How to Secure Your System Against the Dirty Frag Vulnerability: Step-by-Step Update Guide

Introduction

The Dirty Frag vulnerability has been a hot topic in Linux circles recently. This local privilege escalation (LPE) exploit, accidentally exposed to the public, caught many distributions off guard. Fortunately, a proper patch is now available in Linux kernel 7.0.6 and Linux 6.18.29 LTS. Fedora and Pop!_OS have already pushed their own fixes. This guide will walk you through updating your system to protect against Dirty Frag, whether you use Fedora, Pop!_OS, or are comfortable with manual kernel installation.

How to Secure Your System Against the Dirty Frag Vulnerability: Step-by-Step Update Guide
Source: itsfoss.com

What You Need

  • A Linux system running Fedora (version 42, 43, or 44) or Pop!_OS (22.04 or 24.04 LTS)
  • Root or sudo access
  • A stable internet connection
  • A recent backup of your important data (strongly recommended)
  • Basic familiarity with the terminal

Step-by-Step Instructions

Step 1: Identify Your Distribution and Version

Before applying the fix, confirm you're running a supported distribution. Open a terminal and run:

cat /etc/os-release

This shows your distro name and version. For this guide we cover Fedora and Pop!_OS. If you use another distro (e.g., Ubuntu), see the tips below for manual installation options.

Step 2: Back Up Your Data

Kernel updates are generally safe, but unexpected issues can arise. Back up important files to an external drive or cloud storage. Use tools like rsync or your distribution's backup utility.

Step 3: Update Your Package Repositories

For both Fedora and Pop!_OS, refresh the package list to ensure you receive the latest kernel:

  • Fedora: sudo dnf update
  • Pop!_OS: sudo apt update

Step 4: Apply the Kernel Update

The actual upgrade command depends on your distro:

For Fedora

After running sudo dnf update, check which kernel version is available. The patched kernel for Fedora 43/44 is 7.0.4-100.fc43 (note: Fedora 44 also uses this version; the team skipped 7.0.5 as the fix was already in 7.0.4). For Fedora 42, the fix comes in kernel 6.19.14-101. Confirm you see these versions, then run:

sudo dnf upgrade

When prompted, type Y to proceed. The system will download and install the new kernel along with any other updates.

For Pop!_OS

Pop!_OS LTS releases (22.04 and 24.04) receive the fix via apt. After sudo apt update, run:

sudo apt upgrade

This installs the patched kernel. Note: Pop!_OS has disabled the rxrpc module rather than patching it, while the esp4/esp6 modules are fixed and safe to re‑enable (though no action is needed).

Step 5: Reboot to Load the New Kernel

Once the update completes, reboot your system:

sudo reboot

After restarting, verify the new kernel is active:

uname -r

For Fedora, you should see 7.0.4-100.fc43.x86_64 (or similar for Fedora 42). For Pop!_OS, the version will be the updated LTS kernel (e.g., 6.19.14-101 or higher).

Step 6: Confirm the Patch Is Applied (Optional)

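To be extra sure, search the kernel package changelog for the CVE reference. /proc/version holds only the kernel version string and never mentions a CVE, so search the changelog itself:

  • Fedora: rpm -q --changelog kernel-core | grep 43500
  • Pop!_OS: zgrep 43500 /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz (if your kernel package ships a changelog there)

If the changelog records the fix, the output will mention the CVE. Alternatively, visit kernel.org and compare your kernel version to the patched release.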
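
A post-reboot check built on the versions quoted in this guide, as an added example that is not part of the original article: it classifies a uname -r string against the Fedora and upstream fix versions above and lists which of rxrpc, esp4 and esp6 are currently loaded. The function names and the three status words are assumptions made for the example; a kernel below the upstream number on a non-Fedora distro is reported as unverified because a vendor backport cannot be detected from the version string.

```sh
#!/bin/sh
# Added example: thresholds are the versions quoted in this guide;
# function names and status words are illustrative.

# ver_ge A B: true when version A >= B (relies on sort -V ordering).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# kernel_status RELEASE: prints fixed | unpatched | unverified.
kernel_status() {
    rel=$1
    case $rel in
        *.fc4[234]*)                 # Fedora build, e.g. 7.0.4-100.fc43.x86_64
            ver=${rel%%.fc*}         # -> 7.0.4-100
            case $ver in
                7.0.*)  min=7.0.4-100 ;;
                6.19.*) min=6.19.14-101 ;;
                *) echo unverified; return ;;
            esac
            if ver_ge "$ver" "$min"; then echo fixed; else echo unpatched; fi ;;
        *)                           # other kernels: compare with upstream fix releases
            ver=${rel%%-*}           # drop any distro suffix
            case $ver in
                7.0.*)  min=7.0.6 ;;
                6.18.*) min=6.18.29 ;;
                *) echo unverified; return ;;
            esac
            # Below the upstream number a vendor backport may still be present.
            if ver_ge "$ver" "$min"; then echo fixed; else echo unverified; fi ;;
    esac
}

# loaded_modules FILE: which of rxrpc/esp4/esp6 appear in a /proc/modules-format file.
loaded_modules() {
    [ -r "$1" ] || return 0
    awk '$1=="rxrpc" || $1=="esp4" || $1=="esp6" { printf "%s%s", s, $1; s=" " }
         END { print "" }' "$1"
}

echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
echo "loaded modules of interest: $(loaded_modules /proc/modules)"
```

An unverified result means the version string alone cannot settle the question; check your distribution's security advisory in that case.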

Tips for a Smooth Update

  • Backup first: Even though the update process is routine, backing up ensures you can recover from any rare failures.
  • Manual installation is riskier: If you're not on Fedora or Pop!_OS, you can download the kernel tarball from kernel.org and compile it manually. This is advanced and requires careful steps; we have a separate guide for Ubuntu users. Only proceed if you are comfortable with kernel compilation and have a full backup.
  • Check for further updates: Dirty Frag consisted of two CVEs. While this guide addresses CVE-2026-43500, ensure your distro has also patched the second CVE (likely included in the same update).
  • Re-enable modules carefully: Pop!_OS disabled rxrpc. Unless you need AF_RXRPC functionality, leave it disabled. The esp4/esp6 modules are safe to enable if needed, but verify with your distro's documentation.
  • Stay informed: Subscribe to your distribution's security announcements or check the National Vulnerability Database for official CVSS scores and details.