Linux Kernel Security
linkersec.bsky.social
Links related to Linux kernel security and exploitation.
Maintained by @andreyknvl.bsky.social and Alexander Popov.
Also on https://t.me/linkersec, https://x.com/linkersec, and https://infosec.exchange/@linkersec.
Slice: SAST + LLM Interprocedural Context Extractor

Amazing article by Caleb Gross about combining CodeQL and LLMs to reliably rediscover CVE-2025-37899, a remotely triggerable vulnerability in the ksmbd module.

noperator.dev/posts/slice/
November 18, 2025 at 12:48 AM
Enhancing FineIBT

@lwndotnet.bsky.social article describing the talk by Scott Constable and Sebastian Österlund on the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).

lwn.net/Articles/103...
November 14, 2025 at 1:22 PM
Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE

Talk by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.

Video: www.youtube.com/watch?v=_iSw...
Slides: hitcon.org/2025/slides/...
November 13, 2025 at 8:01 PM
Exploiting CVE-2025-21479 on a Samsung S23

Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on a Samsung S23 via a combination of page table attacks.

xploitbengineer.github.io/CVE-2025-21479
November 11, 2025 at 6:09 PM
LPE via refcount imbalance in the af_unix of Ubuntu

Article and exploit by kylebot for a refcount imbalance bug in the Ubuntu kernel's Unix sockets implementation disclosed during the TyphoonPWN 2025 competition.

ssd-disclosure.com/lpe-via-refc...
November 11, 2025 at 12:42 AM
kernelCTF: CVE-2025-38477

kernelCTF entry for a race condition in the network scheduler subsystem.

Most notably, it shows a technique for placing controlled data in unmapped sections of vmlinux.

github.com/n132/securit...
November 7, 2025 at 8:11 PM
Defeating KASLR by Doing Nothing at All

Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.

googleprojectzero.blogspot.com/2025/11/defe...
November 6, 2025 at 4:13 PM
Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers

Article by Robin Bastide about exploiting a NULL pointer dereference in the NVIDIA GPU driver that results in a use-after-free access to the kernel stack.

blog.quarkslab.com/nvidia_gpu_k...
October 25, 2025 at 12:44 AM
ksmbd - Exploiting CVE-2025-37947

Article by Norbert Szetei about locally exploiting CVE-2025-37947 — a page OOB write in the ksmbd module.

Article: blog.doyensec.com/2025/10/08/k...
Exploit: github.com/doyensec/KSM...
October 24, 2025 at 12:38 AM
Dirty Pageflags: Revisiting PTE Exploitation in Linux

Article by ptr-yudai on the exploitation technique of overwriting the R/W flag in a PTE to allow writing into read-only files.

ptr-yudai.hatenablog.com/entry/2025/0...
October 2, 2025 at 1:32 PM
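As an added illustration of the PTE-flag technique behind the entry above (this is not code from the article; it assumes the x86-64 4-level paging PTE layout and uses a constructed page table and frame numbers), the following C shows which bit an arbitrary page-table write has to flip and how the MMU's permission check for a user-mode store changes as a result:

```c
/* Added example, not from the article. Models the x86-64 PTE layout
 * (Intel SDM Vol. 3A, "Paging"): bit 0 P, bit 1 R/W, bit 2 U/S, bit 5 A,
 * bit 6 D, bit 63 XD, bits 12..51 physical frame number. The same bit
 * positions appear as _PAGE_BIT_* in arch/x86/include/asm/pgtable_types.h. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT  (1ULL << 0)
#define PTE_RW       (1ULL << 1)
#define PTE_USER     (1ULL << 2)
#define PTE_ACCESSED (1ULL << 5)
#define PTE_DIRTY    (1ULL << 6)
#define PTE_NX       (1ULL << 63)
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL
#define PAGE_SHIFT   12
#define PTRS_PER_PTE 512 /* one last-level table covers 2 MiB */

typedef uint64_t pte_t;

/* Access kinds and the #PF error-code bits the CPU would report. */
enum { ACC_READ = 0, ACC_WRITE = 1, ACC_EXEC = 2 };
enum { PF_PROT = 1, PF_WRITE = 2, PF_USER = 4, PF_INSTR = 16 };

static pte_t pte_build(uint64_t pfn, uint64_t flags) {
    return ((pfn << PAGE_SHIFT) & PTE_PFN_MASK) | flags;
}
static uint64_t pte_pfn(pte_t pte) { return (pte & PTE_PFN_MASK) >> PAGE_SHIFT; }
static bool pte_writable(pte_t pte) { return (pte & PTE_RW) != 0; }

/* Hardware-style check of a user-mode access through one PTE.
 * Returns 0 if allowed, otherwise a #PF-like error code (PF_USER is
 * always set for user accesses, so 0 is unambiguous). Supervisor stores
 * with CR0.WP=1 obey the same R/W rule; they are left out for brevity. */
static int pte_check_user_access(pte_t pte, int access) {
    int err = PF_USER;
    if (access == ACC_WRITE) err |= PF_WRITE;
    if (access == ACC_EXEC)  err |= PF_INSTR;
    if (!(pte & PTE_PRESENT)) return err;        /* P=0: not-present fault */
    err |= PF_PROT;                               /* P=1: protection violation */
    if (!(pte & PTE_USER)) return err;
    if (access == ACC_WRITE && !(pte & PTE_RW)) return err;
    if (access == ACC_EXEC && (pte & PTE_NX)) return err;
    return 0;
}

/* What a write-to-page-table primitive does: find the present PTE that
 * maps frame `pfn` and set its R/W bit. The kernel's VMA still says
 * read-only (e.g. "r--" in /proc/<pid>/maps), but the MMU now permits
 * stores, which land directly on the mapped page-cache page of the file.
 * Returns the patched index, or -1 if no present PTE maps pfn. */
static int table_mark_pfn_writable(pte_t *table, uint64_t pfn) {
    for (int i = 0; i < PTRS_PER_PTE; i++) {
        if ((table[i] & PTE_PRESENT) && pte_pfn(table[i]) == pfn) {
            table[i] |= PTE_RW;
            return i;
        }
    }
    return -1;
}

/* Simulate a user-mode store through table[idx]; on success the MMU
 * records the access by setting the A and D bits, as real hardware does. */
static int table_user_write(pte_t *table, int idx) {
    int err = pte_check_user_access(table[idx], ACC_WRITE);
    if (err == 0) table[idx] |= PTE_ACCESSED | PTE_DIRTY;
    return err;
}

/* Worked scenario with constructed values: a read-only, non-executable
 * file mapping before and after the R/W bit is flipped. Returns 0 on the
 * expected outcome, 1 otherwise. */
static int demo(void) {
    pte_t table[PTRS_PER_PTE] = {0};
    const uint64_t file_pfn = 0x1a2b3; /* constructed frame number */
    table[7] = pte_build(file_pfn, PTE_PRESENT | PTE_USER | PTE_NX);

    int before = table_user_write(table, 7);              /* 7 = P|W|U fault */
    int idx    = table_mark_pfn_writable(table, file_pfn); /* 7 */
    int after  = table_user_write(table, 7);              /* 0 = allowed */

    bool ok = before == (PF_PROT | PF_WRITE | PF_USER) && idx == 7 &&
              after == 0 && pte_writable(table[7]) && (table[7] & PTE_DIRTY);
    return ok ? 0 : 1;
}

int main(void) {
    printf("dirty-pageflags demo: %s\n", demo() == 0 ? "ok" : "unexpected");
    return demo();
}
```

The check a practitioner wants here is the gap the technique exploits: `pte_check_user_access` consults only the hardware bits, so once bit 1 is set nothing on the page-table side distinguishes the mapping from a legitimately writable one; only the kernel's VMA flags, which the MMU never reads, still record the mapping as read-only.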
Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days

William Liu posted an article about exploiting a slab object overflow (CVE-2023-52440) and a remote infoleak (CVE-2023-4130) in the kernel SMB3 daemon to gain RCE.

www.willsroot.io/2025/09/ksmb...
October 1, 2025 at 11:12 PM
The anatomy of a bug: 6 Months at STAR Labs

Gerrard Tai posted an article describing their experience in finding kernel bugs and participating in the KernelCTF and Pwn2Own competitions.

gerrardtai.com/anatomy-of-a...
September 30, 2025 at 10:11 PM
A Syzkaller Summer: Fixing False Positive Soft Lockups in net/sched Fuzzing

Article on Will's Root about fixing the false-positive soft lockups found when fuzzing the network scheduler subsystem with syzkaller.

www.willsroot.io/2025/09/syz-...
September 26, 2025 at 1:17 PM
corCTF 2025 - corphone

Article by Pumpkin about exploiting a UAF in a custom Android kernel module created for a CTF task.

u1f383.github.io/android/2025...
September 24, 2025 at 1:19 PM
ksmbd - Fuzzing Improvements and Vulnerability Discovery

Another article by Norbert Szetei about fuzzing the ksmbd module with syzkaller.

blog.doyensec.com/2025/09/02/k...
September 10, 2025 at 3:49 PM
arm64: Linear mapping is mapped at the same static virtual address

Bug report by Seth Jenkins and Jann Horn showing that the physmap region is mapped at a fixed virtual address on Android despite KASLR.

project-zero.issues.chromium.org/issues/43420...
September 10, 2025 at 12:05 AM
Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel

Alexander Popov published an article about exploiting a race condition in the AF_VSOCK subsystem, the bug that received a 2025 Pwnie Award.

a13xp0p0v.github.io/2025/09/02/k...
September 4, 2025 at 7:15 PM
From Chrome renderer code exec to kernel with MSG_OOB

Jann Horn posted an article about exploiting CVE-2025-38236, a UAF in the UNIX domain socket implementation.

googleprojectzero.blogspot.com/2025/08/from...
August 24, 2025 at 8:44 AM
CVE-2023-52927 - Turning a Forgotten Syzkaller Report into kCTF Exploit

Article by Hoàng Hải Long about finding an unfixed netfilter use-after-free bug reported by syzbot. The researcher exploited it to pwn the kernelCTF COS instance.

seadragnol.github.io/posts/CVE-20...
July 17, 2025 at 8:26 PM
Linux Kernel Hardening: Ten Years Deep

Talk by Kees Cook about the relevance of various Linux kernel vulnerability classes and the mitigations that address them.

Video: www.youtube.com/watch?v=c_Nx...
Slides: static.sched.com/hosted_files...
July 15, 2025 at 4:42 PM
The Journey of Bypassing Ubuntu’s Unprivileged Namespace Restriction

Article by Pumpkin about the internals of Ubuntu's restrictions on unprivileged user namespaces and another method of bypassing them.

u1f383.github.io/linux/2025/0...
July 9, 2025 at 2:06 PM
Exploiting the CVE-2025-21756 1-day vulnerability

Hyunwoo Kim and Wongi Lee posted a kernelCTF report about exploiting a UAF in the vsock subsystem of the Linux kernel.

github.com/google/secur...
June 17, 2025 at 10:45 PM
Solo: A Pixel 6 Pro Story (When one bug is all you need)

Awesome article by Lin Ze Wei about adapting the Pixel 7/8 exploit for a bug in the Mali GPU driver to the Pixel 6 Pro.

starlabs.sg/blog/2025/06...
June 16, 2025 at 3:17 PM
Bypassing MTE with CVE-2025-0072

Article by Man Yue Mo about exploiting a page use-after-free vulnerability in Arm's Mali GPU driver, in the code that manages userspace-mapped pages.

github.blog/security/vul...
June 9, 2025 at 1:35 PM