https://github.com/xairy/linux-kernel-exploitation
A collection of links related to Linux kernel security and exploitation
- Host: GitHub
- URL: https://github.com/xairy/linux-kernel-exploitation
- Owner: xairy
- License: cc-by-4.0
- Created: 2016-11-13T22:21:44.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2025-03-03T17:24:25.000Z (about 1 year ago)
- Last Synced: 2025-04-03T11:00:47.629Z (about 1 year ago)
- Topics: exploit, kernel-exploitation, linux-kernel, privilege-escalation, security
- Homepage:
- Size: 346 KB
- Stars: 5,872
- Watchers: 426
- Forks: 1,002
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking - Linux Kernel Exploitation
- Hacking-Awesome - A bunch of links related to Linux kernel fuzzing and exploitation (Uncategorized / Uncategorized)
- awesomehacking - Linux Kernel Exploitation
- awesomeos - xairy's Linux Kernel Exploitation
- awesome-security-collection - **2660** stars
- cyberelite - Linux Kernel Exploitation
- awesome-os - xairy's Linux Kernel Exploitation
- fucking-Awesome-Hacking - Linux Kernel Exploitation
- Awesome-Embedded - Linux Kernel Exploitation - A bunch of links related to Linux kernel exploitation (Linux kernel and device driver development / ESP8266)
- Awesome-Hacking - Linux Kernel Exploitation
- awesome_hacking - Linux Kernel Exploitation
README
Linux Kernel Exploitation
=========================
A collection of links related to Linux kernel security and exploitation.
Updated bimonthly. Pull requests are welcome as well.
Follow [@andreyknvl](https://twitter.com/andreyknvl) on Twitter or [@xairy@infosec.exchange](https://infosec.exchange/@xairy) on Mastodon to be notified of updates.
Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https://twitter.com/linkersec), [Mastodon](https://infosec.exchange/@linkersec), or [Reddit](https://www.reddit.com/r/linkersec) for highlights.
## Trainings
See [xairy.io/trainings/](https://xairy.io/trainings/).
## Contents
- [Books](#books)
- [Techniques](#techniques)
- [Exploitation](#exploitation)
- [Protection Bypasses](#protection-bypasses)
- [Vulnerabilities](#vulnerabilities)
- [Info-leaks](#info-leaks)
- [LPE](#lpe)
- [RCE](#rce)
- [Other](#other)
- [Finding Bugs](#finding-bugs)
- [Defensive](#defensive)
- [Exploits](#exploits)
- [Tools](#tools)
- [Fuzzers](#fuzzers)
- [Assorted](#assorted)
- [Practice](#practice)
- [Workshops](#workshops)
- [CTF Tasks](#ctf-tasks)
- [Other Tasks](#other-tasks)
- [Playgrounds](#playgrounds)
- [Infrastructure](#infrastructure)
- [Misc](#misc)
## Books
2014: "Android Hacker's Handbook" by Joshua J. Drake [[book](https://www.goodreads.com/book/show/17628293-android-hacker-s-handbook)]
2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani [[book](https://www.goodreads.com/book/show/9224826-a-guide-to-kernel-exploitation)] [[materials](https://github.com/yrp604/atc-sources)]
## Techniques
### Exploitation
[2025: "WHEN GOOD KERNEL DEFENSES GO BAD: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks" by Lukas Maar et al.](https://lukasmaar.github.io/papers/usenix25-tlbsidechannel.pdf) [paper] [[artifacts](https://zenodo.org/records/14736361)] [[github](https://github.com/isec-tugraz/TLBSideChannel)]
[2025: "Cross Cache Attack CheatSheet" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/03/cross-cache-attack-cheatsheet.html) [article]
[2024: "Linux Kernel Use Pipe Object to Do Data-Only Attack" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/16/linux-kernel-use-pipe-object-to-do-data-only-attack.html) [article]
[2024: "CTF-style Tricks of Linux Kernel Exploitation" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/04/ctf-style-tricks-of-linux-kernel-exploitation-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2024/08/07/ctf-style-tricks-of-linux-kernel-exploitation-part-2.html)]
[2024: "Linux Kernel exploitation cheatsheet" by Pumpkin Chang](https://u1f383.github.io/cheatsheet/1970/01/01/welcome-to-jekyll.html) [article]
[2024: "SLUB Internals for Exploit Developers" by Andrey Konovalov](https://static.sched.com/hosted_files/lsseu2024/37/2024%2C%20LSS%20EU_%20SLUB%20Internals%20for%20Exploit%20Developers.pdf) [slides] [[video](https://www.youtube.com/watch?v=XulsBDV4n3w)]
[2024: "SCAVY: Automated Discovery of Memory Corruption Targets in Linux Kernel for Privilege Escalation"](https://www.usenix.org/system/files/usenixsecurity24-avllazagaj.pdf) [paper]
[2024: "PageJack: A Powerful Exploit Technique With Page-Level UAF" by Zhiyun Qian et al.](https://i.blackhat.com/BH-US-24/Presentations/US24-Qian-PageJack-A-Powerful-Exploit-Technique-With-Page-Level-UAF-Thursday.pdf) [slides] [[code](https://github.com/Lotuhu/Page-UAF)] [[summary](https://phrack.org/issues/71/13.html#article)]
[2024: "SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel" by Lukas Maar et al.](https://stefangast.eu/papers/slubstick.pdf) [paper]
[2024: "Linux Kernel Exploitation - ret2usr" by Sascha Schirra](https://scoding.de/linux-kernel-exploitation-buffer_overflow) [article]
[2024: "Binary Exploitation Notes: Kernel" by Andrej Ljubic](https://ir0nstone.gitbook.io/notes/types/kernel) [articles]
[2024: "Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation"](https://arxiv.org/pdf/2406.02624) [paper]
[2024: "GhostRace: Exploiting and Mitigating Speculative Race Conditions"](https://www.vusec.net/projects/ghostrace/) [paper]
[2024: "K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel"](https://www.ndss-symposium.org/wp-content/uploads/2024-935-paper.pdf) [paper]
[2024: "Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems"](https://arxiv.org/pdf/2401.17618.pdf) [paper]
[2023: "Deep-Kernel Treasure Hunt: Finding exploitable structures in the Linux kernel" by Yudai Fujiwara](https://codeblue.jp/2023/result/pdf/cb23-deep-kernel-treasure-hunt-finding-exploitable-structures-in-the-linux-kernel-by-yudai-fujiwara.pdf) [slides] [[video](https://www.youtube.com/watch?v=mamm_23fHD4)]
[2023: "D^3CTF2023 d3kcache: From null-byte cross-cache overflow to infinite arbitrary read & write."](https://blog.arttnba3.cn/2023/05/02/CTF-0X08_D3CTF2023_D3KCACHE/) [article]
[2023: "No Tux Given: Diving Into Contemporary Linux Kernel Exploitation" by sam4k](https://sam4k.com/content/files/2024/01/no_tux_given.pdf) [slides]
[2023: "Linux Kernel Exploitation series" by santaclz](https://santaclz.github.io/2023/11/03/Linux-Kernel-Exploitation-Getting-started-and-BOF.html) [article] [[part 2](https://santaclz.github.io/2024/01/20/Linux-Kernel-Exploitation-Heap-techniques.html)] [[part 3](https://santaclz.github.io/2024/01/29/Linux-Kernel-Exploitation-exploiting-race-condition-and-UAF.html)]
[2023: "RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections"](https://kylebot.net/papers/retspill.pdf) [paper]
[2023: "Understanding Dirty Pagetable - m0leCon Finals 2023 CTF Writeup"](https://ptr-yudai.hatenablog.com/entry/2023/12/08/093606) [article]
[2023: "Abusing RCU callbacks with a Use-After-Free read to defeat KASLR"](https://anatomic.rip/abusing_rcu_callbacks_to_defeat_kaslr/) [article]
[2023: "Evils in the Sparse Texture Memory: Exploit Kernel Based on Undefined Behaviors of Graphic APIs"](https://i.blackhat.com/EU-23/Presentations/EU-23-Jin-Evils-in-the-Sparse-Texture.pdf) [slides] [[abstract](https://www.blackhat.com/eu-23/briefings/schedule/index.html#evils-in-the-sparse-texture-memory-exploit-kernel-based-on-undefined-behaviors-of-graphic-apis-35059)]
[2023: "Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming" by Seunghun Han](https://i.blackhat.com/BH-US-23/Presentations/US-23-Han-Lost-Control-Breaking-Hardware-Assisted-Kernel.pdf) [slides]
[2023: "Make KSMA Great Again: The Art of Rooting Android devices by GPU MMU features" by Yong Wang](https://i.blackhat.com/BH-US-23/Presentations/US-23-WANG-The-Art-of-Rooting-Android-devices-by-GPU-MMU-features.pdf) [[video](https://www.youtube.com/watch?v=2qkwSPnQqrU)] [slides]
[2023: "A new method for container escape using file-based DirtyCred" by Choo Yi Kai](https://starlabs.sg/blog/2023/07-a-new-method-for-container-escape-using-file-based-dirtycred/) [article]
[2023: "prctl anon_vma_name: An Amusing Linux Kernel Heap Spray" by Cherie-Anne Lee](https://starlabs.sg/blog/2023/07-prctl-anon_vma_name-an-amusing-heap-spray/) [article]
[2023: "Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel" by Nicolas Wu](https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html) [article]
[2023: "Exploit Engineering – Attacking the Linux Kernel" by Alex Plaskett and Cedric Halbronn](https://research.nccgroup.com/wp-content/uploads/2023/05/exploit-engineering-linux-kernel.pdf) [slides] [[video](https://www.youtube.com/watch?v=9wgHENj_YNk)]
[2023: "Algorithmic Heap Layout Manipulation in the Linux Kernel" by Max Ufer and Daniel Baier](https://escholarship.org/content/qt8ss3f7w1/qt8ss3f7w1.pdf) [paper] [[artifacts](https://github.com/fkie-cad/Algorithmic-Heap-Layout-Manipulation-in-the-Linux-Kernel)]
[2023: "The Return of Stack Overflows in the Linux Kernel" by Davide Ornaghi](https://conference.hitb.org/hitbsecconf2023ams/materials/D2%20COMMSEC%20-%20The%20Return%20of%20Stack%20Overflows%20in%20the%20Linux%20Kernel%20-%20Davide%20Ornaghi.pdf) [slides] [[video](https://www.youtube.com/watch?v=5b9UlBrzvG0)]
[2023: "Exploiting null-dereferences in the Linux kernel" by Seth Jenkins](https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html) [article]
[2023: "PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique"](https://www.usenix.org/system/files/sec23summer_79-lee-prepub.pdf) [paper] [[video](https://www.youtube.com/watch?v=C3ta-uUthfA)]
[2023: "Linux Kernel PWN | 06 DirtyCred"](https://blog.wohin.me/posts/linux-kernel-pwn-06/) [article]
[2023: "Linux Kernel PWN | 05 ret2dir"](https://blog.wohin.me/posts/linux-kernel-pwn-05/) [article]
[2022: "Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache"](https://i.blackhat.com/USA-22/Thursday/US-22-WANG-Ret2page-The-Art-of-Exploiting-Use-After-Free-Vulnerabilities-in-the-Dedicated-Cache.pdf) [slides] [[video](https://www.youtube.com/watch?v=HZk2egYDXxg)]
[2022: "Devils Are in the File Descriptors: It Is Time To Catch Them All" by Le Wu](https://i.blackhat.com/USA-22/Wednesday/US-22-Wu-Devils-Are-in-the-File.pdf) [slides] [[video](https://www.youtube.com/watch?v=dIVjQrqpKC0)]
[2022: "FUSE for Linux Exploitation 101"](https://exploiter.dev/blog/2022/FUSE-exploit.html) [article]
[2022: "Kernel Exploit Recipes"](https://drive.google.com/file/d/1kRHgQ9qDr4vgxJ4rVL-UNKvCamva_TRB/view) [brochure]
[2022: "pipe_buffer arbitrary read write" by Jayden R](https://interruptlabs.co.uk/labs/pipe_buffer/) [article]
[2022: "Joy of exploiting the Kernel"](https://docs.google.com/presentation/d/e/2PACX-1vR4mpH3aARLMOhJemVGEw1cduXPEo_PvrbZMum8QwOJ6rhZvvezsif4qtgSydVVt8jPT1fztgD5Mj7q/pub?slide=id.p) [slides]
[2022: "An exploit primitive in the Linux kernel inspired by DirtyPipe"](https://github.com/veritas501/pipe-primitive) [article]
[2022: "DirtyCred: Escalating Privilege in Linux Kernel"](https://zplin.me/papers/DirtyCred.pdf) [paper] [[slides](https://zplin.me/papers/DirtyCred_CCS_slides.pdf)] [[artifacts](https://github.com/Markakd/DirtyCred)]
[2022: "DirtyCred: Cautious! A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe"](https://i.blackhat.com/USA-22/Thursday/US-22-Lin-Cautious-A-New-Exploitation-Method.pdf) [slides] [[artifacts](https://github.com/Markakd/DirtyCred)]
[2022: "CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel"](https://syst3mfailure.io/corjail) [article]
[2022: "Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage"](https://www.willsroot.io/2022/08/reviving-exploits-against-cred-struct.html) [article]
[2022: "USMA: Share Kernel Code With Me" by Yong Liu, Jun Yao, and Xiaodong Wang](https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-YongLiu-USMA-Share-Kernel-Code.pdf) [slides] [[paper](https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-YongLiu-USMA-Share-Kernel-Code-wp.pdf)] [[article](https://vul.360.net/archives/391?continueFlag=2065c4d6bed3a8e7a80c495d7066e013)]
