# tools/verify-vm/targets.yaml — VM verification targets per module # # For each module, the (box, kernel) pair the verifier should spin up to # empirically confirm detect() + exploit() against a KNOWN-VULNERABLE # kernel. Picked from Debian snapshot / kernel.ubuntu.com / Ubuntu HWE # archives — every version below is fetch-able as a .deb package. # # Schema: # : # box: vagrant box name (matches tools/verify-vm/boxes//) # kernel_pkg: apt package name to install for the vulnerable kernel # (omit / empty if the stock distro kernel is already vulnerable) # kernel_version: expected /proc/version-style major.minor.patch # expect_detect: what skeletonkey --explain should say on a confirmed-vulnerable # target. One of: VULNERABLE | OK | PRECOND_FAIL. # notes: short rationale for the target choice. # # Boxes available (matches tools/verify-vm/boxes/): # debian11 — Debian 11 bullseye (5.10.0 stock) # debian12 — Debian 12 bookworm (6.1.0 stock) # ubuntu1804 — Ubuntu 18.04 LTS (4.15.0 stock; HWE up to 5.4) # ubuntu2004 — Ubuntu 20.04 LTS (5.4.0 stock; HWE up to 5.15) # ubuntu2204 — Ubuntu 22.04 LTS (5.15.0 stock; HWE up to 6.5) # # Adding a new target: pick the oldest LTS box whose stock or HWE kernel # is below the module's kernel_range fix threshold; if no LTS works, # install a pinned kernel from kernel.ubuntu.com / snapshot.debian.org # via the kernel_pkg field. # # Modules where no fully-automatic vulnerable target exists (need manual # kernel build or a special distro variant) are marked manual: true with # a comment explaining the constraint. af_packet: box: ubuntu1804 kernel_pkg: "" # stock 4.15.0-213-generic — patch backported kernel_version: "4.15.0" expect_detect: OK notes: "CVE-2017-7308; bug fixed mainline 4.10.6 + 4.9.18 backports. Ubuntu 18.04 stock kernel (4.15.0) is post-fix — detect() correctly returns OK. To validate the VULNERABLE path empirically would need a hand-built 4.4 or earlier kernel; deferred." af_packet2: box: ubuntu2004 kernel_pkg: linux-image-5.4.0-26-generic kernel_version: "5.4.0-26" expect_detect: VULNERABLE notes: "CVE-2020-14386; fixed in 5.9 mainline + backports; 5.4.0-26 (Ubuntu 20.04 launch) is pre-fix." af_unix_gc: box: ubuntu2204 kernel_pkg: "" mainline_version: "5.15.5" # kernel.ubuntu.com/mainline/v5.15.5/ — below 5.15.130 backport kernel_version: "5.15.5" expect_detect: VULNERABLE notes: "CVE-2023-4622; fix mainline 6.5 + backports 5.15.130/6.1.51/etc. Mainline 5.15.5 (Nov 2021) predates all backports and any silent distro patching. Installed via kernel.ubuntu.com/mainline/v5.15.5/." cgroup_release_agent: box: debian11 kernel_pkg: "" # 5.10.0 stock is pre-fix (fix 5.17) kernel_version: "5.10.0" expect_detect: VULNERABLE notes: "CVE-2022-0492; fix landed 5.17 mainline + 5.16.9 stable; 5.10.0 is below." cls_route4: box: ubuntu2004 kernel_pkg: linux-image-5.15.0-43-generic kernel_version: "5.15.0-43" expect_detect: VULNERABLE notes: "CVE-2022-2588; fix landed 5.19 / backports 5.10.143 / 5.15.67; 5.15.0-43 is below." dirty_cow: box: ubuntu1804 kernel_pkg: "" # 4.15.0 has the COW race fix; need older kernel kernel_version: "4.4.0" expect_detect: OK notes: "CVE-2016-5195; ALL 4.4+ kernels have the fix backported. Ubuntu 18.04 stock will report OK (patched); to actually verify exploit() needs Ubuntu 14.04 / kernel ≤ 4.4.0-46. Use a custom box for that." manual_for_exploit_verify: true dirty_pipe: box: ubuntu2204 kernel_pkg: "" # 22.04 stock 5.15.0-91-generic kernel_version: "5.15.0" expect_detect: OK notes: "CVE-2022-0847; introduced 5.8, fixed 5.16.11 / 5.15.25. Ubuntu 22.04 ships 5.15.0-91-generic, where uname reports '5.15.0' (below the 5.15.25 backport per our version-only table) but Ubuntu has silently backported the fix into the -91 patch