Linux kernels since ~4.14 expose a page-cache write primitive via the
IPsec (XFRM) and RxRPC subsystems. Any local user who can open
socket(AF_NETLINK, NETLINK_XFRM) or
socket(AF_RXRPC) has the gateway. Watch the attack surface
open, then watch two surgical socket_rules close it.

Blocks socket(AF_RXRPC, …) for every process in the
session. RxRPC is the kernel subsystem behind
CVE-2026-43500’s page-cache write primitive.
AI agent workloads almost never need RxRPC — blocking it is
zero-cost in practice.

Blocks socket(AF_NETLINK, …, NETLINK_XFRM)
only. NETLINK_XFRM is the IPsec key-management interface
behind CVE-2026-43284. All other
AF_NETLINK protocols — ROUTE, GENERIC, AUDIT,
KOBJECT_UEVENT — remain open, so ip, ss
and udev are unaffected.

Why action: errno? The socket() call fails with
EAFNOSUPPORT — identical to what a process would see if
the kernel module were simply not loaded. No crash, no kill signal.
Compare with the system-level workaround (modprobe -r rxrpc esp4 esp6),
which removes entire kernel facilities. These two rules remove only the
specific socket interfaces the exploit needs, scoped to the processes the
agentsh daemon supervises.

Docker’s default seccomp profile is disabled so the raw kernel surface is
visible. Both DirtyFrag gateway sockets open as uid=1000(alice).
The control socket NETLINK_ROUTE also opens — it would
in any case; the point is that XFRM is open alongside it.

The two socket_rules close both attack-surface sockets with
EAFNOSUPPORT. NETLINK_ROUTE stays open —
the rule is surgical. The raw-syscall check (step 3) proves the block
fires at the kernel boundary, not just in the libc wrapper.

The dirtyfrag-conservative mitigation expands to the two
advisory-specific socket rules: AF_RXRPC and
AF_NETLINK with protocol NETLINK_XFRM. It keeps normal
AF_NETLINK protocols such as route and generic netlink available.
The demo above uses equivalent explicit rules with action: errno;
the built-in mitigation set uses action: log_and_kill.
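A verification probe in the spirit of the raw-syscall check described above, added here as an example and not taken from agentsh or the demo itself: it issues socket(2) through syscall(2) for the two gateway sockets and the NETLINK_ROUTE control, then reports whether the surgical policy is in effect. The names probe and verdict are this example's own, and the RxRPC arguments (SOCK_DGRAM, AF_INET) are assumed from the kernel's RxRPC documentation rather than from this page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef AF_RXRPC
#define AF_RXRPC 33   /* Linux UAPI value, for libcs that omit it */
#endif
#define NL_ROUTE 0    /* NETLINK_ROUTE */
#define NL_XFRM  6    /* NETLINK_XFRM */

/* socket(2) via syscall(2), bypassing the libc wrapper.
 * Returns 0 if the socket opened (and closes it), otherwise errno. */
static int probe(int domain, int type, int proto)
{
    long fd = syscall(SYS_socket, domain, type, proto);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
}

/* Verdict over the three probe results (names are this example's own):
 * 0 = both gateway sockets refused with EAFNOSUPPORT, NETLINK_ROUTE open
 * 1 = a gateway socket still opens
 * 2 = refused some other way, or NETLINK_ROUTE refused too */
static int verdict(int rxrpc, int xfrm, int route)
{
    if (rxrpc == 0 || xfrm == 0)
        return 1;
    if (rxrpc == EAFNOSUPPORT && xfrm == EAFNOSUPPORT && route == 0)
        return 0;
    return 2;
}

int main(void)
{
    int rxrpc = probe(AF_RXRPC, SOCK_DGRAM, AF_INET);
    int xfrm  = probe(AF_NETLINK, SOCK_RAW, NL_XFRM);
    int route = probe(AF_NETLINK, SOCK_RAW, NL_ROUTE);
    static const char *msg[] = { "mitigated", "EXPOSED", "inconclusive" };

    printf("AF_RXRPC=%d NETLINK_XFRM=%d NETLINK_ROUTE=%d (0 = opened)\n",
           rxrpc, xfrm, route);
    printf("verdict: %s\n", msg[verdict(rxrpc, xfrm, route)]);
    return verdict(rxrpc, xfrm, route);
}
```

The verdict keys on EAFNOSUPPORT, so it matches the demo's action: errno rules; the built-in set uses action: log_and_kill instead, and this errno-based check does not describe that case.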