Dirty Frag: Linux Kernel ESP Decryption Flaw Enables Local Privilege Escalation to Root

What Is Happening

A critical vulnerability in the Linux kernel's ESP (Encapsulating Security Payload) handling allows local attackers to escalate privileges to root. Tracked as CVE-2026-43284, the flaw stems from how the kernel handles shared socket buffer (skb) fragments when processing ESP-in-UDP packets. When MSG_SPLICE_PAGES attaches pipe pages directly to a UDP skb, the IPv4/IPv6 datagram paths fail to set the SKBFL_SHARED_FRAG flag that TCP correctly applies. This causes ESP input processing to decrypt data in place over memory pages that are not privately owned by the skb, corrupting shared memory and enabling write-what-where exploitation.

This vulnerability is part of a chain dubbed "Dirty Frag" by researchers, which pairs CVE-2026-43284 with CVE-2026-43500 for reliable privilege escalation. Public exploit code was released before patches became available for several distributions, creating an immediate exposure window. The flaw affects kernel versions dating back to 4.11, meaning a substantial portion of production Linux systems, including servers, containers, and cloud instances, are potentially vulnerable.

The CVSS score of 7.8 (HIGH) with a Changed scope indicates that successful exploitation can impact resources beyond the vulnerable component. The attack requires local access and low privileges but no user interaction, making it attractive for post-compromise escalation in multi-user environments or container escape scenarios.

Affected Versions

Patched versions:

• 5.10.255 and later (LTS branch)
• 5.15.205 and later (LTS branch)
• 6.1.171 and later (LTS branch)

Patch commits:

• 50ed1e7873100f77abad20fd31c51029bc49cd03
• 52646cbd00e765a6db9c3afe9535f26218276034
• 5d55c7336f8032d434adcc5fab987ccc93a44aec
• 71a1d9d985d26716f74d21f18ee8cac821b06e97

Distribution-specific updates should be tracked via your vendor's security advisory pages. Kernels in the 5.11.x branch and between 5.16 and 6.1.170 that are not part of an LTS release may not receive backported fixes; upgrade to a supported branch.

What Being on an Affected Version Means

An attacker with local shell access, even as an unprivileged user, can exploit this vulnerability to gain root privileges on the system. The attack leverages the memory corruption primitive created when ESP decrypts in place over shared pipe pages. By carefully constructing ESP-in-UDP packets and controlling the pipe buffer contents, an attacker can achieve arbitrary write capability (CWE-123), overwriting kernel structures to escalate privileges.

The attack path begins with any local access vector: a compromised web application, SSH access with limited permissions, a container breakout attempt, or a malicious insider. From there, the attacker crafts the exploit locally, gains root, and can then access all data on the system, install persistent backdoors, pivot to other networked systems using harvested credentials, or disable security controls. In containerized environments, this flaw may enable escape from container isolation if the host kernel is vulnerable. Systems running IPsec VPN configurations with ESP-in-UDP encapsulation have the vulnerable code path active, though the flaw can be triggered regardless of whether IPsec is intentionally configured.

Mitigation Steps

1. Update to a patched kernel version immediately. For LTS branches, upgrade to kernel 5.10.255, 5.15.205, or 6.1.171 or later. Check your distribution's package manager for the specific package version containing the fix:

• Debian/Ubuntu: apt update && apt upgrade linux-image-$(uname -r)
• RHEL/CentOS/Fedora: dnf update kernel or check Red Hat's security advisory for backported fixes
• SUSE: zypper update kernel-default

1. If immediate patching is not possible, restrict local access. Reduce the number of users and services with shell access to affected systems. Audit sudo configurations and remove unnecessary privilege grants.

1. Disable ESP-in-UDP processing if not required. If your environment does not use IPsec with UDP encapsulation (commonly used for NAT traversal), you can unload the esp4_offload and esp6_offload modules and blacklist them:

```

modprobe -r esp4_offload esp6_offload

echo "blacklist esp4_offload" >> /etc/modprobe.d/disable-esp-udp.conf

echo "blacklist esp6_offload" >> /etc/modprobe.d/disable-esp-udp.conf

```

1. Monitor for exploitation attempts. Watch for unusual process privilege changes using auditd rules:

```

-a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=0 -k privilege_escalation

```

Review /var/log/audit/audit.log for type=EXECVE events where a non-root user spawns root processes unexpectedly. Endpoint detection tools should alert on known Dirty Frag exploit signatures if detection rules have been updated.

1. Verify patch application. After updating, confirm the running kernel version with uname -r and ensure the system has rebooted into the patched kernel.

Given that public exploit code exists and the vulnerability enables full root compromise from any local user, patching should be treated as an emergency priority for all affected Linux systems.