Lead Story | HIGH — CVSS 7.8 (Canonical) | Cloud+DevOps · IT Ops · Enterprise
Dirty Frag: Chained Linux Kernel LPE With Public PoC and Suspected Active Exploitation — Patch Both CVEs
Researcher Hyunwoo Kim reported two page-cache write vulnerabilities to kernel maintainers in late April; public disclosure followed May 7. The flaws affect Linux kernels going back to 2017. Chained, they yield root in a single command on every major distribution. Mainline patches exist for both CVEs; distribution packages for CVE-2026-43500 are still rolling out.
CVE-2026-43284 is a logic bug in the in-place decryption path of the kernel’s IPsec ESP modules (esp4 and esp6); it yields a controlled 4-byte write into the page cache of any readable file. CVE-2026-43500 is a related but distinct bug in the rxrpc subsystem — it contributes the namespace privilege the ESP path needs to complete the escalation. The two primitives are complementary: neither alone is a complete root path. Chained, they produce a deterministic privilege escalation that is reliable on default system configurations, though environments with AppArmor user-namespace restrictions or restrictive seccomp profiles constrain certain exploit paths. A public proof-of-concept achieves root in a single command.
As of May 11, Microsoft reported seeing limited in-the-wild activity involving privilege escalation — noting the observed activity may be associated with Dirty Frag or Copy Fail rather than confirming Dirty Frag specifically (Help Net Security, May 11, 2026). Ubuntu (all supported LTS releases), RHEL 8/9/10, CentOS Stream, AlmaLinux, Fedora, and openSUSE have all published advisories. The xfrm-ESP flaw traces to a 2017 kernel optimisation commit; the rxrpc flaw to June 2023. Any distribution shipping kernels from that window is in scope — essentially the entire enterprise Linux landscape, including cloud-hosted workloads.
A mainline patch for CVE-2026-43284 was published May 8; a mainline patch for CVE-2026-43500 (commit aa54b1d27fe0) merged on May 10. Distribution packages for CVE-2026-43500 are still rolling out — check your distribution’s advisory. Until patched kernels are available for both CVEs, blacklist the three affected modules (esp4, esp6, and rxrpc) via /etc/modprobe.d/. Most cloud and enterprise Linux workloads do not use these modules in normal operation. Tenable → Red Hat → Microsoft →
Key Takeaway: Apply kernel patches for both CVEs from your distribution. CVE-2026-43284 packages are available now; CVE-2026-43500 packages are still rolling out — check your distribution’s advisory. Blacklist esp4, esp6, and rxrpc via /etc/modprobe.d/ on any host where you cannot immediately patch. The PoC is public, suspected active exploitation is reported, and any Linux host that gives unprivileged users local shell access is at risk.
Quick Hits
01
Bleeding Llama: Ollama GGUF Flaw Leaks API Keys and Conversation Data from 300,000 Exposed AI Servers
CVE-2026-7482 (CVSS 9.1) sits in Ollama’s GGUF model loader. When an attacker submits a crafted model file to the unauthenticated /api/create endpoint with a malformed tensor size, the loader reads beyond the end of the allocated heap buffer. What spills out is whatever the Ollama process had in memory at that moment: environment variables, API keys, system prompts, and fragments of other users’ sessions. Cyera researchers (who named it “Bleeding Llama”) found approximately 300,000 Ollama servers exposed on the public internet. The fix was quietly included in version 0.17.1 with no security label in the release notes — which is why so many servers are still running the vulnerable build. Upgrade to 0.17.1 or later immediately. Cyera →
Critical — CVSS 9.1 | Dev · Cloud+DevOps

02
May Patch Tuesday Releases Today at 1pm ET — The Secure Boot Deadline Is Now 43 Days Out
Microsoft’s May 2026 security advisory publishes today at 1pm ET. The most time-sensitive element is separate from today’s CVE list: Windows Secure Boot certificates issued in 2011 begin expiring June 24, 2026 — 43 days from today. Devices that have not applied the updated certificate chain via Windows Update will enter a degraded security state: existing software continues to function, but the device loses the ability to receive future Secure Boot updates and boot-level protections. May’s Patch Tuesday is the recommended deployment window for this update, leaving just enough runway for testing and rollout before the hard deadline. Review the full advisory at MSRC when it publishes, confirm the Secure Boot certificate update is in your deployment queue, and track completion across all Windows infrastructure. MSRC →
Advisory | IT Ops · Enterprise
CVE Watch
Patch of the Day
CVE-2026-43284 | CVSS 7.8 (Canonical)
Dirty Frag — Linux Kernel LPE via IPsec ESP Page-Cache Write
An unprivileged local user on any affected Linux host can trigger the bug by routing an IPsec ESP packet through a socket buffer whose backing pages are shared with userspace — achievable via splice(2) or sendfile(2). Under those conditions, the kernel’s IPsec decryption path (esp4/esp6) writes into pages it does not exclusively control, giving the attacker a controlled 4-byte write anywhere in the file page cache. Paired with CVE-2026-43500 — a related but distinct bug in the rxrpc subsystem that contributes the namespace privilege — the two primitives complete a deterministic root escalation. Researcher: Hyunwoo Kim (@v4bel). Reported late April 2026; publicly disclosed May 7, 2026.
Vendor: Linux kernel (esp4/esp6) · Patched: May 8, 2026 (distro advisories available) · CISA KEV: Not confirmed at time of writing · Exploited: Limited in-the-wild activity reported May 11; possibly Dirty Frag or Copy Fail (Microsoft, via Help Net Security)
Compliance Tip of the Day
(ISC)² CISSP Domain 3 — Security Architecture and Engineering
Kernel Module Restrictions Are Your Dirty Frag Safety Net
Dirty Frag exploits esp4, esp6, and rxrpc — modules that most cloud and enterprise Linux workloads never load in normal operation. Blacklisting them eliminates the attack surface entirely on those hosts. This is the principle of least functionality applied at the kernel layer: components not required for the system’s defined role should not be loaded. Domain 3 covers how security is engineered into system architecture at the foundational layer — privilege ring separation, memory protection domains, and kernel hardening all belong here. The Dirty Frag interim mitigation works precisely because that principle was applied. Study point: Review NIST SP 800-123 (Guide to General Server Security) for OS hardening principles, particularly the sections on reducing attack surface by disabling unnecessary services and components — the principle that underpins the Dirty Frag module blacklist mitigation. Supplement with the CIS Linux Benchmark for contemporary kernel hardening specifics. Both documents map to CISSP Domain 3 exam objectives.
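The interim mitigation named in the lead story's key takeaway and in this compliance tip is a modprobe blacklist of esp4, esp6, and rxrpc. The script below is an added example (not from the newsletter, a distribution advisory, or the researcher) that generates that /etc/modprobe.d/ fragment and checks lsmod-style output for the three modules. The module names come from the newsletter; the file name dirty-frag-mitigation.conf, the `install <module> /bin/false` line (a common hardening idiom that goes beyond the newsletter's literal "blacklist"), and the sample lsmod output are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the newsletter or any distribution advisory:
# generate the /etc/modprobe.d/ fragment for the Dirty Frag interim mitigation
# and check lsmod-style output for the three modules it names.
# Assumptions: module names (esp4, esp6, rxrpc) are from the newsletter; the
# file name dirty-frag-mitigation.conf is this example's choice.

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Print the modprobe.d content. "blacklist" only stops alias-based autoloading;
# "install <mod> /bin/false" (a common CIS-style hardening idiom, beyond the
# newsletter's literal wording) also makes an explicit modprobe request fail.
dirty_frag_blacklist_conf() {
  for m in $DIRTY_FRAG_MODULES; do
    printf 'blacklist %s\n' "$m"
    printf 'install %s /bin/false\n' "$m"
  done
}

# Read lsmod output on stdin and print each affected module that is loaded.
# Exit status 0 = none loaded, 1 = at least one loaded. A blacklist file does
# not unload an already-loaded module, so a hit here means "unload or reboot".
dirty_frag_loaded_modules() {
  found=0
  while read -r name _rest; do
    for m in $DIRTY_FRAG_MODULES; do
      if [ "$name" = "$m" ]; then
        echo "$name"
        found=1
      fi
    done
  done
  return $found
}

# Constructed lsmod sample for an offline run (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   24576  0
xfrm_user              49152  1
rxrpc                 147456  0'

# Usage on a real host (root required for --install):
#   sh mitigate.sh --install
#   lsmod | sh mitigate.sh --check
case "${1:-}" in
  --install)
    dirty_frag_blacklist_conf > /etc/modprobe.d/dirty-frag-mitigation.conf
    echo "wrote /etc/modprobe.d/dirty-frag-mitigation.conf" ;;
  --check)
    dirty_frag_loaded_modules ;;
esac
```

Run `--install` first, then `lsmod | sh mitigate.sh --check`: the fragment prevents future loads, but any module the check still reports must be removed with `rmmod` (or the host rebooted) before the blacklist closes the attack surface on that machine.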