CVE-2026-43284KEVEXPLOITEDPATCHED

linux · linux_kernel

xfrm: esp: avoid in-place decrypt on shared skb frags

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

Affected Products

Vendor	Product	Versions
linux	linux_kernel	cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, cac2661c53f35cbe651bef9b07026a5a05ab8ce0, 4.11

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
linux	linux	mitre_affected	90%
open source	linux kernel	cert_advisory	90%

References

Related News (41 articles)

Tier B

CERT-FR1d ago

Multiples vulnérabilités dans le noyau Linux d'Ubuntu (26 juin 2026)

→ No new info (linked only)

Tier B

CERT-FR1d ago

Multiples vulnérabilités dans le noyau Linux de Red Hat (26 juin 2026)

→ No new info (linked only)

Tier B

CERT-FR15d ago

Multiples vulnérabilités dans le noyau Linux de SUSE (12 juin 2026)

→ No new info (linked only)

Tier D

The Hacker News18d ago

Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models

→ No new info (linked only)

Tier A

Fortinet PSIRT24d ago

Linux Kernel vulnerability Dirty Frag

→ No new info (linked only)

Tier B

CERT-FR26d ago

Multiples vulnérabilités dans les produits Mitel (01 juin 2026)

→ No new info (linked only)

Tier C

Rapid7 Blog29d ago

Metasploit Wrap Up 05/29/2026

→ No new info (linked only)

Tier C

Exploit-DB29d ago

[local] Linux Kernel - Local Privilege Escalation

→ No new info (linked only)

Tier B

CCCS Canada30d ago

Mitel security advisory (AV26-524)

→ No new info (linked only)

Tier E

Hacker News30d ago

Dirty Frag: a kernel zero-day vs. container and microVM sandboxes

→ No new info (linked only)

Tier C

Exploit-DB31d ago

[local] Linux Kernel - Local Privilege Escalation

→ No new info (linked only)

Tier B

CCCS Canada32d ago

[Control Systems] Moxa security advisory (AV26-509)

→ No new info (linked only)

Tier B

CERT-FR36d ago

Multiples vulnérabilités dans le noyau Linux de SUSE (22 mai 2026)

→ No new info (linked only)

Tier B

CERT/CC Vuln Notes38d ago

VU#980487: Local privilege escalation in Linux Kernel (Dirty Frag)

→ No new info (linked only)

Tier B

CERT-FR43d ago

Multiples vulnérabilités dans le noyau Linux de SUSE (15 mai 2026)

→ No new info (linked only)

Tier B

CERT-FR43d ago

Multiples vulnérabilités dans le noyau Linux de Red Hat (15 mai 2026)

→ No new info (linked only)

Tier B

CERT-FR43d ago

Multiples vulnérabilités dans le noyau Linux de Debian (15 mai 2026)

→ No new info (linked only)

Tier C

oss-security44d ago

Re: Linux kernel LPE ("fragnesia", copyfail 3.0)

→ No new info (linked only)

Tier D

Infosecurity Magazine44d ago

New Fragnesia Flaw Hands Linux Local Users Root Access

→ No new info (linked only)

Tier C

oss-security44d ago

Re: Linux kernel LPE ("fragnesia", copyfail 3.0)

→ No new info (linked only)

Tier C

oss-security45d ago

Re: Linux kernel LPE ("fragnesia", copyfail 3.0)

→ No new info (linked only)

Tier E

Reddit r/cybersecurity45d ago

Detecting CopyFail and DirtyFrag by thinking outside the box

→ No new info (linked only)

Tier D

Heise Security46d ago

Anonymisierendes Linux Tails: Notfallupdate 7.7.3 fixt DirtyFrag-Lücke

→ No new info (linked only)

Tier E

Hacker News47d ago

Just released: Dirty Frag (CVE-2026-43284 / CVE-2026-43500) Detection Script

→ No new info (linked only)

Tier D

The Record47d ago

Dirty Frag: Linux kernel hit by second major security flaw in two weeks

→ No new info (linked only)

Tier D

CSO Online47d ago

New ‘Dirty Frag’ exploit targets Linux kernel for root access

→ No new info (linked only)

Tier A

Microsoft MSRC47d ago

CVE-2026-43284 xfrm: esp: avoid in-place decrypt on shared skb frags

→ No new info (linked only)

