Share
## https://sploitus.com/exploit?id=8A220C63-B8DE-5273-85D0-21F1B20930E3
CVE-2026-43284

xfrm/ESP page cache write exploit, 4 byte primitive, 64 iterations
to overwrite 256 bytes of a setuid binary with a root shell ELF

build:
  gcc -O0 -o dirtyfrag dirtyfrag.c -lutil

usage:
  ./dirtyfrag [/path/to/setuid]

defaults to /usr/bin/su, needs CONFIG_XFRM, CONFIG_INET_ESP, CONFIG_USER_NS.
x86_64 only, works even with algif_aead blacklisted

tested:
  wsl2 debian 6.6.87.2-microsoft-standard-wsl2
  ubuntu 24.04
  fedora 44

how:
  unshare userns+netns, register 64 XFRM SAs with shellcode bytes
  in ESN seq_hi, trigger via UDP 4500 with UDP_ENCAP_ESPINUDP.
  splice reads target file into pipe, splice pipe to UDP socket.
  page cache page enters ESP SGL via skip_cow path, authencesn
  scatterwalk writes seq_hi bytes at assoclen+cryptlen offset.
  HMAC fails, write persists in page cache.
  payload is setgid(0)+setuid(0)+execve(/bin/sh).

restore:
  saves original bytes, writes them back after shell exits.
  if restore fails try echo 3 | sudo tee /proc/sys/vm/drop_caches

patched by f4c50a4034e6 (mainline, may 8 2026).
vulnerable since cac2661c53f3 (jan 2017).

notes:
  rxrpc variant exists (CVE-2026-43500) for systems without
  userns. targets /etc/passwd, uses pcbc(fcrypt) 8 byte brute
  force, but its not included here.