Slice: SAST + LLM Interprocedural Context Extractor
Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899 — a remotely-triggerable vulnerability in the ksmbd module.
LinkPro: eBPF rootkit analysis
Théo Letailleur published an article with a detailed description of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".
Synacktiv
Race Condition Symphony: From Tiny Idea to Pwnie
Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264 — a race condition in the vsock subsystem.
Previously, Alexander Popov described another way to exploit this vulnerability.
CUDA de Grâce
Talk (slides) by Valentina Palmiotti and Samuel Lovejoy about exploiting a race condition that leads to a double-free in the NVIDIA GPU driver to escape a container created with NVIDIA Container Toolkit.
YouTube
HEXACON 2025 - CUDA de Grâce by Valentina Palmiotti & Samuel Lovejoy
Déjà Vu in Linux io_uring
Talk (slides) by Pumpkin about exploiting CVE-2025-21836 — a race condition that leads to a use-after-free in the io_uring subsystem.
YouTube
HEXACON 2025 - Déjà Vu in Linux io_uring by Pumpkin
An RbTree Family Drama
Talk (slides) by William Liu and Savino Dicanosa about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler.
The exploit was also covered in a previously posted article.
YouTube
HEXACON 2025 - An RbTree Family Drama by William Liu & Savino Dicanosa
Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit
MatheuZSec published a detailed article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.
blog.kyntra.io
Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit – Kyntra Blog
Deep dive into a modern stealth Linux kernel rootkit with advanced evasion and persistence techniques
CVE-2025-68260: rust_binder: fix race condition on death_list
The first CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an unsafe code block.
mediatek? more like media-rekt, amirite.
Article by hypr covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers.
The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.
hyprblog
mediatek? more like media-REKT, amirite.
A year-in-review going over 19+ bugs in Mediatek’s MT76xx/MT7915 (and others) wifi chipsets I reported this year, PoCs included!
Dangling pointers, fragile memory — from an undisclosed vulnerability to Pixel 9 Pro privilege escalation
Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.
JD Xiezhi Information Security Lab (京东獬豸信息安全实验室)
Dangling pointers, fragile memory: from an undisclosed vulnerability to Pixel 9 Pro privilege escalation
Because of its close ties to memory management, the GPU driver has become a fairly valuable attack surface in the Android kernel in recent years. There are quite a few GPU-related CVEs, but only a handful have been publicly analyzed, and security bulletins do not discuss vulnerability details, so the patch in each release becomes an important clue for analyzing the vulnerability.
Article series about exploiting CVE-2025-38352
Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers.
Part 1️⃣ describes reproducing this race condition.
Part 2️⃣ explains how to extend the race window (a period of time when the race can be triggered).
Part 3️⃣ shows a complex PoC exploit for the UAF caused by this race condition.
faith2dxy.xyz
CVE-2025-38352 (Part 3) - Uncovering Chronomaly
Walking through the exploit development process of the Chronomaly exploit for CVE-2025-38352.