Companion to the CVE-2026-31431 checker.
Read-only check for the Dirty Frag local-root vulns: CVE-2026-43284 (IPsec — esp4/esp6/ipcomp) and CVE-2026-43500 (AF_RXRPC). Looks at running kernel vs vendor-published fix, module load state, KernelCare livepatch, and any modprobe blacklist. No exploit code.
curl -fsSL https://github.com/haydenjames/dirty-frag-check/releases/latest/download/dirty-frag-check.sh | bash
Pass -q for one-line output suited to fleet runs. Exit codes: 0 ok, 1 vulnerable, 2 unknown.
Verdicts: OK / MITIGATED / REBOOT NEEDED / VULNERABLE / WAITING ON VENDOR PATCH / AT RISK / LIKELY PATCHED / UNKNOWN.
The verdict tree distinguishes real vulnerabilities from vendor-lag (Rocky/CloudLinux trailing AlmaLinux by a build) and from the Ubuntu/Debian case where the affected modules ship as available on every host.
Repo: dirty-frag-check: Read-only checker for CVE-2026-43284 / CVE-2026-43500
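The module load state and modprobe blacklist checks mentioned above, sketched as an added example (not code from dirty-frag-check). It separates a plain `blacklist` line from an `install ... /bin/false` rule, since only the latter stops modprobe from loading the module on request. The state names, the `rxrpc` module name for AF_RXRPC, and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example; not the dirty-frag-check source. State names are hypothetical.
# Usage: module_state NAME PROC_MODULES_TEXT MODPROBE_CONF_TEXT
# Prints one of: loaded | blocked | blacklisted | loadable
module_state() {
    name=$1; proc=$2; conf=$3
    # /proc/modules: the first field of each line is a loaded module's name.
    if printf '%s\n' "$proc" |
        awk -v m="$name" '$1 == m { f = 1 } END { exit !f }'; then
        echo loaded; return
    fi
    # "install <mod> /bin/false" (or /bin/true) makes modprobe run that command
    # instead of loading the module, so loads that go through modprobe fail.
    if printf '%s\n' "$conf" | awk -v m="$name" '
        $1 == "install" && $2 == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { f = 1 }
        END { exit !f }'; then
        echo blocked; return
    fi
    # "blacklist <mod>" only stops alias-based autoloading; "modprobe <mod>"
    # or a dependent module can still pull it in.
    if printf '%s\n' "$conf" |
        awk -v m="$name" '$1 == "blacklist" && $2 == m { f = 1 } END { exit !f }'; then
        echo blacklisted; return
    fi
    echo loadable
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_PROC='esp4 28672 0 - Live 0x0000000000000000
xfrm_algo 16384 1 esp4, Live 0x0000000000000000'
SAMPLE_CONF='# constructed modprobe.d content
blacklist esp6
# install ipcomp /bin/false
install rxrpc /bin/false'

# Module names: esp4/esp6/ipcomp are from the post; rxrpc is assumed for AF_RXRPC.
report() {
    for m in esp4 esp6 ipcomp rxrpc; do
        printf '%s=%s\n' "$m" "$(module_state "$m" "$1" "$2")"
    done
}

report "$SAMPLE_PROC" "$SAMPLE_CONF"
```

On a real host, pass `"$(cat /proc/modules)"` and `"$(modprobe --showconfig)"` to `report` in place of the samples.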