Interactive demos showing agentsh blocking real-world exploit paths with execution-layer controls.
CVE-2025-32463 local privilege escalation blocked by agentsh file, command, and syscall controls.
Watch demo → CVE-2026-43284 · CVE-2026-43500Linux kernel page-cache write primitive via IPsec and RxRPC gateway sockets, closed by two surgical socket_rules.
Watch demo → CVE-2026-31635Linux kernel rxgk/RxRPC setup surface blocked by agentsh's DirtyFrag mitigation set or a single AF_RXRPC socket rule.
Watch demo → CVE-2026-46300Linux kernel page-cache attack path through XFRM ESP-in-TCP setup, blocked by agentsh's DirtyFrag mitigation set.
Watch demo → CVE-2026-31431Linux kernel page-cache write primitive via AF_ALG, blocked by agentsh's default seccomp configuration — zero custom rules required.
Watch demo →Each mitigation page isolates one exploit setup path and compares the raw kernel surface with the same operation under agentsh. The point is not to ship exploit code. The demos show whether the risky syscall, socket family, command, or file access can be reached by an untrusted process, and then show the policy decision agentsh returns when that process is wrapped.
This is the execution-layer security model in concrete form: policy is evaluated against the actual operation, not against the prompt that caused it. When a setup socket is denied, the process receives a normal kernel-style error and the session audit records the decision. For definitions of socket rules, deterministic enforcement, and audit events, see the Glossary.