I found a Linux kernel security bug (in AF_UNIX) and decided to write a kernel exploit for it that can go straight from "attacker can run arbitrary native code in a seccomp-sandboxed Chrome renderer" to kernel compromise:
https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html

This post includes fun things like:

• a nice semi-arbitrary read primitive combined with an annoying write primitive
• slowing down usercopy without FUSE or userfaultfd
• CONFIG_RANDOMIZE_KSTACK_OFFSET as an exploitation aid
• a rarely-used kernel feature that Chrome doesn't need but is reachable in the Chrome sandbox
• sched_getcpu() usable inside Chrome renderers despite getcpu being blocked by seccomp (thanks to vDSO)

"The WebP 0day" -- a full technical analysis the recently patched vulnerability in the WebP image library that was exploited in the wild (CVE-2023-4863).

https://blog.isosceles.com/the-webp-0day/

We suspect that this is the same bug that Citizen Lab reported to Apple after detecting an NSO Group exploit chain called "BLASTPASS" that was used to attack on a Washington DC-based civil society organization.

Many thanks to mistymntncop who made several key technical contributions to this analysis.