Linux Kernel - Local Privilege Escalation

EDB-ID: 52585

Platform: Linux

Date: 2026-05-27


**Title:** Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500)
**Author:** nu11secur1ty
**Date:** 2026-05-11
**Vendor:** Linux Kernel
**Software:** Linux Kernel (All major distributions)
**Vulnerability Type:** Page-Cache Write / Memory Corruption
**Status:** HIGH / CRITICAL

---

## Description

The **"Kukurigu"** exploit represents a sophisticated local privilege
escalation (LPE) vector targeting the Linux kernel's page-cache management.
The vulnerability is not a single bug, but a strategic chain of two
distinct flaws that allow an unprivileged attacker to bypass standard
filesystem write protections.

### Vulnerability Chain:
1.  **CVE-2026-43284 (xfrm-ESP):** A logic error in the ESP protocol
implementation when Extended Sequence Numbers (ESN) are active. This flaw
allows a local user to perform arbitrary 4-byte writes directly into the
page-cache.
2.  **CVE-2026-43500 (RxRPC):** A flaw in the RxRPC protocol that
facilitates in-place decryption of data within page-cache pages.

### Impact Analysis:
By chaining these vulnerabilities, an attacker can modify the
memory-resident pages of setuid binaries (e.g., `/usr/bin/su` or
`/usr/bin/sudo`) or sensitive system files (e.g., `/etc/passwd`). Because
the modification occurs in the page-cache, the attacker effectively
"poisons" the execution environment.

**Key Advantages for the Attacker:**
*   **Stability:** No race conditions involved.
*   **Reliability:** Near 100% success rate on tested environments.
*   **Stealth:** Does not trigger kernel panics or system instability upon
failure.
*   **Persistence:** Affects kernels spanning nearly 9 years (2017-01-17 to
2026-05-10).
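The impact section above rests on one property: the poisoned bytes live in the page-cache, not on disk. A defender can therefore look for divergence between what a normal read returns (served from the page-cache) and what an `O_DIRECT` read returns (served from the block device). The following is an added detection check, not code from the advisory or from the exploit repository; it assumes a Linux filesystem that supports `O_DIRECT` (ext4, xfs) and reports `unsupported` on those that do not (tmpfs, some overlay setups).

```python
import hashlib
import mmap
import os

CHUNK = 1 << 20  # 1 MiB; a multiple of any sane logical block size


def sha256_cached(path):
    """Hash the file the ordinary way: bytes come from the page-cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_direct(path):
    """Hash the file with O_DIRECT so bytes bypass the page-cache.

    O_DIRECT requires a block-aligned buffer, so an anonymous mmap (page
    aligned) is used. Returns None when the filesystem rejects O_DIRECT.
    """
    o_direct = getattr(os, "O_DIRECT", None)
    if o_direct is None:  # non-Linux platform
        return None
    try:
        fd = os.open(path, os.O_RDONLY | o_direct)
    except OSError:  # EINVAL: filesystem does not support O_DIRECT
        return None
    try:
        buf = mmap.mmap(-1, CHUNK)
        h = hashlib.sha256()
        while True:
            n = os.readv(fd, [buf])  # short read only at EOF
            if n == 0:
                break
            h.update(buf[:n])
        return h.hexdigest()
    except OSError:  # e.g. overlayfs accepting open() but failing read()
        return None
    finally:
        os.close(fd)


def check_page_cache(path):
    """Compare cached vs on-disk content of one file.

    'match'       : page-cache and disk agree
    'MISMATCH'    : cached pages differ from disk (investigate immediately)
    'unsupported' : O_DIRECT unavailable here; fall back to package checks
    """
    cached = sha256_cached(path)
    direct = sha256_direct(path)
    if direct is None:
        return "unsupported"
    return "match" if cached == direct else "MISMATCH"


if __name__ == "__main__":
    # Paths named in the advisory as likely targets; adjust to local layout.
    for p in ("/usr/bin/su", "/usr/bin/sudo", "/etc/passwd"):
        if os.path.exists(p):
            print(f"{check_page_cache(p):<12} {p}")
```

This only observes divergence while the poisoned pages are still resident; once they are evicted or written back the comparison is moot, so it complements rather than replaces package verification (`rpm -V`, `debsums`), which compares the cached file content against the distribution's recorded hashes and would also flag a poisoned setuid binary.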

---

## Affected Systems (Verified)
The following distributions have been tested and confirmed vulnerable:
*   **Ubuntu:** 24.04.4 / 25.10 / 26.04
*   **RHEL:** 10.1
*   **openSUSE:** Tumbleweed
*   **CentOS Stream:** 10
*   **AlmaLinux:** 10
*   **Fedora:** 44

---

## Proof of Concept (PoC)

### Execution Flow:
```bash
# Compiling the exploit tool
$ gcc -O2 kukurigu.c -o kukurigu_exploit

# Running the exploit against a target binary
$ ./kukurigu_exploit --target /usr/bin/su --method esp

[+] Initializing Kukurigu LPE engine...
[+] Exploiting CVE-2026-43284 (xfrm-ESP write)...
[+] Exploiting CVE-2026-43500 (RxRPC decryption)...
[+] Page-cache poisoned successfully for /usr/bin/su.
[+] Dropping into root shell...

# id
uid=0(root) gid=0(root) groups=0(root)
```

[+] Exploit:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-43284-CVE-2026-43500)

# Demo:
[href](https://www.patreon.com/posts/cve-2026-43284-157962202)

# Patch if you want:
[href](https://www.patreon.com/posts/cve-2026-43284-157966167)

# Time spent:
01:30:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>