CVE-2026-43284

HIGHPre-NVD 8.89.0
EchelonGraph scoreHIGH confidence

Score elevated to 9.0 because EPSS predicts 93% probability of exploitation within the next 30 days (top 0.2% of all CVEs). the CNA's CVSS baseline 8.8 retained for reference (NVD's own analysis pending). Confidence: see factors.

Triggered by: EPSS exploit prediction ≥85%
Sources: cna:linux, epss, ghsa
Weaponized
8.8
EchelonGraph verdictPatch this weekExploitation is likely or a public exploit exists.
  • High exploitation likelihood — EPSS 93%
CISA-KEV: Not listedEPSS: 93%CVSS: 8.8Exploit: NoneExposed: 0

A fix is available — apply it.

In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.

That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

CVSS v3
8.8
EG Score
9.0(high)
EPSS
99.8%
KEV
Not listed

Published

May 8, 2026

Last Modified

July 2, 2026

Advisory Details (10)

Auto-updated May 11, 2026
No patch confirmed yet.
generic

xfrm: esp: ipv4: fix up flags setting - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad
generic

xfrm: esp: avoid in-place decrypt on shared skb frags - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4
generic

xfrm: esp: avoid in-place decrypt on shared skb frags - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d
generic

xfrm: esp: avoid in-place decrypt on shared skb frags - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b
generic

xfrm: esp: avoid in-place decrypt on shared skb frags - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9
generic

xfrm: esp: ipv4: fix up flags setting - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7
generic

xfrm: esp: avoid in-place decrypt on shared skb frags - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97
generic

xfrm: esp: avoid in-place decrypt on shared skb frags - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec
generic

xfrm: esp: avoid in-place decrypt on shared skb frags - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034
generic

xfrm: esp: avoid in-place decrypt on shared skb frags - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03

Patch Availability(24)

Vendor / EcosystemFixed in / PatchReleasedSource
redhatrhcos-413.92.202606160406-02026-06-25redhat
redhatrhcos-415.92.202606030318-02026-06-11redhat
redhatrhcos-412.86.202605271418-02026-06-04redhat
redhatkpatch-patch2026-05-20redhat
redhatkernel-0:5.14.0-687.10.1.el9_82026-05-20redhat
redhatkernel-0:6.12.0-211.16.1.el10_22026-05-20redhat
redhatkernel-0:5.14.0-687.5.3.el9_82026-05-19redhat
redhatkernel-0:6.12.0-211.7.3.el10_22026-05-19redhat
redhatkernel-0:6.12.0-211.7.el10nv2026-05-15redhat
redhatrhcos-414.92.202605111427-02026-05-14redhat
redhatrhcos-412.86.202605111404-02026-05-14redhat
redhatrhcos-4.20.9.6.202605110206-02026-05-13redhat
redhatrhcos-4.21.9.6.202605110143-02026-05-13redhat
redhatkernel-0:5.14.0-570.113.1.el9_62026-05-13redhat
redhatrhcos-416.94.202605101426-02026-05-13redhat
redhatrhcos-418.94.202605101521-02026-05-13redhat
redhatrhcos-4.19.9.6.202605110225-02026-05-13redhat
redhatkernel-0:5.14.0-70.179.1.el9_02026-05-12redhat
redhatkernel-rt-0:5.14.0-284.170.1.rt14.455.el9_22026-05-12redhat
redhatkernel-0:5.14.0-284.170.1.el9_22026-05-12redhat
redhatkernel-0:4.18.0-553.124.1.el8_102026-05-12redhat
redhatkernel-rt-0:5.14.0-70.179.1.rt21.251.el9_02026-05-12redhat
redhatkernel-0:4.18.0-372.192.1.el8_62026-05-12redhat
redhatkernel-0:5.14.0-611.55.1.el9_72026-05-12redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Additional Vendor Advisories

(20)

Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.

Data Freshness Timeline

(refreshed 1× in last 7d / 75× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 139 total refreshes for this CVE.

