Analysis updated 2026-07-17 · repo last pushed 2026-05-10
Test a patched Linux server to confirm the fix for CVE-2026-43284 and CVE-2026-43500 is effective.
Verify whether a fleet of Ubuntu, RHEL, Fedora, CentOS, or openSUSE servers is vulnerable before patching.
Apply the provided mitigation steps, like disabling the esp4, esp6, and rxrpc kernel modules, when patches can't be applied immediately.
Study the deterministic logic-bug technique as a reference for understanding page-cache corruption bugs.
| v4bel/dirtyfrag | openvenues/libpostal | hpjansson/chafa | |
|---|---|---|---|
| Stars | 4,883 | 4,795 | 4,793 |
| Language | C | C | C |
| Last pushed | 2026-05-10 | — | — |
| Maintenance | Maintained | — | — |
| Setup difficulty | hard | hard | easy |
| Complexity | 5/5 | 4/5 | 2/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
For authorized testing only, running the exploit contaminates the page cache and requires a reboot or cache flush afterward.
Dirty Frag is a security research project that demonstrates a way for a regular, non-administrator Linux user to gain full root (administrator) privileges. It chains together two vulnerabilities in the Linux kernel, tracked as CVE-2026-43284 and CVE-2026-43500. The creator named it "Dirty Frag" because it belongs to the same family of flaws as the famous "Dirty Pipe" vulnerability, and it involves manipulating a fragment of network data inside the kernel. At a technical level, the exploit works by tricking the Linux kernel into writing data into the wrong place, specifically, into the system's page cache, which is a temporary store of file data in memory. By exploiting how the kernel handles certain network protocols (xfrm-ESP and RxRPC), an attacker can overwrite cached file contents. This is a deterministic logic bug, meaning it doesn't rely on lucky timing or race conditions. The exploit either works reliably or fails safely without crashing the system. The creator chained two separate vulnerabilities together because each one alone has blind spots on certain Linux distributions, but together they cover all major distributions. This tool is primarily useful for security researchers, penetration testers, and system administrators who need to understand and verify whether their systems are vulnerable. For example, if you manage a fleet of Linux servers and want to confirm that a patch is effective, you could test it with this proof-of-concept. The README is explicit that it should only be used on systems you are authorized to test, and it notes that running the exploit contaminates the page cache, requiring a reboot or a cache flush afterward for system stability. The vulnerabilities have existed for a long time, one since 2017 and the other since 2023, and affect major distributions including Ubuntu, RHEL, Fedora, CentOS, and openSUSE. The project provides mitigation steps if you can't immediately apply official patches: you can disable the vulnerable kernel modules (esp4, esp6, and rxrpc) and flush the page cache. The creator notes that even systems that mitigated the related "Copy Fail" vulnerability remain exposed to Dirty Frag. Official kernel patches have already been merged into the mainline Linux kernel.
A proof-of-concept security research project chaining two Linux kernel CVEs to demonstrate local privilege escalation from a normal user to root, for verifying whether systems are vulnerable.
Mainly C. The stack also includes C, Linux Kernel.
Maintained — commit in last 6 months (last push 2026-05-10).
License is not stated in the available content.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.