November/December updates

1 files changed, 66 insertions, 2 deletions

diff --git a/README.md b/README.md
index 185901c..a4c9503 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Exploitation
 
+[2025: "Extending Kernel Race Windows Using '/dev/shm'" by Faith](https://faith2dxy.xyz/2025-11-28/extending_race_window_fallocate/) [article]
+
 [2025: "System Register Hijacking: Compromising Kernel Integrity By Turning System Registers Against the System"](https://kylebot.net/papers/ret2entry.pdf) [paper]
 
 [2025: "Linux Kernel Exploitation for Beginners" by Kevin Massey](https://rvasec.com/slides/2025/Massey_Linux_Kernel_Exploitation_For_Beginners.pdf) [slides] [[video](https://www.youtube.com/watch?v=YfjHCt4SzQc)]
@@ -415,6 +417,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Info-leaks
 
+[2025: "Vulnerabilities in the /proc Component of the CAN BCM Protocol in the Linux kernel" by Anderson Nascimento](https://allelesecurity.com/wp-content/uploads/2025/12/Presentation_307.pdf) [slides] [CVE-2023-52922] [CVE-2025-38003] [CVE-2025-38004]
+
 [2025: "Use-after-free in CAN BCM subsystem leading to information disclosure (CVE-2023-52922)"](https://allelesecurity.com/use-after-free-vulnerability-in-can-bcm-subsystem-leading-to-information-disclosure-cve-2023-52922/) [article] [CVE-2023-52922]
 
 [2025: "KernelSnitch: Side-Channel Attacks on Kernel Data Structures" by Lukas Maar et al.](https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf) [paper] [[slides](https://i.blackhat.com/Asia-25/Asia-25-Maar-KernelSnitch.pdf)]
@@ -474,6 +478,26 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### LPE
 
+[2025: "A tale of challenging MTE: Rooting Google Pixel with kernel MTE enabled in one shot" by Yong Wang](https://github.com/ThomasKing2014/slides/blob/master/2025/poc2025.pdf) [slides] [CVE-UNKNOWN]
+
+[2025: "CVE-2025-38352 (Part 1) - In-the-wild Android Kernel Vulnerability Analysis + PoC" by Faith](https://faith2dxy.xyz/2025-12-22/cve_2025_38352_analysis/) [article] [CVE-2025-38352]
+
+[2025: "CVE-2025-38352 (Part 2) - Extending The Race Window Without a Kernel Patch" by Faith](https://faith2dxy.xyz/2025-12-24/cve_2025_38352_analysis_part_2/) [article] [CVE-2025-38352]
+
+[2025: "CVE-2025-38352 (Part 3) - Uncovering Chronomaly" by Faith](https://faith2dxy.xyz/2026-01-03/cve_2025_38352_analysis_part_3/) [article] [exploit](https://github.com/farazsth98/chronomaly) [CVE-2025-38352]
+
+[2025: "Dangling pointers, fragile memory—from an undisclosed vulnerability to Pixel 9 Pro privilege escalation"](https://dawnslab.jd.com/Pixel_9_Pro_EoP/) [article] [CVE-2025-6349] [CVE-2025-8045]
+
+[2025: "Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers" by Xingyu Jin and Martijn Bogaard](https://powerofcommunity.net/2025/slide/x-84592.pdf) [slides] [CVE-2024-44068] [CVE‑2025‑23244] [CVE-2025-8109] [CVE-2024-49739]
+
+[2025: "Déjà Vu in Linux io_uring: Breaking Memory Sharing Again After Generations of Fixes" by Pumpkin Chang](https://u1f383.github.io/slides/talks/2025_Hexacon-Deja_Vu_in_Linux_io_uring_Breaking_Memory_Sharing_Again_After_Generations_of_Fixes.pdf) [slides] [[video](https://www.youtube.com/watch?v=Ry4eOgLCo90)] [CVE-2025-21836]
+
+[2025: "CUDA de Grâce" by Valentina Palmiotti and Samuel Lovejoy](https://docs.google.com/presentation/d/1FgfURpMyHhnflGWtxeq8ClPPaB5ZDCzT/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=Lvz2_ZHj3lo)] [CVE-UNKNOWN]
+
+[2025: "An RbTree Family Drama: Exploiting a Linux Kernel 0-day Through Red-Black Tree Transformations" by Savino Dicanosa and William Liu](https://storage.googleapis.com/static.cor.team/assets/rbtree_family_drama_hexacon_2025.pdf) [slides] [[video](https://www.youtube.com/watch?v=C-52Gwmce3w)] [CVE-2025-38001]
+
+[2025: "Race Condition Symphony: From Tiny Idea to Pwnie" by Hyunwoo Kim and Wongi Lee](https://powerofcommunity.net/2025/slide/h-3938a.pdf) [slides] [CVE-2024-50264]
+
 [2025: "Exploiting CVE-2025-21479 on a Samsung S23" by XploitBengineer](https://xploitbengineer.github.io/CVE-2025-21479) [article] [CVE-2025-21479]
 
