
Dirty Frag Vulnerabilities Expose Critical Flaws in Network Stack Implementations Across Multiple Operating Systems
security, vulnerability, CVE, network, Linux, Windows, BSD, remote-code-execution, denial-of-service, IP-fragmentation
Two critical vulnerabilities, CVE-2026-43284 and CVE-2026-43500, collectively named "Dirty Frag," were disclosed in the network stack implementations of multiple operating systems. The flaws stem from improper handling of IP fragments and allow unauthenticated remote attackers to execute arbitrary code or cause denial-of-service conditions. The vulnerabilities affect Linux kernels (versions prior to 6.8.12), Windows Server (2019 and 2022), and certain BSD-derived systems. No exploitation in the wild has been confirmed, but proof-of-concept exploits exist. The issues were identified by security researcher Marc-Frédéric Gomez and publicly documented in mid-2026.