CVE-2026-43284 and CVE-2026-43500 (Dirty Frag)

Document Version: 1.0 Severity: High (CVE), Medium (TrueNAS Impact)

Two Linux kernel vulnerabilities collectively known as “Dirty Frag” (CVE-2026-43284 and CVE-2026-43500) affect page cache memory management and can be chained together to achieve local privilege escalation on vulnerable Linux systems. While TrueNAS Enterprise/CE contains the affected kernel components, the ZFS filesystem architecture provides protection in testing against these vulnerabilities, preventing exploitation in testing.

TrueNAS Impact: MEDIUM - Systems appear protected by filesystem-level architectural defenses.

• Component: Linux kernel xfrm (IPsec) subsystem, specifically ESP (Encapsulating Security Payload) implementation
• Attack Vector: Local privilege escalation through page cache corruption
• Prerequisites: User namespace creation capability (CLONE_NEWUSER|CLONE_NEWNET)
• Kernel Modules: esp4, esp6

• Component: Linux kernel RxRPC protocol implementation
• Attack Vector: Local privilege escalation through page cache corruption
• Prerequisites: Ability to create AF_RXRPC sockets (no namespace required)
• Kernel Modules: rxrpc

The “Dirty Frag” exploit chains these vulnerabilities to:

1. Corrupt Linux page cache memory containing system files
2. Overwrite critical system files (e.g., /etc/passwd) through memory corruption
3. Remove root password requirements or modify system binaries
4. Achieve root privilege escalation

All current TrueNAS Enterprise/CE versions contain the vulnerable kernel components:

• 24.04.x series
• 24.10.x series
• 25.04.x series
• 25.10.x series (fixed in 25.10.4)

TrueNAS Enterprise/CE systems contain the necessary components for the exploit:

• Kernel modules present: esp4, esp6, and rxrpc modules are available
• User namespaces enabled: CLONE_NEWUSER functionality works
• Network protocols active: IPsec ESP modules loaded for enterprise storage features
• Target files accessible: Standard system files like /etc/passwd exist

TrueNAS Enterprise/CE appears protected by ZFS filesystem design:

• ZFS implements its own caching layer (ARC) separate from the Linux page cache
• File data flows through ZFS ARC rather than directly through Linux page cache
• Memory corruption in Linux page cache did not propagate to ZFS-managed files in testing

Internal testing confirmed the protection mechanism:

• ZFS filesystem: Exploit fails with no file modification (rc=4 error)
• ext4 filesystem: Exploit succeeds, demonstrating kernel vulnerability exists
• Root cause: Page cache corruption does not affect ZFS-backed files

• Affects major Linux distributions (Ubuntu, RHEL, CentOS, openSUSE, Fedora)
• Deterministic exploit with high success rate on vulnerable systems
• No patches available in mainline distributions as of publication date

• ZFS filesystem architecture provides protection in testing
• Exploit prerequisites are met but attack vector is blocked
• No additional configuration or patches required

1. No action required based on current analysis - ZFS provides architectural protection
2. Monitor for kernel updates - Apply security updates when available through normal channels
3. Maintain access controls - Limit local system access to authorized users only
4. Review security policies - Ensure appropriate local access controls are in place

For customers on releases prior to 25.10.4 requiring additional security layers:

TrueNAS 25.10.3.1:

midclt call system.advanced.update '{"kernel_extra_options": "module_blacklist=esp4,esp6,rxrpc"}'

TrueNAS 25.10.3, 25.04.2.x:

midclt call system.advanced.update '{"kernel_extra_options": "initcall_blacklist=algif_aead_init module_blacklist=esp4,esp6,rxrpc"}'

Note: Disabling ESP modules (esp4/esp6) will prevent IPsec VPN functionality. Only apply if IPsec is not required for your deployment. Customers running 25.10.4 or later do not need these mitigations.

• Avoid testing with ext4 or other non-ZFS filesystems that lack protection
• Use isolated test environments when evaluating kernel exploits
• Clear page cache after exploit testing: echo 3 > /proc/sys/vm/drop_caches

The exploit failed in testing on TrueNAS Enterprise/CE due to filesystem-level isolation:

1. Memory corruption succeeds: Kernel vulnerabilities are triggered successfully
2. Page cache corruption occurs: Linux page cache memory is corrupted as designed
3. ZFS isolation prevents propagation: Corruption does not reach ZFS-managed files
4. File integrity maintained: Target system files remain unmodified

• No performance impact from this protection mechanism
• ZFS ARC provides performance benefits independent of security considerations
• Standard ZFS operations continue normally

• CVE-2026-43284: xfrm-ESP Page-Cache Write vulnerability
• CVE-2026-43500: RxRPC Page-Cache Write vulnerability
• Exploit Research: “Dirty Frag: Universal Linux LPE” by Hyunwoo Kim (@v4bel)
• Upstream Fix: CVE-2026-43284 patched at kernel commit f4c50a4034e6
• TrueNAS Security: https://security.truenas.com

While the Dirty Frag vulnerabilities represent a significant threat to Linux systems using traditional filesystems, TrueNAS Enterprise/CE customers benefit from protection in testing through ZFS architecture. The filesystem’s design provides isolation from page cache corruption attacks in this specific case.

No immediate action is required from TrueNAS Enterprise/CE users, though standard security best practices for local access control should be maintained.

This document will be updated as additional information becomes available or if circumstances change.