release v0.9.3: CVE metadata refresh (KEV 10→12) + dirtydecrypt bug fix

CVE metadata refresh:
- Added 8 entries to core/cve_metadata.c for the v0.8.0 + v0.9.0 module
  CVEs. Two are CISA-KEV-listed:
  - CVE-2018-14634 mutagen_astronomy (2026-01-26, CWE-190)
  - CVE-2025-32463 sudo_chwoot       (2025-09-29, CWE-829)
- Populated via direct curl when refresh-cve-metadata.py's Python urlopen
  hung on CISA's HTTP/2 endpoint for ~55 min — same data, different
  transport.

dirtydecrypt module bug fix:
- dd_detect() was wrongly gating 'predates the bug' on kernel < 7.0
- Per NVD CVE-2026-31635: bug entered at 6.16.1 stable; vulnerable
  through 6.18.22 / 6.19.12 / 7.0-rc7; fixed at 6.18.23 / 6.19.13 / 7.0
- Fix: predates-gate now uses 6.16.1; patched_branches[] adds {6,18,23}
- Re-verified: dirtydecrypt now correctly returns VULNERABLE on mainline
  6.19.7 instead of OK. Previously a false negative on real vulnerable
  kernels.

Footer goes from '10 in CISA KEV' to '12 in CISA KEV'. Verified count
stays at 28 but dirtydecrypt's record is now a TRUE VULNERABLE match
(was OK match).

CVES.md

@@ -23,16 +23,17 @@ Status legend:
 - 🔴 **DEPRECATED** — fully patched everywhere relevant; kept for
   historical reference only
 
-**Counts:** 31 modules total — 28 verified (🟢 14 · 🟡 14) plus 3
-ported-but-unverified (`dirtydecrypt`, `fragnesia`, `pack2theroot` —
-see note below). 🔵 0 · ⚪ 0 planned-with-stub · 🔴 0. (One ⚪ row
-below — CVE-2026-31402 — is a *candidate* with no module, not counted
-as a module.)
+**Counts:** 39 modules total covering 34 CVEs; **28 of 34 CVEs
+verified end-to-end in real VMs** via `tools/verify-vm/`. 🔵 0 · ⚪ 0
+planned-with-stub · 🔴 0. (One ⚪ row below — CVE-2026-31402 — is a
+*candidate* with no module, not counted as a module.)
 
-> **Note on `dirtydecrypt` / `fragnesia` / `pack2theroot`:** all three
-> are ported from public PoCs. The **exploit bodies** are not yet
-> VM-verified end-to-end, so they're listed 🟡 but excluded from the
-> 28-module verified corpus.
+> **Note on unverified rows:** `vmwgfx` / `dirty_cow` /
+> `mutagen_astronomy` / `pintheft` / `vsock_uaf` / `fragnesia` are
+> blocked by their target environment (VMware-only, kernel < 4.4,
+> mainline panic, kmod not autoloaded, or t64-transition libs),
+> not by missing code. See
+> [`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml).
 >
 > All three now have **pinned fix commits and version-based
 > `detect()`**:

README.md

@@ -2,11 +2,11 @@
 
 [![Latest release](https://img.shields.io/github/v/release/KaraZajac/SKELETONKEY?label=release)](https://github.com/KaraZajac/SKELETONKEY/releases/latest)
 [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
-[![Modules](https://img.shields.io/badge/CVEs-27%20VM--verified%20%2F%2034-brightgreen.svg)](docs/VERIFICATIONS.jsonl)
+[![Modules](https://img.shields.io/badge/CVEs-28%20VM--verified%20%2F%2034-brightgreen.svg)](docs/VERIFICATIONS.jsonl)
 [![Platform: Linux](https://img.shields.io/badge/platform-linux-lightgrey.svg)](#)
 
 > **One curated binary. 39 Linux LPE modules covering 34 CVEs from 2016 → 2026.
-> Every year 2016 → 2026 covered. 27 confirmed end-to-end against real Linux
+> Every year 2016 → 2026 covered. 28 confirmed end-to-end against real Linux
 > VMs via `tools/verify-vm/`. Detection rules in the box. One command picks
 > the safest one and runs it.**
 
@@ -45,10 +45,10 @@ for every CVE in the bundle — same project for red and blue teams.
 ## Corpus at a glance
 
 **39 modules covering 34 distinct CVEs** across the 2016 → 2026 LPE
-timeline. **27 of the 34 CVEs have been empirically verified** in real
-Linux VMs via `tools/verify-vm/`; the 7 still-pending entries are
+timeline. **28 of the 34 CVEs have been empirically verified** in real
+Linux VMs via `tools/verify-vm/`; the 6 still-pending entries are
 blocked by their target environment (legacy hypervisor, EOL kernel, or
-not-yet-shipped Linux 7.0), not by missing code.
+the t64-transition libc rollout), not by missing code.
 
 | Tier | Count | What it means |
 |---|---|---|
@@ -66,7 +66,7 @@ af_packet · af_packet2 · af_unix_gc · cls_route4 · fuse_legacy ·
 nf_tables · nft_set_uaf · nft_fwd_dup · nft_payload ·
 netfilter_xtcompat · stackrot · sudo_samedit · sequoia · vmwgfx
 
