Exploit-DB.com RSS Feed

OffSec’s Exploit Database Archive
nu11secur1ty · 2026-05-29 · via Exploit-DB.com RSS Feed
# Title: Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500 / CVE-2026-46300)
# Author: nu11secur1ty
# Date: 2026-05-11
# Vendor: Linux Kernel
# Software: Linux Kernel (all major distributions)
# Vulnerability Type: Page-Cache Write / Memory Corruption
# Severity: HIGH / CRITICAL

---

## Description

The **"Kukurigu"** exploit is a local privilege escalation (LPE) chain
against the Linux kernel's page-cache management. It is not a single bug
but a chain of three distinct flaws (listed below) that together let an
unprivileged local user write into the page cache of files the filesystem
would not otherwise allow them to modify.

### Vulnerability Chain:
1.  **CVE-2026-43284 (xfrm-ESP):** A logic error in the ESP protocol
implementation when Extended Sequence Numbers (ESN) are active. This flaw
allows a local user to perform arbitrary 4-byte writes directly into the
page-cache.
2.  **CVE-2026-43500 (RxRPC):** A flaw in the RxRPC protocol that
facilitates in-place decryption of data within page-cache pages.
3.  **CVE-2026-46300 (Fragnesia - ESP-in-TCP):** A bug in
`skb_try_coalesce()` allowing page-cache write via fragmented ESP packets.

### Impact Analysis:
By chaining these vulnerabilities, an attacker can modify the
memory-resident (page-cache) pages of setuid binaries (e.g. `/usr/bin/su`
or `/usr/bin/sudo`) or sensitive system files (e.g. `/etc/passwd`). Because
the modification lands in the page cache rather than going through the
file's normal write path, every process that subsequently reads or executes
the file sees the altered content, and the attacker effectively poisons the
execution environment.

**Key Advantages for Attacker:**
*   **Stability:** No race conditions involved.
*   **Reliability:** Near 100% success rate on tested environments.
*   **Stealth:** A failed attempt does not cause a kernel panic or other
system instability.
*   **Affected range:** Kernels spanning nearly 9 years (2017-01-17 to
2026-05-10).
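
What a defender can do with the impact described above, independently of the three bugs: a page-cache-only modification is what every process sees when it reads or executes the file through the page cache, but it is not what sits in the disk blocks. The following C program is added here as an illustration; it is not part of this advisory and not the Kukurigu tool. It reads a file twice, once through the normal buffered path and once with `O_DIRECT`, which bypasses the page cache on filesystems that support it, and reports the first byte at which the two views differ. The default path `/usr/bin/su`, the 4096-byte alignment, the temporary-file self-check and the constructed test pattern are assumptions; where `O_DIRECT` is not available (tmpfs, some overlay setups) the check reports "unknown" rather than "clean".

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for O_DIRECT in <fcntl.h> on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_DIRECT             /* fallback if feature macros were set too late */
# ifdef __O_DIRECT
#  define O_DIRECT __O_DIRECT
# else
#  define O_DIRECT 040000    /* assumption: the Linux x86/arm64 value */
# endif
#endif

#define ALIGN 4096           /* assumption: covers 512- and 4096-byte sectors */

/* 1 if the first n bytes match, 0 otherwise (first_diff gets the offset). */
int buffers_match(const unsigned char *a, const unsigned char *b,
                  size_t n, size_t *first_diff)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            if (first_diff) *first_diff = i;
            return 0;
        }
    }
    return 1;
}

/* Compare the buffered (page-cache) view of `path` with its O_DIRECT view,
 * which bypasses the page cache and reads the on-disk blocks.
 * Returns 1 if identical, 0 if they differ (a cache-only modification),
 * -1 if the check could not be carried out (O_DIRECT unsupported, I/O error,
 * file changed under us). -1 means "unknown", not "clean". */
int page_cache_matches_disk(const char *path, size_t *first_diff)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    size_t len = (size_t)st.st_size;
    /* O_DIRECT requires buffer, offset and length to be aligned. */
    size_t alen = ((len + ALIGN - 1) / ALIGN) * ALIGN;
    if (alen == 0) alen = ALIGN;

    unsigned char *cached = NULL, *direct = NULL;
    int fd_c = -1, fd_d = -1, result = -1;
    if (posix_memalign((void **)&cached, ALIGN, alen) != 0) return -1;
    if (posix_memalign((void **)&direct, ALIGN, alen) != 0) goto out;

    fd_c = open(path, O_RDONLY);
    fd_d = open(path, O_RDONLY | O_DIRECT);   /* EINVAL: fs has no O_DIRECT */
    if (fd_c < 0 || fd_d < 0) goto out;

    /* One aligned read each; the kernel shortens the read at EOF. A short
     * read below the stat()ed size means the file changed: report unknown. */
    ssize_t n_c = read(fd_c, cached, alen);   /* served from the page cache */
    ssize_t n_d = read(fd_d, direct, alen);   /* served from the disk blocks */
    if (n_c < 0 || n_d < 0 || (size_t)n_c < len || (size_t)n_d < len) goto out;

    result = buffers_match(cached, direct, len, first_diff);
out:
    if (fd_c >= 0) close(fd_c);
    if (fd_d >= 0) close(fd_d);
    free(cached);
    free(direct);
    return result;
}

/* Self-check on a constructed temporary file: writes a pattern spanning two
 * pages with an unaligned length, syncs it, and compares. Expected 1, or -1
 * where /tmp has no O_DIRECT support (e.g. tmpfs); never 0. */
int self_check(void)
{
    char tmpl[] = "/tmp/pcchkXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    unsigned char pattern[5000];
    for (size_t i = 0; i < sizeof pattern; i++) pattern[i] = (unsigned char)(i * 7);
    int ok = write(fd, pattern, sizeof pattern) == (ssize_t)sizeof pattern && fsync(fd) == 0;
    close(fd);
    int r = ok ? page_cache_matches_disk(tmpl, NULL) : -1;
    unlink(tmpl);
    return r;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/bin/su";  /* default path is an assumption */
    size_t off = 0;
    int r = page_cache_matches_disk(path, &off);
    if (r == 1)       printf("%s: page cache matches on-disk contents\n", path);
    else if (r == 0)  printf("%s: MISMATCH at offset %zu: page cache differs from disk\n", path, off);
    else              printf("%s: check unavailable: %s\n", path, strerror(errno));
    return r == 1 ? 0 : 1;
}
```

Run it as root against the setuid binaries and system files named above; a mismatch means the in-memory copy differs from the disk blocks, which the advisory's write primitive would produce and a normal file write would not. A page that was never marked dirty is not written back, so evicting it (for example via `drop_caches`) restores the on-disk contents for later readers, but that does nothing about a process that already executed the poisoned pages.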

---

## Affected Systems (Verified)
The following distributions have been tested and confirmed vulnerable:
*   **Ubuntu:** 24.04.4 / 25.10 / 26.04
*   **RHEL:** 10.1
*   **openSUSE:** Tumbleweed
*   **CentOS Stream:** 10
*   **AlmaLinux:** 10
*   **Fedora:** 44

---

## Proof of Concept (PoC)

### Execution Flow:
```bash
# Compiling the exploit tool
$ gcc -O2 kukurigu.c -o kukurigu_exploit

# Running the exploit against a target binary
$ ./kukurigu_exploit --target /usr/bin/su --method esp

[+] Initializing Kukurigu LPE engine...
[+] Exploiting CVE-2026-43284 (xfrm-ESP write)...
[+] Exploiting CVE-2026-43500 (RxRPC decryption)...
[+] Exploiting CVE-2026-46300 (Fragnesia)...
[+] Page-cache poisoned successfully for /usr/bin/su.
[+] Dropping into root shell...

# id
uid=0(root) gid=0(root) groups=0(root)
```

# Exploit:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-43284-CVE-2026-43500

# Demo:
https://www.patreon.com/posts/cve-2026-43284-157962202
https://www.patreon.com/posts/cve-2026-46300-k-158433402

# Patch (if you want):
https://www.patreon.com/posts/cve-2026-43284-157966167

# Time spent:
01:30:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>
