How to mitigate the "Dirty Frag" CVE-2026-43284, CVE-2026-43500, and "Fragnesia" CVE-2026-46300 in OpenShift 4

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

List of fixed versions

Red Hat will release OpenShift z-stream updates including patched kernels into the OpenShift Update Service as soon as those are available and have been through standard validation processes. The following versions already contains the fix for the different CVEs:

CVE-2026-43284

CVE-2026-43500

As explained in CVE-2026-43500, vulnerable code is not present in OpenShift 4 and RHEL 9.

CVE-2026-46300

Note: it could take some time to get the versions in the stable channel, but it is possible and supported to upgrade using the fast channel as explained in is switching between Openshift 4 update channels supported?

Please see Red Hat Security Bulletin RHSB-2026-003 for product errata information.

Mitigations

Red Hat is publishing mitigations to block access to the vulnerable kernel functions in advance of fully patched kernels.

The first mitigation cannot be applicable to clusters using IPsec. The second mitigation can be applied for clusters using and not using IPsec.

How to check if IPsec is in use?

Refer to the Diagnostic Steps section for cheking if IPsec is in use in specific cluster.

IMPORTANT: the validation is for the cluster exclusively. It is still possible to have workload level IPsec in the cluster. If there are workloads running that use IPsec, check with the third-party software vendor for mitigation details.

Note: SDN does not use IPsec. Therefore, if there are no application workloads using the module mentioned in the workaround, it is safe to apply the workaround on clusters using SDN for networking.

If IPsec is in use, only the eBPF Blocking Mechanism mitigation can be applied.

First mitigation (only if IPsec is not in use)

Note: this mitigation works by blacklisting the esp4, esp6, and rxrpc kernel modules. This will impact workloads that rely on those kernel modules. IPsec is a known workload that relies on related codepaths and will be impacted. There are currently no other known side-effects of this mitigation strategy, although there is the possibility it triggers false positives and inadvertently impacts valid workloads. Customers are advised to test this mitigation in a non-production cluster.
Node reboots will not be required for this mitigation. The mitigation can be removed after updating to the resolved z-stream release of OpenShift.

IMPORTANT: do not apply this mitigation if IPsec is in use (it is required to check not only the cluster but also the workloads).

Perform the following steps in order to apply the mitigation. User should have cluster-admin level permission to apply this.

1. Create a YAML file disable-dirtyfrag.yaml containing the following:

   apiVersion: v1
   kind: Namespace
   metadata:
     name: disable-dirtyfrag
   ---
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: disable-dirtyfrag
     namespace: disable-dirtyfrag
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: disable-dirtyfrag-privileged
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: system:openshift:scc:privileged
   subjects:
     - kind: ServiceAccount
       name: disable-dirtyfrag
       namespace: disable-dirtyfrag
   ---
   apiVersion: apps/v1
   kind: DaemonSet
   metadata:
     name: disable-dirtyfrag
     namespace: disable-dirtyfrag
     labels:
       app: disable-dirtyfrag
   spec:
     selector:
       matchLabels:
         app: disable-dirtyfrag
     template:
       metadata:
         labels:
           app: disable-dirtyfrag
       spec:
         serviceAccountName: disable-dirtyfrag
         nodeSelector:
           kubernetes.io/os: linux
         tolerations:
           - operator: Exists
         terminationGracePeriodSeconds: 1
         containers:
           - name: disable-modules
             image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
             command:
               - /bin/sh
               - "-c"
               - |
                 if grep -qs "esp4" /host/etc/modprobe.d/dirtyfrag.conf 2>/dev/null; then
                   echo "Modprobe config already present, skipping"
                 else
                   printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /host/etc/modprobe.d/dirtyfrag.conf
                   echo "Created /etc/modprobe.d/dirtyfrag.conf"
                 fi
                 for mod in esp4 esp6 rxrpc; do
                   if chroot /host grep -q "^${mod} " /proc/modules 2>/dev/null; then
                     if chroot /host modprobe -r "${mod}" 2>/dev/null; then
                       echo "Unloaded ${mod}"
                     else
                       echo "WARNING: could not unload ${mod} (may be in use, reboot required)"
                     fi
                   else
                     echo "OK: ${mod} was not loaded"
                   fi
                 done
                 echo "=== result ==="
                 PROTECTED=true
                 for mod in esp4 esp6 rxrpc; do
                   if chroot /host grep -q "^${mod} " /proc/modules 2>/dev/null; then
                     echo "WARNING: ${mod} is still loaded, reboot node to complete mitigation"
                     PROTECTED=false
                   fi
                 done
                 if [ "${PROTECTED}" = "true" ]; then
                   echo "Node is protected"
                 fi
                 sleep infinity
             lifecycle:
               preStop:
                 exec:
                   command:
                     - /bin/sh
                     - "-c"
                     - "rm -f /host/etc/modprobe.d/dirtyfrag.conf"
             securityContext:
               privileged: true
             volumeMounts:
               - name: host-root
                 mountPath: /host
         volumes:
           - name: host-root
             hostPath:
               path: /
   

