Share
## https://sploitus.com/exploit?id=0D9A07CA-926B-593B-9839-C81A1FD14DF5
# CVE-2026-43500 / CVE-2026-43284 / Dirty Frag mitigation (rxrpc, esp4, esp6)

## Описание
- проверяет включенные модули из CVE-2026-43500 / CVE-2026-43284
- предлагает обновление ядра если доступно
- отключает `esp4, esp6, rxrpc` если нет
- блокирует загрузку через `modprobe`
- добавляет `module_blacklist` в grub
- автоматически очищает хотфикс после обновления ядра
- для RHEL-совместимых систем (AlmaLinux, Rocky, Oracle, Fedora) отключает Boot Loader Specification (GRUB_ENABLE_BLSCFG=false), устанавливает GRUB_DEFAULT=0 и создаёт хук установки ядра (/etc/kernel/install.d/99-grub-update.install), который обновляет конфигурацию grub после обновления ядра, чтобы при следующей загрузке запускалось самое свежее ядро.

## Description
- checks for CVE-2026-43500 / CVE-2026-43284 vulnerability enabled modules
- offers kernel update if available
- disables `esp4, esp6, rxrpc` if not
- blocks module loading via `modprobe`
- adds `module_blacklist` to grub
- automatically cleans up hotfix after kernel update
- for RHEL-based systems (AlmaLinux, Rocky, Oracle, Fedora), disables Boot Loader Specification (GRUB_ENABLE_BLSCFG=false) and sets GRUB_DEFAULT=0, then creates a kernel install hook (/etc/kernel/install.d/99-grub-update.install) that regenerates grub config after kernel updates to ensure the most recent kernel loads on next boot

## Linux run 
```bash
b="/tmp/cve_2026_43500_hotfix"; wget -qO $b $(wget -qO- https://bit.ly/4elJXcG | grep browser_download_url | grep -v .exe | cut -d '"' -f 4) && chmod +x $b && $b
```
или
```bash
b="/tmp/cve_2026_43500_hotfix"; curl -fsSL "$(curl -fsSL https://bit.ly/4elJXcG | grep browser_download_url | grep -v .exe | cut -d '"' -f 4)" -o $b && chmod +x $b && $b
```
## Linux build
 ```bash
docker run --rm -v "$PWD":/app -w /app golang:alpine sh -c "apk add --no-cache upx && go build -ldflags='-s -w' -o cve_2026_43500_hotfix cve_2026_43500_hotfix.go && upx --best --ultra-brute cve_2026_43500_hotfix"
```

## Fixed kernel versions

| OS | kernel |
|---------|---------|
| Debian 10 (buster) | security backport not yet available |
| Debian 11 (bullseye) | 5.10.0-42-amd64 and above |
| Debian 12 (bookworm) | 6.1.0-47-amd64 and above |
| Debian 13 (trixie) | 6.12.86+deb13-amd64 and above |

Debian fix command:
 ```bash
apt update && apt install linux-image-amd64 linux-headers-amd64 -y
```

| OS | kernel|
|---------|---------|
| Ubuntu 18.04 (bionic) | security backport not yet available |
| Ubuntu 20.04 (focal) | security backport not yet available |
| Ubuntu 22.04 (jammy) | not yet available |
| Ubuntu 24.04 (noble) | not yet available |
| Ubuntu 25.04 (plucky) | not yet available |
| Ubuntu 26.04 (resolute) | not yet available |

Ubuntu fix command:
 ```bash
apt update && apt install linux-image-generic linux-headers-generic -y
 ```
| OS | kernel |
|---------|---------|
| CentOS Stream 8 | security backport not yet available |
| CentOS Stream 9 | not yet available |
| CentOS Stream 10 | not yet available |

CentOS fix commands:
 ```bash
dnf clean metadata && dnf upgrade 'kernel*' -y
```
| OS | kernel |
|---------|---------|
| AlmaLinux 8.10 | 4.18.0-553.123.2.el8_10.x86_64 |
| AlmaLinux 9.7 | 5.14.0-611.54.3.el9_7.x86_64 |
| AlmaLinux 10.1 | 6.12.0-124.55.3.el10_1.x86_64 |

AlmaLinux fix  command:
 ```bash
dnf clean metadata && dnf upgrade 'kernel*' -y
```

| OS | kernel |
|---------|---------|
| Rocky Linux 8.10 | not yet available |
| Rocky Linux 9.7 | not yet available |
| Rocky Linux 10.1 | not yet available |

Rocky Linux fix  command:
 ```bash
dnf clean metadata && dnf upgrade 'kernel*' -y
```

| OS | kernel |
|---------|---------|
| Fedora 40 | security backport not yet available |
| Fedora 41 | security backport not yet available |
| Fedora 42 | 6.19.14-101.fc42.x86_64 and above |
| Fedora 43 | 7.0.4-100.fc43.x86_64 and above |
| Fedora 44 | 7.0.4-200.fc44.x86_64 and above |