[2022: "Linux kernel heap feng shui in 2022" by Michael S and Vitaly Nikolenko](https://duasynt.com/blog/linux-kernel-heap-feng-shui-2022) [article]
[2022: "LiKE: A Series on Linux Kernel Exploitation" by sam4k](https://sam4k.com/like-a-series-on-linux-kernel-exploitation/) [article] [[modprobe_path](https://sam4k.com/like-techniques-modprobe_path/)]
[2022: "Racing against the clock -- hitting a tiny kernel race window" by Jann Horn](https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting-tiny.html) [article]
[2022: "Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability"](https://www.usenix.org/system/files/sec22fall_zeng.pdf) [paper] [[artifacts](https://github.com/sefcom/KHeaps)]
[2022: "Learning Linux kernel exploitation" by 0x434b](https://0x434b.dev/dabbling-with-linux-kernel-exploitation-ctf-challenges-to-learn-the-ropes/) [article] [[part 2](https://0x434b.dev/learning-linux-kernel-exploitation-part-2-cve-2022-0847/)]
[2021: "ExpRace: Exploiting Kernel Races through Raising Interrupts" at USENIX](https://www.usenix.org/system/files/sec21-lee-yoochan.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_lee_yoochan.pdf)] [[video](https://www.youtube.com/watch?v=CIHRw5YPr9o)]
[2021: "Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel"](https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html) [article] [[part 2](https://syst3mfailure.io/wall-of-perdition)]
[2021: "Linux Kernel Exploitation Technique: Overwriting modprobe_path"](https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/) [article]
[2021: "Learning Linux Kernel Exploitation"](https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/) [article] [[part 2](https://lkmidas.github.io/posts/20210128-linux-kernel-pwn-part-2/)] [[part 3](https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/)]
[2020: "PTMA (Page Table Manipulation Attack): Attacking the core of memory permission"](https://www.slideshare.net/JungseungLee2/page-table-manipulation-attack) [slides]
[2020: "Exploiting Kernel Races Through Taming Thread Interleaving"](https://i.blackhat.com/USA-20/Thursday/us-20-Lee-Exploiting-Kernel-Races-Through-Taming-Thread-Interleaving.pdf) [slides] [[video](https://www.youtube.com/watch?v=5M3WhLVLCzs)]
[2020: "Locating the kernel PGD on Android/aarch64" by Vitaly Nikolenko](https://duasynt.com/blog/android-pgd-page-tables) [article]
[2020: "A Systematic Study of Elastic Objects in Kernel Exploitation"](https://zplin.me/papers/ELOISE.pdf) [paper] [[video](https://www.youtube.com/watch?v=yXhH0IJAxkE)]
[2020: "Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers"](https://www.usenix.org/system/files/woot20-paper1-slides-cho.pdf) [slides] [[paper](https://www.usenix.org/system/files/woot20-paper-cho.pdf)] [[video](https://www.youtube.com/watch?v=uI377m9S0qs)]
[2020: "BlindSide: Speculative Probing: Hacking Blind in the Spectre Era"](https://www.vusec.net/projects/blindside/) [paper]
[2020: "Linux Kernel Stack Smashing" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/02/linux-kernel-stack-smashing.html?m=1) [article]
[2020: "Structures that can be used in kernel exploits"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article]
[2019: "The Route to Root: Container Escape Using Kernel Exploitation" by Nimrod Stoler](https://www.cyberark.com/resources/threat-research-blog/the-route-to-root-container-escape-using-kernel-exploitation) [article]
[2019: "Linux Kernel: the ROP Exploit of Stack Overflow in Android Kernel"](https://medium.com/@knownsec404team/linux-kernel-the-rop-exploit-of-stack-overflow-in-android-kernel-87aa8eda770d) [article]
[2019: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen at Black Hat Europe](https://i.blackhat.com/eu-19/Wednesday/eu-19-Chen-Hands-Off-And-Putting-SLAB-SLUB-Feng-Shui-In-A-Blackbox.pdf) [slides] [[code](https://www.dropbox.com/sh/2kwcwqb8rjro80j/AAC8QBCIhcCylNUDLUd1OZCZa?dl=0)]
[2019: "SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel" by Yueqi (Lewis) Chen and Xinyu Xing](http://personal.psu.edu/yxc431/publications/SLAKE_Slides.pdf) [slides] [[paper](http://personal.psu.edu/yxc431/publications/SLAKE.pdf)]
[2019: "Exploiting Race Conditions Using the Scheduler" by Jann Horn at Linux Security Summit EU](https://static.sched.com/hosted_files/lsseu2019/04/LSSEU2019%20-%20Exploiting%20race%20conditions%20on%20Linux.pdf) [slides] [[video](https://www.youtube.com/watch?v=MIJL5wLUtKE)]
[2019: "Kepler: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities"](https://www.usenix.org/sites/default/files/conference/protected-files/sec19_slides_wu-wei.pdf) [slides] [[video](https://www.youtube.com/watch?v=4b_GbFs5XZI)] [[paper](https://www.usenix.org/system/files/sec19-wu-wei.pdf)]
[2019: "Leak kernel pointer by exploiting uninitialized uses in Linux kernel" by Jinbum Park](https://jinb-park.github.io/leak-kptr.html) [slides]
[2019: "Kernel IDT priviledge escalation"](https://github.com/rdomanski/kernel/tree/master/writeups/Kernel-IDT-priviledge-escalation) [article]
[2018: "FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities"](http://personal.psu.edu/yxc431/publications/FUZE_Slides.pdf) [slides] [[paper](http://personal.psu.edu/yxc431/publications/FUZE.pdf)]
[2018: "Linux Kernel universal heap spray" by Vitaly Nikolenko](https://cyseclabs.com/blog/linux-kernel-heap-spray) [article]
[2018: "Linux-Kernel-Exploit Stack Smashing"](https://web.archive.org/web/20190421131414/http://tacxingxing.com/2018/02/15/linux-kernel-exploit-stack-smashing/) [article]
[2018: "Entering God Mode - The Kernel Space Mirroring Attack"](https://hackernoon.com/entering-god-mode-the-kernel-space-mirroring-attack-8a86b749545f) [article]
[2018: "Mirror Mirror: Rooting Android 8 with a Kernel Space Mirroring Attack" by Wang Yong at HitB](https://conference.hitb.org/hitbsecconf2018ams/materials/D1T2%20-%20Yong%20Wang%20&%20Yang%20Song%20-%20Rooting%20Android%208%20with%20a%20Kernel%20Space%20Mirroring%20Attack.pdf) [slides]
[2018: "KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features" by Wang Yong at BlackHat](https://www.blackhat.com/docs/asia-18/asia-18-WANG-KSMA-Breaking-Android-kernel-isolation-and-Rooting-with-ARM-MMU-features.pdf) [slides]
[2018: "Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation"](https://arxiv.org/pdf/1802.07060.pdf) [paper]
[2018: "linux kernel pwn notes"](https://www.cnblogs.com/hac425/p/9416886.html) [article]
[2018: "Use of timer_list structure in linux kernel exploit"](https://xz.aliyun.com/t/3455) [article]
[2018: "Entering God Mode — The Kernel Space Mirroring Attack"](https://medium.com/hackernoon/entering-god-mode-the-kernel-space-mirroring-attack-8a86b749545f) [article]
[2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.riscure.com/uploads/2017/10/escalating-privileges-in-linux-using-fi-presentation-fdtc-2017.pdf) [slides] [[video](https://www.youtube.com/watch?v=nqF_IjXg_uM)] [[paper](https://www.riscure.com/uploads/2017/10/Riscure_Whitepaper_Escalating_Privileges_in_Linux_using_Fault_Injection.pdf)]
[2017: "Kernel Driver mmap Handler Exploitation" by Mateusz Fruba](https://labs.withsecure.com/content/dam/labs/docs/mwri-mmap-exploitation-whitepaper-2017-09-18.pdf) [paper]
[2017: "Linux kernel addr_limit bug / exploitation" by Vitaly Nikolenko](https://www.youtube.com/watch?v=UFakJa3t8Ls) [video]
[2017: "The Stack Clash" by Qualys Research Team](https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt) [article]
[2017: "New Reliable Android Kernel Root Exploitation Techniques"](http://powerofcommunity.net/poc2016/x82.pdf) [slides]
[2017: "Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying"](https://www-users.cs.umn.edu/~kjlu/papers/tss.pdf) [paper]
[2017: "Breaking KASLR with perf" by Lizzie Dixon](https://blog.lizzie.io/kaslr-and-perf.html) [article]
[2017: "Linux kernel exploit cheetsheet"](https://github.com/verctor/MyNotes/blob/master/linux/linux_kernel_exploit_cheetsheet.md) [article]
[2016: "Getting Physical Extreme abuse of Intel based Paging Systems" by Nicolas Economou and Enrique Nissim](https://cansecwest.com/slides/2016/CSW2016_Economou-Nissim_GettingPhysical.pdf) [slides]
[2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-1)/) [article] [[exercise](https://github.com/vnik5287/kernel_rop)]
[2016: "Linux Kernel ROP - Ropping your way to # (Part 2)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-2)/) [article]
[2016: "Exploiting COF Vulnerabilities in the Linux kernel" by Vitaly Nikolenko at Ruxcon](https://ruxcon.org.au/assets/2016/slides/ruxcon2016-Vitaly.pdf) [slides]
[2016: "Using userfaultfd" by Lizzie Dixon](https://blog.lizzie.io/using-userfaultfd.html) [article]
[2016: "Direct Memory Attack the Kernel" by Ulf Frisk at DEF CON](https://www.youtube.com/watch?v=fXthwl6ShOg) [video]
[2016: "Randomization Can't Stop BPF JIT Spray" by Elena Reshetova at Black Hat](https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray.pdf) [slides] [[video](https://www.youtube.com/watch?v=_F7iQQ1Um2M)] [[paper](https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf)]
[2015: "Kernel Data Attack is a Realistic Security Threat"](https://www.eecis.udel.edu/~hnw/paper/kerneldata.pdf) [paper]
[2015: "From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel"](http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Unix/EN%20-%20From%20collision%20to%20exploitation%3A%20Unleashing%20Use-After-Free%20vulnerabilities%20in%20Linux%20Kernel.pdf) [paper]
[2015: "Modern Binary Exploitation: Linux Kernel Exploitation" by Patrick Biernat](http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/23/13_lecture.pdf) [slides] [[exercise](https://github.com/RPISEC/MBE/tree/master/src/lab10)]
[2013: "Hacking like in the Movies: Visualizing Page Tables for Local Exploitation" at Black Hat](https://www.youtube.com/watch?v=Of6DemoMLaA)
[2013: "Exploiting linux kernel heap corruptions" by Mohamed Channam](http://resources.infosecinstitute.com/exploiting-linux-kernel-heap-corruptions-slub-allocator/) [article]
[2012: "Writing kernel exploits" by Keegan McAllister](https://tc.gtisc.gatech.edu/bss/2014/r/kernel-exploits.pdf) [slides]
[2012: "Understanding Linux Kernel Vulnerabilities" by Richard Carback](https://www.csee.umbc.edu/courses/undergraduate/421/Spring12/02/slides/ULKV.pdf) [slides]
[2012: "A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator" by Dan Rosenberg](https://www.vsecurity.com//download/papers/slob-exploitation.pdf) [paper]
[2012: "Attacking hardened Linux systems with kernel JIT spraying" by Keegan McAllister](https://mainisusuallyafunction.blogspot.ru/2012/11/attacking-hardened-linux-systems-with.html) [article] [[code 1](https://github.com/kmcallister/alameda)] [[code 2](https://github.com/01org/jit-spray-poc-for-ksp)]
[2012: "The Linux kernel memory allocators from an exploitation perspective" by Patroklos Argyroudis](https://argp.github.io/2012/01/03/linux-kernel-heap-exploitation/) [article]
[2012: "The Stack is Back" by Jon Oberheide](https://jon.oberheide.org/files/infiltrate12-thestackisback.pdf) [slides]
[2012: "Stackjacking" by Jon Oberheide and Dan Rosenberg](https://www.slideshare.net/scovetta/stackjacking) [slides]
[2011: "Stackjacking Your Way to grsec/PaX Bypass" by Jon Oberheide](https://jon.oberheide.org/blog/2011/04/20/stackjacking-your-way-to-grsec-pax-bypass/) [article]
[2010: "Much ado about NULL: Exploiting a kernel NULL dereference"](https://blogs.oracle.com/ksplice/entry/much_ado_about_null_exploiting1) [article]
[2010: "Exploiting Stack Overflows in the Linux Kernel" by Jon Oberheide](https://jon.oberheide.org/blog/2010/11/29/exploiting-stack-overflows-in-the-linux-kernel/) [article]
