Andrey Konovalov

Security engineer at https://xairy.io. Focusing on the Linux kernel. Maintaining @linkersec. Trainings at https://xairy.io/trainings.
Website: https://xairy.io
Trainings: https://xairy.io/trainings

Gonna be teaching Exploiting the Android Kernel training at Zer0Con 2026 on March 30th — April 1st. This is a new training focused on data-only Android kernel exploitation techniques. Just a bit of time left to sign up. Pay attention to the requirements.

https://zer0con.org/#training-section

Sheaves support has been merged into SLUB.

Opt-in for now, but planned to replace the per-CPU partial slab layer for all caches in the future.

Gonna have to revise the slab shaping strategies once this happens.

Merge commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b9120619246d
RFC to replace per-CPU partials: https://lore.kernel.org/linux-mm/20251[email protected]/
LWN article: https://lwn.net/Articles/1010667/

"Wrote" is a strong word for this, I just cleaned up the reproducer from this syzbot report:

https://syzkaller.appspot.com/bug?extid=fbe9fff1374eefadffb9

The report has been public on the dashboard for over 2 months now. And there's plenty of other USB bugs that are still not fixed.

Wrote a trigger for CVE-2025-38494/5 (an integer underflow in the HID subsystem) that leaks 64 KB of OOB memory over USB.

Still works on Pixels and Ubuntus (but the bug is fixed in stable kernels).

https://github.com/xairy/kernel-exploits/tree/master/CVE-2025-38494

Schedule for my Fuzzing/Exploiting the Linux Kernel trainings for the rest of the year ⬇️

Fuzzing the Linux Kernel:

— August 4–5 online via Black Hat US:

https://www.blackhat.com/us-25/training/schedule/index.html#fuzzing-the-linux-kernel-online-44479

Exploiting the Linux Kernel:

— September 1–3 in Berlin at Nullcon:

https://nullcon.net/berlin-2025/training/exploiting-the-linux-kernel-berlin-2025

— October 6–9 in Paris at Hexacon:

https://www.hexacon.fr/trainer/konovalov/

— October 26 — November 1 online via Ringzer0:

https://ringzer0.training/countermeaasure25-exploiting-the-linux-kernel/

Gave a talk on external fuzzing of Linux kernel USB drivers with syzkaller at SAFACon.

Includes a demonstration of how to rediscover CVE-2024-53104, an out-of-bounds bug in the USB Video Class driver.

Slides: https://docs.google.com/presentation/d/1NulLxRowsHzgcL1AFzNF_w8nh3zk2BKKPfGi_1j76A8/edit?usp=sharing

(If you use newer Ubuntu and the code formatting looks off, use File → Print preview; @ubuntu still hasn't fixed the issues with their monospace fonts.)

2025, SAFACon: External fuzzing of USB drivers with syzkaller (Andrey Konovalov, xairy.io; SAFACon, Belgrade, May 3rd, 2025)

Similarly for CVE-2024-53197 (OOB for Extigy and Mbox devices), syzbot even gets to snd_usb_mbox2_boot_quirk — the buggy function. But then fails to pass the descriptor size check due to no Mbox-specific descriptions.

https://storage.googleapis.com/syzbot-assets/7efefb59364f/ci2-upstream-usb-c749f058.html#sound%2fusb%2fquirks.c

For CVE-2024-53104 (OOB write in uvc_parse_format), syzbot reaches uvc_parse_streaming — parent function of uvc_parse_format — but fails to get to the bug: syzkaller has no descriptions for streaming interface descriptors.

https://storage.googleapis.com/syzbot-assets/7efefb59364f/ci2-upstream-usb-c749f058.html#drivers%2fmedia%2fusb%2fuvc%2fuvc_driver.c

Schedule for my Linux kernel security trainings this year is shaping up 🥳

New standalone training this year: Fuzzing the Linux Kernel. Focused on fuzzing with syzkaller but also covers using/extending KASAN.

The usual Exploiting the Linux Kernel training is on the menu as well.

List of scheduled trainings:

— Exploiting the Linux Kernel on March 9–15 online with Ringzer0.

First time I'm teaching this training online publicly. This session follows the less intense 7-day format offered by Ringzer0 (but the content is the same).

https://ringzer0.training/bootstrap25-exploiting-the-linux-kernel/

— Fuzzing the Linux Kernel on April 7–9 in Seoul at Zer0Con.

This is the new standalone training I'm starting to offer this year.

https://zer0con.org/#training-section

— Exploiting the Linux Kernel on May 12–15 in Berlin at OffensiveCon.

More than half of the spots already gone — don't miss out.

https://www.offensivecon.org/trainings/2025/exploiting-the-linux-kernel.html

Exploiting the Linux Kernel

This training guides you through the field of Linux kernel exploitation. In a series of practical labs, the training explores the process of exploiting kernel bugs in a modern Linux distribution on the x86-64 architecture.

Getting made fun of because you cover your laptop webcam with a sticker? 😭

Here are materials from my talk about controlling the ThinkPad X230 webcam LED over USB, presented at POC 😎

Use these as a comeback 😁

Slides: https://docs.google.com/presentation/d/1NSS2frdiyRVr-5vIjAU-2wf_agzpdiMR1DvVhz2eDwc/edit?usp=sharing
Code: https://github.com/xairy/lights-out

2024, PoC: Lights Out: Covertly turning off the ThinkPad webcam LED indicator (Andrey Konovalov, xairy.io; PoC, Seoul, Nov 8th, 2024)