Linux Kernel Security
@linkersec.bsky.social
Links related to Linux kernel security and exploitation.
Maintained by @andreyknvl.bsky.social and Alexander Popov.
Also on https://t.me/linkersec, https://x.com/linkersec, and https://infosec.exchange/@linkersec.
CVE-2025-68260: rust_binder: fix race condition on death_list

The first CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an unsafe code block.

lore.kernel.org/linux-cve-an...
December 22, 2025 at 7:07 PM
MatheuZSec published a detailed article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.

Article: blog.kyntra.io/Singularity-...
Code: github.com/MatheuZSecur...
Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit – Kyntra Blog
December 18, 2025 at 1:39 AM
Extending Kernel Race Windows Using '/dev/shm'

Article by Faith about extending race condition windows via FALLOC_FL_PUNCH_HOLE. The technique allows delaying user memory accesses from kernel mode, similar to userfaultfd and FUSE.

faith2dxy.xyz/2025-11-28/e...
December 16, 2025 at 12:02 AM
An RbTree Family Drama

Talk by William Liu and Savino Dicanosa @cor_ctf about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler.

Video: www.youtube.com/watch?v=C-52...
Slides: storage.googleapis.com/static.cor.t...
HEXACON 2025 - An RbTree Family Drama by William Liu & Savino Dicanosa
December 10, 2025 at 1:58 AM
Déjà Vu in Linux io_uring

Talk by Pumpkin about exploiting CVE-2025-21836 — a race condition that leads to a use-after-free in the io_uring subsystem.

Video: www.youtube.com/watch?v=Ry4e...
Slides: u1f383.github.io/slides/talks...
HEXACON 2025 - Déjà Vu in Linux io_uring by Pumpkin
December 6, 2025 at 12:44 AM
CUDA de Grâce

Talk by @chompie.rip and Samuel Lovejoy about exploiting a race condition that leads to a double-free in the NVIDIA GPU driver to escape a container created with NVIDIA Container Toolkit.

Video: www.youtube.com/watch?v=Lvz2...
Slides: docs.google.com/presentation...
HEXACON 2025 - CUDA de Grâce by Valentina Palmiotti & Samuel Lovejoy
December 5, 2025 at 2:01 AM
Race Condition Symphony: From Tiny Idea to Pwnie

Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264 — a race condition in the vsock subsystem.

powerofcommunity.net/2025/slide/h...
November 25, 2025 at 1:50 AM
LinkPro: eBPF rootkit analysis

Théo Letailleur published an article with a detailed description of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".

www.synacktiv.com/en/publicati...
November 21, 2025 at 1:47 AM
Slice: SAST + LLM Interprocedural Context Extractor

Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899 — a remotely-triggerable vulnerability in the ksmbd module.

noperator.dev/posts/slice/
November 18, 2025 at 12:48 AM
Enhancing FineIBT

An @lwndotnet.bsky.social article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).

lwn.net/Articles/103...
November 14, 2025 at 1:22 PM
Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE

Talk by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.

Video: www.youtube.com/watch?v=_iSw...
Slides: hitcon.org/2025/slides/...
November 13, 2025 at 8:01 PM
Exploiting CVE-2025-21479 on a Samsung S23

Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on a Samsung S23 via a combination of page table attacks.

xploitbengineer.github.io/CVE-2025-21479
November 11, 2025 at 6:09 PM
LPE via refcount imbalance in the af_unix of Ubuntu

Article and exploit by kylebot for a refcount imbalance bug in the Ubuntu kernel's Unix sockets implementation disclosed during the TyphoonPWN 2025 competition.

ssd-disclosure.com/lpe-via-refc...
November 11, 2025 at 12:42 AM
kernelCTF: CVE-2025-38477

kernelCTF entry for a race condition in the network scheduler subsystem.

Most notably, it shows a technique of putting controlled data into unmapped sections of vmlinux.

github.com/n132/securit...
November 7, 2025 at 8:11 PM
Defeating KASLR by Doing Nothing at All

Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.

googleprojectzero.blogspot.com/2025/11/defe...
November 6, 2025 at 4:13 PM
Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers

Article by Robin Bastide about exploiting a NULL pointer dereference that led to a UAF access to the kernel stack in the NVIDIA GPU driver.

blog.quarkslab.com/nvidia_gpu_k...
October 25, 2025 at 12:44 AM
ksmbd - Exploiting CVE-2025-37947

Article by Norbert Szetei about locally exploiting CVE-2025-37947 — a page OOB write in the ksmbd module.

Article: blog.doyensec.com/2025/10/08/k...
Exploit: github.com/doyensec/KSM...
October 24, 2025 at 12:38 AM
Dirty Pageflags: Revisiting PTE Exploitation in Linux

Article by ptr-yudai on the exploitation technique of overwriting the R/W flag in a PTE entry to allow writing into read-only files.

ptr-yudai.hatenablog.com/entry/2025/0...
October 2, 2025 at 1:32 PM
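The PTE-flag technique in the post above has a prerequisite that the one-line summary glosses over: before an exploit can set the R/W bit on the PTE of a read-only file mapping, it has to know which physical page (PFN) backs that mapping, and what the rewritten entry should look like. The program below is an added example, not code from the post or from ptr-yudai's article. It reads the page's entry from /proc/self/pagemap, decodes it using the documented pagemap bit layout, and shows the x86-64 PTE bit that such an exploit flips. It assumes an x86-64 PTE layout, a Linux /proc, and a temporary file path of its own choosing; the kernel-side PTE overwrite needs an arbitrary write primitive and is deliberately not part of it.

```c
/*
 * Added example: locate the physical page behind a read-only file mapping
 * via /proc/self/pagemap and show the x86-64 PTE bit an exploit would set.
 * Not the article's code; the temp file and its contents are constructed.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* /proc/PID/pagemap entry layout (Documentation/admin-guide/mm/pagemap.rst). */
#define PM_PFN_MASK        ((1ULL << 55) - 1)
#define PM_SOFT_DIRTY      (1ULL << 55)
#define PM_EXCLUSIVE       (1ULL << 56)
#define PM_FILE_OR_SHARED  (1ULL << 61)
#define PM_SWAPPED         (1ULL << 62)
#define PM_PRESENT         (1ULL << 63)

/* x86-64 PTE bits (arch/x86/include/asm/pgtable_types.h); assumed target. */
#define X86_PTE_PRESENT   (1ULL << 0)
#define X86_PTE_RW        (1ULL << 1)
#define X86_PTE_USER      (1ULL << 2)
#define X86_PTE_NX        (1ULL << 63)
#define X86_PTE_PFN_MASK  0x000ffffffffff000ULL

struct pagemap_info {
    uint64_t pfn;   /* reported as 0 to unprivileged readers since Linux 4.2 */
    int present, swapped, file_or_shared, exclusive, soft_dirty;
};

/* Split a raw pagemap entry into its documented fields. */
struct pagemap_info decode_pagemap(uint64_t entry)
{
    struct pagemap_info pi;
    pi.pfn = entry & PM_PFN_MASK;
    pi.present = !!(entry & PM_PRESENT);
    pi.swapped = !!(entry & PM_SWAPPED);
    pi.file_or_shared = !!(entry & PM_FILE_OR_SHARED);
    pi.exclusive = !!(entry & PM_EXCLUSIVE);
    pi.soft_dirty = !!(entry & PM_SOFT_DIRTY);
    return pi;
}

/* pagemap holds one 8-byte entry per virtual page, indexed by page number. */
off_t pagemap_offset(uintptr_t vaddr, long page_size)
{
    return (off_t)(vaddr / (uintptr_t)page_size) * 8;
}

/* PFN encoded in an x86-64 PTE (bits 12..51). */
uint64_t x86_pte_pfn(uint64_t pte)
{
    return (pte & X86_PTE_PFN_MASK) >> 12;
}

/* The value an exploit writes back: identical entry with _PAGE_RW set. */
uint64_t x86_pte_make_writable(uint64_t pte)
{
    return pte | X86_PTE_RW;
}

/* Read the current process's pagemap entry for addr; 0 on success, -1 on error. */
int read_pagemap_entry(const void *addr, uint64_t *out)
{
    long page_size = sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, out, sizeof(*out),
                      pagemap_offset((uintptr_t)addr, page_size));
    close(fd);
    return n == (ssize_t)sizeof(*out) ? 0 : -1;
}

int main(void)
{
    char path[] = "/tmp/ro-page-XXXXXX";   /* hypothetical temp file */
    const char msg[] = "read-only file contents\n";   /* constructed sample */
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, msg, sizeof(msg)) != (ssize_t)sizeof(msg)) {
        perror("temp file");
        return 1;
    }
    close(fd);

    long page_size = sysconf(_SC_PAGESIZE);
    fd = open(path, O_RDONLY);
    char *map = mmap(NULL, (size_t)page_size, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    (void)*(volatile char *)map;   /* fault the page-cache page in */

    uint64_t entry;
    if (read_pagemap_entry(map, &entry) == 0) {
        struct pagemap_info pi = decode_pagemap(entry);
        printf("present=%d file_or_shared=%d swapped=%d pfn=0x%llx\n",
               pi.present, pi.file_or_shared, pi.swapped,
               (unsigned long long)pi.pfn);
        if (pi.pfn == 0)
            printf("PFN is hidden without CAP_SYS_ADMIN\n");
    }
    munmap(map, (size_t)page_size);
    close(fd);
    unlink(path);
    return 0;
}
```

Run as root to see the real PFN; an unprivileged run still shows the present and file-backed flags, which is enough to confirm the mapping is page-cache backed. With the PFN in hand, the exploit locates the PTE through the page tables and rewrites it to x86_pte_make_writable(pte); a later store through the mapping then lands in the page cache of the read-only file.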
Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days

William Liu posted an article about exploiting a slab object overflow (CVE-2023-52440) and remote infoleak (CVE-2023-4130) in the kernel SMB3 daemon to gain RCE.

www.willsroot.io/2025/09/ksmb...
October 1, 2025 at 11:12 PM
The anatomy of a bug: 6 Months at STAR Labs

Gerrard Tai posted an article describing their experience in finding kernel bugs and participating in the KernelCTF and Pwn2Own competitions.

gerrardtai.com/anatomy-of-a...
September 30, 2025 at 10:11 PM
A Syzkaller Summer: Fixing False Positive Soft Lockups in net/sched Fuzzing

Article by Will's Root about fixing the soft lockup bug found when fuzzing the network scheduler subsystem with syzkaller.

www.willsroot.io/2025/09/syz-...
September 26, 2025 at 1:17 PM
corCTF 2025 - corphone

Article by Pumpkin about exploiting a UAF in a custom Android kernel module created for a CTF task.

u1f383.github.io/android/2025...
September 24, 2025 at 1:19 PM
Exploit for an integer underflow bug in the HID subsystem that allows leaking up to 64 KB of kernel memory over USB.
Wrote a trigger for CVE-2025-38494/5 (an integer underflow in the HID subsystem) that leaks 64 KB of OOB memory over USB.

Still works on Pixels and Ubuntus (but the bug is fixed in stable kernels).

github.com/xairy/kernel...
September 23, 2025 at 1:33 PM
ksmbd - Fuzzing Improvements and Vulnerability Discovery

Another article by Norbert Szetei about fuzzing the ksmbd module with syzkaller.

blog.doyensec.com/2025/09/02/k...
September 10, 2025 at 3:49 PM
arm64: Linear mapping is mapped at the same static virtual address

Bug report by Seth Jenkins and Jann Horn showing that the physmap region is mapped at a fixed virtual address on Android despite KASLR.

project-zero.issues.chromium.org/issues/43420...
September 10, 2025 at 12:05 AM