[2010: "Linux Kernel Exploitation: Earning Its Pwnie a Vuln at a Time" by Jon Oberheide at SOURCE Boston](https://jon.oberheide.org/files/source10-linuxkernel-jonoberheide.pdf) [slides]
[2009: "There's a party at ring0, and you're invited" by Tavis Ormandy and Julien Tinnes at CanSecWest](https://www.cr0.org/paper/to-jt-party-at-ring0.pdf) [slides]
[2007: "Kernel-mode exploits primer" by Sylvester Keil and Clemens Kolbitsch](http://old.iseclab.org/projects/vifuzz/docs/exploit.pdf) [paper]
[2007: "Attacking the Core : Kernel Exploiting Notes"](http://phrack.org/archives/issues/64/6.txt) [article]
[2007: "The story of exploiting kmalloc() overflows"](http://www.ouah.org/kmallocstory.html) [article]
[2007: "Linux 2.6 Kernel Exploits" by Stephane Duverger](https://airbus-seclab.github.io/kernsploit/kernel_exploit_syscan07.pdf) [slides]
[2005: "Large memory management vulnerabilities" by Gael Delalleau at CanSecWest](https://cansecwest.com/core05/memory_vulns_delalleau.pdf) [slides]
[2005: "The story of exploiting kmalloc() overflows"](https://argp.github.io/public/kmalloc_exploitation.pdf) [article]
### Protection Bypasses
[2024: "SELinux bypasses"](https://klecko.github.io/posts/selinux-bypasses/) [article]
[2024: "Page-Oriented Programming: Subverting Control-Flow Integrity of Commodity Operating System Kernels with Non-Writable Code Pages" by Seunghun Han et al.](https://www.usenix.org/system/files/usenixsecurity24-han-seunghun.pdf) [paper] [[slides](https://www.usenix.org/system/files/usenixsecurity24_slides-han-seunghun.pdf)] [[video](https://www.youtube.com/watch?v=wSMByLg-ibs)]
[2024: "Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels" by Lukas Maar et al.](https://www.usenix.org/system/files/usenixsecurity24-maar-defects.pdf) [paper] [[artifacts](https://www.usenix.org/system/files/usenixsecurity24-appendix-maar-defects.pdf)]
[2024: "Leaking Host KASLR from Guest VMs Using Tagged TLB" by Reno Robert](https://pagedout.institute/download/PagedOut_004_beta1.pdf#page=58) [article]
[2024: "TikTag: Breaking ARM's Memory Tagging Extension with Speculative Execution" by Juhee Kim et al.](https://arxiv.org/pdf/2406.08719) [paper] [[code](https://github.com/compsec-snu/tiktag)]
[2023: "Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation"](https://download.vusec.net/papers/slam_sp24.pdf) [paper]
[2023: "MTE As Implemented, Part 3: The Kernel" by Mark Brand](https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html) [article]
[2023: "Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming" by Seunghun Han](https://i.blackhat.com/BH-US-23/Presentations/US-23-Han-Lost-Control-Breaking-Hardware-Assisted-Kernel.pdf) [slides]
[2023: "EPF: Evil Packet Filter" by Di Jin, Vaggelis Atlidakis, and Vasileios P. Kemerlis](https://cs.brown.edu/~vpk/papers/epf.atc23.pdf) [paper]
[2023: "Bypassing SELinux with init_module" by Sean Pesce](https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html) [article]
[2023: "Finding Gadgets for CPU Side-Channels with Static Analysis Tools" by Jordy Zomer and Alexandra Sandulescu](https://github.com/google/security-research/tree/master/pocs/cpus/spectre-gadgets) [article]
[2023: "Linux Kernel: Spectre-v1 gadgets" by Jordy Zomer and Alexandra Sandulescu](https://github.com/google/security-research/security/advisories/GHSA-m7j5-797w-vmrh) [article]
[2023: "Linux Kernel: Spectre v2 SMT mitigations problem" by Eduardo Vela](https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx) [article]
[2022: "A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data"](https://i.blackhat.com/USA-22/Thursday/US-22-Frigo-A-Dirty-Little-History.pdf) [slides]
[2022: "Tetragone: A Lesson in Security Fundamentals" by Pawel Wieczorkiewicz and Brad Spengler](https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals) [article]
[2021: "Characterizing, Exploiting, and Detecting DMA Code Injection Vulnerabilities in the Presence of an IOMMU"](https://www.cs.tau.ac.il/~mad/publications/eurosys2021-dma.pdf) [paper]
[2021: "A General Approach to Bypassing Many Kernel Protections and its Mitigation" by Yueqi Chen](https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Chen-A-General-Approach-To-Bypassing-Many-Kernel-Protections-And-Its-Mitigation.pdf) [slides] [[video](https://www.youtube.com/watch?v=EIwEF3tCtg4)]
[2021: "Attacking Samsung RKP" by Alexandre Adamski](https://blog.impalabs.com/2111_attacking-samsung-rkp.html) [article]
[2020: "Things not to do when using an IOMMU" by Ilja van Sprundel and Joseph Tartaro](https://www.youtube.com/watch?v=p1HUpSkHcZ0) [video]
[2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko](https://duasynt.com/blog/samsung-s20-rkp-selinux-disable) [article]
[2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs"](https://download.vusec.net/papers/tagbleed_eurosp20.pdf) [paper]
[2020: "Weaknesses in Linux Kernel Heap Hardening" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html) [article]
[2020: "An Analysis of Linux Kernel Heap Hardening" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/04/an-analysis-of-linux-kernel-heap.html) [article]
[2020: "PAN: Another day, another broken mitigation" by Siguza](https://siguza.github.io/PAN/) [article]
[2019: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You at PoC](http://powerofcommunity.net/poc2019/x82.pdf) [slides]
[2017: "Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/02/lifting-hyper-visor-bypassing-samsungs.html) [article]
[2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric"](https://web.archive.org/web/20171029060939/http://www.blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/) [article]
[2016: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko at KIWICON](https://cyseclabs.com/slides/smep_bypass.pdf) [slides]
[2016: "Micro architecture attacks on KASLR" by Anders Fogh](https://cyber.wtf/2016/10/25/micro-architecture-attacks-on-kasrl/) [article]
[2016: "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR" by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh](http://www.cs.ucr.edu/~nael/pubs/micro16.pdf) [slides]
[2016: "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR" by Daniel Gruss, Clementine Maurice, Anders Fogh, Moritz Lipp and Stefan Mangard at CCS](https://www.youtube.com/watch?v=TJTQbs3oJx8) [video]
[2016: "Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process" at Black Hat](https://www.youtube.com/watch?v=T3kmq2NLpH4) [video]
[2016: "Breaking KASLR with Intel TSX" by Yeongjin Jang, Sangho Lee and Taesoo Kim at Black Hat](https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf) [slides] [[video](https://www.youtube.com/watch?v=rtuXG28g0CU)]
[2016: "Breaking KASLR with micro architecture" by Anders Fogh](https://dreamsofastone.blogspot.ru/2016/02/breaking-kasrl-with-micro-architecture.html) [article]
[2015: "Effectively bypassing kptr_restrict on Android" by Gal Beniamini](https://bits-please.blogspot.de/2015/08/effectively-bypassing-kptrrestrict-on.html) [article]
[2014: "ret2dir: Deconstructing Kernel Isolation" by Vasileios P. Kemerlis, Michalis Polychronakis and Angelos D. Keromytis at Black Hat Europe](https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation-wp.pdf) [paper] [[video](https://www.youtube.com/watch?v=kot-EQ9zf9k)]
[2013: "A Linux Memory Trick" by Dan Rosenberg](http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/) [article]
[2011: "SMEP: What is It, and How to Beat It on Linux" by Dan Rosenberg](http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/) [article]
[2009: "Bypassing Linux' NULL pointer dereference exploit prevention (mmap_min_addr)"](http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html) [article]
## Vulnerabilities
[Project Zero bug reports](https://project-zero.issues.chromium.org/issues?q=componentid:1638259%20linux%20kernel)
[Google kernelCTF writeups and exploits](https://github.com/google/security-research/tree/master/pocs/linux/kernelctf)
[Assorted advisories by Gyorgy Miru and kutyacica](https://labs.taszk.io/blog/)
### Info-leaks
[2025: "KernelSnitch: Side-Channel Attacks on Kernel Data Structures" by Lukas Maar et al.](https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf) [paper]
[2024: "Linux vDSO & VVAR" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/11/linux-vdso-and-vvar.html) [article] [CVE-2023-23586]
[2024: "CPU Speculation Vulnerabilities And Mitigations in the Linux Kernel" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/09/cpu-speculation-vulnerabilities-and-mitigations-in-the-linux-kernel.html) [article] [Spectre V1] [Spectre V2]
[2024: "Linux Kernel Meltdown Mitigation Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/01/linux-kernel-meltdown-mitigation-analysis.html) [article] [Meltdown]
[2024: "Out of the kernel, into the tokens" by Max Ammann and Emilio Lopez](https://blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/) [article]
[2023: "The code that wasn’t there: Reading memory on an Android device by accident" by Man Yue Mo](https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-an-android-device-by-accident/) [article] [CVE-2022-25664]
[2023: "EntryBleed: A Universal KASLR Bypass against KPTI on Linux"](https://dl.acm.org/doi/pdf/10.1145/3623652.3623669) [paper] [CVE-2022-4543]
[2022: "EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)"](https://www.willsroot.io/2022/12/entrybleed.html) [article] [CVE-2022-4543]
[2022: "Yet another bug into Netfilter" by Arthur Mongodin](https://www.randorisec.fr/yet-another-bug-netfilter/) [article] [CVE-2022-1972]
[2022: "The AMD Branch (Mis)predictor: Just Set it and Forget it!" by Pawel Wieczorkiewicz](https://grsecurity.net/amd_branch_mispredictor_just_set_it_and_forget_it) [article] [Spectre]
[2022: "The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341)" by Pawel Wieczorkiewicz](https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before) [article] [Spectre]
[2021: "Samsung S10+/S9 kernel 4.14 (Android 10) Kernel Function Address (.text) and Heap Address Information Leak"](https://ssd-disclosure.com/ssd-advisory-samsung-s10-s9-kernel-4-14-android-10-kernel-function-address-text-and-heap-address-information-leak/) [article] [CVE-TBD]
[2021: "Linux Kernel /proc/pid/syscall information disclosure vulnerability"](https://talosintelligence.com/vulnerability_reports/TALOS-2020-1211) [article] [CVE-2020-28588]
[2021: "Spectre exploits in the "wild""](https://dustri.org/b/spectre-exploits-in-the-wild.html) [article]
[2021: "VDSO As A Potential KASLR Oracle" by Philip Pettersson and Alex Radocea](https://www.longterm.io/vdso_sidechannel.html) [article]
[2020: "PLATYPUS: Software-based Power Side-Channel Attacks on x86"](https://platypusattack.com/platypus.pdf) [paper]
[2019: "CVE-2018-3639 / CVE-2019-7308 - Analysis of Spectre Attacking Linux Kernel ebpf"](https://xz.aliyun.com/t/4230) [article] [CVE-2018-3639, CVE-2019-7308]
[2019: "From IP ID to Device ID and KASLR Bypass (Extended Version)"](https://arxiv.org/pdf/1906.10478.pdf) [paper]
[2018: "Kernel Memory disclosure & CANVAS Part 1 - Spectre: tips & tricks"](https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_1.pdf) [article] [Spectre]
[2018: "Kernel Memory disclosure & CANVAS Part 2 - CVE-2017-18344 analysis & exploitation notes"](https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_2.pdf) [article] [CVE-2017-18344]
[2018: "CVE-2017-18344: Exploiting an arbitrary-read vulnerability in the Linux kernel timer subsystem" by Andrey Konovalov](https://xairy.io/articles/cve-2017-18344) [article] [CVE-2017-18344]
[2017: "Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer" by Alexander Potapenko](http://seclists.org/oss-sec/2017/q2/455) [announcement] [CVE-2017-1000380]
[2017: "The Infoleak that (Mostly) Wasn't" by Brad Spengler](https://grsecurity.net/the_infoleak_that_mostly_wasnt.php) [article] [CVE-2017-7616]
[2016: "Exploiting a Linux Kernel Infoleak to bypass Linux kASLR"](https://marcograss.github.io/security/linux/2016/01/24/exploiting-infoleak-linux-kaslr-bypass.html) [article]