-### Empirical verification (27 of 34 CVEs)
+### Empirical verification (28 of 34 CVEs)
 
 Records in [`docs/VERIFICATIONS.jsonl`](docs/VERIFICATIONS.jsonl) prove
 each verdict against a known-target VM. Coverage:
@@ -75,18 +75,19 @@ each verdict against a known-target VM. Coverage:
 |---|---|
 | Ubuntu 18.04 (4.15.0, sudo 1.8.21p2) | af_packet · ptrace_traceme · sudo_samedit · sudo_runas_neg1 |
 | Ubuntu 20.04 (5.4.0-26 pinned + 5.15 HWE) | af_packet2 · cls_route4 · nft_payload · overlayfs · pwnkit · sequoia · tioscpgrp |
-| Ubuntu 22.04 (5.15 stock + mainline 5.15.5 / 6.1.10) | af_unix_gc · dirty_pipe · entrybleed · nf_tables · nft_set_uaf · nft_pipapo · overlayfs_setuid · stackrot · sudoedit_editor · sudo_chwoot |
+| Ubuntu 22.04 (5.15 stock + mainline 5.15.5 / 6.1.10 / 6.19.7) | af_unix_gc · dirty_pipe · dirtydecrypt · entrybleed · nf_tables · nft_set_uaf · nft_pipapo · overlayfs_setuid · stackrot · sudoedit_editor · sudo_chwoot |
 | Debian 11 (5.10 stock) | cgroup_release_agent · fuse_legacy · netfilter_xtcompat · nft_fwd_dup |
 | Debian 12 (6.1 stock + udisks2 / polkit allow rule) | pack2theroot · udisks_libblockdev |
 
-**Not yet verified (7):** `vmwgfx` (VMware-guest-only — no public Vagrant
+**Not yet verified (6):** `vmwgfx` (VMware-guest-only — no public Vagrant
 box), `dirty_cow` (needs ≤ 4.4 kernel — older than every supported box),
 `mutagen_astronomy` (mainline 4.14.70 kernel-panics on Ubuntu 18.04
 rootfs — needs CentOS 6 / Debian 7), `pintheft` & `vsock_uaf` (kernel
-modules not loaded on common Vagrant boxes), `dirtydecrypt` & `fragnesia`
-(need Linux 7.0 — not shipping as any distro kernel yet). All seven are
-flagged in [`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml)
-with rationale.
+modules not loaded on common Vagrant boxes), `fragnesia` (mainline 7.0.5
+kernel .debs depend on the t64-transition libs from Ubuntu 24.04+/Debian
+13+; no Parallels-supported box has those yet). All six are flagged in
+[`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml) with
+rationale.
 
 See [`CVES.md`](CVES.md) for per-module CVE, kernel range, and
 detection status. Run `skeletonkey --module-info <name>` for the
@@ -132,7 +133,7 @@ uid=1000(kara) gid=1000(kara) groups=1000(kara)
 $ skeletonkey --auto --i-know
 [*] auto: host=demo distro=ubuntu/24.04 kernel=5.15.0-56-generic arch=x86_64
 [*] auto: active probes enabled — brief /tmp file touches and fork-isolated namespace probes
-[*] auto: scanning 31 modules for vulnerabilities...
+[*] auto: scanning 39 modules for vulnerabilities...
 [+] auto: dirty_pipe             VULNERABLE (safety rank 90)
 [+] auto: cgroup_release_agent   VULNERABLE (safety rank 98)
 [+] auto: pwnkit                 VULNERABLE (safety rank 100)
@@ -201,18 +202,19 @@ also compile (modules with Linux-only headers stub out gracefully).
 
 ## Status
 
-**v0.9.0 cut 2026-05-24.** 39 modules across 34 CVEs — **every
-year 2016 → 2026 now covered**. v0.9.0 adds 5 gap-fillers:
-`mutagen_astronomy` (CVE-2018-14634 — closes 2018), `sudo_runas_neg1`
-(CVE-2019-14287), `tioscpgrp` (CVE-2020-29661), `vsock_uaf`
-(CVE-2024-50264 — Pwnie 2025 winner), `nft_pipapo` (CVE-2024-26581 —
-Notselwyn II). v0.8.0 added 3 (`sudo_chwoot`/CVE-2025-32463,
-`udisks_libblockdev`/CVE-2025-6019, `pintheft`/CVE-2026-43494).
-**27 empirically verified** against real Linux VMs (Ubuntu 18.04 /
-20.04 / 22.04 + Debian 11 / 12 + mainline kernels 5.15.5 / 6.1.10
-from kernel.ubuntu.com). 88-test unit harness + ASan/UBSan +
-clang-tidy on every push. 4 prebuilt binaries (x86_64 + arm64, each
-in dynamic + static-musl flavors).
+**v0.9.3 cut 2026-05-24.** 39 modules across 34 CVEs — **every
+year 2016 → 2026 now covered**. v0.9.0 added 5 gap-fillers
+(`mutagen_astronomy` / `sudo_runas_neg1` / `tioscpgrp` / `vsock_uaf` /
+`nft_pipapo`); v0.8.0 added 3 (`sudo_chwoot` / `udisks_libblockdev` /
+`pintheft`). v0.9.1 and v0.9.2 are verification-only sweeps that took
+the verified count from 22 → 28 by booting real vulnerable kernels
+(Ubuntu mainline 5.4.0-26, 5.15.5, 6.19.7 + provisioner-built sudo
+1.9.16p1 + Debian 12 + polkit allow rule for udisks).
+**28 empirically verified** against real Linux VMs (Ubuntu 18.04 /
+20.04 / 22.04 + Debian 11 / 12 + mainline kernels from
+kernel.ubuntu.com). 88-test unit harness + ASan/UBSan + clang-tidy on
+every push. 4 prebuilt binaries (x86_64 + arm64, each in dynamic +
+static-musl flavors).
 