  1. 2026-07-03 22:12 UTCMITRE cvelistV5CVSS v3 → 8.8
  2. 2026-06-30 04:33 UTCNVD updateCVSS v3 → 7.8
  3. 2026-06-29 14:06 UTCEPSS rescore
  4. 2026-06-28 09:33 UTCEG score recompute
  5. 2026-06-28 09:33 UTCVendor advisory
  6. 2026-06-28 09:32 UTCGHSA enrichment
  7. 2026-06-28 05:20 UTCEG score recompute
  8. 2026-06-28 05:20 UTCVendor advisory
  9. 2026-06-28 05:19 UTCGHSA enrichment
  10. 2026-06-27 14:10 UTCEG score recompute
  11. 2026-06-27 14:10 UTCVendor advisory
  12. 2026-06-27 14:09 UTCGHSA enrichment
  13. 2026-06-26 21:56 UTCEG score recompute
  14. 2026-06-26 21:56 UTCVendor advisory
  15. 2026-06-26 21:55 UTCGHSA enrichment
  16. 2026-06-23 21:33 UTCEPSS rescore
  17. 2026-06-21 14:56 UTCEPSS rescore
  18. 2026-06-21 14:56 UTCEPSS rescore
  19. 2026-06-18 17:52 UTCEPSS rescore
  20. 2026-06-18 17:52 UTCEPSS rescore
  21. 2026-06-17 17:53 UTCEPSS rescore
  22. 2026-06-17 02:21 UTCEG score recompute 1.20
  23. 2026-06-17 02:21 UTCVendor advisory
  24. 2026-06-17 02:20 UTCGHSA enrichment
  25. 2026-06-15 17:49 UTCEPSS rescore
Show 75 more
  1. 2026-06-15 04:02 UTCEG score recompute
  2. 2026-06-15 04:02 UTCVendor advisory
  3. 2026-06-15 04:02 UTCGHSA enrichment
  4. 2026-06-14 15:43 UTCEG score recompute
  5. 2026-06-14 15:43 UTCVendor advisory
  6. 2026-06-14 15:42 UTCGHSA enrichment
  7. 2026-06-14 03:23 UTCEG score recompute
  8. 2026-06-14 03:23 UTCVendor advisory
  9. 2026-06-14 03:22 UTCGHSA enrichment
  10. 2026-06-12 23:12 UTCEPSS rescore
  11. 2026-06-12 23:12 UTCEPSS rescore
  12. 2026-06-12 20:41 UTCEG score recompute
  13. 2026-06-12 20:41 UTCVendor advisory
  14. 2026-06-12 20:41 UTCGHSA enrichment
  15. 2026-06-12 05:34 UTCEG score recompute
  16. 2026-06-12 05:34 UTCVendor advisory
  17. 2026-06-12 05:33 UTCGHSA enrichment
  18. 2026-06-11 17:14 UTCEG score recompute
  19. 2026-06-11 17:14 UTCVendor advisory
  20. 2026-06-11 17:14 UTCGHSA enrichment
  21. 2026-06-11 14:00 UTCEPSS rescore
  22. 2026-06-11 03:35 UTCEG score recompute
  23. 2026-06-11 03:35 UTCVendor advisory
  24. 2026-06-11 03:34 UTCGHSA enrichment
  25. 2026-06-10 22:18 UTCEPSS rescore
  26. 2026-06-10 15:16 UTCEG score recompute
  27. 2026-06-10 15:16 UTCVendor advisory
  28. 2026-06-10 15:15 UTCGHSA enrichment
  29. 2026-06-10 13:22 UTCEPSS rescore
  30. 2026-06-10 13:22 UTCEPSS rescore
  31. 2026-06-10 02:57 UTCEG score recompute
  32. 2026-06-10 02:57 UTCVendor advisory
  33. 2026-06-10 02:56 UTCGHSA enrichment
  34. 2026-06-09 14:37 UTCEG score recompute
  35. 2026-06-09 14:37 UTCVendor advisory
  36. 2026-06-09 14:37 UTCGHSA enrichment
  37. 2026-06-09 02:18 UTCEG score recompute
  38. 2026-06-09 02:18 UTCVendor advisory
  39. 2026-06-09 02:18 UTCGHSA enrichment
  40. 2026-06-08 12:50 UTCEG score recompute
  41. 2026-06-08 12:50 UTCVendor advisory
  42. 2026-06-08 12:49 UTCGHSA enrichment
  43. 2026-06-08 00:31 UTCEG score recompute
  44. 2026-06-08 00:31 UTCVendor advisory
  45. 2026-06-08 00:30 UTCGHSA enrichment
  46. 2026-06-07 15:25 UTCEPSS rescore
  47. 2026-06-07 15:25 UTCEPSS rescore
  48. 2026-06-07 12:11 UTCEG score recompute
  49. 2026-06-07 12:11 UTCVendor advisory
  50. 2026-06-07 12:11 UTCGHSA enrichment
  51. 2026-06-06 23:52 UTCEG score recompute
  52. 2026-06-06 23:52 UTCVendor advisory
  53. 2026-06-06 23:52 UTCGHSA enrichment
  54. 2026-06-06 13:47 UTCEPSS rescore
  55. 2026-06-06 13:47 UTCEPSS rescore
  56. 2026-06-06 11:33 UTCEG score recompute
  57. 2026-06-06 11:33 UTCVendor advisory
  58. 2026-06-06 11:33 UTCGHSA enrichment
  59. 2026-06-05 23:14 UTCEG score recompute
  60. 2026-06-05 23:14 UTCVendor advisory
  61. 2026-06-05 23:13 UTCGHSA enrichment
  62. 2026-06-05 22:47 UTCEPSS rescore
  63. 2026-06-05 10:53 UTCEG score recompute
  64. 2026-06-05 10:53 UTCVendor advisory
  65. 2026-06-05 10:52 UTCGHSA enrichment
  66. 2026-06-05 06:10 UTCEPSS rescore
  67. 2026-06-05 06:10 UTCEPSS rescore
  68. 2026-06-04 22:33 UTCEG score recompute
  69. 2026-06-04 22:33 UTCVendor advisory
  70. 2026-06-04 22:33 UTCGHSA enrichment
  71. 2026-06-04 13:12 UTCEPSS rescore
  72. 2026-06-04 13:12 UTCEPSS rescore
  73. 2026-06-04 10:14 UTCEG score recompute
  74. 2026-06-04 10:14 UTCVendor advisory
  75. 2026-06-04 10:14 UTCGHSA enrichment

