Add kernelCTF CVE-2026-23274_cos#352

Open
pjwhatforlunch wants to merge 11 commits into google:master from pjwhatforlunch:master

Conversation

@pjwhatforlunch

No description provided.

@google-cla

google-cla bot commented Mar 22, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@koczkatamas
Collaborator

Hey! You are probably aware but the submission does not repro on GHA, please fix that, so we can proceed with the verification to pay out the first half of the reward.

@pjwhatforlunch
Author

> Hey! You are probably aware but the submission does not repro on GHA, please fix that, so we can proceed with the verification to pay out the first half of the reward.

Thanks for the reminder! We shall fix the KASLR issue later. However, we have one issue related to vuln_verify that we cannot address:
As CVE-2026-23274 is a UBI bug, KASAN is not able to detect it. KASAN also makes it hard to reclaim the freed slot to init the UBI data. If the data is uninitialized, the UBI will have no observable effects.
Thus, we currently have no idea how to satisfy the vuln_verify part.

In fact we cannot bypass KASLR in CI rn as well, but I think that is solvable eventually

@koczkatamas
Copy link
Copy Markdown
Collaborator

If the vulnerability cannot be detected by KASAN, then you don't have to satisfy vuln-verify, we will manually review the submission.

For the KASLR leak, we implemented it in kernelXDK, maybe that works better?
