A second critical Linux kernel vulnerability in eight days is exposing servers to instant root compromise. Security researcher Hyunwoo Kim publicly disclosed "Dirty Frag" (CVE-2026-43284) on May 7, 2026 — a chained exploit that combines two flaws in the IPsec/ESP network path. When MSG_SPLICE_PAGES attaches pipe pages to network buffers, the kernel fails to mark them as shared, allowing attackers to write controlled data directly into kernel page cache and escalate to root.

The vulnerability affects every mainstream Linux distribution built since 2017, including Red Hat Enterprise Linux, AlmaLinux, Debian, Ubuntu, Fedora, and Amazon Linux. Unlike the previous DirtyPipe flaw which required precise timing, Dirty Frag is deterministic with very high success rates and no race condition window. An exploit already exists in the wild, and systems not patched since May 8 remain vulnerable.

This marks the second universal privilege escalation vulnerability in a week, following Copy Fail (CVE-2026-31431) from April 29. The same researcher built Dirty Frag explicitly on the bug class Copy Fail introduced — some in the security community now call it "Copy Fail 2.0." The disclosure was complicated when an unrelated party leaked details before all distributions finished packaging patches. Patched kernels are available; the only real fix is updating and rebooting.