{"uuid": "d0745ee1-0906-43a9-8130-e998f2e2cd6c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/Senci/6dd521104fd36bf9c679975fb9e8b89c", "content": "#!/usr/bin/env bash\n# Dirty Frag mitigation + verification\n# CVE-2026-43284 (xfrm-ESP) / CVE-2026-43500 (RxRPC)\n# Works on Rocky/RHEL and Arch \u2014 idempotent, no reboot required.\n\nset -euo pipefail\n\nCONF=/etc/modprobe.d/dirtyfrag.conf\nMODS=(esp4 esp6 rxrpc)\n\n[[ $EUID -eq 0 ]] || {\n  echo \"must run as root\" >&2\n  exit 1\n}\n\necho \"=== Dirty Frag mitigation ===\"\necho \"host:   $(hostname)\"\necho \"kernel: $(uname -r)\"\necho\n\n# 1. report whether vulnerable .ko files are present on this kernel\necho \"[1/5] vulnerable modules on disk:\"\nfor m in \"${MODS[@]}\"; do\n  f=$(find \"/lib/modules/$(uname -r)\" -name \"${m}.ko*\" 2>/dev/null | head -1)\n  [[ -n $f ]] && echo \"  - $m: $f\" || echo \"  - $m: not built for this kernel\"\ndone\necho\n\n# 2. write blacklist\necho \"[2/5] writing $CONF\"\ncat >\"$CONF\" <<'EOF'\n# Dirty Frag mitigation \u2014 block xfrm-ESP and RxRPC page-cache-write LPE\n# CVE-2026-43284 (esp4/esp6), CVE-2026-43500 (rxrpc)\n# Remove this file once distro kernel ships backports.\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\nEOF\nchmod 0644 \"$CONF\"\n\n# 3. unload anything currently loaded\necho \"[3/5] unloading currently loaded modules:\"\nfor m in \"${MODS[@]}\"; do\n  if lsmod | awk '{print $1}' | grep -qx \"$m\"; then\n    if rmmod \"$m\" 2>/dev/null; then\n      echo \"  - $m: unloaded\"\n    else\n      echo \"  - $m: in use, could not unload (reboot to clear)\"\n    fi\n  else\n    echo \"  - $m: not loaded\"\n  fi\ndone\n\n# 4. flush page cache (cleans up if exploit had been run pre-mitigation)\necho \"[4/5] flushing page cache\"\nsync\necho 3 >/proc/sys/vm/drop_caches\necho \"  - done\"\n\n# 5. verify autoload is blocked (dry-run, does not execute /bin/false)\necho\necho \"[5/5] verifying autoload is blocked:\"\nfail=0\nfor m in \"${MODS[@]}\"; do\n  if modprobe -n -v \"$m\" 2>&1 | grep -q '/bin/false'; then\n    echo \"  - $m: BLOCKED \u2713\"\n  else\n    echo \"  - $m: NOT BLOCKED \u2717\"\n    fail=1\n  fi\ndone\n\necho\nif [[ $fail -eq 0 ]]; then\n  echo \"=== mitigation applied successfully \u2014 no reboot required ===\"\n  exit 0\nelse\n  echo \"=== mitigation FAILED \u2014 investigate $CONF and modprobe config ===\"\n  exit 2\nfi\n", "creation_timestamp": "2026-05-08T19:04:16.000000Z"}