## https://sploitus.com/exploit?id=8A220C63-B8DE-5273-85D0-21F1B20930E3
CVE-2026-43284
xfrm/ESP page cache write exploit, 4 byte primitive, 64 iterations
to overwrite 256 bytes of a setuid binary with a root shell ELF
build:
gcc -O0 -o dirtyfrag dirtyfrag.c -lutil
usage:
./dirtyfrag [/path/to/setuid]
defaults to /usr/bin/su, needs CONFIG_XFRM, CONFIG_INET_ESP, CONFIG_USER_NS.
x86_64 only, works even with algif_aead blacklisted
tested:
wsl2 debian 6.6.87.2-microsoft-standard-wsl2
ubuntu 24.04
fedora 44
how:
unshare userns+netns, register 64 XFRM SAs with shellcode bytes
in ESN seq_hi, trigger via UDP 4500 with UDP_ENCAP_ESPINUDP.
splice reads target file into pipe, splice pipe to UDP socket.
page cache page enters ESP SGL via skip_cow path, authencesn
scatterwalk writes seq_hi bytes at assoclen+cryptlen offset.
HMAC fails, write persists in page cache.
payload is setgid(0)+setuid(0)+execve(/bin/sh).
restore:
saves original bytes, writes them back after shell exits.
if restore fails try echo 3 | sudo tee /proc/sys/vm/drop_caches
patched by f4c50a4034e6 (mainline, may 8 2026).
vulnerable since cac2661c53f3 (jan 2017).
notes:
rxrpc variant exists (CVE-2026-43500) for systems without
userns. targets /etc/passwd, uses pcbc(fcrypt) 8 byte brute
force, but its not included here.