We have deployed kernel-level mitigations for the DirtyFrag vulnerability class across all Hypernodes.

What is DirtyFrag?

DirtyFrag is a Linux kernel local privilege escalation vulnerability class disclosed on 2026-05-07 by security researcher Hyunwoo Kim (@v4bel). It is the next entry in the same lineage as Dirty Pipe and the Copy Fail vulnerability we mitigated last month.

Unlike a single CVE, DirtyFrag is a chain of two separate kernel-cache write bugs:

  • xfrm-ESP Kernel-Cache Write (CVE-2026-43284), in the IPsec ESP decryption fast paths (esp4, esp6).
  • RxRPC Kernel-Cache Write (CVE-2026-43500), in the RxRPC decryption fast path (rxrpc).

Chained together, the two bugs cover every major Linux distribution shipped since 2017, roughly 9 years of kernels. They allow any unprivileged local user to obtain root privileges reliably, with no race condition required and without panicking the kernel on failure.

Impact on Hypernode

Some Hypernodes were running kernel modules that may be vulnerable to DirtyFrag, though in testing we were not successful in reproducing it. As with Copy Fail, the practical risk to our customers was minimal for one key reason: DirtyFrag is not remotely exploitable. An attacker must already have local shell access to the server to use it.

This means DirtyFrag is not a way into your server. It’s a way up, once someone is already inside.

What we did

We have deployed the recommended mitigations to neutralize both halves of the vulnerability chain:

  • Blocked the esp4, esp6, and rxrpc kernel modules from loading via a modprobe install rule.
  • Unloaded the modules where they were already loaded.
  • Cleared the kernel-cache on affected nodes to remove any pre-existing pollution.

These changes align with the guidance from the security researchers behind the original DirtyFrag disclosure, including Red Hat’s RHSB-2026-003 bulletin.

The mitigations have been rolled out automatically across all Hypernodes. They will remain in place until a comprehensive kernel update is made available by our vendors and rolled out across the platform.
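The module block and unload steps above can be audited on any Linux host with a short script. This is an added example, not Hypernode's own tooling: the function names, the `dirtyfrag.conf` file name and the sample data are constructed, and it assumes the rules take the common `install <module> /bin/false` form in a modprobe.d directory.

```shell
#!/bin/sh
# Added example: audit the module block described above.
# Assumption: rules look like "install <module> /bin/false" (or /bin/true)
# in *.conf files under a modprobe.d directory.
MODULES="esp4 esp6 rxrpc"

# is_blocked MODULE CONF_DIR: true if an install rule disables MODULE.
is_blocked() {
    [ -d "$2" ] || return 1
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# is_loaded MODULE MODULES_FILE: true if MODULE is listed (/proc/modules format).
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit hit ? 0 : 1 }' "$2"
}

# audit [CONF_DIR] [MODULES_FILE]: one line per module; non-zero if any gap remains.
audit() {
    conf=${1:-/etc/modprobe.d} list=${2:-/proc/modules} rc=0
    for m in $MODULES; do
        if is_loaded "$m" "$list"; then loaded=LOADED; rc=1; else loaded=not-loaded; fi
        if is_blocked "$m" "$conf"; then rule=blocked; else rule=NOT-BLOCKED; rc=1; fi
        echo "$m: $loaded, $rule"
    done
    return "$rc"
}

# make_sample DIR: constructed test data for a host where rxrpc was missed
# (its rule is commented out and the module is still loaded).
make_sample() {
    mkdir -p "$1/modprobe.d"
    printf '%s\n' '# constructed rule file' 'install esp4 /bin/false' \
        'install esp6 /bin/false' '#install rxrpc /bin/false' \
        > "$1/modprobe.d/dirtyfrag.conf"
    printf '%s\n' 'rxrpc 409600 0 - Live 0x0000000000000000' \
        'ext4 1011712 1 - Live 0x0000000000000000' > "$1/modules"
}
```

Sourcing the file and calling `audit` with no arguments checks the live host's /etc/modprobe.d and /proc/modules. An install rule only affects loads that go through modprobe, which is why the script also checks for modules that are already loaded.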

Action required

None. The mitigations have been applied automatically. No restart or manual intervention is needed on your part.

If you have questions about this vulnerability or your server’s security posture, contact our support team.