LJP

That's my chain — a full chain w/ logic bugs only! No memory corruption, no AI, and of course no collisions at all 😉

DEVCORE is having a day! Confirmed: Angelboy (@scwuaptx) & TwinkleStar03 (@_twinklestar03) of DEVCORE Research Team used an Improper Access Control bug to escalate privileges on Microsoft Windows 11, earning $30,000 and 3 Master of Pwn points. Full win, let's go! 🔥 #Pwn2Own #P2OBerlin

In a video highlight from Day 1 of #Pwn2Own Berlin, @orange_8361 of DEVCORE Research Team (@d3vc0r3) takes on Microsoft Edge with a sandbox escape! He earns $175,000 and 17.5 Master of Pwn points. youtube.com/shorts/8ngMzEV…

Nice work! Angelboy & TwinkleStar03 (@scwuaptx & @_twinklestar03) of DEVCORE Research Team + DEVCORE Internship Program was able to exploit Microsoft Windows 11! If confirmed, they win $30,000 and 3 Master of Pwn points. They're off to the disclosure room to explain how they did it. #Pwn2Own #P2OBerlin

Confirmed! Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge, earning $175,000 and 17.5 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin

Amaze! Amaze! Amaze! Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) was able to exploit Edge with a sandbox escape! If confirmed, we wins $175K. He's off to the disclosure room to explain how he did it. #Pwn2Own #P2OBerlin

Honestly, with a little LLM help, I found variants, built a working PoC, and sent a polished patch to maintainer on the same day CopyFail dropped. So I’m curious why Xint didn’t find those variants before disclosure, assuming AI tools are used heavily in their workflow👀 Disclaimer: I’m an independent reporter and the patch author of the xfrm-ESP vulnerability, unrelated to the Dirty Frag post.

My HEXACON talk video is out! It covers a small race condition in the Linux kernel’s io_uring. I recommend watching it at 1.25× speed since I’m still not great at speaking 😅 youtube.com/watch?v=Ry4eOg… Here is the slide! u1f383.github.io/slides/talks/2…

This new 0day found by Google Big Sleep if not via fuzzing harness but purely by reasoning would be super cool! Coincidence with the Gemini 3 seems pretty strong released today. chromereleases.googleblog.com/2025/11/stable… Remind us the Man Yue Mo inline cache blog and the history of this surface: github.blog/security/vulne…

Angelboy (@scwuaptx) takes the CODE BLUE 2025 stage with his latest findings in Kernel Streaming vulnerabilities -- this time diving deep into the MDL cache mechanism and unveiling even more vulnerabilities. codeblue.jp/en/program/tim… #codeblue_jp #MSRC #VulnerabilityResearch

(CVE-2025-8880)[$70000][433533359][wasm]Consumers of ReadableStream subject to data race with SharedArrayBuffer-> RCE + V8sbx bypass is now open with exploit(exploited in v8ctf as 0-day) issues.chromium.org/issues/4335333… #comment3" target="_blank" rel="nofollow noopener">issues.chromium.org/issues/4335333… Reported by Seunghyun Lee (@0x10n)

(CVE-2025-5063)[$50000][411573532][vt/cc]Heap-UAF in cc::LayerTreeHost::NotifyTransitionRequestsFinished is now open with writeup, PoC & exploit issues.chromium.org/issues/4115735… PoC: #comment12" target="_blank" rel="nofollow noopener">issues.chromium.org/issues/4115735… Writeup & exploit: #comment14" target="_blank" rel="nofollow noopener">issues.chromium.org/issues/4115735… Reported by "[f4@dnpushme]"

HITCON 2025 - Kernel 不死！Windows 與 Linux 核心漏洞的進擊💥 從 Windows 的 Kernel Streaming 到 Linux 的 net/sched 模組，現代作業系統儘管層層防護、緩解機制日新月異，但這些防線背後依然潛藏著漏洞溫床。在本次議程雙響炮中，我們將帶你直擊兩場由頂尖研究者針對核心漏洞的探索旅程——踏上學習進階漏洞利用與繞過緩解措施的技巧，全面揭示 OS 核心防線下仍持續滲漏的真實現況。 🎥 Frame by Frame, Kernel Streaming Keeps Giving Vulnerabilities - angelboy Kernel Streaming 去年成為 Windows 核心中備受關注的攻擊面，講者將揭露超過 10 個「由網路攝影機影像輸入觸發」的全新漏洞類型，精心構造的 frame 可觸發任意實體記憶體寫入，有效繞過現代核心防禦機制。本議程不只拆解設計缺陷，也示範如何從看似無法利用的 bug 建立穩定提權 exploit，教你辨識更多本地提權機會並強化防禦思維。想知道影像如何攻破核心？這場絕對不容錯過！ 🐧 正確入侵 Linux 的方式：Zero Day、嶄新技巧與失敗的教訓 - Pumpkin Linux kernel 漏洞利用難度向來高，但這位講者在 kernelCTF 的實戰環境中，針對 net/sched 子系統漏洞運用兩項新穎技巧，成功在最新 LTS 版本實現提權至 root： 🔹 劫持次級物件，簡化 Use-After-Free (UAF) 漏洞利用 🔹 控制 kernel 變數，即使僅有 kernel base 洩漏，也能構造偽造物件或 ROP 鏈 除了技術細節，講者也會分享研究歷程與心得，談談 Linux kernel 研究心態、漏洞開發方法，以及從中衍生的嶄新技巧。 不論你是 Windows、Linux 陣營，這兩場演講都將帶你見識核心漏洞研究的尖端進展，學習如何發掘潛藏在現代作業系統中的設計破口，並掌握突破緩解機制的進階思維。 🔗購票連結：hitcon.kktix.cc/events/hitcon-… 🎙️完整議程表：hitcon.org/2025/zh-TW/age… #HITCON #HITCON2025 #漏洞研究 #提權攻擊 #資安議程

[434179415][hole] Remove hole raw number value chromium-review.googlesource.com/c/v8/v8/+/6786…

POV: You finally find one crash that you can actually exploit!

ITW 0-day Google Chrome Sandbox Escape crbug.com/405143032

(CVE-2025-6424)[1966423]UAF in FontFaceSet::Load(exploitable crash) #CVE-2025-6424" target="_blank" rel="nofollow noopener">mozilla.org/en-US/security… hg-edge.mozilla.org/mozilla-centra… Reported by @ljp_tw & @h3xr4bb1t Great job!

Nice! Pumpkin (@u1f383) from DEVCORE Research Team was able to demonstrate their privilege escalation on Red Hat Enterprise Linux. He's off to the disclosure to provide the details.

Uploaded my slides from POC2024. I'll soon be giving a slightly shorter version of the same talk on CODE BLUE 2024 too. github.com/leesh3288/talk…

[41480462, 378421873][liftoff][memory64] Fix IndexStaticallyInBounds for negative index chromium.googlesource.com/v8/v8/+/553df4… Regress test: ./d8 --turboshaft-wasm --allow-natives-syntax --experimental-wasm-memory64 memory-huge-constant-index.js chromium.googlesource.com/v8/v8/+/553df4…