CVE-2026-43284: "Dirty Frag" Local Privilege Escalation via Linux Kernel Page Cache Corruption

CVE-2026-43284, commonly referred to as "Dirty Frag" or "Copy Fail 2", is a critical local privilege escalation (LPE) vulnerability affecting the Linux kernel. Discovered by security researcher Hyunwoo Kim (@v4bel), the flaw resides in the interaction between the network socket buffer (skb) fragmentation subsystem and the Encapsulating Security Payload (ESP) processing mechanism. The vulnerability allows an unprivileged local attacker to execute arbitrary writes against memory pages mapped to the system's page cache.

The core of the issue is a missing state flag when the kernel handles the MSG_SPLICE_PAGES directive during IPv4 and IPv6 datagram appending. This directive attaches data from a pipe directly to a socket's buffer without executing a copy operation. If the source of the pipe is a file, the resulting socket buffer fragments reference the Linux page cache directly. The kernel fails to properly mark these fragments as shared memory.

The vulnerability is classified under CWE-123 (Write-what-where Condition) and CWE-787 (Out-of-bounds Write). By exploiting the lack of copy-on-write enforcement during ESP decryption, an attacker can modify the contents of any file they have read access to. This directly undermines the operating system's permission model and facilitates complete system compromise.

The root cause of CVE-2026-43284 is the omission of the SKBFL_SHARED_FRAG flag during the processing of UDP datagram appends via the __ip_append_data function. The MSG_SPLICE_PAGES feature relies on this flag to indicate that the memory pages attached to a socket buffer (skb) are shared with other kernel subsystems. Without this flag, downstream consumers of the skb assume they possess exclusive ownership of the memory fragments.

When an IPsec ESP packet is received and processed, the ESP subsystem evaluates the socket buffer to determine if it can optimize the decryption process. The subsystem inspects the skb for shared or cloned flags. Due to the missing SKBFL_SHARED_FRAG flag, the ESP subsystem determines that the fragments are private and proceeds with a fast-path, in-place decryption routine.

This in-place decryption executes directly over the memory addresses provided by the socket buffer fragments. Because these fragments actually point to the Linux page cache for the spliced file, the decryption operation overwrites the file's cached data. The kernel does not trigger a copy-on-write (COW) fault because it incorrectly believes it is operating on private socket memory.

The corruption is limited to the system's volatile memory. However, since the operating system serves subsequent read requests for that file from the corrupted page cache, the attacker successfully alters the file's contents from the perspective of all other processes.

The vulnerable code resides in the network append paths, primarily net/ipv4/ip_output.c and net/ipv6/ip6_output.c. When MSG_SPLICE_PAGES is passed to sendmsg(), the kernel splices pages from the pipe buffer into the socket buffer fragments. The implementation failed to assign the SKBFL_SHARED_FRAG flag to the skb_shinfo(skb)->tx_flags.

The patch addresses this exact omission. Commit a6cb440f274a22456ef3e86b457344f1678f38f9 enforces copy-on-write semantics for shared fragments in the ESP receive path. The ESP subsystem now forces an evaluation of the shared state and triggers skb_cow_data() before any in-place decryption occurs.

/* Vulnerable state logic */
if (skb_cloned(skb) || skb_header_cloned(skb)) {
    err = skb_cow_data(skb, 0, &trailer);
    if (err < 0)
        goto error;
}
/* In-place decryption proceeds here, unaware of page cache backing */

The fix introduces strict checking for the SKBFL_SHARED_FRAG flag across the datagram append functions. By explicitly flagging the fragments generated via MSG_SPLICE_PAGES, the kernel ensures that subsequent consumers, including the IPsec stack, correctly identify the memory as shared and perform the necessary memory allocations to avoid overwriting the page cache.

/* Patched state logic */
if (skb_cloned(skb) || skb_header_cloned(skb) || 
    (skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG)) {
    err = skb_cow_data(skb, 0, &trailer);
    if (err < 0)
        goto error;
}

Exploiting CVE-2026-43284 requires local access to the vulnerable system and read permissions on the target file. The attacker initiates the exploit chain by opening a sensitive system file, such as /etc/passwd, in read-only mode. The attacker then creates a pipe and utilizes the splice() system call to move data from the file descriptor into the pipe without copying the data into userspace.

Next, the attacker opens a UDP socket and invokes sendmsg() with the MSG_SPLICE_PAGES flag, providing the pipe as the data source. This action forces the kernel to attach the pipe's memory pages directly to the socket buffer. At this stage, the socket buffer contains fragments that point directly to the page cache of /etc/passwd.

The final step involves triggering the ESP subsystem to process the malicious socket buffer. The attacker transmits a crafted IPsec ESP packet to the system, designed to match the UDP socket. The kernel routes the packet through the ESP decryption fast-path, which overwrites the underlying memory fragments with the decrypted payload.

Publicly available proof-of-concept repositories, such as V4bel/dirtyfrag, demonstrate this technique by replacing the root user's password hash in the corrupted /etc/passwd cache. Attackers then use standard su or ssh commands to authenticate as root using the newly injected credentials. Microsoft and other vendors have observed this exact execution chain in active post-compromise campaigns.

The impact of CVE-2026-43284 is absolute system compromise. By leveraging the write-what-where primitive, an unprivileged user bypasses all standard discretionary and mandatory access controls. Modifying sensitive files in the page cache allows attackers to inject malicious shared libraries, alter execution paths, or rewrite authentication databases.

The vulnerability holds a CVSS v3.1 score of 8.8 (High). While the attack vector is local (AV:L), the low complexity (AC:L) and lack of user interaction (UI:N) make it a highly reliable post-exploitation tool. The scope changes (S:C) because the exploit originates within an unprivileged context but corrupts the central kernel memory management system.

In containerized environments, this vulnerability frequently enables container escape. If the container shares the underlying host's kernel and has read access to host-mapped volumes or binaries, the attacker can overwrite files visible to the host operating system. This facilitates lateral movement from an isolated container to the underlying node.

The primary and most effective remediation for CVE-2026-43284 is applying the upstream Linux kernel security patches. Administrators must verify that their kernel is updated to a patched version, such as 5.10.255, 5.15.205, 6.1.171, 6.6.138, 6.12.87, or 6.18.28. Applying the patch completely eliminates the vulnerable code path by enforcing copy-on-write semantics for MSG_SPLICE_PAGES payloads.

In environments where immediate patching is not feasible, administrators can implement network-level mitigations. Disabling the IPsec ESP subsystem or blocking UDP port 4500 (ESP-in-UDP) prevents the exploit chain from reaching the vulnerable decryption logic. This mitigation is only viable for systems that do not rely on IPsec for network communications.

> [!NOTE] > Relying exclusively on File Integrity Monitoring (FIM) tools like AIDE or Tripwire is insufficient for prevention. The corruption occurs in volatile memory and may not trigger disk-based integrity checks immediately.

Security teams should deploy runtime behavioral detection rules. Solutions utilizing eBPF, such as Falco, can detect the exploit pattern by monitoring for processes executing sendmsg with the MSG_SPLICE_PAGES flag immediately following a splice() syscall on a pipe file descriptor. Anomalous modifications to critical authentication files should also trigger immediate incident response procedures.