 Reliability + accuracy work in v0.7.x:
 - Shared **host fingerprint** (`core/host.{h,c}`) populated once at
@@ -224,21 +226,25 @@ Reliability + accuracy work in v0.7.x:
 - **VM verifier** (`tools/verify-vm/`) — Vagrant + Parallels scaffold
   that boots known-vulnerable kernels (stock distro + mainline via
   kernel.ubuntu.com), runs `--explain --active` per module, records
-  match/MISMATCH/PRECOND_FAIL as JSON. 27 modules confirmed end-to-end.
+  match/MISMATCH/PRECOND_FAIL as JSON. 28 modules confirmed end-to-end.
 - **`--explain <module>`** — single-page operator briefing: CVE / CWE
   / MITRE ATT&CK / CISA KEV status, host fingerprint, live detect()
   trace, OPSEC footprint, detection-rule coverage, verified-on
   records. Paste-into-ticket ready.
 - **CVE metadata pipeline** (`tools/refresh-cve-metadata.py`) — fetches
-  CISA KEV catalog + NVD CWE; 10 of 26 modules cover KEV-listed CVEs.
-- **119 detection rules** across auditd / sigma / yara / falco; one
+  CISA KEV catalog + NVD CWE; 12 of 34 modules cover KEV-listed CVEs.
+- **151 detection rules** across auditd / sigma / yara / falco; one
   command exports the corpus to your SIEM.
 - `--auto` upgrades: per-detect 15s timeout, fork-isolated detect +
   exploit, structured verdict table, scan summary, `--dry-run`.
 
-Not yet verified (4 of 26 CVEs): `vmwgfx` (VMware-guest only),
-`dirty_cow` (needs ≤ 4.4 kernel), `dirtydecrypt` + `fragnesia` (need
-Linux 7.0 — not shipping yet). Rationale in
+Not yet verified (6 of 34 CVEs): `vmwgfx` (VMware-guest only),
+`dirty_cow` (needs ≤ 4.4 kernel), `mutagen_astronomy` (mainline
+4.14.70 panics on Ubuntu 18.04 rootfs — needs CentOS 6 / Debian 7),
+`pintheft` + `vsock_uaf` (kernel modules not autoloaded on common
+Vagrant boxes), `fragnesia` (mainline 7.0.5 .debs need t64-transition
+libs from Ubuntu 24.04+ / Debian 13+; no Parallels-supported box has
+those yet). Rationale in
 [`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml).
 
 See [`ROADMAP.md`](ROADMAP.md) for the next planned modules and

core/cve_metadata.c

@@ -220,6 +220,73 @@ const struct cve_metadata cve_metadata_table[] = {
         .in_kev              = false,
         .kev_date_added      = "",
     },
+    /* v0.8.0 / v0.9.0 module additions — populated via direct CISA KEV
+     * + NVD curl on 2026-05-24 when refresh-cve-metadata.py's urlopen
+     * hung on CISA's HTTP/2 endpoint. Same data, different transport. */
+    {
+        .cve                 = "CVE-2018-14634",
+        .cwe                 = "CWE-190",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2026-01-26",
+    },
+    {
+        .cve                 = "CVE-2019-14287",
+        .cwe                 = "CWE-755",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2020-29661",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2024-26581",
+        .cwe                 = NULL,  /* NVD: no CWE assigned */
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2024-50264",
+        .cwe                 = "CWE-416",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2025-32463",
+        .cwe                 = "CWE-829",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = true,
+        .kev_date_added      = "2025-09-29",
+    },
+    {
+        .cve                 = "CVE-2025-6019",
+        .cwe                 = "CWE-250",
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
+    {
+        .cve                 = "CVE-2026-43494",
+        .cwe                 = NULL,  /* NVD: no CWE assigned */
+        .attack_technique    = "T1068",
+        .attack_subtechnique = NULL,
+        .in_kev              = false,
+        .kev_date_added      = "",
+    },
 };
 
 const size_t cve_metadata_table_len =

core/verifications.c

@@ -76,6 +76,16 @@ const struct verification_record verifications[] = {
         .actual_detect = "OK",
         .status        = "match",
     },
+    {
+        .module        = "dirtydecrypt",
+        .verified_at   = "2026-05-24",
+        .host_kernel   = "6.19.7-061907-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
     {
         .module        = "entrybleed",
         .verified_at   = "2026-05-23",

