P014C
Dirty Frag (CVE-2026-43284)
Description
CVE-2026-43284, also known as Dirty Frag, is a vulnerability in the Linux kernel's IP fragment reassembly path affecting the IPsec (esp4, esp6, ipcomp, ipcomp6) and RxRPC (rxrpc) subsystems. AWS has issued a security bulletin for this issue. The affected kernel modules can be exploited by a local attacker to achieve privilege escalation.
Impact
There is no downtime expected from this change. The affected kernel modules (esp4, esp6, ipcomp, ipcomp6, rxrpc) are unloaded on all nodes and blacklisted so they cannot be reloaded. A filesystem cache flush is performed afterward to ensure a clean state.
Changes
- Places a boot hook (00-dirty-frag-mitigation) on the shared storage at /mnt/jrc-comms/hooks/boot.d/ so the mitigation is applied automatically on every instance boot, even after AMI replacements.
- The hook blacklists the esp4, esp6, ipcomp, ipcomp6, and rxrpc modules via /etc/modprobe.d/p014c-disable-dirtyfrag.conf and unloads any that are currently loaded.
- Runs the hook immediately on all nodes so the mitigation takes effect without waiting for a reboot.
- Flushes filesystem caches on all nodes after the mitigation is applied.
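The following is an added illustration of a hook in the shape the changes above describe; it is constructed for this note and is not the 00-dirty-frag-mitigation hook itself. It uses the module list and modprobe.d path named above, and assumes one detail the change does not spell out: besides a `blacklist` line (which only stops alias-based autoloading), it writes an `install <module> /bin/false` line so that an explicit `modprobe` or a dependency pull-in also fails, which is what "cannot be reloaded" needs. The functions take the module-list file and the config path as parameters so they can be exercised against a scratch directory; the live system is only touched when the script is run with `--apply` as root.

```shell
#!/bin/sh
# Added example of a Dirty Frag (CVE-2026-43284) mitigation hook; constructed for
# this note, not the project's own hook. Paths default to the ones the change names.
set -eu

DIRTY_FRAG_MODULES="esp4 esp6 ipcomp ipcomp6 rxrpc"
MODPROBE_CONF="${MODPROBE_CONF:-/etc/modprobe.d/p014c-disable-dirtyfrag.conf}"

# Write the modprobe configuration. "blacklist" alone only stops alias-based
# autoloading; "install <mod> /bin/false" (assumed here, not stated by the change)
# also makes an explicit "modprobe <mod>" or a dependency load fail.
write_blacklist_conf() {
    conf="$1"; shift
    mkdir -p "$(dirname "$conf")"
    {
        echo "# P014C: Dirty Frag (CVE-2026-43284) mitigation - do not load these modules"
        for m in "$@"; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$conf"
}

# Print, one per line, the modules from the argument list that appear in a file in
# /proc/modules format (name size refcount users state address): exact first-column match.
loaded_from_list() {
    modfile="$1"; shift
    for m in "$@"; do
        if awk -v mod="$m" '$1 == mod { found = 1 } END { exit !found }' "$modfile"; then
            echo "$m"
        fi
    done
}

# rmmod the target modules that are loaded. rmmod fails while a module is in use
# (an active IPsec SA or policy for esp*/ipcomp*, or a dependent such as kafs holding
# rxrpc); report and carry on so the blacklist still lands, and return non-zero.
unload_modules() {
    modfile="$1"; shift
    failed=0
    for m in $(loaded_from_list "$modfile" "$@"); do
        if ! rmmod "$m" 2>/dev/null; then
            echo "warning: could not unload $m (still in use?)" >&2
            failed=1
        fi
    done
    return $failed
}

# Succeed only when none of the target modules is present in the module list.
verify_none_loaded() {
    modfile="$1"; shift
    [ -z "$(loaded_from_list "$modfile" "$@")" ]
}

# Flush filesystem caches after the change, as the Impact section describes.
flush_fs_caches() {
    sync
    echo 3 > /proc/sys/vm/drop_caches
}

apply_mitigation() {
    write_blacklist_conf "$MODPROBE_CONF" $DIRTY_FRAG_MODULES
    unload_modules /proc/modules $DIRTY_FRAG_MODULES || true
    flush_fs_caches
    verify_none_loaded /proc/modules $DIRTY_FRAG_MODULES
}

# Constructed sample in /proc/modules format for dry runs: two target modules loaded.
sample_proc_modules() {
    cat <<'EOF'
esp4 24576 2 - Live 0x0000000000000000
xfrm_algo 20480 1 esp4, Live 0x0000000000000000
ext4 737280 1 - Live 0x0000000000000000
rxrpc 155648 1 kafs, Live 0x0000000000000000
EOF
}

# Only act on the live system when explicitly asked; sourcing the file is side-effect free.
case "${1:-}" in
    --apply) apply_mitigation ;;
esac
```

To dry-run the detection logic without root, write `sample_proc_modules` to a file and pass it to `loaded_from_list` or `verify_none_loaded`; against the sample it reports esp4 and rxrpc as loaded, and `verify_none_loaded` fails until both are gone. Because `unload_modules` keeps going after an rmmod failure, a node with live IPsec state or a mounted AFS volume ends the run with the blacklist in place but the module still resident, so the final `verify_none_loaded` result is the value to alert on.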
If You Accept
The five affected kernel modules will be unloaded and blacklisted across all instances, closing this attack vector. The boot hook ensures the mitigation persists across reboots and new instances. Once a patched kernel is rolled out, the hook is harmless to leave in place.
If You Reject
The affected modules will remain loaded, leaving your instances vulnerable to exploitation via the Dirty Frag vulnerability.