Mmm
@hackyzh
577 posts
Singapore · Joined February 2018
584 Following · 3K Followers

Mmm @hackyzh
Interesting bugs, from Chrome to kernel crash on some device without MTE.

Mmm @hackyzh
@2st___ chrome?

Qinrun Dai @2st___
Another RCE is born. Finding a useful infoleak is 10x harder than the OOB write. Hoping to catch this year's BlackHat :)

dawgyg - WoH @thedawgyg
@hackyzh They also missed my bisect bonus and report quality bonus. I think it's because I accidentally made several of the comments protected (it did so automatically and I didn't know I could change it at first). So I'm going to ask them to look at it again.

dawgyg - WoH @thedawgyg
That was a bit disappointing... Just got $7000 for my Chrome heap overflow read. And $11,000 for the heap overflow write.... no bonus for report quality... ignored the bisect that was included... $11k for RCE in the renderer seems a bit low... so time for a new target...

Mmm @hackyzh
@thedawgyg You can argue with them. Sometimes they could make mistakes.

dawgyg - WoH @thedawgyg
@hackyzh Yes, I can. I provided a PoC with proven RIP control, PC control. It was a full write: any value I want, any location, any size.

Mmm @hackyzh
@ret2happy Why blur it out? 250k 😆

Mmm retweeted
Security Bug Aggregator @BugsAggregator
[446722008][reward: $100000] heap-use-after-free in content::indexed_db::Database::connections_ when force_closing_ is true crbug.com/446722008

Fat @fattselimi
@hackyzh Here are 15 reputation points, thank you for the commitment.

Mmm @hackyzh
MSRC is really ridiculous. I don't know if they're refusing bounties or what. I accidentally discovered and submitted OOB Write and UAF vulnerabilities, and they either said the vulnerabilities were low-risk or that they couldn't reproduce them in the latest version.

Fat @fattselimi
@hackyzh They are really awful regarding bounties. I found a bug on the microsoft.com main site and they refused to pay me a bounty.

Mmm @hackyzh
Comparatively, I prefer Google. In the past, when I submitted vulnerabilities to Google, at least they would keep in touch with me. After Microsoft shut down its services, they rarely responded anymore.

Mmm @hackyzh
So, it's best not to submit vulnerabilities to MSRC, since they don't seem to care much about vulnerabilities and are even less concerned about the security of their own products.🤡

Mmm @hackyzh
@farazsth98 The highest in Chrome is 250K.

Mmm @hackyzh
@farazsth98 Theoretically, it should be reproducible.

Faith 🇧🇩🇦🇺 @farazsth98
@hackyzh Hmm ok I took a quick look at the code, there are some changes, but nothing that should affect the PoC, so I think I can definitely get it working in QEMU on that same kernel version. But yeah I don't have a real device to test against so I'll finish the exploit in QEMU later 🥲

Faith 🇧🇩🇦🇺 @farazsth98
In my previous post about CVE-2025-38352, I used a kernel patch to extend the race window to help trigger the vulnerability. I've since improved it to work without the kernel patch. @hackyzh 👀 I also wrote a "Part 2" of the blog post. It's linked at the end of this thread!
Quoting Faith 🇧🇩🇦🇺 @farazsth98:
After reading @streypaws's blog post on CVE-2025-38352, I ended up writing my own PoC for it. I also wrote a blog post on my approach to analyzing and recreating the PoC. Hopefully it is useful to others! See link in the reply tweet below!

Mmm @hackyzh
@farazsth98 Linux localhost 5.10.157-android13-4-00001-g5c7ff5dc7aac-ab10381520

Mmm @hackyzh
@farazsth98 Not sure. I will continue the investigation.

Faith 🇧🇩🇦🇺 @farazsth98
@hackyzh Oh, hmm.. I don't have any devices to test with 🥲 Do you have any idea what the issue could be? I wonder if the race window is not long enough because it can't create enough threads or if it's something else