Back to Intelligence

CVE-2026-43284 & CVE-2026-43500: Linux 'Dirty Frag' LPEs and Citrix ADC CVE-2026-3055 Defense

SA
Security Arsenal Team
May 29, 2026
6 min read

The threat landscape for Linux infrastructure has shifted aggressively this week. The latest Metasploit wrap-up (05/29/2026) confirms the arrival of a new era in Linux Local Privilege Escalations (LPEs). Following the "Copy Fail" trend, Rapid7 has released modules for "Dirty Frag"—actually two distinct vulnerabilities masquerading as one: CVE-2026-43284 and CVE-2026-43500.

Simultaneously, a new auxiliary module targets Citrix ADC (NetScaler) via CVE-2026-3055, an information leak vulnerability. The release of these modules in a widely used framework like Metasploit lowers the barrier to entry significantly. What was once theoretical or required bespoke exploit development is now a few commands away for any script kiddie or opportunistic attacker. Defenders must treat these releases as the "go" signal for active exploitation and prioritize patching and detection immediately.

Technical Analysis

1. Dirty Frag: Linux LPE (CVE-2026-43284 & CVE-2026-43500)

  • Affected Platforms: Linux Kernel (specific versions currently being analyzed; the trend suggests recent distributions are at risk).
  • CVE Identifiers: CVE-2026-43284, CVE-2026-43500.
  • Vulnerability Class: Local Privilege Escalation.
  • Mechanism: These vulnerabilities act as "two vulnerabilities in a trenchcoat." While the specific kernel subsystem flaw is still being disseminated by the vendor, they are individually exploitable. They likely follow the lineage of race conditions or memory corruption flaws in the kernel's memory management (similar to Dirty Cow/Pipe), allowing a non-privileged user to gain root access.
  • Exploitation Status: Weaponized. The inclusion of dedicated Metasploit modules confirms that functional exploits are public. Attackers can use these to pivot from a web shell or low-priv container compromise to full root control of the host.

2. Citrix ADC CVE-2026-3055 Scanner

  • Affected Products: Citrix ADC (NetScaler).
  • CVE Identifier: CVE-2026-3055.
  • Vulnerability Class: Information Disclosure.
  • Mechanism: An information leak vulnerability that occurs when the device is configured in a specific manner (often default or common deployments). The flaw allows attackers to leak sensitive memory or configuration data.
  • Metasploit Module: scanner/http/citrix_netscaler_cve_2026_3055 (Auxiliary).
  • Exploitation Status: Scanning/Reconnaissance Active. The release of a scanner module precedes full remote code execution (RCE) modules. Adversaries will use this scanner to identify vulnerable devices to harvest credentials or configuration data before launching deeper attacks.

Detection & Response

Given the release of Metasploit modules, we expect to see a spike in automated scanning and exploitation attempts. Below are detection rules and hunt queries to identify active exploitation of the Citrix flaw and the usage of Metasploit framework components for Linux LPEs.

Sigma Rules

YAML
---
title: Potential Citrix ADC CVE-2026-3055 Scanning Activity
id: 8d7f9a12-3c4e-4f5a-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects potential scanning of Citrix ADC for CVE-2026-3055 based on Metasploit auxiliary module usage patterns.
references:
 - https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-05-29-2026
author: Security Arsenal
date: 2026/05/30
tags:
 - attack.initial_access
 - attack.t1595.003
logsource:
 category: proxy
 product: null
detection:
 selection:
   c-user-agent|contains: 'Metasploit'
   cs-host|contains:
     - 'ns_' # Common NetScaler default hostname pattern
     - 'citrix'
     - 'netscaler'
 condition: selection
falsepositives:
 - Authorized penetration testing
 - Misconfigured scanners
level: high
---
title: Metasploit Framework Execution on Linux Endpoint
id: 9e8g0h1i-2j3k-4l5m-6n7o-8p9q0r1s2t3u
status: experimental
description: Detects the execution of Metasploit framework tools (msfconsole, msfvenom) on Linux endpoints. Relevant for detecting attackers preparing to use new Linux LPE modules.
references:
 - https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2026/05/30
tags:
 - attack.privilege_escalation
 - attack.t1068
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   Image|endswith:
     - '/msfconsole'
     - '/msfvenom'
     - '/msfrpcd'
   or
   CommandLine|contains:
     - 'msfconsole'
     - 'msfvenom'
 condition: selection
falsepositives:
 - Authorized security testing
 - Administrator tooling
level: critical

KQL (Microsoft Sentinel)

Hunt for Citrix ADC scanners and suspicious Linux process execution.