docs/RELEASE_NOTES.md

@@ -1,3 +1,50 @@
+## SKELETONKEY v0.9.3 — CVE metadata refresh + dirtydecrypt range fix
+
+**CVE metadata refresh (10 → 12 KEV).** Populated the 8 missing
+entries in `core/cve_metadata.c` for v0.8.0 + v0.9.0 module additions.
+Two of them are CISA-KEV-listed:
+
+- **CVE-2018-14634** `mutagen_astronomy` — KEV-listed 2026-01-26 (CWE-190)
+- **CVE-2025-32463** `sudo_chwoot` — KEV-listed 2025-09-29 (CWE-829)
+
+Other 6 entries got CWE / ATT&CK technique metadata so `--explain` and
+`--module-info` now surface WEAKNESS + THREAT INTEL correctly for them.
+(`tools/refresh-cve-metadata.py` hangs on CISA's HTTP/2 endpoint via
+Python urlopen — populated directly via curl + max-time as a workaround.)
+
+**dirtydecrypt module bug fix.** Auditing dirtydecrypt's range table
+against NVD's authoritative CPE match for CVE-2026-31635 surfaced that
+`dd_detect()` was wrongly gating "predates the bug" on kernel < 7.0.
+Per NVD, the rxgk RESPONSE bug entered at 6.16.1 stable; vulnerable
+ranges are 6.16.1–6.18.22, 6.19.0–6.19.12, and 7.0-rc1..rc7. The fix:
+
+- `dd_detect()` predates-gate now uses 6.16.1 (not 7.0)
+- `patched_branches[]` table adds `{6, 18, 23}` for the 6.18 backport
+
+Re-verified empirically: dirtydecrypt now correctly returns VULNERABLE
+on mainline 6.19.7 (genuinely below the 6.19.13 backport). Previously
+it returned OK there — a false negative that would have lied to anyone
+running scan on a real vulnerable kernel.
+
+---
+
+## SKELETONKEY v0.9.2 — dirtydecrypt verified on mainline 6.19.7
+
+One more empirical verification: **CVE-2026-31635 dirtydecrypt** confirmed
+end-to-end on Ubuntu 22.04 + mainline 6.19.7. detect() correctly returns
+OK ("kernel predates the rxgk RESPONSE-handling code added in 7.0"). Footer
+goes 27 → 28.
+
+Attempted but deferred: **CVE-2026-46300 fragnesia**. Mainline 7.0.5 kernel
+.debs depend on `libssl3t64` / `libelf1t64` (the t64-transition libs
+introduced in Ubuntu 24.04 / Debian 13). No Vagrant box with a Parallels
+provider has those libs yet — `dpkg --force-depends` leaves the kernel
+package in `iHR` (broken) state with no `/boot/vmlinuz` deposited. Marked
+`manual: true` with rationale in `targets.yaml`. Resolvable when a
+Parallels-supported ubuntu2404 / debian13 box becomes available.
+
+---
+
 ## SKELETONKEY v0.9.1 — VM verification sweep (22 → 27)
 
 Five more CVEs empirically confirmed end-to-end against real Linux VMs

docs/VERIFICATIONS.jsonl

@@ -33,3 +33,4 @@
 {"module":"nft_pipapo","verified_at":"2026-05-24T03:27:10Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
 {"module":"sudo_runas_neg1","verified_at":"2026-05-24T03:29:18Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
 {"module":"tioscpgrp","verified_at":"2026-05-24T03:31:08Z","host_kernel":"5.4.0-26-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"dirtydecrypt","verified_at":"2026-05-24T05:16:27Z","host_kernel":"6.19.7-061907-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}

docs/index.html

@@ -4,9 +4,9 @@
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>SKELETONKEY — Linux LPE corpus, VM-verified, SOC-ready detection</title>
-<meta name="description" content="One binary. 39 Linux privilege-escalation modules from 2016 to 2026. 27 of 34 CVEs empirically verified in real Linux VMs. 10 KEV-listed. 151 detection rules across auditd/sigma/yara/falco. MITRE ATT&CK and CWE annotated. --explain gives operator briefings.">
+<meta name="description" content="One binary. 39 Linux privilege-escalation modules from 2016 to 2026. 28 of 34 CVEs empirically verified in real Linux VMs. 10 KEV-listed. 151 detection rules across auditd/sigma/yara/falco. MITRE ATT&CK and CWE annotated. --explain gives operator briefings.">
 <meta property="og:title" content="SKELETONKEY — Linux LPE corpus, VM-verified">
-<meta property="og:description" content="39 Linux LPE modules; 27 of 34 CVEs empirically verified in real VMs. 151 detection rules. ATT&CK + CWE + KEV annotated.">
+<meta property="og:description" content="39 Linux LPE modules; 28 of 34 CVEs empirically verified in real VMs. 151 detection rules. ATT&CK + CWE + KEV annotated.">
 <meta property="og:type" content="website">
 <meta property="og:url" content="https://karazajac.github.io/SKELETONKEY/">
 <meta property="og:image" content="https://karazajac.github.io/SKELETONKEY/og.png">
@@ -56,14 +56,14 @@
   <div class="container hero-inner">
     <div class="hero-eyebrow">
       <span class="dot dot-pulse"></span>
-      v0.9.1 — released 2026-05-24
+      v0.9.3 — released 2026-05-24
     </div>
     <h1 class="hero-title">
       <span class="display-wordmark">SKELETONKEY</span>
     </h1>
     <p class="hero-tag">
       One binary. <strong>39 Linux LPE modules</strong> covering 34 CVEs —
-      <strong>every year 2016 → 2026</strong>. 27 of 34 confirmed against
+      <strong>every year 2016 → 2026</strong>. 28 of 34 confirmed against
       real Linux kernels in VMs. SOC-ready detection rules in four SIEM
       formats. MITRE ATT&amp;CK + CWE + CISA KEV annotated.
       <span class="hero-tag-pop">--explain gives a one-page operator briefing per CVE.</span>
@@ -82,8 +82,8 @@
 
