CVE-2026-43500 and CVE-2026-43284 analysis

https://socprime.com/blog/cve-2026-43500-and-cve-2026-43284-analysis/

Publish Date: 2026-05-11 14:11:00

Source Domain: socprime.com

Linux local privilege escalation bugs remain especially dangerous when they turn a limited foothold into full root access. The CVE-2026-43500 vulnerability is the RxRPC half of the Dirty Frag exploit chain, which Microsoft says is already linked to limited in-the-wild post-compromise abuse, while Qualys describes it as a page-cache write issue that can let an unprivileged local user escalate privileges on major Linux distributions.

This CVE-2026-43500 analysis is important because the Dirty Frag Linux vulnerability is not framed as a noisy remote initial-access bug. Instead, Microsoft says it may be used after SSH access, web-shell execution, container escape, or compromise of a low-privileged account, which makes it highly relevant in real-world intrusion chains where attackers already have some form of code execution.

Qualys explains that Dirty Frag combines two Linux kernel flaws: CVE-2026-43284 in xfrm-ESP and CVE-2026-43500 in RxRPC. Of the two, CVE-2026-43500 is especially notable because the exploit path does not require user-namespace creation and instead relies only on normal user privileges and unprivileged APIs such as add_key("rxrpc", …), socket(AF_RXRPC), socket(AF_ALG), splice(), and recvmsg().

At a technical level, Dirty Frag abuses Linux page-cache behavior on the receive side of a network protocol that performs in-place operations on skb fragments. Qualys says the exploit can pin a read-only page-cache page into kernel structures and then cause an in-place write onto that page, creating a reliable path to local privilege escalation without relying on the narrower race conditions seen in many older Linux LPE exploits.

In Qualys' description of the public CVE-2026-43500 PoC, the chosen target is the first line of /etc/passwd. Their write-up says the implementation rewrites bytes in a way that creates an empty password field for root,…
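As an added defensive check, not code from the SOC Prime or Qualys write-ups, this script parses passwd-format text and flags the outcome the PoC description above targets: a root entry whose password field has been emptied, along with other UID 0 or malformed entries that would indicate tampering. The sample lines are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str) -> list[Finding]:
    """Scan passwd-format text for signs of tampering.

    A healthy entry has seven colon-separated fields, and the password
    field is "x" (the hash lives in /etc/shadow) or another non-empty
    token. An empty second field means the account can log in without
    a password, which is the effect the PoC aims for on the root line.
    """
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        user = fields[0]
        if len(fields) != 7:
            findings.append(Finding(n, user, f"malformed entry: {len(fields)} fields, expected 7"))
            continue
        _, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(Finding(n, user, "empty password field"))
        if not uid.isdigit():
            findings.append(Finding(n, user, f"non-numeric UID {uid!r}"))
        elif uid == "0" and user != "root":
            findings.append(Finding(n, user, "UID 0 account that is not root"))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read())


# Constructed samples (not taken from the original page): a clean root
# line, and the same file with root's password field blanked out.
CLEAN_SAMPLE = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
TAMPERED_SAMPLE = "root::0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"

if __name__ == "__main__":
    for f in audit_passwd_file():
        print(f"line {f.line_no} ({f.user}): {f.reason}")
```

Run it periodically or from a file-integrity hook; a finding on line 1 for root with an empty password field matches the modification the write-up describes.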
