Critical Dual‑CVE Linux Kernel Local Privilege Escalation (CVE‑2026‑43284 & CVE‑2026‑43500) Impacts Major Distributions
What Happened – A chained exploit, dubbed “Kukurigu,” leverages two kernel bugs (CVE‑2026‑43284 in the xfrm‑ESP code path and CVE‑2026‑43500 in RxRPC) to write arbitrary data into the page‑cache. By poisoning cached pages of set‑uid binaries or system files, an unprivileged user can obtain a stable root shell on vulnerable Linux kernels spanning 2017‑2026.
Why It Matters for TPRM –
- Privilege‑escalation bugs can be weaponised by malicious insiders or compromised third‑party services, exposing your organization to data theft or ransomware.
- Many SaaS, cloud‑hosting, and telecom platforms run on the affected kernels; a breach can cascade through supply‑chain relationships.
- The exploit is reliable, low‑noise, and does not trigger kernel panics, making detection difficult.
Who Is Affected – Technology vendors, cloud‑infrastructure providers, telecom operators, financial services, government agencies, and any organization running the listed Linux distributions (Ubuntu 24.04‑26.04, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, Fedora 44).
Recommended Actions –
- Apply vendor‑supplied kernel patches immediately (or upgrade to patched kernel versions).
- Audit all Linux hosts for the vulnerable kernel range; prioritize critical production systems.
- Implement runtime integrity monitoring (e.g., file‑integrity tools, SELinux/AppArmor policies) to detect unauthorized page‑cache modifications.
- Review third‑party contracts for Linux‑based services and verify their patch‑management processes.
Technical Notes – The attack vector is a local‑only vulnerability exploit (no network component). CVE‑2026‑43284 enables arbitrary 4‑byte writes via the ESP protocol when ESN is active; CVE‑2026‑43500 allows in‑place decryption of RxRPC data, together permitting page‑cache poisoning of setuid binaries. No CVE‑specific mitigations were disclosed at time of writing. Source: Exploit‑DB 52585