#Kernel_Security Unix GC Remastered mohandacherir.github.io/Qdiv… // A walkthrough of the rewritten AF_UNIX garbage collector, the CVE-2025-40214 scc_index uninitialised-field bug, and two reproducers
#reversing #Kernel_Security BYOVD and Looting LSASS in the Modern EDR Era g3tsyst3m.com/byovd/BYOVD-an… // The article details advanced BYOVD techniques exploiting kernel driver vulnerabilities to bypass Windows security, including methods for disabling LSASS protections, memory dumping, obfuscation, and defensive countermeasures
#Kernel_Security CVE-2026-40369: Twelve Bytes to Escape the Browser Sandbox voidsec.com/cve-2026-40369-b… ]-> Full Exploit PoC - github.com/orinimron123/CVE-… // Windows kernel vulnerability enabling unprivileged arbitrary kernel memory writes via 'NtQuerySystemInformation', allowing privilege escalation to SYSTEM by forging tokens, affecting Windows 11 25H2 and Windows Server 2025
#Kernel_Security From Kernel Snitch to Practical msg_msg/pipe_buffer Heap KASLR Leaks lukasmaar.github.io/posts/he… ]-> KernelSnitch CrossCache Reuse Lab Workspace // A practical heap KASLR leak that does not rely on a memory-safety vulnerability. Because the attack recovers valid kernel pointers without triggering invalid accesses, it remains exploitable on systems with MTE. More importantly, when the leaked mm_struct pointer is tagged (e.g., on Google Pixels), KernelSnitch can recover its logical tag as well, highlighting its potential as a tag oracle for the leaked object

#tools #reversing #Kernel_Security 1⃣ PoisonX - Terminating Protected Windows Processes via BYOVD core-jmp.org/2026/04/poisonx… 2⃣ Signed to Kill: Reverse Engineering a 0-Day Used to Disable CrowdStrike EDR core-jmp.org/2026/04/signed-…

#exploit #Kernel_Security 1⃣ Multiple vulnerabilities in AppArmor cdn2.qualys.com/advisory/202… // AppArmor Sudo Postfix = root 2⃣ CVE-2026-29923: LPE Attack via pstrip64.sys github.com/athenasec16/CVE-2… // pstrip64.sys - legacy kernel-mode component. While its legitimate purpose is to enable advanced graphics card display tweaking, its deep system privileges make it a highly attractive target for attackers..
#exploit #Kernel_Security A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets blog.calif.io/p/a-race-withi… // A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool bug-hunting heuristic
#Kernel_Security "Unveiling BYOVD Threats: Malware’s Use and Abuse of Kernel Drivers", Feb. 2026. ]-> Artifact zenodo.org/records/17047559 // BYOVD attacks abuse legitimate, digitally signed Windows drivers that contain hidden flaws, allowing adversaries to slip into kernel space, disable security controls, and sustain stealthy campaigns ranging from ransomware to state-sponsored espionage. We first introduce the first dynamic taxonomy of BYOVD behavior. We propose a virtualization-based sandbox that follows every step of a driver’s execution path, from the originating user-mode request down to the lowest-level kernel instructions, without requiring driver re-signing or host modifications
#Kernel_Security #Malware_analysis Hiding from the Panic Button: Singularity SysRq Hook blog.kyntra.io/Hiding-from-t… // This post examines sysrq_hook.c from the Singularity LKM rootkit (targeting Linux 6.x) and explains how it intercepts the scheduler and OOM reporting paths used by SysRq
#tools #Kernel_Security #Offensive_security AV/EDR Killer: AV/EDR processes termination by exploiting a vulnerable driver (BYOVD) github.com/xM0kht4r/AV-EDR-K… // This project demonstrates how a legit and signed driver can be weaponized to gain kernel level access
#Kernel_Security #Mobile_security A 0-click exploit chain for the Pixel 9: Part 1 - Decoding Dolby projectzero.google/2026/01/p… Part 2 - Cracking the Sandbox with a Big Wave projectzero.google/2026/01/p… Part 3 - Where do we go from here? projectzero.google/2026/01/p… // CVE-2025-36934, CVE-2025-54957. The Dolby UDC is part of the 0-click attack surface of most Android devices because of audio transcription in the Google Messages application. Incoming audio messages are transcribed before a user interacts with the message..
#exploit #Kernel_Security 1⃣. CVE-2025-21479: github.com/zhuowei/cheese Exploiting KGSL in Qualcomm Drivers // PoC, demonstrating that it only affects Adreno A7xx (Snapdragon 8 Gen 1 / XR2 Gen 2 and newer) devices 2⃣. CVE-2025-60719: github.com/ghostbyt3/WinDriv… Windows Ancillary Function Driver for WinSock EoP Vulnerability // Tested On: afd.sys - 10.0.26100.7019, Win11 24H2. The Windows Ancillary Function Driver for WinSock is a kernel-mode component that implements low-level socket handling for Windows. It's a critical system driver that serves as the bridge between user-mode applications and the kernel networking stack. This is a Windows component that is responsible for serving the Winsock API. The vulnerability exists in the following functions, which all follow a similar methodology: AfdGetInformation, AfdSocketTransferEnd, and AfdSocketTransferBegin