nicolas vamous

Slides from Samuel Groß talk(@5aelo) about v8sbx hw-support powerofcommunity.net/2025/slide/s-9… developer.arm.com/community/arm-…

We released our Fuzzilli-based V8 Sandbox fuzzer: github.com/googleprojectz… It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!

We are back😎 Say hello to our kernelCTF submission for CVE-2025-37752🩸 Who would have thought you could pwn a kernel with just a 0x0000 written 262636 bytes out of bounds? Read the full writeup at: syst3mfailure.io/two-bytes-of-m… 👀

@javierprtd This technique has been disclosed before.

I need to confirm, but I think there’s another strategy to exploit a file UAF. You have to do what’s shown here gum3t.xyz/posts/a-gau-ha… but instead of spraying /etc/passwd, spray page tables (the file content, I think only comes from the buddy allocator), without cross-cache!

@VAR10CK @LiangWenfeng_ like how？

@LiangWenfeng_ This should be a fake account

github.com/hardenedlinux/… #noexec #bypass

I've written a post on SELinux and some public bypasses for Android kernel exploitation. It's especially relevant for Samsung and Huawei devices due to their use of hypervisors. Check it out here: klecko.github.io/posts/selinux-…

More details about CVE-2024-44068 - it’s part of an EoP chain in the wild: googleprojectzero.github.io/0days-in-the-w…

@1ce0ear Bring me fly.

S10 bug CVE-2024-44068

@mboehme_ This video is an excellent broader overview. Despite being relative obscure I find it presents some good intuitive models: youtube.com/watch?v=mQEpPN… I'm following other work related to automated proof generation such as AlphaGeometry. I can see parallels with symbolic execution.

Qualcomm KGSL: reclaimed / in-reclaim objects can still be mapped into VBOs bugs.chromium.org/p/project-zero…

Linux: LSM can prevent POSIX lock removal in fcntl/close race cleanup path bugs.chromium.org/p/project-zero…

I just released the blog explaining how I leveraged CVE-2022-22265 in the Samsung npu driver. Double free to achieve UAF over signalfd + cross cache + Dirty Page Table + code inject into libbase.so for execution by init. Hope you can enjoy it soez.github.io/posts/CVE-2022…

Linux: landlock can be disabled thanks to missing cred_transfer hook; and Smack looks dodgy too bugs.chromium.org/p/project-zero…

OBS heap overflow vulnerability in parsing GIF image: github.com/google/securit…

Philipp and Valentin wondered how good "safe" allocators actually are and dissected Android's scudo. We found that the zygote fork model results in unexpected bypasses for several mitigations, including the breaking the guarantees of the safe allocator. Join us tomorrow at 10:45!

Cool over-the-air exploit against Sonos. Looks like they exploited the same Wi-Fi overflow I found a few years ago :) Surprising that MediaTek isn't shipping the updated driver AFIAK, exploiting it requires knowing the WPA2 passphrase. Shameless plug: papers.mathyvanhoef.com/woot2018.pdf

Linux: DRM: refcount incremented too late in drm_file_update_pid() bugs.chromium.org/p/project-zero…

SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel A paper by Lukas Maar, @notbobbytables, et al. about exploiting slab memory corruptions via a cross-allocator attack targeting user page tables. stefangast.eu/papers/slubsti…

Looking for universal, backward-compatible kernel read and write primitives for both ARM and Intel-based macOS systems? No problem! Check it out at: github.com/wangtielei/POC…. The PoC uses only existing kernel mechanisms and does not require complex memory manipulation techniques.