Andrey Konovalov
andreyknvl.bsky.social
Security engineer at http://xairy.io. Focusing on the Linux kernel. Maintaining @linkersec.bsky.social. Trainings at http://xairy.io/trainings.
This is still not fixed btw.
Wrote a trigger for CVE-2025-38494/5 (an integer underflow in the HID subsystem) that leaks 64 KB of OOB memory over USB.

Still works on Pixels and Ubuntus (but the bug is fixed in stable kernels).

github.com/xairy/kernel...
November 8, 2025 at 11:48 AM
Reposted by Andrey Konovalov
kernelCTF: CVE-2025-38477

kernelCTF entry for a race condition in the network scheduler subsystem.

Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux.

github.com/n132/securit...
November 7, 2025 at 8:11 PM
Reposted by Andrey Konovalov
Defeating KASLR by Doing Nothing at All

Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.

googleprojectzero.blogspot.com/2025/11/defe...
November 6, 2025 at 4:13 PM
Updates for the Linux kernel exploitation collection 😋

github.com/xairy/linux-...
September/October updates · xairy/linux-kernel-exploitation@b26cc4a
github.com
November 6, 2025 at 7:58 PM
Reposted by Andrey Konovalov
Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers

Article by Robin Bastide about exploiting a NULL-pointer-dereference that led to a UAF access to the kernel stack in the NVIDIA GPU driver.

blog.quarkslab.com/nvidia_gpu_k...
October 25, 2025 at 12:44 AM
Sheaves support has been merged into SLUB.

Opt-in for now, but planned to replace the per-CPU partial slab layer for all caches in the future.

Gonna have to revise the slab shaping strategies once this happens.
October 24, 2025 at 2:04 PM
Delivered a workshop at BalCCon this weekend on emulating/sniffing/MitM'ing USB devices with Raw Gadget and a Raspberry Pi.

All materials are public, so you can go through the workshop on your own if you're interested.

github.com/xairy/raw-ga...
raw-gadget/workshop at master · xairy/raw-gadget
USB Raw Gadget — a low-level interface for the Linux USB Gadget subsystem - xairy/raw-gadget
github.com
September 23, 2025 at 2:54 PM
Updated syzkaller documentation on USB fuzzing to explain how to handle certain tricky cases (e.g. driver quirks applied based on Vendor/Product IDs).

github.com/google/syzka...
docs: update USB documentation · google/syzkaller@e2beed9
github.com
September 23, 2025 at 1:56 PM
Wrote a trigger for CVE-2025-38494/5 (an integer underflow in the HID subsystem) that leaks 64 KB of OOB memory over USB.

Still works on Pixels and Ubuntus (but the bug is fixed in stable kernels).

github.com/xairy/kernel...
September 11, 2025 at 3:39 PM
Updated the collection of USB hacking links.

github.com/xairy/usb-ha...
readme: new links · xairy/usb-hacking@4661f45
github.com
September 8, 2025 at 8:41 PM
Whoever is coming to BalCCon: I will be teaching a workshop Attacking USB with Raw Gadget (covering basics of USB emulation and sniffing).

If you wish to attend, you must bring Raspberry Pi 5 along with a few other things, see the workshop description.

github.com/xairy/raw-ga...
raw-gadget/workshop at master · xairy/raw-gadget
USB Raw Gadget — a low-level interface for the Linux USB Gadget subsystem - xairy/raw-gadget
github.com
September 7, 2025 at 11:27 PM
Updates for the Linux kernel exploitation collection 😋

github.com/xairy/linux-...
July/August updates · xairy/linux-kernel-exploitation@3dbd2d4
github.com
September 4, 2025 at 4:46 PM
Reposted by Andrey Konovalov
Announcing #Pwn2Own Ireland for 2025! We return to the Emerald Isle with our new partner #Meta & a $1,000,000 WhatsApp bounty. Plus new USB vectors on phones & more. Read the details https://www.zerodayinitiative.com/blog/2025/7/30/pwn2own-returns-to-ireland-with-a-one-million-dollar-whatsapp-target
July 31, 2025 at 7:10 PM
Documented instructions for setting up KGDB on Pixel 8.

