More Linux LPEs
Hark, the age of the Linux LPE has arrived. This week’s release follows up on recent work bringing new Linux LPEs to Metasploit users. Copy Fail seems to have kicked off a trend of similar bugs, and hot on its heels is Dirty Frag. Dirty Frag is actually two vulnerabilities in a trenchcoat, individually identified as CVE-2026-43284 and CVE-2026-43500. Each is exploitable on its own and comes with a new Metasploit module.
New module content (5)
Citrix ADC (NetScaler) CVE-2026-3055 Scanner
Authors: sfewer-r7 and watchTowr
Type: Auxiliary
Pull request: #21204 contributed by sfewer-r7
Path: scanner/http/citrix_netscaler_cve_2026_3055
AttackerKB reference: CVE-2026-3055
Description: Adds an auxiliary module targeting CVE-2026-3055, an info leak in Citrix NetScaler (when configured as a SAML IdP). Similar to the other CitrixBleed vulns, we can leak memory and potentially discover session cookies.
Ollama Scanner
Author: h00die
Type: Auxiliary
Pull request: #21271 contributed by h00die
Path: scanner/http/ollama_info
Description: Adds an Ollama LLM auxiliary scanner module to enumerate which LLMs are installed and details about them.
xfrm-ESP Page-Cache Write via CVE-2026-43284
Authors: Giovanni Heward and Hyunwoo Kim
Type: Exploit
Pull request: #21434 contributed by offsecguy
Path: linux/local/cve_2026_43284_dirty_frag
AttackerKB reference: CVE-2026-43284
Description: Adds two new local privilege escalation modules for the “DirtyFrag” Linux kernel vulnerabilities. The first targets CVE-2026-43284, a page-cache write vulnerability in the xfrm/ESP fragmentation path. The second targets CVE-2026-43500, a page-cache corruption vulnerability in the RxRPC/rxkad subsystem.
Dompdf RCE via Malicious Font Caching (CVE-2022-28368)
Authors: Adithya Pawar, Fabian Bräunlein, Maximilian Kirchmeier, msutovsky-r7, and rvizx
Type: Exploit
Pull request: #21155 contributed by Adithyadspawar
Path: multi/http/dompdf_rce_cve_2022_28368
AttackerKB reference: CVE-2022-28368
Description: Adds a new exploit module for CVE-2022-28368, an unauthenticated remote code execution vulnerability in dompdf prior to 1.2.1. When remote resource loading is enabled, dompdf preserves the .php extension when caching fonts fetched via CSS @font-face rules, allowing an attacker to drop a PHP webshell in the font cache directory and trigger it with a follow-up request.
Supsystic Contact Form WordPress Plugin SSTI RCE
Authors: Azril Fathoni and bootstrapbool
Type: Exploit
Pull request: #21267 contributed by bootstrapbool
Path: multi/http/wp_plugin_supsystic_contact_form_rce
AttackerKB reference: CVE-2026-4257
Description: This adds a module to exploit CVE-2026-4257, resulting in remote code execution on WordPress sites with the Contact Form by Supsystic plugin. Contact Form plugin versions 1.7.36 and earlier are vulnerable.
Bugs fixed (4)
- #21390 from zeroSteiner – This refines our smb_to_ldap relay attack reporting by demoting anonymous authentication messages from print_good to print_status, reflecting that anonymous sessions do not grant additional privileges. It also skips the #on_relay_success callback for these sessions to prevent modules from needlessly acting on unprivileged access.
- #21443 from jheysel-r7 – This bumps the Metasploit-credentials gem to address an issue in how Kerberos hashes were being handled.
- #21485 from adfoster-r7 – Fixes MCP server test failure.
- #21487 from adfoster-r7 – Updates to a newer version of RubyZip to support Zip files larger than 4GB.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition, Metasploit Pro.

