Updated: Linux Kernel Vulnerability “Dirty Frag” and Variants
Update
Another variant, named "DirtyDecrypt," has been identified as part of the Dirty Frag vulnerability set. It is a proof-of-concept exploit that allows attackers to gain root access on some Linux systems.
Linux users should install the latest kernel updates to patch their systems as soon as possible. If patching is not possible at this point, apply the same mitigations that were recommended for Dirty Frag, if they have not been applied already.
For more information, see:
- Exploit available for new DirtyDecrypt Linux root escalation flaw (Bleeping Computer, 5/18/26)
- DirtyCBC: When Linux Kernel Decrypt-Before-MAC Turns Authenticated Encryption Into a Page-Cache Write (Delphos Labs, 5/15/26)
Update - Thursday, May 14, 2026
A recently disclosed variant, referred to as "Fragnesia," has been identified as part of the Dirty Frag vulnerability set. A user with a local account could trigger the flaws to gain root privileges, the level of access held by a system administrator.
A patch is available. If patching is not possible at this point, apply the same mitigations that were recommended for Dirty Frag. Systems where the Dirty Frag mitigations described below have been implemented are also protected against Fragnesia.
For more information, see:
- RHSB-2026-003 Networking subsystem Privilege Escalation - Linux Kernel (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) - Dirty Frag (Red Hat Security Bulletin, 5/13/26)
- New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption (Hacker News, 5/14/26)
The message below is intended for U-M IT staff who are responsible for Linux systems. It was sent on Thursday, May 7, 2026.
Summary
Information and Technology Services (ITS) is responding to a newly disclosed Linux kernel vulnerability known as “Dirty Frag,” which is similar to the recent Copy Fail vulnerability.
Problem
"Dirty Frag" is a Linux kernel vulnerability that allows unauthorized users to quickly gain full administrative (root) control of a system, which presents critical security risks to all vulnerable Linux systems.
Threats
This vulnerability allows unauthorized users to quickly gain full administrative (root) control of a system, which presents critical security risks to all vulnerable Linux systems.
Affected Systems
This vulnerability affects all recent Linux systems: versions released since 2017, including kernel 7.0.4.
Affected Versions
All versions released since 2017, including kernel 7.0.4.
Detection
This vulnerability affects all recent Linux versions released since 2017, including kernel 7.0.4.
Action Items
Anyone who runs or administers Linux systems must take action immediately. One mitigation is to prevent the loading of the vulnerable kernel modules by performing the actions below. Note: ITS is mitigating ITS-managed MiServers running Linux. However, ITS customers with unmanaged MiServers will need to perform the mitigation for themselves.
- Create the file /etc/modprobe.d/dirtyfrag.conf containing the following three lines:
    install esp4 /bin/false
    install esp6 /bin/false
    install rxrpc /bin/false
- Check to see if the three modules are currently loaded by running:
    lsmod | egrep '^(esp4|esp6|rxrpc)'
- If any of the modules are loaded, unload them using commands such as the following:
    rmmod esp4
    rmmod esp6
    rmmod rxrpc
Note: This mitigation works by preventing the esp4, esp6, and rxrpc kernel modules from being loaded. This will break IPsec and RxRPC, which is used by the kAFS version of the AFS distributed file system software. However, the mitigation is not currently believed to negatively impact the OpenAFS version of the AFS software, the more common type of AFS software used on U-M systems. We currently believe it is safe to apply these mitigations to systems using OpenAFS. However, for any systems where the kernel modules are already loaded, we encourage you to perform these actions on a non-critical system and test essential functions prior to performing these actions on critical systems.
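An added example, not part of the original advisory or any ITS tooling: a POSIX shell audit of the mitigation steps above, confirming that each of the three modules is both blocked in modprobe configuration and not currently loaded. The function names, the optional path arguments, and the script name dirtyfrag_audit.sh are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the Dirty Frag module mitigation.
# Function names and the optional path arguments are assumptions for testing.
MODULES="esp4 esp6 rxrpc"

# is_blocked MODULE [CONF_DIR]
# Succeeds if an uncommented "install MODULE /bin/false" line, the form the
# advisory prescribes, exists in a *.conf file under CONF_DIR.
is_blocked() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { found = 1 }
                       END { exit !found }'
}

# is_loaded MODULE [MODULES_FILE]
# Succeeds if MODULE is resident; /proc/modules is the data lsmod formats.
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}" 2>/dev/null
}

# audit [CONF_DIR] [MODULES_FILE]
# Prints one status line per module; returns non-zero if any module is
# unblocked in config or still loaded (blocking a module in modprobe.d does
# not unload a copy that is already resident, so both are checked).
audit() {
    rc=0
    for mod in $MODULES; do
        if is_blocked "$mod" "${1:-/etc/modprobe.d}"; then cfg=blocked
        else cfg=NOT-BLOCKED; rc=1; fi
        if is_loaded "$mod" "${2:-/proc/modules}"; then run=LOADED; rc=1
        else run=not-loaded; fi
        printf '%-6s config=%-11s runtime=%s\n' "$mod" "$cfg" "$run"
    done
    return "$rc"
}

# Run against the live host only when asked: sh dirtyfrag_audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit
fi
```

The non-zero exit status makes the script usable from configuration management or a fleet-wide check to list hosts where the mitigation is incomplete.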
The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
Dirty Frag: Universal Linux LPE (github.com)