Cve 2026 43284 Dirty Frag

Deep audit and detection of the Dirty Frag (CVE-2026-43284/43500) Linux privilege escalation exploit chain.

Install
cmdop skills install agensi-cve-2026-43284-dirty-frag

This skill audits Linux systems and containers for the Dirty Frag exploit chain, which covers CVE-2026-43284 and CVE-2026-43500. Both CVEs relate to local privilege escalation via IPsec ESP or RxRPC in-place decryption fast paths in the Linux kernel. The audit is read-only and performs 11 distinct checks against the live system state rather than relying solely on kernel version matching.

The checks inspect kernel build configurations (including whether vulnerable code such as CONFIG_INET_ESP is compiled directly into the kernel rather than as a loadable module), module blacklists in modprobe.d, socket accessibility for unprivileged users, and active LSM profiles under AppArmor or SELinux. A critical distinction from simple version-based scanners is that the skill detects cases where blacklisting a module has no effect because the code is built-in — a condition that version checks miss entirely.

The skill is container-aware: it detects when it is running inside a container or Kubernetes pod and targets the host kernel’s vulnerability state accordingly. Output includes a detailed report of vulnerable conditions, a JSON-compatible risk-level summary suitable for SIEM ingestion, and exit codes usable for CI/CD pipeline gating. It also generates environment-specific remediation guidance, covering module blacklisting steps where applicable and kernel update instructions where blacklisting is insufficient. No environment variables are required to invoke it.

Use cases

  • Audit a bare-metal Linux host for Dirty Frag kernel privilege escalation exposure
  • Check containerized workloads or Kubernetes pods for host kernel vulnerability to CVE-2026-43284
  • Gate CI/CD pipelines by consuming the skill's exit codes and JSON output in automated checks
  • Feed JSON risk summaries into a SIEM for fleet-wide CVE-2026-43500 tracking
  • Identify whether kernel build configuration (CONFIG_INET_ESP=y) makes module blacklisting ineffective
  • Generate environment-specific remediation commands for patching or mitigating the Dirty Frag chain

When to use it

  • The target system is a Linux host or container and you need to determine Dirty Frag exposure beyond a simple version check
  • You need to verify whether module blacklisting has actually closed the attack surface or whether the module is built into the kernel
  • You are integrating vulnerability detection into a CI/CD pipeline and need machine-readable exit codes and JSON output
  • You are auditing Kubernetes workloads and need the skill to detect and target the underlying host kernel state

When not to use it

  • The target system is not Linux — the skill covers Linux kernel CVEs only
  • You need a broad CVE scanner covering multiple CVE families beyond CVE-2026-43284 and CVE-2026-43500
  • You require active exploitation testing or penetration-testing capabilities rather than read-only auditing
  • No individual sub-check tools are exposed, so agents needing granular programmatic tool invocation cannot call checks independently