{"uuid": "6b67825a-dc2d-4543-a253-3e059d70c686", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/xc78xsgzsd-droid/7bb632be2e3e341b4e8b4cc79deac739", "content": "#!/bin/sh\n# ============================================================\n# DirtyFrag Vulnerability Checker\n# CVE-2026-43284 (xfrm/ESP) + CVE-2026-43500 (rxrpc)\n# Disclosed: 2026-05-07 | No patch available yet\n# ============================================================\n\nRED='\\033[0;31m'; YEL='\\033[1;33m'; GRN='\\033[0;32m'\nBLD='\\033[1m'; RST='\\033[0m'\n\nok()   { printf \"${GRN}[OK]${RST}     %s\\n\" \"$1\"; }\nwarn() { printf \"${YEL}[WARN]${RST}   %s\\n\" \"$1\"; }\nvuln() { printf \"${RED}[VULN]${RST}   %s\\n\" \"$1\"; }\ninfo() { printf \"         %s\\n\" \"$1\"; }\n\necho\nprintf \"${BLD}=== DirtyFrag Vulnerability Check ===${RST}\\n\"\nprintf \"    CVE-2026-43284 (ESP/xfrm) + CVE-2026-43500 (rxrpc)\\n\"\nprintf \"    Kernel: %s\\n\\n\" \"$(uname -r)\"\n\nVULN_COUNT=0\n\n# \u2500\u2500 1. Mitigation already in place? \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[1] Modprobe blacklist (/etc/modprobe.d/dirtyfrag.conf)${RST}\\n\"\nif [ -f /etc/modprobe.d/dirtyfrag.conf ] || \\\n   grep -rq 'install esp4 /bin/false' /etc/modprobe.d/ 2&gt;/dev/null; then\n    ok \"Blacklist found \u2013 modules blocked from loading\"\n    MITIGATED=1\nelse\n    warn \"No blacklist found\"\n    MITIGATED=0\nfi\necho\n\n# \u2500\u2500 2. Vulnerable modules currently loaded? 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[2] Loaded kernel modules (esp4 / esp6 / rxrpc)${RST}\\n\"\nfor MOD in esp4 esp6 rxrpc; do\n    if lsmod 2>/dev/null | grep -q \"^${MOD} \"; then\n        vuln \"Module '${MOD}' is currently LOADED\"\n        VULN_COUNT=$((VULN_COUNT + 1))\n    else\n        ok \"Module '${MOD}' not loaded\"\n    fi\ndone\necho\n\n# \u2500\u2500 3. Modules available on disk? \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[3] Module files available on disk${RST}\\n\"\nKVER=$(uname -r)\nfor MOD in esp4 esp6 rxrpc; do\n    FOUND=$(find /lib/modules/${KVER} -name \"${MOD}.ko\" -o -name \"${MOD}.ko.xz\" \\\n                                     -o -name \"${MOD}.ko.zst\" 2>/dev/null | head -1)\n    if [ -n \"$FOUND\" ]; then\n        if [ \"$MITIGATED\" -eq 1 ]; then\n            warn \"Module '${MOD}' exists on disk (but loading is blocked)\"\n            info \"\u2192 $FOUND\"\n        else\n            vuln \"Module '${MOD}' exists and CAN be auto-loaded\"\n            info \"\u2192 $FOUND\"\n            VULN_COUNT=$((VULN_COUNT + 1))\n        fi\n    else\n        ok \"Module '${MOD}' not found on disk\"\n    fi\ndone\necho\n\n# \u2500\u2500 4. 
