Out-of-Cancel: A Vulnerability Class Rooted in Workqueue Cancellation APIs
This article uses the espintcp vulnerability (CVE-2026-23239) as a case study to look at the structure in which the Out-of-Cancel bug class shows up, and to walk through how combining complex kernel interleavings makes the bug actually exploitable.
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets
A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool bug-hunting heuristic.
CVE-2025-38352 (Part 3) - Uncovering Chronomaly
Walking through the exploit development process of the Chronomaly exploit for CVE-2025-38352.
CVE-2025-38352 (Part 2) - Extending The Race Window Without a Kernel Patch
Improving the PoC from Part 1 by extending the race window from userland.
CVE-2025-38352 (Part 1) - In-the-wild Android Kernel Vulnerability Analysis + PoC
Analyzing and writing a PoC for CVE-2025-38352.
100+ Kernel Bugs in 30 Days
We used AI agents to reverse engineer Windows kernel drivers to find zero-days. It worked better than expected. Which is bad.
Reversing CVE-2026-21241 - Use After Free in AFD.sys
When Good /bins Go Bad
A Remote Pre-Authentication Overflow in LLDB's debugserver
Objective-See: ClickFix: Stopped at ⌘+V
Defending against malicious terminal pastes
Cross Cache Attack CheatSheet
Cross-cache attacks are highly powerful in Linux kernel exploitation because they can transfer a UAF from one object to another, even if the other object is allocated from a different slab.
Reviving the modprobe_path Technique: Overcoming search_binary_handler() Patch - Theori BLOG
A new approach to the Overwriting modprobe_path technique is introduced, addressing changes in the upstream kernel that prevent triggering via dummy files.
Linux Kernel Exploitation - PageJack
In this post, I will explain PageJack, a universal and data-only exploitation technique that turns an off-by-one bug into a page UAF. Download the handouts beforehand.
Linux Kernel Exploitation - USMA
In this post, I will explain USMA, a universal and data-only exploitation technique that allows us to patch kernel code from user space. Download the handouts beforehand.
Linux Kernel Exploitation - Dirty Pipe
In this post, I will explain Dirty Pipe, a universal and data-only exploitation technique that allows us to arbitrarily overwrite read-only files. Download the handouts beforehand.
Linux Kernel Exploitation - DirtyCred
In this post, I will explain DirtyCred, a universal and data-only exploitation technique that allows us to escalate privileges without a write primitive. Download the handouts beforehand.