[2010: "Linux Kernel pktcdvd Memory Disclosure" by Jon Oberheide](https://jon.oberheide.org/blog/2010/10/23/linux-kernel-pktcdvd-memory-disclosure/) [article] [CVE-2010-3437]
[2009: "Linux Kernel x86-64 Register Leak" by Jon Oberheide](https://jon.oberheide.org/blog/2009/10/04/linux-kernel-x86-64-register-leak/) [article] [CVE-2009-2910]
[2009: "Linux Kernel getname() Stack Memory Disclosures" by Jon Oberheide](https://jon.oberheide.org/blog/2009/08/29/linux-kernel-getname-stack-memory-disclosures/) [article] [CVE-2009-3001]
### LPE
[2025: "CVE-2024-53141: an OOB Write Vulnerability in Netfilter Ipset" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/07/cve-2024-53141-an-oob-write-vulnerability-in-netfilter-ipset.html) [article] [CVE-2024-53141]
[2025: "Patch-Gapping the Google Container-Optimized OS for $0" by h0mbre](https://h0mbre.github.io/Patch_Gapping_Google_COS/) [article] [CVE-UNKNOWN]
[2025: "Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793)" by Ng Zhi Yang](https://starlabs.sg/blog/2025/12-mali-cious-intent-exploiting-gpu-vulnerabilities-cve-2022-22706/) [article] [CVE-2022-22706] [CVE-2021-39793]
[2024: "The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit" by Seth Jenkins](https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html) [article] [CVE-2024-38402] [CVE-2024-21455] [CVE-2024-33060] [CVE-2024-49848] [CVE-2024-43047]
[2024: "OtterRoot: Netfilter Universal Root 1-day" by Pedro Pinto](https://osec.io/blog/2024-11-25-netfilter-universal-root-1-day) [article] [CVE-2024-26809]
[2024: "How I use a novel approach to exploit a limited OOB on Ubuntu at Pwn2Own Vancouver 2024" by Pumpkin Chang](https://u1f383.github.io/slides/talks/2024_POC-How_I_use_a_novel_approach_to_exploit_a_limited_OOB_on_Ubuntu_at_Pwn2Own_Vancouver_2024.pdf) [slides] [CVE-UNKNOWN]
[2024: "GPUAF - Two ways of Rooting All Qualcomm based Android phones" by Pan Zhenpeng and Jheng Bing Jhong](https://powerofcommunity.net/poc2024/Pan%20Zhenpeng%20&%20Jheng%20Bing%20Jhong,%20GPUAF%20-%20Two%20ways%20of%20rooting%20All%20Qualcomm%20based%20Android%20phones.pdf) [slides] [CVE-2024-23380] [CVE-2024-23373]
[2024: "Breaking through the cage: Get Android universal root by B-PUAF" by Lu Yutao and Ling Hanqin](https://powerofcommunity.net/poc2024/Hanqin%20Ling%20&%20Yutao%20Lu,%20Breaking%20through%20the%20cage%20-%20Get%20Android%20Universal%20Root%20by%20B-PUAF.pdf) [slides] [CVE-2024-46740]
[2024: "Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel" by Pedro Pinto](https://www.figma.com/deck/GyXCgKKy6rMuY7NVZtInjY/Unleadhing-a-Oday---Osec?node-id=13-225) [slides] [[video](https://www.youtube.com/watch?v=bxJhlwGjwWQ)] [CVE-2024-41010]
[2024: "Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel" by Mingi Cho and Wongi Lee](https://www.hexacon.fr/slides/Cho_Lee-Utilizing_Cross-CPU_Allocation_to_Exploit_Preempt-Disabled_Linux_Kernel.pdf) [slides] [CVE-2023-31248] [[video](https://www.youtube.com/watch?v=dUdU0lp35xU)] [CVE-2024-36978]
[2024: "1day vuln dev: DirtyCOW"](https://www.youtube.com/watch?v=lQOiH-43zOc) [video] [CVE-2016-5195]
[2024: "Race conditions in Linux Kernel perf events"](https://binarygecko.com/race-conditions-in-linux-kernel-perf-events/) [[code](https://github.com/Binary-Gecko/perf_PoC)] [CVE-UNKNOWN]
[2024: "CVE-2020-27786 (Race Condition + Use-After-Free)" by ii4gsp](https://ii4gsp.github.io/cve-2020-27786/) [article] [CVE-2020-27786]
[2024: "GPUAF Using a general GPU exploit tech to attack Pixel8" by Pan Zhenpeng and Jheng Bing Jhong](https://github.com/star-sg/OBO/blob/main/2024/Day%201/GPUAF%20-%20Using%20a%20general%20GPU%20exploit%20tech%20to%20attack%20Pixel8.pdf) [slides] [[video](https://www.youtube.com/watch?v=Mw6iCqjOV9Q)] [CVE-UNKNOWN]
[2024: "Linux Kernel taprio OOB"](https://ssd-disclosure.com/ssd-advisory-linux-kernel-taprio-oob/) [article] [CVE-2024-36974]
[2024: "CVE-2022-22265 Samsung npu driver" by Javier P Rufo](https://soez.github.io/posts/CVE-2022-22265-Samsung-npu-driver/) [article] [CVE-2022-22265]
[2024: "The Way to Android Root: Exploiting Your GPU On Smartphone" by Xiling Gong, Xuan Xing, and Eugene Rodionov](https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24-Gong-The-Way-to-Android-Root-Wednesday.pdf) [slides] [[video](https://www.youtube.com/watch?v=BN07rjaNqXk)] [CVE-2024-23380]
[2024: "Clash, Burn, and Exploit: Manipulate Filters to Pwn kernelCTF" by HexRabbit](https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20HexRabbit%20Chen%20-%20Clash%2C%20Burn%2C%20and%20Exploit%20-%20Manipulate%20Filters%20to%20Pwn%20kernelCTF.pdf) [slides] [[video](https://www.youtube.com/watch?v=_1DTkkaNqfM)] [CVE-2024-26925]
[2024: "A deep dive into CVE-2023-2163: How we found and fixed an eBPF Linux Kernel Vulnerability" by Juan Jose Lopez Jaimez and Meador Inge](https://bughunters.google.com/blog/6303226026131456/a-deep-dive-into-cve-2023-2163-how-we-found-and-fixed-an-ebpf-linux-kernel-vulnerability) [article] [CVE-2023-2163]
[2024: "Vulnerability in the eBPF verifier register limit tracking" by Juan Jose Lopez Jaimez](https://github.com/google/security-research/security/advisories/GHSA-hfqc-63c7-rj9f) [CVE-2024-41003]
[2024: "Android Binder Attack Matrix" by Utkarsh](https://utkarshcodes.medium.com/android-binder-attack-matrix-introduction-450d31d1d951) [article] [[part 2](https://utkarshcodes.medium.com/android-binder-attack-matrix-cve-2023-20938-cve-2023-21255-uaf-details-article-1-4cc2eb3919f9)] [[part 3](https://utkarshcodes.medium.com/android-binder-attack-matrix-exploitation-of-cve-2023-20938-article-2-6215160e3373)] [[part 4](https://utkarshcodes.medium.com/android-binder-attack-matrix-fuzzing-binder-with-linux-kernel-library-lkl-article-3-62e931161eb5)] [[part 5](https://utkarshcodes.medium.com/android-binder-attack-matrix-results-conclusion-d7143057408f)]
[2024: "Driving forward in Android drivers" by Seth Jenkins](https://googleprojectzero.blogspot.com/2024/06/driving-forward-in-android-drivers.html) [article] [[video](https://archive.org/details/shmoocon2024/Shmoocon2024-SethJenkins-Driving_Forward_in_Android_Drivers.mp4)] [CVE-2023-32837] [CVE-2023-32832]
[2024: "Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938" by Eugene Rodionov, Zi Fan Tan, and Gulshan Singh](https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/) [article] [CVE-2023-20938]
[2024: "How to Fuzz Your Way to Android Universal Root: Attacking Android Binder" by Eugene Rodionov and Zi Fan Tan](https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/offensivecon_24_binder.pdf) [slides] [[video](https://www.youtube.com/watch?v=U-xSM159YLI)] [CVE-2023-20938]
[2024: "Linux Kernel nft_validate_register_store Integer Overflow Privilege Escalation"](https://ssd-disclosure.com/ssd-advisory-linux-kernel-nft_validate_register_store-integer-overflow-privilege-escalation/) [article] [CVE-UNKNOWN]
[2024: "Game of Cross Cache: Let's win it in a more effective way!" by Le Wu](https://i.blackhat.com/Asia-24/Presentations/Asia-24-Wu-Game-of-Cross-Cache.pdf) [slides] [[video](https://www.youtube.com/watch?v=em9qgHm3uIk)] [CVE-2023-21400]
[2024: "LinkDoor: A Hidden Attack Surface in the Android Netlink Kernel Modules" by Chao Ma et al.](https://i.blackhat.com/Asia-24/Presentations/Asia-24-Ma-LinkDoor-A-Hidden-Attack.pdf) [slides] [CVE-2023-32878] [CVE-2023-32882]
[2024: "Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques" by notselwyn](https://pwning.tech/nftables/) [article] [[exploit](https://github.com/Notselwyn/CVE-2024-1086)] [CVE-2024-1086]
[2024: "64 bytes and a ROP chain – A journey through nftables" by Davide Ornaghi](https://betrusted.it/blog/64-bytes-and-a-rop-chain-part-1/) [article] [[part 2](https://betrusted.it/blog/64-bytes-and-a-rop-chain-part-2/)] [[exploit](https://github.com/TurtleARM/CVE-2023-0179-PoC)] [CVE-2023-0179]
[2024: "Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu" by Oriol Castejon](https://blog.exodusintel.com/2024/03/27/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu/) [CVE-2024-0582]
[2024: "CVE-2022-2586 Writeup"](https://jmpeax.dev/CVE-2022-2586-writeup.html) [article] [CVE-2022-2586]
[2024: "n_gsm_exploit"](https://github.com/fff-vr/n_gsm_exploit) [article]
[2024: "The tale of a GSM Kernel LPE"](https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html) [article] [[exploit](https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit)] [[notes](https://mastodon.social/@gabe_k/112251322421680553)] [[discussion](https://www.openwall.com/lists/oss-security/2024/04/10/18)]
[2024: "Gaining kernel code execution on an MTE-enabled Pixel 8" by Man Yue Mo](https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/) [article] [[exploit](https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2023_6241)] [CVE-2023-6241]
[2024: "Mali GPU Kernel LPE: Android 14 kernel exploit for Pixel7/8 Pro" by Mohamed Ghannam](https://github.com/0x36/Pixel_GPU_Exploit) [article] [CVE-2023-26083]
[2024: "CVE-2023-5178: exploiting Linux kernel NVMe-oF-TCP driver on Ubuntu 23.10" by rockrid3r](https://rockrid3r.github.io/2024/02/07/CVE-2023-5178.html) [article] [CVE-2023-5178] [[exploit](https://github.com/rockrid3r/CVE-2023-5178)]
[2023: "Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability (CVE-2023-6546)" by Nassim Asrir](https://github.com/Nassim-Asrir/ZDI-24-020/) [CVE-2023-6546]
[2023: "Conquering the memory through io_uring - Analysis of CVE-2023-2598"](https://anatomic.rip/cve-2023-2598/) [article] [[exploit](https://github.com/ysanatomic/io_uring_LPE-CVE-2023-2598)] [CVE-2023-2598]
[2023: "Conquering a Use-After-Free in nf_tables: Detailed Analysis and Exploitation of CVE-2022-32250" by Yordan Stoychev](https://anatomic.rip/cve-2022-32250/) [article] [CVE-2022-32250]
[2023: "One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability"](https://kaist-hacking.github.io/pubs/2023/kim:kernel-ctf-slides.pdf) [slides] [[abstract](https://kaist-hacking.github.io/publication/kim-kernel-ctf/)] [CVE-2023-3390]
[2023: "Exploiting a bug in the Linux kernel with Zig" by Richard Palethorpe](https://richiejp.com/linux-kernel-exploit-tls_context-uaf) [article] [[video](https://www.youtube.com/watch?v=g7ATRgat0v4)] [CVE-2023-0461]
[2023: "Escaping the Google kCTF Container with a Data-Only Exploit" by h0mbre](https://h0mbre.github.io/kCTF_Data_Only_Exploit/) [article] [CVE-2022-3910]
[2023: "Analyzing a Modern In-the-wild Android Exploit" by Seth Jenkins](https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html) [article] [CVE-2023-0266] [CVE-2023-26083]
[2023: "Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023" by Tanguy Dubroca](https://www.synacktiv.com/publications/old-bug-shallow-bug-exploiting-ubuntu-at-pwn2own-vancouver-2023) [article] [CVE-2023-35001]
[2023: "Linux Kernel Exploit (CVE-2022-32250) with mqueue"](https://blog.theori.io/linux-kernel-exploit-cve-2022-32250-with-mqueue-a8468f32aab5) [article] [CVE-2022-32250]
[2023: "Bad io_uring: A New Era of Rooting for Android" by Zhenpeng Lin](https://i.blackhat.com/BH-US-23/Presentations/US-23-Lin-bad_io_uring.pdf) [slides] [[video](https://www.youtube.com/watch?v=fhx3W1z7YD0)] [CVE-2022-20409]
[2023: "CVE-2023-3389 - LinkedPoll" by Querijn Voet](https://qyn.app/posts/CVE-2023-3389/) [article] [CVE-2023-3389]
[2023: "GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux" by Sagi Tzadik and Shir Tamari](https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability) [article] [CVE-2023-2640] [CVE-2023-32629]
[2023: "StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability" by Ruihan Li](https://github.com/lrh2000/StackRot) [article] [CVE-2023-3269]
[2023: "No CVE for this. It has never been in the official kernel"](https://soez.github.io/posts/no-cve-for-this.-It-has-never-been-in-the-official-kernel/) [article]