KQL — Microsoft Sentinel / Defender
// Hunt for Citrix ADC scanning via Proxy logs
CommonSecurityLog
| where DeviceVendor in ("Citrix", "Citrix Systems")
| where RequestURL contains "/vpn/" or ApplicationProtocol == "HTTPS"
| where UserAgent contains "Metasploit" 
| project TimeGenerated, DeviceIP, SourceIP, DestinationPort, UserAgent, RequestURL
| order by TimeGenerated desc

// Hunt for Metasploit execution on Linux via Syslog/CEF
Syslog
| where ProcessName contains "msfconsole" or ProcessName contains "msfvenom"
| project TimeGenerated, HostName, ProcessName, ProcessID, SyslogMessage
| order by TimeGenerated desc

Velociraptor VQL

Hunt for running Metasploit processes or suspicious shell spawns characteristic of LPE usage.

VQL — Velociraptor
-- Hunt for Metasploit related processes on Linux
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ 'msfconsole'
   OR Name =~ 'msfvenom'
   OR CommandLine =~ 'metasploit'

-- Hunt for recent shell spawns (potential post-exploitation)
SELECT Pid, Name, ParentPid, CommandLine, Exe
FROM pslist()
WHERE Name IN ('bash', 'sh', 'zsh')
  AND Exe NOT IN ('/bin/bash', '/bin/sh', '/usr/bin/zsh')
ORDER BY Pid DESC
LIMIT 50

Remediation Script (Bash)

Use this script to check for the presence of Metasploit (indicative of compromise) and check the kernel version. Note that patching "Dirty Frag" requires a kernel update from your specific Linux vendor.

Bash / Shell
#!/bin/bash

# Security Arsenal - Dirty Frag & Citrix Scanner Response
# Checks for Metasploit processes and Kernel Version

echo "[+] Checking for running Metasploit processes..."
if pgrep -f "msfconsole" > /dev/null || pgrep -f "msfvenom" > /dev/null; then
    echo "[!] WARNING: Metasploit process detected! Investigate immediately."
    ps aux | grep -E "msfconsole|msfvenom"
else
    echo "[-] No Metasploit processes detected."
fi

echo "[+] Checking Current Kernel Version..."
uname -r
echo "[!] ACTION REQUIRED: Compare kernel version against vendor advisory for CVE-2026-43284 and CVE-2026-43500."
echo "[!] If vulnerable, update kernel immediately and reboot."

# Note for Citrix ADC Administrators:
# Run the following on the Citrix ADC Shell:
# show ns version
# Check build version against Citrix Security Advisory for CVE-2026-3055.
# Apply recommended firmware update immediately.

Remediation

  1. Patch Linux Kernel Immediately (Dirty Frag):

    • Monitor your Linux distribution's security updates closely for patches addressing CVE-2026-43284 and CVE-2026-43500.
    • These are kernel-level vulnerabilities. Patching will require a reboot of the host.
    • Prioritize patching internet-facing Linux servers and servers hosting multi-tenant environments (where a non-root user compromise is more likely).

  2. Update Citrix ADC (CVE-2026-3055):

    • Review the official Citrix security bulletin for CVE-2026-3055.
    • Upgrade your Citrix ADC (NetScaler) appliances to the latest recommended firmware version that patches this information leak.
    • Workaround: If a patch cannot be applied immediately, restrict management interface access to trusted IP addresses via ACLs and ensure the device is not configured in the vulnerable state specified in the vendor advisory.

  3. Hunting & Compromise Assessment:

    • Assume that scanning for CVE-2026-3055 is already active. Check your web server logs for Citrix ADC endpoints for unusual User-Agent strings (e.g., "Metasploit").
    • For Linux servers, audit sudo logs and auth.log for unexpected privilege escalation attempts or users gaining root without a corresponding sudo entry (potential kernel exploit success).

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosurelinuxmetasploitcitrix-adc

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action