
Security ID: QSA-26-17

Local Privilege Escalation Vulnerability in Linux Kernel ("Dirty Frag")


  • Release date: May 11, 2026

  • CVE identifier: CVE-2026-43284, CVE-2026-43500

  • Not affected products:
    The following are not vulnerable to CVE-2026-43284:
    Specific QNAP ARM-based NAS models running Linux Kernel 4.2.

  • Affected products:
    The following product lines are confirmed to be affected by CVE-2026-43284:
    All QNAP x86-based NAS models
    All QNAP ARM64-based NAS models
    All QuTS hero NAS models
    All QuTScloud NAS instances

Severity

Moderate

Status

Investigating


Summary

A local privilege escalation vulnerability, colloquially known as "Dirty Frag" (CVE-2026-43284), has been reported to affect the Linux kernel. If exploited, this vulnerability allows an authenticated local user with standard privileges to bypass security restrictions and gain elevated system (root) permissions.

QNAP has confirmed that CVE-2026-43284 affects the majority of QNAP operating systems. However, our investigation confirms that QNAP products are NOT affected by CVE-2026-43500.

Affected Products

The following products are confirmed to be affected by CVE-2026-43284:

  • All QNAP x86-based NAS models
  • All QNAP ARM64-based NAS models
  • All QuTS hero NAS models
  • All QuTScloud NAS instances

Products Not Affected

The following are NOT vulnerable to CVE-2026-43284:

  • Specific QNAP ARM-based NAS models running Linux Kernel 4.2.

Tip

To verify your NAS architecture and kernel version, log in to QTS/QuTS hero or consult the technical specifications at: https://www.qnap.com/go/release-notes/kernel

Recommendation

At this time, there is no official patch available for the Linux kernel "Dirty Frag" vulnerability. QNAP is working on a fix and strongly recommends that users apply security updates immediately once they are released.

Mitigation Strategies

To minimize the risk of exploitation on your devices, QNAP recommends the following interim security measures:

  • Restrict Shell Access: Revoke SSH or Telnet terminal permissions for all non-administrator accounts.
  • Container Security: Deploy only trusted images within Container Station and avoid running containers with "Privileged" mode enabled.
  • Minimize Attack Surface: Disable unused services, such as the Web Server, and uninstall non-essential third-party applications.
  • Network Isolation: Ensure your NAS is not directly exposed to the internet. Utilize QuFirewall or a VPN to restrict access to trusted internal networks only.
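
One way to check the Container Security measure above is to audit container settings for privileged mode and untrusted image sources. This is an added example, not QNAP code; it assumes the containers are Docker containers reachable with the `docker` CLI, and the trusted registry prefix and sample containers are constructed placeholders.

```python
import json
import subprocess
import sys

# Assumption: image prefixes your site treats as trusted (hypothetical value).
TRUSTED_PREFIXES = ("registry.example.internal/",)

# Constructed sample in the shape of `docker inspect` output, not real data.
SAMPLE = json.dumps([
    {"Name": "/media-indexer",
     "Config": {"Image": "registry.example.internal/media-indexer:2.1"},
     "HostConfig": {"Privileged": True}},
    {"Name": "/scratch-tool",
     "Config": {"Image": "docker.io/someuser/tool:latest"},
     "HostConfig": {"Privileged": False}},
    {"Name": "/backup-agent",
     "Config": {"Image": "registry.example.internal/backup-agent:1.4"},
     "HostConfig": {"Privileged": False}},
])


def audit(inspect_json, trusted_prefixes=TRUSTED_PREFIXES):
    """Return (name, image, reasons) for containers that go against the guidance."""
    findings = []
    for container in json.loads(inspect_json):
        host = container.get("HostConfig") or {}
        image = (container.get("Config") or {}).get("Image", "")
        reasons = []
        if host.get("Privileged"):
            reasons.append("privileged mode enabled")
        if not image.startswith(tuple(trusted_prefixes)):
            reasons.append("image not on trusted list")
        if reasons:
            findings.append((container.get("Name", "").lstrip("/"), image, reasons))
    return findings


def inspect_all():
    """Collect `docker inspect` JSON for every container, running or stopped."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    ids = run("docker", "ps", "-aq").split()
    return run("docker", "inspect", *ids) if ids else "[]"


if __name__ == "__main__":
    # Pass --sample to run against the constructed data instead of a live host.
    data = SAMPLE if "--sample" in sys.argv else inspect_all()
    for name, image, reasons in audit(data):
        print(f"{name}\t{image}\t{'; '.join(reasons)}")
```

Each output line names a container to recreate without privileged mode or to replace with an image from a trusted source.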

Revision history: V1.0 (May 11, 2026) - Published
