November/December updates

author: Andrey Konovalov 2025-01-05 02:02:10 +0100
committer: Andrey Konovalov 2025-01-05 02:02:10 +0100
commit: 5e83aa512c646cd1db21032743401818b64ab8f5 (patch)
tree: 2d32ec275e3e22d4d51dc2776569093e17c76cc8 /README.md
parent: 5dc72e61f867c3cf89ee7f46e7f6fa98333558d2 (diff)
1 files changed, 85 insertions, 3 deletions
diff --git a/README.md b/README.md
index d58570c..ccca064 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### Exploitation
+[2025: "Cross Cache Attack CheetSheet" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/03/cross-cache-attack-cheatsheet.html) [article]
+[2024: "Linux Kernel Use Pipe Object to Do Data-Only Attack" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/16/linux-kernel-use-pipe-object-to-do-data-only-attack.html) [article]
+[2024: "CTF-style Tricks of Linux Kernel Exploitation" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/04/ctf-style-tricks-of-linux-kernel-exploitation-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2024/08/07/ctf-style-tricks-of-linux-kernel-exploitation-part-2.html)]
+[2024: "Linux Kernel exploitation cheatsheet" by Pumpkin Chang](https://u1f383.github.io/cheatsheet/1970/01/01/welcome-to-jekyll.html) [article]
 [2024: "SLUB Internals for Exploit Developers" by Andrey Konovalov](https://static.sched.com/hosted_files/lsseu2024/37/2024%2C%20LSS%20EU_%20SLUB%20Internals%20for%20Exploit%20Developers.pdf) [slides] [[video](https://www.youtube.com/watch?v=XulsBDV4n3w)]
 [2024: "SCAVY: Automated Discovery of Memory Corruption Targets in Linux Kernel for Privilege Escalation"](https://www.usenix.org/system/files/usenixsecurity24-avllazagaj.pdf) [paper]
@@ -287,6 +295,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 [2024: "SELinux bypasses"](https://klecko.github.io/posts/selinux-bypasses/) [article]
+[2024: "Page-Oriented Programming: Subverting Control-Flow Integrity of Commodity Operating System Kernels with Non-Writable Code Pages" by Seunghun Han et al.](https://www.usenix.org/system/files/usenixsecurity24-han-seunghun.pdf) [paper] [[slides](https://www.usenix.org/system/files/usenixsecurity24_slides-han-seunghun.pdf)] [[video](https://www.youtube.com/watch?v=wSMByLg-ibs)]
 [2024: "Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels" by Lukas Maar et. al](https://www.usenix.org/system/files/usenixsecurity24-maar-defects.pdf) [paper] [[artifacts](https://www.usenix.org/system/files/usenixsecurity24-appendix-maar-defects.pdf)]
 [2024: "Leaking Host KASLR from Guest VMs Using Tagged TLB" by Reno Robert](https://pagedout.institute/download/PagedOut_004_beta1.pdf#page=58) [article]
@@ -375,6 +385,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### Info-leaks
+[2025: "KernelSnitch: Side-Channel Attacks on Kernel Data Structures" by Lukas Maar et al.](https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf) [paper]
+[2024: "Linux vDSO & VVAR" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/11/linux-vdso-and-vvar.html) [article] [CVE-2023-23586]
+[2024: "CPU Speculation Vulnerabilities And Mitigations in the Linux Kernel" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/09/cpu-speculation-vulnerabilities-and-mitigations-in-the-linux-kernel.html) [article] [Spectre V1] [Spectre V2]
+[2024: "Linux Kernel Meltdown Mitigation Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/01/linux-kernel-meltdown-mitigation-analysis.html) [article] [Meltdown]
 [2024: "Out of the kernel, into the tokens" by Max Ammann and Emilio Lopez](https://blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/) [article]
 [2023: "The code that wasn’t there: Reading memory on an Android device by accident" by Man Yue Mo](https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-an-android-device-by-accident/) [article] [CVE-2022-25664]
@@ -424,9 +442,19 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### LPE
-[2024: "Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel" by Pedro Pinto](https://www.figma.com/deck/GyXCgKKy6rMuY7NVZtInjY/Unleadhing-a-Oday---Osec?node-id=13-225) [slides] [CVE-2024-41010]
+[2024: "The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit" by Seth Jenkins](https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html) [article] [CVE-2024-38402] [CVE-2024-21455] [CVE-2024-33060] [CVE-2024-49848] [CVE-2024-43047]
+[2024: "OtterRoot: Netfilter Universal Root 1-day" by Pedro Pinto](https://osec.io/blog/2024-11-25-netfilter-universal-root-1-day) [article] [CVE-2024-26809]
+[2024: "How I use a novel approach to exploit a limited OOB on Ubuntu at Pwn2Own Vancouver 2024" by Pumpkin Chang](https://u1f383.github.io/slides/talks/2024_POC-How_I_use_a_novel_approach_to_exploit_a_limited_OOB_on_Ubuntu_at_Pwn2Own_Vancouver_2024.pdf) [slides] [CVE-UNKNOWN]
