Posts by Linux Kernel Security
Walkthrough of an N-day Android GPU driver vulnerability
Talk by Angus about analyzing CVE-2022-22706 — a logical bug in the Mali GPU driver that allows getting write access to read-only memory.
www.youtube.com/watch?v=G71d...
From KernelSnitch to Practical msg_msg/pipe_buffer Heap KASLR Leaks
Article by Lukas Maar about evaluating the KernelSnitch timing side-channel attack on a variety of systems, including Android.
lukasmaar.github.io/posts/heap-k...
The attack allows leaking addresses of exploitation-relevant kernel allocations.
Lukas also published the source code for executing the attack.
github.com/lukasmaar/ke...
Assessing Claude Mythos Preview’s cybersecurity capabilities
Article by Nicholas Carlini et al. about the security research capabilities of Anthropic's new LLM, Claude Mythos Preview.
red.anthropic.com/2026/mythos-...
The LLM was used to discover multiple 0-days in the Linux kernel and also to write privilege escalation exploits for a few previously known vulnerabilities; the article provides a detailed write-up for two such exploits.
slab: support for compiler-assisted type-based slab cache partitioning
Marco Elver posted a kernel patch that provides an alternative mode to RANDOM_KMALLOC_CACHES called TYPED_KMALLOC_CACHES.
lore.kernel.org/all/20260331...
The new mode leverages a Clang 22 feature called "allocation tokens". Unlike RANDOM_KMALLOC_CACHES, this mode deterministically assigns caches to allocations based on their types rather than their allocation sites.
CrackArmor: Multiple vulnerabilities in AppArmor
Article about a variety of vulnerabilities found in the AppArmor LSM implementation, including a few kernel memory corruptions. The authors exploited them to achieve LPE on Ubuntu and Debian.
cdn2.qualys.com/advisory/202...
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets
Excellent article by Quang Le about exploiting CVE-2025-38617 — a race condition that leads to a use-after-free in the packet sockets implementation.
blog.calif.io/p/a-race-wit...
The implemented exploit was used to pwn the kernelCTF mitigation-v4-6.6 instance. The exploit bypasses CONFIG_RANDOM_KMALLOC_CACHES and CONFIG_SLAB_VIRTUAL.
github.com/google/secur...
Analysis of Linux kernel bug fixes
Jenny Guanni Qu posted a detailed analysis:
— Kernel bugs hide for 2 years on average. Some hide for 20.
pebblebed.com/blog/kernel-...
— Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities
pebblebed.com/blog/kernel-...
setresuid(⚡): Glitching Google's TV Streamer from adb to root.
Talk by Niek Timmers about glitching the kernel of the Android-based Google TV Streamer device to escalate privileges via Electromagnetic Fault Injection.
Video: www.youtube.com/watch?v=-w5m...
Slides: hardwear.io/netherlands-...
The researcher glitched the setresuid syscall handler to bypass its checks and obtain UID 0. Bypassing SELinux via glitching remains to be investigated.
[Cryptodev-linux] Page-level UAF exploitation
nasm_re posted an article about exploiting a page-level UAF in the out-of-tree cryptodev-linux driver. The researcher modified a struct file sprayed into the freed page to escalate privileges.
nasm.re/posts/crypto...
Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
Talk by Xingyu Jin & Martijn Bogaard about a new class of logical bug in kernel driver mmap handlers, exploitable via the ptrace functionality.
Video: www.youtube.com/watch?v=yAUJ...
Slides: powerofcommunity.net/2025/slide/x...
The authors found multiple Android vendor drivers affected by the issue. They also wrote an exploit for the IMG DXT GPU driver to escalate privileges on Pixel 10.
A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave
Article by Seth Jenkins about exploiting a use-after-free in the driver for BigWave — an AV1 decoding hardware component present on Pixel SoCs.
projectzero.google/2026/01/pixe...
Seth used the bug to escalate privileges from the mediacodec SELinux context and obtain root on Pixel 9.
This exploit is part of an RCE chain developed by Seth and @natashenka.bsky.social.
projectzero.google/2026/01/pixe...
Article series about exploiting CVE-2025-38352
Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers.
Part 1️⃣ describes reproducing this race condition:
faith2dxy.xyz/2025-12-22/c...
Part 2️⃣ explains how to extend the race window (the period of time during which the race can be triggered):
faith2dxy.xyz/2025-12-24/c...
Part 3️⃣ shows a complex PoC exploit for the UAF caused by this race condition:
faith2dxy.xyz/2026-01-03/c...
Dangling pointers, fragile memory — from an undisclosed vulnerability to Pixel 9 Pro privilege escalation
Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.
dawnslab.jd.com/Pixel_9_Pro_...
mediatek? more like media-rekt, amirite.
Article by hypr covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers.
blog.coffinsec.com/0days/2025/1...
The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.
CVE-2025-68260: rust_binder: fix race condition on death_list
The first CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an unsafe code block.
lore.kernel.org/linux-cve-an...
MatheuZSec published a detailed article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.
Article: blog.kyntra.io/Singularity-...
Code: github.com/MatheuZSecur...
Extending Kernel Race Windows Using '/dev/shm'
Article by Faith about extending race condition windows via FALLOC_FL_PUNCH_HOLE. The technique allows delaying user memory accesses from kernel mode, similar to userfaultfd and FUSE.
faith2dxy.xyz/2025-11-28/e...
An RbTree Family Drama
Talk by William Liu and Savino Dicanosa @cor_ctf about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler.
Video: www.youtube.com/watch?v=C-52...
Slides: storage.googleapis.com/static.cor.t...
Déjà Vu in Linux io_uring
Talk by Pumpkin about exploiting CVE-2025-21836 — a race condition that leads to a use-after-free in the io_uring subsystem.
Video: www.youtube.com/watch?v=Ry4e...
Slides: u1f383.github.io/slides/talks...