Linux Dirty Frag Vulnerability and Security Updates from SANS Internet Storm Center

On May 11, 2026, the SANS Internet Storm Center reported a new Linux privilege escalation vulnerability named "Dirty Frag," affecting distributions dating back to 2017. The flaw requires two vulnerable kernel modules—RPCRX (used in file systems like AFS) and either ESP4 or ESP6 (part of IPsec)—to be present for exploitation. Disabling or unloading the ESP modules is suggested as a mitigation, particularly for systems not using IPsec. Researchers at Flare also highlighted how Pluggable Authentication Modules (PAM) in Linux can be manipulated to introduce backdoors or capture SSH passwords, though this risk is mitigated by using SSH key authentication. cPanel released an update fixing three vulnerabilities, including an arbitrary code execution flaw requiring elevated privileges, with no urgent patching required. Let's Encrypt temporarily halted certificate issuance due to a cross-signing issue during a migration from "generation X" to "generation Y" of their environment, with a full switchover scheduled for May 13, 2026. The incident did not affect primary certificate issuance but impacted staging and experimental environments.