Skip to content

Add kernelCTF CVE-2026-31533_lts_cos#401

Open
d4em0n wants to merge 2 commits into
google:masterfrom
star-sg:CVE-2026-31533_lts_cos
Open

Add kernelCTF CVE-2026-31533_lts_cos#401
d4em0n wants to merge 2 commits into
google:masterfrom
star-sg:CVE-2026-31533_lts_cos

Conversation

@d4em0n

@d4em0n d4em0n commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

No description provided.

d4em0n added 2 commits June 22, 2026 12:33
net/tls use-after-free in the -EBUSY error path of tls_do_encryption()
(double-decrement of the encrypt_pending sentinel + double scatterlist
restore). Exploited as a 0-day on lts-6.12.77 and cos-121-18867.381.30
(submission exp466). Reproduces at 100% in the exploit_repro workflow.
The previous --vuln-trigger used the full exploit's heavy saturation (3000
threads / 4000 fds) and setrlimit(0x8000), which fails under the vuln-verify
environment (unprivileged fd limit ~1024, KASAN ~3-5x slower) -- it never
landed -EBUSY, so no KASAN report and vuln_verify returned UNKNOWN.

Rework the trigger to fit that environment: raise RLIMIT_NOFILE to the hard
limit, use a lean op-fd pool (~1008) for a finite AF_ALG MAY_BACKLOG burst that
momentarily overflows the per-CPU cryptd queue (cryptd_max_cpu_qlen=1000), push
a pending TLS record with sk_err set to corrupt the encrypt_pending sentinel,
then submit one more async encrypt so the tls_rec is freed while a cryptd
callback is still pending. With no heap spray the freed record's scatterlist is
walked by __sk_msg_free()/bpf_exec_tx_verdict(), producing a KASAN report on
the unpatched kernel (locally reproduced on a KASAN 6.12.77 build); the patch
skips the double cleanup so it stays silent. Counts are overridable via
VT_N / VT_DELAY / VT_RETRY. The normal (flag-capturing) exploit path is
unchanged.
@d4em0n d4em0n force-pushed the CVE-2026-31533_lts_cos branch from 6969d79 to 536274e Compare June 22, 2026 07:38
@koczkatamas koczkatamas added the kCTF: vuln OK The submission exploits the claims vulnerability (passed manual verification) label Jun 30, 2026
@koczkatamas

Copy link
Copy Markdown
Collaborator

Hey! We did not find a bughunters.google.com report for this submission, so the payment process is blocked. Please file a Bughunters report, so we can pay out the first half of the reward.

@d4em0n

d4em0n commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Hi @koczkatamas, we have made a report to Google Bughunters. Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kCTF: vuln OK The submission exploits the claims vulnerability (passed manual verification)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants