This skill audits Linux systems and containers for the Dirty Frag exploit chain, which covers CVE-2026-43284 and CVE-2026-43500. Both CVEs relate to local privilege escalation via IPsec ESP or RxRPC in-place decryption fast paths in the Linux kernel. The audit is read-only and performs 11 distinct checks against the live system state rather than relying solely on kernel version matching.
The checks inspect kernel build configurations (including whether vulnerable code such as CONFIG_INET_ESP is compiled directly into the kernel rather than as a loadable module), module blacklists in modprobe.d, socket accessibility for unprivileged users, and active LSM profiles under AppArmor or SELinux. A critical distinction from simple version-based scanners is that the skill detects cases where blacklisting a module has no effect because the code is built-in — a condition that version checks miss entirely.
The skill is container-aware: it detects when it is running inside a container or Kubernetes pod and targets the host kernel’s vulnerability state accordingly. Output includes a detailed report of vulnerable conditions, a JSON-compatible risk-level summary suitable for SIEM ingestion, and exit codes usable for CI/CD pipeline gating. It also generates environment-specific remediation guidance, covering module blacklisting steps where applicable and kernel update instructions where blacklisting is insufficient. No environment variables are required to invoke it.