KernelGP: Racing Against the Android Kernel
Talk by Chariton Karamitas about ways to use FUSE for kernel exploitation from unprivileged SELinux contexts on Android.
Talk by Chariton Karamitas about ways to use FUSE for kernel exploitation from unprivileged SELinux contexts on Android.
YouTube
OffensiveCon25 - Chariton Karamitas - KernelGP: Racing Against the Android Kernel
https://www.offensivecon.org/speakers/2025/chariton-karamitas.html
👍9🔥6
Android In-The-Wild: Unexpectedly Excavating a Kernel Exploit
Talk by Seth Jenkins about analyzing the traces of an In-The-Wild exploit that targeted the Qualcomm adsprpc driver.
Based on a previously published article.
Talk by Seth Jenkins about analyzing the traces of an In-The-Wild exploit that targeted the Qualcomm adsprpc driver.
Based on a previously published article.
YouTube
OffensiveCon25 - Seth Jenkins - Android In-The-Wild: Unexpectedly Excavating a Kernel Exploit
https://www.offensivecon.org/speakers/2025/seth-jenkins.html
👍7
How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel's SMB implementation
Article by Sean Heelan about rediscovering a bug in the ksmbd module via the OpenAI's o3 model and then finding a 0-day vulnerability as well.
The researcher had to rerun the prompt multiple times before getting a true-positive result. The o3 model managed to find the 0-day vulnerability in only ~1 out of 50 runs.
Article by Sean Heelan about rediscovering a bug in the ksmbd module via the OpenAI's o3 model and then finding a 0-day vulnerability as well.
The researcher had to rerun the prompt multiple times before getting a true-positive result. The o3 model managed to find the 0-day vulnerability in only ~1 out of 50 runs.
👍19🔥1
Bypassing MTE with CVE-2025-0072
Article by Man Yue Mo about exploiting a page use-after-free vulnerability in the ARM's Mali GPU driver in the code that manages userspace-mapped pages.
Author published an exploit for this bug that disable SELinux and gains root privileges on Pixel 8 running from the untrusted_app context. The exploit is not affected by MTE.
Article by Man Yue Mo about exploiting a page use-after-free vulnerability in the ARM's Mali GPU driver in the code that manages userspace-mapped pages.
Author published an exploit for this bug that disable SELinux and gains root privileges on Pixel 8 running from the untrusted_app context. The exploit is not affected by MTE.
👍13🔥5
Solo: A Pixel 6 Pro Story (When one bug is all you need)
Awesome article by Lin Ze Wei about adapting the Pixel 7/8 exploit for a bug in the Mali GPU driver to Pixel 6 Pro.
Awesome article by Lin Ze Wei about adapting the Pixel 7/8 exploit for a bug in the Mali GPU driver to Pixel 6 Pro.
🔥11👍2
Exploiting the CVE-2025-21756 1-day vulnerability
Hyunwoo Kim and Wongi Lee posted a kernelCTF report about exploiting a UAF in the vsock subsystem of the Linux kernel.
The researchers leaked the kernel base address using the EntryBleed side-channel attack and then turned the UAF on the vsock_sock structure into a RIP control primitive to execute a ROP-chain.
Hyunwoo Kim and Wongi Lee posted a kernelCTF report about exploiting a UAF in the vsock subsystem of the Linux kernel.
The researchers leaked the kernel base address using the EntryBleed side-channel attack and then turned the UAF on the vsock_sock structure into a RIP control primitive to execute a ROP-chain.
👍16🔥5
Bypass Kernel Barriers: Fuzzing Linux Kernel in Userspace With LKL
Xuan Xing & Eugene Rodionov gave a talk (slides) about fuzzing the Linux kernel interfaces fully in user space using LKL (Linux Kernel Library).
Xuan Xing & Eugene Rodionov gave a talk (slides) about fuzzing the Linux kernel interfaces fully in user space using LKL (Linux Kernel Library).
🔥15🤔4👍3
Fuzzing Linux Kernel Modules, with Slava Moskvin
Stream by Slava Moskvin hosted by Stephen Sims about building a custom fuzzer to rediscover CVE-2025-0927 in the HFS+ filesystem implementation.
Slava started with a simple fuzzer implementation and then improved it step-by-step by adding coverage collection, proper seed generation, mutations, etc.
The source code of the fuzzer is public.
Stream by Slava Moskvin hosted by Stephen Sims about building a custom fuzzer to rediscover CVE-2025-0927 in the HFS+ filesystem implementation.
Slava started with a simple fuzzer implementation and then improved it step-by-step by adding coverage collection, proper seed generation, mutations, etc.
The source code of the fuzzer is public.
