On Tue, Jun 30, 2026 at 7:02 AM Dave Hansen <[email protected]> wrote:
>
> On 6/29/26 18:22, Xiang Mei wrote:
> >> Please don't even try to send a v3 without addressing this.
> > This is a demo exploiting CVE-2026-31419 with this technique:
> > https://github.com/google/security-research/pull/397
>
> Thanks for sharing that. That's really good info.
>
> But what I want to hear a bit more about is why this new guard region is
> a good, generic mitigation. Does it help mitigate a whole class of
> vulnerabilities?
>
Thanks for the question. I'll change my words to call this problem an
issue instead of a bug since it's more like an (instruction set +
kernel stack design) issue.
I have used LLMs to evaluate other Intel instructions influencing SP
register (plus checking if such a gadget exists, e.g., `add rsp
0x8000`) and can't find a second gadget that could be used for stack
pivoting targeting adjacent pages.

> I think you're making the claim that this ENTER technique takes what
> would normally just be a DoS and makes it fully exploitable. Does this
> happen for a lot of DoS bugs? Or is CVE-2026-31419 very unusual and this
> stack guard gunk won't ever be useful again?

I may have written some misleading content; let me provide more
information to correct it.
ENTER escalates CFH (Control-Flow Hijacking) to ACE (Arbitrary Code
Execution). It can't escalate DoS to exploitation primitives:
1) ENTER is an instruction, and it can be used to perform stack pivoting
2) The ENTER-pivoting technique requires a CFH primitive, for example
  a) CVE-2026-31419 is a race condition, and it gives a UAF
  b) attackers exploit UAF and control a function pointer
  c) attackers change the pointer to be an enter-pivoting gadget
     (e.g., `enter 0x8000, 0; ret`)
  d) attackers escalate CFH to ACE
3) ENTER-pivoting is strong since the gadget is common and **one
gadget** is enough to escalate the CFH to ACE
4) Before this gadget, there is only one public one-gadget style
CFH->ACE technique: jump into BPF JIT (mitigated by JIT hardening)
5) This technique can be used for all CFH attacks, and it can enable
some hard exploits (no register control, BPF JIT hardened).

Please feel free to ask any questions; I am glad to help.
Thanks,
Xiang