Publicly available exploits

(10 references)

Working exploit code is in the public domain (8 GitHub PoCs) (2 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

  • Exploit-DBEDB-52591
    First seen May 29, 2026

    Linux Kernel - Local Privilege Escalation

    Open source ↗
  • Exploit-DBEDB-52585
    First seen May 27, 2026

    Linux Kernel - Local Privilege Escalation

    Open source ↗
  • GitHub PoCjayhutajulu1/CVE-2026-43284-DirtyFrag-PoC
    First seen May 26, 2026

    Proof-of-concept for CVE-2026-43284 — 4-byte XFRM/ESP page-cache write primitive to patch a setuid binary (x86_64, user namespaces). Includes kernel preflight + SUID scan.

    Open source ↗
  • GitHub PoCliamromanis101/DirtyFrag-Detector
    First seen May 11, 2026

    CVE-2026-43284/CVE-2026-43500 'DirtyFrag' Benign patch & mitigation detection script

    Open source ↗
  • GitHub PoClinnemanlabs/dirtyfrag-arm64
    First seen May 10, 2026

    arm64/aarch64 port of V4bel/dirtyfrag (CVE-2026-43284). ESP-only - rxrpc path kernel-oopses on arm64 due to flush_dcache_page

    Open source ↗
  • GitHub PoChaydenjames/dirty-frag-check
    First seen May 9, 2026

    Read-only checker for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) Linux kernel local-root vulns

    Open source ↗
  • GitHub PoC0xBlackash/CVE-2026-43284
    First seen May 8, 2026

    CVE-2026-43284

    Open source ↗
  • GitHub PoCPercivalll/Dirty-Frag-Kubernetes-PoC
    First seen May 8, 2026

    A proof-of-concept demonstrating how a default, unprivileged Kubernetes Pod can achieve node-level code execution on Amazon EKS by exploiting the Dirty Frag (CVE-2026-43284) Linux kernel page-cache corruption vulnerability through shared container image layers.

    Open source ↗
  • GitHub PoCmym0us3r/DIRTY-FRAG-Detection-with-Wazuh-4.14.4
    First seen May 8, 2026

    Wazuh 4.14.4 detection rules for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) - Linux Local Privilege Escalation via page cache write

    Open source ↗
  • GitHub PoCAK777177/Dirty-Frag-Analysis
    First seen May 8, 2026

    Dirty Frag (CVE-2026-43284/43500) - Linux Kernel LPE Deep Technical Analysis by Bomb

    Open source ↗

Frequently asked(5)

What is CVE-2026-43284?
CVE-2026-43284 is a high vulnerability published on May 8, 2026. In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSGSPLICEPAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFLSHAREDFRAG after skbsplicefrom_iter(), so later paths that may modify packet data…
When was CVE-2026-43284 disclosed?
CVE-2026-43284 was first published in the National Vulnerability Database on May 8, 2026, with the most recent update on July 2, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-43284 actively exploited?
CVE-2026-43284 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 99.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-43284?
CVE-2026-43284 has a CVSS v4.0 base score of 8.8 (CNA self-assessment; NVD's own analysis pending). EchelonGraph synthesises NVD + CISA KEV + FIRST EPSS + GHSA into a combined EG score of 9.0.
How do I remediate CVE-2026-43284?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-43284, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-43284

Explore →

Is Your Infrastructure Affected by CVE-2026-43284?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.