Dirty Frag Mitigation (CVE-2026-43284, CVE-2026-43500)

Warning

Vendor patches are not widely available. Please apply the mitigation to vulnerable hosts.

We have learned that a new vulnerability called Dirty Frag (CVE-2026-43284 and CVE-2026-43500) has leaked to the public. Because the leak was unplanned, official patches are not widely available.

References and Further Reading

General Information & Exploit Details

Vendor Specific Information

| Vendor | Status | Resource |
|---|---|---|
| AlmaLinux | Patches Released | Dirty Frag (CVE-2026-43284, CVE-2026-43500) Patches Released |
| Red Hat | ⚠️ Vulnerable | CVE-2026-43284 Security Portal |
| Ubuntu | ⚠️ Vulnerable | CVE-2026-43284 Security Advisory |
| Debian | Patches Released | Security Tracker CVE-2026-43284 |
| SUSE | 🟡 Partial Patches Released | Security Vulnerability CVE-2026-43284 |

Vulnerability Testing

Run this command to test if your system is currently vulnerable to the exploit:

unshare -Urn -- ip xfrm state add \
  src 10.0.0.1 dst 10.0.0.2 \
  proto esp spi 0x00000001 \
  mode transport \
  enc 'cbc(aes)' 0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff \
  auth 'hmac(sha1)' 0x00112233445566778899aabbccddeeff00112233

If the command prints nothing, the system is vulnerable.

If it prints an error message, the system is safe.

Fix for all Linux distributions

Blacklisting and removing vulnerable modules

Danger

  • Blacklisting esp4 and esp6 will cause all IPsec-based VPNs and encrypted tunnels to stop working.

    • This breakage only applies to the temporary mitigation (the module blacklisting workaround).

    • Once a fix has been released by your Linux distribution, install it. You can then safely remove the module blacklisting.

  • The rmmod command will fail if IPsec is currently active or if the modules are being used by another process. If rmmod fails, a reboot is required after creating the blacklist file to ensure the modules are not loaded.

  1. Run:

    sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
    

  2. This creates a file /etc/modprobe.d/dirtyfrag.conf with the following contents:

    install esp4 /bin/false
    install esp6 /bin/false
    install rxrpc /bin/false
    

  3. Re-run the command from Vulnerability Testing above. It should now print an error message.
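
To confirm the mitigation has taken effect, including the case where rmmod failed and a module is still resident, the following check can be run. It is an added example, not part of the original page; the function names (`is_blocked`, `is_loaded`, `check_mitigation`) and the `--live` argument are hypothetical, and the file paths are parameters so the check can also be run against copies.

```shell
#!/bin/sh
# Added example: verify the Dirty Frag module-blacklist mitigation.
# Defaults point at the live files used on this page; both can be overridden.

MODULES="esp4 esp6 rxrpc"

# Succeeds if the config file has an "install <module> /bin/false" line.
is_blocked() {  # $1 = module, $2 = modprobe config file
    grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false[[:space:]]*$" "$2" 2>/dev/null
}

# Succeeds if the module is listed in a /proc/modules-format file.
# Matching "<name><space>" keeps esp4_offload from counting as esp4.
is_loaded() {  # $1 = module, $2 = modules list
    grep -Eq "^$1[[:space:]]" "$2" 2>/dev/null
}

# Prints one status line per module. Returns 0 only when every module is
# both blocked in the config and absent from the loaded-module list.
check_mitigation() {  # $1 = config (optional), $2 = modules list (optional)
    conf=${1:-/etc/modprobe.d/dirtyfrag.conf}
    loaded=${2:-/proc/modules}
    rc=0
    for m in $MODULES; do
        if ! is_blocked "$m" "$conf"; then
            echo "$m: NOT blocked in $conf"
            rc=1
        elif is_loaded "$m" "$loaded"; then
            echo "$m: blocked but still loaded (rmmod failed, reboot required)"
            rc=1
        else
            echo "$m: blocked and not loaded"
        fi
    done
    return $rc
}

# Run against the live system only when asked to (hypothetical flag).
if [ "${1:-}" = "--live" ]; then
    check_mitigation
fi
```

A non-zero exit status means at least one of the three modules is either missing from the blacklist file or still loaded.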