Linux Kernel Security
linkersec.bsky.social
Links related to Linux kernel security and exploitation.
Maintained by @andreyknvl.bsky.social and Alexander Popov.
Also on https://t.me/linkersec, https://x.com/linkersec, and https://infosec.exchange/@linkersec.
LinkPro: eBPF rootkit analysis

Théo Letailleur published an article with a detailed description of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".

www.synacktiv.com/en/publicati...
www.synacktiv.com
November 21, 2025 at 1:47 AM
Slice: SAST + LLM Interprocedural Context Extractor

Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899 — a remotely-triggerable vulnerability in the ksmbd module.

noperator.dev/posts/slice/
November 18, 2025 at 12:48 AM
Enhancing FineIBT

@lwndotnet.bsky.social article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).

lwn.net/Articles/103...
November 14, 2025 at 1:22 PM
Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE

Talk by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.

Video: www.youtube.com/watch?v=_iSw...
Slides: hitcon.org/2025/slides/...
November 13, 2025 at 8:01 PM
Exploiting CVE-2025-21479 on a Samsung S23

Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on Samsung S23 via a combination of page table attacks.

xploitbengineer.github.io/CVE-2025-21479
November 11, 2025 at 6:09 PM
LPE via refcount imbalance in the af_unix of Ubuntu

Article and exploit by kylebot for a refcount imbalance bug in the Ubuntu kernel's Unix sockets implementation disclosed during the TyphoonPWN 2025 competition.

ssd-disclosure.com/lpe-via-refc...
November 11, 2025 at 12:42 AM
kernelCTF: CVE-2025-38477

kernelCTF entry for a race condition in the network scheduler subsystem.

Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux.

github.com/n132/securit...
November 7, 2025 at 8:11 PM
Defeating KASLR by Doing Nothing at All

Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.

googleprojectzero.blogspot.com/2025/11/defe...
November 6, 2025 at 4:13 PM
Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers

Article by Robin Bastide about exploiting a NULL-pointer-dereference that led to a UAF access to the kernel stack in the NVIDIA GPU driver.

blog.quarkslab.com/nvidia_gpu_k...
October 25, 2025 at 12:44 AM
ksmbd - Exploiting CVE-2025-37947

Article by Norbert Szetei about locally exploiting CVE-2025-37947 — a page OOB write in the ksmbd module.

Article: blog.doyensec.com/2025/10/08/k...
Exploit: github.com/doyensec/KSM...
October 24, 2025 at 12:38 AM
Dirty Pageflags: Revisiting PTE Exploitation in Linux

Article by ptr-yudai on the exploitation technique of overwriting the R/W flag in a PTE entry to allow writing into read-only files.

ptr-yudai.hatenablog.com/entry/2025/0...
October 2, 2025 at 1:32 PM
Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days

William Liu posted an article about exploiting a slab object overflow (CVE-2023-52440) and remote infoleak (CVE-2023-4130) in the kernel SMB3 daemon to gain RCE.

www.willsroot.io/2025/09/ksmb...
October 1, 2025 at 11:12 PM
The anatomy of a bug: 6 Months at STAR Labs

Gerrard Tai posted an article describing their experience in finding kernel bugs and participating in the KernelCTF and Pwn2Own competitions.

gerrardtai.com/anatomy-of-a...
September 30, 2025 at 10:11 PM
A Syzkaller Summer: Fixing False Positive Soft Lockups in net/sched Fuzzing

Article by Will's Root about fixing the soft lockup bug found when fuzzing the network scheduler subsystem with syzkaller.

www.willsroot.io/2025/09/syz-...
September 26, 2025 at 1:17 PM
corCTF 2025 - corphone

Article by Pumpkin about exploiting a UAF in a custom Android kernel module created for a CTF task.

u1f383.github.io/android/2025...
September 24, 2025 at 1:19 PM
Exploit for an integer underflow bug in the HID subsystem that allows leaking up to 64 KB of kernel memory over USB.
Wrote a trigger for CVE-2025-38494/5 (an integer underflow in the HID subsystem) that leaks 64 KB of OOB memory over USB.

Still works on Pixels and Ubuntus (but the bug is fixed in stable kernels).

github.com/xairy/kernel...
September 23, 2025 at 1:33 PM
ksmbd - Fuzzing Improvements and Vulnerability Discovery

Another article by Norbert Szetei about fuzzing the ksmbd module with syzkaller.

blog.doyensec.com/2025/09/02/k...
September 10, 2025 at 3:49 PM
arm64: Linear mapping is mapped at the same static virtual address

Bug report by Seth Jenkins and Jann Horn showing that the physmap region is mapped at a fixed virtual address on Android despite KASLR.

project-zero.issues.chromium.org/issues/43420...
September 10, 2025 at 12:05 AM
Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel

Alexander Popov published an article about exploiting a race condition in the AF_VSOCK subsystem, the bug that received a Pwnie Award 2025.

a13xp0p0v.github.io/2025/09/02/k...
September 4, 2025 at 7:15 PM
From Chrome renderer code exec to kernel with MSG_OOB

Jann Horn posted an article about exploiting CVE-2025-38236, a UAF in UNIX domain sockets.

googleprojectzero.blogspot.com/2025/08/from...
August 24, 2025 at 8:44 AM
Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k

Article by Crusaders of Rust about exploiting a UAF in the network packet scheduler. Researchers manipulated red-black trees to achieve a page-level UAF and escalate privileges.

syst3mfailure.io/rbtree-famil...
[CVE-2025-38001] Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama (Part One: LTS & COS)
CVE-2025-38001 is a Use-After-Free vulnerability in the Linux network packet scheduler, specifically in the HFSC queuing discipline. When the HFSC qdisc is utilized with NETEM and NETEM packet duplica...
syst3mfailure.io
August 9, 2025 at 9:13 PM
Setting up kernel exploit debugging environment on Pixel 8 ⬇️
Documented instructions for setting up KGDB on Pixel 8.

Including getting kernel log over UART via USB-Cereal, building/flashing custom kernel, breaking into KGDB via /proc/sysrq-trigger or by sending SysRq-G over serial, dealing with watchdogs, etc.

xairy.io/articles/pix...
📲 Debugging the Pixel 8 kernel via KGDB
Instructions for getting kernel log, building custom kernel, and enabling KGDB on Pixel 8
xairy.io
August 8, 2025 at 1:41 AM
CVE-2023-52927 - Turning a Forgotten Syzkaller Report into kCTF Exploit

Article by Hoàng Hải Long about finding an unfixed netfilter use-after-free bug reported by syzbot. The researcher exploited it to pwn the kernelCTF COS instance.

seadragnol.github.io/posts/CVE-20...
July 17, 2025 at 8:26 PM
Fuzzing Linux Kernel Modules, with Slava Moskvin

Stream by @sl4v.bsky.social hosted by @steph3nsims.bsky.social about building a custom fuzzer to rediscover CVE-2025-0927 in the HFS+ filesystem implementation.

www.youtube.com/live/uCcsZrX...
YouTube video by Off By One Security
www.youtube.com
July 16, 2025 at 5:07 PM