Linux Kernel - Local Privilege Escalation

Published: 29 May 2026. Reported by: nu11secur1ty. Source: exploitdb (www.exploit-db.com)

Chain of Linux kernel page-cache flaws enabling local privilege escalation by overwriting cache.

# Title: Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500 / CVE-2026-46300)
# Author: nu11secur1ty
# Date: 2026-05-11
# Vendor: Linux Kernel
# Software: Linux Kernel (All major distributions)
# Vulnerability Type: Page-Cache Write / Memory Corruption
# Status: HIGH / CRITICAL

---

## Description

The **"Kukurigu"** exploit is a local privilege escalation (LPE) chain
targeting the Linux kernel's page-cache management. The vulnerability is not
a single bug but a chain of three distinct flaws (listed below) that together
let an unprivileged local user bypass the standard filesystem write
protections.

### Vulnerability Chain:
1.  **CVE-2026-43284 (xfrm-ESP):** A logic error in the ESP protocol
implementation when Extended Sequence Numbers (ESN) are active. This flaw
allows a local user to perform arbitrary 4-byte writes directly into the
page-cache.
2.  **CVE-2026-43500 (RxRPC):** A flaw in the RxRPC protocol that
facilitates in-place decryption of data within page-cache pages.
3.  **CVE-2026-46300 (Fragnesia - ESP-in-TCP):** A bug in
`skb_try_coalesce()` that allows a page-cache write via fragmented ESP packets.

### Impact Analysis:
By chaining these vulnerabilities, an attacker can modify the
page-cache-resident pages of setuid binaries (e.g., `/usr/bin/su` or
`/usr/bin/sudo`) or of sensitive system files (e.g., `/etc/passwd`). Because
the modification lands in the page cache rather than going through a normal
write, subsequent reads and executions of the file are served from the
altered pages, so the attacker effectively poisons the execution environment
without ever holding write permission on the file.

**Key advantages for the attacker:**
*   **Stability:** No race conditions are involved.
*   **Reliability:** Near 100% success rate on the tested environments.
*   **Stealth:** A failed attempt does not trigger a kernel panic or system
instability.
*   **Affected range:** Kernels spanning over nine years (2017-01-17 to
2026-05-10).
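
A defender's check that follows from the impact described above, added here as an example and not part of the advisory or of the Kukurigu tool: if the attacker alters the page-cache copy of a file while the on-disk blocks stay untouched (assumed here, since the text says the write happens in the page cache and never goes through the filesystem's permission checks), then a plain buffered read and an `O_DIRECT` read of the same file should disagree, because `O_DIRECT` bypasses the page cache. The program below reads a file both ways and reports the first byte at which the two views diverge. The names `compare_cached_vs_direct`, `first_divergence` and `self_check` are this example's own, and the 10,000-byte sample file in `self_check` is constructed for the demonstration.

```c
#define _GNU_SOURCE                      /* O_DIRECT */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CHUNK (1 << 20)   /* 1 MiB: a multiple of any block size O_DIRECT needs */

/* Index of the first byte at which a and b differ, or -1 if identical. */
long first_divergence(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return (long)i;
    return -1;
}

/* Buffered read of len bytes (fewer only at EOF); -1 on error. */
static ssize_t read_full(int fd, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        if (n == 0) break;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/*
 * Compare the page-cache view of path (plain buffered read) with the on-disk
 * view (O_DIRECT read, which bypasses the page cache).
 * Returns 0 if they match, 1 if they diverge (*off = first differing byte),
 * -1 on error with errno set (EINVAL usually means the filesystem, e.g.
 * tmpfs, has no O_DIRECT support, so nothing can be concluded).
 */
int compare_cached_vs_direct(const char *path, off_t *off)
{
    int rc = -1, saved, cfd = open(path, O_RDONLY);
    int dfd = open(path, O_RDONLY | O_DIRECT);
    unsigned char *cbuf = NULL, *dbuf = NULL;
    off_t pos = 0;

    if (cfd < 0 || dfd < 0) goto out;
    /* O_DIRECT demands block-aligned buffers, file offsets and lengths. */
    if (posix_memalign((void **)&cbuf, 4096, CHUNK) ||
        posix_memalign((void **)&dbuf, 4096, CHUNK)) { errno = ENOMEM; goto out; }
    for (;;) {
        ssize_t nd = read(dfd, dbuf, CHUNK);      /* short direct read == EOF */
        if (nd < 0) goto out;
        ssize_t nc = read_full(cfd, cbuf, (size_t)nd);
        if (nc < 0) goto out;
        /* Differing lengths count as divergence at the shorter length. */
        long d = nc == nd ? first_divergence(cbuf, dbuf, (size_t)nd)
                          : (long)(nc < nd ? nc : nd);
        if (d >= 0) { if (off) *off = pos + d; rc = 1; goto out; }
        pos += nd;
        if (nd < CHUNK) break;
    }
    rc = 0;
out:
    saved = errno;
    if (cfd >= 0) close(cfd);
    if (dfd >= 0) close(dfd);
    free(cbuf); free(dbuf);
    errno = saved;
    return rc;
}

/* Self-check on a constructed 10,000-byte file: expect 0 (views agree);
 * -1 means O_DIRECT is unavailable on /tmp; 1 would mean cache != disk. */
int self_check(void)
{
    char tmpl[] = "/tmp/pagecache-check-XXXXXX";
    unsigned char data[10000];
    off_t off = 0;
    int rc, fd = mkstemp(tmpl);

    if (fd < 0) return -1;
    for (size_t i = 0; i < sizeof data; i++) data[i] = (unsigned char)(i * 7);
    /* fsync so the direct read has real on-disk blocks to fetch. */
    if (write(fd, data, sizeof data) != (ssize_t)sizeof data || fsync(fd) != 0) rc = -1;
    else rc = compare_cached_vs_direct(tmpl, &off);
    close(fd);
    unlink(tmpl);
    return rc;
}

int main(int argc, char **argv)
{
    int status = 0;
    if (argc < 2) { fprintf(stderr, "usage: %s FILE...\n", argv[0]); return 2; }
    for (int i = 1; i < argc; i++) {
        off_t off = 0;
        int rc = compare_cached_vs_direct(argv[i], &off);
        if (rc == 1) { printf("DIVERGENCE %s at byte %lld\n", argv[i], (long long)off); status = 1; }
        else if (rc == 0) printf("ok %s\n", argv[i]);
        else { printf("error %s: %s\n", argv[i], strerror(errno)); if (!status) status = 2; }
    }
    return status;
}
```

Run it against the files the advisory names, for example `./pagecache-check /usr/bin/su /usr/bin/sudo /etc/passwd`; exit status 1 means the cached and on-disk views differ. Three caveats: filesystems without direct I/O support refuse `O_DIRECT` with EINVAL, so the tool reports an error rather than a false "ok" there; dropping caches (`echo 3 > /proc/sys/vm/drop_caches`) before running evicts clean pages and destroys the evidence; and if a variant does mark the poisoned page dirty and it is written back, both views match and only a comparison against the distribution's package hashes (`rpm -V`, `dpkg --verify` or `debsums`) will show the change.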

---

## Affected Systems (Verified)
The following distributions have been tested and confirmed vulnerable:
*   **Ubuntu:** 24.04.4 / 25.10 / 26.04
*   **RHEL:** 10.1
*   **openSUSE:** Tumbleweed
*   **CentOS Stream:** 10
*   **AlmaLinux:** 10
*   **Fedora:** 44

---

## Proof of Concept (PoC)

### Execution Flow:
```bash
# Compiling the exploit tool
$ gcc -O2 kukurigu.c -o kukurigu_exploit

# Running the exploit against a target binary
$ ./kukurigu_exploit --target /usr/bin/su --method esp

[+] Initializing Kukurigu LPE engine...
[+] Exploiting CVE-2026-43284 (xfrm-ESP write)...
[+] Exploiting CVE-2026-43500 (RxRPC decryption)...
[+] Exploiting CVE-2026-46300 (Fragnesia)...
[+] Page-cache poisoned successfully for /usr/bin/su.
[+] Dropping into root shell...

# id
uid=0(root) gid=0(root) groups=0(root)
```

# Exploit:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-43284-CVE-2026-43500

# Demo:
https://www.patreon.com/posts/cve-2026-43284-157962202
https://www.patreon.com/posts/cve-2026-46300-k-158433402

# Patch if you want:
https://www.patreon.com/posts/cve-2026-43284-157966167

# Time spent:
01:30:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>


Vulners scoring (29 May 2026): Medium risk (6), Vulners AI Score 6, CVSS 3.1 7.8 - 8.8, EPSS 0.43539.