Extended the Pixel 8 KGDB article with the instructions on how to set up GEF. slub-dump, buddy-dump, and some other commands now work. Huge thanks to bata24 for implementing all required pieces.
xairy.io/articles/pix...
Gonna be teaching Exploiting the Android Kernel training at Zer0Con 2026 on March 30th to April 1st. This is a new training focused on data-only Android kernel exploitation techniques. Just a bit of time left to sign up. Pay attention to the requirements.
zer0con.org#training-sec...
Updates for the Linux kernel exploitation collection
github.com/xairy/linux-...
Gonna be teaching Fuzzing the Linux Kernel training online via Ringzer0 on March 20–25. Covers using/extending syzkaller and KASAN and related areas. I don't deliver this training often, so don't miss the opportunity.
ringzer0.training/countermeasu...
The end of a good time
slab: remove struct kmem_cache_cpu
git.kernel.org/pub/scm/linu...
slab: remove cpu (partial) slabs usage from allocation paths
git.kernel.org/pub/scm/linu...
Updates for the Linux kernel exploitation collection
github.com/xairy/linux-...
Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.
projectzero.google/2026/01/pixe...
REcon 2026 is LIVE!
Call for papers and registration are now open!
Join the world's top reverse engineers & exploit devs in Montreal:
Trainings: June 15-18
Conference: June 19-21
Tickets & early bird now open: recon.cx
Limited spots, see you in MTL! #REcon2026 #ReverseEngineering
@andreyknvl.bsky.social I don't know if this ever got brought up, but for a much more convenient way of doing this, Steam Deck supports this out of the box. You flip the toggle in BIOS, which is exposed by default, and then you can use the gadget directly within the OS. xairy.io/articles/thi...
Gonna be teaching Exploiting the Linux Kernel training at @offensivecon.bsky.social in Berlin on May 11–14th. Half of the spots already taken, so don't miss out. Also note that you can get a conference ticket as a bundle with a training.
In 2026, Andrey Konovalov (@andreyknvl.bsky.social) returns to OffensiveCon with a training on "Exploiting the Linux Kernel". Find more details here: https://buff.ly/dKDboYt
Don't miss this chance to improve your skills, sign up now!
The trainings' content is unique and exclusive to #offensivecon26, so don't miss out!
NEW: Get your training + conference ticket bundle and secure a conference ticket before the conference ticket shop opens!
Tickets: buff.ly/z8YNgoY
Don't worry, the conference ticket shop will open… at some point
This is still not fixed btw.
kernelCTF: CVE-2025-38477
kernelCTF entry for a race condition in the network scheduler subsystem.
Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux.
github.com/n132/securit...
Defeating KASLR by Doing Nothing at All
Article by Seth Jenkins about a few problems with physical memory KASLR on arm64 devices.
googleprojectzero.blogspot.com/2025/11/defe...
Updates for the Linux kernel exploitation collection
github.com/xairy/linux-...
Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers
Article by Robin Bastide about exploiting a NULL-pointer-dereference that led to a UAF access to the kernel stack in the NVIDIA GPU driver.
blog.quarkslab.com/nvidia_gpu_k...
Sheaves support has been merged into SLUB.
Opt-in for now, but planned to replace the per-CPU partial slab layer for all caches in the future.
Gonna have to revise the slab shaping strategies once this happens.
Merge commit: git.kernel.org/pub/scm/linu...
RFC to replace per-CPU partials: lore.kernel.org/linux-mm/202...
LWN article: lwn.net/Articles/101...
Delivered a workshop at BalCCon this weekend on emulating/sniffing/MitM'ing USB devices with Raw Gadget and a Raspberry Pi.
All materials are public, so you can go through the workshop on your own if you're interested.
github.com/xairy/raw-ga...
Updated syzkaller documentation on USB fuzzing to explain how to handle certain tricky cases (e.g. driver quirks applied based on Vendor/Product IDs).
github.com/google/syzka...
Wrote a trigger for CVE-2025-38494/5 (an integer underflow in the HID subsystem) that leaks 64 KB of OOB memory over USB.
Still works on Pixels and Ubuntus (but the bug is fixed in stable kernels).
github.com/xairy/kernel...
"Wrote" is a strong word for this, I just cleaned up the reproducer from this syzbot report:
syzkaller.appspot.com/bug?extid=fb...
The report has been public on the dashboard for over 2 months now. And there's plenty of other USB bugs that are still not fixed.
I also suspect that the CVE-2025-38494/5 fix is what actually fixes CVE-2024-50302.
Assuming the used chain was portable enough to also cover devices with CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, replacing kmalloc with kzalloc possibly did nothing.
bsky.app/profile/andr...
Updated the collection of USB hacking links.
github.com/xairy/usb-ha...
Whoever is coming to BalCCon: I will be teaching a workshop, Attacking USB with Raw Gadget (covering the basics of USB emulation and sniffing).
If you wish to attend, you must bring a Raspberry Pi 5 along with a few other things, see the workshop description.
github.com/xairy/raw-ga...
Updates for the Linux kernel exploitation collection
github.com/xairy/linux-...
Linux Kernel netfilter: ipset: Missing Range Check LPE
ssd-disclosure.com/linux-kernel...
Announcing #Pwn2Own Ireland for 2025! We return to the Emerald Isle with our new partner #Meta & a $1,000,000 WhatsApp bounty. Plus new USB vectors on phones & more. Read the details https://www.zerodayinitiative.com/blog/2025/7/30/pwn2own-returns-to-ireland-with-a-one-million-dollar-whatsapp-target
Documented instructions for setting up KGDB on Pixel 8.
Including getting the kernel log over UART via USB-Cereal, building/flashing a custom kernel, breaking into KGDB via /proc/sysrq-trigger or by sending SysRq-G over serial, dealing with watchdogs, etc.
xairy.io/articles/pix...