Dirty Frag (CVE-2026-43284 and CVE-2026-43500): Detecting unpatched local privilege escalation via Linux Kernel ESP and RxRPC
ID: a8954957-0b3c-5413-bb8d-31b948f4b66a
STIX ID: report--a8954957-0b3c-5413-bb8d-31b948f4b66a
Feed Name: Sysdig Blog
Dirty Frag (CVE-2026-43284 and CVE-2026-43500) are Linux kernel in-place decryption flaws in the ESP and RxRPC paths that allow an unprivileged local attacker to overwrite shared page-cache pages (e.g., /usr/bin/su) with attacker-controlled plaintext and obtain root. A public PoC was published before patches, the impact spans kernels 4.10–7.0 and most distributions, and containers inheriting host kernels are vulnerable. The report provides exploitation steps, detection rules for Sysdig and Falco, and mitigation guidance including immediate kernel updates, module blacklisting, seccomp restrictions, and runtime detection deployment.
