## https://sploitus.com/exploit?id=F5A489AC-794B-57F3-B60D-26B3D4C2A025
# Dirty Frag check (CVE-2026-43284 / CVE-2026-43500)
Read-only checker for the "Dirty Frag" Linux kernel local-root vulns
([CVE-2026-43284](https://access.redhat.com/security/cve/CVE-2026-43284),
[CVE-2026-43500](https://access.redhat.com/security/cve/CVE-2026-43500)).
Looks at running kernel version vs the vendor-published fix, the load
state of the affected IPsec / AF\_RXRPC modules, KernelCare livepatch
state, and any modprobe blacklist you've put in place, then prints a
verdict. It does not run exploit code.
Companion to [CVE-2026-31431-check](https://github.com/haydenjames/CVE-2026-31431-check).
> Heads up: this is a heuristic. A green verdict isn't a guarantee. Cross-reference
> with your distro's advisory before you call a host safe. MIT, no warranty.
## Quick run
Always-latest release (recommended โ auto-tracks bug fixes):
```bash
curl -fsSL https://github.com/haydenjames/dirty-frag-check/releases/latest/download/dirty-frag-check.sh | bash
```
If you'd rather read it first (sensible on production):
```bash
curl -fsSLO https://github.com/haydenjames/dirty-frag-check/releases/latest/download/dirty-frag-check.sh
less dirty-frag-check.sh
chmod +x dirty-frag-check.sh && ./dirty-frag-check.sh
```
For change-control or audit (immutable, won't pick up future fixes), pin
to a specific release tag instead โ e.g.
`https://raw.githubusercontent.com/haydenjames/dirty-frag-check/v1.0.0/dirty-frag-check.sh`.
`-q` gives a one-line summary for fleet runs. `-h` for help. Exit 0 ok, 1 vulnerable, 2 unknown.
## Fleet usage
```bash
# parallel-ssh
parallel-ssh -h hosts.txt -i 'bash -s -- -q' /dev/null || true
```
If `rmmod` says "module is in use", something on the box actively uses
IPsec or AF\_RXRPC (some VPNs, AFS clients, strongSwan, Libreswan).
Don't force-unload it. Patch the kernel and reboot instead.
KernelCare / TuxCare ELS users: livepatches for CVE-2026-43284 cover
this without a reboot. Check `kcarectl --patch-info`.
## Targets
Aimed at AlmaLinux 8/9/10, Rocky, RHEL, CloudLinux 8/9/10, Ubuntu,
Debian, and CentOS 7 (TuxCare ELS / KernelCare). The fixed-version
table is RHEL-family-specific; Ubuntu/Debian fall back to
package-manager freshness. Confirm any green verdict against your
distro's tracker.
## Discussion
- AlmaLinux advisory: [Dirty Frag](https://almalinux.org/blog/2026-05-07-dirty-frag/)
- CloudLinux / KernelCare: [mitigation and kernel update](https://blog.cloudlinux.com/dirty-frag-mitigation-and-kernel-update)
- cPanel: [security advisory](https://support.cpanel.net/hc/en-us/articles/40313772552727)
- Companion checker: [CVE-2026-31431-check](https://github.com/haydenjames/CVE-2026-31431-check)
- Issues: [GitHub](https://github.com/haydenjames/dirty-frag-check/issues)
## License
MIT โ see [LICENSE](LICENSE).