Each privilege escalation vulnerabilities stem from bugs within the kernel’s dealing with of web page caches saved in reminiscence, permitting untrusted customers to change them. They aim caches in networking and memory-fragment dealing with elements. Particularly, CVE-2026-43284 assaults the esp4 and esp6 () processes, and CVE-2026-43500 zeroes in on rxrpc. Final week’s CopyFail exploited defective web page caching within the authencesn AEAD template course of, which is used for IPsec prolonged sequence numbers. A 2022 vulnerability named Soiled Pipe additionally stemmed from flaws that permit attackers to overwrite web page caches.
Researchers from safety agency Automox wrote:
Soiled Frag belongs to the identical bug household as Soiled Pipe and Copy Fail, however it targets the frag member of the kernel’s struct sk_buff quite than pipe_buffer. The exploit makes use of splice() to plant a reference to a read-only page-cache web page (for instance, /and so forth/passwd or /usr/bin/su) into the frag slot of a sender-side skb. Receiver-side kernel code then performs in-place cryptographic operations on that frag, modifying the web page cache in RAM. Each subsequent learn of the file sees the corrupted model, though the attacker solely ever had learn entry.
CVE-2026-43284 is discovered within the esp_input() course of on the IPsec ESP obtain path. When an skb object is non-linear however lacks a frag listing, the code skips skb_cow_data() and decrypts AEAD in place on the planted frag. From there, an attacker can management the file offset and the 4-byte worth of every retailer.
CVE-2026-43500, in the meantime, resides in rxkad_verify_packet_1(). The method decrypts RxRPC payloads utilizing a single-block course of. Splice-pinned pages turn out to be each a supply and vacation spot. That, paired with the decryption key being freely extracted utilizing the add_key (rxrpc), permits an attacker to rewrite contents in reminiscence.
Both exploit used individually is unreliable. Some Ubuntu configurations use AppArmor to stop untrusted customers from creating namespace contents. That, in flip, neutralizes the ESP approach. Most different distributions by default don’t run rxrpc.ko, which neutralizes the RxRPC arm. When chained collectively, nevertheless, the 2 exploits permit attackers to acquire root on each main distribution Kim examined. As soon as the exploits run, attackers can use SSH entry, web-shell execution, container escapes, or compromise low-privilege accounts.
“Soiled Frag is notable as a result of it introduces a number of kernel assault paths involving rxrpc and esp/xfrm networking elements to enhance exploitation reliability,” Microsoft researchers wrote. “Moderately than counting on slender timing home windows or unstable corruption circumstances typically related to Linux native privilege escalation exploits, Soiled Frag seems designed to extend consistency throughout susceptible environments.”
Researchers at Google-owned Wiz said exploits shall be much less prone to escape of hardened containerized environments equivalent to Kubernets with default safety settings in place. “Nonetheless, the danger stays vital for digital machines or much less restricted environments.”
The perfect response for anybody utilizing Linux is to put in patches instantly. Whereas fixes doubtless require a reboot, safety from a risk as extreme as Soiled Frag outweighs the price of disruptions. Anybody who can’t set up instantly ought to observe the mitigation steps specified by the posts linked above. Extra steering may be discovered here.
