{"id":4360,"date":"2026-05-09T12:20:28","date_gmt":"2026-05-09T12:20:28","guid":{"rendered":"https:\/\/www.copahost.com\/blog\/?p=4360"},"modified":"2026-05-09T12:20:33","modified_gmt":"2026-05-09T12:20:33","slug":"dirty-frag-cve-2026-43284","status":"publish","type":"post","link":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/","title":{"rendered":"&#8220;Dirty Frag&#8221; (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now"},"content":{"rendered":"\n<p>Eight days after Copy Fail shook the Linux server world, another critical vulnerability has arrived \u2014 and this one also hands root access to anyone who can run code on your server.<\/p>\n\n\n\n<p>It is called <strong>&#8220;Dirty Frag&#8221;<\/strong>. It was publicly disclosed on May 7, 2026. A working exploit already exists. And if your server has not been patched and rebooted since May 8, it is vulnerable right now.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_69_1 ez-toc-wrap-center counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#What_is_Dirty_Frag\" title=\"What is Dirty Frag?\">What is Dirty Frag?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#How_it_connects_to_Copy_Fail\" title=\"How it connects to Copy Fail\">How it connects to Copy Fail<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#Who_is_affected\" title=\"Who is affected?\">Who is affected?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#The_fix_%E2%80%94_step_by_step\" title=\"The fix \u2014 step by step\">The fix \u2014 step by step<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#Step_1_Update_the_kernel\" title=\"Step 1: Update the kernel\">Step 1: Update the kernel<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#Step_2_Interim_mitigation_if_you_cannot_reboot_immediately\" title=\"Step 2: Interim mitigation (if you cannot reboot immediately)\">Step 2: Interim mitigation (if you cannot reboot immediately)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#Step_3_Combine_with_Copy_Fail_remediation\" title=\"Step 3: Combine with Copy Fail remediation\">Step 3: Combine with Copy Fail remediation<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#What_this_means_going_forward\" title=\"What this means going forward\">What this means going forward<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#Sources\" title=\"Sources\">Sources<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_Dirty_Frag\"><\/span>What is Dirty Frag?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Dirty Frag is the informal name for a chained exploit that combines two Linux kernel vulnerabilities: <strong>CVE-2026-43284<\/strong> and CVE-2026-43500. The first one is already patched; the second is still being rolled out to distributions as of this writing.<\/p>\n\n\n\n<p>The root cause of CVE-2026-43284 lies in how the Linux kernel handles network packet memory in the IPsec\/ESP path. When <code><strong>MSG_SPLICE_PAGES<\/strong><\/code> attaches pages from a pipe directly to a network buffer (skb), the IPv4\/IPv6 datagram paths failed to mark those pages as shared. <\/p>\n\n\n\n<p>This left an ESP-in-UDP packet made from shared pipe pages appearing to the kernel like an ordinary, privately-owned buffer \u2014 so ESP decryption would happen in-place directly over memory the skb does not own. An attacker who knows how to manipulate this behavior can achieve a controlled write into the kernel page cache and ultimately escalate to root. <\/p>\n\n\n\n<p>In plain terms: the kernel trusted memory it should not have trusted, and an attacker can use that misplaced trust to take over the entire machine.<\/p>\n\n\n\n<p>Unlike the previous DirtyPipe vulnerability, which relied on a narrow race condition in pipe buffer flag handling, Dirty Frag is a deterministic logic flaw. Researcher Hyunwoo Kim reports very high success rates and minimal kernel panic risk, with no timing window to lose. This makes it unusually reliable as exploits go. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_it_connects_to_Copy_Fail\"><\/span>How it connects to Copy Fail<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><a href=\"https:\/\/www.homehost.com.br\/blog\/seguranca-da-informacao\/copy-fail-cve-2026-31431-a-vulnerabilidade-mais-grave-da-historia-do-linux\/\">Copy Fail (CVE-2026-31431)<\/a>, disclosed on April 29, exploited a logic bug in the Linux kernel&#8217;s cryptographic subsystem \u2014 specifically a flaw in the <code>authencesn<\/code> AEAD template that allowed a controlled 4-byte write into the kernel page cache. A 732-byte Python script was enough to gain root on every major Linux distribution built since 2017.