Linux Kernel Security

Some notes on the security properties of the pipe_buffer kernel object

@a13xp0p0v posted an article about a few experiments with the pipe_buffer kernel object within his kernel-hack-drill project.

Alexander described multiple pipe_buffer features relevant for kernel exploits that rely on this object.

https://a13xp0p0v.github.io/2026/04/20/pipe-buffer-experiments.html

Many exploits of Linux kernel vulnerabilities use the pipe_buffer kernel object to build strong exploit primitives. When I was experimenting with my personal project kernel-hack-drill, I discovered some interesting properties of pipe_buffer, which may not be described in public articles (at least, I didn't find them). That's why I decided to write this short post and share my thoughts.

Alexander Popov

Out-of-Cancel: A Vulnerability Class Rooted in Workqueue Cancellation APIs

Hyunwoo Kim published an article describing a complicated exploit of a race condition caused by a misuse of the cancel_work_sync() kernel API in the network subsystem.

https://v4bel.github.io/linux/2026/03/23/ooc.html

Walkthrough of an N-day Android GPU driver vulnerability

Talk by Angus about analyzing CVE-2022-22706 — a logical bug in the Mali GPU driver that allows getting write access to read-only memory.

https://www.youtube.com/watch?v=G71dB0C4-dY

Walkthrough of an N-day Android GPU driver vulnerability - Angus, BSides Canberra 2025

From KernelSnitch to Practical msg_msg/pipe_buffer Heap KASLR Leaks

Article by Lukas Maar about evaluating the KernelSnitch timing side-channel attack on a variety of systems, including Android.

The attack allows leaking addresses of exploitation-relevant kernel allocations.

Lukas also published the source code for executing the attack.

Article: https://lukasmaar.github.io/posts/heap-kaslr-leak/index.html
Source: https://github.com/lukasmaar/kernelsnitch

Assessing Claude Mythos Preview’s cybersecurity capabilities

Article by Nicholas Carlini et al. about the security research capabilities of Anthropic's new LLM, Claude Mythos Preview.

The LLM was used to discover multiple 0-days in the Linux kernel and also write privilege escalation exploits for a few previously known vulnerabilities; the article provides a detailed write-up for two such exploits.

https://red.anthropic.com/2026/mythos-preview/

slab: support for compiler-assisted type-based slab cache partitioning

@melver posted a kernel patch that provides an alternative mode to RANDOM_KMALLOC_CACHES called TYPED_KMALLOC_CACHES.

The new mode leverages a Clang 22 feature called "allocation tokens". Unlike RANDOM_KMALLOC_CACHES, this mode deterministically assigns caches to allocations based on their types rather than their allocation sites.

https://lore.kernel.org/all/2026033111[email protected]/

CrackArmor: Multiple vulnerabilities in AppArmor

Article about a variety of vulnerabilities found in the AppArmor LSM implementation, including a few kernel memory corruptions. The authors exploited them to achieve LPE on Ubuntu and Debian.

https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt

A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets

Excellent article by Quang Le about exploiting CVE-2025-38617 — a race condition that leads to a use-after-free in the packet sockets implementation.

The implemented exploit was used to pwn the kernelCTF mitigation-v4-6.6 instance. The exploit bypasses CONFIG_RANDOM_KMALLOC_CACHES and CONFIG_SLAB_VIRTUAL.

Article: https://blog.calif.io/p/a-race-within-a-race-exploiting-cve
Exploit: https://github.com/google/security-research/pull/339

Analysis of Linux kernel bug fixes

Jenny Guanni Qu posted a detailed analysis of bug fixes in the Linux kernel:

— Kernel bugs hide for 2 years on average. Some hide for 20.

https://pebblebed.com/blog/kernel-bugs

— Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities

https://pebblebed.com/blog/kernel-bugs-part2

setresuid(⚡): Glitching Google's TV Streamer from adb to root.

Talk by Niek Timmers about glitching the kernel of the Android-based Google TV Streamer device to escalate privileges via Electromagnetic Fault Injection.

The researcher glitched the setresuid syscall handler to bypass its checks and obtain the UID of 0. Bypassing SELinux via glitching remains to be investigated.

Video: https://www.youtube.com/watch?v=-w5mpXTnNJA
Slides: https://hardwear.io/netherlands-2025/presentation/Glitching-Googles-TV-Streamer-from-adb-to-root.pdf

Hardwear.io NL 2025: Glitching Google's TV Streamer From Adb To Root - Niek Timmers