Tag Archives: DirtyFrag

May Linux Patch Wednesday

May Linux Patch Wednesday. A total of 1,638 vulnerabilities (474 in the Linux kernel). For comparison, in April there were 1,035 vulnerabilities (a record!). And this time it turns out to be a record again, more than one and a half times higher! The acceleration is both impressive and alarming. But we will see what happens next. At some point it should stabilize. Although the number of critical vulnerabilities is already so high that reviewing all of them becomes quite problematic. For 7 vulnerabilities there are signs of exploitation in the wild. And for another 264 there are public exploits. Let’s start, as usual, with vulnerabilities being actively exploited according to CISA KEV and VulnCheck KEV data. Here, at the top, as expected, are two high-profile ways to get a root shell:

🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431)
🔻 EoP - Linux Kernel "Dirty Frag" (CVE-2026-43500)

Other vulnerabilities being exploited in the wild:

🔻 RCE - Apache ActiveMQ (CVE-2026-40466). Based on the description, this appears to be a bypass of the fix for CVE-2026-34197, which I already wrote about earlier.

🔻 AuthBypass - Rclone (CVE-2026-41176). Rclone ("rsync for cloud storage") is a command-line utility for synchronizing files and directories between various cloud storage services and local systems. Exploitation of the vulnerability can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.

🔻 RCE - NGINX (CVE-2026-42945). The bug enables unauthenticated remote code execution against servers using rewrite and set directives.

🔻 DoS - PgBouncer (CVE-2026-6664). PgBouncer is a lightweight, open-source connection pooler for PostgreSQL databases. It reduces connection overhead by managing a pool of connections to one or more PostgreSQL servers, improving performance and resource efficiency for applications with frequent short-lived database connections. An integer overflow in the network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash.

🔻 XSS - Postorius (CVE-2026-44742). The Postorius Django app provides a web user interface to access GNU Mailman. Mailman is free software for managing electronic mail discussion and e-newsletter lists. The vulnerability is being exploited according to VulnCheck KEV; however, no public exploits have been observed yet.

From the remaining vulnerabilities with public exploits, but without any signs of exploitation in the wild so far, the following can be highlighted:

🔸 RCE - Apache HTTP Server (CVE-2026-23918). Double-free error in Apache httpd mod_http2 stream cleanup, leading to pre-auth RCE.

🔸 RCE - Apache Tomcat (CVE-2026-34486). Apache Tomcat Tribes cluster communication module fails to discard messages when EncryptInterceptor decryption fails, allowing unauthenticated attackers to trigger Remote Code Execution via Java deserialization on port 4000.

🔸 RCE - ProFTPD (CVE-2026-42167). The flaw exists in how mod_sql handles certain logging variables (like %U), allowing an unauthenticated attacker to inject SQL commands via the USER command.

🔸 EoP - Linux Kernel "DirtyDecrypt" (CVE-2026-31635). Linux local privilege escalation in the RxRPC/GSSAPI decryption path. A missing skb_cow_data() check in rxgk_decrypt_skb() allows an unprivileged local attacker to corrupt cache pages and overwrite in-memory contents of read-only files.

🔸 EoP - Linux Kernel "Fragnesia" (CVE-2026-46300). I also analyzed this vulnerability earlier. A bug in skb_try_coalesce() allowing page-cache write via fragmented ESP packets.

🔸 EoP - Linux Kernel (CVE-2026-46333). Local root privilege escalation and credential disclosure in the Linux kernel ptrace path, discovered by researchers at Qualys.

🔸 EoP - PackageKit "Pack2TheRoot" (CVE-2026-41651). PackageKit is a free and open-source suite of software applications designed to provide a consistent and high-level abstraction layer for a number of different package management systems. The vulnerability allows an attacker to escalate privileges, potentially gaining root access or compromising the system.

🔸 ComInj - Composer (CVE-2026-40261, CVE-2026-40176). Composer is a dependency manager for PHP. The vulnerability exists in the Perforce::generateP4Command() method. Due to insufficient sanitization of repository configuration parameters (such as url, p4user, or client) when constructing shell commands, an attacker who controls a composer.json file can execute arbitrary commands on the victim's system when composer install or composer update is executed.

🗒 Full Vulristics report

About Elevation of Privilege - Linux Kernel "Fragnesia" (CVE-2026-46300) vulnerability

About Elevation of Privilege - Linux Kernel "Fragnesia" (CVE-2026-46300) vulnerability. The vulnerability was discovered by researcher William Bowling together with the V12 team. Fragnesia belongs to the class of Dirty Frag vulnerabilities. It is a separate bug in the ESP/XFRM subsystem, distinct from Dirty Frag and fixed by a separate patch. It allows arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.

🛠 Technical details and exploit code were published on May 15. The public exploit modifies the contents of /usr/bin/su in the kernel page cache, and then executes /usr/bin/su, resulting in the user obtaining a root shell. The on-disk binary is never modified. A reboot or cache flush restores normal system behavior.

⚙️ Fragnesia affects the same kernel versions as Dirty Frag. Any distribution shipping a kernel without the May 13 patch is vulnerable. The vulnerability was confirmed on Ubuntu 6.8.0-111-generic (April 11, 2026 build). Monitor kernel package updates for your Linux distribution(s).

For systems where a kernel update is not possible, the same workaround as for Dirty Frag is effective (blacklisting modules). Systems where the Dirty Frag workaround has already been applied are already protected against Fragnesia. Systems that only received Dirty Frag updates without applying the workaround remain vulnerable and require new updates addressing Fragnesia.

About Elevation of Privilege - Linux Kernel "Dirty Frag" (CVE-2026-43284, CVE-2026-43500) vulnerability

About Elevation of Privilege - Linux Kernel "Dirty Frag" (CVE-2026-43284, CVE-2026-43500) vulnerability. According to information from researcher Hyunwoo Kim (@v4bel), Dirty Frag is a vulnerability (a class of vulnerabilities) that allows a local unprivileged attacker to obtain root privileges on most Linux distributions by combining the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and the RxRPC Page-Cache Write vulnerability (CVE-2026-43500). Exploitation of this chain enables the attacker to fully compromise the system: gain access to any files, disable protections, establish persistence, and use the host for further attacks.

⚙️🛠 The vulnerability chain description, technical write-up and exploit code were published on May 7. Exploitability has been confirmed on up-to-date distributions including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. The xfrm-ESP Page-Cache Write vulnerability has been present in the kernel since commit cac2661c53f3 (2017-01-17) and up to the current upstream version, while the RxRPC Page-Cache Write vulnerability has been present in the kernel since commit 2dc334f1a63a (2023-06) and up to the current upstream version. In other words, the actual time span during which these vulnerabilities have existed in the kernel is around 9 years.

Information about the vulnerability and the exploit was published before patches were available in affected Linux distributions. According to the researcher, on May 7 he submitted detailed information about the vulnerability and the exploit to the linux-distros mailing list. The embargo was set for 5 days, with an agreement that if a third party published the exploit on the internet during the embargo period, the "Dirty Frag" exploit would be released publicly. On the same day, this is exactly what happened: the information was leaked to the public, and the embargo was violated. 🤷‍♂️ As a result, the researcher proceeded with full disclosure.

A similar high-profile vulnerability, Elevation of Privilege - Linux Kernel "Copy Fail" (CVE-2026-31431), served as the motivation for this research. As the researcher reports, the xfrm-ESP Page-Cache Write vulnerability in the Dirty Frag chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, Linux remains vulnerable to Dirty Frag.

Why is a chain of two vulnerabilities used? As the researcher reports, the xfrm-ESP Page-Cache Write vulnerability provides a powerful arbitrary 4-byte STORE primitive, similar to Copy Fail, and is present in most distributions. However, its exploitation requires the privilege to create a namespace. In Ubuntu, unprivileged user namespace creation is sometimes restricted by AppArmor policy. In such an environment, xfrm-ESP Page-Cache Write cannot be triggered. The RxRPC Page-Cache Write vulnerability does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions. However, on Ubuntu, the rxrpc.ko module is loaded by default. Chaining the two variants makes the blind spots cover each other, allowing root privileges to be obtained on every major distribution.

As of May 8, the fix for the xfrm-ESP Page-Cache Write (CVE-2026-43284) vulnerability has been merged into the mainline Linux kernel, while the fix for the RxRPC Page-Cache Write (CVE-2026-43500) vulnerability has not yet been merged. It is recommended to monitor the release of security updates for CVE-2026-43284 and CVE-2026-43500 across the Linux distributions in use and apply them promptly. As a workaround, the vulnerability researcher proposes a script that prevents loading of the esp4, esp6, and rxrpc modules, attempts to unload them from the kernel, and clears the Linux memory cache:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
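A verification script for the workaround above, added here as an example (it is not the researcher's script): it confirms that esp4, esp6 and rxrpc are blacklisted with "install <mod> /bin/false" in the modprobe directory and that none of them is still resident. The directory and modules-file paths are passed as arguments so the checks can also be exercised on constructed files.

```shell
#!/bin/sh
# Checks the Dirty Frag / Fragnesia workaround (added example, not the
# researcher's script): the three modules must be blacklisted and unloaded.

MODS="esp4 esp6 rxrpc"

# check_modprobe_conf DIR: 0 if every module has an "install <mod> /bin/false"
# line in some *.conf under DIR (normally /etc/modprobe.d), else list gaps, 1.
check_modprobe_conf() {
    dir="$1"
    missing=""
    for mod in $MODS; do
        if ! grep -Eqs "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/false" "$dir"/*.conf; then
            missing="$missing $mod"
        fi
    done
    if [ -n "$missing" ]; then
        echo "not blacklisted:$missing"
        return 1
    fi
    echo "modprobe blacklist ok"
}

# check_loaded_modules FILE: FILE is /proc/modules or a copy of it. Returns 1
# and names any module still resident (rmmod fails silently if it is in use).
check_loaded_modules() {
    file="$1"
    loaded=""
    for mod in $MODS; do
        if grep -Eqs "^$mod " "$file"; then
            loaded="$loaded $mod"
        fi
    done
    if [ -n "$loaded" ]; then
        echo "still loaded:$loaded"
        return 1
    fi
    echo "no vulnerable module loaded"
}

# Run both checks against the live system: sh dirtyfrag-check.sh --run
if [ "${1:-}" = "--run" ]; then
    rc=0
    check_modprobe_conf /etc/modprobe.d || rc=1
    check_loaded_modules /proc/modules || rc=1
    exit $rc
fi
```

A non-zero exit from --run means the host is still exposed and needs either the blacklist entries rewritten or a reboot to drop a module that could not be unloaded.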