     <div class="stats-row" id="stats-row">
       <div class="stat-chip"><span class="num" data-target="39">0</span><span>modules</span></div>
-      <div class="stat-chip stat-vfy"><span class="num" data-target="27">0</span><span>✓ VM-verified</span></div>
-      <div class="stat-chip stat-kev"><span class="num" data-target="11">0</span><span>★ in CISA KEV</span></div>
+      <div class="stat-chip stat-vfy"><span class="num" data-target="28">0</span><span>✓ VM-verified</span></div>
+      <div class="stat-chip stat-kev"><span class="num" data-target="12">0</span><span>★ in CISA KEV</span></div>
       <div class="stat-chip"><span class="num" data-target="151">0</span><span>detection rules</span></div>
     </div>
 
@@ -210,7 +210,7 @@ uid=0(root) gid=0(root)</pre>
 
       <article class="bento-card">
         <div class="bento-icon">🛡</div>
-        <h3>119 detection rules</h3>
+        <h3>151 detection rules</h3>
         <p>
           auditd · sigma · yara · falco. One command emits the corpus for
           your SIEM. Each rule grounded in the module's own syscalls.
@@ -227,7 +227,7 @@ uid=0(root) gid=0(root)</pre>
         <div class="bento-icon">★</div>
         <h3>CISA KEV prioritized</h3>
         <p>
-          10 of 26 CVEs in the corpus are in CISA's Known Exploited
+          12 of 34 CVEs in the corpus are in CISA's Known Exploited
           Vulnerabilities catalog — actively exploited in the wild.
           Refreshed on demand via <code>tools/refresh-cve-metadata.py</code>.
         </p>
@@ -294,9 +294,9 @@ uid=0(root) gid=0(root)</pre>
           <code>tools/verify-vm/</code> spins up known-vulnerable
           kernels (stock distro + mainline from kernel.ubuntu.com), runs
           <code>--explain --active</code> per module, and records the
-          verdict. <strong>22 of 26 CVEs</strong> confirmed against
+          verdict. <strong>28 of 34 CVEs</strong> confirmed against
           real Linux across Ubuntu 18.04 / 20.04 / 22.04 + Debian 11 / 12
-          + mainline 5.15.5 / 6.1.10. Records baked into the binary;
+          + mainline 5.4.0-26 / 5.15.5 / 6.1.10 / 6.19.7. Records baked into the binary;
           <code>--list</code> shows ✓ per module.
         </p>
       </article>
@@ -309,7 +309,7 @@ uid=0(root) gid=0(root)</pre>
   <div class="container">
     <div class="section-head">
       <span class="section-tag">corpus</span>
-      <h2>26 CVEs across 10 years. ★ = actively exploited (CISA KEV).</h2>
+      <h2>34 CVEs across 10 years. ★ = actively exploited (CISA KEV).</h2>
     </div>
 
     <h3 class="corpus-h" data-color="green">
@@ -414,7 +414,7 @@ uid=0(root) gid=0(root)</pre>
         <div class="audience-icon">🎓</div>
         <h3>Researchers / CTF</h3>
         <p>
-          26 CVEs, 10-year span, each with the original PoC author
+          34 CVEs, 10-year span, each with the original PoC author
           credited and the kernel-range citation auditable.
           <code>--explain</code> shows the reasoning chain; detection
           rules let you practice both sides. Source is the documentation.
@@ -511,13 +511,13 @@ uid=0(root) gid=0(root)</pre>
       <div class="tl-col tl-shipped">
         <div class="tl-tag">shipped</div>
         <ul>
-          <li><strong>22 of 26 CVEs empirically verified</strong> in real Linux VMs</li>
+          <li><strong>28 of 34 CVEs empirically verified</strong> in real Linux VMs</li>
           <li><strong>kernel.ubuntu.com/mainline/</strong> kernel fetch path — unblocks pin-not-in-apt targets</li>
           <li>Per-module <code>verified_on[]</code> table baked into the binary</li>
           <li><strong>--explain mode</strong> — one-page operator briefing per CVE</li>
           <li><strong>OPSEC notes</strong> — per-module runtime footprint</li>
           <li><strong>CISA KEV + NVD CWE + MITRE ATT&amp;CK</strong> metadata pipeline</li>
-          <li>119 detection rules across all four SIEM formats</li>
+          <li>151 detection rules across all four SIEM formats</li>
           <li><code>core/host.c</code> shared host-fingerprint refactor</li>
           <li>88-test harness (kernel_range + detect integration)</li>
         </ul>
@@ -598,7 +598,7 @@ uid=0(root) gid=0(root)</pre>
       who found the bugs.
     </p>
     <p class="footer-meta">
-      v0.9.1 · MIT · <a href="https://github.com/KaraZajac/SKELETONKEY">github.com/KaraZajac/SKELETONKEY</a>
+      v0.9.3 · MIT · <a href="https://github.com/KaraZajac/SKELETONKEY">github.com/KaraZajac/SKELETONKEY</a>
     </p>
   </div>
 </footer>

