Analysis of Linux kernel bug fixes
Jenny Guanni Qu posted a detailed analysis:
— Kernel bugs hide for 2 years on average. Some hide for 20.
pebblebed.com/blog/kernel-...
— Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities
pebblebed.com/blog/kernel-...
04.03.2026 16:10
The researcher glitched the setresuid syscall handler to bypass its checks and obtain UID 0. Bypassing SELinux via glitching remains to be investigated.
07.02.2026 03:10
Hardwear.io NL 2025: Glitching Google's TV Streamer From Adb To Root - Niek Timmers
YouTube video by hardwear.io
setresuid(⚡): Glitching Google's TV Streamer from adb to root.
Talk by Niek Timmers about glitching the kernel of the Android-based Google TV Streamer device to escalate privileges via Electromagnetic Fault Injection.
Video: www.youtube.com/watch?v=-w5m...
Slides: hardwear.io/netherlands-...
07.02.2026 03:10
[Cryptodev-linux] Page-level UAF exploitation
Introduction: In November 2025 I started a fuzzing campaign against cryptodev-linux as part of a school project. I found 10+ bugs (UAF, NULL pointer dereferences and integer overflows) and among all of
nasm_re posted an article about exploiting a page-level UAF in the out-of-tree cryptodev-linux driver. The researcher modified struct file sprayed into a freed page to escalate privileges.
nasm.re/posts/crypto...
05.02.2026 02:24
Authors found multiple Android vendor drivers affected by the issue. They also wrote an exploit for the IMG DXT GPU driver to escalate privileges on Pixel 10.
03.02.2026 17:33
POC2025 | Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
YouTube video by POC2026
Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers
Talk by Xingyu Jin & Martijn Bogaard about a new type of logical bugs in kernel driver mmap handlers exploitable via the ptrace functionality.
Video: www.youtube.com/watch?v=yAUJ...
Slides: powerofcommunity.net/2025/slide/x...
03.02.2026 17:33
A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave
Article by Seth Jenkins about exploiting a use-after-free in the driver for BigWave — an AV1 decoding hardware component present on Pixel SOCs.
projectzero.google/2026/01/pixe...
28.01.2026 17:18
CVE-2025-38352 (Part 1) - In-the-wild Android Kernel Vulnerability Analysis + PoC
Analyzing and writing a PoC for CVE-2025-38352.
Article series about exploiting CVE-2025-38352
Faith posted three articles about exploiting a race condition in the implementation of POSIX CPU timers.
Part 1️⃣ describes reproducing this race condition:
faith2dxy.xyz/2025-12-22/c...
19.01.2026 16:55
Dangling pointers, fragile memory: from an undisclosed vulnerability to Pixel 9 Pro privilege escalation
Because of their tight coupling with memory management, GPU drivers have become a fairly valuable attack surface in the Android kernel in recent years. There are quite a few GPU-related CVEs, but only a small number of them have been publicly analyzed, and security bulletins do not discuss vulnerability details, so the patches in each release have become an important clue for analyzing these bugs.
Dangling pointers, fragile memory — from an undisclosed vulnerability to Pixel 9 Pro privilege escalation
Article about analyzing and exploiting a race condition that leads to a double-free in the Arm Mali GPU driver.
dawnslab.jd.com/Pixel_9_Pro_...
09.01.2026 02:11
The article also describes the nonsensical responses MediaTek gave to the bug reports, seemingly trying to weasel out of assigning a High impact rating to the reported bugs.
05.01.2026 23:43
CVE-2025-68260: rust_binder: fix race condition on death_list
First CVE was registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation in an unsafe code block.
lore.kernel.org/linux-cve-an...
22.12.2025 19:07
Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit – Kyntra Blog
Deep dive into a modern stealth Linux kernel rootkit with advanced evasion and persistence techniques
MatheuZSec published a detailed article about Singularity — a loadable kernel module rootkit developed for 6.x Linux kernels. The rootkit uses ftrace for hooking syscalls and hiding itself.
Article: blog.kyntra.io/Singularity-...
Code: github.com/MatheuZSecur...
18.12.2025 01:39
Extending Kernel Race Windows Using '/dev/shm'
Article by Faith about extending race condition windows via FALLOC_FL_PUNCH_HOLE. The technique allows delaying user memory accesses from kernel mode, similar to userfaultfd and FUSE.
faith2dxy.xyz/2025-11-28/e...
16.12.2025 00:02
HEXACON 2025 - An RbTree Family Drama by William Liu & Savino Dicanosa
YouTube video by Hexacon
An RbTree Family Drama
Talk by William Liu and Savino Dicanosa @cor_ctf about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler.
Video: www.youtube.com/watch?v=C-52...
Slides: storage.googleapis.com/static.cor.t...
10.12.2025 01:58
HEXACON 2025 - Déjà Vu in Linux io_uring by Pumpkin
YouTube video by Hexacon
Déjà Vu in Linux io_uring
Talk by Pumpkin about exploiting CVE-2025-21836 — a race condition that leads to a use-after-free in the io_uring subsystem.
Video: www.youtube.com/watch?v=Ry4e...
Slides: u1f383.github.io/slides/talks...
06.12.2025 00:44
HEXACON 2025 - CUDA de Grâce by Valentina Palmiotti & Samuel Lovejoy
YouTube video by Hexacon
CUDA de Grâce
Talk by @chompie.rip and Samuel Lovejoy about exploiting a race condition that leads to a double-free in the NVIDIA GPU driver to escape a container created with NVIDIA Container Toolkit.
Video: www.youtube.com/watch?v=Lvz2...
Slides: docs.google.com/presentation...
05.12.2025 02:01
Race Condition Symphony: From Tiny Idea to Pwnie
Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264 — a race condition in the vsock subsystem.
powerofcommunity.net/2025/slide/h...
25.11.2025 01:50
LinkPro: eBPF rootkit analysis
Théo Letailleur published an article with a detailed description of an eBPF rootkit that hides itself on the compromised system and activates its features upon receiving a "magic packet".
www.synacktiv.com/en/publicati...
21.11.2025 01:47
Slice: SAST + LLM Interprocedural Context Extractor
Amazing article by Caleb Gross about combining the use of CodeQL and LLMs to reliably rediscover CVE-2025-37899 — a remotely-triggerable vulnerability in the ksmbd module.
noperator.dev/posts/slice/
18.11.2025 00:48
The article also refers to another post "A hole in FineIBT protection" about a method to bypass this CFI mechanism.
lwn.net/Articles/101...
14.11.2025 13:22
Enhancing FineIBT
@lwndotnet.bsky.social article that describes the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).
lwn.net/Articles/103...
14.11.2025 13:22
Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE
Talk by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.
Video: www.youtube.com/watch?v=_iSw...
Slides: hitcon.org/2025/slides/...
13.11.2025 20:01
Exploiting CVE-2025-21479 on a Samsung S23
Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on Samsung S23 via a combination of page table attacks.
xploitbengineer.github.io/CVE-2025-21479
11.11.2025 18:09
LPE via refcount imbalance in the af_unix of Ubuntu
Article and exploit by kylebot for a refcount imbalance bug in the Ubuntu kernel's Unix sockets implementation disclosed during the TyphoonPWN 2025 competition.
ssd-disclosure.com/lpe-via-refc...
11.11.2025 00:42