Including getting kernel log over UART via USB-Cereal, building/flashing custom kernel, breaking into KGDB via /proc/sysrq-trigger or by sending SysRq-G over serial, dealing with watchdogs, etc.

xairy.io/articles/pix...
📲 Debugging the Pixel 8 kernel via KGDB
Instructions for getting kernel log, building custom kernel, and enabling KGDB on Pixel 8
xairy.io
July 28, 2025 at 8:20 PM
Reposted by Andrey Konovalov
Linux Kernel Hardening: Ten Years Deep

Talk by Kees Cook about the relevance of various Linux kernel vulnerability classes and the mitigations that address them.

Video: www.youtube.com/watch?v=c_Nx...
Slides: static.sched.com/hosted_files...
July 15, 2025 at 4:42 PM
Reposted by Andrey Konovalov
Bypass Kernel Barriers: Fuzzing Linux Kernel in Userspace With LKL

Xuan Xing & Eugene Rodionov gave a talk about fuzzing the Linux kernel interfaces fully in user space using LKL (Linux Kernel Library).

Video: www.youtube.com/watch?v=Wxmi...
Slides: static.sched.com/hosted_files...
Bypass Kernel Barriers: Fuzzing Linux Kernel in Userspace With LKL - Xuan Xing & Eugene Rodionov
YouTube video by The Linux Foundation
www.youtube.com
July 10, 2025 at 12:32 PM
Schedule for my Fuzzing/Exploiting the Linux Kernel trainings for the rest of the year ⬇️
July 1, 2025 at 10:01 PM
Updates for the Linux kernel exploitation collection 😋

github.com/xairy/linux-...
May/June updates · xairy/linux-kernel-exploitation@e4d394c
github.com
July 1, 2025 at 2:44 PM
Reposted by Andrey Konovalov
RVAsec 2025: Kevin Massey - Linux Kernel Exploitation for Beginners

youtu.be/YfjHCt4SzQc

Linux Kernel Exploitation For Beginners

rvasec.com/slides/2025/...
RVAsec 2025: Kevin Massey - Linux Kernel Exploitation for Beginners
YouTube video by RVAsec
youtu.be
June 30, 2025 at 3:13 AM
Reposted by Andrey Konovalov
KernelGP: Racing Against the Android Kernel

Talk by Chariton Karamitas about ways to use FUSE for kernel exploitation from unprivileged SELinux contexts on Android.

www.youtube.com/watch?v=DJBG...
OffensiveCon25 - Chariton Karamitas - KernelGP: Racing Against the Android Kernel
YouTube video by OffensiveCon
www.youtube.com
June 4, 2025 at 2:42 PM
Reposted by Andrey Konovalov
Linux Kernel Exploitation series

Awesome series of articles by r1ru that outlines many commonly-used modern exploitation techniques.

r1ru.github.io/categories/l...
May 11, 2025 at 11:06 PM
Reposted by Andrey Konovalov
with offensivecon around the corner, I figured I'd write another post on linux kernel exploitation techniques - this time I cover the world of page table exploitation! enjoy 🤓

sam4k.com/page-table-k...
Kernel Exploitation Techniques: Turning The (Page) Tables
This post explores attacking page tables as a Linux kernel exploitation technique for gaining powerful read/write primitives.
sam4k.com
May 8, 2025 at 1:58 PM
Updates for the Linux kernel exploitation collection 😋

github.com/xairy/linux-...
March/April updates · xairy/linux-kernel-exploitation@7c1b77c
github.com
May 7, 2025 at 9:48 PM
Gave a talk on external fuzzing of Linux kernel USB drivers with syzkaller at SAFACon.

Includes a demonstration of how to rediscover CVE-2024-53104, an out-of-bounds bug in the USB Video Class driver.

Slides: docs.google.com/presentation...
May 6, 2025 at 8:17 PM