
Andrey Konovalov

@andreyknvl.bsky.social

Security engineer at http://xairy.io. Focusing on the Linux kernel. Maintaining @linkersec.bsky.social. Trainings at http://xairy.io/trainings.

148 Followers  |  88 Following  |  38 Posts  |  Joined: 24.11.2024  |  1.8744

Latest posts by andreyknvl.bsky.social on Bluesky

This is still not fixed btw.

08.11.2025 11:48 — 👍 0    🔁 0    💬 0    📌 0

kernelCTF: CVE-2025-38477

kernelCTF entry for a race condition in the network scheduler subsystem.

Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux.

github.com/n132/securit...

07.11.2025 20:11 — 👍 2    🔁 1    💬 0    📌 0

Defeating KASLR by Doing Nothing at All

Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.

googleprojectzero.blogspot.com/2025/11/defe...

06.11.2025 16:13 — 👍 1    🔁 1    💬 0    📌 0

September/October updates · xairy/linux-kernel-exploitation@b26cc4a

Updates for the Linux kernel exploitation collection 😋

github.com/xairy/linux-...

06.11.2025 19:58 — 👍 2    🔁 1    💬 0    📌 0

Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers

Article by Robin Bastide about exploiting a NULL-pointer-dereference that led to a UAF access to the kernel stack in the NVIDIA GPU driver.

blog.quarkslab.com/nvidia_gpu_k...

25.10.2025 00:44 — 👍 1    🔁 1    💬 1    📌 0

Merge commit: git.kernel.org/pub/scm/linu...
RFC to replace per-CPU partials: lore.kernel.org/linux-mm/202...
LWN article: lwn.net/Articles/101...

24.10.2025 14:04 — 👍 0    🔁 0    💬 0    📌 0

Sheaves support has been merged into SLUB.

Opt-in for now, but planned to replace the per-CPU partial slab layer for all caches in the future.

Gonna have to revise the slab shaping strategies once this happens.

24.10.2025 14:04 — 👍 0    🔁 0    💬 1    📌 0

raw-gadget/workshop at master · xairy/raw-gadget USB Raw Gadget — a low-level interface for the Linux USB Gadget subsystem - xairy/raw-gadget

Delivered a workshop at BalcCon this weekend on emulating/sniffing/MitM'ing USB devices with Raw Gadget and a Raspberry Pi.

All materials are public, so you can go through the workshop on your own if you're interested.

github.com/xairy/raw-ga...

23.09.2025 14:54 — 👍 1    🔁 0    💬 0    📌 0

docs: update USB documentation · google/syzkaller@e2beed9

Updated syzkaller documentation on USB fuzzing to explain how to handle certain tricky cases (e.g. driver quirks applied based on Vendor/Product IDs).

github.com/google/syzka...

23.09.2025 13:56 — 👍 2    🔁 1    💬 0    📌 0

I also suspect that the CVE-2025-38494/5 fix is what actually fixes CVE-2024-50302.

Assuming the used chain was portable enough to also cover devices with CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, replacing kmalloc with kzalloc possibly did nothing.

bsky.app/profile/andr...

11.09.2025 15:38 — 👍 0    🔁 0    💬 0    📌 0

"Wrote" is a strong word for this, I just cleaned up the reproducer from this syzbot report:

syzkaller.appspot.com/bug?extid=fb...

The report has been public on the dashboard for over 2 months now. And there's plenty of other USB bugs that are still not fixed.

11.09.2025 15:38 — 👍 2    🔁 0    💬 1    📌 0

Wrote a trigger for CVE-2025-38494/5 (an integer underflow in the HID subsystem) that leaks 64 KB of OOB memory over USB.

Still works on Pixels and Ubuntus (but the bug is fixed in stable kernels).

github.com/xairy/kernel...

11.09.2025 15:38 — 👍 24    🔁 4    💬 1    📌 3

readme: new links · xairy/usb-hacking@4661f45

Updated the collection of USB hacking links.

github.com/xairy/usb-ha...

08.09.2025 20:41 — 👍 0    🔁 0    💬 0    📌 0

raw-gadget/workshop at master · xairy/raw-gadget USB Raw Gadget — a low-level interface for the Linux USB Gadget subsystem - xairy/raw-gadget

Whoever is coming to BalCCon: I will be teaching a workshop Attacking USB with Raw Gadget (covering basics of USB emulation and sniffing).

If you wish to attend, you must bring Raspberry Pi 5 along with a few other things, see the workshop description.

github.com/xairy/raw-ga...

07.09.2025 23:27 — 👍 2    🔁 0    💬 0    📌 0

July/August updates · xairy/linux-kernel-exploitation@3dbd2d4

Updates for the Linux kernel exploitation collection 😋

github.com/xairy/linux-...

04.09.2025 16:46 — 👍 1    🔁 0    💬 0    📌 0
Linux Kernel netfilter: ipset: Missing Range Check LPE - SSD Secure Disclosure Affected Versions Vendor Response Linux kernel release the patch (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=35f56c554eb1b56b77b3cf197a6b00922d49033d) Background The...

