{"uuid": "2d295cf9-75fd-4e2c-879f-bc63061f6a8a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/cve_2026_43500_dirty_frag.rb", "content": "{\"actions\": [], \"aliases\": [], \"arch\": \"cmd\", \"author\": [\"Hyunwoo Kim\", \"Giovanni Heward\"], \"autofilter_ports\": [], \"autofilter_services\": [], \"check\": true, \"default_credential\": false, \"description\": \"CVE-2026-43500 exploits a memory-corruption vulnerability in the Linux kernel's RxRPC\\n          authentication subsystem (rxkad). When a crafted DATA packet is delivered to an AF_RXRPC\\n          socket configured with an attacker-controlled rxkad session key, the kernel's\\n          rxkad_verify_packet_1() function performs an in-place 8-byte pcbc(fcrypt) decryption\\n          directly on the page-cache page referenced by the splice offset. Because the decryption\\n          mutates the page in-place without marking it dirty, the corrupted in-memory view is\\n          immediately visible to all processes reading from the page cache. This allows a local\\n          attacker to corrupt the in-memory contents of a SUID binary and escalate privileges to root.\", \"disclosure_date\": \"2026-05-08\", \"fullname\": \"exploit/linux/local/cve_2026_43500_dirty_frag\", \"is_install_path\": true, \"mod_time\": \"2026-05-21 11:49:08 +0000\", \"name\": \"rxkad Page-Cache Write via CVE-2026-43500\", \"needs_cleanup\": true, \"notes\": {\"Reliability\": [\"repeatable-session\"], \"SideEffects\": [\"artifacts-on-disk\"], \"Stability\": [\"crash-os-down\"]}, \"path\": \"/modules/exploits/linux/local/cve_2026_43500_dirty_frag.rb\", \"platform\": \"Linux,Unix\", \"post_auth\": false, \"rank\": 400, \"ref_name\": \"linux/local/cve_2026_43500_dirty_frag\", \"references\": [\"CVE-2026-43500\", \"URL-https://github.com/V4bel/dirtyfrag\"], \"rport\": null, \"session_types\": [\"shell\", \"meterpreter\"], \"targets\": [\"Auto\"], \"type\": \"exploit\"}", "creation_timestamp": "2026-05-21T10:50:23.000000Z"}