CVE-2026-43284 and CVE-2026-43500 impact on Tanzu Jammy stemcells
search cancel

CVE-2026-43284 and CVE-2026-43500 impact on Tanzu Jammy stemcells

book

Article ID: 440040

calendar_today

Updated On:

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

CVE-2026-43284 and CVE-2026-43500, also known as Dirty Frag, are Linux kernel local privilege escalation vulnerabilities.

The vulnerabilities involve specific Linux kernel code paths where page-cache-backed memory may be modified through in-place cryptographic operations after data is inserted into socket buffers using zero-copy mechanisms.

These CVEs require local access to a running system. They are not remotely exploitable over the network.

For Tanzu Platform / TAS environments, it is important to distinguish between:

  1. The Jammy stemcell VM, where the affected kernel modules are be present.
  2. The Tanzu Platform application container runtime, where the known exploit path does not function.

Environment

This issue may be relevant to Tanzu environments using Jammy stemcells, including:

  • VMware Tanzu Application Service
  • VMware Tanzu Platform for Cloud Foundry
  • VMware Tanzu Kubernetes Grid Integrated Edition
  • Other BOSH-managed deployments based on Jammy stemcells

Cause

The issue is caused by Linux kernel vulnerabilities involving shared socket buffer fragments and in-place cryptographic operations.

At a high level:

  • CVE-2026-43284 is associated with the Linux xfrm / ESP code path.
  • CVE-2026-43500 is associated with the Linux RxRPC code path.

The affected kernel functionality is available on Jammy stemcell-based VMs until an updated Jammy stemcell includes the relevant upstream kernel fixes.

Resolution

We will update this KB article as soon as a Jammy stemcell version that includes the Linux kernel fixes for CVE-2026-43284 and CVE-2026-43500 is released. Until then, you can apply the following workaround.

For BOSH-managed VMs that are not using Tanzu IPSec, the affected kernel modules can be unloaded and blacklisted as a temporary mitigation.

  1. SSH to the affected VM:
    bosh -d <deployment-name> ssh <instance-group>/<instance-id>
  2. Run:
    sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"


  3. Reset the page cache:
    echo 3 | sudo tee /proc/sys/vm/drop_caches
 

This disables the following kernel modules: esp4, esp6 and rxrpc.

Do not apply this workaround on VMs that use Tanzu IPSec.

The esp4 and esp6 modules are required for IPSec functionality. Disabling them can disrupt or break IPSec communication between VMs.

Additional Information

 

Powered by Wolken Software