## https://sploitus.com/exploit?id=12C68D27-0DC2-5E20-B7DF-ADF40157122E
# CVE-2026-XXXXX - KGSL Syncsource Fence Use-After-Free

**Severity:** High (CVSS 7.8)  
**Component:** Qualcomm Adreno KGSL GPU kernel driver  
**Affected:** Android devices with Snapdragon SoCs shipping the affected KGSL driver (Android 15/16 GKI, Linux 6.6)  
**Discovered:** June 2026  

## Overview

A race condition in `kgsl_ioctl_syncsource_create_fence()` allows a
use-after-free write in kernel memory. The ioctl is reached through the GPU
device node, which ordinary (untrusted) Android apps may open, so an
unprivileged app can exploit this for local privilege escalation without
any special permission.

The bug exists in the latest upstream KGSL driver as of June 8, 2026
(tag `v1.0.4`, commit `4300b655d3c0`).

## The Bug

```c
fd_install(fd, sync_file->file);       // fd visible to userspace from here on
                                       // RACE: close(fd) -> fput() -> dma_fence_put() -> kfree(sfence)
param->fence_fd = fd;

spin_lock_irqsave(&syncsource->lock, flags);
list_add_tail(&sfence->child_list, ...);  // UAF WRITE: sfence may already be freed
spin_unlock_irqrestore(&syncsource->lock, flags);
```

`fd_install()` is the publication point: once the descriptor is in the file
table, any thread of the process can `close()` it, and at that moment the
driver has not yet linked the fence into the syncsource's child list. A
`close()` in that window drops the `sync_file`'s reference, the only one still
keeping `sfence` alive, so the fence is released and freed; the ioctl then
continues and `list_add_tail()` writes the freed object's `child_list`
pointers and links the dead node into the live list. The window is small, but
the attacker controls both sides of it (the ioctl thread and the closing
thread) and can retry indefinitely. The rule the driver violated is the usual
one: `fd_install()` must be the last step of the ioctl, after every kernel-side
reference to the new file's objects has been established, because nothing
after it may assume the file is still open.
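To make the ordering argument concrete, here is an added user-space model of the object lifecycle (example code written for this page, not the driver's code and not the repository's PoC). It models the `sync_file` holding the only reference to the fence, the fence release callback unlinking the node from the syncsource list before freeing, and a scripted `close()` landing in the window between the two orderings. The reference-ownership rules, the single-threaded scripting of the interleaving, and the allocator that records a free instead of performing it (so the use-after-free is observable rather than a crash) are assumptions of the model, not a transcript of the driver.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Intrusive list with the same shape and semantics as <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *l) { l->next = l->prev = l; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; INIT_LIST_HEAD(n);
}

struct syncsource { struct list_head child_list_head; };

/* Modelled syncsource fence. 'freed' stands in for kfree(): the memory is kept
 * so a write after the free can be detected instead of corrupting the heap. */
struct sfence {
    int refcount;                 /* dma_fence reference count (assumed) */
    bool freed;
    struct list_head child_list;
};

struct sync_file { int refcount; struct sfence *fence; };

static struct sync_file *fd_table[8];   /* the process's file table (modelled) */

static void sfence_put(struct sfence *f)
{
    if (--f->refcount)
        return;
    /* Release callback: unlink from the parent's list (under syncsource->lock
     * in the driver; the interleaving is scripted here), then free. */
    list_del_init(&f->child_list);
    f->freed = true;
}

static struct sync_file *sync_file_create(struct sfence *f)
{
    struct sync_file *sf = calloc(1, sizeof *sf);
    sf->refcount = 1;
    sf->fence = f;
    f->refcount++;                /* the sync_file holds its own fence reference */
    return sf;
}

static int get_unused_fd(void)
{
    for (int i = 0; i < 8; i++)
        if (!fd_table[i]) return i;
    abort();
}
static void fd_install(int fd, struct sync_file *sf) { fd_table[fd] = sf; }

/* close(2): drop the file; the last put releases the fence it owns. */
static void sys_close(int fd)
{
    struct sync_file *sf = fd_table[fd];
    fd_table[fd] = NULL;
    if (--sf->refcount == 0) {
        sfence_put(sf->fence);
        free(sf);
    }
}

struct race_result {
    bool wrote_freed;       /* list_add_tail() wrote into an already-freed fence */
    int  dangling;          /* freed fences still reachable from child_list_head */
};

/* One scripted interleaving of the ioctl against close(). publish_first=true is
 * the vulnerable order from the advisory; false is the fixed order. */
static struct race_result run_scenario(bool publish_first, bool close_in_window)
{
    struct syncsource ss;
    struct race_result r = { false, 0 };
    INIT_LIST_HEAD(&ss.child_list_head);

    struct sfence *sfence = calloc(1, sizeof *sfence);
    sfence->refcount = 1;                       /* creation reference */
    INIT_LIST_HEAD(&sfence->child_list);
    struct sync_file *sf = sync_file_create(sfence);
    sfence_put(sfence);   /* assumed: ioctl drops its own ref, sync_file now owns the only one */
    int fd = get_unused_fd();

    if (publish_first) {
        fd_install(fd, sf);                     /* fd is now visible to userspace */
        if (close_in_window) sys_close(fd);     /* racing thread: last ref -> fence freed */
    }
    r.wrote_freed = sfence->freed;              /* the driver performs the next write regardless */
    list_add_tail(&sfence->child_list, &ss.child_list_head);
    if (!publish_first) {
        fd_install(fd, sf);
        if (close_in_window) sys_close(fd);     /* release path unlinks first, then frees */
    }

    for (struct list_head *p = ss.child_list_head.next; p != &ss.child_list_head; p = p->next) {
        struct sfence *f = (struct sfence *)((char *)p - offsetof(struct sfence, child_list));
        if (f->freed) r.dangling++;
    }

    if (fd_table[fd]) sys_close(fd);            /* tidy up the no-race case */
    free(sfence);
    return r;
}

int main(void)
{
    struct race_result v = run_scenario(true, true), f = run_scenario(false, true);
    printf("vulnerable order: wrote_freed=%d dangling=%d\n", v.wrote_freed, v.dangling);
    printf("fixed order:      wrote_freed=%d dangling=%d\n", f.wrote_freed, f.dangling);
    return 0;
}
```

Build with `cc -std=c11 -Wall race_model.c && ./a.out`. The vulnerable ordering both writes into the freed fence and leaves the dead node linked from `child_list_head`, which is the pointer a later list walk or `list_del()` would follow; with `list_add_tail()` first, the release callback finds the node on the list and unlinks it before the free, so nothing dangles. Take the model for what it is: it shows why the ordering matters given the ownership rules stated in the lead-in, not how wide the real window is.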

## Files

| File | Description |
|------|-------------|
| `README.md` | This file |
| `advisory/advisory.md` | Full security advisory |
| `poc/poc_kgsl_uaf.c` | Proof-of-Concept source |
| `poc/poc_kgsl_uaf_arm64` | Pre-compiled ARM64 binary |
| `docs/analysis.md` | Full root cause analysis with refcount trace |
| `docs/trigger_sequence.md` | Thread interleaving and trigger conditions |

## Additional Findings

Three more bugs identified in the same codebase (see `advisory/advisory.md`):

| # | Type | Severity | Component |
|---|------|----------|-----------|
| 2 | TOCTOU → UAF | High | `kgsl.c` context detach |
| 3 | Uncounted pointer → UAF | High | `kgsl_sync.c` process release |
| 4 | AB-BA deadlock | Low | `kgsl_timeline.c` |

## Fix

Move `list_add_tail()` before `fd_install()`:

```diff
-       fd_install(fd, sync_file->file);
-       param->fence_fd = fd;
        spin_lock_irqsave(&syncsource->lock, flags);
        list_add_tail(&sfence->child_list, &syncsource->child_list_head);
        spin_unlock_irqrestore(&syncsource->lock, flags);
+       fd_install(fd, sync_file->file);
+       param->fence_fd = fd;
```
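Review bot: the patch is shown without a `diff --git`/file header or an `@@` hunk header, so it cannot be applied with `git apply` or checked against the tree as presented; include the full hunk with the file and function name for `kgsl_ioctl_syncsource_create_fence()`. On the reordering itself, `fd_install(fd, sync_file->file);` and `param->fence_fd = fd;` now follow the `list_add_tail()` under `syncsource->lock`, which is the right discipline (nothing may touch the new file after `fd_install()`); the full hunk should also show that no error return exists between the two blocks (none is visible in these lines) and that no later statement in the function dereferences `sfence` or `sync_file` after the install, since the same race would reappear there.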

## References

- Source: https://github.com/qualcomm-linux/kgsl (branch `gfx-kernel.le.0.0`)
- Google VRP: https://bughunters.google.com