Note 1: if the cluster is a Red Hat-managed cluster, i.e. OSD, ROSA Classic, ROSA HCP or ARO, then add the following to the node selector section, since Red Hat has already applied the mitigation to the cluster control plane:

       node-role.kubernetes.io/worker: ""

Note 2: if the cluster does not have the internal image registry, the image image-registry.openshift-image-registry.svc:5000/openshift/cli:latest will not work in daemonset disable-dirtyfrag.yaml. Use the cluster's release image instead, which can be retrieved with:

$ oc get -o 'jsonpath={.status.desired.image}{"\n"}' clusterversion version

2. Apply the YAML file to cluster

   $ oc apply -f disable-dirtyfrag.yaml
   

3. Check the pod logs to confirm that the kernel modules were unloaded

   $ oc logs -n disable-dirtyfrag -l app=disable-dirtyfrag
   

   Expected output:

   Created /etc/modprobe.d/dirtyfrag.conf
   OK: esp4 was not loaded
   OK: esp6 was not loaded
   OK: rxrpc was not loaded
   === result ===
   Node is protected
   

Removing the first mitigation

In order to remove the mitigation, please update to the version containing the fix. Please check the "List of fixed versions".

Once the cluster is updated to a version that includes the fix, to remove the mitigation it will be enough to remove the DaemonSet and the Namespace created.

Note: if it was applied an old version of the mitigation that does not include the preStop lifecycle, it will be needed to delete the /host/etc/modprobe.d/dirtyfrag.conf from the nodes. It is possible to update the DaemonSet with the current one described above, and then deleting it will delete the file via the preStop.

eBPF Blocking Mechanism (applicable also for clusters using IPsec)

If IPSec is in use, it is possible to leverage an updated version of Red Hat's original block-copyfail eBPF DaemonSet to block access to vulnerable functions. This DaemonSet will block Copy Fail and Dirty Frag in all pods. In order to preserve OpenShift IPSec functionality it only blocks "Fragnesia" from unprivileged pods. Privileged and host namespace pods remain a viable attack surface and as a result we recommend updating as soon as patches are available.

• As a cluster admin, create the Namespace, RBAC, and DaemonSet from daemonset.yaml:

  $ oc apply -f https://raw.githubusercontent.com/openshift/block-copyfail/f3aedc3db264f10980dfa12586d64b67f44b1518/daemonset.yaml
  namespace/openshift-cve-mitigations created
  rolebinding.rbac.authorization.k8s.io/system:openshift:scc:privileged created
  daemonset.apps/kernel-ebpf-lsm-loader created
  

• Verify DaemonSet READY status matches the node count in the cluster:

  $ oc get -n openshift-cve-mitigations daemonset.apps/kernel-ebpf-lsm-loader
  NAME                             DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
  kernel-ebpf-lsm-loader   6         6         6       6            6           <none>          19s
  
  $ oc get nodes -o name | wc -l
  6