{"uuid": "a89a0c0a-76af-4b13-a9ad-f64ad5a1bd49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/bykvaadm/7bb8937ebc4f0485fea26fa27af4c522", "content": "  - name: Mitigate DirtyFrag (CVE-2026-43284 / CVE-2026-43500)\n    hosts: all\n    become: true\n    tasks:\n      - name: Caveats\n        debug:\n          msg: |\n            WARNING:\n            - esp4/esp6: if an IPsec VPN is in use (strongSwan, Libreswan, etc.),\n              disabling them will break the tunnels. In that case, wait for the kernel patch.\n            - rxrpc: used only for AFS/Kerberos; safe to disable in most\n              infrastructures.\n            - CVE-2026-43500 (rxrpc) is not patched yet; blocking the module is\n              the only protection until the kernel patch is released.\n            - After DirtyFrag exploitation the page cache is polluted; a\n              drop cache or reboot is required.\n\n      - name: Blacklist vulnerable modules\n        copy:\n          dest: /etc/modprobe.d/dirtyfrag-mitigation.conf\n          content: |\n            install esp4 /bin/false\n            install esp6 /bin/false\n            install rxrpc /bin/false\n            blacklist esp4\n            blacklist esp6\n            blacklist rxrpc\n\n      - name: Unload modules if loaded\n        modprobe:\n          name: \"{{ item }}\"\n          state: absent\n        loop: [esp4, esp6, rxrpc]\n        failed_when: false\n        when: ansible_facts.get('virtualization_type') != 'container'\n\n      - name: Verify modules not loaded\n        shell: lsmod | grep -E '^(esp4|esp6|rxrpc)\\s'\n        register: check\n        failed_when: check.rc == 0\n        changed_when: false\n        when: ansible_facts.get('virtualization_type') != 'container'", "creation_timestamp": "2026-05-08T13:41:26.000000Z"}