
Linux Kernel Security

@linkersec.bsky.social

Links related to Linux kernel security and exploitation. Maintained by @andreyknvl.bsky.social and Alexander Popov. Also on https://t.me/linkersec, https://x.com/linkersec, and https://infosec.exchange/@linkersec.

180 Followers  |  0 Following  |  114 Posts  |  Joined: 24.11.2024  |  1.3757

Latest posts by linkersec.bsky.social on Bluesky

The researcher glitched the setresuid syscall handler to bypass its checks and obtain the UID of 0. Bypassing SELinux via glitching remains to be investigated.

07.02.2026 03:10 — 👍 1    🔁 0    💬 0    📌 0
Hardwear.io NL 2025: Glitching Google's TV Streamer From Adb To Root - Niek Timmers
YouTube video by hardwear.io Hardwear.io NL 2025: Glitching Google's TV Streamer From Adb To Root - Niek Timmers

setresuid(⚡): Glitching Google's TV Streamer from adb to root.

Talk by Niek Timmers about glitching the kernel of the Android-based Google TV Streamer device to escalate privileges via Electromagnetic Fault Injection.

Video: www.youtube.com/watch?v=-w5m...
Slides: hardwear.io/netherlands-...

07.02.2026 03:10 — 👍 1    🔁 0    💬 1    📌 0

[Cryptodev-linux] Page-level UAF exploitation. Introduction: In November 2025 I started a fuzzing campaign against cryptodev-linux as part of a school project. I found 10+ bugs (UAF, NULL pointer dereferences and integer overflows) and among all of

[Cryptodev-linux] Page-level UAF exploitation

nasm_re posted an article about exploiting a page-level UAF in the out-of-tree cryptodev-linux driver. The researcher modified struct file sprayed into a freed page to escalate privileges.

nasm.re/posts/crypto...

05.02.2026 02:24 — 👍 3    🔁 1    💬 0    📌 0

Authors found multiple Android vendor drivers affected by the issue. They also wrote an exploit for the IMG DXT GPU driver to escalate privileges on Pixel 10.

03.02.2026 17:33 — 👍 0    🔁 0    💬 0    📌 0
POC2025 | Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
YouTube video by POC2026 POC2025 | Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers

Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers

Talk by Xingyu Jin & Martijn Bogaard about a new type of logical bugs in kernel driver mmap handlers exploitable via the ptrace functionality.

Video: www.youtube.com/watch?v=yAUJ...
Slides: powerofcommunity.net/2025/slide/x...

03.02.2026 17:33 — 👍 1    🔁 0    💬 1    📌 0
A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby - Project Zero Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One ef...

Seth used the bug to escalate privileges from the mediacodec SELinux context and obtain root on Pixel 9.

This exploit is a part of an RCE chain developed by Seth and @natashenka.bsky.social.

projectzero.google/2026/01/pixe...

28.01.2026 17:18 — 👍 0    🔁 0    💬 0    📌 0

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave

Article by Seth Jenkins about exploiting a use-after-free in the driver for BigWave — an AV1 decoding hardware component present on Pixel SOCs.

projectzero.google/2026/01/pixe...

28.01.2026 17:18 — 👍 1    🔁 0    💬 1    📌 0

CVE-2025-38352 (Part 3) - Uncovering Chronomaly Walking through the exploit development process of the Chronomaly exploit for CVE-2025-38352.

Part 3️⃣ shows a complex PoC exploit for the UAF caused by this race condition:

faith2dxy.xyz/2026-01-03/c...

19.01.2026 16:55 — 👍 0    🔁 0    💬 0    📌 0

CVE-2025-38352 (Part 2) - Extending The Race Window Without a Kernel Patch Improving the PoC from the part 1 by extending the race window from userland.

Part 2️⃣ explains how to extend the race window (a period of time when the race can be triggered):

faith2dxy.xyz/2025-12-24/c...

19.01.2026 16:55 — 👍 0    🔁 0    💬 1    📌 0

CVE-2025-38352 (Part 1) - In-the-wild Android Kernel Vulnerability Analysis + PoC Analyzing and writing a PoC for CVE-2025-38352.

Article series about exploiting CVE-2025-38352

Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers.

Part 1️⃣ describes reproducing this race condition:

faith2dxy.xyz/2025-12-22/c...

19.01.2026 16:55 — 👍 0    🔁 0    💬 1    📌 0

Dangling pointers, fragile memory: from an undisclosed vulnerability to Pixel 9 Pro privilege escalation. Because of its tight coupling with memory management, the GPU driver has become a fairly valuable attack surface in the Android kernel in recent years. There are quite a few GPU-related CVEs, but only a handful of these vulnerabilities have been publicly analyzed, and the security bulletins do not discuss vulnerability details, so the patch in each release has become an important clue for analyzing the vulnerabilities.

Dangling pointers, fragile memory — from an undisclosed vulnerability to Pixel 9 Pro privilege escalation

Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.

dawnslab.jd.com/Pixel_9_Pro_...

09.01.2026 02:11 — 👍 2    🔁 0    💬 0    📌 0

The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.

05.01.2026 23:43 — 👍 0    🔁 0    💬 0    📌 0

mediatek? more like media-REKT, amirite. A year-in-review going over 19+ bugs in Mediatek’s MT76xx/MT7915 (and others) wifi chipsets I reported this year, PoCs included!

mediatek? more like media-rekt, amirite.

Article by hypr covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers.

blog.coffinsec.com/0days/2025/1...

05.01.2026 23:43 — 👍 0    🔁 0    💬 1    📌 0

CVE-2025-68260: rust_binder: fix race condition on death_list

First CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an unsafe code block.

lore.kernel.org/linux-cve-an...

