Metasploit Weekly Wrap-Up Adds DirtyFrag Linux LPE and Other Exploits
Rapid7's latest Metasploit release includes new modules for the DirtyFrag Linux kernel privilege escalation vulnerabilities, a Citrix NetScaler info leak scanner, and exploits for dompdf and a WordPress plugin.
Rapid7 released its weekly Metasploit wrap-up on May 29, 2026, introducing five new modules that expand the framework's coverage of recent vulnerabilities. The most notable additions are two local privilege escalation (LPE) exploits targeting the DirtyFrag vulnerabilities in the Linux kernel, identified as CVE-2026-43284 and CVE-2026-43500. These bugs affect the xfrm/ESP fragmentation path and the RxRPC/rxkad subsystem, respectively, allowing an attacker to gain root access on affected systems.
The DirtyFrag modules follow a trend of Linux kernel LPEs recently added to Metasploit, including the earlier Copy Fail exploit. Both DirtyFrag vulnerabilities are exploitable individually, and the new modules provide penetration testers with reliable methods to escalate privileges on vulnerable Linux machines. The modules were contributed by researchers Giovanni Heward, Hyunwoo Kim, and offsecguy.
In addition to the Linux exploits, the release includes a scanner for CVE-2026-3055, an information disclosure vulnerability in Citrix NetScaler when configured as a SAML IdP. This auxiliary module, contributed by sfewer-r7 and watchTowr, can leak memory and potentially expose session cookies, similar to previous CitrixBleed vulnerabilities. The scanner helps identify vulnerable Citrix ADC instances during security assessments.
Another new exploit targets CVE-2022-28368, an unauthenticated remote code execution vulnerability in dompdf versions prior to 1.2.1. The vulnerability arises when remote resource loading is enabled, allowing an attacker to drop a PHP webshell via malicious font caching in CSS @font-face rules. The exploit module, contributed by multiple researchers including Adithya Pawar and Fabian Bräunlein, enables attackers to gain code execution on web applications using the vulnerable library.
The release also adds an exploit for CVE-2026-4257, a server-side template injection (SSTI) vulnerability in the Supsystic Contact Form WordPress plugin versions 1.7.36 and earlier. This module, contributed by Azril Fathoni and bootstrapbool, achieves remote code execution on WordPress sites running the vulnerable plugin. Additionally, an auxiliary scanner for Ollama LLM installations was added, allowing enumeration of installed models and configuration details.
Metasploit users can update to the latest version using msfupdate or by cloning the GitHub repository. The full changelog and pull request details are available on the Metasploit Framework GitHub page. This weekly release continues Rapid7's commitment to providing timely exploit modules for critical vulnerabilities, enabling security professionals to test and defend their environments effectively.