Linux Kernel netfilter: ipset: Missing Range Check LPE

ssd-disclosure.com/linux-kernel...

13.08.2025 01:53 — 👍 2    🔁 1    💬 0    📌 0

Announcing #Pwn2Own Ireland for 2025! We return to the Emerald Isle with our new partner #Meta & a $1,000,000 WhatsApp bounty. Plus new USB vectors on phones & more. Read the details https://www.zerodayinitiative.com/blog/2025/7/30/pwn2own-returns-to-ireland-with-a-one-million-dollar-whatsapp-target

31.07.2025 19:10 — 👍 5    🔁 4    💬 1    📌 0

📲 Debugging the Pixel 8 kernel via KGDB Instructions for getting kernel log, building custom kernel, and enabling KGDB on Pixel 8

Documented instructions for setting up KGDB on Pixel 8.

Including getting kernel log over UART via USB-Cereal, building/flashing custom kernel, breaking into KGDB via /proc/sysrq-trigger or by sending SysRq-G over serial, dealing with watchdogs, etc.

xairy.io/articles/pix...

28.07.2025 20:20 — 👍 4    🔁 3    💬 0    📌 1

Linux Kernel Hardening: Ten Years Deep

Talk by Kees Cook about the relevance of various Linux kernel vulnerability classes and the mitigations that address them.

Video: www.youtube.com/watch?v=c_Nx...
Slides: static.sched.com/hosted_files...

15.07.2025 16:42 — 👍 7    🔁 3    💬 0    📌 0
Bypass Kernel Barriers: Fuzzing Linux Kernel in Userspace With LKL - Xuan Xing & Eugene Rodionov

Bypass Kernel Barriers: Fuzzing Linux Kernel in Userspace With LKL

Xuan Xing & Eugene Rodionov gave a talk about fuzzing the Linux kernel interfaces fully in user space using LKL (Linux Kernel Library).

Video: www.youtube.com/watch?v=Wxmi...
Slides: static.sched.com/hosted_files...

10.07.2025 12:32 — 👍 1    🔁 1    💬 0    📌 0

Exploiting the Linux Kernel on October 26 — November 1 online via Ringzer0.

ringzer0.training/countermeaas...

01.07.2025 22:01 — 👍 2    🔁 0    💬 0    📌 0

Exploiting the Linux Kernel on October 6–9 in Paris at Hexacon @hexacon.bsky.social.

www.hexacon.fr/trainer/kono...

01.07.2025 22:01 — 👍 1    🔁 0    💬 1    📌 0

Exploiting the Linux Kernel on September 1–3 in Berlin at Nullcon.

nullcon.net/berlin-2025/...

01.07.2025 22:01 — 👍 0    🔁 0    💬 1    📌 0

Fuzzing the Linux Kernel on August 4–5 online via Black Hat US.

www.blackhat.com/us-25/traini...

01.07.2025 22:01 — 👍 1    🔁 0    💬 1    📌 0

Schedule for my Fuzzing/Exploiting the Linux Kernel trainings for the rest of the year ⬇️

01.07.2025 22:01 — 👍 1    🔁 0    💬 1    📌 0

May/June updates · xairy/linux-kernel-exploitation@e4d394c

Updates for the Linux kernel exploitation collection 😋

github.com/xairy/linux-...

01.07.2025 14:44 — 👍 1    🔁 1    💬 0    📌 0
RVAsec 2025: Kevin Massey - Linux Kernel Exploitation for Beginners

RVAsec 2025: Kevin Massey - Linux Kernel Exploitation for Beginners

youtu.be/YfjHCt4SzQc

Linux Kernel Exploitation For Beginners

rvasec.com/slides/2025/...

30.06.2025 03:13 — 👍 1    🔁 1    💬 0    📌 0
OffensiveCon25 - Chariton Karamitas - KernelGP: Racing Against the Android Kernel

KernelGP: Racing Against the Android Kernel

Talk by Chariton Karamitas about ways to use FUSE for kernel exploitation from unprivileged SELinux contexts on Android.

www.youtube.com/watch?v=DJBG...

04.06.2025 14:42 — 👍 1    🔁 1    💬 0    📌 0

Linux Kernel Exploitation series

Awesome series of articles by r1ru that outlines many commonly-used modern exploitation techniques.

r1ru.github.io/categories/l...

11.05.2025 23:06 — 👍 2    🔁 1    💬 1    📌 0
Kernel Exploitation Techniques: Turning The (Page) Tables This post explores attacking page tables as a Linux kernel exploitation technique for gaining powerful read/write primitives.

With OffensiveCon around the corner, I figured I'd write another post on Linux kernel exploitation techniques - this time I cover the world of page table exploitation! Enjoy 🤓

sam4k.com/page-table-k...

08.05.2025 13:58 — 👍 13    🔁 4    💬 1    📌 0
