Date: May 9, 2026
Severity: CRITICAL (10.0/10.0)
Dear Valued Customer,
We are issuing this urgent advisory regarding several critical vulnerabilities discovered within the last 48 hours that affect nearly all Linux-based servers and cPanel/WHM installations. Due to the high reliability of these exploits and active reports of "in-the-wild" attacks, immediate action is required for all self-managed servers.
This is a high-reliability Local Privilege Escalation (LPE) flaw. Unlike traditional bugs that rely on luck or timing, "Dirty Frag" uses deterministic logic to allow any low-privileged user (like a web-shell or compromised SSH account) to gain full root access instantly.
A critical flaw (CVSS 9.8) allows remote, unauthenticated attackers to bypass the cPanel/WHM login screen entirely. An attacker can gain administrative control over the server without needing a username or password.
If you manage your own VPS or Dedicated server, please log in as root via SSH and execute the following commands immediately.
Run the one-liner for your OS to blacklist vulnerable modules and flush the memory cache.
For AlmaLinux, RHEL, Rocky Linux, or CentOS:
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf && rmmod esp4 esp6 rxrpc 2>/dev/null; sync; echo 3 > /proc/sys/vm/drop_caches"
For Ubuntu or Debian:
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf && rmmod esp4 esp6 rxrpc 2>/dev/null; update-initramfs -u; sync; echo 3 > /proc/sys/vm/drop_caches"
Force an update to version 136.0.7 or higher to patch the authentication bypass.
/scripts/upcp --force
Managed customers: No action is required. VPN users: This mitigation disables IPsec. Contact support for alternatives if you use VPN services.
