CVE-2026-43284 — dirty frag
CVE-2026-43284, also known as "dirty frag", was announced on the 18th of May, 2026.
This is a Linux kernel vulnerability in the xfrm: esp subsystem where the
IPv4 and IPv6 datagram paths failed to mark splice-attached pipe pages with
SKBFL_SHARED_FRAG, causing ESP input to decrypt in-place over memory not
privately owned by the socket buffer (CWE-119). It has been assigned a CVSS score
of 7.8 (HIGH).
Impact to LiquidFiles
Does this impact LiquidFiles? No.
CVE-2026-43284 requires local shell access to the system to exploit
(CVSS vector: AV:L/AC:H/PR:L/UI:N). An attacker would need an OS-level account
with shell access on the server itself.
LiquidFiles application users do not have shell access to the underlying operating system — they interact exclusively through the web interface. Shell access is restricted to system administrators only, who are already fully trusted. There is no path from the LiquidFiles application layer to the kernel's ESP/XFRM subsystem.
Additionally, the affected kernel modules esp4, esp6, and
rxrpc are not present on the LiquidFiles appliance, so the vulnerability is
also mitigated at the system level regardless of the kernel version in use.
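To confirm the module status on a given host, the check below (an added example, not part of the LiquidFiles advisory or appliance tooling) reports whether each module named above is loaded, built into the kernel, or installed on disk as a loadable module. It assumes the standard Linux layout of /proc/modules and /lib/modules/<release>/; the function names and the optional ROOT and RELEASE arguments are illustrative.

```shell
#!/bin/sh
# Added example: classify the kernel modules named in the advisory.
# Assumption: standard layout (/proc/modules, /lib/modules/<release>/).

MODULES="esp4 esp6 rxrpc"

# module_state NAME [ROOT] [RELEASE]
# Prints one of: loaded, builtin, installed, absent.
# ROOT lets the check run against a mounted image instead of the live system.
module_state() {
    name=$1
    root=${2:-}
    release=${3:-$(uname -r)}
    moddir="$root/lib/modules/$release"

    # 1. Currently loaded: module name is the first column of /proc/modules.
    if [ -r "$root/proc/modules" ] &&
       awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$root/proc/modules"; then
        echo loaded; return
    fi
    # 2. Compiled into the kernel image: listed in modules.builtin.
    if [ -r "$moddir/modules.builtin" ] &&
       grep -Eq "(^|/)$name\.ko\$" "$moddir/modules.builtin"; then
        echo builtin; return
    fi
    # 3. Present on disk as a loadable module (plain or compressed .ko).
    if [ -d "$moddir" ] &&
       find "$moddir" -type f \( -name "$name.ko" -o -name "$name.ko.*" \) | grep -q .; then
        echo installed; return
    fi
    echo absent
}

# check_modules [ROOT] [RELEASE]
# Prints one line per module; returns 0 only if every module is absent.
check_modules() {
    rc=0
    for m in $MODULES; do
        state=$(module_state "$m" "${1:-}" "${2:-}")
        printf '%-6s %s\n' "$m" "$state"
        [ "$state" = absent ] || rc=1
    done
    return $rc
}
```

Source the file and run `check_modules` with no arguments to inspect the running kernel. A result of `installed` means the module is not active now but could still be loaded on demand, so only `absent` for all three matches the condition described above.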
When will this be fixed
You can check the current patch status on the Ubuntu security tracker.
If and when a kernel update is released and you have Automatic Updates enabled as recommended, the updated kernel package will be applied automatically and your system will be mitigated at the OS level as well.