Critical New Linux Zero-Day Confirmed—Hackers Get Root, No Patch Yet
If you thought that Linux was somehow the safe and secure choice of operating system, you might want to think again. Hot on the heels of the Copy Fail access vulnerability that had remained hidden for 9 years comes news that a new zero-day, with no patch available and granting hackers root, has been confirmed. Here’s what we know about Dirty Frag and the workaround you can employ to mitigate attacks.
What We Know About CVE-2026-43284, The Linux Dirty Frag Zero-Day
Why is it always a Friday? Just as security teams and end users alike look forward to the weekend, a security issue rears its ugly head, putting a stop to all that. With the major Linux distributions still rolling out patches for the Copy Fail vulnerability, which the U.S. Cybersecurity and Infrastructure Security Agency has confirmed is now being exploited by attackers, comes news that an even worse issue is out there. Dirty Frag, officially now tracked by the Common Vulnerabilities and Exposures database as CVE-2026-43284, has been confirmed and publicly disclosed, all before a patch is ready to roll.
The reason for the May 8 public disclosure, according to the security researcher responsible, Hyunwoo Kim, was someone breaking the embargo that was in place. “Because the embargo has now been broken, no patches or CVEs exist for these vulnerabilities,” Kim said. After consulting with the Linux Distros Openwall maintainers, and at their request, Kim confirmed, “I am publicly releasing this Dirty Frag document.”
Amazingly, just like Copy Fail before it in terms of age, the Dirty Frag privilege escalation flaw has been present in the Linux kernel, specifically its algif_aead cryptographic algorithm interface, for around nine years.
Also, like Copy Fail, Kim said, “Dirty Frag likewise allows immediate root privilege escalation on all major distributions, and it chains two separate vulnerabilities.”
How To Mitigate The Linux Dirty Frag Attack Risk Before A Patch Arrives
To mitigate Linux attacks now that the zero-day has been publicly disclosed, and before a patch is ready to roll out, users are advised by Kim to remove the modules in which the vulnerabilities occur as follows:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
Dirty Frag has been tested as being applicable to the following Linux distribution versions:
- Ubuntu 24.04.4: 6.17.0-23-generic
- RHEL 10.1: 6.12.0-124.49.1.el10_1.x86_64
- openSUSE Tumbleweed: 7.0.2-1-default
- CentOS Stream 10: 6.12.0-224.el10.x86_64
- AlmaLinux 10: 6.12.0-124.52.3.el10_1.x86_64
- Fedora 44: 6.19.14-300.fc44.x86_64
You can read more technical details and keep up to date with developments related to the latest Linux kernel zero-day at the official Dirty Frag information site.