Add kernelCTF CVE-2026-23231_cos by AIS0127 · Pull Request #376 · google/security-research

AIS0127 · 2026-05-02T08:23:36Z

No description provided.

artmetla · 2026-05-10T14:29:17Z

+
+    /* ROP gadgets (from vmlinux disassembly) */
+    /* 0xafc2d1: pop rsi; pop rdi; ret */
+    ct.AddSymbol("pop_rsi_pop_rdi_ret", 0xafc2d1);


This is not a symbol. This is gadget. So you should follow https://google.github.io/security-research/kernelctf/style_guide.html#rop-chains as it's impossible to utilise XDK's RopChain

artmetla · 2026-05-17T11:45:00Z

Hey @AIS0127. Thanks for working on fixes. Please have a look also why exploit doesn't reproduce now.

This reverts commit 3a32444.

This reverts commit a743bcc.

AIS0127 force-pushed the kernelctf-exp449 branch 3 times, most recently from cd6040a to 23ec8cf Compare May 2, 2026 14:38

kernelCTF: add CVE-2026-23231_cos

57c2bcc

AIS0127 force-pushed the kernelctf-exp449 branch from 23ec8cf to 57c2bcc Compare May 2, 2026 15:13

AIS0127 added 2 commits May 3, 2026 17:15

kernelCTF: enable separate KASLR leak for exp449

ab6d131

kernelCTF: improve exp449 repro and verifier

0ed62df

artmetla reviewed May 10, 2026

View reviewed changes

kernelCTF: clean up exp449 gadget offsets and unused code

500acc8

AIS0127 added 11 commits May 23, 2026 00:23

kernelCTF: remove reclaim from exp449 KASAN verifier path

a714522

kernelCTF: restore exp449 poison reclaim verifier

c982f1e

kernelCTF: tune exp449 verifier flood count

791de6e

kernelCTF: shrink exp449 exploit binary

007243e

kernelCTF: preserve exp449 debug symbols

d8aedac

ci: rerun exp449 checks

1f57c80

kernelCTF: increase exp449 vuln-trigger flooders

cc0bbda

ci: rerun exp449 checks

18e99c3

kernelCTF: tune exp449 verifier and race flooders

6666804

ci: rerun exp449 checks

68783d6

kernelCTF: extend exp449 verifier and alias races

e3a45b7

AIS0127 force-pushed the kernelctf-exp449 branch 9 times, most recently from 0b3156d to c7503e6 Compare May 30, 2026 09:58

AIS0127 force-pushed the kernelctf-exp449 branch 3 times, most recently from 825d30a to e509137 Compare May 30, 2026 13:06

kernelCTF: stabilize exp449 verifier and repro races

0a72530

AIS0127 force-pushed the kernelctf-exp449 branch from e509137 to 0a72530 Compare May 30, 2026 13:23

AIS0127 added 15 commits May 30, 2026 22:46

ci: rerun exp449 checks

b6649f6

ci: rerun exp449 checks

7350666

kernelCTF: speed up exp449 verifier trigger

526a298

kernelCTF: isolate exp449 verifier races

88f68cd

kernelCTF: split exp449 verifier race profiles

727d668

kernelCTF: restore exp449 LPE race pacing

104d2a1

kernelCTF: use legacy exp449 verifier race

7b2eec7

kernelCTF: extend exp449 verifier race budget

2506a08

kernelCTF: restore exp449 single verifier race

00be4ae

kernelCTF: speed up exp449 verifier trigger

3aa46b8

kernelCTF: mix exp449 verifier race profiles

a97b711

kernelCTF: widen exp449 vuln trigger retries

a743bcc

kernelCTF: restore exp449 6.1 verifier profile

3a32444

Revert "kernelCTF: restore exp449 6.1 verifier profile"

a558713

This reverts commit 3a32444.

Revert "kernelCTF: widen exp449 vuln trigger retries"

cb59572

This reverts commit a743bcc.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add kernelCTF CVE-2026-23231_cos#376

Add kernelCTF CVE-2026-23231_cos#376
AIS0127 wants to merge 31 commits into
google:masterfrom
AIS0127:kernelctf-exp449

AIS0127 commented May 2, 2026

Uh oh!

artmetla May 10, 2026

Uh oh!

artmetla commented May 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

AIS0127 commented May 2, 2026

Uh oh!

artmetla May 10, 2026

Choose a reason for hiding this comment

Uh oh!

artmetla commented May 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants