Linux Kernel Security

The implemented exploit was used to pwn the kernelCTF mitigation-v4-6.6 instance. The exploit bypasses CONFIG_RANDOM_KMALLOC_CACHES and CONFIG_SLAB_VIRTUAL. github.com/google/securit…

A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets Excellent article by Quang Le about exploiting CVE-2025-38617 — a race condition that leads to a use-after-free in the packet sockets implementation. blog.calif.io/p/a-race-withi…

Analysis of the Linux kernel bugfixes @GuanniQu posted a detailed analysis: 1⃣ Kernel bugs hide for 2 years on average. Some hide for 20. pebblebed.com/blog/kernel-bu… 2⃣ Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities. pebblebed.com/blog/kernel-bu…

The researcher glitched the setresuid syscall handler to bypass its checks and obtain the UID of 0. Bypassing SELinux via glitching remains to be investigated.

setresuid(⚡): Glitching Google's TV Streamer from adb to root. Talk by @tieknimmers about glitching the kernel of Android-based Google TV Streamer to escalate privileges via Electromagnetic Fault Injection. Slides: hardwear.io/netherlands-20… Video: youtube.com/watch?v=-w5mpX…

[Cryptodev-linux] Page-level UAF exploitation @nasm_re posted an article about exploiting a page-level UAF in the out-of-tree cryptodev-linux driver. The researcher modified struct file sprayed into a freed page to escalate privileges. nasm.re/posts/cryptode…

Authors found multiple Android vendor drivers affected by the issue. They also wrote an exploit for the IMG DXT GPU driver to escalate privileges on Pixel 10.

Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers Talk by @1ce0ear and @jmartijnb about a new type of logical bugs in kernel driver mmap handlers exploitable via the ptrace functionality. Slides: powerofcommunity.net/2025/slide/x-8… Video: youtube.com/watch?v=yAUJFr…

Seth used the bug to escalate privileges from the mediacodec SELinux context and obtain root on Pixel 9. This exploit is a part of an RCE chain developed by Seth and @natashenka. projectzero.google/2026/01/pixel-…

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave Article by @__sethJenkins about exploiting a use-after-free in the driver for BigWave — an AV1 decoding hardware component present on Pixel SOCs. projectzero.google/2026/01/pixel-…

Part 3️⃣ shows a complex PoC exploit for the UAF caused by this race condition. faith2dxy.xyz/2026-01-03/cve…

Part 2️⃣ explains how to extend the race window (a period of time when the race can be triggered). faith2dxy.xyz/2025-12-24/cve…

Article series about exploiting CVE-2025-38352 @farazsth98 posted three articles about exploiting a race condition in the implementation of POSIX CPU timers. Part 1️⃣ describes reproducing this race condition faith2dxy.xyz/2025-12-22/cve… [1/3]

Dangling pointers, fragile memory — from an undisclosed vulnerability to Pixel 9 Pro privilege escalation Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver. dawnslab.jd.com/Pixel_9_Pro_Eo…

The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.

mediatek? more like media-rekt, amirite. Article by @hyprdude covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers. blog.coffinsec.com/0days/2025/12/…

CVE-2025-68260: rust_binder: fix race condition on death_list First CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an unsafe code block. @gregkh/T/#u" target="_blank" rel="nofollow noopener">lore.kernel.org/linux-cve-anno…

Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit @MatheuzSecurity published an article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself. blog.kyntra.io/Singularity-A-…

Extending Kernel Race Windows Using '/dev/shm' Article by @farazsth98 about extending race condition windows via FALLOC_FL_PUNCH_HOLE. The technique allows delaying user memory accesses from the kernel mode, similar to userfaultfd and FUSE. faith2dxy.xyz/2025-11-28/ext…

The exploit was also covered in a previously posted article. syst3mfailure.io/rbtree-family-…

An RbTree Family Drama Talk by William Liu and Savino Dicanosa @cor_ctf about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler. Slides: storage.googleapis.com/static.cor.tea… Video: youtube.com/watch?v=C-52Gw…