Linux Bitten by 5 Severe Vulnerabilities in 2 Weeks

Over the past two weeks, the Linux kernel has faced a barrage of severe security flaws that all trace back to a single weak point: the way the operating system handles memory pages cached from disk. Five distinct vulnerabilities have emerged, with two of them forming an especially dangerous pair that researchers have already demonstrated can grant an attacker full root access on every major Linux distribution. At the heart of these attacks lies a specific class of bug known as a linux page cache vulnerability, where an unprivileged user can corrupt read-only files stored in memory by abusing legitimate system calls like splice(). Understanding how these exploits work and what you can do to defend against them is critical for anyone running Linux servers, containers, or even desktop systems.


The Linux Page Cache Vulnerability Family: A Recurring Threat

The page cache is a fundamental part of the kernel’s memory management. When you open a file, the kernel reads its contents from disk into RAM and keeps that data around so subsequent accesses are faster. Under normal circumstances, the kernel enforces strict permissions: a process with only read access cannot modify the cached copy. But a series of bugs has shown that those protections can be bypassed when the kernel’s networking code performs cryptographic operations on memory pages that have been pinned by splice().

In 2022, the Dirty Pipe vulnerability demonstrated this pattern for the first time. It allowed an attacker to overwrite any file they could read, including binaries like /usr/bin/su. Last week, a bug called CopyFail exploited a similar weakness in the authencesn AEAD template used for IPsec extended sequence numbers. Now, researchers have disclosed Dirty Frag, which belongs to the same bug family but targets a different kernel structure: the frag member of struct sk_buff rather than the pipe buffer. Together with two other CVEs, this brings the total to five severe vulnerabilities in just two weeks. Each one is a linux page cache vulnerability that allows an attacker with read-only access to corrupt data in memory.

What Makes These Bugs Different from Standard Memory Corruption

Typical privilege escalation exploits rely on buffer overflows or use-after-free errors that corrupt kernel memory directly. Dirty Frag and its relatives are subtler. They weaponize the kernel’s own design: the splice() system call, which is meant to move data efficiently between file descriptors, can be used to plant a reference to a read-only page-cache page into an skb (socket buffer) fragment. When kernel networking code later performs encryption or decryption in place on that fragment, it unintentionally modifies the original cached file. Every subsequent read of that file — even by root processes — sees the tampered version. The attacker never had write permission to the file on disk, yet the in-memory copy is altered.

How Dirty Frag Exploits the Linux Page Cache Vulnerability through Networking Paths

The Dirty Frag attack is notable because it introduces not one but two separate kernel code paths that can be abused. Microsoft researchers who analyzed the exploit described it as designed for reliability rather than relying on narrow timing windows. The two CVEs involved are CVE-2026-43284 and CVE-2026-43500, and each targets a different networking subsystem.

CVE-2026-43284: Attacking the IPsec ESP Receive Path

This vulnerability resides in the esp_input() function, which handles incoming IPsec ESP packets. When the kernel receives a non-linear skb that lacks a fragment list, the code skips the skb_cow_data() check and proceeds to decrypt the AEAD data directly on the planted fragment. An attacker who can control the file offset and the 4-byte value of each store can therefore corrupt a target file byte by byte. The exploit works on systems where the IPsec stack is loaded and where unprivileged users can create network namespaces. Some Ubuntu configurations with AppArmor block the creation of namespaces by untrusted users, which neutralizes this particular attack vector.

CVE-2026-43500: Exploiting the RxRPC Decryption Routine

The second vulnerability lives in rxkad_verify_packet_1(), a function that decrypts RxRPC (Remote Procedure Call over UDP) payloads. The process uses a single-block decryption where splice-pinned pages serve as both the source and the destination. Paired with the fact that an attacker can freely extract the decryption key using the add_key(rxrpc) system call, this allows rewriting contents in memory. Most distributions do not load the rxrpc.ko kernel module by default, which means this arm of the attack is normally neutralized. But when an attacker can load the module or find a system where it is already in use, the bug becomes exploitable.

Chaining Two Moderate Bugs into a Reliable Root Exploit

On their own, each of these CVEs is unreliable. The ESP path requires specific network namespace conditions, and the RxRPC path requires the module to be loaded. But researcher Kim (the discoverer) demonstrated that chaining them together produces a working privilege escalation on every major distribution. The ESP bug handles one set of conditions, while the RxRPC bug handles the rest. Together they cover the gaps, making the exploit consistent.

Once the exploit runs successfully, the attacker gains root access. From there, an attacker who arrived through SSH access, a web shell, a container, or a compromised low-privilege account can pivot further into the network. Researchers at Google-owned Wiz noted that hardened container environments like Kubernetes with default security settings are less likely to be broken out of, but virtual machines and less restricted environments remain at significant risk.

Why the Chain Works on All Distributions

Some Ubuntu builds use AppArmor to block unprivileged users from creating network namespaces, which stops the ESP technique. Conversely, most other distributions do not load rxrpc.ko by default, which stops the RxRPC technique. By combining the two exploits, the attacker can switch between them depending on the environment. If one path is blocked, the other may be open. This is a powerful reminder that two moderate-severity bugs can produce a critical vulnerability when combined.


Practical Mitigation for the Linux Page Cache Vulnerability

The best response is to install patches as soon as they become available. The fixes for CVE-2026-43284 and CVE-2026-43500 are already being integrated into stable kernel releases from kernel.org, and distribution maintainers are backporting them. A reboot will likely be required because the fixes modify core kernel code. While downtime is inconvenient, the protection from a threat as severe as Dirty Frag far outweighs the cost of a scheduled restart.

Checking Your Kernel Version

To determine whether your system is affected, run uname -r and compare the version against the patched releases. The exact fixed versions will be announced by your distribution. For Ubuntu, check the security notices at ubuntu.com/security. For Red Hat, consult the Red Hat Security Advisories. If you are running a custom kernel, apply the upstream commits directly. The vulnerabilities affect kernels from approximately version 5.10 onward, though the precise range depends on backport status.
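The version check described above, as an added example that is not part of the original article: a POSIX shell script that strips the distribution suffix from uname -r and compares the numeric base version against a fixed version you take from your vendor's advisory. FIXED_VERSION is a placeholder, not a value from any advisory, and the comparison is only meaningful against the version your distribution names for its own package, because backported fixes can leave the base version unchanged.

```shell
#!/bin/sh
# Added example, not from the article. Compares the running kernel with a
# fixed version supplied by the operator. FIXED_VERSION is a PLACEHOLDER:
# take the real value from your distribution's security notice.
FIXED_VERSION="${FIXED_VERSION:-}"

# Strip the distribution suffix: "6.8.0-45-generic" -> "6.8.0"
base_version() {
    printf '%s' "${1%%-*}"
}

# Return 0 (true) when dotted version $1 is >= $2. Up to three numeric
# fields are compared; a missing field counts as 0, so "6.8" equals "6.8.0".
# Assumes the fields are plain integers, which holds for uname -r output.
version_ge() {
    a=$(base_version "$1")
    b=$(base_version "$2")
    old_ifs=$IFS
    IFS=.
    set -- $a
    a1=${1:-0} a2=${2:-0} a3=${3:-0}
    set -- $b
    b1=${1:-0} b2=${2:-0} b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}

# Print "patched" when the running version ($1) is at or above the fixed
# version ($2), otherwise "needs-update".
kernel_status() {
    if version_ge "$1" "$2"; then
        echo patched
    else
        echo needs-update
    fi
}

# Stand-alone use: report on this machine. A base version below the upstream
# fix does not prove exposure on a distribution kernel with backports; compare
# against the package version your vendor announces.
if [ -z "$FIXED_VERSION" ]; then
    echo "set FIXED_VERSION to the fixed kernel version from your distribution's advisory" >&2
else
    running=$(uname -r 2>/dev/null || echo 0.0.0)
    printf 'running %s, fixed %s: %s\n' "$running" "$FIXED_VERSION" \
        "$(kernel_status "$running" "$FIXED_VERSION")"
fi
```

Run it as FIXED_VERSION=x.y.z sh check-kernel.sh once your distribution has published the fixed version. On Red Hat style kernels, where the base version stays at an older number and the fix arrives in the package release, check the installed package version against the advisory instead of relying on this comparison.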

Alternative Mitigations When Patching Is Delayed

If you cannot reboot immediately, consider these workarounds:

  • Disable the splice() system call for untrusted users using seccomp filters. This prevents the initial step of planting a page-cache reference into an skb. However, be aware that splice() is used by many legitimate applications, so test thoroughly.
  • Block unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0 on Ubuntu systems. This neutralizes the ESP exploit path that requires namespace creation.
  • Unload the rxrpc.ko module if it is loaded on your system. Use lsmod | grep rxrpc to check, and either blacklist the module or remove it with rmmod rxrpc.
  • Apply AppArmor or SELinux profiles that restrict which users can create network sockets or perform specific system calls. Even if the kernel is flawed, a strong LSM policy can block the exploit chain.

For home lab users running Ubuntu, note that AppArmor may already be blocking the ESP technique by default. Verify with aa-status and check your namespace policies. If you are a security auditor advising a client who cannot patch, prioritize disabling splice() for untrusted processes and ensuring network namespace creation is restricted.
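The workaround list and the aa-status check above, as an added example that is not part of the original article: a read-only audit script that reports whether the rxrpc module is loaded, whether unprivileged user namespaces are restricted, and whether AppArmor is active. Each check is a function that takes command output as text, so the script first runs on a constructed lsmod listing and then, where the commands exist, on the live system. The sysctl key kernel.unprivileged_userns_clone exists only on Debian and Ubuntu kernels; the script reports it as unavailable elsewhere rather than guessing.

```shell
#!/bin/sh
# Added example, not from the article. Audits the interim workarounds without
# changing anything on the host. Functions take command output as text so the
# logic can be exercised on constructed input.

# Return 0 when an lsmod listing shows the rxrpc module loaded.
rxrpc_loaded() {
    printf '%s\n' "$1" | awk '$1 == "rxrpc" { found = 1 } END { exit !found }'
}

# Return 0 when the value of kernel.unprivileged_userns_clone is 0.
# Non-Debian kernels lack this key; user.max_user_namespaces=0 is the
# equivalent restriction there.
userns_restricted() {
    [ "$1" = "0" ]
}

# Return 0 when aa-status output reports the AppArmor module as loaded.
apparmor_active() {
    printf '%s\n' "$1" | grep -q 'apparmor module is loaded'
}

# One line per check. "ok" means the workaround is in place, "open" means
# the corresponding exploit path is not blocked by that workaround.
audit_report() {
    lsmod_out=$1
    userns_val=$2
    aa_out=$3
    if rxrpc_loaded "$lsmod_out"; then
        echo "rxrpc: open (module loaded; blacklist it or run rmmod rxrpc)"
    else
        echo "rxrpc: ok (module not loaded)"
    fi
    if [ -z "$userns_val" ]; then
        echo "userns: not available (no kernel.unprivileged_userns_clone; check user.max_user_namespaces)"
    elif userns_restricted "$userns_val"; then
        echo "userns: ok (unprivileged user namespaces disabled)"
    else
        echo "userns: open (unprivileged users can create namespaces)"
    fi
    if apparmor_active "$aa_out"; then
        echo "apparmor: ok (module loaded; review namespace policy with aa-status)"
    else
        echo "apparmor: open (not loaded or aa-status unavailable)"
    fi
}

# Constructed sample input (not captured from a real host) to show the report.
SAMPLE_LSMOD='Module                  Size  Used by
rxrpc                 598016  0
esp4                   24576  0
xfrm_user              57344  1'
echo "--- constructed sample ---"
audit_report "$SAMPLE_LSMOD" 1 ""

# Live run where the commands exist; missing commands yield empty input.
if command -v lsmod >/dev/null 2>&1; then
    echo "--- this host ---"
    audit_report "$(lsmod 2>/dev/null)" \
        "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" \
        "$(aa-status 2>/dev/null)"
fi
```

The script only observes; acting on an "open" line is the blacklist, sysctl, or profile change from the list above. For the first bullet, restricting splice() for a particular untrusted service, one place a seccomp filter can be applied is a systemd unit drop-in with SystemCallFilter=~splice, which denies that one call for the service and should be tested against the workload first because many applications rely on splice().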

What the Dirty Frag Family Teaches Us About Kernel Security

The repeated discovery of linux page cache vulnerabilities — Dirty Pipe, CopyFail, Dirty Frag — shows that the kernel’s page-cache handling is a persistent attack surface. Each new bug finds a slightly different code path that uses splice() to bypass access controls. The pattern is clear: any kernel code that performs in-place cryptographic operations on memory pages that can be pinned by an unprivileged user is a potential target. Developers must audit all such routines, especially in networking subsystems like IPsec and RxRPC that handle complex protocol logic.

For system administrators, the lesson is to stay current with kernel updates and to treat any local privilege escalation vulnerability seriously, even if its CVE score seems moderate. As this case demonstrates, two moderate bugs can combine into a reliable root exploit. Hardening measures like security modules and namespace restrictions add valuable layers of defense, but they are not a substitute for patching. The linux page cache vulnerability family is not going away; it is evolving. Staying informed and applying fixes quickly remains the best strategy.
