Linux bitten by second severe vulnerability in as many weeks

by Vegas Valley News
May 14, 2026
in Technology

Both privilege escalation vulnerabilities stem from bugs in the kernel’s handling of page caches stored in memory, allowing untrusted users to modify them. They target caches in networking and memory-fragment handling components. Specifically, CVE-2026-43284 attacks the esp4 and esp6 () processes, and CVE-2026-43500 zeroes in on rxrpc. Last week’s CopyFail exploited faulty page caching in the authencesn AEAD template process, which is used for IPsec extended sequence numbers. A 2022 vulnerability named Dirty Pipe also stemmed from flaws that allow attackers to overwrite page caches.

Researchers from security firm Automox wrote:

Dirty Frag belongs to the same bug family as Dirty Pipe and Copy Fail, but it targets the frag member of the kernel’s struct sk_buff rather than pipe_buffer. The exploit uses splice() to plant a reference to a read-only page-cache page (for example, /etc/passwd or /usr/bin/su) into the frag slot of a sender-side skb. Receiver-side kernel code then performs in-place cryptographic operations on that frag, modifying the page cache in RAM. Every subsequent read of the file sees the corrupted version, even though the attacker only ever had read access.

CVE-2026-43284 is found in the esp_input() process on the IPsec ESP receive path. When an skb object is non-linear but lacks a frag list, the code skips skb_cow_data() and decrypts AEAD in place on the planted frag. From there, an attacker can control the file offset and the 4-byte value of each store.

CVE-2026-43500, meanwhile, resides in rxkad_verify_packet_1(). The process decrypts RxRPC payloads using a single-block process. Splice-pinned pages become both a source and destination. That, paired with the decryption key being freely extracted using the add_key (rxrpc), allows an attacker to rewrite contents in memory.

Either exploit used individually is unreliable. Some Ubuntu configurations use AppArmor to prevent untrusted users from creating namespace contents. That, in turn, neutralizes the ESP technique. Most other distributions by default don’t run rxrpc.ko, which neutralizes the RxRPC arm. When chained together, however, the two exploits allow attackers to obtain root on every major distribution Kim tested. Once the exploits run, attackers can use SSH access, web-shell execution, or container escapes, or compromise low-privilege accounts.

“Dirty Frag is notable because it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components to improve exploitation reliability,” Microsoft researchers wrote. “Rather than relying on narrow timing windows or unstable corruption conditions often associated with Linux local privilege escalation exploits, Dirty Frag appears designed to increase consistency across vulnerable environments.”

Researchers at Google-owned Wiz said exploits will be less likely to break out of hardened containerized environments like Kubernetes with default security settings in place. “However, the risk remains significant for virtual machines or less restricted environments.”

The best response for anyone using Linux is to install patches immediately. While fixes likely require a reboot, protection from a threat as severe as Dirty Frag outweighs the cost of disruptions. Anyone who can’t install immediately should follow the mitigation steps laid out in the posts linked above. Additional guidance can be found here.
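The two configuration conditions described above (namespace restriction for the ESP arm, rxrpc.ko for the RxRPC arm) can be checked per host while patches roll out. This is an added example, not code from the article or the researchers; the function names are hypothetical, and it assumes Ubuntu exposes its AppArmor user-namespace restriction as the sysctl file named in the script.

```shell
#!/bin/sh
# Added example: configuration triage for the two Dirty Frag arms, using only
# the conditions the article names. Function names are hypothetical.
# Assumption: the Ubuntu AppArmor restriction is readable at USERNS_SYSCTL;
# distributions without that file are reported as unrestricted.
MODULES=/proc/modules
USERNS_SYSCTL=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# module_loaded NAME [FILE]: succeeds if NAME is a loaded module.
# /proc/modules lists one module per line with the name in the first field.
module_loaded() {
    [ -r "${2:-$MODULES}" ] || return 1
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-$MODULES}"
}

# userns_restricted [FILE]: succeeds if the restriction sysctl reads 1.
userns_restricted() {
    [ -r "${1:-$USERNS_SYSCTL}" ] || return 1
    [ "$(cat "${1:-$USERNS_SYSCTL}")" = "1" ]
}

# rxrpc_arm [MODULES_FILE]: CVE-2026-43500 needs rxrpc.ko to be running.
rxrpc_arm() {
    if module_loaded rxrpc "$1"; then echo open; else echo blocked; fi
}

# esp_arm [SYSCTL_FILE]: CVE-2026-43284 is neutralized where untrusted users
# cannot create namespaces.
esp_arm() {
    if userns_restricted "$1"; then echo blocked; else echo open; fi
}

# triage [MODULES_FILE] [SYSCTL_FILE]: one summary line per host.
# Either open arm is enough, since the exploit chains both.
triage() {
    esp=$(esp_arm "$2"); rx=$(rxrpc_arm "$1")
    case "$esp/$rx" in
        blocked/blocked) verdict=config-mitigated ;;
        *)               verdict=exposed ;;
    esac
    echo "esp=$esp rxrpc=$rx verdict=$verdict"
}

triage
```

A `config-mitigated` result describes the current configuration only; the kernel still needs the patch.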