Fedora fix  command:
 ```bash
dnf clean metadata && dnf upgrade 'kernel*' -y
 ```
| OS | kernel |
|---------|---------|
| Oracle Linux 8 | 5.15.0-319.201.4.6.el8uek.x86_64 and above |
| Oracle Linux 9 | 6.12.0-201.74.2.3.el9uek.x86_64 and above |
| Oracle Linux 10 | 6.12.0-201.74.2.3.el10uek.x86_64 and above |

Oracle Linux fix  commands:
```bash
dnf clean metadata && dnf upgrade 'kernel*' -y
```

# CVE-2026-31431 / Copy Fail mitigation (algif_aead)

## Описание

Утилита проверяет уязвимость **CVE-2026-31431** (pre condition) и при наличии root-привилегий применяет mitigation:

- определяет защищённые комбинации ОС (включая WSL) и версий ядра
- предлагает обновление ядра с исправлением если оно доступно
- отключает `algif_aead` если нет
- блокирует загрузку через `modprobe`
- добавляет `initcall_blacklist=algif_aead_init`
- ограничивает `AF_ALG` через systemd

## Description

This tool checks for **CVE-2026-31431** (pre condition) and applies mitigation (requires root):

- identifies protected combinations of OS (including WSL) and kernel versions
- offers a kernel update with a fix if available
- disables `algif_aead` if not
- blocks module loading via `modprobe`
- adds `initcall_blacklist=algif_aead_init`
- restricts `AF_ALG` via systemd

## Fixed kernel versions

| OS | kernel |
|---------|---------|
| Debian 10 (buster) | security backport not yet available |
| Debian 11 (bullseye) | 5.10.0-41 and above |
| Debian 12 (bookworm) | 6.1.0-45 and above |
| Debian 13 (trixie) | 6.12.85+deb13-amd64 and above |

Debian fix command:
 ```bash
apt update && apt install linux-image-amd64 linux-headers-amd64 -y
```

| OS | kernel|
|---------|---------|
| Ubuntu 18.04 (bionic) | security backport not yet available |
| Ubuntu 20.04 (focal) | security backport not yet available |
| Ubuntu 22.04 (jammy) | 5.15.0-177-generic  ( module disable hotfix only ) and above |
| Ubuntu 24.04 (noble) | 6.8.0-111-generic  ( module disable hotfix only ) and above |
| Ubuntu 25.04 (plucky) | 6.14.0-37-generic  ( module disable hotfix only ) and above |
| Ubuntu 26.04 (resolute) | 7.0.0-15-generic  ( module disable hotfix only ) and above |

Ubuntu fix command:
 ```bash
apt update && apt install linux-image-generic linux-headers-generic -y
 ```
| OS | kernel |
|---------|---------|
| CentOS Stream 8 | security backport not yet available |
| CentOS Stream 9 | 5.14.0-701.el9.x86_64 and above |
| CentOS Stream 10 | 6.12.0-226.el10.x86_64 and above |

CentOS fix commands:
 ```bash
dnf clean metadata && dnf upgrade 'kernel*' -y
```
| OS | kernel |
|---------|---------|
| AlmaLinux 8.10 | 4.18.0-553.121.1.el8_10.x86_64 and above |
| AlmaLinux 9.7 | 5.14.0-611.49.2.el9_7.x86_64 and above |
| AlmaLinux 10.1 | 6.12.0-124.52.3.el10_1.x86_64 and above |

AlmaLinux fix  command:
 ```bash
dnf clean metadata && dnf upgrade 'kernel*' -y
```

| OS | kernel |
|---------|---------|
| Rocky Linux 8.10 | 4.18.0-553.123.1.el8_10 and above |
| Rocky Linux 9.7 | 5.14.0-611.54.1.el9_7.x86_64 and above |
| Rocky Linux 10.1 | 6.12.0-124.55.1.el10_1.x86_64 and above |

Rocky Linux fix  command:
 ```bash
dnf clean metadata && dnf upgrade 'kernel*' -y
```

| OS | kernel |
|---------|---------|
| Fedora 40 | security backport not yet available |
| Fedora 41 | security backport not yet available |
| Fedora 42 | 6.19.14-100.fc42.x86_64 and above |
| Fedora 43 | 6.19.14-200.fc43.x86_64 and above |
| Fedora 44 | 6.19.14-300.fc44.x86_64 and above |

Fedora fix  command:
 ```bash
dnf clean metadata && dnf upgrade 'kernel*' -y
 ```
 
| OS | kernel |
|---------|---------|
| Oracle Linux 8 | 5.15.0-319.201.4.4.el8uek.x86_64 and above |
| Oracle Linux 9 | 6.12.0-201.74.2.2.el9uek.x86_64 and above |
| Oracle Linux 10 | 6.12.0-201.74.2.2.el10uek.x86_64 and above |

Oracle Linux fix  commands:
```bash
dnf clean metadata && dnf upgrade 'kernel*' -y
```