Share
## https://sploitus.com/exploit?id=AD3CFC19-837C-599D-972C-39AEBBD5AA8E
# Dirty Frag Technical Analysis

> CVE-2026-43284 (xfrm-ESP) / CVE-2026-43500 (RxRPC)
>
> Linux kernel local privilege escalation vulnerability โ€” Reverse engineering, shellcode analysis, patch principles, detection scripts

## Vulnerability Overview

Dirty Frag exploits two independent vulnerabilities: `xfrm-ESP Page-Cache Write` and `RxRPC Page-Cache Write`. This allows local ordinary users to gain root privileges on almost all mainstream Linux distributions. โ€“ **Deterministic logic vulnerability**, no race conditions, 100% success rate
- **Completely bypasses Copy Fail mitigation measures**
- Affected versions: Almost all Linux kernels since 2017

## File Description

| File | Description |
|------|------|
| [dirtyfrag-analysis.md](dirtyfrag-analysis.md) | Complete technical analysis article |
| [dirtyfrag-check.sh](dirtyfrag-check.sh) | One-click detection script (esp4/esp6 + rxrpc) |

## Quick Detection

```bash
# One-line command for quick detection
lsmod | grep -qE "esp4|rxrpc" && echo "[!] Risk exists" || echo "[+] Safe"

# Or use the full detection script
bash dirtyfrag-check.sh
```

## Temporary Fix

```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches"
```

> โš ๏ธ Please confirm that IPsec encryption is not used between IPsec VPN / SD-WAN / K8s pods before applying this fix

## Practical Verification

```
OS:      Ubuntu 22.04.5 LTS
Kernel:  5.15.0-171-generic
User:    ubuntu (uid=1000) โ†’ root (uid=0)
Variant: xfrm-ESP Page-Cache Write
Time:    ~8 seconds
```

## Acknowledgments

- Vulnerability discoverer: [Hyunwoo Kim (@v4bel)](https://x.com/v4bel)
- [Dirty Frag official repository](https://github.com/V4bel/dirtyfrag)

## Disclaimer

This article is intended for security research and discussion purposes only. Do not use it for unauthorized system testing. ---

**Author:** Bomb

**WeChat:** AK7777177 (Security research communication, vulnerability analysis collaboration)