Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
6e9dc4b
Add kernelCTF CVE-2026-23394_lts_cos
sysroot314 May 13, 2026
7222044
fix building warnings
sysroot314 May 13, 2026
0a71133
add first version of exploit.md and simlify the exploit
sysroot314 May 14, 2026
99a856b
fix infinite loop: let's exit if we got the flag
sysroot314 May 14, 2026
7634b5f
fix minor issue, we don't need skb->data filled in spray, let's remov…
sysroot314 May 14, 2026
65b9ca3
remove unused code
sysroot314 May 16, 2026
1ffc05b
Add mitigation exploit
sysroot314 May 22, 2026
8ed4574
Rename the directory with the submissions
sysroot314 May 22, 2026
4777f7e
Move timings slower, fix timerfd storm count
sysroot314 May 22, 2026
71b3834
try to speed up the exploits
sysroot314 May 22, 2026
80a4a13
Simplify vuln_prepare
sysroot314 May 22, 2026
ba6996c
Add comments in the exploits
sysroot314 May 27, 2026
ee5f685
Don't build kernelxdk
sysroot314 May 27, 2026
f896de5
Revert
sysroot314 May 27, 2026
c9bc2d8
Fix pin_to_cpu
sysroot314 May 27, 2026
5bfde58
Exit from the forked attempt
sysroot314 May 27, 2026
60b0b62
Don't use kernelxdk in vuln-trigger mode
sysroot314 May 27, 2026
0822e02
Add start message
sysroot314 May 27, 2026
148f1a2
Isolate kernelxdk from vuln-trigger mode
sysroot314 May 27, 2026
b5b8168
Attach compiled exploits
sysroot314 May 27, 2026
3a84552
Attach exploit binaries without kernelxdk
sysroot314 May 27, 2026
29f1d83
Attach exploit binaries that runs in less than 3m on patched kernel
sysroot314 May 27, 2026
5db8668
Remove .DS_Store
sysroot314 May 27, 2026
85932c0
Refine comments and the lts+cos exploit
sysroot314 May 28, 2026
1c22784
Attach binaries that exits if the vulnerability is triggered in vuln-…
sysroot314 May 28, 2026
772870a
Fix vuln-verify
sysroot314 May 28, 2026
8571d5b
Fix vuln-verify
sysroot314 May 28, 2026
ff1ca26
Fix vuln-verify
sysroot314 May 28, 2026
244da9a
Fix vuln-verify
sysroot314 May 28, 2026
080f556
Fix vuln-verify
sysroot314 May 28, 2026
fd0b470
Fix vuln-verify
sysroot314 May 28, 2026
18b7067
Fix vuln-verify
sysroot314 May 28, 2026
8ec77b3
Remove unused code
sysroot314 May 28, 2026
aa9d03d
Refine lts+cos exploits and documentation, add reliability notes
sysroot314 May 30, 2026
2035916
Refine the mitigation exploit, add documentation and reliability notes
sysroot314 Jun 4, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
592 changes: 592 additions & 0 deletions pocs/linux/kernelctf/CVE-2026-23394_lts_cos_mitigation/docs/exploit.md

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# CVE-2026-23394

- Requirements:
- Capabilities: not required
- Kernel configuration: `CONFIG_UNIX=y`
- User namespaces: not required
- Introduced by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=118f457da9ed58a79e24b73c2ef0aa1987241f0e (af_unix: Remove lock dance in unix_peek_fds().)
- Fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e5b31d988a41549037b8d8721a3c3cae893d8670 (af_unix: Give up GC if MSG_PEEK intervened.)
- Affected Versions: 6.10 - 6.18
- Affected component, subsystem: net/unix (Unix Sockets)
- Cause: Race Condition leading to UAF
- URL: https://www.cve.org/CVERecord?id=CVE-2026-23394
- A regression to CVE-2021-0920: Android sk_buff use-after-free in Linux.

## Description

There is a race condition in the Linux kernel's Unix Sockets Garbage Collector
(`net/unix/garbage.c`) where an inflight file's `f_count` can be incremented by
using `MSG_PEEK` after the GC decides that the file is a garbage candidate but
before the GC finishes checking.

It is possible to peek an inflight unix socket from another socket and then close
the receiver. In this case the GC checks both sockets as a garbage candidate,
treating the entire SCC as dead.

The patch uses `seqcount_t` for flagging that `MSG_PEEK` has occurred. At the
start of an SCC checking the patch saves the counter and checks if any
`MSG_PEEK` intervened before the final decision. This guarantees that `MSG_PEEK`
can't change the GC internal state and affect the GC decision right in the middle
of the checking.
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
CC := g++
CPPFLAGS := -Ikernel-research/libxdk/include
CFLAGS := -O0 -static -std=c++17 -pthread
LDFLAGS := -Lkernel-research/libxdk/lib
LDLIBS := -lkernelXDK -lpthread

TARGETS := exploit exploit_debug
SRC := exploit.cc

.PHONY: all prerequisites run clean

all: prerequisites exploit

prerequisites: target_db.kxdb kernel-research/libxdk/lib/libkernelXDK.a

target_db.kxdb:
wget -O $@ https://storage.googleapis.com/kernelxdk/db/kernelctf.kxdb

kernel-research:
git clone --depth 1 https://github.com/google/kernel-research.git $@

kernel-research/libxdk/lib/libkernelXDK.a: | kernel-research
cd kernel-research/libxdk && ./build.sh

exploit: $(SRC)
$(CC) $(CPPFLAGS) $(CFLAGS) $< -o $@ $(LDFLAGS) $(LDLIBS)

exploit_debug: CFLAGS += -g
exploit_debug: $(SRC)
$(CC) $(CPPFLAGS) $(CFLAGS) $< -o $@ $(LDFLAGS) $(LDLIBS)

run: exploit
./$<

clean:
rm -rf $(TARGETS) target_db.kxdb kernel-research
Binary file not shown.
Loading
Loading