惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
Spread Privacy
Spread Privacy
T
Threatpost
C
Cisco Blogs
P
Palo Alto Networks Blog
AI
AI
Cyberwarzone
Cyberwarzone
NISL@THU
NISL@THU
P
Privacy & Cybersecurity Law Blog
G
GRAHAM CLULEY
Simon Willison's Weblog
Simon Willison's Weblog
T
Tor Project blog
Latest news
Latest news
AWS News Blog
AWS News Blog
D
Docker
S
SegmentFault 最新的问题
博客园 - 聂微东
WordPress大学
WordPress大学
Vercel News
Vercel News
S
Securelist
爱范儿
爱范儿
J
Java Code Geeks
Know Your Adversary
Know Your Adversary
S
Schneier on Security
Hugging Face - Blog
Hugging Face - Blog
F
Fortinet All Blogs
Last Week in AI
Last Week in AI
D
DataBreaches.Net
宝玉的分享
宝玉的分享
D
Darknet – Hacking Tools, Hacker News & Cyber Security
MongoDB | Blog
MongoDB | Blog
Engineering at Meta
Engineering at Meta
K
Kaspersky official blog
美团技术团队
博客园 - 叶小钗
阮一峰的网络日志
阮一峰的网络日志
量子位
博客园_首页
Attack and Defense Labs
Attack and Defense Labs
S
Secure Thoughts
Google Online Security Blog
Google Online Security Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
腾讯CDC
T
Threat Research - Cisco Blogs
雷峰网
雷峰网
有赞技术团队
有赞技术团队
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
S
Security Affairs

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
nu11secur1ty · 2026-05-27 · via Exploit-DB.com RSS Feed
# Titles:** Linux Kernel Local Privilege Escalation (CVE-2026-43284 /
CVE-2026-43500)
# Author:** nu11secur1ty
# Date:** 2026-05-11
# Vendor:** Linux Kernel
# Software:** Linux Kernel (All major distributions)
# Vulnerability Type:** Page-Cache Write / Memory Corruption
# Status:** HIGH / CRITICAL

---

## Description

The **"Kukurigu"** exploit represents a sophisticated local privilege
escalation (LPE) vector targeting the Linux kernel's page-cache management.
The vulnerability is not a single bug, but a strategic chain of two
distinct flaws that allow an unprivileged attacker to bypass standard
filesystem write protections.

### Vulnerability Chain:
1.  **CVE-2026-43284 (xfrm-ESP):** A logic error in the ESP protocol
implementation when Extended Sequence Numbers (ESN) are active. This flaw
allows a local user to perform arbitrary 4-byte writes directly into the
page-cache.
2.  **CVE-2026-43500 (RxRPC):** A flaw in the RxRPC protocol that
facilitates in-place decryption of data within page-cache pages.

### Impact Analysis:
By chaining these vulnerabilities, an attacker can modify the
memory-resident pages of setuid binaries (e.g., `/usr/bin/su` or
`/usr/bin/sudo`) or sensitive system files (e.g., `/etc/passwd`). Because
the modification occurs in the page-cache, the attacker effectively
"poison" the execution environment.

**Key Advantages for Attacker:**
*   **Stability:** No race conditions involved.
*   **Reliability:** Near 100% success rate on tested environments.
*   **Stealth:** Does not trigger kernel panics or system instability upon
failure.
*   **Persistence:** Affects kernels spanning nearly 9 years (2017-01-17 to
2026-05-10).

---

## Affected Systems (Verified)
The following distributions have been tested and confirmed vulnerable:
*   **Ubuntu:** 24.04.4 / 25.10 / 26.04
*   **RHEL:** 10.1
*   **openSUSE:** Tumbleweed
*   **CentOS Stream:** 10
*   **AlmaLinux:** 10
*   **Fedora:** 44

---

## Proof of Concept (PoC)

### Execution Flow:
```bash
# Compiling the exploit tool
$ gcc -O2 kukurigu.c -o kukurigu_exploit

# Running the exploit against a target binary
$ ./kukurigu_exploit --target /usr/bin/su --method esp

[+] Initializing Kukurigu LPE engine...
[+] Exploiting CVE-2026-43284 (xfrm-ESP write)...
[+] Exploiting CVE-2026-43500 (RxRPC decryption)...
[+] Page-cache poisoned successfully for /usr/bin/su.
[+] Dropping into root shell...

# id
uid=0(root) gid=0(root) groups=0(root)


[+]Exploit:
[href](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-43284-CVE-2026-43500
)

# Demo:
[href](https://www.patreon.com/posts/cve-2026-43284-157962202)

# Patch if you want:
[href](https://www.patreon.com/posts/cve-2026-43284-157966167)

# Time spent:
01:30:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>
-- 

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>