Dirty Frag: Memory Corruption in the Linux IPv6 Stack (CVE-2026-43500)

Dirty Frag is the collective name for two vulnerabilities, CVE-2026-43500 and CVE-2026-43284, which affect the Linux kernel's handling of fragmented IPv6 packets. Similar to the previously discussed Copy Fail vulnerability, Dirty Frag allows a local attacker to bypass memory protections and gain root privileges. While Copy Fail targets the page cache, Dirty Frag exploits the kernel's network reassembly queue to trigger heap corruption.
Technical Analysis: IPv6 Reassembly Race
The core of the issue lies in the ip6_frag_reasm function within the kernel's networking stack. When an IPv6 packet is larger than the path MTU, the sender splits it into fragments. The receiving kernel must store these fragments in a reassembly queue until every fragment of the original packet has arrived.
A race condition was introduced in early 2025 during an update to the sk_buff (socket buffer) management logic. This update was intended to improve the efficiency of handling out-of-order fragments. However, it created a window where multiple threads could modify the same reassembly queue simultaneously.
An attacker can send a series of specially crafted, overlapping IPv6 fragments. By timing these fragments correctly, they can trigger the race condition, which causes the kernel to miscalculate the total length of the reassembled packet. When the kernel eventually merges the fragments into a single contiguous buffer, the merge writes past the end of that buffer.
Memory Corruption and sk_buff Mismanagement
The second component of the attack, CVE-2026-43284, involves how the kernel manages the lifecycle of the sk_buff structures during this failed reassembly. The out-of-bounds write occurs on the kernel heap. By carefully controlling the size and content of the overlapping fragments, an attacker can overwrite adjacent kernel objects.
In a typical exploit scenario, the attacker targets structures that contain function pointers. Overwriting these pointers allows the attacker to redirect kernel execution to a location of their choosing. This technique is used to bypass modern kernel security features like Supervisor Mode Execution Prevention (SMEP) and achieve arbitrary code execution in kernel mode.
Parallels with Copy Fail
There are significant architectural parallels between Dirty Frag and the Copy Fail vulnerability. Both exploit scenarios where the kernel attempts to perform a low-level data transfer without adequate validation of the destination's state or permissions.
- Copy Fail uses the crypto API to trick the kernel into writing to the Page Cache of a read-only file.
- Dirty Frag uses the network stack to trick the kernel into writing past the bounds of a heap-allocated buffer.
In both cases, the vulnerability allows an unprivileged local user to force the kernel into an illegal state that leads to full system compromise.
Timeline of Events
The progression of Dirty Frag from discovery to mitigation is documented in the table below.
| Date | Event |
|---|---|
| Feb 03, 2025 | Introduction of the flawed reassembly logic in the IPv6 stack. |
| Mar 20, 2026 | Initial discovery of the race condition during stress testing. |
| Apr 15, 2026 | CVE-2026-43500 and CVE-2026-43284 are assigned. |
| May 02, 2026 | Technical whitepaper on the "Dirty Frag" exploit is published. |
| May 04, 2026 | Upstream patches are merged into the Linux stable tree. |
| May 06, 2026 | Major Linux distributions release security updates. |
| May 08, 2026 | Widespread exploitation attempts are observed in the wild. |
Impact and Remediation
The Dirty Frag vulnerability is rated critical because of the ubiquity of IPv6 and the reliability of the exploit on multi-core systems, where the race window is easier to hit. All systems running Linux kernel versions from early 2025 until the May 2026 patch cycle are affected.
Remediation requires updating the Linux kernel to a version that includes the fixes for ip6_frag_reasm and sk_buff management. These patches introduce new locking mechanisms to prevent simultaneous access to the reassembly queue and add stricter validation for overlapping fragments. A system reboot is necessary to ensure the patched kernel is in use.
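The two checks the article attributes to the fix, rejecting overlapping fragments and validating the total length before the merge, can be illustrated with a small reassembly-queue model. This is an added example written for this article, not kernel code and not the upstream patch; the `Fragment` and `ReassemblyQueue` names are invented, and the overlap rule follows RFC 5722 (any overlap discards the datagram).

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_IPV6_PAYLOAD = 65535  # upper bound on a reassembled IPv6 payload


@dataclass
class Fragment:
    offset: int      # byte offset of this fragment's payload within the datagram
    payload: bytes
    more: bool       # the M (More Fragments) flag from the Fragment header


@dataclass
class ReassemblyQueue:
    """Toy per-datagram fragment queue (hypothetical model, not the kernel's)."""
    frags: List[Fragment] = field(default_factory=list)
    total_len: Optional[int] = None  # known once the final fragment (M=0) arrives

    def add(self, frag: Fragment) -> None:
        end = frag.offset + len(frag.payload)
        if end > MAX_IPV6_PAYLOAD:
            raise ValueError("fragment extends past maximum datagram size")
        # RFC 5722: any overlap with a queued fragment invalidates the datagram,
        # so no later merge can be fed inconsistent offsets.
        for f in self.frags:
            if frag.offset < f.offset + len(f.payload) and f.offset < end:
                raise ValueError(f"overlapping fragment at offset {frag.offset}")
        if not frag.more:
            if self.total_len is not None and self.total_len != end:
                raise ValueError("conflicting final fragment")
            self.total_len = end
        elif self.total_len is not None and end > self.total_len:
            raise ValueError("fragment extends past declared total length")
        self.frags.append(frag)

    def complete(self) -> bool:
        # Fragments are disjoint and bounded by total_len, so equal sums mean full coverage.
        return self.total_len is not None and \
            sum(len(f.payload) for f in self.frags) == self.total_len

    def reassemble(self) -> bytes:
        if not self.complete():
            raise ValueError("datagram incomplete")
        buf = bytearray(self.total_len)  # allocated from the validated length
        for f in self.frags:
            buf[f.offset:f.offset + len(f.payload)] = f.payload
        return bytes(buf)


def try_add(q: ReassemblyQueue, frag: Fragment) -> bool:
    """Return True if the queue accepted the fragment, False if it rejected it."""
    try:
        q.add(frag)
        return True
    except ValueError:
        return False
```

Because the buffer is sized only after the final fragment fixes `total_len` and every queued fragment has been checked against it, the copy loop in `reassemble` cannot run past the allocation.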


