Ezrak1e (@ezrak1e)
Security researcher of Ant Security Light-Year Lab
Joined February 2019
197 Following, 1.5K Followers
74 posts
Ezrak1e @ezrak1e:
3) CVE-2025-62221: Incorrect input to `cldflt!CldSyncDisconnectRoot` caused `CldSyncDisconnectRootByObject` not to execute but still return 0. This resulted in `RtlDeleteElementGenericTableAvl` being called. After `CloseHandle` was executed, this resulted in a dangling pointer at +0x60.
Ezrak1e @ezrak1e:
Some LPE analysis of the December patch: CVE-2025-62472, CVE-2025-59517 and CVE-2025-62221. 1) CVE-2025-62472: rasmans!QueueCloseConnections. Write an out-of-bounds conn pointer -> overwrite the user_data linked list -> unlink -> UAF(conn) -> UAF(port) -> LPE
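The step "overwrite the user_data linked list -> unlink -> UAF" in the post above is the generic unsafe-unlink primitive. What follows is an added example, not the author's code and not modelled on rasmans internals: a hypothetical node layout, the unchecked unlink that turns forged next/prev fields into a controlled pointer write, and the safe-unlink check that rejects the forged node while still working on an intact list. All names (node_t, unsafe_unlink, safe_unlink, the demo_* functions) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical doubly-linked list node. The real rasmans/user_data layout
 * is not public here; this only mirrors the generic flink/blink shape. */
typedef struct node {
    struct node *next;
    struct node *prev;
    int          payload;
} node_t;

/* Classic unlink with no integrity check. Both neighbours are assumed
 * non-NULL (sentinel or circular list). If an attacker can corrupt
 * n->next / n->prev, the first assignment becomes a write of n->next to
 * the address n->prev + offsetof(next). */
static void unsafe_unlink(node_t *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

/* Hardened unlink: only proceed if both neighbours still point back at n,
 * which a forged next/prev pair left by an out-of-bounds write will not. */
static int safe_unlink(node_t *n)
{
    if (n->next->prev != n || n->prev->next != n)
        return -1;               /* list corrupted: refuse, report, bug-check */
    n->prev->next = n->next;
    n->next->prev = n->prev;
    return 0;
}

/* Attacker's goal: make victim_ptr point at an object they control.
 * Returns 1 if the unchecked unlink delivered that write. */
int demo_unsafe_unlink(void)
{
    node_t  landing = { NULL, NULL, 0 };   /* attacker-controlled object */
    node_t *victim_ptr = NULL;             /* pointer to hijack */
    node_t  n;

    /* Forged fields: prev is aimed so that prev->next aliases victim_ptr,
     * next carries the value the attacker wants written there. */
    n.prev = (node_t *)((char *)&victim_ptr - offsetof(node_t, next));
    n.next = &landing;
    n.payload = 0;

    unsafe_unlink(&n);                     /* victim_ptr = &landing */
    return victim_ptr == &landing;
}

/* Same forged node against the checked unlink: the write must not happen. */
int demo_safe_unlink_rejects_forgery(void)
{
    node_t  landing = { NULL, NULL, 0 };
    node_t *victim_ptr = NULL;
    node_t  n;

    n.prev = (node_t *)((char *)&victim_ptr - offsetof(node_t, next));
    n.next = &landing;
    n.payload = 0;

    return safe_unlink(&n) == -1 && victim_ptr == NULL;
}

/* The check must still allow removal from an intact list. */
int demo_safe_unlink_legit(void)
{
    node_t a = { NULL, NULL, 1 }, b = { NULL, NULL, 2 }, c = { NULL, NULL, 3 };
    a.next = &b; b.prev = &a; b.next = &c; c.prev = &b;

    if (safe_unlink(&b) != 0)
        return 0;
    return a.next == &c && c.prev == &a;
}

int main(void)
{
    printf("unsafe unlink hijacked pointer: %d\n", demo_unsafe_unlink());
    printf("safe unlink rejected forgery:   %d\n", demo_safe_unlink_rejects_forgery());
    printf("safe unlink on intact list:     %d\n", demo_safe_unlink_legit());
    return 0;
}
```

The example stops at the controlled pointer write; turning that into the UAF(conn) -> UAF(port) chain the post describes depends on rasmans-specific object lifetimes that the post does not detail. The safe-unlink check is the same idea as the LIST_ENTRY validation in FastFail-enabled kernel list routines and glibc's "corrupted double-linked list" check: it costs two loads and defeats this whole class of primitive.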
Ezrak1e @ezrak1e:
2) CVE-2025-59517: VspVsmbCommonRelativeCreate calls IoCreateFileEx with the IO_NO_PARAMETER_CHECKING (INPC) and IO_FORCE_ACCESS_CHECK (IFAC) options, but without the OBJ_FORCE_ACCESS_CHECK (OFAC) option. With the WS2IFSL driver, arbitrary address calls can be achieved -> LPE
Ezrak1e reposted
Danis Jiang @danis_jiang:
Our talk "Dark Corners: How a Failed Patch Left VMware ESXi VM Escapes Open for Two Years" has been accepted at Black Hat USA 2025! Super excited to present this work with @0x140ce and @ezrak1e. See you at #BHUSA! @BlackHatEvents blackhat.com/us-25/briefing…
zh1x1an1221 @zh1x1an1221:
Under the guidance of several web3 friends, I tried to find some web3 bugs. Currently, 3 highs and 2 mediums on code4rena. Recently I spent a day trying @PatrickAlphaC's CodeHawks and found my first one. Although it is low-risk, I am still very happy.
k0shl @KeyZ3r0:
I have had a similar experience in this situation. Tip: DON'T stop considering the possibility of one more vulnerability when you read an official document or vulnerability analysis.🤔
Quoting Ezrak1e @ezrak1e:
A funny story about a vulnerability I found last year. It was fixed in February this year, probably as CVE-2024-21371. The interesting point is that I discovered it and completed the exploit based on a piece of source code disclosed in a high-quality MSRC documentation report🤣
Ezrak1e @ezrak1e:
However, due to the limitations of ZwOpenFile below, I did not complete the full exploit in the Chrome sandbox. If you have SeChangeNotifyPrivilege, you can use \device\namedpipe\ to bypass it. I hope someone can find a way to bypass it.
Ezrak1e @ezrak1e:
The vulnerability is in IopXxxControlFile and can be triggered even in the Chrome sandbox🤣
Ezrak1e @ezrak1e:
A funny story about a vulnerability I found last year. It was fixed in February this year, probably as CVE-2024-21371. The interesting point is that I discovered it and completed the exploit based on a piece of source code disclosed in a high-quality MSRC documentation report🤣
Ezrak1e @ezrak1e:
Because of RtlIsSandboxedToken, this vulnerability can only be triggered by a sandboxed process.
Ezrak1e reposted
0x140ce @0x140ce:
Successfully bypassed the ArrayBuffer isolation in Adobe Reader and completed the full chain with @ezrak1e. I will have the opportunity to share how to perform heap layout under ArrayBuffer isolation and how my vuln can reuse the ArrayBuffer as an arbitrary R/W primitive.
Ezrak1e @ezrak1e:
Used a memory corruption vulnerability to achieve LPE on Windows 11. Another Windows 11 kernel vulnerability was used for the Adobe sandbox escape with @0x140ce to complete the Adobe full-chain exploit. Finally, escaped from a VMware ESXi VM with my teammates @0x140ce and @danis_jiang🫡
Ezrak1e reposted
Danis Jiang @danis_jiang:
Escaped from a VMware ESXi VM with my teammates @0x140ce and @ezrak1e, such an unforgettable moment🎉🎉🎉
Ezrak1e reposted
Nicolas Krassas @Dinosn:
A vulnerability in Windows' File History Service allows local users to gain elevated privileges on the Windows operating system reddit.com/r/ReverseEngin…
Ezrak1e reposted
k0shl @KeyZ3r0:
I published my research on CNG Key Isolation with CVE-2023-28229 and CVE-2023-36906 on my blog. MSRC marked it as "Exploitation Less Likely", but I completed the exploitation in a short time.😅😅 whereisk0shl.top/post/isolate-m…