
"Dirty Frag belongs to the same bug family as Dirty Pipe and Copy Fail, but it targets the frag member of the kernel's struct sk_buff rather than pipe_buffer. The exploit uses splice() to plant a reference to a read-only page-cache page (for example, /etc/passwd or /usr/bin/su) into the frag slot of a sender-side skb. Receiver-side kernel code then performs in-place cryptographic operations on that frag, modifying the page cache in RAM. Every subsequent read of the file sees the corrupted version, even though the attacker only ever had read access."
"CVE-2026-43284 is found in the esp_input() process on the IPsec ESP receive path. When an skb object is non-linear but lacks a frag list, the code skips skb_cow_data() and decrypts AEAD in place on the planted frag. From there, an attacker can control the file offset and the 4-byte value of each store."
"CVE-2026-43500, meanwhile, resides in rxkad_verify_packet_1(). The process decrypts RxRPC payloads using a single-block process. Splice-pinned pages become both a source and destination. That, paired with the decryption key being freely extracted using the add_key (rxrpc), allows an attacker to rewrite contents in memory."
"Either exploit used separately is unreliable. Some Ubuntu configurations use AppArmor to prevent untrusted users from creating namespace contents. That, in turn, neutralizes th"
The privilege-escalation vulnerabilities stem from flaws in how the kernel handles the in-memory page cache, letting unprivileged users modify cached pages. They sit in networking and memory-fragment handling components. CVE-2026-43284 affects the IPsec ESP receive path, where AEAD decryption happens in place on planted frag pages when an skb is non-linear but has no frag list; this gives control over file offsets and the stored values. CVE-2026-43500 affects RxRPC packet verification, where decryption runs one block at a time and splice-pinned pages serve as both source and destination, so an attacker who has extracted the decryption key can rewrite cached contents in memory. Related issues include Dirty Pipe, Copy Fail, and Dirty Frag, all of which corrupt page-cache contents from nothing more than read access.
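The excerpts note that some Ubuntu configurations neutralize the attack by using AppArmor to stop untrusted users from creating user namespaces, and that the corrupting code runs in the ESP and RxRPC receive paths. The script below is an added, defender-side posture check; it is not code from the Ars Technica article or from any of the researchers involved. It assumes two things the page does not state: that Ubuntu exposes the AppArmor restriction as the sysctl kernel.apparmor_restrict_unprivileged_userns (1 = restricted), and that the affected receive paths are built as the esp4, esp6 and rxrpc kernel modules, so their presence in /proc/modules indicates the code paths are loaded. The checks are written as functions over text input so they can be exercised against a constructed /proc/modules sample; pass --live to run them against the real system.

```shell
#!/bin/sh
# Added example (not from the article): read-only posture check for the two
# mitigating conditions mentioned on the page.
#
# Assumptions not stated on the page:
#  - kernel.apparmor_restrict_unprivileged_userns is the Ubuntu sysctl that
#    blocks unprivileged user-namespace creation (1 = restricted).
#  - The ESP and RxRPC receive paths live in the esp4/esp6 and rxrpc modules.

# userns_restricted VALUE -> "restricted" only when the sysctl reads 1;
# a missing sysctl (passed as "absent") is reported as unrestricted.
userns_restricted() {
    case "$1" in
        1) echo restricted ;;
        *) echo unrestricted ;;
    esac
}

# loaded_affected_modules MODULES_TEXT -> space-separated names of the
# assumed-affected modules found in /proc/modules-formatted text.
# Only the first field (module name) is matched, so dependency lists in
# later fields do not produce false hits.
loaded_affected_modules() {
    printf '%s\n' "$1" \
        | awk '$1=="esp4"||$1=="esp6"||$1=="rxrpc"{printf "%s ", $1}' \
        | sed 's/ $//'
}

# live_report: apply the same checks to the running system.
live_report() {
    v=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo absent)
    echo "kernel: $(uname -r)"
    echo "unprivileged userns (AppArmor): $(userns_restricted "$v") (sysctl=$v)"
    mods=$(loaded_affected_modules "$(cat /proc/modules 2>/dev/null)")
    echo "assumed-affected modules loaded: ${mods:-none}"
}

# Constructed /proc/modules sample for the offline demonstration: esp4 is
# loaded, xfrm_algo merely lists esp4 as a user, ext4 is unrelated.
SAMPLE_MODULES='esp4 16384 0 - Live 0x0000000000000000
xfrm_algo 16384 1 esp4, Live 0x0000000000000000
ext4 1048576 1 - Live 0x0000000000000000'

if [ "${1:-}" = "--live" ]; then
    live_report
fi
```

A result of "unrestricted" with any of the three modules loaded is the combination the excerpts describe as exploitable; "restricted" reflects the AppArmor configuration the page says neutralizes the attack, and the module list shows whether the vulnerable receive paths are even present on the host.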
Read at Ars Technica