Critical Linux Kernel Local Privilege Escalation (CVE‑2026‑43284/43500/46300) Impacts Major Distributions
What Happened — A chain of three kernel flaws (CVE‑2026‑43284, CVE‑2026‑43500, CVE‑2026‑46300) enables an unprivileged user to write arbitrary data into the page‑cache, allowing modification of setuid binaries and system files. The publicly released “Kukurigu” exploit demonstrates near‑100 % success on tested Ubuntu, RHEL, openSUSE, CentOS Stream, AlmaLinux, and Fedora releases.
Why It Matters for TPRM —
- Persistent LPE can let a compromised third‑party service gain root on host systems, jeopardizing data confidentiality and integrity.
- Many SaaS and managed‑service providers run workloads on vulnerable Linux kernels; a breach can cascade to your organization.
- Patch cycles for kernel releases are often lengthy; exposure may persist across multiple product versions.
Who Is Affected — Cloud‑infrastructure providers, managed service providers, SaaS platforms, and any organization running affected Linux distributions (Ubuntu 24.04‑26.04, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, Fedora 44).
Recommended Actions —
- Verify kernel versions on all Linux assets and cross‑check against the vulnerable range (2017‑01‑17 to 2026‑05‑10).
- Prioritize patching to the latest kernel releases that address CVE‑2026‑43284, CVE‑2026‑43500, and CVE‑2026‑46300.
- Deploy kernel hardening controls (e.g., SELinux/AppArmor, mandatory access controls) and monitor for suspicious page‑cache activity.
Technical Notes — The exploit leverages a page‑cache write primitive via the ESP protocol (xfrm), an RxRPC decryption flaw, and a skb coalescing bug, allowing modification of setuid binaries without triggering kernel panics. No CVE‑specific mitigations were publicly available at time of disclosure. Source: Exploit‑DB 52591