## https://sploitus.com/exploit?id=F46CEFF1-0817-5130-A43D-EDE8126EA08F
# CVE-2026-23416-POC
POC for CVE-2026-23416 (linux kernel 6.17-linux kernel 7 rc5) - vulnerability discovered by Antonius
SUMMARY
-------
An invariant violation (VM_WARN_ON_VMG) fires at mm/vma.c:830 inside
vma_merge_existing_range() when mseal(2) is called with a range spanning
two adjacent VMAs where one has VM_SEALED set and the other does not.
- Syscall: mseal(2)
- File: mm/vma.c line 830
- Affected: Linux kernel 6.17 - Linux Kernel 7-rc5 (confirmed)
- Access: UID 1000, no capabilities required
- Repro: 100% deterministic, do_mseal() [mm/mseal.c]
-> mseal_apply()
-> vma_modify_flags() [mm/vma.c]
-> vma_modify()
-> vma_merge_existing_range()
-> VM_WARN_ON_VMG fires at line 830
FAILING ASSERTION
-----------------
VM_WARN_ON_VMG(middle &&
((middle != prev && vmg->start != middle->vm_start) ||
vmg->end > middle->vm_end))
vmg->start = 0x21da8000 (original mseal start, not clamped)
middle->vm_start = 0x21de6000 (VMA-B, not sealed)
-> vmg->start != middle->vm_start -> WARN fires
ROOT CAUSE
----------
do_mseal() calls vma_modify_flags() with the original mseal() start
address without clamping it to the current VMA's vm_start when the
mseal range spans two VMAs with different VM_SEALED states. This causes
vma_merge_existing_range() to receive an inconsistent vmg state.
SECURITY RELEVANCE
------------------
1. Reachable from unprivileged userspace (UID 1000, no CAP_* needed,
only memfd_create + mmap + mseal syscalls).
2. mseal(2) is a security primitive protecting VMA immutability. An
invariant violation in its application logic means VM_SEALED may
be applied incorrectly when spanning VMAs with mixed seal states,
potentially undermining the security guarantee mseal provides.
3. In production kernels (non-debug, WARN compiled to no-op), the
inconsistent vmg state proceeds silently -- the VMA tree could
be left with incorrect seal state without any visible error.