Tier D

SecurityWeek47d ago

New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks

→ No new info (linked only)

Tier B

CERT-FR47d ago

Bulletin d'actualité CERTFR-2026-ACT-021 (11 mai 2026)

→ No new info (linked only)

Tier E

Hacker News49d ago

"Dirty Frag" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days

→ No new info (linked only)

Tier E

Hacker News49d ago

CVE-2026-43284 ("Dirty Frag") Alma Linux

→ No new info (linked only)

Tier E

Hacker News49d ago

Dirty Frag: Ongoing Linux Kernel Privilege Escalation Vulnerability Since 2017

→ No new info (linked only)

Tier C

Qualys Blog49d ago

Dirty Frag: Using the Page Caches as an Attack Surface

→ No new info (linked only)

Tier E

Hacker News49d ago

Dirty Frag Linux kernel local privilege escalation vulnerability mitigations

→ No new info (linked only)

Tier E

Hacker News50d ago

Dirty Frag (CVE-2026-43284, CVE-2026-43500): Mitigation

→ No new info (linked only)

Tier B

CCCS Canada50d ago

AL26-011 - Vulnerabilities affecting Linux - CVE-2026-43284 and CVE-2026-43500

→ No new info (linked only)

Tier D

Help Net Security50d ago

Dirty Frag: Unpatched Linux vulnerability delivers root access

→ No new info (linked only)

Tier B

BSI Advisories50d ago

[NEU] [hoch] Linux Kernel (Dirty Frag): Mehrere Schwachstellen ermöglichen Erlangen von Administratorrechten

→ No new info (linked only)

Tier C

VulDB50d ago

CVE-2026-43284 | Linux Kernel up to 6.6.137/6.12.86/6.18.27/7.0.4 xfrm skb_splice_from_iter privilege escalation

→ No new info (linked only)

Tier C

oss-security50d ago

Re: Dirty Frag: Universal Linux LPE

→ No new info (linked only)

Tier C

Linux Kernel CVEs50d ago

CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags

→ No new info (linked only)

CVSS 3.18.8 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA KEV✅ Yes

Actively exploited✅ Yes

Patch available

50ed1e7873100f77abad20fd31c51029bc49cd03b54edf1e9a3fd3491bdcb82a21f8d21315271e0d71a1d9d985d26716f74d21f18ee8cac821b06e9752646cbd00e765a6db9c3afe9535f2621827603406.6.1386.12.876.18.287.0.5

PublishedMay 8, 2026

Last enriched24d agov23

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-31431EXPKEV

crypto: algif_aead - Revert to operating out-of-place

Trending: 121

HIGHCVE-2026-43500EXPKEV

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

Trending: 110

HIGHCVE-2026-46333EXP

ptrace: slightly saner 'get_dumpable()' logic

Trending: 78

HIGHCVE-2026-46300EXP

net: skbuff: preserve shared-frag marker during coalescing

Trending: 68

HIGHCVE-2026-43503EXP

net: skbuff: propagate shared-frag marker through frag-transfer helpers

Trending: 58

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 8, 2026

Added to CISA KEV

May 8, 2026

Discovered by ZDM

May 8, 2026

Updated: affectedVersions

May 8, 2026

Updated: cweIds, tags

May 8, 2026

Updated: description, cweIds, exploitAvailable, activelyExploited, tags

May 8, 2026

Updated: description, affectedVersions, tags

May 8, 2026

Updated: affectedVersions, cweIds, tags

May 9, 2026

Updated: description, severity

May 9, 2026

Updated: cweIds, tags

May 11, 2026

Updated: description, cweIds, tags

May 11, 2026

Updated: description, severity

May 11, 2026

Updated: affectedVersions, cweIds, tags

May 12, 2026

Updated: description, iocs, tags

May 13, 2026

Updated: affectedVersions, tags

May 14, 2026

Updated: affectedVersions, severity

May 14, 2026

Updated: description, affectedVersions, tags

May 20, 2026

Updated: cweIds, tags

May 26, 2026

Updated: affectedVersions, cweIds, tags

May 28, 2026

Updated: description, severity, tags

May 28, 2026

Updated: severity, cweIds, tags

May 29, 2026

Updated: description, affectedVersions, severity, iocs

May 29, 2026

Updated: description

May 29, 2026

Updated: cvssEstimate, description

Jun 3, 2026

Updated: description, cweIds

Jun 3, 2026

Actively Exploited

Jun 14, 2026

Exploit Available

Jun 14, 2026

Patch Available

Jun 14, 2026

Version History

v23

Last enriched 24d ago

v23Tier A24d ago

Added detailed description of CVE-2026-43500 and included a new CWE ID.

