fa
Feedback
Linux Kernel Security

Linux Kernel Security

رفتن به کانال در Telegram

Links related to Linux kernel security and exploitation | Chat @linkersec_chat | @xairy @a13xp0p0v

نمایش بیشتر
4 569
مشترکین
+624 ساعت
+627 روز
+16430 روز
آرشیو پست ها
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets Excellent article by Quang Le about exploiting CVE-20
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets Excellent article by Quang Le about exploiting CVE-2025-38617 — a race condition that leads to a use-after-free in the packet sockets implementation. The implemented exploit was used to pwn the kernelCTF mitigation-v4-6.6 instance. The exploit bypasses CONFIG_RANDOM_KMALLOC_CACHES and CONFIG_SLAB_VIRTUAL.

Analysis of the Linux kernel bugfixes Jenny Guanni Qu posted a detailed analysis on the bugs in the Linux kernel: ▪️ Part 1:
Analysis of the Linux kernel bugfixes Jenny Guanni Qu posted a detailed analysis on the bugs in the Linux kernel: ▪️ Part 1: Kernel bugs hide for 2 years on average. Some hide for 20. ▪️ Part 2: Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities

setresuid(⚡): Glitching Google's TV Streamer from adb to root. Talk (slides) by Niek Timmers about glitching the kernel of the Android-based Google TV Streamer device to escalate privileges via Electromagnetic Fault Injection. The researcher glitched the setresuid syscall handler to bypass its checks and obtain the UID of 0. Bypassing SELinux via glitching remains to be investigated.

[Cryptodev-linux] Page-level UAF exploitation nasm_re posted an article about exploiting a page-level UAF in the out-of-tree cryptodev-linux driver. The researcher modified struct file sprayed into a freed page to escalate privileges.

Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers Talk (slides) by Xingyu Jin and Martijn Bogaard about a new type of logical bugs in kernel driver mmap handlers exploitable via the ptrace functionality. Authors found multiple Android vendor drivers affected by the issue. They also wrote an exploit for the IMG DXT GPU driver to escalate privileges on Pixel 10.

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave Article by Seth Jenkins about exploiting
A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave Article by Seth Jenkins about exploiting a use-after-free in the driver for BigWave — an AV1 decoding hardware component present on Pixel SOCs. Seth used the bug to escalate privileges from the mediacodec SELinux context and obtain root on Pixel 9. This exploit is a part of an RCE chain developed by Seth and Natalie Silvanovich.

Article series about exploiting CVE-2025-38352 Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers. Part 1️⃣ describes reproducing this race condition. Part 2️⃣ explains how to extend the race window (a period of time when the race can be triggered). Part 3️⃣ shows a complex PoC exploit for the UAF caused by this race condition.

Dangling pointers, fragile memory — from an undisclosed vulnerability to Pixel 9 Pro privilege escalation Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.

mediatek? more like media-rekt, amirite. Article by hypr covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers. The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.

CVE-2025-68260: rust_binder: fix race condition on death_list First CVE was registered for the new Binder kernel driver writt
CVE-2025-68260: rust_binder: fix race condition on death_list First CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an unsafe code block.

Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit MatheuZSec published a detailed article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.

Extending Kernel Race Windows Using '/dev/shm' Article by Faith about extending race condition windows via FALLOC_FL_PUNCH_HO
Extending Kernel Race Windows Using '/dev/shm' Article by Faith about extending race condition windows via FALLOC_FL_PUNCH_HOLE. The technique allows delaying user memory accesses from the kernel mode, similar to userfaultfd and FUSE.

An RbTree Family Drama Talk (slides) by William Liu and Savino Dicanosa about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler. The exploit was also covered in a previously posted article.

Déjà Vu in Linux io_uring Talk (slides) by Pumpkin about exploiting CVE-2025-21836 — a race condition that leads to a use-after-free in the io_uring subsystem.

CUDA de Grâce Talk (slides) by Valentina Palmiotti and Samuel Lovejoy about exploiting a race condition that leads to a double-free in the NVIDIA GPU driver to escape a container created with NVIDIA Container Toolkit.

Race Condition Symphony: From Tiny Idea to Pwnie Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50
Race Condition Symphony: From Tiny Idea to Pwnie Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264 — a race condition in the vsock subsystem. Previously, Alexander Popov described another way to exploit this vulnerability.

LinkPro: eBPF rootkit analysis Théo Letailleur published an article with a detailed description of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".

Slice: SAST + LLM Interprocedural Context Extractor Amazing article by Caleb Gross about combining the use of CodeQL and LLMs
Slice: SAST + LLM Interprocedural Context Extractor Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899 — a remotely-triggerable vulnerability in the ksmbd module.

Enhancing FineIBT LWN article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to im
Enhancing FineIBT LWN article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking). The article also refers to another post "A hole in FineIBT protection" about a method to bypass this CFI mechanism.

Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE Talk (slides) by Pan Zhenpeng and Jheng Bing Jhong about
Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE Talk (slides) by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.