2026-05-12
Mitigation for the DirtyFrag kernel vulnerabilities on EKS nodes
#kubernetes #eks #security #cve
We rolled out mitigations for the two kernel vulnerabilities (“DirtyFrag”) covered in AWS security bulletin AWS-2026-027. Both allow an unprivileged process on a node to escalate privileges by triggering auto-load of specific kernel modules.
- CVE-2026-31431 — patched by bumping the EKS-optimised AMI to v20260505.
- CVE-2026-43284 — no patched AMI available yet, so we block the exploitation path at the kernel-module level through Karpenter’s EC2NodeClass user-data.
The user-data mitigation is temporary. As soon as AWS publishes an EKS-optimised AMI containing the patched kernel (>= 6.12.83-113.160.amzn2023, per ALAS-2026-1695), we will bump the AMI and then either remove the user-data block or keep it as defence-in-depth.
What changed
Worker nodes now ship a modprobe configuration that prevents the esp4, esp6, and rxrpc kernel modules from being loaded; these are the modules whose auto-load the DirtyFrag issues abuse. The mitigation is delivered through Karpenter’s EC2NodeClass user-data, so it applies to every new node provisioned in your clusters. Existing nodes are rotated to pick up the change; the rotation respects each node pool’s disruption budget.
What you need to do
Nothing. The change is rolled out automatically. Because the block also stops legitimate loads of these modules, workloads that rely on in-kernel IPsec (esp4/esp6) or AF_RXRPC sockets on the node would be affected; we scanned all clusters for active use of esp4, esp6, and rxrpc before the rollout and will reach out directly to any customer where we detected such usage to coordinate an exception.