CVE-2026-43284
Hello, my name is NOT unconfined: Two Hops and a Shell on Ubuntu
2026-05-13 · Keith Linneman
Ubuntu's userns restriction patch checks a pointer, not a property. After one profile hop, the label is still functionally unconfined but it's not the sentinel the patch is looking for. Two aa-exec calls, chained into host root via dirtyfrag. Exploring SiCk's two-hop AppArmor bypass.
Porting Dirty Frag to arm64: Detection, Prevention and Hardening Notes
2026-05-11 · Keith Linneman
Porting the CVE-2026-43284 exploit to aarch64. The rxrpc path causes a kernel oops on arm64. Ubuntu 24.04's AppArmor blocked exploitation over SSH; transitioning into an existing complain-mode profile leads to success. Analysis of chmod o-r as a mitigation for SUID targets, FIM limitations, and page-cache persistence.