
Linux Kernel Security

@linkersec.bsky.social

Links related to Linux kernel security and exploitation. Maintained by @andreyknvl.bsky.social and Alexander Popov. Also on https://t.me/linkersec, https://x.com/linkersec, and https://infosec.exchange/@linkersec.

154 Followers  |  0 Following  |  63 Posts  |  Joined: 24.11.2024

Latest posts by linkersec.bsky.social on Bluesky

[CVE-2025-38001] Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama (Part One: LTS & COS)
CVE-2025-38001 is a Use-After-Free vulnerability in the Linux network packet scheduler, specifically in the HFSC queuing discipline. When the HFSC qdisc is utilized with NETEM and NETEM packet duplica...

Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k

Article by Crusaders of Rust about exploiting a UAF in the network packet scheduler. Researchers manipulated red-black trees to achieve a page-level UAF and escalate privileges.

syst3mfailure.io/rbtree-famil...

09.08.2025 21:13 — 👍 0    🔁 0    💬 0    📌 0

Setting up kernel exploit debugging environment on Pixel 8 ⬇️

08.08.2025 01:41 — 👍 1    🔁 1    💬 0    📌 0

CVE-2023-52927 - Turning a Forgotten Syzkaller Report into kCTF Exploit

Article by Hoàng Hải Long about finding an unfixed netfilter use-after-free bug reported by syzbot. The researcher exploited it to pwn the kernelCTF COS instance.

seadragnol.github.io/posts/CVE-20...

17.07.2025 20:26 — 👍 1    🔁 0    💬 0    📌 0
GitHub - sl4v/hfsplus-kernel-fuzzing-demo: Minimal Linux kernel fuzzer demo targeting HFS+.

Slava started with a simple fuzzer implementation and then improved it step-by-step by adding coverage collection, proper seed generation, mutations, etc.

The source code of the fuzzer is public.

github.com/sl4v/hfsplus...

16.07.2025 17:07 — 👍 0    🔁 0    💬 0    📌 0
Fuzzing Linux Kernel Modules, with Slava Moskvin (YouTube video by Off By One Security)

Fuzzing Linux Kernel Modules, with Slava Moskvin

Stream by @sl4v.bsky.social hosted by @steph3nsims.bsky.social about building a custom fuzzer to rediscover CVE-2025-0927 in the HFS+ filesystem implementation.

www.youtube.com/live/uCcsZrX...

16.07.2025 17:07 — 👍 0    🔁 0    💬 1    📌 0

Linux Kernel Hardening: Ten Years Deep

Talk by Kees Cook about the relevance of various Linux kernel vulnerability classes and the mitigations that address them.

Video: www.youtube.com/watch?v=c_Nx...
Slides: static.sched.com/hosted_files...

15.07.2025 16:42 — 👍 7    🔁 3    💬 0    📌 0
Bypass Kernel Barriers: Fuzzing Linux Kernel in Userspace With LKL - Xuan Xing & Eugene Rodionov (YouTube video by The Linux Foundation)

Bypass Kernel Barriers: Fuzzing Linux Kernel in Userspace With LKL

Xuan Xing & Eugene Rodionov gave a talk about fuzzing the Linux kernel interfaces fully in user space using LKL (Linux Kernel Library).

Video: www.youtube.com/watch?v=Wxmi...
Slides: static.sched.com/hosted_files...

10.07.2025 12:32 — 👍 1    🔁 1    💬 0    📌 0

The Journey of Bypassing Ubuntu’s Unprivileged Namespace Restriction

Article by Pumpkin about the internals of Ubuntu's implementation of restricting unprivileged user namespaces and figuring out another bypass method.

u1f383.github.io/linux/2025/0...

09.07.2025 14:06 — 👍 1    🔁 0    💬 0    📌 0

The researchers leaked the kernel base address using the EntryBleed side-channel attack and then turned the UAF on the vsock_sock structure into a RIP control primitive to execute a ROP chain.

17.06.2025 22:45 — 👍 0    🔁 0    💬 0    📌 0

Exploiting the CVE-2025-21756 1-day vulnerability

Hyunwoo Kim and Wongi Lee posted a kernelCTF report about exploiting a UAF in the vsock subsystem of the Linux kernel.

github.com/google/secur...

17.06.2025 22:45 — 👍 0    🔁 0    💬 1    📌 0

Solo: A Pixel 6 Pro Story (When one bug is all you need)

Awesome article by Lin Ze Wei about adapting the Pixel 7/8 exploit for a bug in the Mali GPU driver to Pixel 6 Pro.

starlabs.sg/blog/2025/06...

16.06.2025 15:17 — 👍 0    🔁 0    💬 0    📌 0
securitylab/SecurityExploits/Android/Mali/CVE-2025-0072 at main · github/securitylab (Resources related to GitHub Security Lab)

Author published an exploit for this bug that disables SELinux and gains root privileges on Pixel 8 running from the untrusted_app context. The exploit is not affected by MTE.

github.com/github/secur...

09.06.2025 13:35 — 👍 0    🔁 0    💬 0    📌 0

Bypassing MTE with CVE-2025-0072

Article by Man Yue Mo about exploiting a page use-after-free vulnerability in ARM's Mali GPU driver in the code that manages userspace-mapped pages.

github.blog/security/vul...

