Dirty Frag: Universal Linux LPE Vulnerability and Symantec DCS Protection / Detection

DCS 6.x

Dirty Frag, the vulnerability chains two distinct kernel bugs: CVE-2026-43284 (ESP subsystem) and CVE-2026-43500 (RxRPC subsystem). Both vulnerabilities allow modification of page-cache-backed memory that is not exclusively owned by the kernel. If successfully exploited the flaw allows attackers with local access to obtain root privileges on most major Linux distributions.

Symantec protects you from this threat, identified by the following:

Policy-Based

Symantec Data Center Security (DCS) provides out-of-the-box protection against the Dirty Frag: Universal Linux LPE vulnerability through its default Unix OS Prevention policies.

DCS protection mechanism:

• Blocking the Exploit Vector: The Dirty Frag exploit typically relies on gaining write access to /proc/sys/. By default, DCS Unix Prevention policies do not allow write access to these logical files, as such behavior is deemed unusual and undesirable.
• Broad Coverage: This protection has been a core component of the DCS Unix Policy since 2005, meaning all versions of DCS offer this level of protection by default.
• Zero-Day Efficacy: Because DCS focuses on application and OS behavior rather than signatures, it provides protection without requiring a specific patch for the vulnerability.
• User Constraints: The policy denies the exploit attempt for all interactive non-privileged user accounts, as well as the root user.

Detection Capabilities:

Customers using only Detection Policies can use DCS to identify if a Dirty Frag exploit is being executed by deploying a targeted prevention policy in monitor-only mode with the same read-only file rule for /proc/sys/*

Protection Bulletin - https://www.broadcom.com/support/security-center/protection-bulletin/dirtyfrag-vulnerability-cve-2026-43284-cve-2026-43500