Add kernelCTF CVE-2026-23074_cos

pocs/linux/kernelctf/CVE-2026-23074_cos/docs/vulnerability.md

@@ -0,0 +1,13 @@
+# Vulnerability Details
+
+- **Requirements**:
+    - **Capabilities**: `CAP_NET_ADMIN`
+    - **Kernel configuration**: `CONFIG_NET_SCHED=y, CONFIG_NET_SCH_TEQL=y`
+    - **User namespaces required**: Yes
+- **Introduced by**: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+- **Fixed by**: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b
+- **Affected Version**: `v2.6.12-rc2 - v6.19-rc6`
+- **Affected Component**: `net/sched: sch_teql`
+- **Syscall to disable**: `unshare`
+- **Cause**: Use-After-Free
+- **Description**: A Use-After-Free vulnerability was discovered in the Linux kernel's TC (Traffic Control) scheduler. When teql is used as a child qdisc instead of a root qdisc, qlen is not properly updated, causing the parent qdisc to misjudge the class state, resulting in a dangling pointer and triggering a Use-After-Free.

pocs/linux/kernelctf/CVE-2026-23074_cos/exploit/cos-113-18244.521.39/Makefile

@@ -0,0 +1,27 @@
+CC = gcc
+CXX = g++
+CFLAGS = -static -DKASLR_BYPASS_INTEL=1
+CXXFLAGS = -static -DKASLR_BYPASS_INTEL=1
+LDFLAGS = -lkernelXDK
+
+all: exploit
+
+prerequisites:
+	wget -O target_db.kxdb https://storage.googleapis.com/kernelxdk/db/kernelctf.kxdb
+
+kaslr_bypass.o: kaslr_bypass.c kaslr_bypass.h
+	$(CC) $(CFLAGS) -c kaslr_bypass.c -o kaslr_bypass.o
+
+exploit.o: exploit.c kaslr_bypass.h
+	$(CXX) $(CXXFLAGS) -c exploit.c -o exploit.o
+
+exploit: exploit.o kaslr_bypass.o
+	$(CXX) $(CXXFLAGS) -o exploit exploit.o kaslr_bypass.o $(LDFLAGS)
+
+exploit_debug: exploit.c kaslr_bypass.c kaslr_bypass.h
+	$(CC) $(CFLAGS) -g -c kaslr_bypass.c -o kaslr_bypass_dbg.o
+	$(CXX) $(CXXFLAGS) -g -c exploit.c -o exploit_dbg.o
+	$(CXX) $(CXXFLAGS) -g -o exploit_debug exploit_dbg.o kaslr_bypass_dbg.o $(LDFLAGS)
+
+clean:
+	rm -f exploit exploit_debug *.o