09.06.2025 13:35 — 👍 1    🔁 0    💬 1    📌 0

The researcher had to rerun the prompt multiple times before getting a true-positive result. The o3 model managed to find the 0-day vulnerability in only ~1 out of 50 runs.

06.06.2025 14:27 — 👍 0    🔁 0    💬 0    📌 0

How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel's SMB implementation

Article by Sean Heelan about rediscovering a bug in the ksmbd module via OpenAI's o3 model and then finding a 0-day vulnerability as well.

sean.heelan.io/2025/05/22/h...

06.06.2025 14:27 — 👍 0    🔁 0    💬 1    📌 0

The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit
Posted by Seth Jenkins, Google Project Zero. This blog post provides a technical analysis of exploit artifacts provided to us by Google's Thr...

Based on a previously published article.

googleprojectzero.blogspot.com/2024/12/qual...

05.06.2025 15:11 — 👍 0    🔁 0    💬 0    📌 0
OffensiveCon25 - Seth Jenkins - Android In-The-Wild: Unexpectedly Excavating a Kernel Exploit (YouTube video by OffensiveCon)

Android In-The-Wild: Unexpectedly Excavating a Kernel Exploit

Talk by Seth Jenkins about analyzing the traces of an In-The-Wild exploit that targeted the Qualcomm adsprpc driver.

www.youtube.com/watch?v=lnK1...

05.06.2025 15:11 — 👍 0    🔁 0    💬 1    📌 0
OffensiveCon25 - Chariton Karamitas - KernelGP: Racing Against the Android Kernel (YouTube video by OffensiveCon)

KernelGP: Racing Against the Android Kernel

Talk by Chariton Karamitas about ways to use FUSE for kernel exploitation from unprivileged SELinux contexts on Android.

www.youtube.com/watch?v=DJBG...

04.06.2025 14:42 — 👍 1    🔁 1    💬 0    📌 0

Kernel Exploitation Techniques: Turning The (Page) Tables

Article by @sam4k.com giving a great introduction to page table attacks.

sam4k.com/page-table-k...

14.05.2025 20:23 — 👍 1    🔁 0    💬 0    📌 0

Author exploited a severely limited OOB side effect of the bug to corrupt pipe_inode_info->tmp_page and gain a page UAF read/write primitive. Researcher then swapped the private_data and f_cred fields of a signalfd file structure and overwrote the credentials via signalfd_ctx.

13.05.2025 20:33 — 👍 0    🔁 0    💬 0    📌 0

[CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds

Great article by D3vil about exploiting a type confusion in the network scheduler subsystem and pwning all kernelCTF instances.

syst3mfailure.io/two-bytes-of...

13.05.2025 20:33 — 👍 2    🔁 1    💬 1    📌 0

A Quick Dive Into The Linux Kernel Page Allocator

Article by D3vil that explains the internals of the page allocator.

syst3mfailure.io/linux-page-a...

12.05.2025 21:02 — 👍 2    🔁 1    💬 0    📌 0
GitHub - r1ru/linux-kernel-exploitation: A collection of PoCs for advanced Linux kernel exploits.

Comes with the reference exploit code.

github.com/r1ru/linux-k...

11.05.2025 23:06 — 👍 0    🔁 0    💬 0    📌 0

Linux Kernel Exploitation series

Awesome series of articles by r1ru that outlines many commonly used modern exploitation techniques.

r1ru.github.io/categories/l...

11.05.2025 23:06 — 👍 2    🔁 1    💬 1    📌 0

RISC-V support in kernel-hardening-checker

Alexander Popov added RISC-V support to kernel-hardening-checker. Now, you can check the Linux kernel security parameters for RISC-V in addition to X86_64, ARM64, X86_32, and ARM.

github.com/a13xp0p0v/ke...

09.05.2025 13:17 — 👍 0    🔁 0    💬 0    📌 0

With advice from h0mbre, the researcher used brute force to bypass KASLR and hijacked the control flow for LPE.

08.05.2025 13:25 — 👍 0    🔁 0    💬 0    📌 0

CVE-2025-21756: Attack of the Vsock

Michael Hoefler published an article about exploiting an incorrect reference counter decrement causing a UAF in the vsock subsystem.

hoefler.dev/articles/vso...

08.05.2025 13:25 — 👍 0    🔁 0    💬 1    📌 0

Guidance on how to use syzkaller to find bugs in USB drivers that can be exploited by a malicious USB device 👇

06.05.2025 20:42 — 👍 0    🔁 0    💬 0    📌 0

This bug was previously reported by Jann Horn and exploited by Oriol Castejón.

project-zero.issues.chromium.org/issues/42451...
blog.exodusintel.com/2024/03/27/m...

28.04.2025 17:18 — 👍 0    🔁 0    💬 0    📌 0

Exploiting CVE-2024-0582 via the Dirty Pagetable Method

Kuzey Arda Bulut posted an article about exploiting CVE-2024-0582 in io_uring using the Dirty Pagetable technique.

kuzey.rs/posts/Dirty_...

28.04.2025 17:18 — 👍 0    🔁 0    💬 1    📌 0