Overview
- Researcher Hyunwoo Kim released a public write-up and proof-of-concept on Friday after an embargo break, revealing a one-command local root exploit that works on most major Linux distributions.
- xfrm-ESP has a mainline fix and a CVE (CVE-2026-43284), while the RxRPC issue is tracked as CVE-2026-43500 with no patch yet, and distributors are preparing backports and live updates.
- The chain pairs two page-cache write flaws so one covers the other’s blind spots, with ESP working where unprivileged user namespaces are allowed and RxRPC working on systems like Ubuntu where that path is blocked but rxrpc loads by default.
- Maintainers advise temporarily blocklisting or unloading esp4, esp6, and rxrpc to reduce risk, a step that can break IPsec tunnels or AFS-based services, so operators should stage changes and prioritize updates on multi-tenant, CI, and Kubernetes hosts.
- The exploit alters only the page cache in RAM, so file hashes on disk stay clean, Copy Fail mitigations do not help, and defenders may need to drop caches or reboot after testing while tracking vendor advisories for patched kernels.
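
The module mitigation from the list above, as an added example (not from the write-up or any vendor advisory): a POSIX shell audit that reports, for esp4, esp6 and rxrpc, whether each module is loaded and how it is blocked in modprobe configuration. It assumes the standard /proc/modules and /etc/modprobe.d locations; the function names are chosen for this example.

```shell
#!/bin/sh
# Added example (not vendor tooling): report load and block state of the
# three modules named in the advisory. File locations are parameters so the
# functions can also be run against saved copies from other hosts.
MODULES="esp4 esp6 rxrpc"

# is_loaded MODULE [PROC_MODULES]: success if MODULE is listed as loaded.
# Code built into the kernel image never appears here and cannot be unloaded.
is_loaded() {
    grep -qs "^${1} " "${2:-/proc/modules}"
}

# block_state MODULE [MODPROBE_DIR]: prints install, blacklist-only or none.
block_state() {
    conf_dir="${2:-/etc/modprobe.d}"
    if grep -Eqs "^[[:space:]]*install[[:space:]]+${1}[[:space:]]+/(usr/)?bin/(false|true)" "$conf_dir"/*.conf; then
        echo install
    elif grep -Eqs "^[[:space:]]*blacklist[[:space:]]+${1}([[:space:]]|\$)" "$conf_dir"/*.conf; then
        echo blacklist-only
    else
        echo none
    fi
}

# audit_host [PROC_MODULES] [MODPROBE_DIR]: one status line per module.
audit_host() {
    for m in $MODULES; do
        if is_loaded "$m" "${1:-/proc/modules}"; then loaded=yes; else loaded=no; fi
        echo "$m loaded=$loaded block=$(block_state "$m" "${2:-/etc/modprobe.d}")"
    done
}

audit_host
```

A `blacklist` line only stops alias-based autoloading, so the script reports it separately from an `install <module> /bin/false` override, which also makes an explicit `modprobe` of that module fail.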