ksmbd - Exploiting CVE-2025-37947
Article by Norbert Szetei about locally exploiting CVE-2025-37947 — a page OOB write in the ksmbd module.
Article by Norbert Szetei about locally exploiting CVE-2025-37947 — a page OOB write in the ksmbd module.
👍12
Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers
Article by Robin Bastide about exploiting a NULL-pointer-dereference that led to a UAF access to the kernel stack in the NVIDIA GPU driver.
The article shows an interesting scenario of how a NULL-pointer-dereference can lead to a more severe memory corruption. It also demonstrates a few techniques of shaping vmalloc memory for exploitation.
Article by Robin Bastide about exploiting a NULL-pointer-dereference that led to a UAF access to the kernel stack in the NVIDIA GPU driver.
The article shows an interesting scenario of how a NULL-pointer-dereference can lead to a more severe memory corruption. It also demonstrates a few techniques of shaping vmalloc memory for exploitation.
👍5🤯4🔥1
Defeating KASLR by Doing Nothing at All
Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.
Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.
🔥11🤯3👍2🤔2
kernelCTF: CVE-2025-38477
kernelCTF entry for a race condition in the network scheduler subsystem.
Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux.
kernelCTF entry for a race condition in the network scheduler subsystem.
Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux.
👍13
LPE via refcount imbalance in the af_unix of Ubuntu
Article and exploit by kylebot for a refcount imbalance bug in the Ubuntu kernel's Unix sockets implementation disclosed during the TyphoonPWN 2025 competition.
Article and exploit by kylebot for a refcount imbalance bug in the Ubuntu kernel's Unix sockets implementation disclosed during the TyphoonPWN 2025 competition.
👍8
Exploiting CVE-2025-21479 on a Samsung S23
Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on Samsung S23 via a combination of page table attacks.
Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on Samsung S23 via a combination of page table attacks.
👏11👎5😱4🤔2
Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE
Talk (slides) by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.
Talk (slides) by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.
🤔4🔥3
Enhancing FineIBT
LWN article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).
The article also refers to another post "A hole in FineIBT protection" about a method to bypass this CFI mechanism.
LWN article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).
The article also refers to another post "A hole in FineIBT protection" about a method to bypass this CFI mechanism.
Slice: SAST + LLM Interprocedural Context Extractor
Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899 — a remotely-triggerable vulnerability in the ksmbd module.
Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899 — a remotely-triggerable vulnerability in the ksmbd module.
🔥4
LinkPro: eBPF rootkit analysis
Théo Letailleur published an article with a detailed description of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".
Théo Letailleur published an article with a detailed description of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".
Synacktiv
LinkPro: eBPF rootkit analysis
🔥14👍5👏3🤔1
Race Condition Symphony: From Tiny Idea to Pwnie
Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264 — a race condition in the vsock subsystem.
Previously, Alexander Popov described another way to exploit this vulnerability.
Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264 — a race condition in the vsock subsystem.
Previously, Alexander Popov described another way to exploit this vulnerability.
👍16
CUDA de Grâce
Talk (slides) by Valentina Palmiotti and Samuel Lovejoy about exploiting a race condition that leads to a double-free in the NVIDIA GPU driver to escape a container created with NVIDIA Container Toolkit.
Talk (slides) by Valentina Palmiotti and Samuel Lovejoy about exploiting a race condition that leads to a double-free in the NVIDIA GPU driver to escape a container created with NVIDIA Container Toolkit.
YouTube
HEXACON 2025 - CUDA de Grâce by Valentina Palmiotti & Samuel Lovejoy
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
🔥12
Déjà Vu in Linux io_uring
Talk (slides) by Pumpkin about exploiting CVE-2025-21836 — a race condition that leads to a use-after-free in the io_uring subsystem.
Talk (slides) by Pumpkin about exploiting CVE-2025-21836 — a race condition that leads to a use-after-free in the io_uring subsystem.
YouTube
HEXACON 2025 - Déjà Vu in Linux io_uring by Pumpkin
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
🔥8
An RbTree Family Drama
Talk (slides) by William Liu and Savino Dicanosa about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler.
The exploit was also covered in a previously posted article.
Talk (slides) by William Liu and Savino Dicanosa about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler.
The exploit was also covered in a previously posted article.
YouTube
HEXACON 2025 - An RbTree Family Drama by William Liu & Savino Dicanosa
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
🔥10
Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit
MatheuZSec published a detailed article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.
MatheuZSec published a detailed article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.
blog.kyntra.io
Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit – Kyntra Blog
Deep dive into a modern stealth Linux kernel rootkit with advanced evasion and persistence techniques
🔥12👍1
CVE-2025-68260: rust_binder: fix race condition on death_list
First CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an
First CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an
unsafe code block.🔥19🎉3
mediatek? more like media-rekt, amirite.
Article by hypr covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers.
The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.
Article by hypr covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers.
The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.
hyprblog
mediatek? more like media-REKT, amirite.
A year-in-review going over 19+ bugs in Mediatek’s MT76xx/MT7915 (and others) wifi chipsets I reported this year, PoCs included!
👍9🔥5😱3
Dangling pointers, fragile memory — from an undisclosed vulnerability to Pixel 9 Pro privilege escalation
Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.
Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.
京东獬豸信息安全实验室
悬挂的指针、脆弱的内存──从一个未公开的漏洞到 Pixel 9 Pro 提权
GPU 驱动由于其与内存管理的紧密联系,已经成为近年来 Android Kernel 中一个比较有价值的攻击面,与 GPU 相关的 CVE 不算少,但是只有很少数漏洞被公开分析,安全公告中也不会谈及漏洞细节,因此每个版本的 patch 就成了分析漏洞的重要线索。
🤯3👍2
Article series about exploiting CVE-2025-38352
Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers.
Part 1️⃣ describes reproducing this race condition.
Part 2️⃣ explains how to extend the race window (a period of time when the race can be triggered).
Part 3️⃣ shows a complex PoC exploit for the UAF caused by this race condition.
Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers.
Part 1️⃣ describes reproducing this race condition.
Part 2️⃣ explains how to extend the race window (a period of time when the race can be triggered).
Part 3️⃣ shows a complex PoC exploit for the UAF caused by this race condition.
faith2dxy.xyz
CVE-2025-38352 (Part 3) - Uncovering Chronomaly
Walking through the exploit development process of the Chronomaly exploit for CVE-2025-38352.
🔥8