# Linux Kernel - Local Privilege Escalation

* **EDB-ID:** 52591
* **CVE:** 2026-46300 2026-43500 2026-43284
* **Author:** NU11SECUR1TY
* **Type:** LOCAL
* **Platform:** LINUX
* **Date:** 2026-05-29

* **Titles:** Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500 / CVE-2026-46300)
* **Author:** nu11secur1ty
* **Date:** 2026-05-11
* **Vendor:** Linux Kernel
* **Software:** Linux Kernel (All major distributions)
* **Vulnerability Type:** Page-Cache Write / Memory Corruption
* **Status:** HIGH / CRITICAL

---

## Description

The **"Kukurigu"** exploit represents a sophisticated local privilege escalation (LPE) vector targeting the Linux kernel's page-cache management. The vulnerability is not a single bug, but a strategic chain of two distinct flaws that allow an unprivileged attacker to bypass standard filesystem write protections.

### Vulnerability Chain:

1. **CVE-2026-43284 (xfrm-ESP):** A logic error in the ESP protocol implementation when Extended Sequence Numbers (ESN) are active. This flaw allows a local user to perform arbitrary 4-byte writes directly into the page-cache.
2. **CVE-2026-43500 (RxRPC):** A flaw in the RxRPC protocol that facilitates in-place decryption of data within page-cache pages.
3. **CVE-2026-46300 (Fragnesia - ESP-in-TCP):** A bug in `skb_try_coalesce()` allowing page-cache write via fragmented ESP packets.

### Impact Analysis:

By chaining these vulnerabilities, an attacker can modify the memory-resident pages of setuid binaries (e.g., `/usr/bin/su` or `/usr/bin/sudo`) or sensitive system files (e.g., `/etc/passwd`). Because the modification occurs in the page-cache, the attacker effectively "poisons" the execution environment.

**Key Advantages for Attacker:**

* **Stability:** No race conditions involved.
* **Reliability:** Near 100% success rate on tested environments.
* **Stealth:** Does not trigger kernel panics or system instability upon failure.
* **Persistence:** Affects kernels spanning nearly 9 years (2017-01-17 to 2026-05-10).

---

## Affected Systems (Verified)

The following distributions have been tested and confirmed vulnerable:

* **Ubuntu:** 24.04.4 / 25.10 / 26.04
* **RHEL:** 10.1
* **openSUSE:** Tumbleweed
* **CentOS Stream:** 10
* **AlmaLinux:** 10
* **Fedora:** 44

---

## Proof of Concept (PoC)

### Execution Flow:

```bash
# Compiling the exploit tool
$ gcc -O2 kukurigu.c -o kukurigu_exploit

# Running the exploit against a target binary
$ ./kukurigu_exploit --target /usr/bin/su --method esp
[+] Initializing Kukurigu LPE engine...
[+] Exploiting CVE-2026-43284 (xfrm-ESP write)...
[+] Exploiting CVE-2026-43500 (RxRPC decryption)...
[+] Exploiting CVE-2026-46300 (Fragnesia)...
[+] Page-cache poisoned successfully for /usr/bin/su.
[+] Dropping into root shell...

# id
uid=0(root) gid=0(root) groups=0(root)
```

* **Exploit:** [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-43284-CVE-2026-43500)
* **Demo:** [href](https://www.patreon.com/posts/cve-2026-43284-157962202) [href](https://www.patreon.com/posts/cve-2026-46300-k-158433402)
* **Patch if you want:** [href](https://www.patreon.com/posts/cve-2026-43284-157966167)
* **Time spent:** 01:30:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>

The "Kukurigu" exploit chain (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) enables local privilege escalation by leveraging flaws in the kernel's page-cache management to perform arbitrary writes and modify memory-resident pages of setuid binaries. The primary CVE-2026-43284 has a CVSS score of 8.8 (HIGH), affecting Linux kernels from version 4.11 up to but excluding 5.10.255, 5.12 up to but excluding 5.15.205, 5.16 up to but excluding 6.1.171, 6.2 up to but excluding 6.6.138, and 6.7 up to but excluding 6.12.87. To remediate, affected systems must be upgraded to kernel versions 5.10.255, 5.15.205, 6.1.171, 6.6.138, 6.12.87, 6.18.28, or 7.0.5, depending on the specific kernel branch in use.
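
The version ranges above can be turned into a triage check for an inventory of `uname -r` strings. This is an added example, not code from the advisory or the kernel project; it encodes only the five ranges this page states for CVE-2026-43284, and the function names and sample release strings are constructed for illustration.

```python
import platform
import re

# Affected ranges as stated on this page for CVE-2026-43284:
# (first affected, first fixed), upper bound exclusive.
# 6.18.28 and 7.0.5 are also listed as fixed releases, but the page gives
# no affected range for those branches, so none is encoded here.
AFFECTED_RANGES = [
    ((4, 11, 0), (5, 10, 255)),
    ((5, 12, 0), (5, 15, 205)),
    ((5, 16, 0), (6, 1, 171)),
    ((6, 2, 0), (6, 6, 138)),
    ((6, 7, 0), (6, 12, 87)),
]

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), suffix)."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def classify(release):
    """Return (status, first_fixed, vendor_build) for one release string.

    vendor_build is a heuristic: any suffix after the numeric version
    suggests a distribution or custom build that may carry backports.
    """
    version, suffix = parse_release(release)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return "affected", ".".join(map(str, first_fixed)), bool(suffix)
    return "not-listed", None, bool(suffix)


if __name__ == "__main__":
    # Constructed sample release strings, then the kernel this runs on.
    for rel in ["6.8.0-31-generic", "6.12.87", "5.15.204", platform.release()]:
        try:
            status, fix, vendor = classify(rel)
        except ValueError as exc:
            print(f"{rel}: {exc}")
            continue
        note = " (vendor build: confirm against the distro advisory)" if vendor else ""
        print(f"{rel:<22} {status:<10} fixed in: {fix or 'n/a'}{note}")
```

Distribution kernels often backport fixes without changing the upstream version number, so an `affected` result on a vendor build is a prompt to check the vendor's advisory rather than a final verdict. A `not-listed` result only means the version falls outside the ranges quoted on this page.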