User namespace creation (xfrm/ESP exploit path) \u2500\u2500\u2500\u2500\nprintf \"${BLD}[4] Unprivileged user namespaces (CVE-2026-43284 path)${RST}\\n\"\nUSERNS=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)\nif [ \"$USERNS\" = \"0\" ]; then\n    ok \"user.max_user_namespaces = 0 (xfrm/ESP exploit path blocked)\"\nelse\n    USERNS=${USERNS:-\"unknown\"}\n    warn \"user.max_user_namespaces = ${USERNS} (ESP exploit path reachable)\"\n    info \"\u2192 Ubuntu: check AppArmor profile for namespace restriction\"\nfi\n\n# AppArmor namespace restriction (Ubuntu)\nif [ -f /sys/kernel/security/apparmor/profiles ]; then\n    if grep -q 'unprivileged_userns' /sys/kernel/security/apparmor/profiles 2>/dev/null || \\\n       [ -f /etc/apparmor.d/tunables/userns ]; then\n        ok \"AppArmor namespace restriction detected (Ubuntu-style mitigation)\"\n    fi\nfi\necho\n\n# \u2500\u2500 5. rxrpc-specific check \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[5] rxrpc path (CVE-2026-43500 \u2013 no namespace needed)${RST}\\n\"\nif lsmod 2>/dev/null | grep -q '^rxrpc '; then\n    vuln \"rxrpc is loaded \u2013 exploit path requires NO namespace privilege\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelif find /lib/modules/${KVER} -name 'rxrpc.ko*' 2>/dev/null | grep -q .; then\n    if [ \"$MITIGATED\" -eq 1 ]; then\n        ok \"rxrpc available but loading is blacklisted\"\n    else\n        vuln \"rxrpc module present and loadable (no namespace needed to exploit)\"\n        VULN_COUNT=$((VULN_COUNT + 1))\n    fi\nelse\n    ok \"rxrpc module not present on this system\"\nfi\necho\n\n# \u2500\u2500 6. 
Page cache integrity hint \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[6] Page cache integrity check (exploit IOC)${RST}\\n\"\nPASSWD_SIZE=$(stat -c%s /etc/passwd 2>/dev/null)\nSHADOW_SIZE=$(stat -c%s /etc/shadow 2>/dev/null)\nif [ -n \"$PASSWD_SIZE\" ] && [ \"$PASSWD_SIZE\" -lt 50 ]; then\n    vuln \"/etc/passwd suspiciously small (${PASSWD_SIZE} bytes) \u2013 possible tampering!\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelse\n    ok \"/etc/passwd size appears normal (${PASSWD_SIZE} bytes)\"\nfi\n\n# Check for unexpected root entries (new UID 0 lines)\nROOT_ENTRIES=$(grep -c ':0:' /etc/passwd 2>/dev/null)\nif [ \"$ROOT_ENTRIES\" -gt 2 ]; then\n    vuln \"Multiple UID-0 entries in /etc/passwd (${ROOT_ENTRIES}) \u2013 check for backdoor!\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelse\n    ok \"No unexpected UID-0 entries in /etc/passwd\"\nfi\necho\n\n# \u2500\u2500 Summary \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}=== Summary ===${RST}\\n\"\nKERNEL_YEAR=$(uname -r | grep -oE '^[0-9]+' )\nif [ \"$KERNEL_YEAR\" -ge 4 ] 2>/dev/null; then\n    info \"Kernel $(uname -r) is in the affected range (since Jan 2017)\"\nelse\n    info \"Kernel $(uname -r) \u2013 age unclear, manual review recommended\"\nfi\n\nif [ \"$MITIGATED\" -eq 1 ] && [ \"$VULN_COUNT\" -eq 0 ]; then\n    printf \"\\n${GRN}${BLD}[RESULT] Mitigation applied \u2013 system appears protected${RST}\\n\"\n    info \"\u2192 Revert /etc/modprobe.d/dirtyfrag.conf once a patched kernel is installed\"\nelif [ \"$VULN_COUNT\" -eq 0 ]; then\n    printf \"\\n${YEL}${BLD}[RESULT] No active modules loaded, but no 
blacklist in place${RST}\\n\"\n    info \"\u2192 Modules can still be auto-loaded. Apply mitigation to be safe.\"\nelse\n    printf \"\\n${RED}${BLD}[RESULT] SYSTEM LIKELY VULNERABLE (${VULN_COUNT} issue(s) found)${RST}\\n\"\n    info \"\u2192 Apply mitigation immediately (unless you use IPsec/kAFS):\"\n    printf \"\\n\"\n    printf '    sudo sh -c \"printf '\"'\"'install esp4 /bin/false\\ninstall esp6 /bin/false\\ninstall rxrpc /bin/false\\n'\"'\"' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true\"\\n'\n    printf \"\\n\"\n    info \"\u2192 Optionally drop page cache afterwards:\"\n    info \"  sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'\"\nfi\necho\n", "creation_timestamp": "2026-05-08T12:08:27.000000Z"}