<\/p>\n\n\n\n<p>Dirty Frag follows the same fundamental pattern \u2014 a page cache write primitive turned into a root escalation \u2014 but through a completely different code path. Both vulnerabilities turn long-lived in-place processing optimizations into deterministic root primitives: Copy Fail through userspace crypto, Dirty Frag through IPsec receive. <\/p>\n\n\n\n<p>The connection is not accidental. Researcher Hyunwoo Kim explicitly built on the bug class that Copy Fail introduced. Some in the security community have already started referring to CVE-2026-43284 as &#8220;Copy Fail 2.0.&#8221; What was presented as a rare kernel bug ten days ago is becoming a repeatable class of attack.<\/p>\n\n\n\n<p>An interesting factor of Dirty Frag is that chaining the two sub-vulnerabilities (CVE-2026-43284 and CVE-2026-43500) covers each other&#8217;s blind spots. Neither flaw alone provides a sufficiently reliable primitive for full root escalation. However, when combined, the chained exploit achieves immediate root on most distributions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Who_is_affected\"><\/span>Who is affected?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Every server running a mainstream Linux kernel built from roughly 2017 onwards is affected. Every supported AlmaLinux release is affected. CVE-2026-43284 affects AlmaLinux 8, 9, and 10 through the <code>esp4<\/code>\/<code>esp6<\/code> modules, which are part of the standard kernel package on every release. <\/p>\n\n\n\n<p>The full list of affected distributions includes Red Hat Enterprise Linux, AlmaLinux, Debian, Ubuntu, Fedora, Arch Linux, CentOS, CloudLinux, and Amazon Linux.<\/p>\n\n\n\n<p>For web hosting environments specifically, the threat vector is the same as Copy Fail: the attacker does not need to break in remotely. The danger is that once an attacker gets in \u2014 through a vulnerable WordPress plugin, a web shell, weak SSH credentials, or a compromised container \u2014 Dirty Frag lets them immediately escalate to root and then disable security tools, read credentials, tamper with logs, move laterally, or persist on the server. <\/p>\n\n\n\n<p>On shared hosting servers, a single compromised account could become a full server compromise.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_fix_%E2%80%94_step_by_step\"><\/span>The fix \u2014 step by step<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_1_Update_the_kernel\"><\/span>Step 1: Update the kernel<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Patched kernels are now available in production repositories as of May 8, 2026. This is the only real fix.<\/p>\n\n\n\n<p><strong>For AlmaLinux, CloudLinux, Rocky Linux, CentOS Stream, RHEL:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dnf clean metadata &amp;&amp; sudo dnf upgrade\nsudo reboot<\/code><\/pre>\n\n\n\n<p><strong>For Debian \/ Ubuntu:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt update &amp;&amp; sudo apt upgrade\nsudo reboot<\/code><\/pre>\n\n\n\n<p><strong>For CloudLinux with KernelCare (no reboot required):<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kcarectl --update<\/code><\/pre>\n\n\n\n<p>After rebooting, confirm you are running the patched kernel:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>uname -r<\/code><\/pre>\n\n\n\n<p>Compare the output against the patched version in your distribution&#8217;s security advisory before considering the server protected.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_2_Interim_mitigation_if_you_cannot_reboot_immediately\"><\/span>Step 2: Interim mitigation (if you cannot reboot immediately)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If a reboot is not immediately possible, you can block the vulnerable modules from loading. The Dirty Frag technical writeup offers a mitigation that removes the modules containing the vulnerabilities and clears the page cache: <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>printf 'install esp4 \/bin\/false\\ninstall esp6 \/bin\/false\\ninstall rxrpc \/bin\/false\\n' \\\n  &gt; \/etc\/modprobe.d\/dirtyfrag.conf\nrmmod esp4 esp6 rxrpc <strong>2<\/strong>&gt;\/dev\/null\necho 3 &gt; \/proc\/sys\/vm\/drop_caches<\/code><\/pre>\n\n\n\n<p><strong>Important before applying this:<\/strong> verify that your server does not use IPsec VPN tunnels, site-to-site encrypted networking, or Kubernetes network policies that depend on <code>esp4<\/code> or <code>esp6<\/code>. Disabling these modules on a server with active IPsec will break those connections. If in doubt, apply the kernel update instead.<\/p>\n\n\n\n<p>After the patched kernel is installed and the server is rebooted, revert the mitigation by removing the <code><strong>\/etc\/modprobe.d\/dirtyfrag.conf<\/strong><\/code> file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_3_Combine_with_Copy_Fail_remediation\"><\/span>Step 3: Combine with Copy Fail remediation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If you have not yet addressed Copy Fail (CVE-2026-31431), treat both vulnerabilities as a combined remediation effort, given their similarity and overlapping mitigation steps. A single kernel update and reboot covers both. Check that your running kernel is patched for both CVE-2026-31431 and CVE-2026-43284 before considering the server clean. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_this_means_going_forward\"><\/span>What this means going forward<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Two universal Linux kernel privilege escalation vulnerabilities in eight days is not normal. Dirty Frag is the second in this period, following Copy Fail. With a working public proof-of-concept released ahead of patches and exploitation reduced to a handful of standard syscalls, defenders should assume any local foothold on an unpatched host can become root within seconds. <\/p>\n\n\n\n<p>The disclosure of Dirty Frag also went badly: an unrelated third party leaked the exploit details before distributions had finished packaging patches, forcing a premature public disclosure while CVE-2026-43500 was still unpatched. This is the same pattern that made Copy Fail so dangerous in its first hours.<\/p>\n\n\n\n<p>The practical lesson is that the time between a vulnerability being known to attackers and being exploited in the wild is now measured in hours, not days. Kernel updates must be treated with the same urgency as application security patches \u2014 applied as soon as they are available, not during the next scheduled maintenance window.<\/p>\n\n\n\n<p>For any server running web hosting workloads: patch today, reboot, verify. Then set up alerting so the next time this happens, you know within the hour.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Sources\"><\/span>Sources<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Help Net Security: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/08\/dirty-frag-linux-vulnerability-cve-2026-43284-cve-2026-43500\/\">https:\/\/www.helpnetsecurity.com\/2026\/05\/08\/dirty-frag-linux-vulnerability-cve-2026-43284-cve-2026-43500\/<\/a> <\/p>\n\n\n\n<p>AlmaLinux security advisory: <a href=\"https:\/\/almalinux.org\/blog\/2026-05-07-dirty-frag\/\">https:\/\/almalinux.org\/blog\/2026-05-07-dirty-frag\/<\/a> <\/p>\n\n\n\n<p>Tenable Research FAQ: <a href=\"https:\/\/www.tenable.com\/blog\/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe\">https:\/\/www.tenable.com\/blog\/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe<\/a> <\/p>\n\n\n\n<p>Sysdig detection guide: <a href=\"https:\/\/www.sysdig.com\/blog\/dirty-frag-cve-2026-43284-and-cve-2026-43500-detecting-unpatched-local-privilege-escalation-via-linux-kernel-esp-and-rxrpc\">https:\/\/www.sysdig.com\/blog\/dirty-frag-cve-2026-43284-and-cve-2026-43500-detecting-unpatched-local-privilege-escalation-via-linux-kernel-esp-and-rxrpc<\/a> <\/p>\n\n\n\n<p>SUSE CVE entry: <a href=\"https:\/\/www.suse.com\/security\/cve\/CVE-2026-43284.html\">https:\/\/www.suse.com\/security\/cve\/CVE-2026-43284.html<\/a> <\/p>\n\n\n\n<p>Ubuntu CVE page: <a href=\"https:\/\/ubuntu.com\/security\/CVE-2026-43284\">https:\/\/ubuntu.com\/security\/CVE-2026-43284<\/a> <\/p>\n\n\n\n<p>Ubuntu blog (fixes available): <a href=\"https:\/\/ubuntu.com\/blog\/dirty-frag-linux-vulnerability-fixes-available\">https:\/\/ubuntu.com\/blog\/dirty-frag-linux-vulnerability-fixes-available<\/a> <\/p>\n\n\n\n<p>CloudLinux blog (Dirty Frag): <a href=\"https:\/\/blog.cloudlinux.com\/dirty-frag-mitigation-and-kernel-update\">https:\/\/blog.cloudlinux.com\/dirty-frag-mitigation-and-kernel-update<\/a> <\/p>\n\n\n\n<p>Knightli mitigation guide: <a href=\"https:\/\/www.knightli.com\/en\/2026\/05\/09\/dirty-frag-cve-2026-43284-linux-lpe-mitigation\/\">https:\/\/www.knightli.com\/en\/2026\/05\/09\/dirty-frag-cve-2026-43284-linux-lpe-mitigation\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Eight days after Copy Fail shook the Linux server world, another critical vulnerability has arrived \u2014 and this one also hands root access to anyone who can run code on your server. It is called &#8220;Dirty Frag&#8221;. It was publicly disclosed on May 7, 2026. A working exploit already exists. And if your server has [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4361,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63],"tags":[],"class_list":["post-4360","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>&quot;Dirty Frag&quot; (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now - Copahost<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"&quot;Dirty Frag&quot; (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now - Copahost\" \/>\n<meta property=\"og:description\" content=\"Eight days after Copy Fail shook the Linux server world, another critical vulnerability has arrived \u2014 and this one also hands root access to anyone who can run code on your server. It is called &#8220;Dirty Frag&#8221;. It was publicly disclosed on May 7, 2026. A working exploit already exists. And if your server has [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/\" \/>\n<meta property=\"og:site_name\" content=\"Copahost\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-09T12:20:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-09T12:20:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/5d4732c7-b95e-4aed-ad5a-dc6fb11a1cbe.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Gustavo Gallas\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Gustavo Gallas\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/\"},\"author\":{\"name\":\"Gustavo Gallas\",\"@id\":\"https:\/\/www.copahost.com\/blog\/#\/schema\/person\/386b3f1f79299d43f4ceb33d26428246\"},\"headline\":\"&#8220;Dirty Frag&#8221; (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now\",\"datePublished\":\"2026-05-09T12:20:28+00:00\",\"dateModified\":\"2026-05-09T12:20:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/\"},\"wordCount\":1178,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/5d4732c7-b95e-4aed-ad5a-dc6fb11a1cbe.png\",\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/\",\"url\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/\",\"name\":\"\\\"Dirty Frag\\\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now - Copahost\",\"isPartOf\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/5d4732c7-b95e-4aed-ad5a-dc6fb11a1cbe.png\",\"datePublished\":\"2026-05-09T12:20:28+00:00\",\"dateModified\":\"2026-05-09T12:20:33+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#primaryimage\",\"url\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/5d4732c7-b95e-4aed-ad5a-dc6fb11a1cbe.png\",\"contentUrl\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/5d4732c7-b95e-4aed-ad5a-dc6fb11a1cbe.png\",\"width\":1536,\"height\":1024,\"caption\":\"\\\"Dirty Frag\\\" (CVE-2026-43284)\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.copahost.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"&#8220;Dirty Frag&#8221; (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.copahost.com\/blog\/#website\",\"url\":\"https:\/\/www.copahost.com\/blog\/\",\"name\":\"Copahost\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.copahost.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.copahost.com\/blog\/#organization\",\"name\":\"Copahost\",\"url\":\"https:\/\/www.copahost.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.copahost.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2016\/03\/copahostlogo.png\",\"contentUrl\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2016\/03\/copahostlogo.png\",\"width\":223,\"height\":40,\"caption\":\"Copahost\"},\"image\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.copahost.com\/blog\/#\/schema\/person\/386b3f1f79299d43f4ceb33d26428246\",\"name\":\"Gustavo Gallas\",\"description\":\"Graduated in Computing at PUC-Rio, Brazil. Specialized in IT, networking, systems administration and human and organizational development\u200b. Also have brewing skills.