
Local Privilege Escalation Flaw Found in Linux Kernel's algif_aead Interface (CVE-2026-43284)

The Dirty Frag vulnerability, publicly disclosed on May 8, 2026 after an embargo was broken, has existed in the Linux kernel for nine years. Security researcher Hyunwoo Kim disclosed the flaw, tracked as CVE-2026-43284, which affects multiple major distributions.

Source: Forbes (1 source) · May 10, 8:54 AM

A critical Linux kernel vulnerability known as Dirty Frag that gives attackers root access with no patch available was publicly disclosed on Friday, May 8, 2026 after the embargo regarding the vulnerability was broken. The flaw, officially tracked as CVE-2026-43284, has been present in the Linux kernel for around nine years.

Security researcher Hyunwoo Kim, responsible for the disclosure, said the early release occurred because someone broke the embargo.

"Because the embargo has now been broken, no patches or CVEs exist for these vulnerabilities," Hyunwoo Kim said. A proof of concept exploit for Dirty Frag is known.

The Dirty Frag flaw resides in the Linux kernel’s algif_aead cryptographic algorithm interface. It comes as major Linux distributions are still rolling out patches for the Copy Fail vulnerability, which remained hidden for 9 years.

The U.S. Cybersecurity and Infrastructure Security Agency has confirmed that the Copy Fail vulnerability is now being exploited by attackers. David Brumley said the discovery of Dirty Frag so soon after Copy Fail, which was uncovered using advanced AI analysis, serves as a reminder of persistent gaps.

"It is a reminder that vulnerability classes are rarely exhausted by a single pass, even a very good one," Brumley said.

Forbes reported the article was updated on May 10, 2026 to include comments from security experts.

/etc/modprobe.d/dirtyfrag.conf; echo 'install esp6 /bin/true' >> /etc/modprobe.d/dirtyfrag.conf; echo 'install rxrpc /bin/true' >> /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true

Dirty Frag has been tested as applicable to Ubuntu 24.04.4 running kernel 6.17.0-23-generic. It has also been tested as applicable to RHEL 10.1 running kernel 6.12.0-124.49.1.el10_1.x86_64. Additional testing confirmed Dirty Frag affects openSUSE Tumbleweed running kernel 7.0.2-1-default. It applies as well to CentOS Stream 10 running kernel 6.12.0-224.el10.x86_64. AlmaLinux 10 running kernel 6.12.0-124.52.3.el10_1.x86_64 and Fedora 44 running kernel 6.19.14-300.fc44.x86_64 are also impacted according to the tests.

The timing of the Dirty Frag disclosure follows closely on the heels of ongoing patching efforts for Copy Fail across major distributions. With both vulnerabilities having persisted for approximately nine years before discovery, the Linux kernel’s cryptographic and privilege management interfaces continue to draw scrutiny from researchers. Forbes reported that threat actors could begin using Dirty Frag in attacks now that details and a proof of concept are public.
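The command fragment above appends `install <module> /bin/true` lines to /etc/modprobe.d/dirtyfrag.conf (which makes modprobe run /bin/true instead of loading the module) and unloads esp4, esp6 and rxrpc. The script below is an added example, not part of the original article or the researcher's advisory, that audits whether each of those three modules has such an override and is no longer loaded. The function names and the sample files are constructed for illustration; the module list is taken from the fragment's rmmod call.

```shell
#!/bin/sh
# Added example: audit the module overrides from the command fragment above.
# MODULES is the page's rmmod list; function names and sample data are assumptions.
MODULES="esp4 esp6 rxrpc"

# has_override DIR MOD: true if a *.conf in DIR maps MOD to /bin/true or /bin/false
has_override() {
    for _f in "$1"/*.conf; do
        [ -f "$_f" ] || continue
        # drop comments, then look for: install <MOD> /bin/true
        if sed 's/#.*//' "$_f" | awk -v m="$2" '
            $1 == "install" && $2 == m && ($3 == "/bin/true" || $3 == "/bin/false") { hit = 1 }
            END { exit !hit }'; then
            return 0
        fi
    done
    return 1
}

# is_loaded PROC_MODULES MOD: true if MOD is the first field of a line in /proc/modules
is_loaded() { awk -v m="$2" '$1 == m { hit = 1 } END { exit !hit }' "$1"; }

# audit CONF_DIR PROC_MODULES: prints "<module> <state>"; returns 1 on any gap
audit() {
    _rc=0
    for _m in $MODULES; do
        _state=""
        has_override "$1" "$_m" || _state="no-override"
        if is_loaded "$2" "$_m"; then
            _state="${_state:+$_state,}still-loaded"
        fi
        [ -z "$_state" ] && _state="ok" || _rc=1
        echo "$_m $_state"
    done
    return $_rc
}
# demo: constructed sample files (not from a real host): only the two install
# lines visible in the fragment, and a /proc/modules excerpt with esp4 loaded.
demo() {
    _d=$(mktemp -d)
    printf '%s\n' 'install esp6 /bin/true' 'install rxrpc /bin/true' > "$_d/dirtyfrag.conf"
    printf '%s\n' 'esp4 28672 0 - Live 0x0000000000000000' \
                  'xfrm_algo 16384 1 esp4, Live 0x0000000000000000' > "$_d/proc_modules"
    _out=0; audit "$_d" "$_d/proc_modules" || _out=$?
    rm -rf "$_d"
    return $_out
}
demo || true
```

On a host, `audit /etc/modprobe.d /proc/modules` runs the same check against the live files; it reads only the directory it is given, so overrides placed in other modprobe.d locations are not seen.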
