Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel
Alexander Popov (me) published an article about exploiting a race condition in AF_VSOCK subsystem, the bug that received a Pwnie Award 2025.
Despite the bug collision with other researchers, Alexander found a new exploitation method for this bug by relying on his pet project kernel-hack-drill.
Alexander Popov (me) published an article about exploiting a race condition in AF_VSOCK subsystem, the bug that received a Pwnie Award 2025.
Despite the bug collision with other researchers, Alexander found a new exploitation method for this bug by relying on his pet project kernel-hack-drill.
🔥19👍3👏3
arm64: Linear mapping is mapped at the same static virtual address
Bug report by Seth Jenkins and Jann Horn showing that the physmap region is mapped at a fixed virtual address on Android despite KASLR.
Bug report by Seth Jenkins and Jann Horn showing that the physmap region is mapped at a fixed virtual address on Android despite KASLR.
🤯12👍2🔥2
ksmbd - Fuzzing Improvements and Vulnerability Discovery
Another article by Norbert Szetei about fuzzing the ksmbd module with syzkaller.
Covers the improvements made to the fuzzer since the previous article. These improvements allowed finding an impressive amount of 23 bugs in ksmbd.
Another article by Norbert Szetei about fuzzing the ksmbd module with syzkaller.
Covers the improvements made to the fuzzer since the previous article. These improvements allowed finding an impressive amount of 23 bugs in ksmbd.
🔥5🎉1
USB HID info-leak exploit for CVE-2025-38494/CVE-2025-38495
Exploit by Andrey Konovalov for an integer underflow bug in the HID subsystem that allows leaking up to 64 KB of kernel memory over USB.
The bug is still not fixed in the Pixel and Ubuntu kernels.
Exploit by Andrey Konovalov for an integer underflow bug in the HID subsystem that allows leaking up to 64 KB of kernel memory over USB.
The bug is still not fixed in the Pixel and Ubuntu kernels.
🔥22😱6👍1
A Syzkaller Summer: Fixing False Positive Soft Lockups in net/sched Fuzzing
Article by Will's Root about fixing the soft lockup bug found when fuzzing the network scheduler subsystem with syzkaller.
The article also gives a summary about the exploitable bugs the author managed to find in the same subsystem.
Article by Will's Root about fixing the soft lockup bug found when fuzzing the network scheduler subsystem with syzkaller.
The article also gives a summary about the exploitable bugs the author managed to find in the same subsystem.
🔥9
The anatomy of a bug: 6 Months at STAR Labs
Gerrard Tai posted an article describing their experience in finding kernel bugs and participating in the KernelCTF and Pwn2Own competitions.
Gerrard Tai posted an article describing their experience in finding kernel bugs and participating in the KernelCTF and Pwn2Own competitions.
🔥9
Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days
William Liu posted an article about exploiting a slab object overflow (CVE-2023-52440) and remote infoleak (CVE-2023-4130) in the kernel SMB3 daemon to gain RCE.
William Liu posted an article about exploiting a slab object overflow (CVE-2023-52440) and remote infoleak (CVE-2023-4130) in the kernel SMB3 daemon to gain RCE.
🔥10🤔3👎2👍1
ksmbd - Exploiting CVE-2025-37947
Article by Norbert Szetei about locally exploiting CVE-2025-37947 — a page OOB write in the ksmbd module.
Article by Norbert Szetei about locally exploiting CVE-2025-37947 — a page OOB write in the ksmbd module.
👍12
Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers
Article by Robin Bastide about exploiting a NULL-pointer-dereference that led to a UAF access to the kernel stack in the NVIDIA GPU driver.
The article shows an interesting scenario of how a NULL-pointer-dereference can lead to a more severe memory corruption. It also demonstrates a few techniques of shaping vmalloc memory for exploitation.
Article by Robin Bastide about exploiting a NULL-pointer-dereference that led to a UAF access to the kernel stack in the NVIDIA GPU driver.
The article shows an interesting scenario of how a NULL-pointer-dereference can lead to a more severe memory corruption. It also demonstrates a few techniques of shaping vmalloc memory for exploitation.
👍5🤯4🔥1
Defeating KASLR by Doing Nothing at All
Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.
Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.
🔥11🤯3👍2🤔2
kernelCTF: CVE-2025-38477
kernelCTF entry for a race condition in the network scheduler subsystem.
Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux.
kernelCTF entry for a race condition in the network scheduler subsystem.
Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux.
👍13
LPE via refcount imbalance in the af_unix of Ubuntu
Article and exploit by kylebot for a refcount imbalance bug in the Ubuntu kernel's Unix sockets implementation disclosed during the TyphoonPWN 2025 competition.
Article and exploit by kylebot for a refcount imbalance bug in the Ubuntu kernel's Unix sockets implementation disclosed during the TyphoonPWN 2025 competition.
👍8
Exploiting CVE-2025-21479 on a Samsung S23
Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on Samsung S23 via a combination of page table attacks.
Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on Samsung S23 via a combination of page table attacks.
👏11👎5😱4🤔2
Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE
Talk (slides) by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.
Talk (slides) by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.
🤔4🔥3
Enhancing FineIBT
LWN article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).
The article also refers to another post "A hole in FineIBT protection" about a method to bypass this CFI mechanism.
LWN article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).
The article also refers to another post "A hole in FineIBT protection" about a method to bypass this CFI mechanism.
Slice: SAST + LLM Interprocedural Context Extractor
Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899 — a remotely-triggerable vulnerability in the ksmbd module.
Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899 — a remotely-triggerable vulnerability in the ksmbd module.
🔥4
LinkPro: eBPF rootkit analysis
Théo Letailleur published an article with a detailed denoscription of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".
Théo Letailleur published an article with a detailed denoscription of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".
Synacktiv
LinkPro: eBPF rootkit analysis
🔥13👍5👏3🤔1
Race Condition Symphony: From Tiny Idea to Pwnie
Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264 — a race condition in the vsock subsystem.
Previously, Alexander Popov described another way to exploit this vulnerability.
Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264 — a race condition in the vsock subsystem.
Previously, Alexander Popov described another way to exploit this vulnerability.
👍15