Skip to content

DLPX-97202 Add esp4/esp6/rxrpc modprobe disable to delphix-platform for CVE-2026-43500 (dirty frag)#560

Merged
david-mendez1 merged 1 commit into
releasefrom
dlpx/pr/david-mendez1/8e98c745-0b63-4518-b34a-a6e03810a5e8
May 11, 2026
Merged

DLPX-97202 Add esp4/esp6/rxrpc modprobe disable to delphix-platform for CVE-2026-43500 (dirty frag)#560
david-mendez1 merged 1 commit into
releasefrom
dlpx/pr/david-mendez1/8e98c745-0b63-4518-b34a-a6e03810a5e8

Conversation

@david-mendez1

@david-mendez1 david-mendez1 commented May 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Problem

CVE-2026-43500 ("dirty frag") is a critical Linux kernel local privilege
escalation vulnerability (CVSS 7.8, CWE-787) that allows an unprivileged
local user to exploit socket buffers with externally-owned paged fragments
that fall through to in-place decryption paths in the esp4, esp6, and
rxrpc kernel modules.

No upstream kernel fix is available yet for Ubuntu 24.04 LTS — all
Delphix kernel repos still carry the vulnerable code.

Solution

Add /etc/modprobe.d/dirty-frag.conf directly to delphix-platform under
files/common/etc/modprobe.d/, containing:

```
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
```

None of these modules are used by the Delphix product. The fix applies to
all platforms (the file lives under files/common/) and blocks the modules
at image build time, independent of which kmod package version is present.

The comment in the file notes that this should be re-evaluated once an
updated kernel containing the upstream fix is deployed.

Testing Done

Verified on an engine that has been setup that these modules are not in loaded (only exist in the kernel).
Manually created file dirty-frag.conf and tried to load the modules:

root@ip-10-110-226-132:/etc/modprobe.d# cat dirty-frag.conf 
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
root@ip-10-110-226-132:/etc/modprobe.d# modprobe esp4
modprobe: ERROR: ../libkmod/libkmod-module.c:1084 command_do() Error running install command '/bin/false' for module esp4: retcode 1
modprobe: ERROR: could not insert 'esp4': Invalid argument
root@ip-10-110-226-132:/etc/modprobe.d# modprobe esp6
modprobe: ERROR: ../libkmod/libkmod-module.c:1084 command_do() Error running install command '/bin/false' for module esp6: retcode 1
modprobe: ERROR: could not insert 'esp6': Invalid argument
root@ip-10-110-226-132:/etc/modprobe.d# modprobe rxrpc
modprobe: ERROR: ../libkmod/libkmod-module.c:1084 command_do() Error running install command '/bin/false' for module rxrpc: retcode 1
modprobe: ERROR: could not insert 'rxrpc': Invalid argument

@david-mendez1 david-mendez1 force-pushed the dlpx/pr/david-mendez1/8e98c745-0b63-4518-b34a-a6e03810a5e8 branch from fb0e26a to 34698b1 Compare May 11, 2026 19:46
@david-mendez1 david-mendez1 marked this pull request as ready for review May 11, 2026 19:52
prakashsurya
prakashsurya approved these changes May 11, 2026
View reviewed changes

@prakashsurya prakashsurya left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@david-mendez1 david-mendez1 merged commit 5c3eb38 into release May 11, 2026
16 of 17 checks passed
@david-mendez1 david-mendez1 deleted the dlpx/pr/david-mendez1/8e98c745-0b63-4518-b34a-a6e03810a5e8 branch May 11, 2026 21:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@prakashsurya prakashsurya prakashsurya approved these changes

@lyriclake lyriclake lyriclake approved these changes

@sebroy sebroy Awaiting requested review from sebroy

@ShibasishDelphix ShibasishDelphix Awaiting requested review from ShibasishDelphix

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@david-mendez1 @prakashsurya @lyriclake