Mr. OS
Mr. OS @ksg93rd ·
#exploit #Kernel_Security Won't Fix: Kernel DoS via NULL FastMutex Dereference cravaterouge.com/articles/null-… // This vulnerability affects Win11 24H2/25H2, Windows Server 2025 (and likely several preceding versions), even with the latest security patches applied as of Mar.2026
Won't Fix: Kernel DoS via NULL FastMutex Dereference | CravateRouge Ltd

Unprivileged kernel DoS via NULL pointer dereference of FastMutex affecting Windows 11/Server 2025, marked "Won't Fix" by Microsoft.

Mr. OS @ksg93rd ·
#Kernel_Security #Malware_analysis From W-2 to BYOVD: How a Tax Search Leads to Kernel-Mode AV/EDR Kill huntress.com/blog/w2-malver… // This campaign illustrates how commodity tooling has lowered the barrier for sophisticated attacks. They combined commercially available cloaking services (Adspect, JustCloakIt), free-tier ScreenConnect instances, an off-the-shelf crypter, and a signed Huawei driver with an exploitable weakness to build an end-to-end kill chain that goes from a Google search to kernel-mode EDR termination
How a Tax Search Leads to Kernel-Mode AV/EDR Kill | Huntress

Huntress uncovers a tax-themed malvertising campaign using Google Ads, dual cloaking, rogue ScreenConnect, and an undocumented Huawei driver to kill AV/EDR.

Mr. OS @ksg93rd ·
🚨 #exploit #Kernel_Security From virtio-snd 0-Day to Hypervisor Escape: Exploiting QEMU with an Uncontrolled Heap Overflow osec.io/blog/2026-03-1… ]-> QEMU virtio-snd guest-to-host escape exploit github.com/otter-sec/qemu…
From virtio-snd 0-Day to Hypervisor Escape: Exploiting QEMU with an Uncontrolled Heap Overflow

Turning an uncontrolled heap overflow into a reliable QEMU guest-to-host escape using new glibc allocator behavior and QEMU-specific heap spray techniques.

Mr. OS @ksg93rd ·
#exploit #Kernel_Security A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets blog.calif.io/p/a-race-withi… // A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool bug-hunting heuristic
Mr. OS @ksg93rd ·
#Kernel_Security "Unveiling BYOVD Threats: Malware’s Use and Abuse of Kernel Drivers", Feb. 2026. ]-> Artifact zenodo.org/records/170475… // BYOVD attacks abuse legitimate, digitally signed Windows drivers that contain hidden flaws, allowing adversaries to slip into kernel space, disable security controls, and sustain stealthy campaigns ranging from ransomware to state-sponsored espionage. We first introduce the first dynamic taxonomy of BYOVD behavior. We propose a virtualization-based sandbox that follows every step of a driver’s execution path, from the originating user-mode request down to the lowest-level kernel instructions, without requiring driver re-signing or host modifications
Mr. OS @ksg93rd ·
#tools #Kernel_Security ksentinel - Kernel Syscalls Integrity Monitor github.com/MatheuZSecurit… // ksentinel monitors critical kernel functions and the syscall table for unauthorized modifications. It detects common syscalls that are targeted by most rootkits including ftrace hooks, kprobes, and syscall table hijacking
GitHub - MatheuZSecurity/ksentinel: Linux kernel integrity monitor for detecting syscall hooking

Mr. OS @ksg93rd ·
#Kernel_Security "Out Of Control: How KCFG and KCET Redefine Control Flow Integrity in the Windows Kernel", Black Hat USA 2025. ]-> What keeps kernel shadow stack effective against kernel exploits? tandasat.github.io/blog/2025/04/0… // - Out-of-context calls (calling into other valid SSP values) is an interesting vector for research - Remapping attacks are still possible - HLAT mitigates this (available in 24H2) - The presence of HVCI, KCFG and KCET raises the bar for attackers, while also outright mitigating some primitives
Mr. OS @ksg93rd ·
#tools #Kernel_Security #Offensive_security AV/EDR Killer: AV/EDR processes termination by exploiting a vulnerable driver (BYOVD) github.com/xM0kht4r/AV-ED… // This project demonstrates how a legit, signed driver can be weaponized to gain kernel level access
GitHub - xM0kht4r/AV-EDR-Killer: AV/EDR processes termination by exploiting a vulnerable driver...

Mr. OS @ksg93rd ·
#hardening #Kernel_Security "OAMAC: Origin-Aware Mandatory Access Control for Practical Post-Compromise Attack Surface Reduction", Jan 2026. ]-> OAMAC - prototype Linux security mechanism github.com/omeroooor/oamac // Modern OSes provide powerful mandatory access control mechanisms, yet they largely reason about who executes code rather than how execution originates. As a result, processes launched remotely, locally, or by background services are often treated equivalently once privileges are obtained, complicating security reasoning and enabling post-compromise abuse of sensitive system interfaces. OAMAC - kernel-level enforcement model that treats execution origin - such as physical user presence, remote access, or service execution - as a first-class security attribute
GitHub - omeroooor/oamac: OAMAC is a prototype Linux security mechanism that enforces origin-aware...

