Linux Kernel Security

589 Followers
0 Following
127 Posts

A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets

Excellent article by Quang Le about exploiting CVE-2025-38617 — a race condition that leads to a use-after-free in the packet sockets implementation.

The implemented exploit was used to pwn the kernelCTF mitigation-v4-6.6 instance. The exploit bypasses CONFIG_RANDOM_KMALLOC_CACHES and CONFIG_SLAB_VIRTUAL.

Article: https://blog.calif.io/p/a-race-within-a-race-exploiting-cve
Exploit: https://github.com/google/security-research/pull/339

Analysis of Linux kernel bug fixes

Jenny Guanni Qu posted a detailed analysis of bug fixes in the Linux kernel:

— Kernel bugs hide for 2 years on average. Some hide for 20.

https://pebblebed.com/blog/kernel-bugs

— Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities

https://pebblebed.com/blog/kernel-bugs-part2

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave

Article by @jenkins about exploiting a use-after-free in the driver for BigWave — an AV1 decoding hardware component present on Pixel SOCs.

Seth used the bug to escalate privileges from the mediacodec SELinux context and obtain root on Pixel 9.

This exploit is a part of an RCE chain developed by Seth and @natashenka.

Userspace part: https://projectzero.google/2026/01/pixel-0-click-part-1.html
Kernel part: https://projectzero.google/2026/01/pixel-0-click-part-2.html
Final part: https://projectzero.google/2026/01/pixel-0-click-part-3.html

CVE-2025-68260: rust_binder: fix race condition on death_list

The first CVE has been registered for the new Binder kernel driver written in Rust. The vulnerability is a race condition caused by a list operation inside an unsafe code block.

https://lore.kernel.org/linux-cve-announce/2025121614-CVE-2025-68260-558d@gregkh/T/#u

Extending Kernel Race Windows Using '/dev/shm'

Article by Faith about extending race condition windows via FALLOC_FL_PUNCH_HOLE. The technique allows delaying user memory accesses from kernel mode, similar to userfaultfd and FUSE.

https://faith2dxy.xyz/2025-11-28/extending_race_window_fallocate/

Race Condition Symphony: From Tiny Idea to Pwnie

Slides from a talk by Hyunwoo Kim and Wongi Lee about exploiting CVE-2024-50264 — a race condition in the vsock subsystem.

Previously, @a13xp0p0v described another way to exploit this vulnerability.

Slides: https://powerofcommunity.net/2025/slide/h-3938a.pdf
Alexander's article: https://a13xp0p0v.github.io/2025/09/02/kernel-hack-drill-and-CVE-2024-50264.html

Slice: SAST + LLM Interprocedural Context Extractor

Amazing article by Caleb Gross about combining CodeQL and LLMs to reliably rediscover CVE-2025-37899, a remotely triggerable vulnerability in the ksmbd module.

https://noperator.dev/posts/slice/

Enhancing FineIBT

An @lwn article describing the talk by Scott Constable and Sebastian Österlund about the ongoing work to improve FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking).

The article also refers to another post "A hole in FineIBT protection" about a method to bypass this CFI mechanism.

Article: https://lwn.net/Articles/1039633/
A hole in FineIBT protection: https://lwn.net/Articles/1011680/

Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE

Talk by Pan Zhenpeng and Jheng Bing Jhong about exploiting a logical bug in the Pixel GXP driver that allows overwriting read-only files.

Video: https://www.youtube.com/watch?v=_iSwTuBIZQ8
Slides: https://hitcon.org/2025/slides/b7635c13-282e-4673-8297-43ed3550b3d3.pdf

Exploiting CVE-2025-21479 on a Samsung S23

Article by XploitBengineer about exploiting a logical bug in the Qualcomm Adreno GPU firmware to take over the kernel on a Samsung S23 via a combination of page table attacks.

https://xploitbengineer.github.io/CVE-2025-21479