 [2025: "LPE via refcount imbalance in the af_unix of Ubuntu's Kernel" by kylebot](https://ssd-disclosure.com/lpe-via-refcount-imbalance-in-the-af_unix-of-ubuntus-kernel/) [article] [CVE-UNKNOWN]
@@ -520,7 +544,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2025: "Kernel-Hack-Drill: Environment For Developing Linux Kernel Exploits" by Alexander Popov](https://a13xp0p0v.github.io/img/Alexander_Popov-Kernel_Hack_Drill-Zer0Con.pdf) [slides] [CVE-2024-50264]
 
-[2025: "Linux kernel hfsplus slab-out-of-bounds Write" by Attila Szasz](https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/) [article] [CVE-2025-0927]
+[2025: "Linux kernel hfsplus slab-out-of-bounds Write" by Attila Szasz](https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/) [article] [slides](https://drive.google.com/file/d/1Z_0jgLpGmcC3VO-jGxR-vwAAc9F9Ovcu/view) [CVE-2025-0927]
 
 [2025: "CVE-2024-53141: an OOB Write Vulnerability in Netfiler Ipset" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/07/cve-2024-53141-an-oob-write-vulnerability-in-netfilter-ipset.html) [article] [CVE-2024-53141]
 
@@ -656,6 +680,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2023: "CVE-2023-0386 analysis and exploitation" by chenaotian](https://github.com/chenaotian/CVE-2023-0386) [article] [CVE-2023-0386]
 
+[2022: "How we use Dirty Pipe to get reverse root shell on Android Emulator and Pixel 6" by LiN and YingMuo](https://hitcon.org/2022/slides/How%20we%20use%20Dirty%20Pipe%20to%20get%20reverse%20root%20shell%20on%20Android%20Emulator%20and%20Pixel%206.pdf) [slides] [[video](https://www.youtube.com/watch?v=gyku4QyV5eM)] [CVE-2022-0847]
+
 [2022: "Linux kernel io_uring module pbuf_ring vulnerability and privilege escalation 0day"](https://dawnslab.jd.com/linux-5.19-rc2_pbuf_ring_0day/) [article [CVE-UNKNOWN]
 
 [2022: "CVE-2022-1015: A validation flaw in Netfilter leading to Local Privilege Escalation" by Yordan Stoychev](https://anatomic.rip/cve-2022-1015/) [article] [CVE-2022-1015]
@@ -738,6 +764,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2022: "Linux Kernel PWN | 02 CVE-2009-1897"](https://blog.wohin.me/posts/linux-kernel-pwn-02/) [article] [CVE-2009-1897]
 
+[2021: "Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities"](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Typhoon-Mangkhut-One-Click-Remote-Universal-Root-Formed-With-Two-Vulnerabilities.pdf) [slides] [[video](https://www.youtube.com/watch?v=a1vyt6iWmS4)] [CVE-2020-0423]
+
+[2021: "Analysis and Exploitation of CVE-2021-28664 for Android Privilege Escalation" by Bernard Lampe](https://www.bernardlampe.com/pub/Grayshift-CVE-2021-28664.pdf) [slides] [CVE-2021-28664]
+
 [2021: "Your Trash Kernel Bug, My Precious 0-day" by Zhenpeng Lin](https://zplin.me/talks/BHEU21_trash_kernel_bug.pdf) [slides] [CVE-2021-3715]
 
