V4bel

1

1.8K

5unkn0wn@5unKn0wn·24 Oca

This is my first Linux kernel exploit for Google kCTF, and the patch commit is now public: git.kernel.org/pub/scm/linux/… Actually, this bug was found by AI while analyzing 1-day variants, I'd like to share my approach for these AI things to find bug, and exploitation write-up later.

English

6

59

535

27.8K

V4bel@v4bel·16 Eki

At this POC, we will present our work on CVE-2024-50264. This vsock vulnerability is the most impressive bug I’ve found :)

POC_Crew@POC_Crew

[POC2025] SPEAKER UPDATE 👥 Hyunwoo Kim(@v4bel) & Wongi Lee(@_qwerty_po) - "Race Condition Symphony: From Tiny Idea to Pwnie" #POC2025

English

24

5.3K

V4bel retweetledi

Linux Kernel Security@linkersec·30 Eyl

The anatomy of a bug: 6 Months at STAR Labs @gerrard_tai posted an article describing their experience in finding kernel bugs and participating in the KernelCTF and Pwn2Own competitions gerrardtai.com/anatomy-of-a-b…

English

24

128

10.7K

V4bel retweetledi

Project Zero Bugs@ProjectZeroBugs·8 Ağu

From Chrome renderer code exec to kernel with MSG_OOB googleprojectzero.blogspot.com/2025/08/from-c…

English

14

78

9.3K

V4bel@v4bel·9 Ağu

@h0mbre_ 😁😁

QME

1

804

h0mbre@h0mbre_·9 Ağu

@v4bel @_qwerty_po @PwnieAwards congrats!!

English

0

2

1.1K

V4bel@v4bel·9 Ağu

Our CVE-2024-50264 with @_qwerty_po has won the Best Privilege Escalation category at the 2025 Pwnie Awards. Thank you, @PwnieAwards!!

English

8

12

132

15K

V4bel@v4bel·1 Ağu

I have now left @theori_io. After a brief break, I plan to resume my research 🤟

English

We are very happy to announce the nominees for the 2025 Pwnie Awards! As a reminder, we will be presenting the winners at DEF CON this year. Saturday the 9th, 10:00AM Main Stage. Hope to see you there! docs.google.com/document/d/1fy…

36

4.1K

V4bel@v4bel·24 Tem

Our CVE‑2024‑50264 has been nominated for the Best PE at the Pwnie Awards 🫢

Pwnie Awards@PwnieAwards

English

5

55

12.5K

V4bel@v4bel·30 Haz

@th31nitiate oh I phrased that confusingly. It’s not “a vuln discovered at Pwn2Own,” but “a vuln I found for Pwn2Own.”

English

1

542

Dr.Moon@th31nitiate·30 Haz

@v4bel Why is it pwn2own that this discovery was made what makes it diffirent anyother time or place ?

English

0

7

557

V4bel@v4bel·30 Haz

CVE-2025-38087: Linux Kernel Traffic Control TAPRIO Use-After-Free This is a 64byte UAF write vuln I discovered for Pwn2Own. However, I couldn’t reliably exploit it due to the extremely narrow race window, so I had no choice but to patch it 😥 git.kernel.org/pub/scm/linux/…

English

18

107

8.9K

V4bel@v4bel·2 Haz

@_qwerty_po and I exploited a VSock 1-day in Google kernelCTF back in *February*, securing $71,337 🥳 (CVE-2025-21756, exp237/exp249) And I’ve just published the write-up: github.com/google/securit… A kernel developer reviewing a patch for a separate VSock bug I submitted accidentally discovered this vulnerability, and we were the first to exploit it. PoC 💻: root on Ubuntu 24.04

English

49

206

15K

V4bel@v4bel·11 Haz

@u1f383 Those two contexts are protected by ->current_entry_lock.

English

0

6

507

Pumpkin 🎃@u1f383·11 Haz

@ky1ebot May I kindly ask: if `rcu_replace_pointer()` is called during the time window when `switch_schedules()` switches from admin to oper and then resets admin to NULL, can the UAF still be triggered?

English

0

4

700

kylebot@ky1ebot·11 Haz

This is interesting. I exploited and reported this kernel bug at pwn2own in March last year and it got patched after more than half a year in Oct. And to this day, there is no mention that it is exploitable. Btw, the patch only reduces race window. github.com/torvalds/linux…

English

13

102

8.6K

V4bel@v4bel·16 May

@darkfloyd1014 Thank you! 🥂

English

0

2

227

Mr. Anthony 安東尼@darkfloyd1014·16 May

@_qwerty_po and @v4bel congratulations 🥂

Sweet! Hyunwoo Kim (@V4bel) and Wongi Lee (@_qwerty_po) of Theori were able to escalate to root on Red Hat Enterprise Linux. They head off to the disclosure room to cover the details of their exploit.

English

0

4

958

V4bel retweetledi

TrendAI Zero Day Initiative@thezdi·15 May

We have another collision. Hyunwoo Kim (@V4bel) and Wongi Lee (@_qwerty_po) of Theori were able to escalate to root on Red Hat Linux with an info leak and a UAF, but one of the bugs used was an N-day. They still win $15,000 and 1.5 Master of Pwn points. #Pwn2Own

English

14

74

13.6K

V4bel@v4bel·15 May

@pr0Ln Thank you! 😊

English

134

Gwangun Jung@pr0Ln·15 May

Congratulations, my coworkers!

We have another collision. Hyunwoo Kim (@V4bel) and Wongi Lee (@_qwerty_po) of Theori were able to escalate to root on Red Hat Linux with an info leak and a UAF, but one of the bugs used was an N-day. They still win $15,000 and 1.5 Master of Pwn points. #Pwn2Own

Gwangjin-gu, Republic of Korea 🇰🇷 English

0

13

1.1K

V4bel@v4bel·15 May

@u1f383 😱

QME

1

201

Pumpkin 🎃@u1f383·15 May

Billy again…

After a dramatic pause in getting things setup Billy(@st424204) and Ramdhan(@n0psledbyte) of STAR Labs preformed a Docker Desktop escape to pop calc - and they are also now off to the disclosure room - good luck! #Pwn2Own #P2OBerlin

English

24

2.5K

V4bel retweetledi

TrendAI Zero Day Initiative@thezdi·15 May

Sweet! Hyunwoo Kim (@V4bel) and Wongi Lee (@_qwerty_po) of Theori were able to escalate to root on Red Hat Enterprise Linux. They head off to the disclosure room to cover the details of their exploit.

English

15

114

11.8K

V4bel@v4bel·15 May

@h0mbre_ Thank you!! 😆

English

4

221

h0mbre@h0mbre_·15 May

congrats @v4bel @_qwerty_po!

We have another collision. Hyunwoo Kim (@V4bel) and Wongi Lee (@_qwerty_po) of Theori were able to escalate to root on Red Hat Linux with an info leak and a UAF, but one of the bugs used was an N-day. They still win $15,000 and 1.5 Master of Pwn points. #Pwn2Own

English