module
rxkad Page-Cache Write via CVE-2026-43500
| Disclosed | Created |
|---|---|
| May 8, 2026 | May 21, 2026 |
Description
This module exploits CVE-2026-43500, a memory-corruption vulnerability in the Linux kernel's
RxRPC authentication subsystem (rxkad). When a crafted DATA packet is delivered to an AF_RXRPC
socket configured with an attacker-controlled rxkad session key, the kernel's
rxkad_verify_packet_1() function performs an in-place 8-byte pcbc(fcrypt) decryption
directly on the page-cache page referenced by the splice offset. Because the decryption
mutates the page in place without marking it dirty, the corrupted in-memory view is
immediately visible to all processes reading from the page cache. This allows a local
attacker to corrupt the in-memory contents of a SUID binary and escalate privileges to root.
Authors
Hyunwoo Kim
Giovanni Heward
Platform
Linux, Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':