CVE-2026-43284
Severity: HIGH (exploited)
xfrm: esp: avoid in-place decrypt on shared skb frags
Title source: CNA
Exploitation Summary
CVE-2026-43284 has been observed exploited in the wild (reported by VulnCheck KEV).
EIP tracks 45 public exploits from researchers including nu11secur1ty, ochebotar and Percivalll, among them a Metasploit module, exploits/linux/local/cve_2026_43284_dirty_frag.
AI-analyzed exploit summary: The document describes a Linux kernel local privilege escalation (LPE) exploit chain involving three CVEs (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) that manipulate page-cache writes and memory corruption. It provides a high-level overview of the attack flow, affected systems, and references external links for the exploit code and demo.
Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy.

The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
Exploits (45)
The document describes a Linux kernel local privilege escalation (LPE) exploit chain involving three CVEs (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) that manipulate page-cache writes and memory corruption. It provides a high-level overview of the attack flow, affected systems, and references external links for the exploit code and demo.
The document describes a local privilege escalation (LPE) exploit chain targeting the Linux kernel's page-cache management, leveraging CVE-2026-43284 (xfrm-ESP) and CVE-2026-43500 (RxRPC) to achieve arbitrary writes and in-place decryption. It provides a high-level overview of the vulnerability chain, affected systems, and execution flow but lacks actual exploit code.
This repository provides a detection toolkit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `algif_aead` module. It includes scripts and configurations for scanning systems, checking kernel versions, module states, and mitigations without exploiting the vulnerability.
This repository contains a functional proof-of-concept exploit for CVE-2026-43284, demonstrating a Kubernetes container escape via the Dirty Frag Linux kernel page-cache corruption vulnerability. The exploit targets shared container image layers to achieve node-level code execution on Amazon EKS.
The repository contains a functional exploit for CVE-2026-43284, leveraging a Linux kernel vulnerability in the XFRM subsystem (DirtyFrag) to achieve local privilege escalation (LPE). The exploit includes detailed checks for kernel configuration, user namespace availability, and setuid binary targeting, followed by a crafted payload to overwrite memory and escalate privileges.
This repository contains a functional exploit for CVE-2026-43284, a Linux kernel local privilege escalation vulnerability in the xfrm-ESP page-cache write mechanism. The exploit leverages splice operations to manipulate page cache entries, achieving arbitrary write primitives to escalate privileges.
This repository contains a bash script that checks for the presence of vulnerabilities related to CVE-2026-43284 and CVE-2026-43500 in Linux kernels. It inspects kernel versions, module states, and applied mitigations but does not include exploit code.
This repository provides a detailed technical analysis of CVE-2026-43284 (Dirty Frag), covering root cause analysis, exploit flow, and shellcode breakdown for a Linux kernel local privilege escalation vulnerability.
This repository contains detailed audit logs and system information related to CVE-2026-43284, demonstrating the exploitation of a vulnerability in auditd. The logs show privilege escalation from a user to root via sudo, with extensive auditd tracking of syscalls and file accesses.
This repository contains a functional exploit for CVE-2026-43284, which leverages a vulnerability in the Linux kernel's XFRM subsystem to achieve local privilege escalation (LPE). The exploit corrupts the `/usr/bin/su` binary by overwriting it with a malicious ELF payload, granting root access.
This repository contains a functional exploit for CVE-2026-43284, leveraging a Linux kernel vulnerability in the XFRM subsystem to achieve local privilege escalation (LPE). The exploit corrupts the `/usr/bin/su` binary by overwriting it with a malicious ELF payload, granting root access.
This repository contains a functional exploit for CVE-2026-43284, leveraging ESP/XFRM and RxRPC vulnerabilities to achieve local privilege escalation (LPE) by overwriting the `/usr/bin/su` binary or patching `/etc/passwd`. The exploit uses kernel page-cache write primitives via in-place decryption triggered by crafted network packets.
The repository contains minimal content with no actual exploit code or technical details. The README is empty, and the Python file is also empty, indicating a potential lure for external downloads or monetization.
This repository contains a technical analysis of CVE-2026-43284, focusing on a fragmentation-based vulnerability. It includes detailed screenshots and diagrams of network traffic analysis, Suricata IDS logs, and ELK stack visualizations, but lacks actual exploit code.
This repository contains a functional exploit for CVE-2026-43284, a Linux kernel privilege escalation vulnerability. The exploit leverages the Dirty Frag vulnerability to overwrite the `/usr/bin/su` binary with a malicious ELF payload, achieving root privileges.
This repository contains a Go-based tool that mitigates CVE-2026-43500 and CVE-2026-43284 by disabling vulnerable kernel modules (esp4, esp6, rxrpc) and applying kernel updates. It includes functionality to detect vulnerable modules, apply hotfixes, and clean up artifacts post-update.
This repository contains a functional exploit for CVE-2026-43284, a local privilege escalation vulnerability in the Linux kernel's IPsec ESP in-place decryption. The exploit corrupts the `/usr/bin/su` binary to achieve root access by leveraging unprivileged user namespaces and XFRM netlink socket manipulation.
This repository contains a functional Go-based exploit for CVE-2026-43284, leveraging ESP/XFRM and RxRPC vulnerabilities to achieve local privilege escalation (LPE). The exploit overwrites the page-cache of `/usr/bin/su` with a root-shell ELF or patches `/etc/passwd` to gain root access.
This repository provides a detailed technical analysis and reproduction steps for the Dirty Frag exploit chain (CVE-2026-43284 and CVE-2026-43500), including detection engineering, incident response, and mitigation strategies. It documents the exploitation process on Kali Linux 2026.1 and includes auditd, Sigma, and YARA rules for detection.
This repository contains a functional proof-of-concept exploit for CVE-2026-43284, a local privilege escalation vulnerability in the Linux kernel affecting the IPsec ESP input path. The exploit leverages page cache corruption via syscalls like splice(2) and sendmsg(2) to achieve root access.
The repository claims to provide a mitigation tool for CVE-2026-43284 but lacks actual exploit code. Instead, it directs users to download a binary from an external source (bit.ly), which is a common tactic for distributing malware or fake exploits.
This repository contains a functional exploit for CVE-2026-43284, leveraging an xfrm/ESP page cache write vulnerability to achieve local privilege escalation by overwriting a setuid binary with a root shell ELF. The exploit uses XFRM SAs with crafted ESN seq_hi values to corrupt memory via UDP encapsulation.
This repository contains a diagnostic tool for CVE-2026-43284, a local privilege escalation vulnerability in the Linux kernel's xfrm-ESP subsystem. The tool tests whether an unprivileged process can engage the esp4 in-place decryption engine via the XFRM netlink interface inside a user namespace, which is the necessary precondition for exploitation.
This repository contains a functional exploit for CVE-2026-43284, leveraging a vulnerability in the Linux kernel's XFRM subsystem to achieve local privilege escalation. The exploit uses crafted netlink messages to manipulate XFRM state and overwrite the `/usr/bin/su` binary with a malicious ELF payload, granting root access.
This repository contains a Go-based mitigation tool for CVE-2026-43500 and CVE-2026-43284, which disables vulnerable kernel modules (esp4, esp6, rxrpc) and applies system-level mitigations. It includes build scripts and CI/CD workflows for automated compilation and release.
This repository contains a functional proof-of-concept exploit for CVE-2026-43284, a Linux kernel vulnerability in the xfrm ESP path that allows local privilege escalation via page cache corruption. The exploit uses splice() and SPLICE_F_MOVE to manipulate file-backed pages, leading to in-memory corruption of executables like /usr/bin/su.
This repository contains a functional exploit for CVE-2026-43284, a Linux kernel vulnerability in the xfrm-ESP module that allows local privilege escalation (LPE). The exploit chains CVE-2026-43284 with CVE-2026-43500 (RxRPC Page-Cache Write) to achieve root access on major Linux distributions.
This repository contains a Python-based detection script for CVE-2026-43284 and CVE-2026-43500, which are Linux kernel vulnerabilities in IPsec ESP and RxRPC subsystems. The script checks for vulnerable kernel versions, patch status, module availability, and mitigation measures without exploiting the vulnerabilities.
The repository contains only a README.md file with minimal information, mentioning CVE-2026-43284 and CVE-2026-43500 without any exploit code, technical details, or additional context.
This repository contains a functional Rust implementation of a Linux kernel exploit targeting CVE-2026-43284. The exploit leverages netlink and XFRM operations to achieve local privilege escalation (LPE) by manipulating kernel memory structures.
The repository contains only a minimal README with no technical details, exploit code, or analysis. It references two CVEs but provides no actionable information, suggesting it may be a lure for external downloads or monetization.
The repository lacks actual exploit code and only provides a vague description of CVE-2026-43284 with a list of affected Linux versions. It mentions running './exp' but does not include the exploit binary or source code.
This repository contains a functional exploit PoC for CVE-2026-43284, an arm64/aarch64 port of the DirtyFrag vulnerability. It leverages the ESP/xfrm path to corrupt `/usr/bin/su` via page cache manipulation, achieving local privilege escalation (LPE).
This repository provides kernel patches for the Dirty Frag vulnerability class (CVE-2026-43284 and CVE-2026-43500), which allows unprivileged local users to overwrite arbitrary bytes in the page cache of read-only files, leading to local privilege escalation. The README includes detailed technical analysis, patch application instructions, and mitigation steps.
This repository provides an in-depth technical analysis of CVE-2026-43284 (Dirty Frag), detailing the root cause, exploit flow, and reverse engineering of the PoC. It includes a comprehensive breakdown of the xfrm-ESP page-cache write vulnerability and its exploitation mechanism.
This repository provides a detailed technical analysis and detection rules for CVE-2026-43284 and CVE-2026-43500, focusing on behavioral detection via Wazuh and auditd. It includes in-depth explanations of the exploit chain, affected systems, and mitigation strategies.
The repository claims to provide a mitigation tool for CVE-2026-43284 but lacks actual exploit code, instead pushing external downloads via bit.ly links. The README is vague and focuses on marketing-like language rather than technical details.
This repository is a tracking document for CVE-2026-43284, a Linux kernel local privilege escalation chain involving page-cache write vulnerabilities in xfrm-ESP and RxRPC. It provides detailed technical context, update workflows, and conventions for tracking fixes across various distributions and platforms.
This repository contains a functional exploit for CVE-2026-43284, leveraging a vulnerability in the Linux kernel's XFRM subsystem to achieve local privilege escalation. The exploit uses a crafted Netlink message to overwrite the `/usr/bin/su` binary with a malicious ELF payload, granting root access.
This repository contains functional exploit code for CVE-2026-43284, leveraging a Linux kernel vulnerability in the crypto subsystem. The exploit uses splice() to manipulate page-cache references of read-only files (e.g., /usr/bin/su) and achieves privilege escalation by overwriting the target binary with a malicious ELF payload.
DIRTYFAIL is a unified detector and PoC harness for the Copy Fail and Dirty Frag Linux page-cache write vulnerability families, including CVE-2026-43284. It provides detection and exploitation capabilities for three CVEs, with a focus on achieving root shell access through deterministic logic flaws in the kernel's page-cache handling.
This repository contains a mitigation script for CVE-2026-43284, which blocks and unloads vulnerable kernel modules (esp4, esp6, rxrpc) to prevent exploitation of the Dirty Frag vulnerability. The script writes a modprobe configuration to blacklist these modules and verifies their unloading status.
The exploit leverages a Linux kernel crypto subsystem vulnerability (CVE-2026-31431) via splice() to manipulate page-cache references of read-only files (e.g., setuid binaries) for privilege escalation. It crafts malicious socket options and sends a payload to overwrite /usr/bin/su with a decompressed shellcode, then executes it.
This repository contains a functional exploit for a Linux kernel vulnerability (likely related to ESP-in-UDP encryption and splice operations) that achieves local privilege escalation (LPE) by manipulating encrypted traffic to flip bits in target files. The exploit uses AES-GCM/ECB operations, user namespace setup, and socket operations to gain root access.
This Metasploit module exploits CVE-2026-43284, a Linux kernel page-cache write vulnerability in the IPsec/xfrm subsystem, allowing local privilege escalation by overwriting a SUID binary. It leverages a race condition in ESP fragmentation handling to gain write access to read-only pages.
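Several entries above describe an interim mitigation that blacklists the esp4, esp6 and rxrpc modules. The script below is an added example (not code from any of the repositories listed on this page) of that approach, assuming a modular kernel; the real fix is the patched kernel described in the Description, and blacklisting esp4/esp6 also disables IPsec ESP on the host.

```shell
#!/bin/sh
# Added example, not from any repository listed on this page. Mirrors the
# mitigation those entries describe: refuse to load esp4/esp6/rxrpc via
# modprobe and verify they are not resident. Assumption: the kernel is
# modular; a modprobe blacklist cannot disable built-in code (see
# builtin_vuln_modules below).
VULN_MODULES="esp4 esp6 rxrpc"

# Print a modprobe.d fragment. 'blacklist' stops alias-based autoloading;
# 'install ... /bin/false' also makes an explicit 'modprobe esp4' fail.
gen_modprobe_conf() {
    for m in $VULN_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Given a file in /proc/modules format (first field is the module name),
# print the vulnerable modules still resident; return 1 if any is found.
loaded_vuln_modules() {
    found=0
    for m in $VULN_MODULES; do
        if awk -v m="$m" '$1 == m { hit=1 } END { exit !hit }' "$1"; then
            echo "$m"
            found=1
        fi
    done
    return $found
}

# Given a modules.builtin file (lines like kernel/net/ipv4/esp4.ko), print
# vulnerable modules compiled into the kernel; only a patched kernel fixes those.
builtin_vuln_modules() {
    for m in $VULN_MODULES; do
        grep -q "/${m}\.ko$" "$1" && echo "$m"
    done
    return 0
}

# Live usage (requires root); not executed here:
#   gen_modprobe_conf > /etc/modprobe.d/dirty-frag-mitigation.conf
#   for m in $VULN_MODULES; do modprobe -r "$m" 2>/dev/null; done
#   loaded_vuln_modules /proc/modules && echo "no vulnerable modules loaded"
#   builtin_vuln_modules "/lib/modules/$(uname -r)/modules.builtin"
```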
References (17)
Scores
CVSS 3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H