-43284, CVE-2026-43500, and the related variant CVE-2026-46300. Similar to past exploits like Dirty Pipe and Copy Fail, Dirty Frag leverages page-cache corruption to allow a local, unprivileged user to escalate their privileges to root.
If you are running Linux servers in multi-tenant environments, or hosting containers with shared kernels, you should patch or mitigate this vulnerability immediately.
What is the “Dirty Frag” Vulnerability?
The vulnerability resides in how the Linux kernel handles shared socket buffer (sk_buff) fragments. In specific network paths—namely the IPsec ESP (esp4, esp6) and RxRPC (rxrpc) subsystems—the kernel performs decryption on these buffers in-place.
Due to a failure in enforcing copy-on-write (COW) protections on shared page fragments, a local attacker can exploit this in-place decryption behavior. By carefully timing packets, they can force the kernel to write decrypted network data directly into the system’s file-backed page-cache memory rather than private packet memory. Overwriting the page cache of critical system files (like /etc/passwd or system binaries) allows the attacker to gain full root privileges.
The Recommended Fix: Update the Kernel
The most reliable solution is to update your Linux kernel to a patched version provided by your distribution (such as Ubuntu, Red Hat, Debian, or Fedora).
Run the standard update command for your package manager:
# On Ubuntu / Debian
sudo apt update && sudo apt install --only-upgrade linux-image-generic
# On RHEL / Rocky Linux / Fedora
sudo dnf upgrade kernel
Note: A system reboot is required after the update to boot into the new, patched kernel.
Temporary Mitigation: Disabling the Vulnerable Modules
If you cannot reboot or upgrade your kernel immediately, you can mitigate the vulnerability by blocking the affected kernel modules from being loaded. The vulnerable modules are:
- esp4 (IPv4 Encapsulating Security Payload)
- esp6 (IPv6 Encapsulating Security Payload)
- rxrpc (RxRPC protocol support, used by the Andrew File System, AFS)
[!WARNING] Disabling these modules will break services that rely on them. Specifically, IPsec/VPN tunnels using kernel-level ESP and AFS mounts will stop working. Standard SSL/TLS, SSH, and WireGuard VPNs are not affected.
Step 1: Blacklist the Modules
Create a modprobe configuration file to prevent the modules from being loaded:
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf"
Using install [module] /bin/false is more secure than blacklist [module]: a blacklist entry only stops alias-based autoloading, so an explicit modprobe or a dependency pulled in by another module can still load it, whereas an install line replaces the load with /bin/false, so any load attempt, whether from a service or a manual command, fails.
Step 2: Unload the Modules
If the modules are already loaded in memory, you need to unload them:
sudo rmmod esp4 esp6 rxrpc
If any of the modules are in use by active connections (e.g., an active IPsec tunnel), rmmod will fail. In that case, you must stop the dependent services first or schedule a system reboot to apply the mitigation.
Step 3: Verify the Mitigation
You can verify that the modules are disabled by attempting to load them manually. The command should fail:
sudo modprobe esp4
If successfully mitigated, you will see an error message similar to:
modprobe: ERROR: could not insert 'esp4': Invalid argument
The load fails because modprobe runs /bin/false instead of inserting the module.
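An added audit script for the three steps above (example code, not part of the original article): it reports, for each of esp4, esp6 and rxrpc, whether the module is currently loaded and whether a modprobe.d install line blocks it, and returns success only when the mitigation is complete. It assumes only POSIX sh, awk and grep; the function names and the --audit flag are this example's own, and the file paths default to /proc/modules and /etc/modprobe.d.

```shell
#!/bin/sh
# Added example, not from the original article: audit helpers for the
# Dirty Frag module mitigation. The module list and modprobe.d directory are
# parameters so the same functions work on a live host (/proc/modules,
# /etc/modprobe.d) or on constructed files.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Return 0 if module $1 appears in the module list file $2.
# /proc/modules lines look like: "name size refcount deps state addr".
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# Return 0 if some *.conf under directory $2 contains an
# "install $1 /bin/false" line, i.e. what Step 1 writes.
module_blocked() {
    grep -qsE "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false([[:space:]]|$)" "$2"/*.conf
}

# Print one status line per module and return 0 only when every module is
# both blocked from loading and not resident (fully mitigated).
# $1 = module list file (default /proc/modules)
# $2 = modprobe.d directory (default /etc/modprobe.d)
dirtyfrag_status() {
    modules_file="${1:-/proc/modules}"
    conf_dir="${2:-/etc/modprobe.d}"
    rc=0
    for m in $DIRTYFRAG_MODULES; do
        if module_loaded "$m" "$modules_file"; then
            loaded=loaded; rc=1          # still resident: rmmod or reboot needed
        else
            loaded=unloaded
        fi
        if module_blocked "$m" "$conf_dir"; then
            blocked=blocked
        else
            blocked=loadable; rc=1       # no install line: Step 1 not applied
        fi
        printf '%-6s %-9s %s\n' "$m" "$loaded" "$blocked"
    done
    return "$rc"
}

# Stand-alone use on a live host: sh dirtyfrag_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    dirtyfrag_status
fi
```

A non-zero exit from --audit means at least one module is still loadable or still loaded, which is the state Step 2 warns about when rmmod fails on an in-use module.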
Reverting the Mitigation
Once you have successfully upgraded your kernel to a patched version, you can restore full functionality by removing the configuration file:
sudo rm -f /etc/modprobe.d/dirtyfrag.conf