CVE-2026-43500
Severity: HIGH | Status: EXPLOITED
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Title source: CNA
Exploitation Summary
CVE-2026-43500 has been observed exploited in the wild (reported by VulnCheck KEV).
EIP tracks 8 public exploits from researchers including Unclecheng-li, First-John and gagaltotal, among them a Metasploit module, exploits/linux/local/cve_2026_43500_dirty_frag.
AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-43500, leveraging a Linux kernel vulnerability in the XFRM subsystem to achieve local privilege escalation (LPE). The exploit corrupts the `/usr/bin/su` binary by overwriting it with a malicious ELF payload, granting root access.
Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
Exploits (8)
This repository contains a functional exploit for CVE-2026-43500, leveraging a Linux kernel vulnerability in the XFRM subsystem to achieve local privilege escalation (LPE). The exploit corrupts the `/usr/bin/su` binary by overwriting it with a malicious ELF payload, granting root access.
This repository contains a Go-based tool that mitigates CVE-2026-43500 by disabling vulnerable kernel modules (esp4, esp6, rxrpc) and applying system-level fixes. It includes functionality to check for vulnerable modules, offer kernel updates, and apply hotfixes if updates are unavailable.
The repository claims to provide a hotfix for CVE-2026-43500 but lacks actual exploit code. Instead, it directs users to download a binary from an external source (bit.ly) and includes vague descriptions of mitigation steps without technical depth.
The repository contains only a minimal README with no functional code or technical details. It mentions scanning for CVE-2026-43284 and CVE-2026-43500 but lacks any implementation or analysis.
This repository contains a Go-based mitigation tool for CVE-2026-43500 and related vulnerabilities, which disables vulnerable kernel modules (esp4, esp6, rxrpc) and applies system-level mitigations. It includes build scripts and CI/CD workflows for compilation and distribution.
This repository contains a bash script that mitigates CVE-2026-43500 by disabling vulnerable kernel modules (esp4, esp6, rxrpc) via modprobe configuration. It creates a configuration file to prevent module loading and clears the cache.
This repository contains a functional Go-based exploit for CVE-2026-43500, leveraging ESP/XFRM and RxRPC vulnerabilities to achieve local privilege escalation (LPE). The exploit overwrites the /usr/bin/su binary or patches /etc/passwd to gain root access.
This Metasploit module exploits CVE-2026-43500, a memory corruption vulnerability in the Linux kernel's RxRPC authentication subsystem (rxkad). It allows local privilege escalation by corrupting the in-memory contents of a SUID binary via crafted DATA packets.
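The module-blocking mitigation summarized in the list above, written out as an added shell example (this is not code from any of the listed repositories or from the kernel fix). It assumes the affected modules are the three named on this page (rxrpc, esp4, esp6) and that the host's modprobe honours a modprobe.d configuration file; the /proc/modules sample is constructed for demonstration.

```shell
#!/bin/sh
# Interim mitigation for CVE-2026-43500 until a fixed kernel is installed:
# keep the affected modules from being loaded, and report if they already are.
# Assumption: modprobe.d 'install' directives are honoured on this host.

VULN_MODULES="rxrpc esp4 esp6"   # module names as given on this page

# Emit modprobe.d content. An 'install <mod> /bin/false' line blocks both an
# explicit modprobe and kernel-triggered auto-loading (a plain 'blacklist'
# line only stops loading by alias during boot).
mitigation_conf() {
    for m in $VULN_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Print which affected modules appear in a /proc/modules-style listing
# passed as $1 (each line starts with the module name). Exit status is 1
# if any are loaded, 0 if none are.
loaded_vuln_modules() {
    found=""
    for m in $VULN_MODULES; do
        if printf '%s\n' "$1" | grep -q "^$m "; then
            found="$found$m "
        fi
    done
    printf '%s' "${found% }"
    [ -z "$found" ]
}

# Write the configuration to the path in $1 (needs root for /etc/modprobe.d).
install_mitigation_conf() {
    mitigation_conf > "$1" && echo "wrote $1"
}

# Constructed sample of /proc/modules (two affected modules loaded).
SAMPLE_MODULES='rxrpc 700416 1 afs, Live 0x0000000000000000
esp4 24576 0 - Live 0x0000000000000000
xfrm_user 49152 1 - Live 0x0000000000000000'

# Live check when run on a Linux host; reading /proc/modules needs no root.
if [ -r /proc/modules ]; then
    loaded=$(loaded_vuln_modules "$(cat /proc/modules)") || \
        echo "affected modules currently loaded: $loaded"
fi
```

Run `install_mitigation_conf /etc/modprobe.d/cve-2026-43500.conf` as root to apply it; an already-loaded module still has to be unloaded (or the host rebooted) for the block to take effect.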
References (6)
Scores
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H