mediatek? more like media-rekt, amirite.
Article by hypr covering an assortment of bugs the author found in the MediaTek MT76xx and MT7915 Wi-Fi drivers.
The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.
hyprblog
mediatek? more like media-REKT, amirite.
A year-in-review going over 19+ bugs in Mediatek’s MT76xx/MT7915 (and others) wifi chipsets I reported this year, PoCs included!
Dangling pointers, fragile memory — from an undisclosed vulnerability to Pixel 9 Pro privilege escalation
Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.
JD Xiezhi Information Security Lab (京东獬豸信息安全实验室)
Dangling pointers, fragile memory: from an undisclosed vulnerability to Pixel 9 Pro privilege escalation
Because of their tight coupling with memory management, GPU drivers have become a rather valuable attack surface in the Android kernel in recent years. There are quite a few GPU-related CVEs, but only a small number of them have been publicly analyzed, and the security bulletins do not discuss vulnerability details, so the patches in each release have become an important clue for analyzing the vulnerabilities.

Article series about exploiting CVE-2025-38352
Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers.
Part 1️⃣ describes reproducing this race condition.
Part 2️⃣ explains how to extend the race window (a period of time when the race can be triggered).
Part 3️⃣ shows a complex PoC exploit for the UAF caused by this race condition.
faith2dxy.xyz
CVE-2025-38352 (Part 3) - Uncovering Chronomaly
Walking through the exploit development process of the Chronomaly exploit for CVE-2025-38352.
A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave
Article by Seth Jenkins about exploiting a use-after-free in the driver for BigWave — an AV1 decoding hardware component present on Pixel SoCs.
Seth used the bug to escalate privileges from the mediacodec SELinux context and obtain root on Pixel 9.
This exploit is a part of an RCE chain developed by Seth and Natalie Silvanovich.
Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
Talk (slides) by Xingyu Jin and Martijn Bogaard about a new class of logic bugs in kernel driver mmap handlers that are exploitable via the ptrace functionality.
The authors found multiple Android vendor drivers affected by the issue. They also wrote an exploit for the IMG DXT GPU driver to escalate privileges on Pixel 10.
YouTube
POC2025 | Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
📌 Title
Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
📌 Speaker
Xingyu Jin, Martijn Bogaard
(@Google)
#POC #PowerOfCommunity #POC2025
[Cryptodev-linux] Page-level UAF exploitation
nasm_re posted an article about exploiting a page-level UAF in the out-of-tree cryptodev-linux driver. The researcher modified a struct file sprayed into a freed page to escalate privileges.
nasm.re
[Cryptodev-linux] Page-level UAF exploitation - nasm.re
LPE for cryptodev-linux oot module (CVE-2026-28529)
setresuid(⚡): Glitching Google's TV Streamer from adb to root.
Talk (slides) by Niek Timmers about glitching the kernel of the Android-based Google TV Streamer device to escalate privileges via Electromagnetic Fault Injection.
The researcher glitched the setresuid syscall handler to bypass its checks and obtain UID 0. Bypassing SELinux via glitching remains to be investigated.
YouTube
Hardwear.io NL 2025: Glitching Google's TV Streamer From Adb To Root - Niek Timmers
Talk Title: Setresuid(⚡): Glitching Google's TV Streamer from adb to root
Speaker: Niek Timmers
Abstract:
Google's TV Streamer is a next-generation 4K TV streaming device, built around a System-on-Chip (SoC) made by Mediatek and running Android 14. It incorporates…
Analysis of Linux kernel bug fixes
Jenny Guanni Qu posted a detailed analysis of bug fixes in the Linux kernel:
▪️ Part 1: Kernel bugs hide for 2 years on average. Some hide for 20.
▪️ Part 2: Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets
Excellent article by Quang Le about exploiting CVE-2025-38617 — a race condition that leads to a use-after-free in the packet sockets implementation.
The implemented exploit was used to pwn the kernelCTF mitigation-v4-6.6 instance. The exploit bypasses CONFIG_RANDOM_KMALLOC_CACHES and CONFIG_SLAB_VIRTUAL.
CrackArmor: Multiple vulnerabilities in AppArmor
Article about a variety of vulnerabilities found in the AppArmor LSM implementation, including a few kernel memory corruptions. The authors exploited them to achieve LPE on Ubuntu and Debian.
slab: support for compiler-assisted type-based slab cache partitioning
Marco Elver posted a kernel patch that provides an alternative mode to RANDOM_KMALLOC_CACHES called TYPED_KMALLOC_CACHES.
The new mode leverages a Clang 22 feature called "allocation tokens". Unlike RANDOM_KMALLOC_CACHES, this mode deterministically assigns caches to allocations based on their types, and not allocation sites.
Assessing Claude Mythos Preview’s cybersecurity capabilities
Article by Nicholas Carlini et al. about the security research capabilities of Anthropic's new LLM, Claude Mythos Preview.
The LLM was used to discover multiple 0-days in the Linux kernel and also write privilege escalation exploits for a few previously known vulnerabilities; the article provides a detailed write-up for two such exploits.
From KernelSnitch to Practical msg_msg/pipe_buffer Heap KASLR Leaks
Article by Lukas Maar about evaluating the KernelSnitch timing side-channel attack on a variety of systems, including Android.
The attack allows leaking addresses of exploitation-relevant kernel allocations.
Lukas also published the source code for executing the attack.
Walkthrough of an N-day Android GPU driver vulnerability
Talk by Angus about analyzing CVE-2022-22706 — a logical bug in the Mali GPU driver that allows getting write access to read-only memory.
YouTube
Walkthrough of an N-day Android GPU driver vulnerability - Angus, BSides Canberra 2025
Out-of-Cancel: A Vulnerability Class Rooted in Workqueue Cancellation APIs
Hyunwoo Kim published an article describing a complicated exploit of a race condition caused by a misuse of the cancel_work_sync() kernel API in the network subsystem.
Some notes on the security properties of the pipe_buffer kernel object
a13xp0p0v (me) posted an article about a few experiments with the pipe_buffer kernel object within his kernel-hack-drill project. Alexander described multiple pipe_buffer features relevant for kernel exploits that rely on this object.
Alexander Popov
Some notes on the security properties of the pipe_buffer kernel object
Many exploits of Linux kernel vulnerabilities use the pipe_buffer kernel object to build strong exploit primitives. When I was experimenting with my personal project kernel-hack-drill, I discovered some interesting properties of pipe_buffer, which may not…
Recent Page Cache Corruption Bugs
A multitude of vulnerabilities that allow overwriting the page cache, thus changing the in-memory contents of read-only files, to gain LPE or, in certain scenarios, escape a container.
All of them stem from kernel code paths that perform in-place overwrites of user-supplied input pages without verifying that the pages are writable.
Copy Fail (CVE-2026-31431):
— Announcement;
— Better write-up.
Dirty Frag (CVE-2026-43284 and CVE-2026-43500):
— Covers two independent vulnerabilities that do not require chaining;
— CVE-2026-43284 is alternatively titled Copy Fail 2;
— Original write-up;
— Avoiding bruteforcing for CVE-2026-43500.
Fragnesia (CVE-2026-46300):
— Original report;
— Variant.
DirtyCBC / DirtyDecrypt (CVE-2026-31635?):
— Write-up;
— Another exploit.
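A check a practitioner can run on a suspect box, added here and not taken from any of the linked write-ups: in this bug class the corrupted bytes live in the page cache, so, provided the corrupted page was never written back, the file as served through the page cache and the same file read from the backing store with O_DIRECT (which bypasses the cache) will disagree. The program assumes a 4096-byte O_DIRECT alignment unit and a filesystem that accepts O_DIRECT (it reports "cannot compare" otherwise); the sample file written by self_check() is constructed for the demonstration and the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define BLK 4096UL  /* assumed O_DIRECT alignment unit for offset, length and buffer */

/* Read up to `want` bytes from offset 0 with pread(), stopping at the first
 * short read (EOF on a regular file). Every request starts at a BLK-aligned
 * offset as long as `want` is a multiple of BLK, which the O_DIRECT path
 * needs: an unaligned request past EOF would fail with EINVAL, not return 0. */
static ssize_t read_prefix(int fd, unsigned char *buf, size_t want)
{
    size_t got = 0;
    while (got < want) {
        size_t req = want - got;
        ssize_t n = pread(fd, buf + got, req, (off_t)got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)
            break;
        got += (size_t)n;
        if ((size_t)n < req)
            break;  /* short read: EOF reached */
    }
    return (ssize_t)got;
}

/* Returns 1 if the page-cache view and the O_DIRECT view of `path` agree,
 * 0 if they differ (page cache does not match the backing store), and
 * -1 if no comparison was possible (not a regular file, O_DIRECT rejected
 * by the filesystem, read error, or the file changed size underneath us). */
int pagecache_matches_disk(const char *path)
{
    int rc = -1, cfd = -1, dfd = -1;
    unsigned char *cached = NULL, *direct = NULL;
    struct stat st;
    size_t size = 0, rounded = 0;

    cfd = open(path, O_RDONLY | O_CLOEXEC);            /* served from the page cache */
    if (cfd < 0 || fstat(cfd, &st) < 0 || !S_ISREG(st.st_mode))
        goto out;
    size = (size_t)st.st_size;
    rounded = (size + BLK - 1) / BLK * BLK;

    dfd = open(path, O_RDONLY | O_DIRECT | O_CLOEXEC); /* bypasses the page cache */
    if (dfd < 0)
        goto out;                                      /* EINVAL: fs lacks O_DIRECT */

    cached = malloc(size ? size : 1);
    if (!cached)
        goto out;
    if (posix_memalign((void **)&direct, BLK, rounded ? rounded : BLK) != 0) {
        direct = NULL;
        goto out;
    }

    if (read_prefix(cfd, cached, size) != (ssize_t)size)
        goto out;
    if (read_prefix(dfd, direct, rounded) < (ssize_t)size)
        goto out;

    rc = memcmp(cached, direct, size) == 0 ? 1 : 0;
out:
    free(cached);
    free(direct);
    if (cfd >= 0) close(cfd);
    if (dfd >= 0) close(dfd);
    return rc;
}

/* Self-test on a constructed temporary file (not a real binary): the two
 * views must agree (1), or the filesystem must have declined O_DIRECT (-1). */
int self_check(void)
{
    char tmpl[] = "/tmp/pcchk-XXXXXX";
    unsigned char block[1000];
    int fd = mkstemp(tmpl), ok = 1, rc;

    if (fd < 0)
        return -1;
    for (size_t i = 0; i < sizeof block; i++)
        block[i] = (unsigned char)(i * 7);
    for (int i = 0; i < 9 && ok; i++)   /* 9000 bytes: deliberately not BLK-aligned */
        ok = write(fd, block, sizeof block) == (ssize_t)sizeof block;
    close(fd);
    rc = ok ? pagecache_matches_disk(tmpl) : -1;
    unlink(tmpl);
    return rc;
}

int main(int argc, char **argv)
{
    int worst = 0;
    if (argc < 2) {
        fprintf(stderr, "usage: %s FILE...\n", argv[0]);
        return 2;
    }
    for (int i = 1; i < argc; i++) {
        int rc = pagecache_matches_disk(argv[i]);
        printf("%s: %s\n", argv[i],
               rc == 1 ? "page cache matches backing store" :
               rc == 0 ? "MISMATCH: page cache differs from backing store" :
                         "cannot compare (O_DIRECT unsupported or read error)");
        if (rc == 0)
            worst = 1;
    }
    return worst;
}
```

Point it at the files these exploits typically target (setuid binaries, ld.so, /etc/passwd); any unprivileged user can read them, no root is needed. A mismatch on a file that was legitimately modified moments ago is expected until writeback runs, so run sync first or ignore recently written files, and an attacker who has already restored the cached page, or a page that was written back, will not show up.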
Discovery & Validation in the Linux Kernel
Three-part article by Samuel Page about analyzing two vulnerabilities (in CAN sockets and FUSE) and attempting to use local LLMs to rediscover the bugs.