Share
## https://sploitus.com/exploit?id=F46CEFF1-0817-5130-A43D-EDE8126EA08F
# CVE-2026-23416-POC
POC for CVE-2026-23416 (linux kernel 6.17-linux kernel 7 rc5) - vulnerability discovered by Antonius

SUMMARY
-------
An invariant violation (VM_WARN_ON_VMG) fires at mm/vma.c:830 inside
vma_merge_existing_range() when mseal(2) is called with a range spanning
two adjacent VMAs where one has VM_SEALED set and the other does not.

  - Syscall:   mseal(2)
  - File:      mm/vma.c line 830
  - Affected:  Linux kernel 6.17 - Linux Kernel 7-rc5 (confirmed)
  - Access:    UID 1000, no capabilities required
  - Repro:     100% deterministic,  do_mseal()           [mm/mseal.c]
     -> mseal_apply()
        -> vma_modify_flags()  [mm/vma.c]
           -> vma_modify()
              -> vma_merge_existing_range()
                 -> VM_WARN_ON_VMG fires at line 830

FAILING ASSERTION
-----------------
  VM_WARN_ON_VMG(middle &&
    ((middle != prev && vmg->start != middle->vm_start) ||
     vmg->end > middle->vm_end))

  vmg->start       = 0x21da8000  (original mseal start, not clamped)
  middle->vm_start = 0x21de6000  (VMA-B, not sealed)
  -> vmg->start != middle->vm_start  -> WARN fires

ROOT CAUSE
----------
do_mseal() calls vma_modify_flags() with the original mseal() start
address without clamping it to the current VMA's vm_start when the
mseal range spans two VMAs with different VM_SEALED states. This causes
vma_merge_existing_range() to receive an inconsistent vmg state.

SECURITY RELEVANCE
------------------
1. Reachable from unprivileged userspace (UID 1000, no CAP_* needed,
   only memfd_create + mmap + mseal syscalls).

2. mseal(2) is a security primitive protecting VMA immutability. An
   invariant violation in its application logic means VM_SEALED may
   be applied incorrectly when spanning VMAs with mixed seal states,
   potentially undermining the security guarantee mseal provides.

3. In production kernels (non-debug, WARN compiled to no-op), the
   inconsistent vmg state proceeds silently -- the VMA tree could
   be left with incorrect seal state without any visible error.