Dirty Frag: Linux kernel hit by second major security flaw in two weeks
A second major Linux vulnerability has been disclosed in as many weeks, this time by an independent security researcher who published a working exploit after a coordinated disclosure embargo collapsed.
Nicknamed “Dirty Frag,” the issue was found in the same area of the Linux kernel that produced last month’s Copy Fail bug, and also allows anyone with a basic account on an affected computer to seize full administrative control.
Copy Fail had prompted concern as it provided hackers with an escape route from cloud containers, meaning a compromised application running inside a supposedly isolated environment can break out and take control of the entire host server — a major risk given the cloud industry’s dependence on Linux distributions.
Dirty Frag also allows for container escape, and similarly affects nearly all Linux distributions in use today. It was discovered by Hyunwoo Kim, and exploits the same underlying design flaw in how Linux manages files in memory.
Theori, the firm that discovered Copy Fail with the assistance of its own AI tooling, separately noted at the time that its own scanning had surfaced additional vulnerabilities in the same area of the kernel, although these remained under private disclosure.
Kim reported the flaw he discovered privately to Linux maintainers on April 30, giving them time to prepare patches as per the standard coordinated disclosure process.
But, on May 7, Kim said “an unrelated third party independently published the exploit,” prompting him to release his full writeup and his own working exploit on the same day. It is not known who the third party is.
“Because the embargo has currently been broken, no patch or CVE exists,” Kim wrote on the oss-security mailing list, adding that after consulting Linux maintainers, and at their request, he had decided to publish his writeup.
The Dirty Frag flaw is being tracked as two linked vulnerabilities — CVE-2026-43284 and CVE-2026-43500 — each affecting a different part of the Linux kernel's networking code. According to Kim's writeup, neither flaw is sufficient for a reliable attack on its own; chaining both is what makes the exploit work consistently.
Like Copy Fail, the attack corrupts files in memory without touching the originals on disk, leaving standard security monitoring tools unable to detect it.
Red Hat confirmed both flaws affect its enterprise Linux products and issued an advisory, classifying them as Important severity and expediting patches across supported RHEL releases. AlmaLinux and Ubuntu both published patches and mitigations by May 8. SUSE, Debian, Fedora and Amazon Linux had all acknowledged the issue with patches in progress.
Looming patch wave
The Copy Fail and Dirty Frag disclosures are an early illustration of a problem Britain's National Cyber Security Centre had warned about just days earlier, when the agency’s chief technology officer Ollie Whitehouse said AI tools were about to prompt a surge of urgent software updates.
Whitehouse explained that the tools, in the hands of skilled researchers, were beginning to expose the enormous scale of “technical debt” — effectively insecure or outdated code — embedded in critical infrastructure.
AI tools have compressed the time it takes to discover latent vulnerabilities that have accumulated over the past few decades, turning what would once have taken years of vulnerability hunting into a much shorter period of work.
The patching process — which for open source software like Linux depends on a global network of volunteer and corporate maintainers, each responsible for their own distribution — can struggle to keep up even under ideal conditions. When an embargo breaks, as happened with Dirty Frag, the window maintainers have to prepare patches before public disclosure disappears entirely.
That strain is visible elsewhere in the open source community.
In March, HackerOne paused its bug bounty program citing a “worsening imbalance between vulnerability discoveries and the ability for open source maintainers to remediate them,” and attributing the shift to AI-assisted research expanding the speed and volume of vulnerability discovery.
“This is why we are encouraging all organisations to prepare now for when a ‘patch wave’ arrives,” Whitehouse wrote in his blog, describing the agency’s expectation that there was going to be a rush of software updates requiring urgent application across entire technology stacks.
The NCSC said that administrators preparing for a patch wave now could help limit disruption later, warning that delays in applying fixes during periods of heightened vulnerability discovery could significantly increase the risk of compromise.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79



