Dirty Frag Linux Flaw Raises Post-Compromise Risk
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Dirty Frag refers to Linux local privilege escalation flaws tracked as CVE-2026-43284 and CVE-2026-43500 that allow a low-privileged user to obtain root access by abusing kernel networking and memory-fragment handling components, including esp4, esp6, and rxrpc. The exploit has been observed in real-world attacks where adversaries first gain an initial foothold through SSH access, web shells, container escapes, or compromised service accounts, then trigger the vulnerability with an ELF binary that invokes the su command. Once root privileges are obtained, attackers can disable security controls, alter logs, move laterally, and establish long-term persistence. The report describes a limited but active campaign using this technique.
Investigation
Microsoft Defender researchers observed a step-by-step intrusion chain in which an external actor first gained SSH access, opened an interactive shell, and staged an ELF binary named ./update. That binary immediately invoked su to escalate privileges, after which the attacker modified a GLPI LDAP authentication file, enumerated GLPI directories, deleted and read PHP session files, and exfiltrated session data. The activity aligned with Microsoft Defender alerts tied to suspicious SUID and SGID execution and potential Dirty Frag exploitation. The investigation remains ongoing as researchers continue to review new telemetry.
Mitigation
Security updates for CVE-2026-43284 were released on May 8, 2026, while a fix for CVE-2026-43500 was not yet available at the time of reporting. Recommended mitigations include disabling the vulnerable kernel modules rxrpc, esp4, and esp6 through modprobe configuration, reducing unnecessary local shell access, hardening containerized workloads, and clearing page caches after suspected exploitation attempts. Organizations should also prioritize kernel patch deployment and verify the integrity of critical files following any suspected compromise.
Response
Defenders should detect unusual use of the su command, loading of the esp4, esp6, or rxrpc modules, and execution of unknown ELF binaries in privileged contexts. Applying the latest kernel updates promptly remains critical. Additional controls should include least-privilege enforcement for local accounts, tighter SSH key management, and file integrity monitoring for sensitive files such as GLPI LDAP authentication configurations. If exploitation is suspected, teams should clear caches, unload the affected modules, and perform forensic analysis of both memory and filesystem artifacts.
Attack Flow

graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    %% Blue for action nodes
    classDef builtin fill:#cccccc
    %% Grey for tools, malware, vulnerabilities, files

    %% Node Definitions
    initial_access["<b>Action</b> – <b>T1078 Valid Accounts</b><br/><b>Description</b>: Use compromised SSH credentials to obtain an interactive shell on the Linux host."]
    class initial_access action
    execution_unix_shell["<b>Action</b> – <b>T1059.004 Unix Shell</b><br/><b>Description</b>: Execute a malicious ELF binary (./update) via the Unix shell."]
    class execution_unix_shell action
    priv_esc_exploit["<b>Action</b> – <b>T1068 Exploitation for Privilege Escalation</b><br/><b>Description</b>: Exploit the Dirty Frag kernel vulnerability (CVE-2026-43284 / CVE-2026-43500) to obtain root privileges."]
    class priv_esc_exploit action
    credential_harvest["<b>Action</b> – <b>T1552.001 Credentials In Files</b><br/><b>Description</b>: Modify the GLPI LDAP authentication file to harvest stored credentials."]
    class credential_harvest action
    defense_evasion["<b>Action</b> – <b>T1070.004 File Deletion</b><br/><b>Description</b>: Delete PHP session files to erase evidence and disrupt active sessions."]
    class defense_evasion action
    tool_ssh["<b>Tool</b> – <b>Name</b>: SSH<br/><b>Description</b>: Remote login protocol used with stolen credentials."]
    class tool_ssh builtin
    malware_update["<b>Malware</b> – <b>Name</b>: update (ELF binary)<br/><b>Description</b>: Malicious executable used to trigger privilege escalation."]
    class malware_update builtin
    vuln_dirtyfrag["<b>Vulnerability</b> – <b>Name</b>: Dirty Frag (CVE-2026-43284 / CVE-2026-43500)<br/><b>Description</b>: Kernel memory-corruption bug that allows local privilege escalation."]
    class vuln_dirtyfrag builtin
    file_glpi["<b>File</b> – <b>Name</b>: GLPI LDAP auth config<br/><b>Path</b>: /etc/glpi/ldap.conf"]
    class file_glpi builtin
    file_sessions["<b>File</b> – <b>Name</b>: PHP session files<br/><b>Location</b>: /var/lib/php/sessions/"]
    class file_sessions builtin

    %% Connections Showing Attack Flow
    initial_access -->|uses| tool_ssh
    tool_ssh -->|provides shell for| execution_unix_shell
    execution_unix_shell -->|executes| malware_update
    malware_update -->|exploits| vuln_dirtyfrag
    vuln_dirtyfrag -->|enables| priv_esc_exploit
    priv_esc_exploit -->|modifies| file_glpi
    file_glpi -->|enables| credential_harvest
    credential_harvest -->|leads to| defense_evasion
    defense_evasion -->|deletes| file_sessions
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (T1548) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:

- Preparation – drop the malicious ELF:
  The attacker, operating with a low-privilege account, creates a crafted ELF binary named update that exploits the Dirty Frag vulnerability. In the lab we simulate this with a simple "hello world" ELF.

  cat <<'EOF' > update.c
  #include <stdio.h>
  int main() { printf("Malicious update executed\n"); return 0; }
  EOF
  gcc -o update update.c
  chmod +x update

- Execution of the vulnerable binary:
  The attacker runs the ELF from the current directory, generating an execve event for ./update.

  ./update

- Privilege escalation – invoke su after the ELF:
  Immediately after the malicious ELF finishes, the attacker runs su to obtain a root shell, relying on the system's misconfiguration that allows password-less escalation (typical in vulnerable lab setups).

  su -c "id"

  The command line su -c "id" does not itself contain the literal ./update; the ELF only ran earlier in the same session, whereas the detection rule checks for proc.cmdline|contains: './update' within the su process itself. To satisfy the rule, we embed the path in the su command line:

  su -c "./update && id"

  This concatenates the malicious ELF execution and the privilege-escalation request in a single su invocation, producing the exact telemetry the rule expects.
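To show how the Response section's guidance (unusual su, loading of esp4/esp6/rxrpc, unknown ELF binaries in privileged contexts) and the simulation's rule (su whose command line contains './update') translate into detection logic, here is an added Python example that is not part of the original report or of any vendor's rule. It runs over constructed JSON-lines process telemetry whose field names (kind, session, proc_name, cmdline, module) are assumptions, and it generalises the './update' literal to any relative-path binary.

```python
import json
import re

# Kernel modules the advisory recommends disabling; loading one is worth an alert.
VULNERABLE_MODULES = {"esp4", "esp6", "rxrpc"}
# A binary launched from a relative path (./update in the report). The quote or
# whitespace boundary lets it match inside su -c "..." as well as at line start.
RELATIVE_EXEC = re.compile(r"""(^|[\s"'])\./\S+""")


def analyze(lines):
    """Return (rule, session, detail) alerts for JSON-lines process telemetry.
    Field names (kind, session, proc_name, cmdline, module) are assumptions."""
    alerts = []
    last_relative_elf = {}  # session -> cmdline of the last relative-path execve
    for line in lines:
        ev = json.loads(line)
        if ev["kind"] == "module_load":
            if ev["module"] in VULNERABLE_MODULES:
                alerts.append(("vulnerable_module_load", ev.get("session"), ev["module"]))
            continue
        if ev["kind"] != "execve":
            continue
        sess, cmd = ev["session"], ev["cmdline"]
        if ev["proc_name"] == "su":
            if RELATIVE_EXEC.search(cmd):
                # The simulation's rule, generalised from './update' to any ./path.
                alerts.append(("su_with_relative_elf", sess, cmd))
            elif sess in last_relative_elf:
                # Response-section heuristic: su after an unknown ELF ran in the
                # same session (no time window is applied in this example).
                alerts.append(("su_after_unknown_elf", sess, last_relative_elf[sess]))
        elif RELATIVE_EXEC.match(cmd):
            last_relative_elf[sess] = cmd
    return alerts


# Constructed sample telemetry mirroring the reported chain; not real logs.
SAMPLE = [
    '{"kind":"execve","session":"s1","proc_name":"bash","cmdline":"bash -i"}',
    '{"kind":"execve","session":"s1","proc_name":"update","cmdline":"./update"}',
    '{"kind":"execve","session":"s1","proc_name":"su","cmdline":"su -c id"}',
    '{"kind":"module_load","session":"s1","module":"rxrpc"}',
    '{"kind":"execve","session":"s2","proc_name":"su","cmdline":"su -c \\"./update && id\\""}',
    '{"kind":"execve","session":"s3","proc_name":"su","cmdline":"su - postgres"}',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

The session-based heuristic is deliberately coarse; in production it would be bounded by a time window and an allowlist of known binaries so that routine su use (the s3 event above) stays quiet.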
Regression Test Script:
#!/usr/bin/env bash
# ------------------------------------------------------------
# Simulates Dirty Frag / Copy Fail privilege escalation chain
# ------------------------------------------------------------
set -euo pipefail

# 1. Build a dummy ELF binary named 'update'
cat <<'EOF' > update.c
#include <stdio.h>
int main() { printf("Simulated malicious update\n"); return 0; }
EOF
gcc -o update update.c
chmod +x update

# 2. Execute the ELF (generates a normal execve event)
echo "[*] Running malicious ELF ./update"
./update

# 3. Trigger the detection condition: su with cmdline containing './update'
echo "[*] Invoking su to elevate privileges while referencing './update'"
# Note: In many lab environments 'su' may be configured without a password.
su -c "./update && id"

# 4. Cleanup (handled separately)
Cleanup Commands:
#!/usr/bin/env bash
# ------------------------------------------------------------
# Cleanup artifacts created by the simulation script
# ------------------------------------------------------------
set -euo pipefail

echo "[*] Removing simulated ELF binary and source file"
rm -f update update.c
echo "[*] Cleanup complete"