[2023: "CVE-2020-27786 exploitation userfaultfd + patching file struct etc passwd"](https://soez.github.io/posts/CVE-2020-27786-exploitation-userfaultfd-+-patching-file-struct-etc-passwd/) [article] [CVE-2020-27786]
[2023: "Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability" by Vu Thi Lan](https://starlabs.sg/blog/2023/06-breaking-the-code-exploiting-and-examining-cve-2023-1829-in-cls_tcindex-classifier-vulnerability/) [article] [CVE-2023-1829]
[2023: "CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver"](https://labs.bluefrostsecurity.de/blog/cve-2023-2008.html) [article] [CVE-2023-2008]
[2023: "Rooting with root cause: finding a variant of a Project Zero bug" by Man Yue Mo](https://github.blog/2023-05-25-rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug/) [article] [CVE-2022-46395]
[2023: "Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel" by Moshe Kol](https://0xkol.github.io/assets/files/Racing_Against_the_Lock__Exploiting_Spinlock_UAF_in_the_Android_Kernel.pdf) [article] [[slides](https://0xkol.github.io/assets/files/OffensiveCon23_Racing_Against_the_Lock__Exploiting_Spinlock_UAF_in_the_Android_Kernel.pdf)] [[video](https://www.youtube.com/watch?v=E3CVDOlcHC4)] [[exploit](https://github.com/0xkol/badspin)] [CVE-2022-20421]
[2023: "Two bugs with one PoC: Rooting Pixel 6 from Android 12 to Android 13" by Yong Wang](https://i.blackhat.com/Asia-23/AS-23-WANG-Two-bugs-with-one-PoC-Rooting-Pixel-6-from-Android-12-to-Android-13.pdf) [slides] [CVE-2021-28664]
[2023: "The OverlayFS vulnerability CVE-2023-0386: Overview, detection, and remediation"](https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/) [article] [CVE-2023-0386]
[2023: "Pwning Pixel 6 with a leftover patch" by Man Yue Mo](https://github.blog/2023-04-06-pwning-pixel-6-with-a-leftover-patch/) [article] [GHSL-2023-005]
[2023: "Revisiting CVE-2017-11176" by Nils Ole Timm](https://labs.bluefrostsecurity.de/revisiting-cve-2017-11176) [article] [CVE-2017-11176]
[2023: "Rooting the FiiO M6" by Jack Maginnes](https://stigward.github.io/posts/fiio-m6-kernel-bug/) [article] [[part 2](https://stigward.github.io/posts/fiio-m6-exploit/)] [[video](https://www.youtube.com/watch?v=Cd_CAYe4M_M&t=3s)]
[2023: "Exploiting CVE-2021-3490 for Container Escapes" by Karsten Kyonig](https://www.crowdstrike.com/blog/exploiting-cve-2021-3490-for-container-escapes/) [article] [CVE-2021-3490]
[2023: "Pwning the all Google phone with a non-Google bug"](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/) [article] [CVE-2022-38181]
[2022: "CVE-2022-1015: A validation flaw in Netfilter leading to Local Privilege Escalation" by Yordan Stoychev](https://anatomic.rip/cve-2022-1015/) [article] [CVE-2022-1015]
[2022: "CVE-2022-22265: Samsung NPU device driver double free in Android" by Xingyu Jin](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22265.html) [article] [CVE-2022-22265]
[2022: "Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg" by Sergi Martinez](https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg/) [article] [CVE-2022-32250]
[2022: "Exploiting CVE-2022-42703 - Bringing back the stack attack" by Seth Jenkins](https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html) [article] [CVE-2022-42703]
[2022: "CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF"](https://1day.dev/notes/CVE-2022-2602-DirtyCred-File-Exploitation-applied-on-an-io_uring-UAF/) [article] [CVE-2022-2602]
[2022: "DirtyCred Remastered: how to turn an UAF into Privilege Escalation"](https://exploiter.dev/blog/2022/CVE-2022-2602.html) [article] [CVE-2022-2602]
[2022: "Exploiting cross table object reference in Linux Netfilter table (NFT) module"](https://docs.google.com/presentation/d/1qcPPz9E_X3z5h_E-Cc7Qmy1ppP4hWjFZQCQ5ZCb9hw8/edit?usp=sharing) [slides] [CVE-2022-2078] [CVE-2022-2586]
[2022: "Linux Kernel n-day exploit development"](https://1day.dev/notes/Linux-Kernel-n-day-exploit-development/) [article] [CVE-2020-27786]
[2022: "Linux Kernel Exploit Development: 1day case study" by Alessandro Groppo](https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/) [article] [CVE-2020-27786]
[2022: "[CVE-2022-1786] A Journey To The Dawn"](https://blog.kylebot.net/2022/10/16/CVE-2022-1786/) [article] [CVE-2022-1786]
[2022: "A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain" by Maddie Stone](https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html) [article] [CVE-2021-25369] [CVE-2021-25370]
[2022: "Attacking the Android kernel using the Qualcomm TrustZone" by Tamir Zahavi-Brunner](https://tamirzb.com/attacking-android-kernel-using-qualcomm-trustzone) [article] [[video](https://www.youtube.com/watch?v=WXqff23dT5I)] [CVE-2021-1961]
[2022: "SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)"](https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/) [article] [[slides](https://conference.hitb.org/hitbsecconf2022sin/materials/D1T1%20-%20Settlers%20of%20Netlink%20-%20Exploiting%20a%20Limited%20UAF%20on%20Ubuntu%2022.04%20to%20Achieve%20LPE%20-%20Aaron%20Adams.pdf)] [[video](https://www.youtube.com/watch?v=7T_ajYpRWJw)] [CVE-2022-32250]
[2022: "Linux Kernel Exploit (CVE-2022-32250) with mqueue"](https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/) [article] [CVE-2022-32250]
[2022: "N-day exploit for CVE-2022-2586: Linux kernel nft_object UAF" by Alejandro Guerrero](https://www.openwall.com/lists/oss-security/2022/08/29/5) [article] [CVE-2022-2586]
[2022: "Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021"](https://i.blackhat.com/USA-22/Wednesday/US-22-Jin-Monitoring-Surveillance-Vendors.pdf) [slides] [CVE-2021-0920]
[2022: "CVE-2022-29582: An io_uring vulnerability" by Awarau and David Bouman](https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring/) [article] [CVE-2022-29582]
[2022: "Linux kernel io_uring module pbuf_ring vulnerability and privilege escalation 0day"](https://dawnslab.jd.com/linux-5.19-rc2_pbuf_ring_0day/) [article]
[2022: "Corrupting memory without memory corruption" by Man Yue Mo](https://github.blog/2022-07-27-corrupting-memory-without-memory-corruption/) [article] [CVE-2022-20186]
[2022: "[CVE-2022-34918] A crack in the Linux firewall" by Arthur Mongodin](https://www.randorisec.fr/crack-linux-firewall/) [article] [CVE-2022-34918] [[exploit](https://github.com/randorisec/CVE-2022-34918-LPE-PoC)]
[2022: "CVE-2022-34918: netfilter analysis notes"](https://veritas501.github.io/2022_08_02-CVE-2022-34918%20netfilter%20%E5%88%86%E6%9E%90%E7%AC%94%E8%AE%B0/) [article] [CVE-2022-34918]
[2022: "Practice of USMA-based Kernel Universal EXP Writing Ideas on CVE-2022-34918"](https://veritas501.github.io/2022_08_11_%E5%9F%BA%E4%BA%8EUSMA%E7%9A%84%E5%86%85%E6%A0%B8%E9%80%9A%E7%94%A8EXP%E7%BC%96%E5%86%99%E6%80%9D%E8%B7%AF%E5%9C%A8%20CVE-2022-34918%20%E4%B8%8A%E7%9A%84%E5%AE%9E%E8%B7%B5/) [article] [CVE-2022-34918]
[2022: "The Android kernel mitigations obstacle race" by Man Yue Mo](https://github.blog/2022-06-16-the-android-kernel-mitigations-obstacle-race/) [article] [CVE-2022-22057]
[2022: "io_uring - new code, new bugs, and a new exploit technique" by Lam Jun Rong](https://starlabs.sg/blog/2022/06/io_uring-new-code-new-bugs-and-a-new-exploit-technique/) [article] [CVE-2021-41073]
[2022: "Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)" by lolcads](https://lolcads.github.io/posts/2022/06/dirty_pipe_cve_2022_0847/) [article] [CVE-2022-0847]
[2022: "DirtyPipe-Android/TECHNICAL-DETAILS.md" by polygraphene](https://github.com/polygraphene/DirtyPipe-Android/blob/master/TECHNICAL-DETAILS.md) [article] [CVE-2022-0847]
[2022: "Weaponizing dirtypipe on android" by Giovanni Rocca](https://docs.google.com/presentation/d/1Tq00gy1GtiK0OvNYOy_kCz0er9ZECBXGoy5Lfy5MD3M/edit?usp=sharing) [slides] [[exploit](https://github.com/iGio90/DirtyPipeZ)] [CVE-2022-0847]
[2022: "How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables" by David Bouman](https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/) [CVE-2022-1015] [CVE-2022-1016]
[2022: "The Discovery and Exploitation of CVE-2022-25636" by Nick Gregory](https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/) [article] [CVE-2022-25636]
[2022: "CVE-2022-27666: Exploit esp6 modules in Linux kernel" by ETenal](https://etenal.me/archives/1825) [article] [CVE-2022-27666]
[2022: "Put an io_uring on it: Exploiting the Linux Kernel" by Valentina Palmiotti](https://www.graplsecurity.com/post/iou-ring-exploiting-the-linux-kernel) [article] [CVE-2021-41073]
[2022: "The Dirty Pipe Vulnerability" by Max Kellermann](https://dirtypipe.cm4all.com/) [article] [CVE-2022-0847]
[2022: "CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers"](https://www.willsroot.io/2022/01/cve-2022-0185.html) [article] [CVE-2022-0185]
[2022: "CVE-2022-0185: Linux kernel slab out-of-bounds write: exploit and writeup" by Alejandro Guerrero](https://www.openwall.com/lists/oss-security/2022/01/25/14) [article] [CVE-2022-0185]
[2022: "CVE-2022-0185: A Case Study"](https://www.hackthebox.com/blog/CVE-2022-0185:_A_case_study) [article] [CVE-2022-0185]
[2022: "CVE-2022-0185: Analysis and utilization and thinking and practice of new primitives for pipe"](https://veritas501.github.io/2022_03_16-CVE_2022_0185%E5%88%86%E6%9E%90%E5%8F%8A%E5%88%A9%E7%94%A8%E4%B8%8Epipe%E6%96%B0%E5%8E%9F%E8%AF%AD%E6%80%9D%E8%80%83%E4%B8%8E%E5%AE%9E%E8%B7%B5/#%E7%9C%9F%E2%80%A2%E6%AD%A3%E6%96%87-%E6%96%B0%E5%9E%8B%E5%88%A9%E7%94%A8%E5%8E%9F%E8%AF%AD-pipe) [article] [CVE-2022-0185]
[2022: "Linux kernel Use-After-Free (CVE-2021-23134) PoC"](https://web.archive.org/web/20220616193522/https://ruia-ruia.github.io/NFC-UAF/) [article] [CVE-2021-23134]
[2022: "Exploiting CVE-2021-26708 (Linux kernel) with ssh"](https://hardenedvault.net/2022/03/01/poc-cve-2021-26708.html) [article] [CVE-2021-26708]
[2022: "exploiting CVE-2019-2215" by cutesmilee](https://cutesmilee.github.io/kernel/linux/android/2022/02/17/cve-2019-2215_writeup.html) [article] [CVE-2019-2215]
[2022: "Linux Kernel PWN | 02 CVE-2009-1897"](https://blog.wohin.me/posts/linux-kernel-pwn-02/) [article] [CVE-2009-1897]
[2021: "Your Trash Kernel Bug, My Precious 0-day" by Zhenpeng Lin](https://zplin.me/talks/BHEU21_trash_kernel_bug.pdf) [slides] [CVE-2021-3715]
[2021: "[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver"](https://syst3mfailure.io/sixpack-slab-out-of-bounds) [article] [CVE-2021-42008]
[2021: "PWN2OWN Local Escalation of Privilege Category, Ubuntu Desktop Exploit"](https://flatt.tech/assets/reports/210401_pwn2own/whitepaper.pdf) [article] [CVE-TBD]
[2021: "Reversing and Exploiting Samsung's NPU" by Maxime Peterlin](https://blog.impalabs.com/2103_reversing-samsung-npu.html) [article] [[part 2](https://blog.impalabs.com/2110_exploiting-samsung-npu.html)] [[slides](https://github.com/Impalabs/conferences/blob/master/2021-barbhack21/21-Barbhack21-Reversing_and_Exploiting_Samsungs_Neural_Processing_Unit.pdf)]
[2021: "Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver" by Man Yue Mo](https://securitylab.github.com/research/qualcomm_npu/) [article] [CVE-2021-1940, CVE-2021-1968, CVE-2021-1969]
[2021: "Exploiting CVE-2021-43267" by Blasty](https://haxx.in/posts/pwning-tipc/) [article] [CVE-2021-43267]
[2021: "How a simple Linux kernel memory corruption bug can lead to complete system compromise" by Jann Horn](https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memory.html) [article] [CVE-TBD]
[2021: "SuDump: Exploiting suid binaries through the kernel" by Itai Greenhut](https://alephsecurity.com/2021/10/20/sudump/) [article] [CVE-TBD]
[2021: "CVE-2021-34866 Writeup" by HexRabbit](https://blog.hexrabbit.io/2021/11/03/CVE-2021-34866-writeup/) [article] [CVE-2021-34866]
[2021: "Kernel Pwning with eBPF: a Love Story" by Valentina Palmiotti](https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story) [article] [CVE-2021-3490]
