Notice of Linux Kernel Privilege Escalation Vulnerabilities (CVE-2026-43284 and CVE-2026-43500)
Two high-risk local privilege escalation (LPE) vulnerabilities in the Linux kernel were recently disclosed. Following the recent Copy Fail vulnerability (CVE-2026-31431), the two vulnerabilities, named Dirty Frag, represent another logic flaw that exploits a kernel page cache write primitive to achieve privilege escalation. The vulnerabilities can cause container escape and privilege escalation. The details are as follows:
- CVE-2026-43284 (xfrm/ESP path): An attacker uses the splice() system call to place a page cache page, on which the attacker has only read permission, into the frag slot of a network data packet (skb). When the kernel performs IPsec (ESP) encryption or decryption on the network receiver, it modifies the memory page pointed to by the frag in place. The kernel does not verify whether the caller has write permission on the page. As a result, attackers can tamper with read-only files (such as /etc/passwd or SUID binary files) in the page cache without authorization and thereby achieve privilege escalation.
- CVE-2026-43500 (RxRPC path): The principle is similar to that of the vulnerability above. The difference is that it exploits a logic flaw in the RxRPC network protocol component when processing shared page fragments. This bug expands the vulnerability's coverage across different Linux distributions.
Description
| Type | CVE-ID | Severity | Discovered |
|---|---|---|---|
| Privilege escalation | CVE-2026-43284 | Critical | 2026-05-08 |
| Privilege escalation | CVE-2026-43500 | Critical | 2026-05-08 |
Impact
According to the disclosure, OS images with the following kernel versions are affected:
- CVE-2026-43284: This vulnerability was introduced in kernel 4.11. If the kernel version is earlier than 4.11, the system is not affected.
- CVE-2026-43500: This vulnerability was introduced in kernel 6.5. If the kernel version is earlier than 6.5, the system is not affected.
Identification Method
- Currently, the kernel version of the images used by Huawei Cloud CCE is earlier than 6.5 and is not affected by CVE-2026-43500.
- Nodes that run CentOS 7.6, with a kernel version earlier than 3.15, are not affected by this vulnerability.
- If EulerOS 2.9, Huawei Cloud EulerOS 2.0 or EulerOS 2.10 is used, you can run the following command to check the kernel version:
uname -a

If the kernel version is 4.11 or later, the system is affected by CVE-2026-43284.
Vulnerability Mitigation Solutions
- Solution 1: Disabling the Kernel Module. For Huawei Cloud EulerOS 2.0, EulerOS 2.9, and EulerOS 2.10, take the following steps:
```
# Check whether the module is loaded.
# (1) esp4 and esp6 are used for kernel-mode cryptography acceleration, such as IPsec.
# Run the command below to check whether the modules are loaded.
# If the command output is not empty, use solution 2.
lsmod|grep esp
# Disable the related kernel module. No restart is required.
echo "install esp4 /bin/false" >> /etc/modprobe.d/disable-esp.conf
echo "install esp6 /bin/false" >> /etc/modprobe.d/disable-esp.conf
```
- Solution 2: Enable the default seccomp configuration in the container workload. For details, see Restrict a Container's Syscalls with seccomp.
The following is an example of the pod configuration (which may not take effect for privileged containers):
```
...
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
...
```
If a custom seccomp profile is used, disable unshare system calls in the configuration file.
```
...
"syscalls":[{"names":["unshare"],"action":"SCMP_ACT_ERRNO"}]
...
```
Select a solution based on service requirements and fully verify it in the test environment before implementation.
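The version check under Identification Method and the module check in Solution 1 can be combined into one node triage, shown here as an added example that is not Huawei Cloud's own code. The function names and sample inputs are constructed for illustration, and the version test only compares against the introducing versions stated in this notice, so it cannot recognise a fixed build.

```shell
# Added example, not Huawei Cloud code. Function names are hypothetical.
# kver_ge RELEASE MAJOR.MINOR: true when RELEASE (uname -r format) is at or
# above MAJOR.MINOR. Compared numerically, so 4.9 sorts below 4.11.
kver_ge() {
  kv_rel=${1%%-*}                       # drop the "-<build>" suffix
  kv_major=${kv_rel%%.*}
  kv_rest=${kv_rel#*.}
  kv_minor=${kv_rest%%.*}
  [ "$kv_major" -gt "${2%%.*}" ] ||
    { [ "$kv_major" -eq "${2%%.*}" ] && [ "$kv_minor" -ge "${2#*.}" ]; }
}

# affected_cves RELEASE: CVEs whose introducing version (per this notice) is met.
affected_cves() {
  ac_out=""
  kver_ge "$1" 4.11 && ac_out="CVE-2026-43284"
  kver_ge "$1" 6.5 && ac_out="$ac_out CVE-2026-43500"
  echo "$ac_out"
}

# esp_loaded LSMOD_TEXT: true when esp4 or esp6 is listed (exact name match).
esp_loaded() { printf '%s\n' "$1" | awk '$1 == "esp4" || $1 == "esp6" { f = 1 } END { exit !f }'; }

# esp_blocked CONF_TEXT: true only when both modules have the install override.
esp_blocked() {
  for eb_mod in esp4 esp6; do
    printf '%s\n' "$1" |
      grep -Eq "^[[:space:]]*install[[:space:]]+$eb_mod[[:space:]]+/bin/false" || return 1
  done
}

# triage RELEASE LSMOD_TEXT CONF_TEXT: one-line verdict for a node.
triage() {
  tr_cves=$(affected_cves "$1")
  [ -n "$tr_cves" ] || { echo "not-affected"; return 0; }
  if esp_loaded "$2"; then tr_esp="esp-loaded"       # notice: use Solution 2
  elif esp_blocked "$3"; then tr_esp="esp-blocked"   # Solution 1 in place
  else tr_esp="esp-not-blocked"
  fi
  echo "$tr_cves | $tr_esp"
}

# Constructed sample inputs, not captured from a real node.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   28672  0'
SAMPLE_CONF='install esp4 /bin/false
install esp6 /bin/false'
triage "5.10.0-60.18.0.50.x86_64" "$SAMPLE_LSMOD" "$SAMPLE_CONF"
```

On a node, feed it live data with `triage "$(uname -r)" "$(lsmod)" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"`. An `esp-loaded` result is reported even when the override file exists, because the install override only blocks future loads.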
Vulnerability Fixing Solution
For Huawei Cloud EulerOS 2.0, CCE and related teams will release new OS versions to fix the vulnerability. Please stay tuned for updates on OS Image Tag Release Notes.
EulerOS 2.9 and EulerOS 2.10 have reached EOS. Use Huawei Cloud EulerOS 2.0 instead.
Once an OS image with the vulnerability fixed is released, new clusters and nodes will have the vulnerability fixed by default. To fix the vulnerability on existing nodes, you can simply reset them. If the cluster version has reached EOS, you need to upgrade the version first.