The “Dirty Frag” vulnerability is a chained local privilege escalation (LPE) issue in the Linux kernel that combines flaws in the ESP/XFRM and RXRPC subsystems to allow an unprivileged local attacker to gain root access on major Linux distributions. The attack abuses kernel page-cache manipulation and network protocol handling to overwrite privileged binaries and execute arbitrary code with elevated privileges. Exploitation differs by distribution: the ESP issue affects systems that permit unprivileged user namespaces, while the RXRPC issue affects distributions with RXRPC enabled, such as Ubuntu. Together, the two vulnerabilities give broad cross-distribution root compromise capability. The mitigation is to disable the affected kernel modules (esp4, esp6 and rxrpc) until the upstream patches are fully merged and deployed.
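The description above and the comments below boil the interim mitigation down to one question an administrator has to answer on every host: are esp4, esp6 and rxrpc loaded right now, and is anything stopping them from being loaded again? The following POSIX shell helper is an added audit example, not code from the bug report or from Red Hat. It reads the same three sources the workarounds in this thread touch (/proc/modules, /etc/modprobe.d/*.conf and the kernel command line), treats only an "install NAME /bin/false" line or a module_blacklist= boot argument as an effective block, and reports a per-module status. The file paths are parameters (defaulting to the live host) so the checks can also be run against copies collected from other machines; the MODULES list and the status words are this example's own choices.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or Red Hat): reports whether the
# esp4, esp6 and rxrpc modules named in the Dirty Frag workaround are loaded,
# and whether they are blocked from being loaded again. Every path is a
# parameter so the checks also work on copies of /proc/modules,
# /etc/modprobe.d and /proc/cmdline taken from another host.

MODULES="esp4 esp6 rxrpc"

# module_loaded NAME [MODULES_FILE]
# 0 if NAME appears in a /proc/modules-style file (first column is the name).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# module_blocked NAME [MODPROBE_DIR] [CMDLINE_FILE]
# 0 if loading NAME is blocked by either mechanism mentioned in this thread:
#   - "install NAME /bin/false" in a modprobe.d file: modprobe runs /bin/false
#     instead of inserting the module, so even an explicit request fails;
#   - module_blacklist=... on the kernel command line (the grubby workaround).
# A plain "blacklist NAME" line is deliberately NOT counted: it only stops
# alias-based autoloading, and an explicit modprobe still succeeds.
module_blocked() {
    name=$1
    dir=${2:-/etc/modprobe.d}
    cmdline=${3:-/proc/cmdline}
    for f in "$dir"/*.conf; do
        [ -r "$f" ] || continue
        if grep -Eq "^[[:space:]]*install[[:space:]]+$name[[:space:]]+/bin/(false|true)([[:space:]]|$)" "$f"; then
            return 0
        fi
    done
    if [ -r "$cmdline" ] &&
       tr ' ' '\n' < "$cmdline" | grep -Eq "^module_blacklist=([^,]+,)*$name(,|$)"; then
        return 0
    fi
    return 1
}

# audit_module NAME [MODULES_FILE] [MODPROBE_DIR] [CMDLINE_FILE]
# Prints one status word and returns 0 only for "ok":
#   ok        not loaded and blocked from loading
#   loaded    blocked for the future, but still resident (rmmod or reboot)
#   unblocked not loaded now, but nothing prevents loading it later
#   exposed   loaded and not blocked
audit_module() {
    name=$1
    if module_loaded "$name" "${2:-/proc/modules}"; then loaded=1; else loaded=0; fi
    if module_blocked "$name" "${3:-/etc/modprobe.d}" "${4:-/proc/cmdline}"; then blocked=1; else blocked=0; fi
    case "$loaded$blocked" in
        01) echo ok;        return 0 ;;
        11) echo loaded;    return 1 ;;
        00) echo unblocked; return 1 ;;
        10) echo exposed;   return 1 ;;
    esac
}

# audit_all: audit every module in MODULES against the live host; non-zero
# exit if any module is not in the "ok" state.
audit_all() {
    rc=0
    for m in $MODULES; do
        printf '%s: ' "$m"
        audit_module "$m" || rc=1
    done
    return $rc
}

# Run the live audit only when asked explicitly: sh dirtyfrag-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_all
fi
```

The "loaded" state is the one the rmmod step in this thread addresses: an install line in modprobe.d stops future loads but does nothing to a module that is already resident, so a host that added the configuration without unloading or rebooting still shows the module in /proc/modules. The "unblocked" state is the case a scanner is likely to flag even when the module is not currently loaded, which is why the example does not report it as ok.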
What is the recommended workaround until a patch is available? RHEL does not load these modules with modprobe.

The following command followed by a reboot seems to work:
grubby --update-kernel=ALL --args=module_blacklist=esp4,esp6,rxrpc
However, I don't know if it's the recommended solution or if there is one that is better / more safe.

https://access.redhat.com/security/cve/cve-2026-43284
Also, it does not list RHEL7 as affected or unaffected or under investigation.

still no https://access.redhat.com/security/cve/cve-2026-43500 which seems to be another CVE related to dirty frag
(In reply to Yannick Bergeron from comment #5)
> What is the recommended workaround until a patch is available? RHEL does not
> load these modules with modprobe
>
> The following command followed by a reboot seems to work: grubby
> --update-kernel=ALL --args=module_blacklist=esp4,esp6,rxrpc
> However, I don't know if it's the recommended solution or if there is one
> that is better / more safe.
>
> https://access.redhat.com/security/cve/cve-2026-43284
> Also, it does not list RHEL7 as affected or unaffected or under investigation
>
> still no https://access.redhat.com/security/cve/cve-2026-43500 which seems
> to be another CVE related to dirty frag

Hi Yannick,

The Red Hat Security Bulletin (https://access.redhat.com/security/vulnerabilities/RHSB-2026-003) for this CVE has mitigation steps detailed that should assist while we work on a patch. The CVE page does seem to show both RHEL 6 and 7 as Under Investigation when I look at it, so please check again. If it's still not displaying properly you can reach out to me directly via email and I'll reach out to the team responsible to see if there might be an issue with the back end not displaying correctly.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2026:16061 https://access.redhat.com/errata/RHSA-2026:16061
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:16062 https://access.redhat.com/errata/RHSA-2026:16062
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:16100 https://access.redhat.com/errata/RHSA-2026:16100
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:16196 https://access.redhat.com/errata/RHSA-2026:16196
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:16203 https://access.redhat.com/errata/RHSA-2026:16203
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:16195 https://access.redhat.com/errata/RHSA-2026:16195
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2026:16201 https://access.redhat.com/errata/RHSA-2026:16201
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:16202 https://access.redhat.com/errata/RHSA-2026:16202
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2026:16204 https://access.redhat.com/errata/RHSA-2026:16204
Are we still waiting for a kernel fix for the general Red Hat Enterprise Linux 9 channel? I don't see listed above.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:16206 https://access.redhat.com/errata/RHSA-2026:16206
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:16254 https://access.redhat.com/errata/RHSA-2026:16254
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:16328 https://access.redhat.com/errata/RHSA-2026:16328
This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:16314 https://access.redhat.com/errata/RHSA-2026:16314
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:16312 https://access.redhat.com/errata/RHSA-2026:16312
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.18 Via RHSA-2026:16160 https://access.redhat.com/errata/RHSA-2026:16160
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.19 Via RHSA-2026:16161 https://access.redhat.com/errata/RHSA-2026:16161
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.21 Via RHSA-2026:16155 https://access.redhat.com/errata/RHSA-2026:16155
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2026:16171 https://access.redhat.com/errata/RHSA-2026:16171
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.20 Via RHSA-2026:16157 https://access.redhat.com/errata/RHSA-2026:16157
(In reply to Cole Towsley from comment #6)
> (In reply to Yannick Bergeron from comment #5)
> > What is the recommended workaround until a patch is available? RHEL does not
> > load these modules with modprobe
> >
> > The following command followed by a reboot seems to work: grubby
> > --update-kernel=ALL --args=module_blacklist=esp4,esp6,rxrpc
> > However, I don't know if it's the recommended solution or if there is one
> > that is better / more safe.
> >
> > https://access.redhat.com/security/cve/cve-2026-43284
> > Also, it does not list RHEL7 as affected or unaffected or under investigation
> >
> > still no https://access.redhat.com/security/cve/cve-2026-43500 which seems
> > to be another CVE related to dirty frag
>
> Hi Yannick,
>
> The Red Hat Security
> Bulletin(https://access.redhat.com/security/vulnerabilities/RHSB-2026-003)
> for this CVE has mitigation steps detailed that should assist while we work
> on a patch. The CVE page does seem to show both RHEL 6 and 7 as Under
> Investigation when i look at it, so please check again. If it's still not
> displaying properly you can reach out to me directly via email and I'll
> reach out to the team responsible to see if there might be an issue with the
> back end not displaying correctly.

Our cyber team uses Qualys to detect that RHEL7 is "vulnerable" despite RH public statement otherwise. Is it safe to add workarounds to stop Qualys noise?

rmmod esp4 esp6
echo "install esp4 /bin/false" >> /etc/modprobe.d/disable-esp.conf
echo "install esp6 /bin/false" >> /etc/modprobe.d/disable-esp.conf
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2026:16180 https://access.redhat.com/errata/RHSA-2026:16180