OAMAC is a prototype Linux security mechanism that enforces origin-aware mandatory access control (MAC) using eBPF LSM. It distinguishes between execution origins such as physical, remote, and serv...

Mr. OS @ksg93rd ·
#reversing #Kernel_Security #Sec_code_review Exploiting Reversing (ER) series: Part 1 - Windows kernel drivers (1) exploitreversing.com/2023/04/11/exp… Part 2 - Windows kernel drivers (2) exploitreversing.com/2024/01/03/exp… Part 3 - Chrome exploitreversing.com/2025/01/22/exp… Part 4 - macOS/iOS exploitreversing.com/2025/02/04/exp… Part 5 - Hyper-V exploitreversing.com/2025/03/12/exp… // step-by-step research series on Windows, macOS, hypervisors and browsers
Exploiting Reversing (ER) series: article 01 | Windows kernel drivers – part 01

The first article (109 pages) in the Exploiting Reversing (ER) series, a step-by-step vulnerability research series on Windows, macOS, hypervisors and browsers, is available for reading on: (PDF): …

Mr. OS @ksg93rd ·
#Kernel_Security #Mobile_security A 0-click exploit chain for the Pixel 9: Part 1 - Decoding Dolby projectzero.google/2026/01/pixel-… Part 2 - Cracking the Sandbox with a Big Wave projectzero.google/2026/01/pixel-… Part 3 - Where do we go from here? projectzero.google/2026/01/pixel-… // CVE-2025-36934, CVE-2025-54957. The Dolby UDC is part of the 0-click attack surface of most Android devices because of audio transcription in the Google Messages application. Incoming audio messages are transcribed before a user interacts with the message.
A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?

While our previous two blog posts provided technical recommendations for increasing the effort re...

Mr. OS @ksg93rd ·
#exploit #Kernel_Security 1⃣. CVE-2025-21479: github.com/zhuowei/cheese Exploiting KGSL in Qualcomm Drivers // PoC, demonstrating that it only affects Adreno A7xx (Snapdragon 8 Gen 1 / XR2 Gen 2 and newer) devices 2⃣. CVE-2025-60719: github.com/ghostbyt3/WinD… Windows Ancillary Function Driver for WinSock EoP Vulnerability // Tested On: afd.sys - 10.0.26100.7019, Win11 24H2. The Windows Ancillary Function Driver for WinSock is a kernel-mode component that implements low-level socket handling for Windows. It's a critical system driver that serves as the bridge between user-mode applications and the kernel networking stack. This is a Windows component that is responsible for serving the Winsock API. The vulnerability exists in the following functions, which all follow a similar methodology: AfdGetInformation, AfdSocketTransferEnd, and AfdSocketTransferBegin
GitHub - zhuowei/cheese: CVE-2025-21479 proof-of-concept, I think

Mr. OS @ksg93rd ·
#Research #Kernel_Security PatchGuard Peekaboo: Hiding Processes on Systems with PatchGuard in 2026 outflank.nl/blog/2026/01/0… // This research centers on a specific objective: hiding processes from user-mode enumeration by manipulating kernel structures - specifically, the process linked lists that Windows uses to track active processes
Mr. OS @ksg93rd ·
#exploit #Kernel_Security #Mobile_security CVE-2025-38352: Part 1 - faith2dxy.xyz/2025-12-22/cve… In-the-wild Android Kernel Vulnerability Analysis + PoC github.com/farazsth98/poc… Part 2 - faith2dxy.xyz/2025-12-24/cve… Extending The Race Window Without a Kernel Patch ]-> Final PoC github.com/farazsth98/poc… // This is a PoC for CVE-2025-38352, a vulnerability in the Linux kernel's POSIX CPU timers implementation. The September 2025 Android Bulletin mentions that this vulnerability has been used in limited, targeted exploitation in the wild
CVE-2025-38352 (Part 1) - In-the-wild Android Kernel Vulnerability Analysis + PoC

Analyzing and writing a PoC for CVE-2025-38352.

Mr. OS @ksg93rd ·
#Kernel_Security "Reviving Discarded Vulnerabilities: Exploiting Previously Unexploitable Linux Kernel Bugs Through Control Metadata Fields", CCS 2025. ]-> github.com/Roarcannotprog… // This paper presents a novel approach to revive these previously discarded vulnerabilities by exploiting Control Metadata Fields (CMFs) within Linux objects, rather than traditional pointer manipulation
GitHub - Roarcannotprogramming/Weak-Primitive

Mr. OS @ksg93rd ·
#exploit #Kernel_Security "Exploiting a Linux Kernel 0-day Through Red-Black Tree Transformations", HexaCon 2025. ]-> Linux HFSC Eltree UAF - Debian 12 PoC - github.com/0xdevil/CVE-20… // CVE-2025-38001 Analysis + RbTree Attack Against LTS/COS + Mitigations Exploit See also: ]-> EntryBleed: A Universal KASLR Bypass against KPTI on Linux (2023)
GitHub - 0xdevil/CVE-2025-38001: CVE-2025-38001: Linux HFSC Eltree Use-After-Free - Debian 12 PoC
