You must login to view this content
You must login to view this content
You must login to view this content
You must login to view this content
You must login to view this content
You must login to view this content
You must login to view this content
You must login to view this content
Škoda Auto has disclosed a significant IT security incident affecting its official online shop, revealing that unauthorized individuals exploited a vulnerability in the platform’s standard shop software to gain temporary unauthorized access to customer data. During routine technical security monitoring, Škoda’s IT team identified that attackers had leveraged a flaw in the shop’s underlying software […]
The post Škoda Security Incident Exposes Customers Data From Online Shop appeared first on Cyber Security News.
You must login to view this content
The Senate’s top Democrat is worried about smaller government entities being left behind as AI models advance hacking risks.
The post Sen. Schumer seeks DHS plan on AI cyber coordination with state, local governments appeared first on CyberScoop.
A dangerous new infostealer campaign is targeting some of the most sensitive data people store on their computers. Disguised as a legitimate installer for OpenClaw, a popular open-source personal AI assistant, the malware silently takes over systems and goes after over 250 browser extensions tied to crypto wallets and password managers. The campaign has been […]
The post Hackers Use Fake OpenClaw Installer to Steal Crypto Wallet and Password Manager Credentials appeared first on Cyber Security News.
Weeks after the Copy Fail vulnerability was revealed, a new Linux kernel escalation vulnerability has been uncovered. Dubbed “Dirty Frag,” this flaw could allow a local user to gain root access on affected Linux distributions. Public exploit code has been released prior to patches being made available.
Key takeaways:Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2026-43284 and CVE-2026-43500, an exploit chain leading to Linux kernel local privilege escalation in an attack known as "Dirty Frag"
FAQWhat is Dirty Frag?
Dirty Frag is a local privilege escalation (LPE) vulnerability that allows a local user to escalate their privileges to root.
When was Dirty Frag disclosed?
According to the disclosure timeline, Dirty Frag was publicly disclosed on May 7 after the vulnerability’s embargo was broken by an unrelated third party. On May 8, a proof-of-concept was released alongside technical details and a timeline of the disclosure events.
What CVEs were released?
While no CVEs were available at the time of public disclosure, as of May 8, two CVE identifiers have been released to address the two vulnerabilities which encompass Dirty Frag.
CVEDescriptionCVSSv3CVE-2026-43284Linux Kernel Local Privilege Escalation Vulnerability (xfrm-ESP Page-Cache Write)7.8CVE-2026-43500Linux Kernel Local Privilege Escalation Vulnerability (RxRPC Page-Cache Write)N/AAs of the time this blog was published on May 8, no CVE record details have been released for CVE-2026-43500, which was assigned to address the RxRPC Page-Cache Write vulnerability.
According to the exploit details that have been released, two vulnerabilities are chained in order to craft the exploit. xfrm-ESP Page-Cache Write provided a 4-byte STORE primitive and RxRPC Page-Cache Write provides the privilege to create the namespace. By chaining these two vulnerabilities, root privileges can be obtained on nearly all major Linux distributions.
How does Dirty Frag relate to Copy Fail, Dirty Cow and Dirty Pipe?
Dirty Frag was inspired by Copy Fail as the xfrm-ESP Page-Cache Write vulnerability shares the same sink as Copy Fail. However, it can be triggered on systems that have applied the “algif_aead” blacklist as a mitigation strategy. This means that systems that have been mitigated against Copy Fail remain vulnerable to Dirty Frag.
With the recent disclosure of Copy Fail, there have been comparisons to other well-known Linux kernel privilege escalation vulnerabilities, including Dirty Cow (CVE-2016-5195) and Dirty Pipe (CVE-2022-0847).
Dirty Cow relied on a winning race condition, which meant exploitation was often unreliable. Dirty Pipe had constraints around how data could be written and where in a file it could be modified. As with Copy Fail, Dirty Frag reportedly works consistently across nearly all major Linux distributions.
Which Linux distributions are affected by Dirty Frag?
According to the technical writeup, the xfrm-ESP Page-Cache Write vulnerability has been in upstream since 2017 and the RxRPC Page-Cache Write vulnerability since 2023. Linux distributions released in the last 9 years are likely affected:
Distributions where Dirty Frag has been testedUbuntu 24.04.4: 6.17.0-23-genericRed Hat Enterprise Linux (RHEL) 10.1: 6.12.0-124.49.1.el10_1.x86_64openSUSE Tumbleweed: 7.0.2-1-defaultCentOS Stream 10: 6.12.0-224.el10.x86_64AlmaLinux 10: 6.12.0-124.52.3.el10_1.x86_64Fedora 44: 6.19.14-300.fc44.x86_64Are patches or mitigations available?
As of the time this blog was published on May 8, a kernel patch had been published for the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284). It also appears that several distributions are beginning to publish security advisories, including Red Hat and Alma Linux, noting that patches are beginning to be released or will be available soon.
The technical writeup for Dirty Frag offers a mitigation that can be used to remove the modules that contain these vulnerabilities and clear the page cache. However this could have other impacts and we recommend reviewing the available mitigation suggestions for the Linux distribution that you are using prior to applying the suggested mitigation option below:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"Is there a proof-of-concept (PoC) available?
Yes, a public PoC was released on GitHub which also contains technical details. Additionally, a separate PoC has been released under a different name; Copy Fail 2: Electric Boogaloo.
Historical exploitation of Linux kernel vulnerabilities
The Linux kernel has a long history as a target for privilege escalation attacks. CISA's KEV catalog contains over 20 entries for Linux kernel flaws, including the recently disclosed Copy Fail vulnerability:
CVEDescriptionDate Added to KEVKnown Ransomware UseCVE-2016-5195Linux Kernel Race Condition (Dirty Cow)2022-03-03UnknownCVE-2022-0847Linux Kernel Improper Initialization (Dirty Pipe)2022-04-25UnknownCVE-2026-31431Linux Kernel Local Privilege Escalation Vulnerability (Copy Fail)2026-05-01UnknownHas Tenable Research classified this as part of Vulnerability Watch?
Yes, we classified both CVE-2026-43284 and CVE-2026-43500 as a Vulnerability of Interest under Vulnerability Watch due to the availability of a public proof-of-concept exploit and historical exploitation of similar Linux kernel vulnerabilities.
Has Tenable released any product coverage for this vulnerability?
A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2026-43284 and CVE-2026-43500 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Linux
Get more information
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.