level. Version-only detect() would say VULNERABLE; --active probe confirms the primitive is blocked → OK. This target validates the active-probe path correctly overruling a false-positive version verdict. (Originally pointed at Ubuntu 20.04 + pinned 5.13.0-19, but that HWE kernel is no longer in 20.04's apt archive.)" dirtydecrypt: box: ubuntu2204 kernel_pkg: "" mainline_version: "6.19.7" # below the 7.0 introduction point → 'predates the bug' OK path kernel_version: "6.19.7" expect_detect: OK notes: "CVE-2026-31635; rxgk RESPONSE-handling bug. Module's range table says fix lands at 7.0.0 mainline (commit a2567217) — meaning the bug only existed in 7.0-rcN pre-release. No shipping stable kernel is VULNERABLE. We verify the 'kernel predates rxgk code added in 7.0' OK path via mainline 6.19.7. To test VULNERABLE would require building from a 7.0-rcN tag pre-a2567217, deferred." entrybleed: box: ubuntu2204 kernel_pkg: "" # any KPTI-enabled x86_64 kernel kernel_version: "5.15.0" expect_detect: VULNERABLE notes: "CVE-2023-0458; side-channel applies to any KPTI-on Intel x86_64 host. Stock Ubuntu 22.04 will report VULNERABLE if meltdown sysfs shows 'Mitigation: PTI'." fragnesia: box: "" kernel_pkg: "" kernel_version: "" expect_detect: "" manual: true notes: "CVE-2026-46300; XFRM ESP-in-TCP bug. Fix lands at 7.0.9. Verifying VULNERABLE needs a pre-fix 7.0.x kernel. Mainline 7.0.5 was tried via Ubuntu 22.04 + kernel.ubuntu.com — fails because the 7.0.5 kernel .debs depend on the t64-transition libs (libssl3t64, libelf1t64) which only exist on Ubuntu 24.04+ / Debian 13+. No Vagrant box with Parallels provider has those libs yet. dpkg --force-depends leaves the kernel image in iHR (broken) state with no /boot/vmlinuz deposited. Resolution: wait for a Parallels-supported ubuntu2404 / debian13 box, or build one locally." fuse_legacy: box: debian11 kernel_pkg: "" # 5.10.0 is pre-fix (fix 5.16) kernel_version: "5.10.0" expect_detect: VULNERABLE notes: "CVE-2022-0185; fix 5.16.2 mainline + 5.10.93 stable; Debian 11 stock 5.10.0 is below." netfilter_xtcompat: box: debian11 kernel_pkg: "" # 5.10.0 (Debian 11 stock) is pre-fix (fix 5.13 + 5.10.46) kernel_version: "5.10.0" expect_detect: VULNERABLE notes: "CVE-2021-22555; 15-year-old bug; Debian 11 stock 5.10.0 below the 5.10.38 fix backport." nf_tables: box: ubuntu2204 kernel_pkg: "" mainline_version: "5.15.5" kernel_version: "5.15.5" expect_detect: VULNERABLE notes: "CVE-2024-1086; bug introduced 5.14; fix mainline 6.8 + 5.15.149/6.1.74 backports. Mainline 5.15.5 (Nov 2021) is well below 5.15.149 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/." nft_fwd_dup: box: debian11 kernel_pkg: "" # 5.10.0 below the 5.10.103 backport kernel_version: "5.10.0" expect_detect: VULNERABLE notes: "CVE-2022-25636; fix 5.17 mainline + 5.10.103 backport; Debian 11 stock 5.10.0 below." nft_payload: box: ubuntu2004 kernel_pkg: linux-image-5.15.0-43-generic kernel_version: "5.15.0-43" expect_detect: VULNERABLE notes: "CVE-2023-0179; fix 6.2 mainline + 5.15.91 / 5.10.162 backports; 5.15.0-43 is below." nft_set_uaf: box: ubuntu2204 kernel_pkg: "" mainline_version: "5.15.5" kernel_version: "5.15.5" expect_detect: VULNERABLE notes: "CVE-2023-32233; bug introduced 5.1; fix mainline 6.4-rc4 + 6.1.27/5.15.110 backports. Mainline 5.15.5 (Nov 2021) is below 5.15.110 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/." overlayfs: box: ubuntu2004 kernel_pkg: "" # Ubuntu-specific bug; stock 5.4 is pre-fix kernel_version: "5.4.0" expect_detect: VULNERABLE notes: "CVE-2021-3493; Ubuntu-specific overlayfs userns capability injection. Stock 5.4.0 in Ubuntu 20.04 is below the fixed package." overlayfs_setuid: box: ubuntu2204 kernel_pkg: "" # 5.15.0 stock is pre-fix (5.15.110 backport) kernel_version: "5.15.0" expect_detect: VULNERABLE notes: "CVE-2023-0386; fix 6.3 + 6.1.11 / 5.15.110 / 5.10.179; 5.15.0 stock is below." pack2theroot: box: debian12 kernel_pkg: "" # PackageKit-version bug, not kernel kernel_version: "6.1.0" expect_detect: PRECOND_FAIL notes: "CVE-2026-41651; needs PackageKit ≤ 1.3.5 + polkit + an active D-Bus session bus. Debian 12's generic cloud image is server-oriented and does NOT install PackageKit (the bug's target daemon), so detect() correctly returns PRECOND_FAIL ('PackageKit daemon not registered on the system bus'). To validate the VULNERABLE path empirically, install packagekit in the VM before verifying ('apt install -y packagekit' + 'systemctl start packagekit'); deferred to a follow-up provisioner." ptrace_traceme: box: ubuntu1804 kernel_pkg: "" # 4.15.0 stock is below the 5.1.17 fix kernel_version: "4.15.0" expect_detect: VULNERABLE notes: "CVE-2019-13272; fix 5.1.17 mainline; Ubuntu 18.04 stock 4.15 is below." pwnkit: box: ubuntu2004 kernel_pkg: "" # polkit 0.105 ships in Ubuntu 20.04 → vulnerable kernel_version: "5.4.0" expect_detect: VULNERABLE notes: "CVE-2021-4034; polkit ≤ 0.120 vulnerable. Ubuntu 20.04 ships polkit 0.105." sequoia: box: ubuntu2004 kernel_pkg: linux-image-5.4.0-26-generic kernel_version: "5.4.0-26" expect_detect: VULNERABLE notes: "CVE-2021-33909; fix 5.13.4 / 5.10.52 / 5.4.135; 5.4.0-26 is below." stackrot: box: ubuntu2204 kernel_pkg: "" mainline_version: "6.1.10" # below the 6.1.37 backport kernel_version: "6.1.10" expect_detect: VULNERABLE notes: "CVE-2023-3269; bug introduced 6.1; fix mainline 6.4 + 6.1.37/6.3.10 backports. Mainline 6.1.10 (Feb 2023) is below 6.1.37 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v6.1.10/." sudo_samedit: box: ubuntu1804 kernel_pkg: "" # ubuntu 18.04 ships sudo 1.8.21 — vulnerable to 1.9.5p1 kernel_version: "4.15.0" expect_detect: VULNERABLE notes: "CVE-2021-3156; sudo 1.8.21 vulnerable; Ubuntu 18.04 ships 1.8.21p2." sudoedit_editor: box: ubuntu2204 kernel_pkg: "" # sudo 1.9.9 in Ubuntu 22.04 is vulnerable kernel_version: "5.15.0" expect_detect: PRECOND_FAIL notes: "CVE-2023-22809; sudo ≤ 1.9.12p2 vulnerable, Ubuntu 22.04 ships 1.9.9 — version-wise vulnerable. BUT the default Vagrant 'vagrant' user has no sudoedit grant in /etc/sudoers, so detect() short-circuits to PRECOND_FAIL ('vuln version present, no grant to abuse'). This is correct and documented behaviour. To validate the VULNERABLE-by-version path empirically, provision a sudoers grant (e.g. `vagrant ALL=(ALL) sudoedit /tmp/probe`) before verifying — currently the Vagrantfile doesn't." vmwgfx: box: "" # vmware-guest only; no useful Vagrant box kernel_pkg: "" kernel_version: "" expect_detect: PRECOND_FAIL notes: "CVE-2023-2008; vmwgfx DRM only reachable on VMware guests. No Vagrant box; verify manually inside a VMware VM with a vulnerable kernel (e.g. Debian 11 / 5.10.0)." manual: true # ── v0.8.0 additions ────────────────────────────────────────────── sudo_chwoot: box: ubuntu2204 # 22.04 ships sudo 1.9.9 — provisioner builds 1.9.16p1 over it kernel_pkg: "" # this bug is sudo-version-gated, not kernel kernel_version: "5.15.0" expect_detect: VULNERABLE notes: "CVE-2025-32463; sudo --chroot NSS shim. Vulnerable range is sudo [1.9.14, 1.9.17p0]. provisioners/sudo_chwoot.sh builds sudo 1.9.16p1 from upstream sources into /usr/local/bin (which precedes /usr/bin in PATH so plain `sudo` resolves to the vulnerable binary)." udisks_libblockdev: box: debian12 # 12 ships udisks2 2.10.x + libblockdev 3.0.x — vulnerable kernel_pkg: "" kernel_version: "6.1.0" expect_detect: VULNERABLE notes: "CVE-2025-6019; udisks/libblockdev SUID-on-mount. provisioners/udisks_libblockdev.sh installs udisks2 + libblockdev-utils3 and drops a polkit rule allowing the vagrant user to invoke loop-setup/filesystem-mount — simulating the trust polkit would give a logged-in workstation user (the real-world bug-path). Without that rule, the SSH session is not 'active' per polkit and the D-Bus call short-circuits." pintheft: box: "" # RDS is blacklisted on every common Vagrant box's stock kernel kernel_pkg: "" kernel_version: "" expect_detect: OK notes: "CVE-2026-43494; PinTheft. Among Vagrant-supported distros, NONE autoload the rds kernel module (Arch Linux is the only common distro that does, and there's no maintained generic/arch-linux Vagrant box). On Debian/Ubuntu/Fedora boxes the AF_RDS socket() call fails with EAFNOSUPPORT → detect correctly returns OK ('bug exists in kernel but unreachable from userland here'). Verifying the VULNERABLE path needs either an Arch box, or a custom box with the rds module pre-loaded ('modprobe rds && modprobe rds_tcp'). Deferred." manual: true # ── v0.9.0 additions (gap fillers 2018 / 2019 / 2020 / 2024) ────── mutagen_astronomy: box: "" kernel_pkg: "" kernel_version: "" expect_detect: "" manual: true notes: "CVE-2018-14634; Qualys Mutagen Astronomy. No good Vagrant verification environment: stock Ubuntu 18.04 (4.15.0-213) returns detect()=VULNERABLE because the module's kernel_range table has no entry for the 4.15.x series (Ubuntu's HWE backports are not modeled), but the kernel IS actually patched — false-positive of the conservative module logic. Mainline 4.14.70 (target VULNERABLE kernel) panics on Ubuntu 18.04's rootfs with 'Failed to execute /init (error -8)' — kernel config mismatch (binfmt_elf as module rather than baked-in). Genuinely vulnerable verification needs a contemporary CentOS 6 / Debian 7 image with original-vintage kernel; deferred to custom-box workflow." sudo_runas_neg1: box: ubuntu1804 # ships sudo 1.8.21p2 (vulnerable; pre-1.8.28 fix) kernel_pkg: "" kernel_version: "4.15.0" expect_detect: VULNERABLE notes: "CVE-2019-14287; sudo Runas -u#-1. Ubuntu 18.04 ships sudo 1.8.21p2 (vulnerable). provisioners/sudo_runas_neg1.sh adds 'vagrant ALL=(ALL,!root) NOPASSWD: /bin/vi' to /etc/sudoers.d/ so find_runas_blacklist_grant() has a grant to abuse." tioscpgrp: box: ubuntu2004 # 5.4 stock kernels (5.4.0-26) are below the 5.4.85 backport kernel_pkg: linux-image-5.4.0-26-generic kernel_version: "5.4.0-26" expect_detect: VULNERABLE notes: "CVE-2020-29661; TTY TIOCSPGRP UAF race. Stock Ubuntu 20.04 5.4.0-26 is below the 5.4.85 LTS backport. /dev/ptmx is universally writable in CI containers. Should validate VULNERABLE." vsock_uaf: box: "" # vsock module typically not loaded on CI containers (no virtualization) kernel_pkg: "" kernel_version: "" expect_detect: OK notes: "CVE-2024-50264; Pwn2Own 2024 vsock UAF. AF_VSOCK requires the vsock kernel module, which autoloads only on KVM/QEMU GUESTS. Vagrant VMs running under Parallels are themselves guests, but their guest kernel may or may not have vsock loaded depending on the Parallels host. detect correctly returns OK when AF_VSOCK is unavailable. To validate VULNERABLE, ensure the VM kernel has CONFIG_VSOCKETS + virtio-vsock loaded ('modprobe vsock_loopback' may suffice on newer kernels)." manual: true nft_pipapo: box: ubuntu2204 # 5.15 stock + HWE — same pipapo set substrate as nf_tables kernel_pkg: "" mainline_version: "5.15.5" kernel_version: "5.15.5" expect_detect: VULNERABLE notes: "CVE-2024-26581; nft_pipapo destroy-race (Notselwyn II). Same mainline 5.15.5 target as nf_tables works here — 5.15.5 is below the 5.15.149 backport. (Switched from apt-pinned 5.15.0-43 after that package was removed from Ubuntu repos.) Userns gate must be open (sysctl kernel.unprivileged_userns_clone=1)."