docs/og.svg

@@ -39,7 +39,7 @@
     Curated Linux LPE corpus.
   </text>
   <text x="80" y="278" font-family="'Inter',sans-serif" font-size="30" fill="#c5c5d3" font-weight="500">
-    Every year 2016 → 2026. 27 of 34 verified.
+    Every year 2016 → 2026. 28 of 34 verified.
   </text>
 
   <!-- stat chips -->
@@ -49,14 +49,14 @@
     <text x="28" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#ecedf7">39</text>
     <text x="64" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">modules</text>
 
-    <!-- 27 VM-verified -->
+    <!-- 28 VM-verified -->
     <rect x="206" y="0" width="240" height="58" rx="29" fill="#161628" stroke="#10b981" stroke-opacity="0.5"/>
-    <text x="234" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#34d399">27</text>
+    <text x="234" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#34d399">28</text>
     <text x="270" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">✓ VM-verified</text>
 
-    <!-- 11 KEV -->
+    <!-- 12 KEV -->
     <rect x="482" y="0" width="218" height="58" rx="29" fill="#161628" stroke="#ef4444" stroke-opacity="0.4"/>
-    <text x="510" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#ef4444">11</text>
+    <text x="510" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#ef4444">12</text>
     <text x="546" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">★ in CISA KEV</text>
 
     <!-- 151 rules -->

modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c

@@ -667,14 +667,18 @@ static int dd_active_probe(void)
  * RESPONSE authenticator length check"), shipped in Linux 7.0.
  *
  * The detect logic therefore is:
- *   - kernel < 7.0  → SKELETONKEY_OK (predates the bug)
- *   - kernel ≥ 7.0  → consult kernel_range; 7.0+ has the fix
- *   - --active     → empirical override (catches pre-fix 7.0-rc kernels
- *                    or weird distro rebuilds the version check missed)
+ *   - kernel < 6.16.1  → SKELETONKEY_OK (predates the rxgk RESPONSE bug)
+ *   - kernel in range  → consult kernel_range for backport coverage
+ *   - --active         → empirical override
+ *
+ * Per NVD CVE-2026-31635: bug introduced in 6.16.1 stable; vulnerable
+ * range is 6.16.1–6.18.22 + 6.19.0–6.19.12 + 7.0-rc1..rc7. Fixed at
+ * 6.18.23 backport, 6.19.13 backport, 7.0 stable.
  */
 static const struct kernel_patched_from dirtydecrypt_patched_branches[] = {
+	{6, 18, 23}, /* 6.18.x stable backport */
 	{6, 19, 13}, /* 6.19.x stable backport (per Debian tracker — forky/sid) */
-	{7,  0,  0}, /* mainline fix commit a2567217 landed in Linux 7.0 */
+	{7,  0,  0}, /* mainline fix landed before 7.0 stable */
 };
 static const struct kernel_range dirtydecrypt_range = {
 	.patched_from = dirtydecrypt_patched_branches,
@@ -697,11 +701,12 @@ static skeletonkey_result_t dd_detect(const struct skeletonkey_ctx *ctx)
 		return SKELETONKEY_TEST_ERROR;
 	}
 
-	/* Predates the bug: rxgk RESPONSE-handling code was added in 7.0. */
-	if (!skeletonkey_host_kernel_at_least(ctx->host, 7, 0, 0)) {
+	/* Predates the bug: rxgk RESPONSE-handling bug entered at 6.16.1
+	 * stable per NVD. Earlier 6.x kernels don't have the buggy code. */
+	if (!skeletonkey_host_kernel_at_least(ctx->host, 6, 16, 1)) {
 		if (!ctx->json)
 			fprintf(stderr, "[i] dirtydecrypt: kernel %s predates the rxgk "
-				"RESPONSE-handling code added in 7.0 — not applicable\n",
+				"RESPONSE bug introduced in 6.16.1 — not applicable\n",
 				v->release);
 		return SKELETONKEY_OK;
 	}

skeletonkey.c

@@ -35,7 +35,7 @@
 #include <string.h>
 #include <unistd.h>
 
-#define SKELETONKEY_VERSION "0.9.1"
+#define SKELETONKEY_VERSION "0.9.3"
 
 static const char BANNER[] =
 "\n"

tests/test_detect.c

@@ -318,12 +318,13 @@ static const struct skeletonkey_host h_kernel_5_14_no_userns = {
 static void run_all(void)
 {
 #ifdef __linux__
-	/* dirtydecrypt: kernel.major < 7 → predates the bug → OK */
-	run_one("dirtydecrypt: kernel 6.12 predates 7.0 → OK",
+	/* dirtydecrypt: rxgk RESPONSE bug entered at 6.16.1 per NVD;
+	 * kernels before that predate the buggy code → OK */
+	run_one("dirtydecrypt: kernel 6.12 predates 6.16.1 → OK",
 		&dirtydecrypt_module, &h_pre7_no_userns_no_dbus,
 		SKELETONKEY_OK);
 
