CVE-2026-43046 Linux内核Btrfs拒绝服务漏洞

import struct # This PoC demonstrates the invalid state that crashes the kernel. # In a real scenario, this state exists on a Btrfs disk image. class BtrfsRootItem: def __init__(self, data): # Simplified parsing of Btrfs Root Item # Offset of drop_progress (objectid) is usually at index 0-8 # Offset of drop_level is usually around 0x50 (80) self.drop_progress = struct.unpack('<Q', data[0:8])[0] self.drop_level = struct.unpack('<B', data[80:81])[0] def check_vulnerability(data): """ Simulates the missing validation in tree-checker that was fixed. """ item = BtrfsRootItem(data) print(f"[*] Parsing Btrfs Root Item...") print(f" drop_progress: {hex(item.drop_progress)}") print(f" drop_level: {item.drop_level}") # Check for the invalid condition: non-zero progress with zero level if item.drop_progress != 0 and item.drop_level == 0: print("[!] VULNERABLE STATE DETECTED: Non-zero drop_progress with zero drop_level.") print("[!] This would trigger BUG_ON(level == 0) in merge_reloc_root().") return True else: print("[+] State is valid or drop_progress is zero.") return False # Craft a malicious payload (simulating disk corruption) # drop_progress = 0xDEADBEEF (Non-zero) # drop_level = 0 (Zero) malicious_data = bytearray(100) struct.pack_into('<Q', malicious_data, 0, 0xDEADBEEF) # drop_progress # drop_level remains 0 at index 80 if __name__ == "__main__": print("CVE-2026-43046 PoC Simulation") print("="*30) check_vulnerability(malicious_data)