On Tue, Jun 30, 2026 at 07:01:48AM -0700, Dave Hansen wrote:
> On 6/29/26 18:22, Xiang Mei wrote:
> >> Please don't even try to send a v3 without addressing this.
> > This is a demo exploiting CVE-2026-31419 with this technique:
> > https://github.com/google/security-research/pull/397
> 
> Thanks for sharing that. That's really good info.
> 
> But what I want to hear a bit more about is why this new guard region is
> a good, generic mitigation. Does it help mitigate a whole class of
> vulnerabilities?

I guess, to add to the questions (to Xiang and/or x86 people):
1) Aren't initiatives like kCFI/CET/shadow stack supposed to mitigate these
issues? Is this mitigation supposed to be applied in spite of these features?
2) Aren't you screwed by the time the attacker gets kernel remote code
execution anyway?

> 
> I think you're making the claim that this ENTER technique takes what
> would normally just be a DoS and makes it fully exploitable. Does this
> happen for a lot of DoS bugs? Or is CVE-2026-31419 very unusual and this
> stack guard gunk won't ever be useful again?

I suspect it's just the typical UAF with a function pointer table, that leads
into remote code execution. I know that for our (SUSE) CVE scoring, we tend
to treat these kinds of UAFs a lot more seriously than others. But I didn't
look closely.

-- 
Pedro
