Thomas King

117 Followers
21 Following
21 Posts
Android/Browser Vulnerability Research, Reverse Engineering.
I finally understand why some good guys quit the Android bug bounty program.

I found a Linux kernel security bug (in AF_UNIX) and decided to write a kernel exploit for it that can go straight from "attacker can run arbitrary native code in a seccomp-sandboxed Chrome renderer" to kernel compromise:
https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html

This post includes fun things like:

  • a nice semi-arbitrary read primitive combined with an annoying write primitive
  • slowing down usercopy without FUSE or userfaultfd
  • CONFIG_RANDOMIZE_KSTACK_OFFSET as an exploitation aid
  • a rarely-used kernel feature that Chrome doesn't need but is reachable in the Chrome sandbox
  • sched_getcpu() usable inside Chrome renderers despite getcpu being blocked by seccomp (thanks to vDSO)
From Chrome renderer code exec to kernel with MSG_OOB

Posted by Jann Horn, Google Project Zero Introduction In early June, I was reviewing a new Linux kernel feature when I learned about the...
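The last bullet of the post above, that sched_getcpu() keeps working when the getcpu syscall is filtered, can be checked on a stock Linux box. What follows is an added example, not code from Jann Horn's post and not Chrome's sandbox policy: it installs a minimal seccomp-bpf filter that returns EPERM for SYS_getcpu, then issues the raw syscall and calls glibc's sched_getcpu() side by side. It assumes Linux on x86-64 with glibc, where sched_getcpu() is answered from the vDSO (or from the rseq area on newer glibc) and never enters the kernel through the filtered path; the struct and function names are my own.

```c
/* Added example (not from the original post or from Chrome): show that a
 * seccomp-bpf filter on SYS_getcpu does not stop sched_getcpu(), because glibc
 * resolves it through the vDSO (or rseq) in userspace.
 * Assumes Linux x86-64 + glibc. Build: gcc -O2 -o getcpu_vdso getcpu_vdso.c */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* pre-4.14 headers */
#endif

/* Hypothetical result record for the demo (my name, not a kernel/glibc type). */
struct demo_result {
    int filter_installed;  /* 1 if the seccomp filter was applied */
    int raw_getcpu_ret;    /* return value of syscall(SYS_getcpu, ...) */
    int raw_getcpu_errno;  /* errno after the raw syscall */
    int sched_getcpu_ret;  /* return value of sched_getcpu() */
};

/* Install a filter: kill on a foreign ABI, EPERM for getcpu, allow the rest. */
static int install_getcpu_filter(void)
{
    struct sock_filter filter[] = {
        /* Always check the arch first; syscall numbers differ per ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number and deny getcpu with EPERM. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getcpu, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };
    /* Unprivileged processes must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Run the comparison once; the filter stays on the process afterwards. */
int run_getcpu_demo(struct demo_result *r)
{
    unsigned int cpu = 0;
    r->filter_installed = (install_getcpu_filter() == 0);
    errno = 0;
    /* The real syscall traps into the kernel and hits the filter. */
    r->raw_getcpu_ret = (int)syscall(SYS_getcpu, &cpu, NULL, NULL);
    r->raw_getcpu_errno = errno;
    /* glibc's sched_getcpu() is served by the vDSO/rseq and is never filtered. */
    r->sched_getcpu_ret = sched_getcpu();
    return r->filter_installed;
}

int main(void)
{
    struct demo_result r;
    run_getcpu_demo(&r);
    printf("seccomp filter installed: %s\n", r.filter_installed ? "yes" : "no");
    printf("raw SYS_getcpu: ret=%d errno=%d (%s)\n", r.raw_getcpu_ret,
           r.raw_getcpu_errno, strerror(r.raw_getcpu_errno));
    printf("sched_getcpu(): %d\n", r.sched_getcpu_ret);
    return 0;
}
```

The point for sandbox authors is that a seccomp policy only sees what actually traps into the kernel; on x86-64 the vDSO answers getcpu, clock_gettime, gettimeofday and time entirely in userspace, so a renderer policy that lists "getcpu: blocked" has not removed that information from the sandboxed code.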

I've found that replying to unsolicited messages with "杀猪盘?" ("pig-butchering scam?") is a remarkably effective way of flushing out scammers 😆
A nice dav1d AV1 decoder integer overflow found by @x43r0 https://bugs.chromium.org/p/project-zero/issues/detail?id=2502

"The WebP 0day" -- a full technical analysis of the recently patched vulnerability in the WebP image library that was exploited in the wild (CVE-2023-4863).

https://blog.isosceles.com/the-webp-0day/

We suspect that this is the same bug that Citizen Lab reported to Apple after detecting an NSO Group exploit chain called "BLASTPASS" that was used to attack a Washington DC-based civil society organization.

Many thanks to mistymntncop who made several key technical contributions to this analysis.

The WebP 0day

Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning attached: "Google

Isosceles Blog
Due to lack of visa, I can’t attend BlackHat USA 2023. I hope pre-recording brings you enjoyment.
Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems

Posted by Tim Willis, Project Zero In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos Modems...

`bindiff-tool` is an assistant for `BinDiff`; with it, you can use `js` to program `BinDiff` results partially: https://github.com/Proteas/bindiff-tool
GitHub - Proteas/bindiff-tool: An assistant for BinDiff
Seth Jenkins (@jenkins) wrote a blog post on a new kernel exploitation technique for exploiting a temporary-increment-at-controlled-address bug without an infoleak: https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html
Exploiting CVE-2022-42703 - Bringing back the stack attack

Seth Jenkins, Project Zero This blog post details an exploit for CVE-2022-42703 (P0 issue 2351 - Fixed 5 September 2022), a bug Jann Horn ...