Linux Kernel Security

Links related to Linux kernel security and exploitation.
Maintained by @xairy and @a13xp0p0v.

Linux Kernel Security (linkersec@infosec.exchange)
2025-06-17

Exploiting the CVE-2025-21756 1-day vulnerability

Hyunwoo Kim and Wongi Lee posted a kernelCTF report about exploiting a UAF in the vsock subsystem of the Linux kernel.

The researchers leaked the kernel base address using the EntryBleed side-channel attack and then turned the UAF on the vsock_sock structure into a RIP control primitive to execute a ROP-chain.

github.com/google/security-res

Linux Kernel Security (linkersec@infosec.exchange)
2025-06-16

Solo: A Pixel 6 Pro Story (When one bug is all you need)

Awesome article by Lin Ze Wei about adapting the Pixel 7/8 exploit for a bug in the Mali GPU driver to Pixel 6 Pro.

starlabs.sg/blog/2025/06-solo-

Linux Kernel Security (linkersec@infosec.exchange)
2025-06-09

Bypassing MTE with CVE-2025-0072

Article by Man Yue Mo about exploiting a page use-after-free vulnerability in ARM's Mali GPU driver, in the code that manages userspace-mapped pages.

The author published an exploit for this bug that disables SELinux and gains root privileges on a Pixel 8, running from the untrusted_app context. The exploit is not affected by MTE.

Article: github.blog/security/vulnerabi
Exploit: github.com/github/securitylab/

Linux Kernel Security (linkersec@infosec.exchange)
2025-06-06

How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel's SMB implementation

Article by Sean Heelan about rediscovering a bug in the ksmbd module via OpenAI's o3 model and then finding a 0-day vulnerability as well.

The researcher had to rerun the prompt multiple times before getting a true-positive result. The o3 model managed to find the 0-day vulnerability in only ~1 out of 50 runs.

sean.heelan.io/2025/05/22/how-

Linux Kernel Security (linkersec@infosec.exchange)
2025-06-05

Android In-The-Wild: Unexpectedly Excavating a Kernel Exploit

Talk by Seth Jenkins about analyzing the traces of an In-The-Wild exploit that targeted the Qualcomm adsprpc driver.

Based on a previously published article.

Talk: youtube.com/watch?v=lnK1iACJ3-c
Article: googleprojectzero.blogspot.com

Linux Kernel Security (linkersec@infosec.exchange)
2025-06-04

KernelGP: Racing Against the Android Kernel

Talk by Chariton Karamitas about ways to use FUSE for kernel exploitation from unprivileged SELinux contexts on Android.

youtube.com/watch?v=DJBGu2fSSZg

Linux Kernel Security (linkersec@infosec.exchange)
2025-05-14

Kernel Exploitation Techniques: Turning The (Page) Tables

Article by @sam4k giving a great introduction to page table attacks.

sam4k.com/page-table-kernel-ex

Linux Kernel Security (linkersec@infosec.exchange)
2025-05-13

[CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds

Great article by D3vil about exploiting a type confusion in the network scheduler subsystem and pwning all kernelCTF instances.

The author exploited a severely limited OOB side effect of the bug to corrupt pipe_inode_info->tmp_page and gain a page UAF read/write primitive. The researcher then swapped the private_data and f_cred fields of a signalfd file structure and overwrote the credentials via signalfd_ctx.

syst3mfailure.io/two-bytes-of-

Linux Kernel Security (linkersec@infosec.exchange)
2025-05-12

A Quick Dive Into The Linux Kernel Page Allocator

Article by D3vil that explains the internals of the Page allocator.

syst3mfailure.io/linux-page-al

Linux Kernel Security (linkersec@infosec.exchange)
2025-05-11

Linux Kernel Exploitation series

Awesome series of articles by r1ru that outlines many commonly used modern exploitation techniques.

Comes with the reference exploit code.

Articles: r1ru.github.io/categories/linu
Code: github.com/r1ru/linux-kernel-e

Linux Kernel Security (linkersec@infosec.exchange)
2025-05-09

RISC-V support in kernel-hardening-checker

@a13xp0p0v added RISC-V support to kernel-hardening-checker. Now, you can check the Linux kernel security parameters for RISC-V in addition to X86_64, ARM64, X86_32, and ARM.

github.com/a13xp0p0v/kernel-ha

Linux Kernel Security (linkersec@infosec.exchange)
2025-05-08

CVE-2025-21756: Attack of the Vsock

Michael Hoefler published an article about exploiting an incorrect reference counter decrement causing a UAF in the vsock subsystem.

