Commit 5e82b67

Add kernelCTF CVE-2026-23074_cos
1 parent bc107b0 commit 5e82b67

14 files changed

+2408
-1
lines changed

pocs/cpus/tdxploits/README.md

Lines changed: 1 addition & 1 deletion
@@ -50,6 +50,6 @@ A host VMM creates a template TD to import migration bundles into. The host VMM
5050

5151
Metadata bundles are comprised of a `md_list_header_t` and an array of `md_sequence_t` structures. Each sequence can specify, via the `write_mask_valid` flag in the `sequence_header`, whether `element[0]` holds a `wr_mask`. If the `wr_mask` is `0` the entries in the sequence are skipped when `skip_non_writable` is set to `true` when `md_write_sequence` is called (which is the case for import activities). This effectively allows *any* required entry to be skipped.
5252

53-
`eddie.py` sets `write_mask_valid` to `1` and `element[0]` to `0` for the EPTP in a metadata bundle and proceed to perform the import activity. In this situation the `tdcs_ptr->execution_ctl_fields.eptp` is never initialized and results in a SEAM shutdown as the TDX Module will dereference an invalid address in `secure_ept_walk`.
53+
`eddie.py` sets `write_mask_valid` to `1` and `element[0]` to `0` for the EPTP in a metadata bundle and proceed to perform the import activity. In this situation the `tdcs_ptr->execution_ctl_fields.eptp` is never initialized and results in a SEAM shutdown as the TDX Module will dereference when calling `secure_ept_walk`.
5454

5555
**Credits: Kirk Swidowski, Daniel Moghimi, Josh Eads, and Erdem Aktas.**
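Review bot: the rewritten `+` line is grammatically incomplete: "the TDX Module will dereference when calling `secure_ept_walk`" drops the object, so it no longer says what is dereferenced. The removed wording ("dereference an invalid address in `secure_ept_walk`") was clearer; if the intent is to place the fault at the call site, something like "will dereference the uninitialized EPTP when calling `secure_ept_walk`" keeps both pieces of information. Pre-existing on the same line: "proceed to perform" should be "proceeds to perform".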

pocs/linux/kernelctf/CVE-2026-23074_cos/docs/exploit.md

Lines changed: 443 additions & 0 deletions
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
# Vulnerability Details
2+
3+
- **Requirements**:
4+
- **Capabilities**: `CAP_NET_ADMIN`
5+
- **Kernel configuration**: `CONFIG_NET_SCHED=y, CONFIG_NET_SCH_TEQL=y`
6+
- **User namespaces required**: Yes
7+
- **Introduced by**: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
8+
- **Fixed by**: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b
9+
- **Affected Version**: `v2.6.12-rc2 - v6.19-rc6`
10+
- **Affected Component**: `net/sched: sch_teql`
11+
- **Syscall to disable**: `unshare`
12+
- **Cause**: Use-After-Free
13+
- **Description**: A Use-After-Free vulnerability was discovered in the Linux kernel's TC (Traffic Control) scheduler. When teql is used as a child qdisc instead of a root qdisc, qlen is not properly updated, causing the parent qdisc to misjudge the class state, resulting in a dangling pointer and triggering a Use-After-Free.
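Review bot: the "Introduced by" link points at 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, which is the initial git import of Linux 2.6.12-rc2, not a change that introduced this bug; the document should say the issue has been present since the start of git history, and the `v2.6.12-rc2` lower bound in "Affected Version" is then just that boundary rather than a real introducing version. Also, "**Requirements**:" is an empty bullet, and "Capabilities", "Kernel configuration" and "User namespaces required" appear, as rendered here, at the same level as it; either indent those three under it or drop the heading.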
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
CC = gcc
2+
CXX = g++
3+
CFLAGS = -static -DKASLR_BYPASS_INTEL=1
4+
CXXFLAGS = -static -DKASLR_BYPASS_INTEL=1
5+
LDFLAGS = -lkernelXDK
6+
7+
all: exploit
8+
9+
kaslr_bypass.o: kaslr_bypass.c kaslr_bypass.h
10+
$(CC) $(CFLAGS) -c kaslr_bypass.c -o kaslr_bypass.o
11+
12+
exploit.o: exploit.c kaslr_bypass.h
13+
$(CXX) $(CXXFLAGS) -c exploit.c -o exploit.o
14+
15+
exploit: exploit.o kaslr_bypass.o
16+
$(CXX) $(CXXFLAGS) -o exploit exploit.o kaslr_bypass.o $(LDFLAGS)
17+
18+
exploit_debug: exploit.c kaslr_bypass.c kaslr_bypass.h
19+
$(CC) $(CFLAGS) -g -c kaslr_bypass.c -o kaslr_bypass_dbg.o
20+
$(CXX) $(CXXFLAGS) -g -c exploit.c -o exploit_dbg.o
21+
$(CXX) $(CXXFLAGS) -g -o exploit_debug exploit_dbg.o kaslr_bypass_dbg.o $(LDFLAGS)
22+
23+
clean:
24+
rm -f exploit exploit_debug *.o
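Review bot: `exploit.c` is compiled with `$(CXX)` while `kaslr_bypass.c` is compiled with `$(CC)`, and both include `kaslr_bypass.h`; unless that header wraps its declarations in `extern "C"`, the C++-compiled `exploit.o` will reference mangled symbol names and the link step in the `exploit` and `exploit_debug` rules fails. Either build `exploit.c` with `$(CC) $(CFLAGS)` like the other object, or add the `extern "C"` guard to the header. Minor: `-lkernelXDK` is a library and conventionally belongs in `LDLIBS` rather than `LDFLAGS` (it only works here because `$(LDFLAGS)` is last on the link line), and `all` and `clean` should be declared `.PHONY`.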