DirtyFrag Linux Vulnerabilities (CVE-2026-43284 & CVE-2026-43500): Interim Mitigations for Critical Kernel Privilege Escalation Risks
On May 8th, 2026, security researchers and vendors disclosed a Linux kernel privilege escalation chain referred to as DirtyFrag, impacting systems utilizing vulnerable xfrm-ESP and RxRPC kernel components.
The vulnerabilities tracked as CVE-2026-43284 and CVE-2026-43500 may allow attackers with local system access to elevate privileges and potentially compromise affected Linux systems.
Until official vendor patches become broadly available, organizations are being encouraged to implement interim mitigations designed to disable vulnerable kernel modules and reduce exposure risk.
Why This Matters
Affected Components
- esp4 / esp6: Linux kernel IPsec ESP receive path modules associated with CVE-2026-43284.
- ipcomp4 / ipcomp6: IPsec compression modules sharing the affected xfrm code paths referenced in vendor mitigation guidance.
- rxrpc: Linux RxRPC protocol stack module associated with CVE-2026-43500.
Who Should Be Concerned?
- Linux administrators
- Cloud infrastructure teams
- Organizations using IPsec VPNs
- AFS / RxRPC environments
- Security and compliance teams
Operational Considerations
| Area | Impact |
|---|---|
| IPsec VPN | VPN tunnels may stop functioning after mitigation deployment. |
| RxRPC Services | AFS or kafs-based workloads may become unavailable. |
| Reboot Requirements | Some systems may require a reboot to fully unload vulnerable modules. |
Interim Mitigation Script
The following mitigation script was authored by Jason Kikta and is designed to implement the current vendor-recommended workaround until official Linux kernel patches are released.
The script:
- Creates a persistent modprobe blacklist configuration
- Prevents vulnerable modules from loading
- Attempts to unload currently loaded vulnerable modules
- Verifies mitigation compliance after execution
Execution Example
```bash
chmod +x remediation.sh
sudo ./remediation.sh
```
Mitigation Script
```bash
#!/bin/bash
#================================================================
# HEADER
#================================================================
# SYNOPSIS
#   Applies the vendor-recommended interim mitigation for the Linux
#   "Dirty Frag" kernel privilege escalation chain (CVE-2026-43284
#   xfrm-ESP and CVE-2026-43500 RxRPC) by blacklisting the affected
#   modules (esp4, esp6, ipcomp4, ipcomp6, rxrpc) via modprobe and
#   unloading them from the running kernel.
#
# DESCRIPTION
#   Writes /etc/modprobe.d/dirtyfrag.conf with "install" stubs that
#   point each vulnerable module at /bin/false. This is the modprobe
#   idiom for "refuse to load this module under any circumstance",
#   and it covers both direct (`modprobe esp4`) and indirect
#   (alias / dependency) load paths. After the file is written we
#   attempt to `rmmod` each module so the running kernel is no longer
#   exposed; rmmod failures are tolerated when the module is in use,
#   in which case a reboot is required to fully apply the mitigation
#   (we emit a clear notice in that case).
#
#   Module coverage rationale:
#     * esp4, esp6       — IPsec ESP receive path (CVE-2026-43284).
#     * ipcomp4, ipcomp6 — IPsec IP-Compression. Shares the affected xfrm
#                          code path; called out by AWS Security Bulletin
#                          2026-027 as part of the mitigation set.
#     * rxrpc            — RxRPC protocol stack (CVE-2026-43500).
#
#   The remediation is idempotent — running it repeatedly has no
#   additional effect once the blacklist file is in place and the
#   modules are unloaded.
#
# WARNING
#   This mitigation disables IPsec ESP (esp4 / esp6), IPsec
#   IP-Compression (ipcomp4 / ipcomp6), and RxRPC (rxrpc) kernel
#   modules. Hosts that rely on these subsystems will lose
#   functionality:
#     * IPsec VPN tunnels (strongSwan, Libreswan, racoon, etc.) will
#       stop establishing or carrying traffic — including any tunnels
#       that negotiate IPComp.
#     * AFS clients / kafs that depend on RxRPC will break.
#   Review impact before scheduling on VPN concentrators or AFS hosts.
#
#   Once the upstream xfrm-ESP fix (commit f4c50a4034e6...) and the
#   pending RxRPC fix have shipped in your distribution's kernel and
#   the host has rebooted onto the patched kernel, this mitigation
#   can be reverted: delete /etc/modprobe.d/dirtyfrag.conf and reboot
#   (or `modprobe esp4 esp6 ipcomp4 ipcomp6 rxrpc` to reload
#   immediately).
#
# PREREQUISITES
#   * Linux endpoint with /etc/modprobe.d/ writable by root (Automox
#     agent runs as root, so this is satisfied on supported distros).
#   * Recommended: schedule during a maintenance window if IPsec or
#     RxRPC services are in use, since unloading the modules will
#     interrupt active sessions.
#
# USAGE
#   ./remediation.sh
#
# EXIT CODES
#   0 — mitigation applied and verified (file present, modules
#       unloaded OR flagged for next reboot).
#   1 — mitigation could not be written or verified.
#
#================================================================
# IMPLEMENTATION
#   version 1.1
#   author  Jason Kikta
#
#================================================================
# HISTORY
#   2026-05-08 : JKikta : Worklet created.
#   2026-05-08 : JKikta : Added ipcomp4/ipcomp6 to coverage per AWS
#                         Security Bulletin 2026-027; added CVE refs
#                         (CVE-2026-43284, CVE-2026-43500).
#
#================================================================
# END_OF_HEADER
#================================================================

BLACKLIST_FILE="/etc/modprobe.d/dirtyfrag.conf"
VULN_MODULES=("esp4" "esp6" "ipcomp4" "ipcomp6" "rxrpc")

# Step 1: persist the blacklist so the modules stay disabled across reboots.
echo "Writing modprobe blacklist to $BLACKLIST_FILE..."
if ! cat > "$BLACKLIST_FILE" <<'EOF'
install esp4 /bin/false
install esp6 /bin/false
install ipcomp4 /bin/false
install ipcomp6 /bin/false
install rxrpc /bin/false
EOF
then
  echo "Failed to write $BLACKLIST_FILE"
  exit 1
fi
chmod 0644 "$BLACKLIST_FILE"
chown root:root "$BLACKLIST_FILE" 2>/dev/null || true

# Step 2: unload any module that is currently loaded; an in-use module
# cannot be removed live, so flag it for the next reboot instead.
REBOOT_REQUIRED=0
for mod in "${VULN_MODULES[@]}"; do
  if grep -q "^${mod} " /proc/modules 2>/dev/null; then
    echo "Attempting to unload kernel module '${mod}'..."
    if rmmod "$mod" 2>/dev/null; then
      echo "  Unloaded '${mod}'."
    else
      echo "  '${mod}' is in use and cannot be unloaded now; a reboot will complete mitigation."
      REBOOT_REQUIRED=1
    fi
  else
    echo "Kernel module '${mod}' is not loaded."
  fi
done

# Step 3: verify the persistent part of the mitigation is really in place.
VERIFY_FAILED=0
if [[ ! -f "$BLACKLIST_FILE" ]]; then
  echo "Verification failed: $BLACKLIST_FILE is missing after write."
  VERIFY_FAILED=1
else
  for mod in "${VULN_MODULES[@]}"; do
    if ! grep -Eq "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+(/bin/false|/bin/true)([[:space:]]|$)" "$BLACKLIST_FILE"; then
      echo "Verification failed: '$BLACKLIST_FILE' is missing the install stub for '${mod}'."
      VERIFY_FAILED=1
    fi
  done
fi

if [[ "$VERIFY_FAILED" -ne 0 ]]; then
  echo "Remediation failed verification."
  exit 1
fi

if [[ "$REBOOT_REQUIRED" -eq 1 ]]; then
  echo "Persistent mitigation applied. REBOOT REQUIRED to fully unload in-use module(s)."
  exit 0
fi

echo "Dirty Frag mitigation applied successfully: blacklist installed and modules unloaded."
exit 0
```
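The remediation script verifies that the blacklist file was written, but a practitioner will also want to confirm on each host that the modules are really gone, and to catch the one case a modprobe install stub cannot handle: a module compiled into the kernel rather than loadable, which the blacklist does not affect. The following audit helper is added example code for this article, not part of Jason Kikta's remediation.sh; the function names and the `--run` flag are my own, and it reads the standard `/lib/modules/$(uname -r)/modules.builtin` list to detect built-in modules.

```bash
#!/bin/bash
# Added audit helper (example code, not part of remediation.sh): reports
# whether the DirtyFrag interim mitigation is effective on a host. Paths are
# parameters so the checks also run against captured copies of the files.
VULN_MODULES="esp4 esp6 ipcomp4 ipcomp6 rxrpc"

# Print vulnerable modules lacking an "install <mod> /bin/false" (or
# /bin/true) stub in the given modprobe config; return 1 if any are missing.
missing_stubs() {
  local conf="$1" mod rc=0
  for mod in $VULN_MODULES; do
    grep -Eq "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(false|true)([[:space:]]|$)" \
      "$conf" 2>/dev/null || { echo "$mod"; rc=1; }
  done
  return $rc
}

# Print vulnerable modules still present in a /proc/modules listing
# ("name size refcount deps state addr"); return 1 if any are loaded.
loaded_vuln_modules() {
  local procmod="$1" mod rc=0
  for mod in $VULN_MODULES; do
    grep -q "^${mod} " "$procmod" 2>/dev/null && { echo "$mod"; rc=1; }
  done
  return $rc
}

# Print vulnerable modules compiled into the kernel, as listed in
# modules.builtin (e.g. kernel/net/ipv4/esp4.ko). A modprobe install stub
# cannot disable built-in code, so such a host needs a patched kernel.
builtin_vuln_modules() {
  local builtin="$1" mod rc=0
  for mod in $VULN_MODULES; do
    grep -q "/${mod}\.ko$" "$builtin" 2>/dev/null && { echo "$mod"; rc=1; }
  done
  return $rc
}
# Live check of this host (run as: ./audit.sh --run); exit 1 on any finding.
# $(echo $var) is unquoted on purpose to join the one-per-line output.
audit_host() {
  local rc=0 m l b
  m=$(missing_stubs /etc/modprobe.d/dirtyfrag.conf) || { echo "no install stub for: $(echo $m)"; rc=1; }
  l=$(loaded_vuln_modules /proc/modules) || { echo "still loaded (rmmod or reboot): $(echo $l)"; rc=1; }
  b=$(builtin_vuln_modules "/lib/modules/$(uname -r)/modules.builtin") \
    || { echo "built-in (blacklist ineffective, patch kernel): $(echo $b)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "DirtyFrag mitigation verified: stubs present, modules unloaded, none built in"
  return $rc
}
if [ "${1:-}" = "--run" ]; then audit_host; exit $?; fi
```

A non-zero exit from `--run` is a finding to act on; in particular a built-in module means the host stays exposed until it reboots onto a patched kernel regardless of the blacklist.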
SIEM Detection Queries
Splunk
```text
index=linux_logs ("esp4" OR "esp6" OR "ipcomp4" OR "ipcomp6" OR "rxrpc")
| stats count by host
```
Elastic (KQL)
```text
process.command_line : ("*esp4*" or "*esp6*" or "*ipcomp4*" or "*ipcomp6*" or "*rxrpc*")
```
Microsoft Sentinel
```text
Syslog | where SyslogMessage contains "esp4"
```
Wazuh
```text
rule.groups: linux AND
data.command: ("esp4" OR "esp6" OR "rxrpc")
```
Need Assistance Assessing Linux Exposure?
DBT provides vulnerability management, infrastructure penetration testing, Linux hardening guidance, SIEM monitoring, and incident response services to help organizations reduce exposure to emerging threats such as DirtyFrag.
Source: Vendor mitigation guidance and mitigation script authored by Jason Kikta.
This article is provided for informational purposes only. Organizations should validate all mitigations within a controlled environment before deployment into production systems.
© 2026 Direct Business Technologies All rights reserved.