Feed aggregator
Apple, Intel have reached preliminary chip-making deal
Article URL: https://www.reuters.com/business/apple-intel-have-reached-preliminary-chip-making-deal-wsj-reports-2026-05-08/
Comments URL: https://news.ycombinator.com/item?id=48066169
Points: 13
# Comments: 0
DynDNS via SSH and NSD
Article URL: https://cweiske.de/tagebuch/ssh-dyndns2.htm
Comments URL: https://news.ycombinator.com/item?id=48066164
Points: 1
# Comments: 0
Widower can't renew license because DMV software unearthed 47yo speeding ticket
Don't Wait for the Pollen Spike: Start These 6 Allergy Prep Steps Today
Active attack: Dirty Frag Linux vulnerability expands post-compromise risk
- Why Dirty Frag matters
- Technical overview
- Exploitation scenarios
- Mitigation guidance
- Post-mitigation integrity verification
- References
A newly disclosed Linux local privilege escalation vulnerability known as “Dirty Frag” enables escalation from an unprivileged user to root through vulnerable kernel networking and memory-fragment handling components, including esp4, esp6 (CVE-2026-43284), and rxrpc (CVE-2026-43500). Public reporting and proof-of-concept activity indicate the exploit is designed to provide more reliable privilege escalation than traditional race-condition-dependent Linux local privilege escalation techniques.
Dirty Frag may be leveraged after initial compromise through SSH access, web-shell execution, container escape, or compromise of a low-privileged account. Affected environments may include Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE, and OpenShift deployments. Microsoft Defender is actively monitoring related activity and investigating additional detections and protections.
This article details an ongoing investigation into an active campaign. We will update this report as new details emerge.
Why Dirty Frag matters
Local privilege escalation vulnerabilities are frequently used by threat actors after initial access to expand control over a compromised environment. Once root access is obtained, attackers can disable security tooling, access sensitive credentials, tamper with logs, pivot laterally, and establish persistent access.
Dirty Frag is notable because it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components to improve exploitation reliability. Rather than relying on narrow timing windows or unstable corruption conditions often associated with Linux local privilege escalation exploits, Dirty Frag appears designed to increase consistency across vulnerable environments.
This increases operational risk in environments where threat actors already possess limited local execution capability through compromised accounts, vulnerable applications, containers, or exposed administrative interfaces.
Technical overview
Dirty Frag abuses Linux kernel networking and memory-fragment handling behavior involving esp4, esp6, and rxrpc components. Similar to the previously disclosed CopyFail vulnerability (CVE-2026-31431), the exploit attempts to manipulate Linux page cache behavior to achieve privilege escalation. However, Dirty Frag introduces additional attack paths that expand exploitation opportunities and improve reliability.
The vulnerability affects systems where vulnerable modules are present and accessible. In many enterprise environments, these components may already be enabled to support IPsec, VPN functionality, or other networking workloads.
Exploitation scenarios
Threat actors may leverage Dirty Frag after obtaining local code execution through several common intrusion paths, including:
- Compromised SSH accounts
- Web-shell access on internet-facing applications
- Container escapes into the host environment
- Abuse of low-privileged service accounts
- Post-exploitation activity following phishing or remote access compromise
Once local access is established, successful exploitation may allow attackers to escalate privileges to root and gain broad control over the affected Linux host.
Mitigation guidance
While comprehensive remediation guidance continues to evolve, organizations should evaluate interim mitigations immediately.
Recommended actions include:
- Disable unused rxrpc kernel modules where operationally possible
- Assess whether esp4, esp6, and related xfrm/IPsec functionality can be temporarily disabled safely
- Restrict unnecessary local shell access
- Harden containerized workloads
- Increase monitoring for abnormal privilege escalation activity
- Prioritize kernel patch deployment once vendor advisories are released
The following example prevents vulnerable modules from loading and unloads active modules where possible:
These mitigations should be carefully evaluated before deployment, particularly in environments relying on IPsec VPNs or RxRPC functionality.
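A version of that module-blocking step, added here as an example and not the post's own script: it uses the module names esp4, esp6 and rxrpc from the advisory, and the config file path under /etc/modprobe.d/ is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example, not the script from the Microsoft post: prevent the kernel modules named
# in the advisory (esp4, esp6, rxrpc) from loading and unload any that are currently loaded.
# Review DIRTYFRAG_MODULES against your own IPsec/VPN dependencies before applying.
set -eu

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"
# Path is an assumption; any file under /etc/modprobe.d/ is read by modprobe.
CONF_FILE="${CONF_FILE:-/etc/modprobe.d/dirtyfrag-mitigation.conf}"

# Emit modprobe.d directives. "install <mod> /bin/false" makes an explicit load attempt
# fail; "blacklist" only stops alias-based autoloading, so both are written.
render_modprobe_conf() {
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
    done
}

# Print the listed modules that are currently loaded, one per line. Reads /proc/modules,
# or the file given as $1 so the check can be run against a saved copy.
loaded_modules() {
    src="${1:-/proc/modules}"
    for m in $DIRTYFRAG_MODULES; do
        if grep -q "^$m " "$src" 2>/dev/null; then
            echo "$m"
        fi
    done
}

# Write the config, then try to unload loaded modules. modprobe -r refuses when a module
# is in use (e.g. an active IPsec SA); that is reported, not forced, and needs a reboot.
apply_mitigation() {
    render_modprobe_conf > "$CONF_FILE"
    for m in $(loaded_modules); do
        if modprobe -r "$m"; then
            echo "unloaded $m"
        else
            echo "WARNING: $m is in use and was not unloaded; reboot to apply" >&2
        fi
    done
}

# Apply only when run as "sh script.sh --apply", so sourcing the file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    apply_mitigation
fi
```

Run with `--apply` as root after confirming no IPsec tunnel depends on esp4/esp6; `loaded_modules` on its own is a safe read-only check.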
Post-mitigation integrity verification
Mitigation alone may not reverse changes already introduced through successful exploitation attempts.
If exploitation occurred prior to mitigation, malicious modifications may persist in memory or cached file content even after vulnerable modules are disabled. Organizations should validate the integrity of critical files and assess whether cache clearing is appropriate for their environment.
echo 3 | sudo tee /proc/sys/vm/drop_caches
Cache clearing can temporarily increase disk I/O and impact production performance and should be evaluated carefully before deployment.
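One way to do the file-integrity check described above without dropping caches globally, added here as an example and not part of the Microsoft post: it hashes each file once through a normal read (served from the page cache) and once through an O_DIRECT read (fetched from disk), and assumes the filesystem honours O_DIRECT, which ext4 and xfs do and tmpfs/overlayfs do not.

```shell
#!/bin/sh
# Added example, not from the Microsoft post: detect page-cache tampering of critical files.
# Exploits of this class change the cached copy of a file, so a normal read returns the
# modified bytes while the on-disk content is unchanged; an O_DIRECT read bypasses the
# page cache, so comparing the two hashes exposes the discrepancy.
# Assumption: the filesystem honours O_DIRECT (ext4/xfs do; tmpfs and overlayfs do not).
set -eu

# Print "match", "MISMATCH" or "unsupported" for one file; return 0, 1 or 2 respectively.
cache_vs_disk() {
    f="$1"
    tmp=$(mktemp)
    # Normal read: served from the page cache when the file is cached.
    cached=$(sha256sum < "$f" | cut -d' ' -f1)
    # Direct read: fetched from the block device, bypassing the page cache.
    if ! dd if="$f" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        echo "unsupported $f"
        return 2
    fi
    ondisk=$(sha256sum < "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"
    if [ "$cached" = "$ondisk" ]; then
        echo "match $f"
        return 0
    fi
    echo "MISMATCH $f cached=$cached disk=$ondisk"
    return 1
}

# Check every setuid binary under /usr (the usual target of a root escalation through a
# page-cache overwrite) plus files read by privileged processes. Mismatches go to stderr;
# the number of mismatches is printed so a caller can act on it.
check_privileged_files() {
    bad=0
    for f in $(find /usr/bin /usr/sbin -xdev -perm -4000 -type f 2>/dev/null) \
             /etc/passwd /etc/sudoers; do
        [ -r "$f" ] || continue
        if ! out=$(cache_vs_disk "$f"); then
            case "$out" in MISMATCH*) bad=$((bad + 1)); echo "$out" >&2 ;; esac
        fi
    done
    echo "$bad"
}

if [ "${1:-}" = "--check" ]; then
    check_privileged_files
fi
```

A file reported as "unsupported" lives on a filesystem without O_DIRECT, so for it the drop_caches step above remains the fallback.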
Microsoft Defender coverage
Microsoft Defender provides detection coverage for possible Dirty Frag exploitation activity, including:
Microsoft Defender Antivirus
- Exploit:Linux/DirtyFrag.A
- Exploit:Linux/DirtyFrag.B
- Trojan:Linux/DirtyFrag.Z!MTB
- Trojan:Linux/DirtyFrag.ZA!MTB
- Trojan:Linux/DirtyFrag.ZC!MTB
- Trojan:Linux/DirtyFrag.DA!MTB
- Potential exploitation of dirtyfrag vulnerability detected
Microsoft continues investigating additional detections, telemetry correlations, and posture guidance related to Dirty Frag activity.
Further investigation by Microsoft Defender toward stronger protection and posture recommendations is in progress.
References
Read about CopyFail (CVE-2026-31431), including mitigation and detection guidance, here: https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/.
The post Active attack: Dirty Frag Linux vulnerability expands post-compromise risk appeared first on Microsoft Security Blog.
Best T-Mobile Plans: How to Choose and Which Ones to Pick in 2026
Best Sports Streaming Service for 2026
The 25 Best PS5 Games Right Now
Mythos set off a cybersecurity 'hysteria.' Experts say threat was already here
Article URL: https://www.cnbc.com/2026/05/08/anthropic-mythos-ai-cybersecurity-banks.html
Comments URL: https://news.ycombinator.com/item?id=48064675
Points: 1
# Comments: 0
A 429 from a quota cap and a 429 from rate-limit need different cooldowns
Article URL: https://github.com/eleata/resilient-llm-router
Comments URL: https://news.ycombinator.com/item?id=48064656
Points: 1
# Comments: 0
Glow-in-the-dark sliotar wins top student prize
Article URL: https://www.rte.ie/news/business/2026/0507/1572229-student-enterprise-globall/
Comments URL: https://news.ycombinator.com/item?id=48064647
Points: 1
# Comments: 0
Show HN: Inkwell a writer-first newsletter platform,$0 for unlimited subscribers
Article URL: https://lovable.dev/
Comments URL: https://news.ycombinator.com/item?id=48064642
Points: 1
# Comments: 0
Deepfakes are everywhere. The godfather of digital forensics is fighting back
Article URL: https://www.science.org/content/article/deepfakes-are-everywhere-godfather-digital-forensics-fighting-back
Comments URL: https://news.ycombinator.com/item?id=48064641
Points: 1
# Comments: 0
UFO File Not Found
Article URL: https://www.war.gov/UFO/#65_HS1-834228961_62-HQ-83894_Serial_153
Comments URL: https://news.ycombinator.com/item?id=48064622
Points: 1
# Comments: 0
Show HN: IEEE-754-Conformant FP64 on Metal (Apple Silicon)
Article URL: https://github.com/guyfischman/metal-softfloat
Comments URL: https://news.ycombinator.com/item?id=48064592
Points: 1
# Comments: 1
Extortion Using Smartglasses Is a Thing Now
Article URL: https://gizmodo.com/extortion-using-smart-glasses-is-a-thing-now-2000755562
Comments URL: https://news.ycombinator.com/item?id=48064590
Points: 1
# Comments: 0
Show HN: Oc-go-cc, an Open-source proxy that lets Claude Code use OSS models
Article URL: https://github.com/samueltuyizere/oc-go-cc
Comments URL: https://news.ycombinator.com/item?id=48064584
Points: 1
# Comments: 0
Lookout Station – A native dashboard app for iPad and Mac
Article URL: https://lookoutapp.ai
Comments URL: https://news.ycombinator.com/item?id=48064578
Points: 1
# Comments: 0
