Share
## https://sploitus.com/exploit?id=5110EFE8-0F4F-5A2A-8D86-979A9CD10ED6
# GhostLock CVE-2026-43499 โ Xiaomi Pad 7 Ultra (jinghu)
## Overview
Port of the [GhostLock](https://nebusec.ai/research/ionstack-part-2) stack-UAF exploit to Xiaomi Pad 7 Ultra (codename jinghu, XRing O1 SoC, Android 16 / HyperOS 3.0, kernel 6.6.77-android15-8).
CVE-2026-43499 is a **stack Use-After-Free** in the Linux futex subsystem โ specifically in `rt_mutex_cleanup_proxy_lock`, which skips `remove_waiter` when `owner == current`, leaving `task->pi_blocked_on` dangling after the syscall returns.
## Device info
| Component | Value |
|-----------|-------|
| Device | Xiaomi Pad 7 Ultra |
| SoC | XRing O1 |
| RAM | 12 GB |
| Kernel | 6.6.77-android15-8 (Clang 18 LTO+PGO+BOLT+MLGO) |
| Android | 16 (SDK 36), HyperOS 3.0.301.0 |
| SELinux | Enforcing |
| Root | None |
| VA_BITS | 39 |
| Page size | 4 KB |
| KASLR | Enabled |
| CONFIG_UBSAN_TRAP | y |
| CONFIG_PANIC_ON_OOPS | y |
## Exploit flow
```
waiter_thread:
1. FUTEX_LOCK_PI(f_pi_chain)
2. FUTEX_WAIT_REQUEUE_PI(f_wait โ f_pi_target)
โ rt_mutex_wait_proxy_lock โ blocks
3. owner releases f_pi_target โ waiter acquires lock
โ remove_waiter SKIPPED โ pi_blocked_on DANGLES
4. futex_wait_requeue_pi returns ret=0
5. pselect() overwrites waiter stack with fd_set + saved registers
6. waiter->lock = &pselect_user_lock (user-space readfds pointer)
consumer_thread:
7. sched_setattr โ rt_mutex_adjust_pi โ rt_mutex_adjust_prio_chain
8. Reads UAF waiter โ lock=&pselect_user_lock โ owner=fake_task|1
9. Hop to sprayed fake_task โ fake_task.pi_waiters
10. rb_erase_cached + rb_insert_color โ write *ASHMEM_MISC_FOPS = fake_fops
```
## Structure offsets (jinghu kernel 6.6.77)
See `src/targets/jinghu/target.h` for the full offset table.
## Files
| File | Purpose |
|------|---------|
| `src/main.c` | Thread orchestration (waiter/owner/consumer) |
| `src/fops.c` | pselect fd_set layout, try_cfi_stage |
| `src/util.c` | SLUB spray payload, configfs read/write |
| `src/slide.c` | boot_id leak via slide pselect |
| `src/pipe.c` | pipe-physrw (post-FOPS-swap) |
| `src/root.c` | Root installation |
| `src/targets/jinghu/target.h` | Offset table for jinghu |
## Build
Requires Android NDK r27d. Edit `build.bat` to set `NDK` path.
```
build.bat
adb push preload.so /data/local/tmp/
adb shell LD_PRELOAD=/data/local/tmp/preload.so id
```
## Current status
- [x] KernelSnitch mm_struct leak
- [x] Stack-UAF trigger (fwq ret=0)
- [x] PI chain via sched_setattr (40ร success)
- [x] PAN bypass (user-space lock accessible via ldxr/casa)
- [x] EBADF avoidance (empty readfds word0)
- [ ] FOPS write (owner hop reaches fake_task but exits at pi_blocked_on)
- [ ] pipe-physrw
- [ ] Root + SELinux off
The remaining blocker: `fake_task+0x938` (pi_blocked_on) must point to a valid
waiter structure whose +0x58 field equals `&pselect_user_lock`. Currently
the chain walk exits prematurely.