descriptioncweIds

via Fortinet PSIRT

v22Tier A24d ago

Updated CVSS from 8.8 to 7.9 and added detailed technical description of the vulnerabilities.

cvssEstimatedescription

via Fortinet PSIRT

v21Tier C29d ago

Updated description with more technical detail about the vulnerabilities and added the tag 'Dirty Frag'.

description

via Rapid7 Blog

v20Tier C29d ago

Updated description with new technical details, added CVE-2026-46300, changed severity to CRITICAL, and included new IoCs and tags.

descriptionaffectedVersionsseverityiocs

via Exploit-DB

v19Tier C29d ago

Updated affected versions, severity to HIGH, added new CWE-463, and included new tags related to Fragnesia.

severitycweIdstags

via Exploit-DB

v18Tier C30d ago

Updated description with detailed exploit information, changed severity to CRITICAL, and added new affected versions and tags.

descriptionseveritytags

via Exploit-DB

v17Tier C30d ago

Updated description with detailed exploit information, added affected versions, changed severity to CRITICAL, and included new CWE IDs and tags.

affectedVersionscweIdstags

via Exploit-DB

v16Tier B32d ago

Added CWE-20 and new tags related to Moxa security advisory.

cweIdstags

via CCCS Canada

v15Tier B38d ago

Added a detailed description of the vulnerability and included the new affected version 4.10 along with new tags related to the vulnerability.

descriptionaffectedVersionstags

via CERT/CC Vuln Notes

v14Tier C44d ago

Added affected version f4c50a4034e6 and updated severity to CRITICAL.

affectedVersionsseverity

via oss-security

v13Tier C44d ago

Added new affected version f4c50a4034e6 and included the new tag 'fragnesia'.

affectedVersionstags

via oss-security

v12Tier C45d ago

Updated description with new technical details about the vulnerability and added new IoCs and tags related to the exploit.

descriptioniocstags

via oss-security

v11Tier D46d ago

Added affected version 7.7.3 for Tails and included new CVE IDs CVE-2026-43284 and CVE-2026-43500.

affectedVersionscweIdstags

via Heise Security

v10Tier D47d ago

Updated description with new details about the discovery and impact, changed severity to IMPORTANT, and noted that no patch is currently available.

descriptionseverity

via The Record

v9Tier D47d ago

Updated description with detailed technical information about the Dirty Frag exploit and added new CWE and tags.

descriptioncweIdstags

via CSO Online

v8Tier D47d ago

Updated description with detailed technical information, added new CWE IDs, and included new tags related to the vulnerability.

cweIdstags

via SecurityWeek

v7Tier C49d ago

Updated description with detailed technical information about the Dirty Frag exploit and changed severity from NONE to HIGH.

descriptionseverity

via Qualys Blog

v6Tier C49d ago

Updated description with new technical details, added affected versions, changed severity to HIGH, and included new CWE and tags.

affectedVersionscweIdstags

via Qualys Blog

v5Tier B50d ago

Updated description with details on publicly available Proof of Concepts and added affected environments and tags.

descriptionaffectedVersionstags

via CCCS Canada

v4Tier B50d ago

Updated description with details on CVE-2026-43284 and CVE-2026-43500, added CWE-123, marked as actively exploited, and noted that no universal fix is available.

descriptioncweIdsexploitAvailableactivelyExploitedtags

via CCCS Canada

v3Tier D50d ago

Updated description with details about the 'Dirty Frag' vulnerability and added new CVE IDs and tags.

cweIdstags

via Help Net Security

v2Tier C50d ago

Updated affected versions to include 6.6.137, 6.12.86, 6.18.27, 7.0.4 and changed severity to CRITICAL.

affectedVersions

via VulDB

v150d ago

Initial creation