22.12.2025 19:07 — 👍 0    🔁 0    💬 0    📌 0

Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit – Kyntra Blog. Deep dive into a modern stealth Linux kernel rootkit with advanced evasion and persistence techniques

MatheuZSec published a detailed article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.

Article: blog.kyntra.io/Singularity-...
Code: github.com/MatheuZSecur...

18.12.2025 01:39 — 👍 1    🔁 0    💬 0    📌 0

Extending Kernel Race Windows Using '/dev/shm'

Article by Faith about extending race condition windows via FALLOC_FL_PUNCH_HOLE. The technique allows delaying user memory accesses from the kernel mode, similar to userfaultfd and FUSE.

faith2dxy.xyz/2025-11-28/e...

16.12.2025 00:02 — 👍 0    🔁 0    💬 0    📌 0

[CVE-2025-38001] Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: An RBTree Family Drama (Part One: LTS & COS) CVE-2025-38001 is a Use-After-Free vulnerability in the Linux network packet scheduler, specifically in the HFSC queuing discipline. When the HFSC qdisc is utilized with NETEM and NETEM packet duplica...

The exploit was also covered in a previously posted article.

syst3mfailure.io/rbtree-famil...

10.12.2025 01:58 — 👍 0    🔁 0    💬 0    📌 0
HEXACON 2025 - An RbTree Family Drama by William Liu & Savino Dicanosa
YouTube video by Hexacon HEXACON 2025 - An RbTree Family Drama by William Liu & Savino Dicanosa

An RbTree Family Drama

Talk by William Liu and Savino Dicanosa @cor_ctf about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler.

Video: www.youtube.com/watch?v=C-52...
Slides: storage.googleapis.com/static.cor.t...

10.12.2025 01:58 — 👍 0    🔁 0    💬 1    📌 0
HEXACON 2025 - Déjà Vu in Linux io_uring by Pumpkin
YouTube video by Hexacon HEXACON 2025 - Déjà Vu in Linux io_uring by Pumpkin

Déjà Vu in Linux io_uring

Talk by Pumpkin about exploiting CVE-2025-21836 — a race condition that leads to a use-after-free in the io_uring subsystem.

Video: www.youtube.com/watch?v=Ry4e...
Slides: u1f383.github.io/slides/talks...

06.12.2025 00:44 — 👍 0    🔁 0    💬 0    📌 0
HEXACON 2025 - CUDA de Grâce by Valentina Palmiotti & Samuel Lovejoy
YouTube video by Hexacon HEXACON 2025 - CUDA de Grâce by Valentina Palmiotti & Samuel Lovejoy

CUDA de Grâce

Talk by @chompie.rip and Samuel Lovejoy about exploiting a race condition that leads to a double-free in the NVIDIA GPU driver to escape a container created with NVIDIA Container Toolkit.

Video: www.youtube.com/watch?v=Lvz2...
Slides: docs.google.com/presentation...

05.12.2025 02:01 — 👍 0    🔁 0    💬 0    📌 0

Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel Some memory corruption bugs are much harder to exploit than others. They can involve race conditions, crash the system, and impose limitations that make a researcher's life difficult. Working with suc...

Previously, Alexander Popov described another way to exploit this vulnerability.

a13xp0p0v.github.io/2025/09/02/k...

25.11.2025 01:50 — 👍 0    🔁 0    💬 0    📌 0

Race Condition Symphony: From Tiny Idea to Pwnie

Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264 — a race condition in the vsock subsystem.

powerofcommunity.net/2025/slide/h...

25.11.2025 01:50 — 👍 0    🔁 0    💬 1    📌 0

LinkPro: eBPF rootkit analysis LinkPro: eBPF rootkit analysis

LinkPro: eBPF rootkit analysis

Théo Letailleur published an article with a detailed description of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".

www.synacktiv.com/en/publicati...

21.11.2025 01:47 — 👍 0    🔁 0    💬 0    📌 0

Slice: SAST + LLM Interprocedural Context Extractor

Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899 — a remotely-triggerable vulnerability in the ksmbd module.

noperator.dev/posts/slice/

18.11.2025 00:48 — 👍 0    🔁 0    💬 0    📌 0

The article also refers to another post "A hole in FineIBT protection" about a method to bypass this CFI mechanism.

lwn.net/Articles/101...

14.11.2025 13:22 — 👍 0    🔁 0    💬 0    📌 0

Enhancing FineIBT

@lwndotnet.bsky.social article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).

lwn.net/Articles/103...

14.11.2025 13:22 — 👍 0    🔁 0    💬 1    📌 0

Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE

Talk by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.

Video: www.youtube.com/watch?v=_iSw...
Slides: hitcon.org/2025/slides/...

13.11.2025 20:01 — 👍 0    🔁 0    💬 0    📌 0

Exploiting CVE-2025-21479 on a Samsung S23

Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on Samsung S23 via a combination of page table attacks.

xploitbengineer.github.io/CVE-2025-21479

11.11.2025 18:09 — 👍 0    🔁 0    💬 0    📌 0

LPE via refcount imbalance in the af_unix of Ubuntu

Article and exploit by kylebot for a refcount imbalance bug in the Ubuntu kernel's Unix sockets implementation disclosed during the TyphoonPWN 2025 competition.

ssd-disclosure.com/lpe-via-refc...

11.11.2025 00:42 — 👍 1    🔁 0    💬 0    📌 0

kernelCTF: CVE-2025-38477

kernelCTF entry for a race condition in the network scheduler subsystem.

Most notably, it shows a technique of putting controlled data into unmapped sections of vmlinux.

github.com/n132/securit...

07.11.2025 20:11 — 👍 2    🔁 1    💬 0    📌 0