Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
443 changes: 443 additions & 0 deletions pocs/linux/kernelctf/CVE-2026-43074_lts/docs/exploit.md

Large diffs are not rendered by default.

564 changes: 564 additions & 0 deletions pocs/linux/kernelctf/CVE-2026-43074_lts/docs/novel-techniques.md

Large diffs are not rendered by default.

38 changes: 38 additions & 0 deletions pocs/linux/kernelctf/CVE-2026-43074_lts/docs/vulnerability.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# Vulnerability

CVE-2026-43074 is a race condition vulnerability in the Linux kernel.

We refer to the exploit chain built on top of it as epollution.

It occurs when eventpoll walks an epoll reference graph under RCU while another
thread concurrently drops the last reference to a parent `struct eventpoll` and
frees it with plain `kfree()`, resulting in a use-after-free. Different
concurrent paths can hit the same lifetime bug, including
`reverse_path_check_proc()` and `ep_get_upwards_depth_proc()`.

The fix patch's `Fixes` tag was inaccurate, and the CVE announcement has
already been corrected: `f2e467a48287` introduced
`ep_get_upwards_depth_proc()`, but `reverse_path_check_proc()` already existed,
while the actual root cause was introduced by `58c9b016e128`.

## Requirements
- **Capabilities**: none
- **Kernel configuration**: `CONFIG_EPOLL=y`. This is almost
always true in practice; disabling it requires `EXPERT`.
- **User namespaces**: not required.

## Introduction
- **Commit**: [58c9b016e128](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58c9b016e128)
- **Description**: This commit changed eventpoll lifetime handling to use a refcount-based model without deferring `struct eventpoll` past RCU readers.

## Fix
- **Commit**: [07712db80857](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=07712db80857d5d09ae08f3df85a708ecfc3b61f)

## Affected Versions
- Linux `v6.4-rc1` to `v7.0-rc7`

## Subsystem
- VFS

## Root Cause
- Race condition
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
CXX := g++

KERNEL_XDK_INCLUDE_DIR ?= /usr/local/include
KERNEL_XDK_LIB_DIR ?= /usr/lib

CXXFLAGS := -O2 -g -Wall -Wextra -std=gnu++20 -D_GNU_SOURCE -ffunction-sections -fdata-sections \
-static -I$(KERNEL_XDK_INCLUDE_DIR)
LDFLAGS := -pthread -Wl,--gc-sections -L$(KERNEL_XDK_LIB_DIR) -lkernelXDK

all: exploit

MODULE_SOURCES := $(wildcard modules/*.cpp)
MODULE_HEADERS := $(wildcard modules/*.h)
OBJECTS := exploit.o $(MODULE_SOURCES:.cpp=.o)


exploit: target_db.kxdb $(OBJECTS)
$(CXX) $(CXXFLAGS) $(OBJECTS) -o $@ $(LDFLAGS)

exploit_debug: target_db.kxdb $(OBJECTS)
$(CXX) $(CXXFLAGS) $(OBJECTS) -o $@ $(LDFLAGS)

exploit.o: exploit.cpp $(MODULE_HEADERS)
$(CXX) $(CXXFLAGS) -c $< -o $@

modules/%.o: modules/%.cpp $(MODULE_HEADERS)
$(CXX) $(CXXFLAGS) -c $< -o $@

target_db.kxdb:
wget -O target_db.kxdb https://storage.googleapis.com/kernelxdk/db/kernelctf.kxdb

clean:
rm -f exploit exploit_debug modules/*.o

.PHONY: all clean
Binary file not shown.
Loading
Loading