Add kernelCTF CVE-2026-23074_cos

Author: Hc0wl

pocs/cpus/tdxploits/README.md

@@ -50,6 +50,6 @@ A host VMM creates a template TD to import migration bundles into. The host VMM
 
 Metadata bundles are comprised of a `md_list_header_t` and an array of `md_sequence_t` structures. Each sequence can specify, via the `write_mask_valid` flag in the `sequence_header`, whether `element[0]` holds a `wr_mask`. If the `wr_mask` is `0` the entries in the sequence are skipped when `skip_non_writable` is set to `true` when `md_write_sequence` is called (which is the case for import activities). This effectively allows *any* required entry to be skipped.
 
-`eddie.py` sets `write_mask_valid` to `1` and `element[0]` to `0` for the EPTP in a metadata bundle and proceed to perform the import activity. In this situation the `tdcs_ptr->execution_ctl_fields.eptp` is never initialized and results in a SEAM shutdown as the TDX Module will dereference an invalid address in `secure_ept_walk`.
+`eddie.py` sets `write_mask_valid` to `1` and `element[0]` to `0` for the EPTP in a metadata bundle and proceed to perform the import activity. In this situation the `tdcs_ptr->execution_ctl_fields.eptp` is never initialized and results in a SEAM shutdown as the TDX Module will dereference when calling `secure_ept_walk`.
 
 **Credits: Kirk Swidowski, Daniel Moghimi, Josh Eads, and Erdem Aktas.**

pocs/linux/kernelctf/CVE-2026-23074_cos/docs/exploit.md

@@ -0,0 +1,13 @@
+# Vulnerability Details
+
+- **Requirements**:
+    - **Capabilities**: `CAP_NET_ADMIN`
+    - **Kernel configuration**: `CONFIG_NET_SCHED=y, CONFIG_NET_SCH_TEQL=y`
+    - **User namespaces required**: Yes
+- **Introduced by**: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+- **Fixed by**: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b
+- **Affected Version**: `v2.6.12-rc2 - v6.19-rc6`
+- **Affected Component**: `net/sched: sch_teql`
+- **Syscall to disable**: `unshare`
+- **Cause**: Use-After-Free
+- **Description**: A Use-After-Free vulnerability was discovered in the Linux kernel's TC (Traffic Control) scheduler. When teql is used as a child qdisc instead of a root qdisc, qlen is not properly updated, causing the parent qdisc to misjudge the class state, resulting in a dangling pointer and triggering a Use-After-Free.

pocs/linux/kernelctf/CVE-2026-23074_cos/docs/vulnerability.md

@@ -0,0 +1,24 @@
+CC = gcc
+CXX = g++
+CFLAGS = -static -DKASLR_BYPASS_INTEL=1
+CXXFLAGS = -static -DKASLR_BYPASS_INTEL=1
+LDFLAGS = -lkernelXDK
+
+all: exploit
+
+kaslr_bypass.o: kaslr_bypass.c kaslr_bypass.h
+	$(CC) $(CFLAGS) -c kaslr_bypass.c -o kaslr_bypass.o
+
+exploit.o: exploit.c kaslr_bypass.h
+	$(CXX) $(CXXFLAGS) -c exploit.c -o exploit.o
+
+exploit: exploit.o kaslr_bypass.o
+	$(CXX) $(CXXFLAGS) -o exploit exploit.o kaslr_bypass.o $(LDFLAGS)
+
+exploit_debug: exploit.c kaslr_bypass.c kaslr_bypass.h
+	$(CC) $(CFLAGS) -g -c kaslr_bypass.c -o kaslr_bypass_dbg.o
+	$(CXX) $(CXXFLAGS) -g -c exploit.c -o exploit_dbg.o
+	$(CXX) $(CXXFLAGS) -g -o exploit_debug exploit_dbg.o kaslr_bypass_dbg.o $(LDFLAGS)
+
+clean:
+	rm -f exploit exploit_debug *.o