VSA-2026-014: Linux Kernel XFRM/RXRPC Local Privilege Escalation (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300)
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-05-15 | 2026-05-15 | 🟠 Moderate | 7.8 | XCP-ng, XOA |
Three Linux kernel vulnerabilities and their associated CVEs (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) have been disclosed, along with exploits leveraging them. For Vates products, we classify the impact as Moderate: XCP-ng and XOA are affected. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
All three vulnerabilities are Local Privilege Escalation:
- CVE-2026-43284 is in the kernel's XFRM-ESP module.
- CVE-2026-43500 is in the kernel's RXRPC module.
- CVE-2026-46300 is in the kernel's XFRM ESP-in-TCP subsystem.
Several exploits leverage them:
- "Dirty Frag" is an exploit that leverages both CVE-2026-43284 and CVE-2026-43500.
- "Copy Fail 2: Electric Boogaloo" leverages CVE-2026-43284.
- "Fragnesia" leverages CVE-2026-46300.
- "DIRTYFAIL" is a unified detector and PoC harness covering CVE-2026-43284 and CVE-2026-43500.
Impact
An unprivileged local user can escalate privileges to root:
- This is limited in XCP-ng, as very few processes run as users other than root.
- In XOA the impact could be greater, as there are network-reachable services running as unprivileged users.
Affected Versions
- XCP-ng is impacted by CVE-2026-43284 and CVE-2026-46300, but not by CVE-2026-43500, as it has no RXRPC support at all.
- XOA running a kernel up to 6.1.170-2 is vulnerable to CVE-2026-43284 and CVE-2026-46300, but not to CVE-2026-43500, as AF_RXRPC sockets are blocked for unprivileged users.
Mitigation
It is possible to blacklist the modules in which the vulnerabilities occur; this applies to both XCP-ng and XOA:
- esp4
- esp6
- Blacklisting the ESP modules in XCP-ng disables IPsec ESP support in the Linux kernel. This will break any encrypted private networks configured in XCP-ng. Only apply this mitigation if your environment does not use IPsec-based networking, or if you accept the disruption to encrypted network connectivity.
Resolution
As of 2026-05-15:
- XCP-ng: A complete fix is in progress.
- XOA:
- CVE-2026-43284 and CVE-2026-43500 are fixed in Debian's kernel version 6.1.170-3. XOA's unattended update mechanism should already have automatically updated the kernel of XOA VMs to a fixed one.
- CVE-2026-43284 and CVE-2026-43500 are fixed in Debian's kernel version
For the XOA update to take effect, the XOA VM needs to be restarted.
Users who have been running their XOA instance for a long time might be on an older Debian release: the unattended update mechanism keeps the base version and does not upgrade the base operating system. Only Debian 11 and 12 receive updates; users on older releases will need to upgrade their XOA VM.
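As an added example (not the advisory's own tooling), the following POSIX sh helpers cover the Affected Versions, Mitigation and Resolution steps above: a Debian-style version comparison against the fixed kernel 6.1.170-3, a filter over lsmod output for the esp4/esp6/rxrpc modules, and the modprobe blacklist content for the ESP modules. The dpkg-query invocation, the modprobe.d path and the `install <mod> /bin/false` line are assumptions about a Debian-based XOA VM, not something the advisory states.

```shell
#!/bin/sh
# Added helper for this advisory (not Vates' own tooling). Module names
# esp4/esp6/rxrpc and the fixed Debian version come from the advisory; the
# dpkg-query call, the modprobe.d path and the "install <mod> /bin/false"
# line are assumptions about a Debian-based XOA VM.
FIXED="6.1.170-3"   # Debian kernel version fixing CVE-2026-43284/-43500
# Return 0 when Debian-style version $1 >= $2 (e.g. 6.1.170-2 vs 6.1.170-3).
# Numeric fields are compared left to right; a missing field counts as 0.
version_ge() {
    have=$(printf '%s' "$1" | tr '.-' '  ')
    want=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $have
    for w in $want; do
        h=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}
# Filter lsmod output (stdin) down to the modules this advisory concerns.
loaded_risky_modules() {
    awk 'NR > 1 && ($1 == "esp4" || $1 == "esp6" || $1 == "rxrpc") { print $1 }'
}
# modprobe.d content for the ESP blacklist in the Mitigation section.
# "blacklist" only stops alias autoload; "install <mod> /bin/false" also
# defeats an explicit modprobe. As the advisory warns, this breaks IPsec ESP.
blacklist_conf() {
    for m in esp4 esp6; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}
# Usage: sh xoa_check.sh check   or: sh xoa_check.sh blacklist > /etc/modprobe.d/xfrm-esp.conf
main() {
    pkg="linux-image-$(uname -r)"
    have=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null || echo 0)
    if version_ge "$have" "$FIXED"; then
        echo "$pkg $have: fixed package installed; restart the VM if not done since the update"
    else
        echo "$pkg $have: not found or older than $FIXED, still vulnerable"
    fi
    loaded=$(lsmod | loaded_risky_modules | tr '\n' ' ')
    if [ -n "$loaded" ]; then echo "loaded modules of concern: $loaded"; fi
}
case "${1:-}" in
    check) main ;;
    blacklist) blacklist_conf ;;
esac
```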
Credits
- CVE-2026-43284 and CVE-2026-43500 (Dirty Frag) were reported by V4bel.
- CVE-2026-46300 (Fragnesia) was discovered by William Bowling and the V12 team.
References
- CVE-2026-43284
- CVE-2026-43284 Upstream kernel fix - commit f4c50a4034e6
- CVE-2026-43284 - Debian security tracker
- CVE-2026-43500
- CVE-2026-43500 Upstream kernel fix - commit aa54b1d27fe0
- CVE-2026-43500 - Debian security tracker
- Dirty Frag - original write-up
- Copy Fail 2: Electric Boogaloo - PoC
- CVE-2026-46300
- CVE-2026-46300 Upstream kernel fix
- CVE-2026-46300 - Debian security tracker
- Fragnesia - PoC
- DIRTYFAIL - unified detector and PoC for CVE-2026-43284 and CVE-2026-43500