[2021: "The Art of Exploiting UAF by Ret2bpf in Android Kernel" by Xingyu Jin and Richard Neal](https://i.blackhat.com/EU-21/Wednesday/EU-21-Jin-The-Art-of-Exploiting-UAF-by-Ret2bpf-in-Android-Kernel-wp.pdf) [article] [[slides](https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20The%20Art%20of%20Exploiting%20UAF%20by%20Ret2bpf%20in%20Android%20Kernel%20-%20Xingyu%20Jin%20&%20Richard%20Neal.pdf)] [[video](https://www.youtube.com/watch?v=7UXtirV1Vzg)] [CVE-2021-0399]
[2021: "Internal of the Android kernel backdoor vulnerability"](https://vul.360.net/archives/263) [article] [CVE-2021-28663]
[2021: "Escape from chrome sandbox to root"](https://vul.360.net/archives/217) [article] [CVE-2020-0423]
[2021: "CVE-2017-11176" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernelStudy/tree/main/CVE-2017-11176) [article] [CVE-2017-11176]
[2021: "Sequoia: A deep root in Linux's filesystem layer (CVE-2021-33909)" by Qualys Research Team](https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt) [article] [CVE-2021-33909]
[2021: "CVE-2021-22555: Turning \x00\x00 into 10000$" by Andy Nguyen](https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html) [article] [CVE-2021-22555]
[2021: "Exploitation of a double free vulnerability in Ubuntu shiftfs driver (CVE-2021-3492)" by Vincent Dehors](https://www.synacktiv.com/publications/exploitation-of-a-double-free-vulnerability-in-ubuntu-shiftfs-driver-cve-2021-3492.html) [article] [CVE-2021-3492]
[2021: "CVE-2021-20226 a reference counting bug which leads to local privilege escalation in io_uring"](https://flattsecurity.medium.com/cve-2021-20226-a-reference-counting-bug-which-leads-to-local-privilege-escalation-in-io-uring-e946bd69177a) [article] [CVE-2021-20226]
[2021: "CVE-2021-32606: CAN ISOTP local privilege escalation"](https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md) [article] [CVE-2021-32606]
[2021: "CVE-2021-3609: CAN BCM local privilege escalation"](https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3609.md) [article] [[announcement](https://www.openwall.com/lists/oss-security/2021/06/19/1)] [CVE-2021-3609]
[2021: "Blue Klotski (CVE-2021-3573) and the story for fixing" by f0rm2l1n](https://f0rm2l1n.github.io/2021-07-23-Blue-Klotski/) [article] [[announcement](https://www.openwall.com/lists/oss-security/2021/06/08/2)] [CVE-2021-3573]
[2021: "ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier" by Lucas Leong](https://www.zerodayinitiative.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier) [article]
[2021: "ZDI-20-1440 Writeup" by HexRabbit](https://blog.hexrabbit.io/2021/02/07/ZDI-20-1440-writeup/) [article]
[2021: "SSD Advisory – OverlayFS PE"](https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/) [article] [CVE-2021-3493]
[2021: "[BugTales] A Nerve-Racking Bug Collision in Samsung's NPU Driver" by Gyorgy Miru](https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/) [article] [CVE-2020-28343, SVE-2020-18610]
[2021: "CVE-2021-20226: A Reference-Counting Bug in the Linux Kernel io_uring Subsystem" by Lucas Leong](https://www.zerodayinitiative.com/blog/2021/4/22/cve-2021-20226-a-reference-counting-bug-in-the-linux-kernel-iouring-subsystem) [article] [CVE-2021-20226]
[2021: "One day short of a full chain: Part 1 - Android Kernel arbitrary code execution" by Man Yue Mo](https://securitylab.github.com/research/one_day_short_of_a_fullchain_android/) [article] [GHSL-2020-375]
[2021: "New Old Bugs in the Linux Kernel"](https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html) [article] [CVE-2021-27365, CVE-2021-27363, CVE-2021-27364]
[2021: "Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel"](https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708.pdf)] [[video](https://www.youtube.com/watch?v=EMcjHfceX44)] [CVE-2021-26708]
[2021: "Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG" by Alexander Popov](https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf)] [[video](https://www.youtube.com/watch?v=n6YLiYiCIMA)]
[2021: "Gaining root access in Linux using the CVE-2021-26708 vulnerability" by Markel Azpeitia Loiti](https://addi.ehu.es/bitstream/handle/10810/53355/GrAL_MAzpeitia.pdf) [paper]
[2021: "CVE-2014-3153" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernelStudy/tree/main/CVE-2014-3153) [article] [CVE-2014-3153]
[2021: "The curious case of CVE-2020-14381"](https://blog.frizn.fr/linux-kernel/cve-2020-14381) [article] [CVE-2020-14381]
[2021: "Galaxy's Meltdown - Exploiting SVE-2020-18610"](https://github.com/vngkv123/articles/blob/main/Galaxy's%20Meltdown%20-%20Exploiting%20SVE-2020-18610.md) [article] [CVE-2020-28343, SVE-2020-18610]
[2021: "In-the-Wild Series: Android Exploits" by Mark Brand](https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html) [article]
[2021: "Exploiting CVE-2014-3153 (Towelroot)" by Elon Gliksberg](https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html) [article] [CVE-2014-3153]
[2020: "An iOS hacker tries Android" by Brandon Azad](https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html) [article] [CVE-2020-28343, SVE-2020-18610]
[2020: "Exploiting a Single Instruction Race Condition in Binder"](https://blog.longterm.io/cve-2020-0423.html) [article] [CVE-2020-0423]
[2020: "Three Dark clouds over the Android kernel" by Jun Yao](https://github.com/2freeman/Slides/blob/main/PoC-2020-Three%20Dark%20clouds%20over%20the%20Android%20kernel.pdf) [slides] [CVE-2020-3680]
[2020: "Kernel Exploitation With A File System Fuzzer"](https://cyberweek.ae/materials/2020/D1T2%20-%20Kernel%20Exploitation%20with%20a%20File%20System%20Fuzzer.pdf) [slides] [[video](https://www.youtube.com/watch?v=95f1b4FcrQ4)] [CVE-2019-19377]
[2020: "Finding and exploiting a bug (LPE) in an old Android phone" by Brandon Falk](https://www.youtube.com/watch?v=g62FXds2pt8) [stream] [[part 2](https://www.youtube.com/watch?v=qnyFk-f3Koo)] [[summary](https://www.youtube.com/watch?v=t-t7D0vQNmo)]
[2020: "CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel" by Or Cohen](https://unit42.paloaltonetworks.com/cve-2020-14386/) [article] [CVE-2020-14386]
[2020: "Attacking the Qualcomm Adreno GPU" by Ben Hawkes](https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html) [article] [CVE-2020-11179]
[2020: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong at Black Hat](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices.pdf) [slides] [[paper](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf)] [CVE-2019-10567]
[2020: "Binder - Analysis and exploitation of CVE-2020-0041" by Jean-Baptiste Cayrou](https://www.synacktiv.com/posts/exploit/binder-analysis-and-exploitation-of-cve-2020-0041.html) [article] [CVE-2020-0041]
[2020: "Binder IPC and its vulnerabilities" by Jean-Baptiste Cayrou at THCON](https://www.synacktiv.com/ressources/thcon2020_binder.pdf) [slides] [CVE-2019-2215, CVE-2019-2025, CVE-2019-2181, CVE-2019-2214, CVE-2020-0041]
[2020: "Exploiting CVE-2020-0041 - Part 2: Escalating to root" by Eloi Sanfelix and Jordan Gruskovnjak](https://labs.bluefrostsecurity.de/blog/2020/04/08/cve-2020-0041-part-2-escalating-to-root/) [article] [CVE-2020-0041]
[2020: "A bug collision tale" by Eloi Sanfelix at OffensiveCon](https://labs.bluefrostsecurity.de/files/OffensiveCon2020_bug_collision_tale.pdf) [slides] [[video](https://www.youtube.com/watch?v=WOdRkZwGYDQ)] [CVE-2019-2025]
[2020: "CVE-2020-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification" by Manfred Paul](https://www.zerodayinitiative.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification) [article] [CVE-2020-8835]
[2020: "Mitigations are attack surface, too" by Jann Horn](https://googleprojectzero.blogspot.com/2020/02/mitigations-are-attack-surface-too.html) [article]
[2020: "CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem" by Alexander Popov](https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2019-18683.pdf)] [CVE-2019-18683]
[2020: "Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices" by Tamir Zahavi-Brunner](https://blog.zimperium.com/multiple-kernel-vulnerabilities-affecting-all-qualcomm-devices/) [article] [CVE-2019-14040, CVE-2019-14041]
[2019: "CVE-2017-16995 Analysis - eBPF Sign Extension LPE" by senyuuri](https://blog.senyuuri.info/2019/01/19/kernel-epbf-sign-extension/) [article] [CVE-2017-16995]
[2019: "Kernel Research / mmap handler exploitation" by deshal3v](https://deshal3v.github.io/blog/kernel-research/mmap_exploitation) [article] [CVE-2019-18675]
[2019: "Bad Binder: Android In-The-Wild Exploit" by Maddie Stone](https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html) [article] [CVE-2019-2215]
[2019: "Analyzing Android's CVE-2019-2215 (/dev/binder UAF)"](https://dayzerosec.com/posts/analyzing-androids-cve-2019-2215-dev-binder-uaf/) [article] [CVE-2019-2215]
[2019: "Stream Cut: Android Kernel Exploitation with Binder Use-After-Free (CVE-2019-2215)"](https://www.youtube.com/watch?v=yrLXvmzUQME) [video] [CVE-2019-2215]
[2019: "CVE-2019-2215 - Android kernel binder vulnerability analysis"](https://xz.aliyun.com/t/6853) [article] [CVE-2019-2215]
[2019: "Deep Analysis of Exploitable Linux Kernel Vulnerabilities" by Tong Lin and Luhai Chen at Linux Security Summit EU](https://www.youtube.com/watch?v=MYEAGmP_id4) [video] [CVE-2017-16995, CVE-2017-10661]
[2019: "Tailoring CVE-2019-2215 to Achieve Root" by Grant Hernandez](https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/) [article] [CVE-2019-2215]
[2019: "From Zero to Root: Building Universal Android Rooting with a Type Confusion Vulnerability" by Wang Yong](https://github.com/ThomasKing2014/slides/blob/master/Building%20universal%20Android%20rooting%20with%20a%20type%20confusion%20vulnerability.pdf) [slides] [CVE-2018-9568, WrongZone]
[2019: "KARMA takes a look at offense and defense: WrongZone from exploitation to repair"](https://mp.weixin.qq.com/s?__biz=MzA3NTQ3ODI0NA==&mid=2247485060&idx=1&sn=b3773b0478f7b5ee39fa1a6527b4f3ff) [article] [CVE-2018-9568, WrongZone]
[2019: "Android Binder: The Bridge To Root" by Hongli Han and Mingjian Zhou](https://conference.hitb.org/hitbsecconf2019ams/materials/D2T2%20-%20Binder%20-%20The%20Bridge%20to%20Root%20-%20Hongli%20Han%20&%20Mingjian%20Zhou.pdf) [slides] [CVE-2019-2025]
[2019: "The ‘Waterdrop’ in Android: A Binder Kernel Vulnerability" by Hongli Han](http://blogs.360.cn/post/Binder_Kernel_Vul_EN.html) [article] [CVE-2019-2025]
[2019: "An Exercise in Practical Container Escapology" by Nick Freeman](https://capsule8.com/blog/practical-container-escape-exercise/) [article] [CVE-2017-1000112]
[2019: "Taking a page from the kernel's book: A TLB issue in mremap()" by Jann Horn](https://googleprojectzero.blogspot.com/2019/01/taking-page-from-kernels-book-tlb-issue.html) [article] [CVE-2018-18281]
[2019: "CVE-2018-18281 - Analysis of TLB Vulnerabilities in Linux Kernel"](https://xz.aliyun.com/t/4005) [article]
[2019: "Analysis of Linux xfrm Module Cross-Border Read-Write Escalation Vulnerability (CVE-2017-7184)"](http://p4nda.top/2019/02/16/CVE-2017-7184/) [article] [CVE-2017-7184]
[2019: "Analysis of Escalation Vulnerability Caused by Integer Extension of Linux ebpf Module (CVE-2017-16995)"](http://p4nda.top/2019/01/18/CVE-2017-16995/) [article] [CVE-2017-16995]
[2019: "Linux kernel 4.20 BPF integer overflow vulnerability analysis"](http://p4nda.top/2019/01/02/kernel-bpf-overflow/) [article]
[2019: "Attacking DRM subsystem to gain kernel privilege on Chromebooks" by Di Shen](https://speakerdeck.com/retme7/attacking-drm-subsystem-to-gain-kernel-privilege-on-chromebooks) [slides] [[video](https://www.youtube.com/watch?v=lBgtZvIxEwA)] [CVE-2019-16508]
[2018: "Linux kernel 4.20 BPF integer overflow-heap overflow vulnerability and its exploitation"](https://www.anquanke.com/post/id/166819) [article]
[2018: "CVE-2017-11176: A step-by-step Linux Kernel exploitation"](https://blog.lexfo.fr/) [article] [CVE-2017-11176]
[2018: "A cache invalidation bug in Linux memory management" by Jann Horn](https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html) [article] [CVE-2018-17182]
