## https://sploitus.com/exploit?id=5EA55261-60BA-5F5A-A245-187C0E4791C3
# DirtyFrag CVE-2026-43284 PoC Validation and auditd Detection

**Scope:** Linux Local Privilege Escalation (LPE) validation focused on the XFRM/ESP path associated with **CVE-2026-43284**.

This repository contains an English report and evidence artifacts from a controlled laboratory validation of the public DirtyFrag PoC. The focus is not on providing an exploitation guide, but on documenting what was visible in Linux audit logs and how those events can be transformed into practical SOC detection logic.

Full PDF report:

- EN: [`reports/DirtyFrag_CVE-2026-43284_EN.pdf`](reports/DirtyFrag_CVE-2026-43284_EN.pdf)
- PL: [`reports/DirtyFrag_CVE-2026-43284_PL.pdf`](reports/DirtyFrag_CVE-2026-43284_PL.pdf)

## Purpose and scope

The test was performed to verify whether a normal local user could obtain a root shell in a vulnerable lab VM and to determine which events can be captured with auditd.

CVE-2026-43284 relates to improper handling of shared page fragments during ESP/IPsec operations. Under specific conditions, a local attacker can influence data in the page cache and escalate privileges. Ubuntu Security rates this vulnerability as **CVSS 3.1: 7.8 High**.

| Vulnerability | Scope | Component | CVSS |
|---|---|---|---|
| CVE-2026-43284 | XFRM/ESP Page-Cache Write | XFRM / ESP, esp4/esp6 | 7.8 High |

Technical references:

- Public DirtyFrag PoC repository: 
- Ubuntu Security - CVE-2026-43284: 
- Ubuntu blog - Dirty Frag Linux vulnerability fixes available: 

## Test environment

| Parameter | Value |
|---|---|
| Distribution | Ubuntu 24.04.4 LTS / noble |
| Test kernel | 6.17.0-23-generic |
| Architecture | x86_64 |
| Virtualization | Oracle VirtualBox |
| CPU | 12th Gen Intel(R) Core(TM) i5-12450H, 1 vCPU |
| RAM | 12 GiB |
| Root filesystem | ext4 |
| Test user | uid=1000(user), gid=1000(user), groups include sudo, adm, lpadmin |
| unprivileged_userns_clone | 1 |
| auditd | active, DirtyFrag/LPE audit rules loaded |
| AppArmor | active; unprivileged_userns profile visible in logs |

Full system baseline: [`evidence/logs/system-info-table.md`](evidence/logs/system-info-table.md)

## Result

Before PoC execution, the test context was a normal user account. After running `./exp`, a root shell was obtained and confirmed with `whoami` and `id`.

![DirtyFrag root shell confirmation](evidence/screenshots/01-dirtyfrag-root-shell.png)

## Evidence collection

After the test, auditd logs and summary outputs were exported to a local evidence directory and copied into this repository.

![Copy audit log](evidence/screenshots/02-copy-audit-log.png)

![Filter audit log](evidence/screenshots/03-filter-audit-log.png)

![ausearch export](evidence/screenshots/04-ausearch-export.png)

![aureport export](evidence/screenshots/05-aureport-export.png)

![System information export](evidence/screenshots/06-system-info-export.png)

![Evidence directory listing](evidence/screenshots/07-evidence-directory-listing.png)

## Repository structure

| Path | Description |
|---|---|
| `docs/DirtyFrag_CVE-2026-43284_auditd_detection_report.docx` | English DOCX report. |
| `evidence/logs/audit.log` | Full auditd log containing raw events. |
| `evidence/logs/dirtyfrag-filtered.log` | Filtered log containing DirtyFrag/LPE-related events. |
| `evidence/logs/dirty_frag_vmsplice.log` | vmsplice events from the PoC process. |
| `evidence/logs/dirty_frag_splice.log` | splice events from the PoC process. |
| `evidence/logs/dirty_frag_execve_su.log` | Execution of `/usr/bin/su` after PoC activity. |
| `evidence/logs/lpe_root_exec_from_user_session.log` | Processes executed as root from the original user session. |
| `evidence/logs/audit-key-summary.txt` | Event count summary by auditd key. |
| `evidence/logs/audit-exec-summary.txt` | Executable summary from aureport. |
| `evidence/logs/audit-rules-loaded.txt` | Active auditd detection rules. |
| `evidence/logs/system-info-table.md` | System baseline table. |
| `evidence/screenshots/01-dirtyfrag-root-shell.png` | Screenshot confirming user -> root shell transition. |
| `tools/generate-system-info-table.sh` | Helper script used to generate the system information table. |

## auditd detection logic

The most useful detection is not a single event. The strongest signal is the full chain observed in a short time window:

```text
user namespace -> vmsplice/splice -> ESP/XFRM -> su -> root shell with AUID of a normal user
```

### Relevant auditd keys

| Key | Meaning |
|---|---|
| `dirty_frag_unshare` | `unshare` executed by an unprivileged user; indicates user namespace preparation. |
| `dirty_frag_vmsplice` | `vmsplice` activity from a user process; main page-cache signal. |
| `dirty_frag_splice` | `splice` activity from a user process; correlated with `vmsplice`. |
| `dirty_frag_su_exec` / `dirty_frag_execve_su` | Execution of `/usr/bin/su` after the page-cache phase. |
| `lpe_root_exec_from_user_session` | `execve` with `euid=0` in a session owned by `auid>=1000`; strong LPE proof when correlated. |
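One way to produce the keys above, as an added example in auditctl rule syntax. This is not the repository's own `audit-rules-loaded.txt`; it assumes an x86_64 host (`arch=b64`), an audit userspace that accepts `auid!=unset`, and a raised backlog so that the `lost` counter stays at `0` during collection.

```text
# Added example rules, not the repository's audit-rules-loaded.txt.
# Assumes x86_64 (arch=b64) and audit userspace that understands auid!=unset.
-b 16384
-f 1
-a always,exit -F arch=b64 -S unshare  -F auid>=1000 -F auid!=unset -k dirty_frag_unshare
-a always,exit -F arch=b64 -S vmsplice -F auid>=1000 -F auid!=unset -k dirty_frag_vmsplice
-a always,exit -F arch=b64 -S splice   -F auid>=1000 -F auid!=unset -k dirty_frag_splice
-w /usr/bin/su -p x -k dirty_frag_su_exec
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k lpe_root_exec_from_user_session
```

The `execve` rule with `euid=0` fires on every `sudo` as well, which is why the keys are meant to be correlated rather than alerted on individually.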

### Reconstructed event chain

| Time | Event | Artifact | Meaning |
|---|---|---|---|
| 21:10:48 | auditd rules loaded | `audit-rules-loaded.txt`, `audit.log` | Monitoring was active before PoC execution. |
| 21:11:32 | `unshare` by `./exp` | `dirtyfrag-filtered.log` | The user process entered `unprivileged_userns`. |
| 21:11:32-21:11:39 | `vmsplice` / `splice` by `./exp` | `dirty_frag_vmsplice.log`, `dirty_frag_splice.log` | Page-cache behavior visible through syscall telemetry. |
| 21:11:32-21:11:39 | `MAC_IPSEC_EVENT` / XFRM ESP | `audit.log` | `SAD-add` and `SA-icv-failure` events on `127.0.0.1` with `SPI 0xdeadbeXX`. |
| 21:11:39 | `su -` | `dirty_frag_execve_su.log` | Attempt to enter a root shell after PoC execution. |
| 21:11:39 | `sh` / `dash` as root | `lpe_root_exec_from_user_session.log` | `UID=root` and `EUID=root` while `AUID=user`. |
| 21:11:48 | `whoami` as root | `lpe_root_exec_from_user_session.log`, screenshot | Manual confirmation of successful escalation. |
| 21:11:49 | `id` as root | `lpe_root_exec_from_user_session.log`, screenshot | Manual confirmation of `uid=0(root)`. |

## Example SIEM correlation

```text
IF
  dirty_frag_unshare by auid>=1000
  AND count(dirty_frag_vmsplice + dirty_frag_splice by same exe or pid) >= 3 within 600s
  AND MAC_IPSEC_EVENT / XFRM activity within 1200s
  AND (dirty_frag_su_exec OR execve with euid=0 and auid>=1000) within 1200s
THEN
  alert = "Possible DirtyFrag CVE-2026-43284 Linux LPE"
  severity = high/critical
```
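The correlation rule above, implemented over auditd records as an added example (this is not code from the repository; the sample log lines are constructed, with invented timestamps, PIDs and SPI, and the syscall number `59` for `execve` assumes x86_64). It anchors on each `dirty_frag_unshare` record from an `auid>=1000` session, counts `vmsplice`/`splice` records from the same pid or exe inside 600 s, then requires `MAC_IPSEC_EVENT` activity and a root execution (`dirty_frag_su_exec` key or `execve` with `euid=0`) inside 1200 s. A second constructed log with only a `sudo`-style `euid=0` execve shows that a lone root exec does not alert.

```python
import re

# Every auditd record carries "msg=audit(EPOCH.MS:SERIAL)"; the rest is key=value pairs.
TS_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

UNSHARE_KEY = "dirty_frag_unshare"
PAGECACHE_KEYS = {"dirty_frag_vmsplice", "dirty_frag_splice"}
SU_KEYS = {"dirty_frag_su_exec", "dirty_frag_execve_su"}
EXECVE_X86_64 = "59"        # assumption: x86_64 syscall numbering
PAGECACHE_WINDOW_S = 600    # vmsplice/splice burst window from the rule
CHAIN_WINDOW_S = 1200       # XFRM and root-exec window from the rule
MIN_PAGECACHE_EVENTS = 3

# Constructed sample records (not from the repository's evidence files).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=272 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="exp" exe="/home/user/exp" key="dirty_frag_unshare"
type=SYSCALL msg=audit(1700000001.200:102): arch=c000003e syscall=278 success=yes exit=4096 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="exp" exe="/home/user/exp" key="dirty_frag_vmsplice"
type=SYSCALL msg=audit(1700000001.300:103): arch=c000003e syscall=275 success=yes exit=4096 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="exp" exe="/home/user/exp" key="dirty_frag_splice"
type=SYSCALL msg=audit(1700000002.400:104): arch=c000003e syscall=278 success=yes exit=4096 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="exp" exe="/home/user/exp" key="dirty_frag_vmsplice"
type=MAC_IPSEC_EVENT msg=audit(1700000003.500:105): op=SAD-add auid=1000 ses=3 res=1 src=127.0.0.1 dst=127.0.0.1 spi=3735928559(0xdeadbeef)
type=SYSCALL msg=audit(1700000007.600:106): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1300 auid=1000 uid=1000 gid=1000 euid=0 ses=3 comm="su" exe="/usr/bin/su" key="dirty_frag_su_exec"
type=SYSCALL msg=audit(1700000008.700:107): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="dash" exe="/usr/bin/dash" key="lpe_root_exec_from_user_session"
"""

# Constructed: a lone root execve from a user session, as ordinary sudo produces.
BENIGN_SUDO_LOG = """\
type=SYSCALL msg=audit(1700000100.000:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 auid=1000 uid=0 gid=0 euid=0 ses=4 comm="apt" exe="/usr/bin/apt" key="lpe_root_exec_from_user_session"
"""


def parse_audit_line(line):
    """Turn one auditd record into a dict; None for lines without an audit stamp."""
    m = TS_RE.search(line)
    if not m:
        return None
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = float(m.group(1))
    ev["serial"] = int(m.group(2))
    return ev


def parse_audit_log(text):
    return [ev for ev in map(parse_audit_line, text.splitlines()) if ev]


def is_unprivileged_session(ev):
    return ev.get("auid", "").isdigit() and int(ev["auid"]) >= 1000


def is_root_exec_from_user_session(ev):
    return (ev.get("type") == "SYSCALL" and ev.get("syscall") == EXECVE_X86_64
            and ev.get("euid") == "0" and is_unprivileged_session(ev))


def within(ev, start, seconds):
    return start <= ev["ts"] <= start + seconds


def correlate(events):
    """One alert per unshare anchor whose full chain completes inside the windows."""
    events = sorted(events, key=lambda e: (e["ts"], e["serial"]))
    alerts = []
    for anchor in events:
        if anchor.get("key") != UNSHARE_KEY or not is_unprivileged_session(anchor):
            continue
        t0 = anchor["ts"]

        def same_process(e):
            return e.get("pid") == anchor.get("pid") or e.get("exe") == anchor.get("exe")

        pagecache = [e for e in events if e.get("key") in PAGECACHE_KEYS
                     and same_process(e) and within(e, t0, PAGECACHE_WINDOW_S)]
        ipsec = [e for e in events if e.get("type") == "MAC_IPSEC_EVENT"
                 and within(e, t0, CHAIN_WINDOW_S)]
        root_exec = [e for e in events if (e.get("key") in SU_KEYS or is_root_exec_from_user_session(e))
                     and within(e, t0, CHAIN_WINDOW_S)]
        if len(pagecache) < MIN_PAGECACHE_EVENTS or not ipsec or not root_exec:
            continue
        alerts.append({
            "alert": "Possible DirtyFrag CVE-2026-43284 Linux LPE",
            "severity": "high",
            "auid": int(anchor["auid"]),
            "pid": anchor.get("pid"),
            "exe": anchor.get("exe"),
            "pagecache_events": len(pagecache),
            "ipsec_events": len(ipsec),
            "root_exec_events": len(root_exec),
            "first_ts": t0,
            "last_ts": max(e["ts"] for e in pagecache + ipsec + root_exec),
        })
    return alerts


def detect(log_text):
    return correlate(parse_audit_log(log_text))


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
    print("benign sudo session alerts:", detect(BENIGN_SUDO_LOG))
```

Anchoring on the `unshare` record rather than on the root exec keeps the rule quiet for routine `sudo`, and matching `vmsplice`/`splice` by pid or exe tolerates the PoC forking before the page-cache phase. A production version would read `ausearch -i` or raw `audit.log` lines from the collector instead of the embedded sample.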

## SOC recommendations

- Patch the kernel and enforce reboot into the patched kernel after updates.
- Collect syscall telemetry with auditd, Falco, eBPF-based tools or EDR.
- Do not alert on a single `euid=0` event alone; on its own it also fires on legitimate `sudo` usage.
- Correlate `unshare`, `vmsplice`, `splice`, XFRM/ESP activity, `su`, and root process creation from a normal user session.
- Consider restricting `kernel.unprivileged_userns_clone` where application compatibility allows it.
- Review whether ESP/IPsec modules are required on a given host class and restrict unnecessary module loading where appropriate.
- Forward logs to a remote collector or SIEM; after LPE, local logs can be modified by the attacker.
- Monitor auditd quality: `lost` should remain `0` during testing and production monitoring.
- Maintain a Linux LPE triage playbook covering host isolation, audit log collection, running kernel verification and loaded module capture.

## Notes

The collected auditd status showed `lost=2555`, which means some audit events may have been dropped. The key chain is still visible, but future tests should increase audit backlog and confirm `lost=0` before running the PoC.

The report intentionally focuses on **CVE-2026-43284 / XFRM/ESP** to avoid mixing the SOC detection scope with other DirtyFrag-related paths.