With advice from h0mbre, the researcher used brute force to bypass KASLR and hijacked the control flow for LPE.

hoefler.dev/articles/vsock.html

Linux Kernel Security boosted:
Andrey Konovalov (xairy@infosec.exchange)
2025-05-06

Gave a talk on external fuzzing of Linux kernel USB drivers with syzkaller at SAFACon.

Includes a demonstration of how to rediscover CVE-2024-53104, an out-of-bounds bug in the USB Video Class driver.

Slides: docs.google.com/presentation/d

(If you use newer Ubuntu and the code formatting looks off, use File → Print preview; @ubuntu still hasn't fixed the issues with their monospace fonts.)

Linux Kernel Security (linkersec@infosec.exchange)
2025-04-28

Exploiting CVE-2024-0582 via the Dirty Pagetable Method

Kuzey Arda Bulut posted an article about exploiting CVE-2024-0582 in io_uring using the Dirty Pagetable technique.

kuzey.rs/posts/Dirty_Page_Tabl

This bug was previously reported by @jann and exploited by Oriol Castejón.

project-zero.issues.chromium.o
blog.exodusintel.com/2024/03/2

Linux Kernel Security (linkersec@infosec.exchange)
2025-04-17

Kernel-Hack-Drill: Environment For Developing Linux Kernel Exploits

Alexander Popov @a13xp0p0v published the slides from his talk at Zer0Con 2025. In this talk, he presented the kernel-hack-drill open-source project and showed how it helped him to exploit CVE-2024-50264 in the Linux kernel.

Slides: a13xp0p0v.github.io/img/Alexan
Project: github.com/a13xp0p0v/kernel-ha

Linux Kernel Security (linkersec@infosec.exchange)
2025-03-31

Three bypasses of Ubuntu's unprivileged user namespace restrictions

Article about bypassing Ubuntu's recent restriction on getting capabilities in unprivileged user namespaces.

qualys.com/2025/three-bypasses

Linux Kernel Security (linkersec@infosec.exchange)
2025-03-27

When Good Kernel Defences Go Bad: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks

Awesome paper by Lukas Maar et al. about leaking exploitation-relevant kernel addresses via a TLB side-channel attack.

The authors demonstrate how to leak the addresses of the physmap, vmemmap, and vmalloc memory regions, addresses of page tables of all levels, addresses of kernel stacks, and addresses of various kernel objects including msg_msg, pipe_buffer, cred, file, and seq_file.

The authors then show how to apply the discovered techniques in exploits; the code is public.

Paper: lukasmaar.github.io/papers/use
Code: github.com/isec-tugraz/TLBSide

Linux Kernel Security (linkersec@infosec.exchange)
2025-03-21

Linux kernel Rust module for rootkit detection

Article by Antoine Doglioli about implementing an in-kernel detector for many existing rootkits. The detector is written in Rust.

blog.thalium.re/posts/linux-ke

Linux Kernel Security (linkersec@infosec.exchange)
2025-03-20

Linux kernel hfsplus slab-out-of-bounds Write

Outstanding article by Attila Szasz about exploiting a slab out-of-bounds bug in the HFS+ filesystem driver.

The author discovered that Ubuntu allows local (not remote/SSH'd) non-privileged users to mount arbitrary filesystems via udisks2 due to the polkit rules in use. This includes filesystems whose mounting normally requires CAP_SYS_ADMIN in the init user namespace.

The article thoroughly describes a variety of techniques used in the exploit, including a cross-cache attack, page_alloc-level memory shaping, arbitrary write via red-black trees, and modprobe_path privilege escalation.

ssd-disclosure.com/ssd-advisor

Linux Kernel Security (linkersec@infosec.exchange)
2025-03-19

Reviving the modprobe_path Technique: Overcoming search_binary_handler() Patch

V4bel posted another method of triggering modprobe for executing the modprobe_path privilege escalation technique. This method relies on AF_ALG sockets instead of creating a special executable file.

blog.theori.io/reviving-the-mo
