SSB-2026-002 - Dirty Frag and Fragnesia Local Privilege Escalation Vulnerabilities in Linux Kernel

CVSS score v3.1
Base 7.8
Temporal 7.2
Environmental 4.7

TL;DR

The Dirty Frag vulnerability (CVE-2026-43284 and CVE-2026-43500) was publicly disclosed on May 7th. Scalingo became aware on May 8th and could not reproduce the exploit on its platform. As a precaution, the three vulnerable kernel modules (esp4, esp6, rxrpc) were disabled across all hosting nodes by 10:02 on May 8th, with no customer impact.

On May 13th, a related vulnerability named Fragnesia was disclosed by William Bowling (V12 team). It exploits a separate but closely related bug in the same XFRM ESP-in-TCP subsystem. The mitigation already applied on May 8th fully covers Fragnesia: Scalingo hosting nodes are not vulnerable.

What Happened?

On May 7th, 2026, security researcher Hyunwoo Kim (v4bel) published two new Linux kernel vulnerabilities collectively named “Dirty Frag” (CVE-2026-43284 and CVE-2026-43500). These vulnerabilities affect all major Linux kernel versions, including those used on Scalingo hosts. They have been evaluated with a CVSS v3.1 base score of 7.8.

Both vulnerabilities exploit improper page cache handling in the Linux kernel — CVE-2026-43284 in the IPsec ESP (xfrm-ESP) subsystem, and CVE-2026-43500 in the RxRPC subsystem. By chaining them, an unprivileged local user can overwrite the in-memory representation of privileged binaries in the page cache and gain root-level access, without requiring a race condition.

Scalingo’s security team became aware on May 8th at 07:00 and immediately started an assessment. We attempted to reproduce the exploit internally and could not confirm it on our platform. Nevertheless, given the severity of the vulnerability and the availability of a public exploit, we disabled the three vulnerable kernel modules (esp4, esp6, and rxrpc) across all hosting nodes as a precaution. The mitigation was completed at 10:02 with no customer-facing impact.

On May 13th, 2026, a related vulnerability named Fragnesia was publicly disclosed by William Bowling (V12 team). Fragnesia exploits a separate but closely related bug in the same XFRM ESP-in-TCP subsystem. We assessed Scalingo’s exposure starting at 16:30 and concluded at 16:45 that the mitigation already applied on May 8th fully covers Fragnesia. No further action was required.

Incident Analysis

Dirty Frag (CVE-2026-43284 and CVE-2026-43500)

Disclosed publicly on May 7th, 2026, the two Dirty Frag vulnerabilities affect the Linux kernel page cache mechanism:

  • CVE-2026-43284 — introduced in January 2017, affects the xfrm-ESP subsystem. It provides a write-what-where primitive into page-cache-backed memory via IPsec packet processing.
  • CVE-2026-43500 — introduced in June 2023, affects the RxRPC subsystem. It provides a similar primitive in environments where the first CVE is blocked.

Chaining both vulnerabilities allows an unprivileged user to overwrite in-memory contents of privileged binaries (such as /usr/bin/su) in the kernel page cache, without modifying the file on disk. Exploitation does not require a race condition, making it highly reliable. A public proof-of-concept was released at time of disclosure.

Exploiting these vulnerabilities requires local code execution on an affected host, which is possible on Scalingo application nodes and builders, but not on database and other nodes.

Scalingo’s security team attempted to reproduce the exploit on our platform and was unable to do so. The exploit obtains CAP_NET_ADMIN by first creating an unprivileged user namespace (CLONE_NEWUSER), not by having it granted directly. Scalingo container configuration blocks both unshare and clone(CLONE_NEWUSER) for containers that do not hold CAP_SYS_ADMIN. Scalingo containers are started without CAP_SYS_ADMIN, which means user namespace creation is blocked by seccomp, preventing the exploit from acquiring CAP_NET_ADMIN and proceeding.

Because Dirty Frag targets the Linux page cache, which is shared at the host kernel level across all containers, a successful exploit could potentially overwrite privileged binaries in the host page cache and affect processes outside the attacker’s container. This contributed to our decision to apply an emergency mitigation despite not being able to reproduce the exploit.

Fragnesia

Disclosed publicly on May 13th, 2026, Fragnesia is a separate bug in the same XFRM ESP-in-TCP subsystem, described as an unintended side effect of one of the Dirty Frag patches.

Fragnesia abuses a logic flaw in the ESP-in-TCP implementation: when a TCP socket transitions to espintcp ULP mode after file data has already been spliced into its receive queue, the kernel processes those file-backed pages as ESP ciphertext and XORs AES-GCM keystream bytes directly into the page cache. By selecting the IV nonce to produce a desired keystream byte, an attacker can overwrite arbitrary bytes of read-only cached files and achieve root privileges — one byte per invocation, without a race condition and without modifying files on disk. A public proof-of-concept was released at time of disclosure.

Like Dirty Frag, Fragnesia belongs to the same page-cache write vulnerability class, carries the same container escape risk, and uses the same CLONE_NEWUSER to CAP_NET_ADMIN acquisition path. The required mitigation is identical — disabling the esp4, esp6, and rxrpc kernel modules — and was already in place on Scalingo nodes before Fragnesia’s disclosure.
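As an added example (not Scalingo's own tooling), the following script checks on a Linux host that the mitigation described above is in place: none of esp4, esp6 or rxrpc is loaded, and each has a modprobe deny rule. The module names come from the bulletin; the /etc/modprobe.d location and the "install <mod> /bin/false" rule form are conventional and assumed here.

```shell
#!/bin/sh
# Added example, not Scalingo's tooling: verify the mitigation named in the
# bulletin (esp4, esp6 and rxrpc unavailable) on a Linux host. The module
# names come from the bulletin; /etc/modprobe.d is the conventional path
# for "install <mod> /bin/false" deny rules and is an assumption here.
MODULES="esp4 esp6 rxrpc"

# Return 0 when none of the modules appears in lsmod-style text, 1 otherwise.
# Takes the text as an argument so it can be checked against constructed input.
check_not_loaded() {
    rc=0
    for m in $MODULES; do
        if printf '%s\n' "$1" | awk -v m="$m" '$1 == m { f=1 } END { exit !f }'; then
            echo "FAIL: module $m is currently loaded"
            rc=1
        fi
    done
    return $rc
}

# Return 0 when every module has an "install <mod> /bin/false" (or /bin/true)
# rule in modprobe.d-style text, which makes modprobe refuse to load it.
check_blacklisted() {
    rc=0
    for m in $MODULES; do
        if ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(false|true)"; then
            echo "FAIL: no install-deny rule for $m"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_LSMOD_BAD="Module                  Size  Used by
esp4                   24576  0
xfrm_algo              16384  1 esp4"
SAMPLE_LSMOD_OK="Module                  Size  Used by
overlay               151552  0"
SAMPLE_CONF_OK="install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false"

# Live check against the current host when RUN_LIVE=1 is set.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_not_loaded "$(lsmod)" && check_blacklisted "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
fi
```

Run with RUN_LIVE=1 on a host to check its real lsmod output and modprobe.d rules; a module that is already loaded must still be unloaded, since the deny rule only prevents future loads.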

What We Did

In response to Dirty Frag (May 8th):

  • Assessed Scalingo’s exposure to the vulnerability.
  • Attempted to reproduce the exploit internally — could not confirm it on our platform.
  • Disabled the three vulnerable kernel modules as an emergency mitigation: esp4, esp6, and rxrpc.
  • Completed the mitigation rollout across all application nodes, builders, and other nodes.

In response to Fragnesia (May 13th):

  • Assessed Scalingo’s exposure to the vulnerability.
  • Confirmed that the mitigation applied on May 8th fully covers Fragnesia — no further action was required.

What You Should Do

No action is required for Scalingo PaaS customers.

What We Will Do in the Future

Scalingo will:

  • Continue monitoring kernel security advisories and applying security updates promptly.
  • Update this bulletin if new relevant information becomes available.

Product Impacts

Scalingo PaaS

The three vulnerable kernel modules (esp4, esp6, rxrpc) were disabled on all application runtime nodes and builders on May 8th at 10:02, with no service interruption or customer impact. This mitigation covers both Dirty Frag and Fragnesia.

Both vulnerabilities target the Linux page cache shared at the host kernel level, carrying a potential container escape risk as detailed in the Incident Analysis. The known exploit path is blocked on Scalingo: Docker’s default seccomp profile prevents user namespace creation (CLONE_NEWUSER) in containers without CAP_SYS_ADMIN, which Scalingo does not grant. We found no evidence of exploitation or unauthorized cross-tenant access during either incident.

Scalingo DBaaS Add-ons

Scalingo does not allow customer-controlled code execution on managed database nodes. As a result, the known exploit path is not directly reachable by customers in that context.

Managed database nodes have been mitigated through the same module disabling approach, and will be updated through Scalingo’s standard database maintenance process.

Other Scalingo Add-ons and Services

Other Scalingo add-ons and services were affected by the vulnerabilities, but as no customer code can be executed on these components, they were not exploitable in practice. The mitigation was applied to them, and they continued to operate normally throughout.

Contact

If you have any questions or require further assistance, please contact our support team. We remain committed to ensuring the security of our platform and the protection of our users’ data.

Timeline

2026-05-07 Public disclosure of CVE-2026-43284 and CVE-2026-43500 (Dirty Frag)
2026-05-08 07:00 Scalingo security team becomes aware
2026-05-08 07:15 On-call triggered
2026-05-08 07:20 Exploit cannot be reproduced; decision made to disable vulnerable modules as precaution
2026-05-08 10:02 All hosting nodes mitigated (esp4, esp6, rxrpc modules disabled)
2026-05-13 Public disclosure of Fragnesia; Scalingo hosting nodes already protected by existing mitigation
2026-05-13 16:30 Assessment of Fragnesia begins
2026-05-13 16:45 Assessment concludes: existing mitigation covers Fragnesia, no further action required

Changelog

2026-05-13: Initial publication of SSB-2026-002, covering Dirty Frag (CVE-2026-43284, CVE-2026-43500) and Fragnesia


©2026 Scalingo