Two local privilege escalation (LPE) vulnerabilities, designated as CVE-2026-43284 and CVE-2026-43500 (collectively referred to as "Dirty Frag"), were publicly disclosed on May 7, 2026, affecting the Linux kernel.
A similar local privilege escalation (LPE) vulnerability, designated as CVE-2026-46300 (referred to as "Fragnesia"), was disclosed on May 13, 2026.
These vulnerabilities allow an unprivileged local attacker to trigger a deterministic, controlled memory write directly into the page cache of read-only files. Successful exploitation on affected Linux kernels results in unauthorized escalation to root privileges.
VMware Photon OS
VMware vSphere Kubernetes Service
VMware vCenter Server
VMware ESXi
VMware SDDC Manager
VMware Aria Suite
VMware NSX
VMware vCloud
Telco Cloud Automation
The vulnerability is caused by chaining two specific flaws: the xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write vulnerabilities. When an attacker utilizes the splice() system call to map a read-only file (such as /etc/passwd or /usr/bin/su) into a network buffer fragment (sk_buff), the receiver-side kernel incorrectly performs in-place cryptographic operations directly on that fragment. This bypasses copy-on-write protections, unintentionally overwriting the read-only page cache in RAM and altering the file for all subsequent system reads.
Successful exploitation requires network and authenticated access to the relevant system. As of today, this vulnerability cannot be exploited remotely or without first successfully authenticating to the system in question.
| Product | Exploitable/Fixed in | Notes |
| --- | --- | --- |
| VMware ESXi | No | VMware ESXi is not based on Linux, and hence is not affected. |
| VMware Photon OS | No | Photon OS restricts standard users from creating user namespaces, and no user namespaces are defined by default. |
| VMware vCenter Server | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware vSphere Kubernetes Service - Supervisor | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware Tanzu Kubernetes Release - Photon OS Images | No | Photon OS is not affected. |
| VMware Tanzu Kubernetes Release - Ubuntu Images | Refer to KB 440587 | Virtual Appliance is based on Ubuntu OS (22.04 and 24.04) |
| VMware SDDC Manager | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware NSX | No | |
| VMware Aria Operations | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware Aria Operations for Logs | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware Aria Automation | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware Aria Automation Orchestrator | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware Aria Suite Lifecycle Manager | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware vCloud Director | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware vCloud Usage Meter | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware vSphere Replication | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| VMware Live Site Recovery | No | Virtual Appliance is based on Photon OS, and hence is not affected. |
| Telco Cloud Automation | No | TCA Manager and TCA Control Plane virtual Appliances are based on Photon OS, and hence are not affected. |
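
The Photon OS row above rests on standard users being unable to create user namespaces. The following check is an added example, not part of this article or of any VMware tooling, that reports that setting on a Linux host. Treating `user.max_user_namespaces` and `kernel.unprivileged_userns_clone` as the relevant controls is an assumption (the second exists only on kernels that carry that patch), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether sysctl settings stop unprivileged users
# from creating user namespaces. LSM policy (AppArmor, SELinux) is not checked.
# The sysctl root is a parameter so the check can also be run against a
# captured or constructed copy of /proc/sys.

read_sysctl() {
    # $1 = sysctl root, $2 = relative path; prints the value, or nothing if absent
    [ -r "$1/$2" ] && tr -d ' \t\n' < "$1/$2"
    return 0
}

userns_status() {
    root="${1:-/proc/sys}"
    # Upstream limit on user namespaces per user; 0 disables creation.
    max=$(read_sysctl "$root" user/max_user_namespaces)
    # Distribution patch (assumption: present on the kernel being checked);
    # 0 blocks creation by unprivileged users.
    clone=$(read_sysctl "$root" kernel/unprivileged_userns_clone)

    if [ "$max" = "0" ]; then
        echo "restricted: user.max_user_namespaces=0"
    elif [ "$clone" = "0" ]; then
        echo "restricted: kernel.unprivileged_userns_clone=0"
    elif [ -z "$max$clone" ]; then
        echo "unknown: no user namespace sysctls found under $root"
    else
        echo "permitted by sysctl: max_user_namespaces=${max:-unset} unprivileged_userns_clone=${clone:-unset}"
    fi
}

# Stand-alone use: check the live system, or a path given as the first argument.
userns_status "${1:-/proc/sys}"
```

A "restricted" result describes only the sysctl state on that host; product exposure is still determined by the table above and the referenced KB.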
Should you require further information or support, contact Broadcom Support.
To be notified of any changes, subscribe to this knowledge base article.