[2018: "Dissecting a 17-year-old kernel bug" by Vitaly Nikolenko at beVX](https://cyseclabs.com/slides/bevx-talk.pdf) [slides] [CVE-2018-6554, CVE-2018-6555]
[2018: "SSD Advisory – IRDA Linux Driver UAF"](https://blogs.securiteam.com/index.php/archives/3759) [article] [CVE-2018-6554, CVE-2018-6555]
[2018: "Integer overflow in Linux's create_elf_tables()"](https://www.openwall.com/lists/oss-security/2018/09/25/4) [announcement] [CVE-2018-14634]
[2018: "MMap Vulnerabilities – Linux Kernel"](https://research.checkpoint.com/mmap-vulnerabilities-linux-kernel/) [article] [CVE-2018-8781]
[2018: "Ubuntu kernel eBPF 0day analysis"](https://security.tencent.com/index.php/blog/msg/124) [article] [CVE-2017-16995]
[2018: "eBPF and Analysis of the get-rekt-linux-hardened.c Exploit for CVE-2017-16995"](https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html) [article] [CVE-2017-16995]
[2017: "Challenge Impossible -- Multiple Exploit On Android" by Hanxiang Wen and Xiaodong Wang](https://hitcon.org/2017/CMT/slide-files/d1_s4_r2.pdf) [slides] [CVE-2017-0437]
[2017: "CVE-2017-1000112: Exploiting an out-of-bounds bug in the Linux kernel UFO packets" by Andrey Konovalov](https://xairy.io/articles/cve-2017-1000112) [article] [CVE-2017-1000112]
[2017: "Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112" by Krishs Patil](https://securingtomorrow.mcafee.com/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/) [article] [CVE-2017-1000112]
[2017: "Adapting the POC for CVE-2017-1000112 to Other Kernels"](https://ricklarabee.blogspot.de/2017/12/adapting-poc-for-cve-2017-1000112-to.html) [article] [CVE-2017-1000112]
[2017: "The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel" by Di Shen](https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel) [slides] [CVE-2017-0403, CVE-2016-6787] [[video](https://www.youtube.com/watch?v=U2qvK1hJ6zg)]
[2017: "Exploiting CVE-2017-5123 with full protections. SMEP, SMAP, and the Chrome Sandbox!" by Chris Salls](https://salls.github.io/Linux-Kernel-CVE-2017-5123/) [article] [CVE-2017-5123]
[2017: "Exploiting CVE-2017-5123" by Federico Bento](https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/) [article] [CVE-2017-5123]
[2017: "Escaping Docker container using waitid() – CVE-2017-5123" by Daniel Shapira](https://www.twistlock.com/2017/12/27/escaping-docker-container-using-waitid-cve-2017-5123/) [article] [CVE-2017-5123]
[2017: "LKE v4.13.x - waitid() LPE" by HyeongChan Kim](http://kozistr.tech/sec-res/2017/10/29/LKE-CVE-2017-5123.html) [article] [CVE-2017-5123]
[2017: "Exploiting on CVE-2016-6787"](https://hardenedlinux.github.io/system-security/2017/10/16/Exploiting-on-CVE-2016-6787.html) [article] [CVE-2016-6787]
[2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov](https://www.youtube.com/watch?v=g7Qm0NpPAz4) [video] [CVE-2017-2636]
[2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov](https://program.sha2017.org/system/event_attachments/attachments/000/000/111/original/a13xp0p0v_race_for_root_SHA2017.pdf) [slides] [CVE-2017-2636]
[2017: "CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP" by Alexander Popov](https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html) [article] [CVE-2017-2636]
[2017: "CVE-2017-2636: local privilege escalation flaw in n_hdlc" by Alexander Popov](http://seclists.org/oss-sec/2017/q1/569) [announcement] [CVE-2017-2636]
[2017: "Dirty COW and why lying is bad even if you are the Linux kernel"](https://chao-tic.github.io/blog/2017/05/24/dirty-cow) [article] [CVE-2016-5195]
[2017: "NDAY-2017-0103: Arbitrary kernel write in sys_oabi_epoll_wait" by Zuk Avraham](https://blog.zimperium.com/nday-2017-0103-arbitrary-kernel-write-in-sys_oabi_epoll_wait/) [article] [CVE-2016-3857]
[2017: "NDAY-2017-0106: Elevation of Privilege in NVIDIA nvhost-vic driver" by Zuk Avraham](https://blog.zimperium.com/nday-2017-0106-elevation-of-privilege-in-nvidia-nvhost-vic-driver/) [article] [CVE-2016-2434]
[2017: "PWN2OWN 2017 Linux kernel privilege escalation analysis"](https://zhuanlan.zhihu.com/p/26674557) [article] [CVE-2017-7184]
[2017: "Exploiting the Linux kernel via packet sockets" by Andrey Konovalov](https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html) [article] [CVE-2017-7308]
[2017: "Solving a post exploitation issue with CVE-2017-7308"](https://www.coresecurity.com/core-labs/articles/solving-post-exploitation-issue-cve-2017-7308) [article] [CVE-2017-7308]
[2017: "NDAY-2017-0105: Elevation of Privilege Vulnerability in MSM Thermal Driver" by Zuk Avraham](https://blog.zimperium.com/nday-2017-0105-elevation-of-privilege-vulnerability-in-msm-thermal-driver/) [article] [CVE-2016-2411]
[2017: "NDAY-2017-0102: Elevation of Privilege Vulnerability in NVIDIA Video Driver" by Zuk Avraham](https://blog.zimperium.com/nday-2017-0102-elevation-of-privilege-vulnerability-in-nvidia-video-driver/) [article] [CVE-2016-2435]
[2017: "CVE-2017-6074: Exploiting a double-free in the Linux kernel DCCP sockets" by Andrey Konovalov](https://xairy.io/articles/cve-2017-6074) [article] [CVE-2017-6074]
[2016: "CVE-2016-8655 Linux af_packet.c race condition (local root)" by Philip Pettersson](http://seclists.org/oss-sec/2016/q4/607) [announcement] [CVE-2016-8655]
[2016: "Rooting Every Android From Extension To Exploitation" by Di Shen and James Fang at Black Hat](https://speakerdeck.com/retme7/rooting-every-android-from-extension-to-exploitation) [slides] [[article](https://www.blackhat.com/docs/eu-16/materials/eu-16-Shen-Rooting-Every-Android-From-Extension-To-Exploitation-wp.pdf)] [CVE-2015-0570, CVE-2016-0820, CVE-2016-2475, CVE-2016-8453]
[2016: "Talk is Cheap, Show Me the Code" by James Fang, Di Shen and Wen Niu](https://speakerdeck.com/retme7/talk-is-cheap-show-me-the-code) [slides] [CVE-2015-1805]
[2016: "CVE-2016-3873: Arbitrary Kernel Write in Nexus 9" by Sagi Kedmi](https://sagi.io/2016/09/cve-2016-3873-arbitrary-kernel-write-in-nexus-9/) [article] [CVE-2016-3873]
[2016: "Exploiting Recursion in the Linux Kernel" by Jann Horn](https://googleprojectzero.blogspot.de/2016/06/exploiting-recursion-in-linux-kernel_20.html) [article] [CVE-2016-1583]
[2016: "ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)" by Perception Point Research Team](http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/) [article] [CVE-2016-0728]
[2016: "CVE20160728 Exploit Code Explained" by Shilong Zhao](http://dreamhack.it/linux/2016/01/25/cve-2016-0728-exploit-code-explained.html) [article] [CVE-2016-0728]
[2016: "CVE-2016-0728 vs Android" by Collin Mulliner](https://www.mulliner.org/blog/blosxom.cgi/security/CVE-2016-0728_vs_android.writeback?advanced_search=1) [article] [CVE-2016-0728]
[2016: "Notes about CVE-2016-7117" by Lizzie Dixon](https://blog.lizzie.io/notes-about-cve-2016-7117.html) [article] [CVE-2016-7117]
[2016: "CVE-2016-2384: exploiting a double-free in the usb-midi linux kernel driver" by Andrey Konovalov](https://xairy.github.io/blog/2016/cve-2016-2384) [article] [CVE-2016-2384]
[2016: "CVE-2016-6187: Exploiting Linux kernel heap off-by-one" by Vitaly Nikolenko](https://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit) [article] [CVE-2016-6187]
[2016: "CVE-2014-2851 group_info UAF Exploitation" by Vitaly Nikolenko](https://cyseclabs.com/page?n=02012016) [article] [CVE-2014-2851]
[2016: "Perf: From Profiling To Kernel Exploiting" by Wish Wu at HITB Ams](https://conference.hitb.org/hitbsecconf2016ams/wp-content/uploads/2015/11/D2T2-Wish-Wu-Perf-From-Profiling-to-Kernel-Exploiting.pdf) [slides] [[video](https://www.youtube.com/watch?v=37v14rMtALs)] [CVE-2016-0819]
[2016: "QUADROOTER: NEW VULNERABILITIES AFFECTING OVER 900 MILLION ANDROID DEVICES"](https://www.blackhat.com/docs/eu-16/materials/eu-16-Donenfeld-Stumping-The-Mobile-Chipset-wp.pdf) [article] [CVE-2016-2503, CVE-2016-2504, CVE-2016-2059, CVE-2016-5340]
[2016: "STUMPING THE MOBILE CHIPSET: New 0days from down under" by Adam Donenfeld at DEF CON](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Adam-Donenfeld-Stumping-The-Mobile-Chipset.pdf) [slides] [CVE-2016-2503, CVE-2016-2504, CVE-2016-2059, CVE-2016-5340]
[2015: "Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)" by Gal Beniamini](https://bits-please.blogspot.de/2015/08/android-linux-kernel-privilege.html) [article] [CVE-2014-4322]
[2015: "Exploiting "BadIRET" vulnerability" by Rafal Wojtczuk](https://web.archive.org/web/20171118232027/https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/) [article] [CVE-2014-9322]
[2015: "Follow-up on Exploiting "BadIRET" vulnerability (CVE-2014-9322)" by Adam Zabrocki](http://blog.pi3.com.pl/?p=509) [article] [CVE-2014-9322]
[2015: "Ah! Universal Android Rooting Is Back" by Wen Xu at Black Hat](https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back.pdf) [slides] [[video](https://www.youtube.com/watch?v=HVP1c7Ct1nM)] [[paper](https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back-wp.pdf)] [CVE-2015-3636]
[2015: "When is something overflowing" by Keen Team](https://www.slideshare.net/PeterHlavaty/overflow-48573748) [slides]
[2015: "Exploiting the DRAM rowhammer bug to gain kernel privileges" by Mark Seaborn and Thomas Dullien](https://googleprojectzero.blogspot.de/2015/03/exploiting-dram-rowhammer-bug-to-gain.html) [article] [Rowhammer]
[2015: "CVE-2014-4943 - PPPoL2TP DoS Analysis" by Vitaly Nikolenko](https://cyseclabs.com/page?n=01102015) [article] [CVE-2014-4943]
[2015: "CVE-2015-0568: Use-After-Free Vulnerability in the Camera Driver of Qualcomm MSM 7x30"](http://c0reteam.org/2015/11/18/cve-20150568) [article] [CVE-2015-0568]
[2014: "Exploiting CVE-2014-0196 a walk-through of the Linux pty race condition PoC" by Samuel Gross](http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html) [article] [CVE-2014-0196]
[2014: "CVE-2014-4014: Linux Kernel Local Privilege Escalation "exploitation"" by Vitaly Nikolenko](https://cyseclabs.com/blog/cve-2014-4014-local-privilege-escalation) [article] [CVE-2014-4014]
[2014: "CVE-2014-4699: Linux Kernel ptrace/sysret vulnerability analysis" by Vitaly Nikolenko](https://cyseclabs.com/blog/cve-2014-4699-linux-kernel-ptrace-sysret-analysis) [article] [CVE-2014-4699]
[2014: "How to exploit the x32 recvmmsg() kernel vulnerability CVE 2014-0038" by Samuel Gross](http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html) [article] [CVE-2014-0038]
[2014: "Exploiting the Futex Bug and uncovering Towelroot"](http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/) [article] [CVE-2014-3153]
[2014: "CVE-2014-3153 Exploit" by Joel Eriksson](http://www.clevcode.org/cve-2014-3153-exploit/) [article] [CVE-2014-3153]
[2013: "Privilege Escalation Kernel Exploit" by Julius Plenz](https://blog.plenz.com/2013-02/privilege-escalation-kernel-exploit.html) [article] [CVE-2013-1763]
[2013: "A closer look at a recent privilege escalation bug in Linux (CVE-2013-2094)" by Joe Damato](http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/) [article] [CVE-2013-2094]
[2012: "Linux Local Privilege Escalation via SUID /proc/pid/mem Write" by Jason Donenfeld](https://git.zx2c4.com/CVE-2012-0056/about/) [article] [CVE-2012-0056]
[2011: "Kernel Exploitation Via Uninitialized Stack" by Kees Cook at DEF CON](https://www.defcon.org/images/defcon-19/dc-19-presentations/Cook/DEFCON-19-Cook-Kernel-Exploitation.pdf) [slides] [[video](https://www.youtube.com/watch?v=jg-wnwnkbsy)] [CVE-2010-2963]
[2010: "CVE-2010-2963 v4l compat exploit" by Kees Cook](https://outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-exploit/) [article] [CVE-2010-2963]
[2010: "Exploiting large memory management vulnerabilities in Xorg server running on Linux" by Rafal Wojtczuk](http://invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf) [article] [CVE-2010-2240]
[2010: "CVE-2007-4573: The Anatomy of a Kernel Exploit" by Nelson Elhage](https://blog.nelhage.com/2010/02/cve-2007-4573-the-anatomy-of-a-kernel-exploit/) [article] [CVE-2007-4573]
