@linkersec.bsky.social
Links related to Linux kernel security and exploitation. Maintained by @andreyknvl.bsky.social and Alexander Popov. Also on https://t.me/linkersec, https://x.com/linkersec, and https://infosec.exchange/@linkersec.
07.02.2026 03:10
setresuid(⚡): Glitching Google's TV Streamer from adb to root.
Talk by Niek Timmers about glitching the kernel of the Android-based Google TV Streamer device to escalate privileges via Electromagnetic Fault Injection.
Video: www.youtube.com/watch?v=-w5m...
Slides: hardwear.io/netherlands-...
The researcher glitched the setresuid syscall handler to bypass its checks and obtain the UID of 0. Bypassing SELinux via glitching remains to be investigated.
[Cryptodev-linux] Page-level UAF exploitation
nasm_re posted an article about exploiting a page-level UAF in the out-of-tree cryptodev-linux driver. The researcher modified struct file sprayed into a freed page to escalate privileges.
nasm.re/posts/crypto...
03.02.2026 17:33
Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
Talk by Xingyu Jin & Martijn Bogaard about a new type of logical bug in kernel driver mmap handlers exploitable via the ptrace functionality.
Video: www.youtube.com/watch?v=yAUJ...
Slides: powerofcommunity.net/2025/slide/x...
The authors found multiple Android vendor drivers affected by the issue. They also wrote an exploit for the IMG DXT GPU driver to escalate privileges on Pixel 10.
A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave
Article by Seth Jenkins about exploiting a use-after-free in the driver for BigWave, an AV1 decoding hardware component present on Pixel SoCs.
projectzero.google/2026/01/pixe...
Seth used the bug to escalate privileges from the mediacodec SELinux context and obtain root on Pixel 9.
This exploit is part of an RCE chain developed by Seth and @natashenka.bsky.social.
projectzero.google/2026/01/pixe...
Article series about exploiting CVE-2025-38352
Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers.
Part 1 describes reproducing this race condition:
faith2dxy.xyz/2025-12-22/c...
Part 2 explains how to extend the race window (the period of time during which the race can be triggered):
faith2dxy.xyz/2025-12-24/c...
Part 3 shows a complex PoC exploit for the UAF caused by this race condition:
faith2dxy.xyz/2026-01-03/c...
Dangling pointers, fragile memory – from an undisclosed vulnerability to Pixel 9 Pro privilege escalation
Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.
dawnslab.jd.com/Pixel_9_Pro_...
05.01.2026 23:43
mediatek? more like media-rekt, amirite.
Article by hypr covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers.
blog.coffinsec.com/0days/2025/1...
The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.
CVE-2025-68260: rust_binder: fix race condition on death_list
The first CVE has been registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an unsafe code block.
lore.kernel.org/linux-cve-an...
MatheuZSec published a detailed article about Singularity, a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.
Article: blog.kyntra.io/Singularity-...
Code: github.com/MatheuZSecur...
Extending Kernel Race Windows Using '/dev/shm'
Article by Faith about extending race condition windows via FALLOC_FL_PUNCH_HOLE. The technique allows delaying user memory accesses from kernel mode, similar to userfaultfd and FUSE.
faith2dxy.xyz/2025-11-28/e...
An RbTree Family Drama
Talk by William Liu and Savino Dicanosa @cor_ctf about exploiting CVE-2025-38001, a use-after-free in the network packet scheduler.
Video: www.youtube.com/watch?v=C-52...
Slides: storage.googleapis.com/static.cor.t...
The exploit was also covered in a previously posted article.
syst3mfailure.io/rbtree-famil...
Déjà Vu in Linux io_uring
Talk by Pumpkin about exploiting CVE-2025-21836, a race condition that leads to a use-after-free in the io_uring subsystem.
Video: www.youtube.com/watch?v=Ry4e...
Slides: u1f383.github.io/slides/talks...
CUDA de Grâce
Talk by @chompie.rip and Samuel Lovejoy about exploiting a race condition that leads to a double-free in the NVIDIA GPU driver to escape a container created with NVIDIA Container Toolkit.
Video: www.youtube.com/watch?v=Lvz2...
Slides: docs.google.com/presentation...
Race Condition Symphony: From Tiny Idea to Pwnie
Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264, a race condition in the vsock subsystem.
powerofcommunity.net/2025/slide/h...
Previously, Alexander Popov described another way to exploit this vulnerability.
a13xp0p0v.github.io/2025/09/02/k...
LinkPro: eBPF rootkit analysis
Théo Letailleur published an article with a detailed description of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".
www.synacktiv.com/en/publicati...
Slice: SAST + LLM Interprocedural Context Extractor
Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899, a remotely-triggerable vulnerability in the ksmbd module.
noperator.dev/posts/slice/
Enhancing FineIBT
@lwndotnet.bsky.social article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).
lwn.net/Articles/103...
The article also refers to another post, "A hole in FineIBT protection", about a method to bypass this CFI mechanism.
lwn.net/Articles/101...
Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE
Talk by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.
Video: www.youtube.com/watch?v=_iSw...
Slides: hitcon.org/2025/slides/...
Exploiting CVE-2025-21479 on a Samsung S23
Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on Samsung S23 via a combination of page table attacks.
xploitbengineer.github.io/CVE-2025-21479
LPE via refcount imbalance in the af_unix of Ubuntu
Article and exploit by kylebot for a refcount imbalance bug in the Ubuntu kernel's Unix sockets implementation disclosed during the TyphoonPWN 2025 competition.
ssd-disclosure.com/lpe-via-refc...
kernelCTF: CVE-2025-38477
kernelCTF entry for a race condition in the network scheduler subsystem.
Most notably, it shows a technique of placing controlled data into unmapped sections of vmlinux.
github.com/n132/securit...