kernelCTF exp521: CVE-2025-40019 essiv on mitigation-v4-6.12 #382
AshmitSh4rma wants to merge 3 commits into
Adds a 1-day submission porting the published CVE-2025-40019 essiv ssize-underflow technique to the mitigation-v4-6.12 target (vanilla v6.12.0 + jannh mitigations).

- Flag captured live 2026-05-13 13:33Z (exp521 on the public spreadsheet).
- Per-target symbol offsets re-derived from the mit-v4-6.12 vmlinux.
- Inline AES-256-ECB + SHA-256 (tinycrypto.h) to drop the OpenSSL runtime dependency.
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
- affected_versions: use '6.0 - 6.12.82' (range form per schema regex)
- requirements.attack_surface: empty (only 'userns'|'io_uring' enum allowed, this exploit uses neither)
- exploits.mitigation-v4-6.12.uses: empty for same reason

Free-text bug-class / primitive descriptions live in docs/exploit.md, not in metadata.json's tag arrays.
The
The CVE column on the public spreadsheet for There is no user-facing CVE field on the Google submission form, so I can't populate it from my side. Could a reviewer kick the auto-resolver, or fill the The PR metadata correctly identifies the bug as CVE-2025-40019 via
cb836aa to d992fae
@googlebot I have signed the CLA
Submission for exp521.

| Target | Bug file | Flag | Captured at | SHA256 |
|---|---|---|---|---|
| mitigation-v4-6.12 | `crypto/essiv.c` | `kernelCTF{v1:mitigation-v4-6.12:1778679222:cd35326a7169f91303f32929a9beeb219df90157}` | 2026-05-13T13:33:42Z | `d96391e7c5aaa72a8d782d1392496ce864bb0695c456f11ca4a688d3e293df33` |

Layout

- `docs/vulnerability.md` — bug root cause + introducing/fixing commits
- `docs/exploit.md` — full 8-step exploit walkthrough (essiv ssize underflow → chained-SGL crafted reclaim → PTE remap → core_pattern overwrite → root via usermodehelper + pidfd stdio theft)
- `exploit/mitigation-v4-6.12/exploit.c` — single-file source (~620 lines)
- `exploit/mitigation-v4-6.12/tinycrypto.h` — inline AES-256-ECB + SHA-256 (drops OpenSSL runtime dependency)
- `exploit/mitigation-v4-6.12/Makefile` — `make exploit` builds; `make run` notes
- `exploit/mitigation-v4-6.12/exploit` — the binary that captured the flag
- `original.tar.gz` — matches the SHA256 submitted via the Google Form
- `metadata.json` — schema v3

Reachability
Triggerable from any unprivileged UID with no caps and no user namespaces. Required configs: `CONFIG_CRYPTO_USER_API_AEAD=y`, `CONFIG_CRYPTO_ESSIV=y` (both `=y` in the kCTF mitigation-v4 image). Compatible with all of the kCTF mitigation hardening (`max_user_namespaces=1`, `io_uring_disabled=2`, `unprivileged_bpf_disabled=2`).
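A defender-side triage check built from the reachability notes and the metadata range in this thread, as an added example that is not part of the submission or the kernelCTF repo: the version range (6.0 - 6.12.82) and the two config symbols are the ones stated above; treating `=m` like `=y` (the AEAD user API and essiv template can be autoloaded) and the sample config text are assumptions.

```shell
#!/bin/sh
# Added triage helper, not part of the kernelCTF submission. Answers two
# questions about a host: is the running kernel inside the range this
# PR's metadata lists for CVE-2025-40019 (6.0 - 6.12.82), and are the
# configs the exploit needs (CONFIG_CRYPTO_USER_API_AEAD,
# CONFIG_CRYPTO_ESSIV) built in? Distro kernels backport fixes without
# bumping the version, so a hit means "check the vendor advisory".

# Split "6.12.82-generic" into "MAJ MIN PAT"; missing parts become 0.
version_parts() {
    v=${1%%-*}; v=${v%%+*}
    maj=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0
    echo "${maj:-0} ${min:-0} ${pat:-0}"
}

# 0 when the version is within 6.0.0 .. 6.12.82 inclusive, 1 otherwise.
version_in_range() {
    set -- $(version_parts "$1")
    [ "$1" -eq 6 ] || return 1
    [ "$2" -le 12 ] || return 1
    if [ "$2" -eq 12 ]; then [ "$3" -le 82 ] || return 1; fi
    return 0
}

# 0 when every CONFIG_* symbol given is =y or =m in the config text on
# stdin (zcat /proc/config.gz or cat /boot/config-$(uname -r)).
# Assumption: a module counts, since both pieces can be autoloaded.
configs_builtin() {
    cfg=$(cat)
    for sym in "$@"; do
        printf '%s\n' "$cfg" | grep -Eqx "$sym=(y|m)" || return 1
    done
    return 0
}

# Constructed sample config fragment (not from any real host).
SAMPLE_CONFIG='CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_ESSIV=m
# CONFIG_CRYPTO_USER_API_RNG is not set'

# triage KERNEL_VERSION CONFIG_TEXT -> 0 (needs review) or 1 (n/a).
triage() {
    if version_in_range "$1" && printf '%s\n' "$2" |
        configs_builtin CONFIG_CRYPTO_USER_API_AEAD CONFIG_CRYPTO_ESSIV; then
        echo "REVIEW: $1 in 6.0-6.12.82 with essiv + AEAD user API enabled"
        return 0
    fi
    echo "n/a: $1 outside range or required configs not enabled"
    return 1
}
```

On a live host call `triage "$(uname -r)" "$(zcat /proc/config.gz)"` (or feed `/boot/config-$(uname -r)`).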