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/gustavo-gallas-107926196\/\"],\"url\":\"https:\/\/www.copahost.com\/blog\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\"Dirty Frag\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now - Copahost","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/","og_locale":"en_US","og_type":"article","og_title":"\"Dirty Frag\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now - Copahost","og_description":"Eight days after Copy Fail shook the Linux server world, another critical vulnerability has arrived \u2014 and this one also hands root access to anyone who can run code on your server. It is called &#8220;Dirty Frag&#8221;. It was publicly disclosed on May 7, 2026. A working exploit already exists. And if your server has [&hellip;]","og_url":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/","og_site_name":"Copahost","article_published_time":"2026-05-09T12:20:28+00:00","article_modified_time":"2026-05-09T12:20:33+00:00","og_image":[{"width":1536,"height":1024,"url":"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/5d4732c7-b95e-4aed-ad5a-dc6fb11a1cbe.png","type":"image\/png"}],"author":"Gustavo Gallas","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Gustavo Gallas","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#article","isPartOf":{"@id":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/"},"author":{"name":"Gustavo Gallas","@id":"https:\/\/www.copahost.com\/blog\/#\/schema\/person\/386b3f1f79299d43f4ceb33d26428246"},"headline":"&#8220;Dirty Frag&#8221; (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now","datePublished":"2026-05-09T12:20:28+00:00","dateModified":"2026-05-09T12:20:33+00:00","mainEntityOfPage":{"@id":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/"},"wordCount":1178,"commentCount":0,"publisher":{"@id":"https:\/\/www.copahost.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#primaryimage"},"thumbnailUrl":"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/5d4732c7-b95e-4aed-ad5a-dc6fb11a1cbe.png","articleSection":["Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/","url":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/","name":"\"Dirty Frag\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now - Copahost","isPartOf":{"@id":"https:\/\/www.copahost.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#primaryimage"},"image":{"@id":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#primaryimage"},"thumbnailUrl":"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/5d4732c7-b95e-4aed-ad5a-dc6fb11a1cbe.png","datePublished":"2026-05-09T12:20:28+00:00","dateModified":"2026-05-09T12:20:33+00:00","breadcrumb":{"@id":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#primaryimage","url":"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/5d4732c7-b95e-4aed-ad5a-dc6fb11a1cbe.png","contentUrl":"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/5d4732c7-b95e-4aed-ad5a-dc6fb11a1cbe.png","width":1536,"height":1024,"caption":"\"Dirty Frag\" (CVE-2026-43284)"},{"@type":"BreadcrumbList","@id":"https:\/\/www.copahost.com\/blog\/dirty-frag-cve-2026-43284\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.copahost.com\/blog\/"},{"@type":"ListItem","position":2,"name":"&#8220;Dirty Frag&#8221; (CVE-2026-43284): The Second Linux Root Exploit in Eight Days \u2014 Patch Your Server Now"}]},{"@type":"WebSite","@id":"https:\/\/www.copahost.com\/blog\/#website","url":"https:\/\/www.copahost.com\/blog\/","name":"Copahost","description":"","publisher":{"@id":"https:\/\/www.copahost.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.copahost.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.copahost.com\/blog\/#organization","name":"Copahost","url":"https:\/\/www.copahost.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.copahost.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2016\/03\/copahostlogo.png","contentUrl":"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2016\/03\/copahostlogo.png","width":223,"height":40,"caption":"Copahost"},"image":{"@id":"https:\/\/www.copahost.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.copahost.com\/blog\/#\/schema\/person\/386b3f1f79299d43f4ceb33d26428246","name":"Gustavo Gallas","description":"Graduated in Computing at PUC-Rio, Brazil. Specialized in IT, networking, systems administration and human and organizational development\u200b. Also have brewing skills.","sameAs":["https:\/\/www.linkedin.com\/in\/gustavo-gallas-107926196\/"],"url":"https:\/\/www.copahost.com\/blog\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/posts\/4360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/comments?post=4360"}],"version-history":[{"count":1,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/posts\/4360\/revisions"}],"predecessor-version":[{"id":4362,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/posts\/4360\/revisions\/4362"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/media\/4361"}],"wp:attachment":[{"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/media?parent=4360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/categories?post=4360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/tags?post=4360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}