
#1 2026-05-10 17:09:47

GerBra
Forum Fellow
From: Bingen/Germany
Registered: 2007-05-10
Posts: 273

linux-hardened and CVE-2026-43284 (aka DirtyFrag)

linux-hardened 6.19.14.hardened1-2

I've tested the exploit from
https://github.com/V4bel/dirtyfrag
on some kernels. On the hardened kernel it leads directly to a kernel panic (screen).
So it's not "vulnerable", but:

I don't know if this is/should be the normal behavior.
With this piece of code a user could bring the whole system down (DoS?).

I myself have no experience with the hardened kernel, hence this question...


My avatar: "It's not just a toilet... a FERGUSON. The King of bowls. Sit down and give me your best shot." Al Bundy


#2 2026-05-10 17:19:58

5hridhyan
Member
Registered: 2025-12-25
Posts: 822

Re: linux-hardened and CVE-2026-43284 (aka DirtyFrag)

I believe the hardened kernel has a philosophy of "Crash loudly instead of being silently compromised",
though I guess that also means a potential DoS vector...

Last edited by 5hridhyan (2026-05-10 17:20:20)


#3 2026-05-10 18:38:43

GerBra
Forum Fellow
From: Bingen/Germany
Registered: 2007-05-10
Posts: 273

Re: linux-hardened and CVE-2026-43284 (aka DirtyFrag)

I also think that's just the normal behavior of the hardened kernel.

Although it wasn’t explicitly patched in any way, it was the only kernel in the official repositories that didn’t allow root access via the exploit at the time of testing.

And in a regulated multi-user environment, a user shouldn’t actually be allowed to compile code or run their own programs in directories with elevated privileges.




#4 2026-05-10 19:12:11

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,841

Re: linux-hardened and CVE-2026-43284 (aka DirtyFrag)

AFAIU esp* needs unprivileged_userns_clone; did you also test the rxrpc vulnerability?


#5 2026-05-10 19:39:59

GerBra
Forum Fellow
From: Bingen/Germany
Registered: 2007-05-10
Posts: 273

Re: linux-hardened and CVE-2026-43284 (aka DirtyFrag)

did you also test the rxrpc vulnerability?

Seems not affected and no panic reaction

$ uname -a
Linux client1 6.19.14-hardened1-2-hardened #1 SMP PREEMPT_DYNAMIC Fri, 01 May 2026 20:53:29 +0000 x86_64 GNU/Linux

$ python test_cve_2026_31431.py 
[*] CVE-2026-31431 detector  kernel=6.19.14-hardened1-2-hardened  arch=x86_64
[+] AF_ALG + 'authencesn(hmac(sha256),cbc(aes))' loadable - precondition met.
[+] Page cache intact. NOT vulnerable on this kernel.

//Edit: I've tested it again as root, same result...

Last edited by GerBra (2026-05-10 20:24:23)




#6 2026-05-10 22:08:41

GerBra
Forum Fellow
From: Bingen/Germany
Registered: 2007-05-10
Posts: 273

Re: linux-hardened and CVE-2026-43284 (aka DirtyFrag)

I've tested the DirtyFrag exploit again on linux-hardened, this time from an external terminal to the host and with --verbose output.
It may be of interest to someone, or just for the record... <g>

These are the last lines I got before the panic occurred:

$ ./exp --verbose 2>&1 | tee exp.log
[su] unshare: Operation not permitted
[su] corruption stage failed (status=0x100)

=== rxrpc/rxkad LPE EXPLOIT (uid=1000 → root) ===
[*] uid=1000 euid=1000 gid=1000
[+] rxrpc module autoloaded via dummy socket(AF_RXRPC)
[+] target /etc/passwd opened RO, size=1144, uid=0 gid=0 mode=0644
[+] mmap'd /etc/passwd page-cache at 0x625c6a521000 (PROT_READ|MAP_SHARED)
[+] /etc/passwd line 1 first 16 bytes:
72 6f 6f 74 3a 78 3a 30 3a 30 3a 3a 2f 72 6f 6f 
[*] /etc/passwd line 1 (root entry) BEFORE: 'root:x:0:0::/root:/usr/bin/bash$'
[+] Ca @ 4: 3a783a303a303a3a ":x:0:0::"
[+] Cb @ 6: 3a303a303a3a2f72 ":0:0::/r"
[+] Cc @ 8: 3a303a3a2f726f6f ":0::/roo"
[+] fcrypt selftest OK

=== STAGE 1a: search K_A (chars 4-5 := "::")  prob ~1.5e-5 ===
[+] K_A found after 158310 iters in 0.02s (6.85M/s) K=371f1dd70e0f7111  P=3a3a67d3bbc640de "::g...@."
[+] Cb_actual (after splice A) = 67d3bbc640de2f72

=== STAGE 1b: search K_B (chars 6-7 := "0:")  prob ~1.5e-5 ===
[+] K_B found after 97459 iters in 0.01s (6.82M/s) K=1c466aca16ad1d8a  P=303aebe54fe0d1f1 "0:..O..."
[+] Cc_actual (after splice B) = ebe54fe0d1f16f6f

=== STAGE 1c: search K_C (chars 8-15 := "0:GGGGGG:")  prob ~5.4e-8 ===
[+] K_C found after 7153529 iters in 1.03s (6.92M/s) K=21e76c7677a6b473  P=303a6459ae01e23a "0:dY...:"

[+] Predicted post-corruption /etc/passwd line 1:
    "root::0:0:dY...:/root:/bin/bash"

=== STAGE 2a: kernel trigger A @ off 4 (set chars 4-5 "::") ===
[+] plain UDP fake-server bound :7779
[+] AF_RXRPC client bound :7780



#7 2026-05-14 07:17:36

GerBra
Forum Fellow
From: Bingen/Germany
Registered: 2007-05-10
Posts: 273

Re: linux-hardened and CVE-2026-43284 (aka DirtyFrag)

Update with
extra/linux-hardened 7.0.6-hardened1-1-hardened

DirtyFrag: same kernel panic

With the newest exploit, aka "Fragnesia" (CVE-2026-46300), the current hardened kernel is not affected by the exploit code. With this vector (/bin/su manipulation in the page cache) the current version doesn't panic; it simply doesn't allow the exploit to work.
//Edit: All other current (at this time) Arch Linux kernels are vulnerable to Fragnesia, including mainline. Posted this on the German forum.

Last edited by GerBra (2026-05-14 12:28:04)




#8 2026-05-14 15:09:59

luscinius
Member
Registered: 2008-12-25
Posts: 18

Re: linux-hardened and CVE-2026-43284 (aka DirtyFrag)

Hi
I am an end user of Arch, not a developer. People here have much deeper knowledge of the kernel internals and are closer to the developers, but is it a good idea to contact someone at security@archlinux.org (or just open a bug on bugtracker since everything is public anyway)? Maybe a new release of linux/linux-lts having a file in /etc/modprobe.d blacklisting esp4, esp6 and rxrpc modules can be made? Also a news item saying these modules are disabled by default until there is a fix upstream, please enable at your own risk if you want to.


#9 2026-05-14 15:33:11

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,841

Re: linux-hardened and CVE-2026-43284 (aka DirtyFrag)

https://github.com/gregkh/linux/commit/ … 51f9d24411 is in the upcoming 7.0.7 and 7.0.6 is in core-testing atm.
esp* is at least used by some VPNs, the pending mainline patch seeks to address this in skbuff.c https://lore.kernel.org/netdev/20260513 … zellic.io/

Generally brace yourself for more of those coming, but also keep in mind that the recent bugs are local privilege escalations, i.e. the malicious actor first needs to run an unprivileged exploit on your system.
If one expects random strangers to do so (because the system exposes remote services) one should™ have a look at https://wiki.archlinux.org/title/Securi … le_loading and frankly the entire article.
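The checks and the remedy discussed in #4, #8 and #9, as an added example (not code from the thread, from Arch or from the exploit authors): a POSIX sh script that reports whether esp4, esp6 or rxrpc are currently loaded, whether linux-hardened's kernel.unprivileged_userns_clone sysctl (the precondition seth mentions for esp*) is 0, whether kernel.modules_disabled is set, and prints the /etc/modprobe.d drop-in luscinius proposes. The script name audit.sh, the choice of `install X /bin/false` over a plain `blacklist X` line, and the ability to point the checks at captured files instead of the live /proc are assumptions of this example.

```shell
#!/bin/sh
# audit.sh: added example, not code from the thread. Checks the preconditions the
# posts discuss and renders a modprobe.d drop-in. The module names esp4, esp6 and
# rxrpc come from the thread; "install X /bin/false" and the file layout are
# assumptions of this example.

RISKY_MODULES="esp4 esp6 rxrpc"

# loaded_risky [FILE]: print the RISKY_MODULES present in a /proc/modules style
# listing (module name is the first column). Exit 0 if none are loaded, 1 otherwise.
loaded_risky() {
    file="${1:-/proc/modules}"
    [ -r "$file" ] || file=/dev/null          # unreadable: treat as "none loaded"
    found=""
    for m in $RISKY_MODULES; do
        if awk -v m="$m" '$1 == m { hit = 1 } END { exit !hit }' "$file"; then
            found="$found $m"
        fi
    done
    echo "${found# }"
    [ -z "$found" ]
}

# sysctl_is FILE EXPECTED: true when the /proc/sys file holds exactly EXPECTED.
# A missing file (e.g. unprivileged_userns_clone on a non-hardened kernel) is
# false, so the caller reports it instead of silently passing.
sysctl_is() {
    [ -r "$1" ] && [ "$(cat "$1")" = "$2" ]
}

# blacklist_conf: emit the /etc/modprobe.d drop-in. "install X /bin/false" makes
# modprobe run /bin/false instead of loading X, so it also stops an explicit
# "modprobe X" and dependency loads; a plain "blacklist X" line only ignores the
# module's internal aliases (such as the net-pf-* alias behind socket(AF_RXRPC)).
blacklist_conf() {
    for m in $RISKY_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# audit [MODULES_FILE] [USERNS_FILE] [MODULES_DISABLED_FILE]: run all checks and
# return the number of findings (0 = nothing to do). The paths are parameters so
# the checks can run against captured files as well as the live /proc.
audit() {
    mods="${1:-/proc/modules}"
    userns="${2:-/proc/sys/kernel/unprivileged_userns_clone}"
    moddis="${3:-/proc/sys/kernel/modules_disabled}"
    findings=0
    loaded="$(loaded_risky "$mods")" || {
        echo "[!] attack-surface modules loaded: $loaded"
        findings=$((findings + 1))
    }
    if sysctl_is "$userns" 0; then
        echo "[+] kernel.unprivileged_userns_clone=0 (linux-hardened): esp* precondition not met"
    else
        echo "[!] unprivileged user namespaces available, or sysctl absent (not linux-hardened)"
        findings=$((findings + 1))
    fi
    if sysctl_is "$moddis" 1; then
        echo "[+] kernel.modules_disabled=1: no further module loading possible"
    else
        echo "[!] module loading still permitted; install the --conf output before relying on it"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use:  sh audit.sh          run the checks against this host
#                   sh audit.sh --conf   print the drop-in for /etc/modprobe.d/
case "${1:-}" in
    --conf) blacklist_conf ;;
    *) if audit; then echo "[+] no findings"; else echo "[!] findings: $?"; fi ;;
esac
```

Note that kernel.modules_disabled=1 is one-way until reboot and must be set only after every module the host legitimately needs (VPN, filesystems, drivers) is loaded; the drop-in is the gentler option for hosts that still need module autoload for other protocols.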

