[Security Advisory] CVE-2026-43284, CVE-2026-43500: “DirtyFrag” Linux kernel local privilege escalation — mitigation required

Two Linux kernel vulnerabilities (CVE-2026-43284, CVE-2026-43500), collectively known as “DirtyFrag”, were publicly disclosed on May 7, 2026. Both allow a local unprivileged user to escalate to root with no special privileges required.

The vulnerabilities are triggered through two specific kernel modules:

  • esp4 / esp6 — used by IPsec (ESP) tunnels,

  • rxrpc — used by AFS/Kerberos-based storage environments.

Nebius Compute instances and Managed Kubernetes nodes running these modules are potentially affected. No evidence of exploitation against Nebius infrastructure has been found at this time. We are actively working on a permanent solution and will update this advisory when it is available. In the meantime, we strongly recommend applying the mitigations below for your environment.

Compute instances

The vulnerable modules can be disabled directly by executing the following command:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
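To confirm the mitigation took effect on an instance, a check along these lines can be used. This is an added example, not part of the original advisory; the function names are hypothetical, and it assumes the kernel's modules.builtin file is present so that modules compiled into the kernel (which an install override cannot disable) can be flagged.

```shell
#!/bin/sh
# Added example: verify the DirtyFrag module mitigation on one host.
# File paths are optional arguments (defaults: the live system) so the
# check can also be run against copies collected from another machine.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# 0 if module $1 is listed as loaded in /proc/modules (or file $2)
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}" 2>/dev/null
}

# 0 if any *.conf in /etc/modprobe.d (or dir $2) overrides loading of $1
# with "install $1 /bin/false" (or /bin/true)
module_blocked() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)([[:space:]]|\$)"
}

# 0 if $1 is compiled into the kernel; modprobe.d overrides cannot
# disable built-in code (assumption: modules.builtin is present)
module_builtin() {
    grep -q "/$1\.ko\$" "${2:-/lib/modules/$(uname -r)/modules.builtin}" 2>/dev/null
}

# check_dirtyfrag [PROC_MODULES] [MODPROBE_DIR] [MODULES_BUILTIN]
# Prints one line per module; returns 0 only if all three are mitigated.
check_dirtyfrag() {
    rc=0
    for m in $DIRTYFRAG_MODULES; do
        if module_builtin "$m" "$3"; then
            echo "FAIL $m: built into the kernel, install override has no effect"; rc=1
        elif module_loaded "$m" "$1"; then
            echo "FAIL $m: still loaded (rmmod failed or module in use)"; rc=1
        elif ! module_blocked "$m" "$2"; then
            echo "FAIL $m: unloaded, but nothing prevents it loading again"; rc=1
        else
            echo "OK   $m: unloaded and blocked"
        fi
    done
    return "$rc"
}
```

Call check_dirtyfrag with no arguments on the instance after running the mitigation command; a non-zero return means at least one module is still loaded or can be loaded again.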

Managed Kubernetes

To disable the vulnerable modules on your Managed Kubernetes nodes, apply this DaemonSet.

  1. Create dirty-frag-mitigation.yaml with the following content:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: dirty-frag-mitigation
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: dirty-frag-mitigation
  template:
    metadata:
      labels:
        app: dirty-frag-mitigation
    spec:
      hostPID: true
      tolerations:
        - operator: Exists
      initContainers:
        - name: mitigate
          image: cr.eu-north1.nebius.cloud/soperator/busybox:latest
          securityContext:
            privileged: true
          command:
            - /bin/sh
            - -ec
            - |
              printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /host/etc/modprobe.d/dirtyfrag.conf
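              # Unload only the modules that are currently loaded: rmmod exits
              # non-zero for a module that is absent, which would fail this
              # init container on nodes that never loaded all three.
              for m in esp4 esp6 rxrpc; do
                if grep -q "^$m " /proc/modules; then rmmod "$m" || exit 1; fi
              done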
              echo 3 > /proc/sys/vm/drop_caches
              echo "Mitigation applied"
          volumeMounts:
            - name: host-etc-modprobe
              mountPath: /host/etc/modprobe.d
      containers:
        - name: pause
          image: cr.eu-north1.nebius.cloud/soperator/busybox:latest
          command:
            - /bin/sh
            - -ec
            - sleep infinity
      volumes:
        - name: host-etc-modprobe
          hostPath:
            path: /etc/modprobe.d
            type: DirectoryOrCreate
  2. Apply the DaemonSet:
kubectl apply -f dirty-frag-mitigation.yaml
  3. Verify the fix was applied:
kubectl -n kube-system rollout status ds/dirty-frag-mitigation
kubectl -n kube-system logs ds/dirty-frag-mitigation -c mitigate
