Number: AL26-011
Date: May 8, 2026
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (Cyber Centre) is also available to provide additional assistance regarding the content of this Alert upon request.
Details
The Cyber Centre is aware of security vulnerabilities affecting Linux-based operating systems, identified as CVE-2026-43284 [Footnote 1] and CVE-2026-43500 [Footnote 2].
CVE-2026-43284 is a Linux kernel Write-what-where Condition vulnerability (CWE-123) [Footnote 3] that may allow a local attacker to execute arbitrary code.
CVE-2026-43500 is a Linux kernel local privilege escalation (LPE) vulnerability in the RxRPC subsystem that may allow a local attacker to escalate privileges.
Public reporting and Linux kernel security advisories [Footnote 4] [Footnote 5] [Footnote 6] [Footnote 7] [Footnote 8] [Footnote 9] indicate that these vulnerabilities originate in the Linux kernel and may, under certain conditions, allow privilege escalation to root or bypass of isolation mechanisms.
Publicly referred to as “Dirty Frag”, CVE-2026-43284 and CVE-2026-43500 can be chained to allow a local unprivileged user to gain root access [Footnote 10]. Chained with a remote code execution vulnerability, these vulnerabilities are even more significant and need to be prioritized for patching.
The Cyber Centre is aware of working, publicly available proofs of concept (PoC) exploiting these vulnerabilities [Footnote 11].
Suggested actions
As of May 8, 2026, no universal fix has been released across all stable kernels for CVE-2026-43284 and CVE-2026-43500.
The Cyber Centre recommends that organizations identify and apply the recommended mitigations until patches become available.
Affected environments include, but are not limited to:
- Enterprise Linux distributions (Red Hat Enterprise Linux, Rocky Linux, AlmaLinux, Oracle Linux, Fedora and CentOS Stream)
- Debian-based distributions (Debian, Ubuntu)
- SUSE-based distributions (SUSE Linux Enterprise, openSUSE)
- Other Linux systems running vulnerable kernel versions
Organizations should consult their respective distribution maintainers for version-specific impact and mitigation guidance. Organizations can determine whether systems may be affected by CVE-2026-43284 and CVE-2026-43500 by:
- Identifying the running Linux kernel version using the uname -r command, and whether that kernel includes:
  - ESP/XFRM IPsec support
  - UDP ESP‑in‑UDP receive paths
  - RXRPC enabled
- Checking whether the affected kernel modules are currently loaded by running lsmod | egrep '^(esp4|esp6|rxrpc)\b' or grep -qE '^(esp4|esp6|rxrpc) ' /proc/modules. No output indicates the modules are not currently loaded, but organizations should also confirm whether the modules are available to load and review vendor guidance, as module availability and default exposure vary by distribution.
Until vendor patches are available, the Cyber Centre recommends that organizations:
- Disable vulnerable kernel modules (esp4, esp6 and rxrpc) if not required by running sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true" or by following distro-specific guidance when available [Footnote 9] [Footnote 12].
  - Note: Disabling esp4 and esp6 may break IPsec. Disabling rxrpc may impact AFS-based systems.
  - Regenerate the initramfs images to prevent the modules from being loaded during early boot by running sudo update-initramfs -u -k all or follow vendor-specific guidance when available.
- Restrict local and remote access to affected systems, particularly in shared or multi-tenant environments
- Review and limit administrative privileges, including sudo and role-based access
- Monitor authentication, system, and kernel logs for signs of privilege escalation or abnormal activity
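The module checks and the modprobe.d mitigation described above can be verified together. The following script is an added example, not part of the Cyber Centre alert: it classifies esp4, esp6 and rxrpc as builtin, loaded, loaded-blocked, blocked, loadable or absent. The function names, the state names and the script name are hypothetical, and it assumes install rules live in the single modprobe.d directory passed in and that the kernel module directory holds the standard modules.builtin and modules.dep files.

```shell
#!/bin/sh
# Added example (not from the alert): classify each module the alert names.
# All paths are parameters so the functions also work on offline copies.
MODULES="esp4 esp6 rxrpc"

# Listed in /proc/modules format ("name size refcount ...")?
is_loaded() { grep -qE "^$1 " "$2"; }

# Has an "install <mod> /bin/false" rule (or /bin/true) in modprobe.d?
is_blocked() {
    grep -qsE "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)" "$2"/*.conf
}

# Compiled into the kernel image? modprobe.d rules and rmmod do not apply.
is_builtin() { grep -qsE "/$1\.ko\$" "$2/modules.builtin"; }

# Present on disk as a loadable module (possibly compressed: .ko.xz, .ko.zst)?
is_on_disk() { grep -qsE "/$1\.ko[^:]*:" "$2/modules.dep"; }

# module_state MOD PROC_MODULES MODPROBE_DIR KERNEL_MODULE_DIR
module_state() {
    if is_builtin "$1" "$4"; then echo builtin
    elif is_loaded "$1" "$2"; then
        if is_blocked "$1" "$3"; then echo loaded-blocked   # rule set, still resident
        else echo loaded; fi
    elif is_blocked "$1" "$3"; then echo blocked
    elif is_on_disk "$1" "$4"; then echo loadable           # can still be loaded on demand
    else echo absent
    fi
}

# report PROC_MODULES MODPROBE_DIR KERNEL_MODULE_DIR -> one "module state" line each
report() {
    for m in $MODULES; do
        echo "$m $(module_state "$m" "$1" "$2" "$3")"
    done
}

# Live use: sh dirtyfrag-check.sh --live
if [ "${1:-}" = "--live" ]; then
    report /proc/modules /etc/modprobe.d "/lib/modules/$(uname -r)"
fi
```

A state of loaded-blocked means the install rule is in place but the module stays resident until it is removed with rmmod or the system reboots. A state of builtin means the code is compiled into the kernel, so the modprobe.d rule has no effect and vendor guidance is needed.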
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions with an emphasis on the following topics [Footnote 13]:
- Patch operating systems and applications
- Enforce the management of administrative privileges
- Harden operating systems and applications
- Segment and separate information
Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal, or email contact@cyber.gc.ca.