[2010: "Linux Kernel CAN SLUB Overflow" by Jon Oberheide](https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/) [article] [CVE-2010-2959]
[2010: "af_can linux kernel overflow" by Ben Hawkes](http://inertiawar.com/af_can/) [article] [CVE-2010-2959]
[2010: "linux compat vulns (part 1)" by Ben Hawkes](http://inertiawar.com/compat1/) [article] [CVE-2010-3081]
[2010: "linux compat vulns (part 2)" by Ben Hawkes](http://inertiawar.com/compat2/) [article] [CVE-2010-3301]
[2010: "Some Notes on CVE-2010-3081 Exploitability"](https://blog.nelhage.com/2010/11/exploiting-cve-2010-3081/) [article] [CVE-2010-3081]
[2010: "Anatomy of an exploit: CVE-2010-3081"](https://blogs.oracle.com/ksplice/anatomy-of-an-exploit%3a-cve-2010-3081) [article] [CVE-2010-3081]
[2010: "CVE-2010-4258: Turning denial-of-service into privilege escalation" by Nelson Elhage](https://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc/) [article] [CVE-2010-4258]
[2009: "Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692)"](http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html) [article] [CVE-2009-2692]
[2009: "Even when one byte matters"](https://kernelbof.blogspot.de/2009/07/even-when-one-byte-matters.html) [article] [CVE-2009-1046]
[2009: "CVE-2008-0009/CVE-2008-0010: Linux kernel vmsplice(2) Privilege Escalation"](https://xorl.wordpress.com/2009/08/10/cve-2008-0600cve-2008-0010-linux-kernel-vmsplice2-privilege-escalation/) [article] [CVE-2008-0009, CVE-2008-0010]
[2008: "vmsplice(): the making of a local root exploit" by Jonathan Corbet](https://lwn.net/Articles/268783/) [article] [CVE-2008-0600]
[2004: "Linux kernel do_mremap VMA limit local privilege escalation vulnerability"](http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt) [article] [CVE-2004-0077]
### RCE
[2024: "Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap" by Robert Herrera and Alex Plaskett](https://www.nccgroup.com/media/uzbp3ttw/bhus24_sonos_whitepaper.pdf) [article] [[slides](https://i.blackhat.com/BH-US-24/Presentations/US-24-Herrera-Listen-Up-Sonos-Over-The-Air-Exploitation-and-Covert-Wiretap-Thursday.pdf)] [[video](https://www.youtube.com/watch?v=piw0CZ46-Q0)] [CVE-2023-50809] [CVE-2024-20018]
[2023: "Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution" by Guillaume Teissier and Quentin Minster](https://www.youtube.com/watch?v=XT6jLBbzwFM) [video] [CVE-2022-47943] [CVE-2023-2593]
[2022: "Writing a Linux Kernel Remote in 2022" by Samuel Page](https://blog.immunityinc.com/p/writing-a-linux-kernel-remote-in-2022/) [article] [[slides](https://conference.hitb.org/hitbsecconf2022sin/materials/D1T1%20-%20Erybody%20Gettin%20TIPC%20-%20Demystifying%20Remote%20Linux%20Kernel%20Exploitation%20-%20Sam%20Page.pdf)] [CVE-2022-0435]
[2022: "Zenith: Pwn2Own TP-Link AC1750 Smart Wi-Fi Router Remote Code Execution Vulnerability" by Axel Souchet](https://github.com/0vercl0k/zenith) [article] [CVE-2022-24354]
[2021: "BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution" by Andy Nguyen](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup): [BadChoice](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq), [BadKarma](https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq), [BadVibes](https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649) [article] [CVE-2020-12352, CVE-2020-12351, CVE-2020-24490]
[2017: "Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html) [article] [CVE-2017-0569]
[2017: "BlueBorne: The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks"](http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf?t=1505222709963) [paper] [CVE-2017-1000251]
[2016: "CVE Publication: CVE 2016-8633" by Eyal Itkin](https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/) [article] [CVE-2016-8633]
[2011: "Owned Over Amateur Radio: Remote Kernel Exploitation in 2011" at DEF CON](http://cs.dartmouth.edu/~sergey/cs258/2012/Dan-Rosenberg-lecture.pdf) [slides] [[video](https://www.youtube.com/watch?v=kBjD0HITQZA)] [CVE-2011-1493]
[2009: "When a "potential D.o.S." means a one-shot remote kernel exploit: the SCTP story"](https://kernelbof.blogspot.de/2009/04/kernel-memory-corruptions-are-not-just.html) [article] [CVE-2009-0065]
### Other
[2025: "A Series of io_uring pbuf Vulnerabilities" by Pumpkin Chang](https://u1f383.github.io/linux/2025/03/02/a-series-of-io_uring-pbuf-vulnerabilities.html) [article] [CVE-2024-0582] [CVE-2024-35880] [CVE-UNKNOWN]
[2025: "The io_uring Promotion in kernelCTF And Two Vulnerabilities Analysis"](https://u1f383.github.io/linux/2025/02/28/the-io_uring-promotion-in-kernelCTF-and-two-vulnerabilities-analysis.html) [article] [CVE-UNKNOWN] [CVE-2023-52926]
[2025: "Linux Kernel Some Vsock Vulnerabilities Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2025/02/24/linux-kernel-some-vsock-vulnerabilities-analysis.html) [article] [CVE-2025-21669] [CVE-2025-21670] [CVE-2025-21666]
[2025: "From Zero to Emo – My Journey of Many Failures in kernelCTF" by Pumpkin Chang](https://u1f383.github.io/linux/2025/02/21/from-zero-to-emo-my-journey-of-many-failures-in-kernelCTF.html) [article] [CVE-2024-56770] [CVE-2025-21703] [CVE-2025-21700]
[2025: "A 1-day a Day in the Lunar New Year" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/27/a-1-day-a-day-in-the-lunar-new-year.html) [article] [CVE-UNKNOWN]
[2025: "Memory-related CVEs Exploited in kernelCTF" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/12/memory-related-cves-exploited-in-kernelctf.html) [article] [CVE-2024-50066] [CVE-2023-3269]
[2025: "Two Network-related vulnerabilities Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/08/two-network-related-vulnerabilities-analysis.html) [article] [CVE-2023-6932] [CVE-2023-0461]
[2025: "Cellebrite zero-day exploit used to target phone of Serbian student activist"](https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/) [article] [CVE-2024-53104] [CVE-2024-53197] [CVE-2024-50302]
[2025: "Accidentally uncovering a seven years old vulnerability in the Linux kernel" by Anderson Nascimento](https://allelesecurity.com/accidentally-uncovering-a-seven-years-old-vulnerability-in-the-linux-kernel/) [article] [CVE-2024-36904]
[2025: "Linux Kernel: Out of bounds Write in ksmbd_vfs_stream_write" by Jordy Zomer](https://github.com/google/security-research/security/advisories/GHSA-qmm2-xfcw-4r29) [article] [CVE-2024-56626]
[2025: "Linux Kernel: Out of bounds Read in ksmbd_vfs_stream_read" by Jordy Zomer](https://github.com/google/security-research/security/advisories/GHSA-gqrv-6fcf-hvv8) [article] [CVE-2024-56627]
[2025: "Linux Kernel: Integer Overflow in eBPF XSK map_delete_elem Leads to Out-of-Bounds" by Jordy Zomer](https://github.com/google/security-research/security/advisories/GHSA-cqc2-6j63-6qrx) [article] [CVE-2024-56614]
[2025: "Integer Overflow in eBPF DEVMAP map_delete_elem Leads to Out-of-Bounds" by Jordy Zomer](https://github.com/google/security-research/security/advisories/GHSA-fphp-6498-x998) [article] [CVE-2024-56615]
[2025: "Some Casual Notes for CVE-2024-26921" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/04/some-casual-notes-for-cve-2024-26921.html) [article] [CVE-2024-26921]
[2024: "Linux Kernel ICMPv6 & CVE-2023-6200" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/04/linux-kernel-icmpv6-and-cve-2023-6200.html) [article] [CVE-2023-6200]
[2024: "Linux Kernel Perf CVE-2023-5717 Quick Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/17/linux-kernel-perf-cve-2023-5717-quick-analysis.html) [article] [CVE-2023-5717]
[2024: "A Quick Note for Perf CVE-2024-46713" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/15/a-quick-note-for-perf-cve-2024-46713.html) [article] [CVE-2024-46713]
[2024: "Linux Kernel Perf CVE-2023-6931 Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/14/linux-kernel-perf-cve-2023-6931-analysis.html) [article] [CVE-2023-6931]
[2024: "Linux Kernel Vsock 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/12/linux-kernel-vsock-1-day-analysis.html) [article] [CVE-UNKNOWN]
[2024: "Three Linux net/sched 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/09/05/three-linux-net_sched-1-day-analysis.html) [article] [CVE-2024-36974] [CVE-2023-0590]
[2024: "Two Linux net/sched 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/31/two-linux-net_sched-1-day-analysis.html) [article] [CVE-2024-36978]
[2024: "CVE-2024-41010 - Linux net/sched UAF 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/07/29/cve-2024-41010-linux-net_sched-uaf-1-day-analysis.html) [article] [CVE-2024-41010]
[2024: "Linux eBPF Design and Vulnerability Case Study" by Pumpkin Chang](https://u1f383.github.io/linux/2024/07/12/linux-eBPF-design-and-vulnerability-case-study-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2024/07/20/linux-eBPF-design-and-vulnerability-case-study-part-2.html)] [CVE-2024-41009] [CVE-2022-23222] [CVE-2023-52447]
[2024: "Linux Kernel: TOCTOU in Exec System" by Marco Vanotti](https://github.com/google/security-research/security/advisories/GHSA-c45w-xwww-rfgg) [article] [CVE-2024-43882]
[2024: "CVE-2024-26926 Analysis" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernel-nday/blob/main/CVE-2024-26926/CVE_2024_26926_Analysis.pdf) [article] [CVE-2024-26926]
[2024: "CVE-2024-44068: Samsung m2m1shot_scaler0 device driver page use-after-free in Android"](https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2024/CVE-2024-44068.html) [article] [CVE-2024-44068]
[2024: "Deep Dive into RCU Race Condition: Analysis of TCP-AO UAF (CVE-2024-27394)"](https://blog.theori.io/deep-dive-into-rcu-race-condition-analysis-of-tcp-ao-uaf-cve-2024-27394-f40508b84c42) [article] [CVE-2024-27394]
[2024: "ZDI-24-821: A Remote UAF in The Kernel's net/tipc" by Sam Page](https://sam4k.com/zdi-24-821-a-remote-use-after-free-in-the-kernels-net-tipc/) [article] [ZDI-24-821] [CVE-2024-36886]
[2024: "Race condition in 9p file system"](https://r00tkitsmm.github.io/fuzzing/2024/05/29/Race-into-9p.html) [article]
[2024: "Notes about ZDI-24-195 in ksmbd"](https://twitter.com/Shiftreduce/status/1773385937893896206) [thread] [ZDI-24-195]
[2024: "PowerVR GPU - GPU Firmware may overwrite arbitrary kernel pages by RGXCreateFreeList"](https://bugs.chromium.org/p/apvi/issues/detail?id=140) [report]
[2024: "PowerVR GPU - UAF race condition by DevmemIntPFNotify and DevmemIntCtxRelease"](https://bugs.chromium.org/p/apvi/issues/detail?id=141) [report]
[2023: "Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt" by Jean-Baptiste Cayrou](https://www.synacktiv.com/sites/default/files/2023-11/ubuntu_shiftfs.pdf) [slides] [CVE-2023-2612]
[2023: "Attacking NPUs of Multiple Platforms"](https://i.blackhat.com/EU-23/Presentations/EU-23-Zhang-Attacking-NPUs-of-Multiple-Platforms.pdf) [slides] [CVE-2022-22265] [CVE-2020-28343] [SVE-2021-20204] [CVE-2023-42483] [CVE-2023-45864]
[2023: "Deep Dive: Qualcomm MSM Linux Kernel & ARM Mali GPU 0-day Exploit Attacks of October 2023" by Alisa Esage](https://zerodayengineering.com/insights/qualcomm-msm-arm-mali-0days.html) [article] [CVE-2023-33063] [CVE-2023-33106] [CVE-2023-33107] [CVE-2022-22071] [CVE-2023-4211]
[2023: "Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)" by notselwyn](https://pwning.tech/ksmbd/) [article] [CVE-2023-3866] [CVE-2023-3865] [[exploits](https://github.com/Notselwyn/exploits)]
[2023: "CVE-2023-4273: a vulnerability in the Linux exFAT driver" by Maxim Suhanov](https://dfir.ru/2023/08/23/cve-2023-4273-a-vulnerability-in-the-linux-exfat-driver/) [article] [CVE-2023-4273]
[2023: "Linux IPv6 'Route of Death' 0day" by Max VA](https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death) [article] [CVE-2023-2156]
[2022: "Linux Kernel: Infoleak in Bluetooth L2CAP Handling"](https://github.com/google/security-research/security/advisories/GHSA-vccx-8h74-2357) [advisory] [CVE-2022-42895]
[2022: "Linux Kernel: UAF