Google security-research repo adds kernelCTF exploit material for Linux kernel CVEs
Google's security-research repository received kernelCTF-related pull requests tied to Linux kernel vulnerabilities including CVE-2024-26582, CVE-2026-23209, and a reference to CVE-2026-23392. The updates were submitted through GitHub pull requests and include repeated revisions to mitigation material, writeups, and proof-of-concept content, with commit history showing iterative changes such as "final," "update writeup," and "update pocs." One pull request associated with CVE-2026-23209 also references files named original.tar.gz and exploit.md, indicating publication of source material and exploit documentation in the repository.
The available records do not provide technical specifics on exploitation, affected distributions, or patch guidance, but they show active disclosure and documentation work around kernelCTF targets in Google's public research repository. For defenders, the appearance of exploit notes and PoC-related updates in a widely watched security-research project is a signal to track the cited CVEs closely, validate kernel exposure, and review vendor advisories and mitigation status for impacted Linux environments.
How this story unfolded
9 events from the earliest known activity through the most recent confirmed update.
KernelCTF mitigation work for CVE-2024-26582 is added and updated
A Google security-research pull request history shows multiple commits adding and revising a kernelCTF mitigation for CVE-2024-26582, followed by updates labeled final, writeup, and PoCs. The material indicates ongoing security research and documentation work rather than a newly described incident.
kernelCTF repository adds CVE-2026-23209 source material and exploit documentation
A later Google security-research pull request adds files including original.tar.gz and exploit.md for CVE-2026-23209 in the kernelCTF repository. This reflects publication of source material and exploit documentation for the vulnerability.
kernelCTF repository adds CVE-2026-23392_cos exploit materials
A Google security-research pull request titled "Add kernelCTF CVE-2026-23392_cos" was published, indicating repository publication of materials for CVE-2026-23392_cos, including updates to original metadata and an exploit.cpp file. The reference reflects disclosure of exploit-related source material rather than a newly reported victim incident.
kernelCTF repository adds CVE-2026-23351_cos exploit materials
A Google security-research pull request published materials for CVE-2026-23351_cos, describing an nft_set_pipapo garbage-collection use-after-free affecting Container-Optimized OS build cos-121-18867.381.30. The discussion also documented exploitation details and branch updates, including CI fixes and correction of the nft_immediate_eval offset for the targeted COS build.
kernelCTF repository adds CVE-2026-23271_lts exploit materials
A Google security-research pull request published kernelCTF materials for CVE-2026-23271_lts, including commits that renamed the original exploit and updated the exploit code and Makefile. The reference indicates repository publication of exploit-related source material rather than a newly disclosed victim or incident.
kernelCTF repository adds CVE-2026-43074_lts exploit materials
A Google security-research pull request titled "Add kernelCTF CVE-2026-43074_lts" was published, indicating repository publication of materials for CVE-2026-43074_lts. The available fragment references an LTS submission, a commit identifier, and verification activity, but provides limited technical detail beyond the addition of exploit-related source material.
kernelCTF repository adds CVE-2026-23394_lts_cos exploit materials
A Google security-research pull request titled "Add kernelCTF CVE-2026-23394_lts_cos" was published, indicating repository publication of materials for CVE-2026-23394_lts_cos. The available fragment mentions commit identifiers and a fix for build warnings, but provides limited technical detail beyond the addition of exploit-related source material.
kernelCTF repository adds CVE-2025-40019 mitigation-v4-6.12 exploit materials
A Google security-research pull request published kernelCTF exploit materials for CVE-2025-40019 targeting mitigation-v4-6.12, described as a 1-day port of the published essiv ssize-underflow technique. The submission states the exploit captured the flag live as exp521 on 2026-05-13 and includes updated offsets, embedded crypto code to remove an OpenSSL dependency, and schema-compliant metadata changes.
kernelCTF repository adds CVE-2026-43456_lts_cos_mitigation materials
A Google security-research pull request titled "Add kernelCTF CVE-2026-43456_lts_cos_mitigation" was published, indicating repository activity for CVE-2026-43456 with multiple verified revisions. The available fragment provides little technical detail beyond code-review and repository update workflow, but it reflects publication of new kernelCTF-related source material.
Sources
10 references tracked.
Add kernelCTF CVE-2026-43456_lts_cos_mitigation by rqdaA · Pull Request #383 · google/security-research · GitHub
Add kernelCTF CVE-2026-23394_lts_cos by sysroot314 · Pull Request #381 · google/security-research · GitHub
kernelCTF exp521: CVE-2025-40019 essiv on mitigation-v4-6.12 by AshmitSh4rma · Pull Request #382 · google/security-research · GitHub
Add kernelCTF CVE-2026-43074_lts by 2045castor · Pull Request #380 · google/security-research · GitHub
Add kernelCTF CVE-2026-23271_lts by simond67 · Pull Request #379 · google/security-research · GitHub
kernelctf: CVE-2026-23351_cos by 11X0r · Pull Request #371 · google/security-research · GitHub
Add kernelCTF CVE-2026-23392_cos by NLQuy · Pull Request #370 · google/security-research · GitHub
Add kernelCTF CVE-2026-23392_cos by NLQuy · Pull Request #369 · google/security-research · GitHub
kernelCTF: add CVE-2026-23209_cos by 4ab48b3f1ded2472 · Pull Request #368 · google/security-research · GitHub
CVE 2026 23392 cos by NLQuy · Pull Request #363 · google/security-research · GitHub