Security Alert: “Dirty Frag” Linux Kernel Vulnerability — Patch Your Servers Now

Severity: Critical
Affected Systems: All AlmaLinux releases (8, 9, 10, Kitten 10)

What Is Dirty Frag?

A critical Linux kernel vulnerability — dubbed Dirty Frag — has been publicly disclosed by security researcher Hyunwoo Kim. It affects the in-place decryption fast paths of the esp4, esp6, and rxrpc kernel modules (IPsec ESP and rxrpc).

The flaw allows an unprivileged local user to gain root access on affected systems. With a working exploit already publicly available, this is not a wait-and-see situation.

Two CVEs have been assigned:

CVE-2026-43284 — IPsec ESP (esp4 / esp6)
CVE-2026-43500 — rxrpc kernel module

A second public exploit — Copy Fail 2: Electric Boogaloo — also targets this same vulnerability through identical code paths.

Who Is at Risk?

This vulnerability is especially dangerous if your server is

A multi-tenant host with multiple users
A container build farm or CI runner
Any system where untrusted users can access a shell.

Every supported AlmaLinux version is affected. The exploit is trivial to execute and public.

How to Fix It (Patched Kernels Available Now)

AlmaLinux has released patched kernels ahead of Red Hat/RHEL, available in the testing repository today.

Step 1 — Install the testing repo

sudo dnf install -y almalinux-release-testing

Step 2 — Update the kernel

sudo dnf update 'kernel*' --enablerepo=almalinux-testing

Step 3 — Reboot

sudo reboot

Step 4 — Confirm the patched version

uname -r

Patched Kernel Versions:

AlmaLinux 8 — kernel-4.18.0-553.123.2.el8_10 or newer
AlmaLinux 9 — kernel-5.14.0-611.54.3.el9_7 or newer
AlmaLinux 10 — kernel-6.12.0-124.55.2.el10_1 or newer
AlmaLinux Kitten 10 — available directly in the regular repo, just update and reboot

Note for Kitten 10 users: No testing repo needed. Run sudo dnf update ‘kernel*’ and reboot.

Can’t Reboot Right Now? Apply This Temporary Mitigation

If an immediate reboot is not possible, you can block the vulnerable modules from loading:

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

This prevents esp4, esp6, and rxrpc from loading and unloads them if currently active. It is safe to run on all supported AlmaLinux releases.

!Do not use this mitigation if your system actively uses IPsec ESP or AFS/rxrpc — those services will break. The permanent fix is to install the patched kernel and reboot.

If you suspect your system may have already been targeted, drop the page cache to evict any potentially corrupted pages:

sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'

To revert the module blacklist, simply remove /etc/modprobe.d/dirtyfrag.conf

Additional Notes

If you have kernel-modules-partner installed, remove it — it ships the rxrpc module and is not intended for production systems

sudo dnf remove kernel-modules-partner

After updating in a production environment, disable the testing repo

sudo dnf config-manager --disable almalinux-testing

Summary — What You Need to Do

Update your kernel immediately using the steps above. Reboot to load the patched kernel. If you cannot reboot yet, apply the module blacklist mitigation. Remove kernel-modules-partner if installed on production systems. Monitor for the patch to move from testing to production repositories.

Need a Reliable Linux VPS?

Incidents like Dirty Frag are a reminder of how important it is to have full control over your server environment. With an AlexHost VPS, you get root access, your choice of OS including AlmaLinux, and the flexibility to apply critical security patches the moment they drop — without waiting on anyone else.

Explore AlexHost VPS Plans — fast deployment, competitive pricing, and Linux-ready out of the box.

Source: AlmaLinux Official Security Blog — https://almalinux.org/blog/2026-05-07-dirty-frag/