Fuzzing Linux Kernel Modules, with Slava Moskvin
Stream by Slava Moskvin hosted by Stephen Sims (on YouTube) about building a custom fuzzer to rediscover CVE-2025-0927 in the HFS+ filesystem implementation.
The stream walks through fuzzing a kernel module from scratch: picking a subsystem, analyzing its attack surface, compiling a custom kernel, and writing a simple fuzzer that is then improved step-by-step by adding coverage collection, proper seed generation, mutations, etc.
The source code of the fuzzer is public.
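To make the "coverage collection plus mutations" loop from the stream concrete, here is an added example (my own code, not Slava Moskvin's fuzzer). It fuzzes a constructed toy header parser, which is not HFS+ code, and stands a manual edge bitmap in for the KCOV coverage a real kernel fuzzer would read. The "bug" is simulated: reaching the deepest check path returns 1 instead of crashing. Running the same loop with and without coverage feedback shows why the feedback matters: the blind run can never pass all checks from an all-zero seed within three mutations per execution, while the guided run walks through them one edge at a time. The PRNG seed and the check chain are arbitrary choices for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INPUT_LEN  16
#define MAX_CORPUS 64

/* Edges of the toy target; in a real kernel fuzzer these bits come from KCOV. */
enum { EDGE_SIG0, EDGE_SIG1, EDGE_VERSION, EDGE_BLKSZ, EDGE_BUG, N_EDGES };

static uint8_t coverage[N_EDGES];              /* per-execution edge bitmap */
static uint8_t found[INPUT_LEN];               /* input that reached the bug path */

static void hit(int edge) { coverage[edge] = 1; }

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed stand-in for a filesystem header parser (not HFS+): a chain of
 * checks a blind mutator rarely passes at once. Returns 1 on the "bug" path. */
static int parse_header(const uint8_t *buf, size_t len)
{
    if (len < INPUT_LEN) return -1;
    if (buf[0] != 'H') return 0;
    hit(EDGE_SIG0);
    if (buf[1] != '+') return 0;
    hit(EDGE_SIG1);
    uint16_t version = (uint16_t)(buf[2] | buf[3] << 8);
    if (version != 4) return 0;
    hit(EDGE_VERSION);
    uint32_t blksz = le32(buf + 4);
    if (blksz == 0 || (blksz & (blksz - 1)) != 0) return 0;   /* power of two */
    hit(EDGE_BLKSZ);
    uint32_t nblocks = le32(buf + 8);
    if (nblocks > 0xffff) {                  /* oversized count: simulated crash */
        hit(EDGE_BUG);
        return 1;
    }
    return 0;
}

static uint32_t rng_state = 1;               /* xorshift32 keeps runs reproducible */
static uint32_t rnd(void)
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static const uint8_t interesting[] = { 0, 1, 2, 4, 8, 0x10, 0x40, 0x7f, 0x80, 0xff };

/* One AFL-style havoc step: bit flip, random byte, interesting value or small delta. */
static void mutate(uint8_t *buf, size_t len)
{
    size_t pos = rnd() % len;
    switch (rnd() % 4) {
    case 0:  buf[pos] ^= (uint8_t)(1u << (rnd() % 8)); break;
    case 1:  buf[pos] = (uint8_t)rnd(); break;
    case 2:  buf[pos] = interesting[rnd() % sizeof interesting]; break;
    default: buf[pos] = (uint8_t)(buf[pos] + (int)(rnd() % 35) - 17); break;
    }
}

/* Runs up to `budget` executions from `seed`. With `guided`, inputs that light
 * up a new edge join the corpus and become mutation parents; otherwise only the
 * seed is mutated. Returns the execution number that reached the bug path
 * (input copied to `found`), or 0 when the budget runs out. */
static long fuzz(const uint8_t *seed, long budget, int guided, uint32_t prng_seed)
{
    static uint8_t corpus[MAX_CORPUS][INPUT_LEN];
    uint8_t seen[N_EDGES] = {0}, cur[INPUT_LEN];
    size_t ncorpus = 1;

    memcpy(corpus[0], seed, INPUT_LEN);
    rng_state = prng_seed ? prng_seed : 1;
    for (long it = 1; it <= budget; it++) {
        memcpy(cur, corpus[rnd() % ncorpus], INPUT_LEN);
        int nmut = 1 + (int)(rnd() % 3);
        for (int i = 0; i < nmut; i++) mutate(cur, INPUT_LEN);

        memset(coverage, 0, sizeof coverage);
        if (parse_header(cur, INPUT_LEN) == 1) {
            memcpy(found, cur, INPUT_LEN);
            return it;
        }
        int new_cov = 0;
        for (int e = 0; e < N_EDGES; e++)
            if (coverage[e] && !seen[e]) { seen[e] = 1; new_cov = 1; }
        if (guided && new_cov && ncorpus < MAX_CORPUS)
            memcpy(corpus[ncorpus++], cur, INPUT_LEN);
    }
    return 0;
}

/* Demo helpers: both modes from a constructed all-zero seed, fixed PRNG seed. */
static long run_guided(void) { uint8_t seed[INPUT_LEN] = {0}; return fuzz(seed, 1000000, 1, 0x1234567); }
static long run_blind(void)  { uint8_t seed[INPUT_LEN] = {0}; return fuzz(seed, 1000000, 0, 0x1234567); }

int main(void)
{
    long g = run_guided();
    printf("coverage-guided: bug path reached after %ld executions\n", g);
    printf("blind mutation:  %s\n", run_blind() ? "bug path reached" : "budget exhausted");
    return 0;
}
```

The guided run keeps every input that uncovers a new edge and mutates from the corpus, so each check in the chain is solved independently; the blind run has to satisfy all five byte conditions in a single execution, which its three mutations cannot do. Swapping the manual `hit()` calls for KCOV reads and the toy parser for a mounted image is the step the stream takes next.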
CVE-2023-52927 - Turning a Forgotten Syzkaller Report into kCTF Exploit
Article by Hoàng Hải Long about finding an unfixed netfilter use-after-free bug reported by syzbot. The researcher exploited it to pwn the kernelCTF COS instance.
Debugging the Pixel 8 kernel via KGDB
Article by Andrey Konovalov about setting up KGDB on Pixel 8 for debugging its kernel.
Provides instructions for getting the kernel log over UART via USB-Cereal, building and flashing a kernel with KGDB, breaking into KGDB via /proc/sysrq-trigger or by sending SysRq-G over a serial connection, dealing with watchdogs, etc.
Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama
Crusaders of Rust posted an article about exploiting CVE-2025-38001, a UAF in the network packet scheduler (the HFSC queuing discipline combined with NETEM packet duplication). The researchers manipulated red-black trees in the kernel to achieve a page-level UAF, which they used to escalate privileges.
From Chrome renderer code exec to kernel with MSG_OOB
Jann Horn posted an article on the Project Zero blog about exploiting CVE-2025-38236, a UAF in the MSG_OOB handling of stream-oriented UNIX domain sockets. The article contains many interesting notes and takeaways on writing kernel exploits that work from within the Chrome renderer sandbox.
Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel
Alexander Popov (me) published an article about exploiting a race condition in the AF_VSOCK subsystem, the bug that received a Pwnie Award 2025.
Despite the bug collision with other researchers, Alexander found a new exploitation method for this bug by relying on his pet project kernel-hack-drill.
arm64: Linear mapping is mapped at the same static virtual address
Bug report by Seth Jenkins and Jann Horn showing that the physmap region is mapped at a fixed virtual address on Android despite KASLR.
ksmbd - Fuzzing Improvements and Vulnerability Discovery
A follow-up article by Norbert Szetei about fuzzing the ksmbd module with syzkaller.
Covers the improvements made to the fuzzer since the previous article. These improvements allowed finding an impressive 23 bugs in ksmbd.
USB HID info-leak exploit for CVE-2025-38494/CVE-2025-38495
Exploit by Andrey Konovalov for an integer underflow bug in the HID subsystem that allows leaking up to 64 KB of kernel memory over USB.
At the time of posting, the bug was still unfixed in the Pixel and Ubuntu kernels.
A Syzkaller Summer: Fixing False Positive Soft Lockups in net/sched Fuzzing
Article by Will's Root about fixing the false-positive soft lockups encountered when fuzzing the network scheduler subsystem with syzkaller.
The article also gives a summary of the exploitable bugs the author managed to find in the same subsystem.
The anatomy of a bug: 6 Months at STAR Labs
Gerrard Tai posted an article describing their experience in finding kernel bugs and participating in the KernelCTF and Pwn2Own competitions.
Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days
William Liu posted an article about chaining a slab object overflow (CVE-2023-52440) with a remote infoleak (CVE-2023-4130) in ksmbd, the in-kernel SMB3 server, to gain RCE.
ksmbd - Exploiting CVE-2025-37947
Article by Norbert Szetei about locally exploiting CVE-2025-37947, a page-granularity out-of-bounds write in the ksmbd module.
Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers
Article by Robin Bastide about exploiting a NULL-pointer dereference that led to a UAF access to the kernel stack in the NVIDIA GPU driver.
The article shows an interesting scenario of how a NULL-pointer dereference can lead to a more severe memory corruption. It also demonstrates a few techniques for shaping vmalloc memory for exploitation.
Defeating KASLR by Doing Nothing at All
Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.
kernelCTF: CVE-2025-38477
kernelCTF entry for a race condition in the network scheduler subsystem.
Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux.