Linux Kernel "Dirty Frag" Local Privilege Escalation Risk Advisory
May 09, 2026
Alibaba Cloud Security has detected a local privilege escalation vulnerability in the Linux Kernel, code-named "Dirty Frag" (no complete CVE identifier is currently available). This vulnerability allows a local unprivileged attacker to obtain root privileges on mainstream Linux distributions without a race condition by chaining two page-cache write flaws in xfrm-ESP (CVE-2026-43284) and RxRPC.
Alibaba Cloud Security recommends that you perform a self-check as soon as possible. If your systems are within the affected scope, update and remediate them promptly to prevent compromise.
Vulnerability Details
The Linux Kernel is one of the world's most widely used open-source operating system kernels and provides core low-level functions such as hardware management, process scheduling, memory management, file systems, and network communication. The root cause of this vulnerability lies in flaws in the xfrm-ESP (esp4/esp6) and RxRPC (rxrpc) modules. An attacker can craft specific network packets to trigger the kernel to write attacker-controlled data into the page cache of any readable file (such as a setuid binary). By chaining the two vulnerabilities, an attacker can bypass standard permission controls and achieve local privilege escalation on any mainstream distribution.
The technical details and PoC for this vulnerability have now been publicly disclosed.
Risk Level
High
Affected Versions
commit cac2661c53f3 <= Linux Kernel (xfrm-ESP) < commit f4c50a4034e6
Linux Kernel (RxRPC) >= commit 2dc334f1a63a
The following operating systems and versions are currently known to be affected:
Ubuntu 24.04.4
Red Hat Enterprise Linux 10
CentOS 10
AlmaLinux 10
Fedora 44
openSUSE Tumbleweed
Affected status of Alinux versions:
Alinux 2
Alinux 3
Alinux 4
By default, Alinux kernels build xfrm-ESP only as a loadable module (CONFIG_INET_ESP=m) and do not build RxRPC (CONFIG_AF_RXRPC is not set). Therefore, Alinux is affected only by the ESP attack path (xfrm-ESP), not by the RxRPC attack path.
Detection Method
1. Check whether the modules are loaded
lsmod | grep -E 'esp4|esp6|rxrpc'
2. Check whether the modules are built into the kernel (this determines whether the modprobe blacklist mitigation is effective)
grep -E 'CONFIG_INET6?_ESP|CONFIG_AF_RXRPC' /boot/config-$(uname -r)
# =y indicates built-in, so the blacklist is ineffective; =m indicates module, so the blacklist is effective
3. Check whether User Namespace is allowed (affects the ESP variant)
cat /proc/sys/kernel/unprivileged_userns_clone
# 1 = allowed (ESP variant may be exploitable); 0 = blocked
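The three checks above combined into one self-check, as an added example that is not Alibaba Cloud's code. The function names are illustrative, CONFIG_INET6_ESP is the Kconfig symbol behind esp6, and the sample config and module list are constructed.

```shell
# Added example (not vendor code); function names are illustrative.
# kconfig_state FILE SYMBOL -> builtin | module | absent
kconfig_state() {
    case "$(grep -E "^$2=" "$1" 2>/dev/null || true)" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# assess CONFIG MODULES NAME SYMBOL -> verdict line for one module
assess() {
    case "$(kconfig_state "$1" "$4")" in
        builtin) echo "$3: built-in; modprobe blacklist ineffective" ;;
        absent)  echo "$3: not compiled; path absent" ;;
        module)
            if grep -q "^$3 " "$2" 2>/dev/null; then
                echo "$3: module, loaded; blacklist and rmmod if unused"
            else
                echo "$3: module, not loaded; blacklist effective"
            fi ;;
    esac
}

# userns_state FILE -> allowed | blocked | unknown (step 3, ESP variant)
userns_state() {
    case "$(cat "$1" 2>/dev/null || true)" in
        1) echo allowed ;;
        0) echo blocked ;;
        *) echo unknown ;;   # sysctl file missing on this kernel
    esac
}

# selfcheck [CONFIG] [MODULES] [USERNS]; defaults read the live system
selfcheck() {
    cfg=${1:-/boot/config-$(uname -r)}
    mods=${2:-/proc/modules}
    assess "$cfg" "$mods" esp4  CONFIG_INET_ESP
    assess "$cfg" "$mods" esp6  CONFIG_INET6_ESP
    assess "$cfg" "$mods" rxrpc CONFIG_AF_RXRPC
    echo "userns: $(userns_state "${3:-/proc/sys/kernel/unprivileged_userns_clone}")"
}

# Constructed sample input (not taken from a real host)
demo=$(mktemp -d)
printf 'CONFIG_INET_ESP=m\nCONFIG_INET6_ESP=y\n# CONFIG_AF_RXRPC is not set\n' > "$demo/config"
printf 'esp4 28672 0 - Live 0x0\n' > "$demo/modules"; printf '1\n' > "$demo/userns"
selfcheck "$demo/config" "$demo/modules" "$demo/userns"
rm -rf "$demo"
```

Calling selfcheck with no arguments reads the running kernel's config, /proc/modules and the userns sysctl instead of the sample files.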
Remediation Recommendations
1. The official patch for CVE-2026-43284 has been released. After assessing whether your business is affected, apply the patch promptly.
2. Mitigation Measures:
(1) Add the esp4, esp6, and rxrpc modules to the modprobe blacklist to prevent automatic loading, and immediately unload any already loaded modules (if they are not currently in use)
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf"
sudo rmmod esp4 esp6 rxrpc 2>/dev/null || true
Note: This mitigation may interrupt IPsec (VPN) and RxRPC (AFS file systems), so evaluate it based on your actual business situation.
In addition, it is recommended to apply this mitigation only on machines where the vulnerability exploit has not been run; otherwise, the mitigation may be ineffective.
Alibaba Cloud has verified through PoC testing that this mitigation is effective for Alinux 3 and Alinux 4.
(2) Restrict unprivileged users from creating User Namespaces through sysctl to block the ESP variant
sysctl -w user.max_user_namespaces=0
Note: This mitigation affects container runtimes (such as Docker and Podman that rely on User Namespaces). It is recommended only for non-container environments.
[Note]: Back up your data before upgrading to avoid unexpected issues.
References
https://github.com/V4bel/dirtyfrag
https://avd.aliyun.com/detail?id=AVD-2026-43284
We will continue to track developments and provide updates as soon as possible. If you have any questions, please contact the relevant technical support team. We will make every effort to assist you with the upgrade and hardening process.
Alibaba Cloud Security Team