heroui logo

Linux Dirty Frag Kernel Privilege Escalation

Splunk Security Content

View Source
Summary
This analytic detects exploitation of the Linux Dirty Frag privilege-escalation chain (CVE-2026-43284 and CVE-2026-43500). It anchors on a two-stage behavioral signature: (1) a sustained high-frequency spray of the splice/vmsplice syscall by an unprivileged process executing from a user-writable path (examples: /home, /tmp, /var/tmp, /dev/shm, /run/user, /root). The detection aggregates spawn-time data from auditd, counting 50+ splice() calls within a 60-second window, capturing the sprayBinary, sprayPid, user, sprayStart, and sprayEnd. (2) within five minutes, a set-UID privilege-escalation binary is executed in the same audit session (from typical privilege utilities such as chfn, chsh, passwd, sudo, su, mount, umount, etc.), with privescTime logged. It then computes windowSecs = privescTime − sprayEnd and flags when 0 <= windowSecs <= 300. The rule relies on two audit rules: one tracking splice/vmsplice with a splice_user key, and another tracking process_creation (execve/execveat) to catch privileged binaries. The implementation uses the linux_auditd macro and is intended to run with Linux Auditd telemetry piped to Splunk. Operators should baseline splice volume to reduce false positives; legitimate I/O-heavy workloads from user-writable paths may require allowlisting or adjusting the splice_count threshold. The rule maps to MITRE techniques T1548.001 (Bypass Defenses: Abuse Elevation of Privilege) and T1068 (Exploitation for Privilege Escalation). References include CVEs and related advisories. The resulting finding identifies a local privilege escalation attempt on a host, attributed to the executing user and the involved spray binary. The analytic story aligns with a Linux Privilege Escalation scenario, targeting endpoint assets.
Categories
  • Endpoint
  • Linux
Data Sources
  • Kernel
  • Process
ATT&CK Techniques
  • T1068
  • T1548
  • T1548.001
Created: 2026-07-07