
Metasploit Wrap Up 05/29/2026

Rapid7 Archived May 29, 2026



More Linux LPEs

Hark the age of the Linux LPE has arrived. This week’s release follows up on recent work bringing new Linux LPEs to Metasploit users. Copy Fail seemed to have kicked off a trend of similar bugs and hot on its heels is Dirty Frag. Dirty Frag is actually two vulnerabilities in a trenchcoat, individually identified as CVE-2026-43284 and CVE-2026-43500. Each is exploitable individually and comes with a new Metasploit module.

New module content (5)

Citrix ADC (NetScaler) CVE-2026-3055 Scanner
Authors: sfewer-r7 and watchTowr
Type: Auxiliary
Pull request: #21204 contributed by sfewer-r7
Path: scanner/http/citrix_netscaler_cve_2026_3055
AttackerKB reference: CVE-2026-3055
Description: Adds auxiliary module targeting CVE-2026-3055, an info leak in Citrix NetScaler (when configured as an SAML IdP). Similar to the other CitrixBleed vulns, we can leak memory and potentially discover session cookies.

Ollama Scanner
Author: h00die
Type: Auxiliary
Pull request: #21271 contributed by h00die
Path: scanner/http/ollama_info
Description: Adds an ollama LLM auxiliary scanner module to enumerate which LLMs are installed and details about them.

xfrm-ESP Page-Cache Write via CVE-2026-43284
Authors: Giovanni Heward and Hyunwoo Kim
Type: Exploit
Pull request: #21434 contributed by offsecguy
Path: linux/local/cve_2026_43284_dirty_frag
AttackerKB reference: CVE-2026-43284
Description: Adds two new local privilege escalation modules for the "DirtyFrag" Linux kernel vulnerabilities. The first targets CVE-2026-43284, a page-cache write vulnerability in the xfrm/ESP fragmentation path. The second targets CVE-2026-43500, a page-cache corruption vulnerability in the RxRPC/rxkad subsystem.

Dompdf RCE via Malicious Font Caching (CVE-2022-28368)
Authors: Adithya Pawar, Fabian Bräunlein, Maximilian Kirchmeier, msutovsky-r7, and rvizx
Type: Exploit
Pull request: #21155 contributed by Adithyadspawar
Path: multi/http/dompdf_rce_cve_2022_28368
AttackerKB reference: CVE-2022-28368
Description: Adds a new exploit module for CVE-2022-28368, an unauthenticated remote code execution vulnerability in dompdf prior to 1.2.1. When remote resource loading is enabled, dompdf preserves the .php extension when caching fonts fetched via CSS @font-face rules, allowing an attacker to drop a PHP webshell in the font cache directory and trigger it with a follow-up request.

Supsystic Contact Form Wordpress Plugin SSTI RCE
Authors: Azril Fathoni and bootstrapbool bootstrapbool@gmail.com
Type: Exploit
Pull request: #21267 contributed by bootstrapbool
Path: multi/http/wp_plugin_supsystic_contact_form_rce
AttackerKB reference: CVE-2026-4257
Description: This adds a module to exploit CVE-2026-4257 resulting in remote code execution on Wordpress sites with the Contact Form by Supsystic plugin. Contact Form plugin versions 1.7.36 and before are vulnerable.

Bugs fixed (4)

#21390 from zeroSteiner - This refines our smb_to_ldap relay attack reporting by demoting anonymous authentication messages from print_good to print_status, reflecting that anonymous sessions do not grant additional privileges. It also skips the #on_relay_success callback for these sessions to prevent modules from needlessly acting on unprivileged access.

#21443 from jheysel-r7 - This bumps the Metasploit-credentials gem to address an issue in how Kerberos hashes were being handled.

#21485 from adfoster-r7 - Fixes MCP server test failure.

#21487 from adfoster-r7 - Updates to a newer version of RubyZip to support Zip files larger than 4GB.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 6.4.134...6.4.135
Full diff 6.4.134...6.4.135

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Author: Spencer McIntyre
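The dompdf entry above turns on one detail: the cached font file keeps the extension of the remote URL. The following Python model is an added example, not code from dompdf, Metasploit or the original post; the function names, the extension allowlist and the example.test URLs are assumptions chosen for illustration. It contrasts that naming pattern with a cache name built from an allowlisted extension.

```python
# Added illustration; not dompdf source code. All names here are hypothetical.
import hashlib
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed allowlist of font extensions a renderer would agree to cache.
ALLOWED_FONT_EXTS = {".ttf", ".otf", ".woff", ".woff2"}


def _url_suffix(url: str) -> str:
    """Return the lower-cased extension of the URL path only.

    The query string and fragment are ignored, and percent-encoding is
    decoded first so that 'a.ph%70' is seen as 'a.php'.
    """
    path = unquote(urlsplit(url).path)
    return posixpath.splitext(path)[1].lower()


def _digest(url: str) -> str:
    return hashlib.sha256(url.encode("utf-8")).hexdigest()[:16]


def weak_cache_name(family: str, url: str) -> str:
    """Flawed pattern: whatever extension the remote URL has is kept."""
    return f"{family}_{_digest(url)}{_url_suffix(url)}"


def safe_cache_name(family: str, url: str) -> str:
    """Hardened pattern: reject any extension outside the allowlist and
    strip path separators and dots from the CSS-supplied family name."""
    ext = _url_suffix(url)
    if ext not in ALLOWED_FONT_EXTS:
        raise ValueError(f"refusing to cache font with extension {ext!r}")
    safe_family = "".join(c if c.isalnum() else "_" for c in family)
    return f"{safe_family}_{_digest(url)}{ext}"


def is_rejected(url: str) -> bool:
    """True when safe_cache_name() refuses the URL."""
    try:
        safe_cache_name("demo", url)
    except ValueError:
        return True
    return False
```

Serving the font cache directory from a location where the web server will not execute scripts is a separate control that still applies when the naming is correct.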