YouTube
Fuzzing Linux Kernel Modules, with Slava Moskvin
In this video/stream, we’ll walk through the process of fuzzing Linux kernel modules from scratch: picking a subsystem, analyzing its attack surface, compiling a custom kernel, writing a simple fuzzer, and progressively making it smarter—eventually turning…
🔥19
CVE-2023-52927 - Turning a Forgotten Syzkaller Report into kCTF Exploit
Article by Hoàng Hải Long about finding an unfixed netfilter use-after-free bug reported by syzbot. The researcher exploited it to pwn the kernelCTF COS instance.
Article by Hoàng Hải Long about finding an unfixed netfilter use-after-free bug reported by syzbot. The researcher exploited it to pwn the kernelCTF COS instance.
🔥21
Debugging the Pixel 8 kernel via KGDB
Article by Andrey Konovalov about setting up KGDB on Pixel 8 for debugging its kernel.
Provides instructions for getting the kernel log over UART via USB-Cereal, building and flashing a kernel with KGDB, breaking into KGDB via /proc/sysrq-trigger or by sending SysRq-G over a serial connection, dealing with watchdogs, etc.
Article by Andrey Konovalov about setting up KGDB on Pixel 8 for debugging its kernel.
Provides instructions for getting the kernel log over UART via USB-Cereal, building and flashing a kernel with KGDB, breaking into KGDB via /proc/sysrq-trigger or by sending SysRq-G over a serial connection, dealing with watchdogs, etc.
🔥21👍5
Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama
Crusaders of Rust posted an article about exploiting a UAF in the network packet scheduler. The researchers manipulated red-black trees in the kernel to achieve a page-level UAF, which they used to escalate privileges.
Crusaders of Rust posted an article about exploiting a UAF in the network packet scheduler. The researchers manipulated red-black trees in the kernel to achieve a page-level UAF, which they used to escalate privileges.
[CVE-2025-38001] Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: An RBTree Family Drama (Part One: LTS & COS)
CVE-2025-38001 is a Use-After-Free vulnerability in the Linux network packet scheduler, specifically in the HFSC queuing discipline. When the HFSC qdisc is utilized with NETEM and NETEM packet duplication is enabled, using HFSC_RSC it is possible to cause…
🔥13😱2
From Chrome renderer code exec to kernel with MSG_OOB
Jann Horn posted an article about exploiting CVE-2025-38236, a UAF in the UNIX domain sockets. The article contains many interesting notes and takeaways on writing kernel exploits that work from within the Chrome renderer sandbox.
Jann Horn posted an article about exploiting CVE-2025-38236, a UAF in the UNIX domain sockets. The article contains many interesting notes and takeaways on writing kernel exploits that work from within the Chrome renderer sandbox.
Blogspot
From Chrome renderer code exec to kernel with MSG_OOB
Posted by Jann Horn, Google Project Zero Introduction In early June, I was reviewing a new Linux kernel feature when I learned about the...
🔥14👍2👏2
Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel
Alexander Popov (me) published an article about exploiting a race condition in AF_VSOCK subsystem, the bug that received a Pwnie Award 2025.
Despite the bug collision with other researchers, Alexander found a new exploitation method for this bug by relying on his pet project kernel-hack-drill.
Alexander Popov (me) published an article about exploiting a race condition in AF_VSOCK subsystem, the bug that received a Pwnie Award 2025.
Despite the bug collision with other researchers, Alexander found a new exploitation method for this bug by relying on his pet project kernel-hack-drill.
🔥19👍3👏3
arm64: Linear mapping is mapped at the same static virtual address
Bug report by Seth Jenkins and Jann Horn showing that the physmap region is mapped at a fixed virtual address on Android despite KASLR.
Bug report by Seth Jenkins and Jann Horn showing that the physmap region is mapped at a fixed virtual address on Android despite KASLR.
🤯12👍2🔥2
ksmbd - Fuzzing Improvements and Vulnerability Discovery
Another article by Norbert Szetei about fuzzing the ksmbd module with syzkaller.
Covers the improvements made to the fuzzer since the previous article. These improvements allowed finding an impressive amount of 23 bugs in ksmbd.
Another article by Norbert Szetei about fuzzing the ksmbd module with syzkaller.
Covers the improvements made to the fuzzer since the previous article. These improvements allowed finding an impressive amount of 23 bugs in ksmbd.
🔥5🎉1
USB HID info-leak exploit for CVE-2025-38494/CVE-2025-38495
Exploit by Andrey Konovalov for an integer underflow bug in the HID subsystem that allows leaking up to 64 KB of kernel memory over USB.
The bug is still not fixed in the Pixel and Ubuntu kernels.
Exploit by Andrey Konovalov for an integer underflow bug in the HID subsystem that allows leaking up to 64 KB of kernel memory over USB.
The bug is still not fixed in the Pixel and Ubuntu kernels.
🔥22😱6👍1