Add kernelCTF CVE-2026-23111_cos (#446)

[c0m0r1]

No description provided.

[chanijindal1]

Hi! Thanks for your submission. This one falls under kernelCTF v3 rules which require use of kernelXDK where applicable. From glancing through your source code, it seems like there wouldn't be many changes.

Could you please check that:
#define CORE_PATTERN_PHYS_ADDR 0x3fb3440 should be rewritten to get the address dynamically from XDK.
Any structure sizes or offsets are retrieived through XDK

Here's a couple guides on using kernelXDK.
https://xdk.dev/libxdk/sample_exploit.html
https://google.github.io/security-research/kernelctf/rules.html#what-does-it-mean-to-use-the-kernelxdk

[c0m0r1]

I integrated kernelXDK into my exploit, but there were several hurdles.

• The core_pattern symbol is not supported from kernelXDK, as mentioned on its introduction document

[+] Running on target: kernelctf cos-121-18867.294.100
terminate called after throwing an instance of 'ExpKitError'
  what():  symbol (core_pattern) is not available for the target
Aborted

• kernelXDK failed to resolve the struct size of unix_address

[+] msg_msg_hdr_size=48 unix_address_size=0

I completed the integration by excluding the ones that caused errors.

[artmetla]

I integrated kernelXDK into my exploit, but there were several hurdles.

• The core_pattern symbol is not supported from kernelXDK, as mentioned on its introduction document

[+] Running on target: kernelctf cos-121-18867.294.100
terminate called after throwing an instance of 'ExpKitError'
  what():  symbol (core_pattern) is not available for the target
Aborted

• kernelXDK failed to resolve the struct size of unix_address

[+] msg_msg_hdr_size=48 unix_address_size=0

I completed the integration by excluding the ones that caused errors.

Hey @c0m0r1. It's kind of expected. Please check how the missing offsets and structs should be handled: https://xdk.dev/libxdk/sample_exploit.html#hardcoded-sizes-and-offsets. You could also have a look at other researcher's submissions (the ones that already have "kCTF: vuln Ok" label).

[c0m0r1]

Thanks for the reference. I added unix_address and core_pattern as hardcoded entries on a Target and registered it via kernelXDK. The call sites now use GetStructSize / GetSymbolOffset, and the local struct unix_address and CORE_PATTERN_PHYS_ADDR macro are removed.

[artmetla]

Hey @c0m0r1. Thanks for the fixes. Please have a look at how Makefile is organized in the exploits that pass the checks and fix the build. Debug version of exploit should successfully compile.

[c0m0r1]

Thanks. I updated the Makefile to add an exploit_debug target and confirmed all CI checks pass.