Déjà Vu in Linux io_uring
Talk (slides) by Pumpkin about exploiting CVE-2025-21836 — a race condition that leads to a use-after-free in the io_uring subsystem.
Talk (slides) by Pumpkin about exploiting CVE-2025-21836 — a race condition that leads to a use-after-free in the io_uring subsystem.
YouTube
HEXACON 2025 - Déjà Vu in Linux io_uring by Pumpkin
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
🔥8
An RbTree Family Drama
Talk (slides) by William Liu and Savino Dicanosa about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler.
The exploit was also covered in a previously posted article.
Talk (slides) by William Liu and Savino Dicanosa about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler.
The exploit was also covered in a previously posted article.
YouTube
HEXACON 2025 - An RbTree Family Drama by William Liu & Savino Dicanosa
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
🔥10
Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit
MatheuZSec published a detailed article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.
MatheuZSec published a detailed article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.
blog.kyntra.io
Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit – Kyntra Blog
Deep dive into a modern stealth Linux kernel rootkit with advanced evasion and persistence techniques
🔥12👍1
CVE-2025-68260: rust_binder: fix race condition on death_list
First CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an
First CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an
unsafe code block.🔥19🎉4
mediatek? more like media-rekt, amirite.
Article by hypr covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers.
The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.
Article by hypr covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers.
The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.
hyprblog
mediatek? more like media-REKT, amirite.
A year-in-review going over 19+ bugs in Mediatek’s MT76xx/MT7915 (and others) wifi chipsets I reported this year, PoCs included!
👍9🔥5😱3
Dangling pointers, fragile memory — from an undisclosed vulnerability to Pixel 9 Pro privilege escalation
Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.
Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.
京东獬豸信息安全实验室
悬挂的指针、脆弱的内存──从一个未公开的漏洞到 Pixel 9 Pro 提权
GPU 驱动由于其与内存管理的紧密联系,已经成为近年来 Android Kernel 中一个比较有价值的攻击面,与 GPU 相关的 CVE 不算少,但是只有很少数漏洞被公开分析,安全公告中也不会谈及漏洞细节,因此每个版本的 patch 就成了分析漏洞的重要线索。
🤯4👍2
Article series about exploiting CVE-2025-38352
Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers.
Part 1️⃣ describes reproducing this race condition.
Part 2️⃣ explains how to extend the race window (a period of time when the race can be triggered).
Part 3️⃣ shows a complex PoC exploit for the UAF caused by this race condition.
Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers.
Part 1️⃣ describes reproducing this race condition.
Part 2️⃣ explains how to extend the race window (a period of time when the race can be triggered).
Part 3️⃣ shows a complex PoC exploit for the UAF caused by this race condition.
faith2dxy.xyz
CVE-2025-38352 (Part 3) - Uncovering Chronomaly
Walking through the exploit development process of the Chronomaly exploit for CVE-2025-38352.
🔥10
A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave
Article by Seth Jenkins about exploiting a use-after-free in the driver for BigWave — an AV1 decoding hardware component present on Pixel SOCs.
Seth used the bug to escalate privileges from the mediacodec SELinux context and obtain root on Pixel 9.
This exploit is a part of an RCE chain developed by Seth and Natalie Silvanovich.
Article by Seth Jenkins about exploiting a use-after-free in the driver for BigWave — an AV1 decoding hardware component present on Pixel SOCs.
Seth used the bug to escalate privileges from the mediacodec SELinux context and obtain root on Pixel 9.
This exploit is a part of an RCE chain developed by Seth and Natalie Silvanovich.
👍7🔥4
Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
Talk (slides) by Xingyu Jin and Martijn Bogaard about a new type of logical bugs in kernel driver mmap handlers exploitable via the ptrace functionality.
Authors found multiple Android vendor drivers affected by the issue. They also wrote an exploit for the IMG DXT GPU driver to escalate privileges on Pixel 10.
Talk (slides) by Xingyu Jin and Martijn Bogaard about a new type of logical bugs in kernel driver mmap handlers exploitable via the ptrace functionality.
Authors found multiple Android vendor drivers affected by the issue. They also wrote an exploit for the IMG DXT GPU driver to escalate privileges on Pixel 10.
YouTube
POC2025 | Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
📌 Title
Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
📌 Speaker
Xingyu Jin, Martijn Bogaard
(@Google)
#POC #PowerOfCommunity #POC2025
Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
📌 Speaker
Xingyu Jin, Martijn Bogaard
(@Google)
#POC #PowerOfCommunity #POC2025
🔥13
[Cryptodev-linux] Page-level UAF exploitation
nasm_re posted an article about exploiting a page-level UAF in the out-of-tree cryptodev-linux driver. The researcher modified
nasm_re posted an article about exploiting a page-level UAF in the out-of-tree cryptodev-linux driver. The researcher modified
struct file sprayed into a freed page to escalate privileges.nasm.re
[Cryptodev-linux] Page-level UAF exploitation
IntroductionIn november 2025 I started a fuzzing campaign against cryptodev-linux as part of a school project. I found +10 bugs (UAF, NULL pointer dereferences and integer overflows) and among all of
🔥9👍1
setresuid(⚡): Glitching Google's TV Streamer from adb to root.
Talk (slides) by Niek Timmers about glitching the kernel of the Android-based Google TV Streamer device to escalate privileges via Electromagnetic Fault Injection.
The researcher glitched the setresuid syscall handler to bypass its checks and obtain the UID of 0. Bypassing SELinux via glitching remains to be investigated.
Talk (slides) by Niek Timmers about glitching the kernel of the Android-based Google TV Streamer device to escalate privileges via Electromagnetic Fault Injection.
The researcher glitched the setresuid syscall handler to bypass its checks and obtain the UID of 0. Bypassing SELinux via glitching remains to be investigated.
YouTube
Hardwear.io NL 2025: Glitching Google's TV Streamer From Adb To Root - Niek Timmers
Talk Title: Setresuid(⚡): Glitching Google's TV Streamer from adb to root
Speaker: Niek Timmers
Abstract:
Google's TV Streamer is a next-generation 4K TV streaming device, built around a System-on-Chip (SoC) made by Mediatek and running Android 14. It incorporates…
Speaker: Niek Timmers
Abstract:
Google's TV Streamer is a next-generation 4K TV streaming device, built around a System-on-Chip (SoC) made by Mediatek and running Android 14. It incorporates…
👍6