 [2021: "[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver"](https://syst3mfailure.io/sixpack-slab-out-of-bounds) [article] [CVE-2021-42008]
@@ -1070,6 +1100,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Other
 
+[2025: "mediatek? more like media-rekt, amirite." by hypr](https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html) [article]
+
 [2025: "Dissecting a 1-Day Vulnerability in Linux's XFRM Subsystem" by Shreyas Penkar](https://streypaws.github.io/posts/Dissecting-a-1-Day-Vulnerability-in-Linux-XFRM-Subsystem/) [article] [CVE-2025-39965] [[trigger](https://github.com/Shreyas-Penkar/CVE-2025-39965)]
 
 [2025: "A Quick Note on CVE-2025-38617" by Pumpkin Chang](https://u1f383.github.io/linux/2025/08/27/a-quick-note-on-CVE-2025-38617.html) [article] [CVE-2025-38617]
@@ -1229,6 +1261,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ## Finding Bugs
 
+[2025: "Build a Fake Phone, Find Real Bugs" by Romain Malmain](https://media.ccc.de/v/39c3-build-a-fake-phone-find-real-bugs-qualcomm-gpu-emulation-and-fuzzing-with-libafl-qemu) [video] [[code](https://github.com/rmalmain/39C3-build-a-fake-phone-find-real-bugs)]
+
+[2025: "A Modular Approach To Power Management Fuzzing"](https://lpc.events/event/19/contributions/2087/attachments/1897/4063/PM_USB_LPC_25.pdf) [slides] [[video](https://www.youtube.com/watch?v=TNMcqQsqgr4)]
+
+[2025: "KFuzzTest: Targeted Fuzzing of Internal Kernel Functions" by Ethan Graham](https://lpc.events/event/19/contributions/2196/attachments/1929/4123/KFuzzTest%20LPC%2012.12.2025.pdf) [slides] [[video](https://www.youtube.com/watch?v=B7plrw_5w4Q)]
+
+[2025: "SYZOS: Practical KVM fuzzing" by Alexander Potapenko](https://lpc.events/event/19/contributions/2217/attachments/1889/4069/SYZOS%20for%20LPC%202025.pdf) [slides] [[video](https://www.youtube.com/watch?v=sY27jwn9bLY)]
+
+[2025: "DNAFuzz: Descriptor-Aware Fuzzing for USB Drivers"](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/DNAFuzz_Camera_Ready.pdf) [paper]
+
+[2025: "Slice: SAST + LLM Interprocedural Context Extractor" by Caleb Gross](https://noperator.dev/posts/slice/) [article]
+
 [2025: "KNighter: Transforming Static Analysis with LLM-Synthesized Checkers"](https://arxiv.org/pdf/2503.09002) [paper] [[code](https://github.com/ise-uiuc/KNighter)]
 
 [2025: "SyzSpec: Specification Generation for Linux Kernel Fuzzing via Under-Constrained Symbolic Execution"](https://www.cs.ucr.edu/~zhiyunq/pub/ccs25_syzspec.pdf) [paper]
@@ -1656,6 +1700,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2024: "Notes on the 'slab: Introduce dedicated bucket allocator' series" by Julien Voisin](https://dustri.org/b/notes-on-the-slab-introduce-dedicated-bucket-allocator-series.html) [article]
 
+[2023: "Modern LInux Kernel Mitigations" by Ray Veldkamp and Matthew Kurz](https://www.youtube.com/watch?v=kNCtWCcixsU) [video]
+
+[2023: "An abridged history of Linux kernel hardening" by Russell Currey](https://www.youtube.com/watch?v=n7oUA2b15P8) [video]
+
 [2023: "Exploring Linux's New Random Kmalloc Caches" by sam4k](https://sam4k.com/exploring-linux-random-kmalloc-caches/) [article]
 
 [2023: "Toolchain security features status update"](https://outflux.net/slides/2023/lpc/features.pdf) [slides] [[video](https://www.youtube.com/watch?v=OEFFqhP5sts)]
@@ -1963,6 +2011,10 @@ https://github.com/zhuowei/cheese
 
 https://github.com/FreeXR/eureka_panther-adreno-gpu-exploit-1 [CVE-2025-21479]
 
+https://github.com/polygraphene/DirtyPipe-Android [CVE-2022-0847]
+
+https://github.com/SpiralBL0CK/CVE-2023-1206-CVE-2025-40040-CVE-2024-49882
+
 
 ## Tools
 
@@ -2093,6 +2145,8 @@ https://github.com/kzall0c/vock [[demo video](https://www.youtube.com/watch?v=Qv
 
 https://github.com/bcoles/rootkit-signal-hunter
 
+https://github.com/mellow-hype/mt7622-qemu-vm
+
 
 ## Practice
 
@@ -2125,7 +2179,7 @@ WMCTF 2025 (wm_easyker): [writeup](https://blog.xmcve.com/2025/09/22/WMCTF2025-W
 
 STAR Labs Summer Pwnables 2025 (paradox_engine): [writeup](https://u1f383.github.io/linux/2025/09/01/starlabs-summer-pwnables-linux-kernel-challenge-writeup.html)
 
-BlackHat MEA 2025 Quals: [writeup](https://ptr-yudai.hatenablog.com/entry/2025/09/14/180326)
+BlackHat MEA 2025 Quals (Kinc): [writeup1](https://ptr-yudai.hatenablog.com/entry/2025/09/14/180326), [writeup 2](https://blog.bushwhackers.ru/blackhat-mea-ctf-qualification-kinc/)
 
 corCTF 2025 (corphone): [writeup](https://u1f383.github.io/android/2025/09/08/corCTF-2025-corphone.html)
 
@@ -2135,6 +2189,8 @@ TsukuCTF 2025 (easy_kernel, xcache, new_era): [writeup](https://iwancof.github.i
 
 LACTF 2025 (messenger): [writeup](https://terawhiz.github.io/2025/2/oob-write-to-page-uaf-lactf-2025/)
 
+AVSS 2024 Final: [writeups](https://blog.xmcve.com/2024/10/25/AVSS-2024-Final-Writeup)
+
 crewCTF 2024 (kUlele): [writeup](https://n132.github.io/2024/08/14/kUlele.html)
 
 HITCON CTF QUAL 2024 (Halloween): [writeup](https://u1f383.github.io/ctf/2024/07/16/hitcon-ctf-qual-2024-pwn-challenge-part-1-halloween-and-v8sbx.html)
@@ -2330,6 +2386,12 @@ https://github.com/0xor0ne/awesome-list/
 
 ## Misc
 
+[2025: "Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit" by MatheuZSec](https://blog.kyntra.io/Singularity-A-final-boss-linux-kernel-rootkit) [article]
+
+[2025: "Exploiting a 13-years old bug on QEMU"](https://kqx.io/post/qemu-nday/) [article]
+
+[2025: "LinkPro: eBPF rootkit analysis" by Théo Letailleur](https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis) [article]
+
 [2025: "The anatomy of a bug: 6 Months at STAR Labs" by Gerrard Tai](https://gerrardtai.com/anatomy-of-a-bug) [article]
 
 [2025: "Qualcomm DSP Kernel Internals" by Shreyas Penkar](https://streypaws.github.io/posts/DSP-Kernel-Internals/) [article]
@@ -2358,6 +2420,8 @@ https://github.com/0xor0ne/awesome-list/
 
 [2025: "Linux KASLR Entropy" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/02/linux-kaslr-entropy.html) [article]
 
+[2024: "Binder Internals"](https://androidoffsec.withgoogle.com/posts/binder-internals/) [article]
+
 [2024: "Linternals: Exploring The mm Subsystem via mmap" by Samuel Page](https://sam4k.com/linternals-exploring-the-mm-subsystem-part-1/) [article] [[part 2](https://sam4k.com/linternals-exploring-the-mm-subsystem-part-2/)]
 
 [2024: "Approaches to determining the attack surface for fuzzing the Linux kernel" by Pavel Teplyuk and Aleksey Yakunin](https://www.e3s-conferences.org/articles/e3sconf/pdf/2024/61/e3sconf_uesf2024_03005.pdf) [paper]