A security expert’s disclosure details how page-cache flaws in xfrm-ESP and RxRPC can be exploited to achieve deterministic root access.
On 7 May 2026, a security expert, Hyunwoo Kim (known online as @v4bel), shared how he discovered a devastating zero day vulnerability in the Linux kernel that lets any ordinary user escalate to full root access across virtually all major distributions of the operating system.
The disclosure was made after an unexpected third-party leak derailed the planned coordinated disclosure. As of 10 May 2026, no official patches have been rolled out by any vendor, leaving system administrators in a bind.
At the moment, only makeshift workarounds are being explored to stem potential attacks on servers, cloud platforms, and desktops worldwide.
A zero day called “Dirty Frag”
At its core, the zero-day vulnerability links two subtle page-cache manipulation flaws: one lurking in the xfrm-ESP handling for IPsec traffic, and another in the RxRPC transport used by advanced file-sharing systems:
- Attackers weaponize the kernel’s efficient zero-copy send feature, where the splice() system call slips a reference to a cached read-only page — think critical files such as /usr/bin/su or /etc/passwd — straight into a network buffer’s “frag” slot.
- On the receiving end, the kernel runs cryptographic transformations right on that shared memory page, permanently corrupting the cached file contents without triggering traditional protections.
- What sets this apart from typical exploits is its rock-solid determinism: no fragile race conditions or timing tricks required. Success rates hover near 100%, and Kim has shared a GitHub proof-of-concept that elevates privileges with literally one command, making it a nightmare for unpatched environments.
On 30 April 2026, Kim notified security@kernel.org about the zero day he dubbed “Dirty Frag”, and on 7 May 2026 he posted comprehensive details to the Linux-distros mailing list, with a reasonable five-day embargo aimed at May 12 for patch releases. Mere hours later, disaster struck when an independent actor dissected an already-public netdev commit fix and dropped their own exploit repo, cheekily dubbed “Copy Fail 2: Electric Boogaloo.” They insisted it stemmed from open-source analysis, not any insider leak from Kim’s process.
After huddling with distro maintainers, Kim opted for full transparency, releasing docs, analysis, and exploit code to empower defenders amid the chaos.
Current mitigation procedures
Patchless defenses center on blacklisting the culprits: the esp4, esp6, and rxrpc kernel modules.
Red Hat stresses this kills IPsec tunnels dependent on kernel-level data paths, so admins should test rigorously outside production first.
CloudLinux points out rxrpc — tied mostly to niche AFS clients — skips standard web-hosting setups, softening the blow there. Notably, Dirty Frag is not covered by the fixes for “Copy Fail” (CVE-2026-31431), a sibling vulnerability from just a week prior that was addressed by blocklisting algif_aead in the same subsystem.
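As an added example that is not part of the article or of any vendor advisory, the following POSIX shell script applies the module blocklist described above and reports which of the named modules are currently loaded; the function names and the DIRTY_FRAG_MODULES variable are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article or any vendor advisory): write a
# modprobe.d blocklist for the three modules named in the article and
# check whether any of them is loaded right now.
DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# write_module_blocklist FILE
# Emits a "blacklist" line (stops alias-based autoloading) and an
# "install <mod> /bin/false" line (makes even an explicit modprobe of
# the module fail) for each module.
write_module_blocklist() {
    file="$1"
    : > "$file" || return 1
    for mod in $DIRTY_FRAG_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" >> "$file"
    done
    return 0
}

# loaded_dirty_frag_modules [PROC_MODULES]
# Prints each listed module that appears in /proc/modules (or in the
# given file, which lets the check run against a captured copy).
# Returns 0 when none of them is loaded, 1 otherwise.
loaded_dirty_frag_modules() {
    modules_file="${1:-/proc/modules}"
    found=0
    for mod in $DIRTY_FRAG_MODULES; do
        # /proc/modules lists one module per line, name in column 1.
        if awk -v m="$mod" '$1 == m { f=1 } END { exit !f }' "$modules_file"; then
            echo "$mod"
            found=1
        fi
    done
    return "$found"
}

# Typical use as root: write the blocklist, then unload anything that is
# already resident with 'modprobe -r', since the blocklist only affects
# future loads.
# write_module_blocklist /etc/modprobe.d/dirty-frag-blocklist.conf
# loaded_dirty_frag_modules || echo "one or more affected modules still loaded"
```

The blocklist disables kernel-level IPsec data paths, so run the check on a test host and confirm nothing depends on esp4/esp6 before rolling it out.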
Red Hat formally tracks Kim’s discovery as CVE-2026-43284, pegging its reach to about nine years of kernel releases.
The fallout underscores deepening worries over Linux kernel networking crypto paths, especially post-Copy Fail. Organizations should lock down local user accounts, watch for tampering in su binaries or passwd files, and segregate exposed systems.