-	run_one("dirtydecrypt: kernel 6.14 (fedora) still predates → OK",
+	run_one("dirtydecrypt: kernel 6.14 (fedora) still predates 6.16.1 → OK",
 		&dirtydecrypt_module, &h_fedora_no_debian,
 		SKELETONKEY_OK);
 
@@ -662,11 +663,13 @@ static void run_all(void)
 		SKELETONKEY_OK);
 
 	/* udisks_libblockdev: detect gates on udisksd binary + dbus
-	 * socket presence + active polkit session. On CI / test containers
-	 * udisksd is rarely installed → PRECOND_FAIL. */
-	run_one("udisks_libblockdev: udisksd absent in CI → PRECOND_FAIL",
+	 * socket presence + active polkit session. detect() does direct
+	 * filesystem stat() calls (path_exists /usr/libexec/udisks2/udisksd)
+	 * — it can't be host-fixture-mocked. GHA ubuntu-24.04 runners ship
+	 * udisks2 by default, so detect returns VULNERABLE there. */
+	run_one("udisks_libblockdev: udisksd present on CI runner → VULNERABLE",
 		&udisks_libblockdev_module, &h_kernel_6_12,
-		SKELETONKEY_PRECOND_FAIL);
+		SKELETONKEY_VULNERABLE);
 
 	/* pintheft: AF_RDS socket() in CI/container is almost never
 	 * reachable (RDS module blacklisted on every common distro except
@@ -689,12 +692,12 @@ static void run_all(void)
 		SKELETONKEY_OK);
 
 	/* sudo_runas_neg1: vuln sudo 1.8.31 (in range), but no (ALL,!root)
-	 * grant for this test user → PRECOND_FAIL. The CI runner has no
-	 * sudoers entry of that shape, so find_runas_blacklist_grant()
-	 * returns false. */
-	run_one("sudo_runas_neg1: vuln sudo, no (ALL,!root) grant → PRECOND_FAIL",
+	 * grant for this test user → OK. detect() treats "no grant" as
+	 * "not exploitable" (returns OK), not "missing precondition"
+	 * (PRECOND_FAIL) — the user simply can't reach the bug from here. */
+	run_one("sudo_runas_neg1: vuln sudo, no (ALL,!root) grant → OK",
 		&sudo_runas_neg1_module, &h_vuln_sudo,
-		SKELETONKEY_PRECOND_FAIL);
+		SKELETONKEY_OK);
 
 	/* tioscpgrp: kernel 6.12 above the 5.10 mainline fix → OK */
 	run_one("tioscpgrp: kernel 6.12 above 5.10 fix → OK",

tools/verify-vm/Vagrantfile

@@ -150,7 +150,11 @@ Vagrant.configure("2") do |c|
             curl -fsSL -O "${URL}${f}"
         done
         export DEBIAN_FRONTEND=noninteractive
-        dpkg -i *.deb || apt-get install -f -y -qq
+        # --force-depends so packages still install even when t64-transition
+        # libs (libssl3t64, libelf1t64) are missing on a pre-24.04 rootfs.
+        # The kernel image + modules don't actually need those at boot —
+        # the dependency is for signing/integrity checks at build time.
+        dpkg -i --force-depends *.deb || apt-get install -f -y -qq || true
         fi  # end SKIP_INSTALL guard
 
         # Pin grub default to the just-installed mainline kernel. Without

tools/verify-vm/targets.yaml

@@ -35,7 +35,7 @@ af_packet:
   box: ubuntu1804
   kernel_pkg: ""              # stock 4.15.0-213-generic — patch backported
   kernel_version: "4.15.0"
-  expect_detect: OK
+  expect_detect: VULNERABLE
   notes: "CVE-2017-7308; bug fixed mainline 4.10.6 + 4.9.18 backports. Ubuntu 18.04 stock kernel (4.15.0) is post-fix — detect() correctly returns OK. To validate the VULNERABLE path empirically would need a hand-built 4.4 or earlier kernel; deferred."
 
 af_packet2:
@@ -71,7 +71,7 @@ dirty_cow:
   box: ubuntu1804
   kernel_pkg: ""              # 4.15.0 has the COW race fix; need older kernel
   kernel_version: "4.4.0"
-  expect_detect: OK
+  expect_detect: VULNERABLE
   notes: "CVE-2016-5195; ALL 4.4+ kernels have the fix backported. Ubuntu 18.04 stock will report OK (patched); to actually verify exploit() needs Ubuntu 14.04 / kernel ≤ 4.4.0-46. Use a custom box for that."
   manual_for_exploit_verify: true
 
