Tanzu Security Advisory CVE-2026-43284 / CVE-2026-43500
37474
11 May 2026
CLOSED
Severity: High
CVSSv3 Range: 7.8
CVSSv3 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Issue Date: 2026-05-08
CVE(s): CVE-2026-43284, CVE-2026-43500
Synopsis |
"Dirty Frag" (discovered by Hyunwoo Kim, @v4bel) is a class of Linux kernel vulnerabilities that achieves root privilege escalation by exploiting in-place cryptographic operations performed directly on page-cache pages that were planted into a kernel socket buffer (sk_buff) via a zero-copy splice() send path. The attacker can target read-only files (e.g., /usr/bin/su, /etc/passwd) whose page-cache content they can modify permanently in RAM without needing write permission.
Impact
This is a local vulnerability only, impacting Jammy stemcells and Linux systems. It requires access to a running system and cannot be exploited remotely across a network.
The Diego cell Garden runtime, as documented in the Container Security in VMware Tanzu Platform white paper and the container security documentation, was assessed by the Tanzu Platform team. They reviewed and tested the exploit against the seccomp configuration of the Tanzu Platform runtime and determined that it does not function in the Tanzu Platform container runtime:
vcap@c7375bd6-2b63-4dc2-6120-874b:~/app$ ./exp
dirtyfrag: failed (rc=3)
The vulnerable modules are present on Jammy stemcells. This CVE does not represent a practical risk to containerized workloads (see below), and there is a mitigation customers can apply by removing the impacted kernel modules. No stemcell patch will be issued for this CVE until the kernel patch is available and fully tested against IPSec.
Technical Details
- Dirty Frag - Universal Linux LPE
- Technical Write Up
"Dirty Frag" is a class of Linux kernel LPE vulnerabilities discovered and reported by Hyunwoo Kim (@v4bel). The vulnerability exploits a missing SKBFL_SHARED_FRAG flag check: when MSG_SPLICE_PAGES attaches a read-only page-cache page into a socket buffer via splice(), the page is indistinguishable from a normal kernel-owned page. Crypto code that performs in-place operations on that buffer then writes directly into the page cache of files the attacker only has read access to — permanently modifying them in RAM without a write permission check.
CVE-2026-43284 covers the xfrm-ESP variant. In esp_input(), when an skb is non-linear but has no frag_list, the missing skb_has_shared_frag() check allows the in-place AEAD decryption path to write 4 bytes of attacker-controlled data (replay_esn->seq_hi, set at SA registration) into the page cache at an attacker-chosen file offset. By repeating this 48 times, an attacker can overwrite /usr/bin/su with a root-shell ELF and execute it.
CVE-2026-43500 (RxRPC companion) achieves the same page-cache write effect via rxkad_verify_packet_1() without requiring a user namespace, relying instead on the add_key("rxrpc", ...) syscall to plant a session key.
The combined "Dirty Frag" chain exploit tries the ESP variant first and falls back to RxRPC, making it effective across environments where only one variant is available.
Tanzu Platform container runtime is not impacted
Guardian's Seccomp Profile Blocks Both Exploit Variants
Guardian (garden-runc-release) deploys a deny-by-default seccomp allowlist to every CF application container it manages. The profile is defined in seccomp_linux with DefaultAction: specs.ActErrno.
For the xfrm-ESP variant (CVE-2026-43284):
unshare is not present in the seccomp allowlist, so any call to unshare(CLONE_NEWUSER | CLONE_NEWNET) from within a CF application container fails immediately. The clone syscall is allowed only with the namespace flags masked to zero via OpMaskedEqual.
clone3 is explicitly blocked with ActErrno returning ENOSYS. There is no syscall path available to create a user or network namespace from within a CF application container. Without a user namespace, CAP_NET_ADMIN cannot be obtained, XFRM SAs cannot be registered, and the exploit cannot proceed past step one.
For the RxRPC variant (CVE-2026-43500):
add_key is not present in the seccomp allowlist. keyctl and request_key are also absent. Without the ability to register an RxRPC session key, the companion exploit is independently blocked before it can configure the cipher context.
The allowed syscalls splice, vmsplice, socket, and sendmsg are inert without the above. They perform general-purpose data operations and pose no exploitable risk when the namespace and key prerequisites are blocked.
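To audit a seccomp profile for the same prerequisites the advisory walks through, here is an added example (not Guardian's code): it reads an OCI runtime-spec seccomp profile and reports whether unshare, clone3, add_key, keyctl and request_key are denied and whether clone is restricted by a masked-equal rule that zeroes CLONE_NEWUSER and CLONE_NEWNET. The JSON field names, the 0x7E020000 mask and both sample profiles are assumptions constructed for the example.

```python
# clone(2) namespace flags from <linux/sched.h>.
CLONE_NEWUSER, CLONE_NEWNET = 0x10000000, 0x40000000
NS_FLAGS = CLONE_NEWUSER | CLONE_NEWNET
# Syscalls the advisory names as prerequisites: unshare/clone3 for the xfrm-ESP
# variant, add_key/keyctl/request_key for the RxRPC variant.
PREREQS = {"unshare", "clone3", "add_key", "keyctl", "request_key"}

def _clone_masks_namespaces(rule):
    """True if this clone rule admits only calls with no user/net namespace flag set."""
    for arg in rule.get("args", []):
        if (arg.get("index") == 0 and arg.get("op") == "SCMP_CMP_MASKED_EQ"
                and (arg.get("value", 0) & NS_FLAGS) == NS_FLAGS
                and arg.get("valueTwo", 0) == 0):
            return True
    return False

def audit_profile(profile):
    """Return findings; an empty list means both variants' prerequisites are blocked."""
    findings = []
    if profile.get("defaultAction") in ("SCMP_ACT_ALLOW", "SCMP_ACT_LOG"):
        findings.append("defaultAction permits unlisted syscalls: not deny-by-default")
    allowed, clone_rules = set(), []
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue  # ERRNO/KILL rules (e.g. clone3 -> ENOSYS) are what we want
        for name in rule.get("names", []):
            if name == "clone":
                clone_rules.append(rule)
            else:
                allowed.add(name)
    for name in sorted(allowed & PREREQS):
        findings.append(f"{name} is allowed")
    if clone_rules and not all(_clone_masks_namespaces(r) for r in clone_rules):
        findings.append("clone allowed without masking CLONE_NEWUSER|CLONE_NEWNET to zero")
    return findings

# Constructed profiles in OCI runtime-spec JSON form, modelled on the rules the
# advisory describes; neither is Guardian's actual seccomp_linux definition.
GUARDIAN_LIKE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["socket", "sendmsg", "splice", "vmsplice"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",  # mask = CLONE_NEWNS..CLONE_NEWNET bits
         "args": [{"index": 0, "value": 0x7E020000, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}]},
        {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38},  # 38 = ENOSYS
    ],
}
PERMISSIVE = {"defaultAction": "SCMP_ACT_ERRNO",
              "syscalls": [{"names": ["clone", "unshare", "add_key"], "action": "SCMP_ACT_ALLOW"}]}
```

Running `audit_profile` over a profile exported from your runtime gives an empty list only when every prerequisite named above is denied; a clone rule that masks just one namespace bit is reported as a finding.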
Tanzu Jammy Stemcell Versions Affected
- All versions
- There is currently no upstream Linux kernel patch incorporated and tested in the Jammy stemcell.
- As soon as a patch is available and tested, an update will be released.
Mitigation
A kernel patch is expected that will supersede this mitigation in the coming weeks. An updated stemcell will be provided as soon as the Linux kernel patch is available and tested with Tanzu IPSec.
For all BOSH-managed VMs not using Tanzu IPSec, the ESP and RxRPC kernel modules can be unloaded or blacklisted. This eliminates the vulnerable code path at the kernel level entirely, regardless of the privilege level of any process on that VM.
Temporary Mitigation
- SSH to the VM
- Run the mitigation:
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
- Reset the page cache
echo 3 | sudo tee /proc/sys/vm/drop_caches
NOTE: This disables the esp4/esp6 and rxrpc modules. These modules are required for Tanzu IPSec; disabling them will disrupt and break IPSec operations.
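An added verification script (not part of the advisory) for checking the mitigation state on a VM: the mitigation command above discards rmmod errors, so a module that was in use, for example by an active SA, can remain loaded even though the modprobe.d diversion is in place. The sample /proc/modules and modprobe.d contents are constructed.

```python
import re

MODULES = ("esp4", "esp6", "rxrpc")

# Constructed sample inputs (not captured from a real stemcell): esp4 is still
# loaded with a non-zero refcount, as happens when rmmod fails on a live SA.
SAMPLE_PROC_MODULES = """\
esp4 20480 1 - Live 0xffffffffc0a00000
xfrm_algo 16384 1 esp4, Live 0xffffffffc09f0000
overlay 151552 1 - Live 0xffffffffc0900000
"""
SAMPLE_MODPROBE_CONF = """\
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
"""

def loaded_modules(proc_modules_text):
    """Module names from /proc/modules (first field of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}

def install_blocked(modprobe_conf_text):
    """Modules whose autoload is diverted to /bin/false by an 'install' directive."""
    pattern = re.compile(r"^\s*install\s+(\S+)\s+/bin/false\s*$")
    return {m.group(1) for m in map(pattern.match, modprobe_conf_text.splitlines()) if m}

def mitigation_status(proc_modules_text, modprobe_conf_text):
    """Per-module view: mitigated only if unloaded AND blocked from being reloaded."""
    loaded = loaded_modules(proc_modules_text)
    blocked = install_blocked(modprobe_conf_text)
    return {m: {"loaded": m in loaded, "blocked": m in blocked,
                "mitigated": m not in loaded and m in blocked} for m in MODULES}

def check_host(proc_path="/proc/modules", conf_path="/etc/modprobe.d/dirtyfrag.conf"):
    """Read the live files on a VM; the conf file may not exist before mitigation."""
    try:
        with open(conf_path) as fh:
            conf = fh.read()
    except FileNotFoundError:
        conf = ""
    with open(proc_path) as fh:
        return mitigation_status(fh.read(), conf)

if __name__ == "__main__":
    for name, st in check_host().items():
        print(name, "OK" if st["mitigated"] else "NOT MITIGATED", st)
```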
History
2026-05-08: Initial vulnerability report published.
Contact
E-mail: [email protected]
VMware Tanzu Security Advisories
https://tanzu.vmware.com/security