From 882707286f77c30a2966cebcbfba2e6ff24f4541 Mon Sep 17 00:00:00 2001 From: V4bel Date: Sun, 10 May 2026 04:27:55 +0900 Subject: [PATCH] typo --- README.md | 3 ++- assets/write-up.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 48366d3..f49a9cb 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,8 @@ or reboot the system. # Affected Versions -The xfrm-ESP Page-Cache Write vulnerability is in scope from cac2661c53f3 (2017-01-17) up to upstream, and the RxRPC Page-Cache Write vulnerability is in scope from 2dc334f1a63a (2023-06) up to upstream. +- `CVE-2026-43284`: xfrm-ESP Page-Cache Write vulnerability is in scope from [cac2661c53f3 (2017-01-17)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cac2661c53f3) up to [f4c50a4034e6 (2026-05-05)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4). +- `CVE-2026-43500`: RxRPC Page-Cache Write vulnerability is in scope from [2dc334f1a63a (2023-06-08)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2dc334f1a63a) up to upstream. In other words, the effective lifetime of the vulnerabilities is about 9 years. diff --git a/assets/write-up.md b/assets/write-up.md index 58a31c2..5402692 100644 --- a/assets/write-up.md +++ b/assets/write-up.md 
@@ -384,7 +384,7 @@ recvmsg(rxsk_cli, &m, 0) fcrypt_decrypt(page_address(P) + splice_off, ct, K) // 8 byte STORE: page P[splice_off..+8] = fcrypt_decrypt(C, K) ``` -Each STORE plants exactly 8 bytes at file offset (`splice_off`). The HMAC/sechdr verification afterward returns `-EPROTO`, but the STORE is already done. +Each STORE plants exactly 8 bytes at file offset (`splice_off`). The sechdr verification afterward returns `-EPROTO`, but the STORE is already done. For each of the three positions (off = 4, 6, 8), the exploit runs the following sequence in turn: update K, `add_key`, socket setup, handshake, cksum computation, splice + recvmsg. With last-write-wins, chars 4..15 of `/etc/passwd` line 1 are replaced with the shape `"::0:0:GGGGGG:"`. Finally, when the parent process execs `/usr/bin/su -` along with a PTY, `pam_unix.so nullok` of PAM common-auth accepts the empty passwd field and lets it through without a prompt. su then performs `setresuid(0, 0, 0)` and execs `/bin/bash`, dropping into a root shell. This variant does not use `unshare()`, and `add_key()`, `socket(AF_RXRPC)`, `socket(AF_ALG)` (for cksum computation), `splice()`, and `recvmsg()` are all APIs available to unprivileged users.
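Review bot: the README.md hunk changes substance, not a typo, so the commit message "typo" undersells it: the xfrm-ESP range now ends at a named commit f4c50a4034e6 (2026-05-05) instead of "up to upstream", and each entry gains a CVE id. Please say in the commit message that the xfrm-ESP range is now closed and which commit closes it, and state in the bullet itself whether f4c50a4034e6 is the fix (i.e. the first unaffected version) or the last affected one, since "up to" is ambiguous. Two smaller points in the same hunk: the unchanged trailing line "In other words, the effective lifetime of the vulnerabilities is about 9 years." now sits under two separately dated ranges, and only the xfrm-ESP range (2017-01-17 to 2026-05-05) spans about 9 years while the RxRPC range starts 2023-06-08, so reword it to refer to the xfrm-ESP vulnerability; and the two links use different id forms (`?id=cac2661c53f3` abbreviated, `?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4` full), which are best made consistent, preferably full hashes since those remain unambiguous.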
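Review bot: dropping "HMAC/" from "The HMAC/sechdr verification afterward returns `-EPROTO`" silently changes which check the write-up says fails after the store, and nothing in the hunk or the commit message explains why; a one-line note (in the commit message or the sentence itself) on which kernel function performs the sechdr check and returns `-EPROTO` would let a reader confirm the corrected claim against the source. Style point on the same line: "at file offset (`splice_off`)" has stray parentheses around the inline code and reads better as "at file offset `splice_off`".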