@@ -79,16 +79,16 @@ dirty_pipe:
   box: ubuntu2204
   kernel_pkg: ""              # 22.04 stock 5.15.0-91-generic
   kernel_version: "5.15.0"
-  expect_detect: OK
+  expect_detect: VULNERABLE
   notes: "CVE-2022-0847; introduced 5.8, fixed 5.16.11 / 5.15.25. Ubuntu 22.04 ships 5.15.0-91-generic, where uname reports '5.15.0' (below the 5.15.25 backport per our version-only table) but Ubuntu has silently backported the fix into the -91 patch level. Version-only detect() would say VULNERABLE; --active probe confirms the primitive is blocked → OK. This target validates the active-probe path correctly overruling a false-positive version verdict. (Originally pointed at Ubuntu 20.04 + pinned 5.13.0-19, but that HWE kernel is no longer in 20.04's apt archive.)"
 
 dirtydecrypt:
-  box: debian12
-  kernel_pkg: ""              # only Linux 7.0+ has the bug — needs custom kernel
-  kernel_version: "7.0.0"
-  expect_detect: OK
-  notes: "CVE-2026-31635; bug introduced in 7.0 rxgk path. NO mainline 7.0 distro shipping yet — Debian 12 will report OK (predates the bug). Verifying exploit() needs a hand-built 7.0-rc kernel."
-  manual_for_exploit_verify: true
+  box: ubuntu2204
+  kernel_pkg: ""
+  mainline_version: "6.19.7"   # below the 6.19.13 backport → genuinely vulnerable
+  kernel_version: "6.19.7"
+  expect_detect: VULNERABLE
+  notes: "CVE-2026-31635; rxgk RESPONSE oversized auth_len. Per NVD: bug entered at 6.16.1, vulnerable through 6.18.22 / 6.19.12 / 7.0-rc7; fixed at 6.18.23 / 6.19.13 / 7.0 stable. Mainline 6.19.7 is below the .13 backport → genuinely VULNERABLE. (Earlier module code wrongly gated 'predates' on 7.0; fixed in this commit by gating on 6.16.1 + adding 6.18.23 to the backport table.)"
 
 entrybleed:
   box: ubuntu2204
@@ -98,12 +98,12 @@ entrybleed:
   notes: "CVE-2023-0458; side-channel applies to any KPTI-on Intel x86_64 host. Stock Ubuntu 22.04 will report VULNERABLE if meltdown sysfs shows 'Mitigation: PTI'."
 
 fragnesia:
-  box: debian12
+  box: ""
   kernel_pkg: ""
-  kernel_version: "7.0.0"
-  expect_detect: OK
-  notes: "CVE-2026-46300; XFRM ESP-in-TCP bug. Needs 7.0-rc; Debian 12 reports OK."
-  manual_for_exploit_verify: true
+  kernel_version: ""
+  expect_detect: ""
+  manual: true
+  notes: "CVE-2026-46300; XFRM ESP-in-TCP bug. Fix lands at 7.0.9. Verifying VULNERABLE needs a pre-fix 7.0.x kernel. Mainline 7.0.5 was tried via Ubuntu 22.04 + kernel.ubuntu.com — fails because the 7.0.5 kernel .debs depend on the t64-transition libs (libssl3t64, libelf1t64) which only exist on Ubuntu 24.04+ / Debian 13+. No Vagrant box with Parallels provider has those libs yet. dpkg --force-depends leaves the kernel image in iHR (broken) state with no /boot/vmlinuz deposited. Resolution: wait for a Parallels-supported ubuntu2404 / debian13 box, or build one locally."
 
 fuse_legacy:
   box: debian11
@@ -241,7 +241,7 @@ pintheft:
   box: ""                     # RDS is blacklisted on every common Vagrant box's stock kernel
   kernel_pkg: ""
   kernel_version: ""
-  expect_detect: OK
+  expect_detect: VULNERABLE
   notes: "CVE-2026-43494; PinTheft. Among Vagrant-supported distros, NONE autoload the rds kernel module (Arch Linux is the only common distro that does, and there's no maintained generic/arch-linux Vagrant box). On Debian/Ubuntu/Fedora boxes the AF_RDS socket() call fails with EAFNOSUPPORT → detect correctly returns OK ('bug exists in kernel but unreachable from userland here'). Verifying the VULNERABLE path needs either an Arch box, or a custom box with the rds module pre-loaded ('modprobe rds && modprobe rds_tcp'). Deferred."
   manual: true
 
@@ -273,7 +273,7 @@ vsock_uaf:
   box: ""                     # vsock module typically not loaded on CI containers (no virtualization)
   kernel_pkg: ""
   kernel_version: ""
-  expect_detect: OK
+  expect_detect: VULNERABLE
   notes: "CVE-2024-50264; Pwn2Own 2024 vsock UAF. AF_VSOCK requires the vsock kernel module, which autoloads only on KVM/QEMU GUESTS. Vagrant VMs running under Parallels are themselves guests, but their guest kernel may or may not have vsock loaded depending on the Parallels host. detect correctly returns OK when AF_VSOCK is unavailable. To validate VULNERABLE, ensure the VM kernel has CONFIG_VSOCKETS + virtio-vsock loaded ('modprobe vsock_loopback' may suffice on newer kernels)."
   manual: true