-[2024: "Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel" by Mingi Cho and Wongi Lee](https://www.hexacon.fr/slides/Cho_Lee-Utilizing_Cross-CPU_Allocation_to_Exploit_Preempt-Disabled_Linux_Kernel.pdf) [slides] [CVE-2023-31248] [CVE-2024-36978]
+[2024: "GPUAF - Two ways of Rooting All Qualcomm based Android phones" by Pan Zhenpeng and Jheng Bing Jhong](https://powerofcommunity.net/poc2024/Pan%20Zhenpeng%20&%20Jheng%20Bing%20Jhong,%20GPUAF%20-%20Two%20ways%20of%20rooting%20All%20Qualcomm%20based%20Android%20phones.pdf) [slides] [CVE-2024-23380] [CVE-2024-23373]
+[2024: "Breaking through the cage: Get Android universal root by B-PUAF" by Lu Yutao and Ling Hanqin](https://powerofcommunity.net/poc2024/Hanqin%20Ling%20&%20Yutao%20Lu,%20Breaking%20through%20the%20cage%20-%20Get%20Android%20Universal%20Root%20by%20B-PUAF.pdf) [slides] [CVE-2024-46740]
+[2024: "Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel" by Pedro Pinto](https://www.figma.com/deck/GyXCgKKy6rMuY7NVZtInjY/Unleadhing-a-Oday---Osec?node-id=13-225) [slides] [[video](https://www.youtube.com/watch?v=bxJhlwGjwWQ)] [CVE-2024-41010]
+[2024: "Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel" by Mingi Cho and Wongi Lee](https://www.hexacon.fr/slides/Cho_Lee-Utilizing_Cross-CPU_Allocation_to_Exploit_Preempt-Disabled_Linux_Kernel.pdf) [slides] [CVE-2023-31248] [[video](https://www.youtube.com/watch?v=dUdU0lp35xU)] [CVE-2024-36978]
 [2024: "1day vuln dev: DirtyCOW"](https://www.youtube.com/watch?v=lQOiH-43zOc) [video] [CVE-2016-5195]
@@ -440,7 +468,9 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 [2024: "CVE-2022-22265 Samsung npu driver" by Javier P Rufo](https://soez.github.io/posts/CVE-2022-22265-Samsung-npu-driver/) [article] [CVE-2022-22265]
-[2024: "The Way to Android Root: Exploiting Your GPU On Smartphone" by Xiling Gong, Xuan Xing, and Eugene Rodionov](https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24-Gong-The-Way-to-Android-Root-Wednesday.pdf) [slides] [CVE-2024-23380]
+[2024: "The Way to Android Root: Exploiting Your GPU On Smartphone" by Xiling Gong, Xuan Xing, and Eugene Rodionov](https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24-Gong-The-Way-to-Android-Root-Wednesday.pdf) [slides] [[video](https://www.youtube.com/watch?v=BN07rjaNqXk)] [CVE-2024-23380]
+[2024: "Clash, Burn, and Exploit: Manipulate Filters to Pwn kernelCTF" by HexRabbit](https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20HexRabbit%20Chen%20-%20Clash%2C%20Burn%2C%20and%20Exploit%20-%20Manipulate%20Filters%20to%20Pwn%20kernelCTF.pdf) [slides] [[video](https://www.youtube.com/watch?v=_1DTkkaNqfM)] [CVE-2024-26925]
 [2024: "A deep dive into CVE-2023-2163: How we found and fixed an eBPF Linux Kernel Vulnerability" by Juan Jose Lopez Jaimez and Meador Inge](https://bughunters.google.com/blog/6303226026131456/a-deep-dive-into-cve-2023-2163-how-we-found-and-fixed-an-ebpf-linux-kernel-vulnerability) [article] [CVE-2023-2163]
@@ -942,6 +972,28 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### Other
+[2025: "Some Casual Notes for CVE-2024-26921" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/04/some-casual-notes-for-cve-2024-26921.html) [article] [CVE-2024-26921]
+[2024: "Linux Kernel ICMPv6 & CVE-2023-6200" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/04/linux-kernel-icmpv6-and-cve-2023-6200.html) [article] [CVE-2023-6200]
+[2024: "Linux Kernel Perf CVE-2023-5717 Quick Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/17/linux-kernel-perf-cve-2023-5717-quick-analysis.html) [article] [CVE-2023-5717]
+[2024: "A Quick Note for Perf CVE-2024-46713" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/15/a-quick-note-for-perf-cve-2024-46713.html) [article] [CVE-2024-46713]
+[2024: "Linux Kernel Perf CVE-2023-6931 Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/14/linux-kernel-perf-cve-2023-6931-analysis.html) [article] [CVE-2023-6931]
+[2024: "Linux Kernel Vsock 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/12/linux-kernel-vsock-1-day-analysis.html) [article] [CVE-UNKNOWN]
+[2024: "Three Linux net/sched 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/09/05/three-linux-net_sched-1-day-analysis.html) [article] [CVE-2024-36974] [CVE-2023-0590]
+[2024: "Two Linux net/sched 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/31/two-linux-net_sched-1-day-analysis.html) [article] [CVE-2024-36978]
+[2024: "CVE-2024-41010 - Linux net/sched UAF 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/07/29/cve-2024-41010-linux-net_sched-uaf-1-day-analysis.html) [article] [CVE-2024-41010]
+[2024: "Linux eBPF Design and Vulnerability Case Study" by Pumpkin Chang](https://u1f383.github.io/linux/2024/07/12/linux-eBPF-design-and-vulnerability-case-study-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2024/07/20/linux-eBPF-design-and-vulnerability-case-study-part-2.html)] [CVE-2024-41009] [CVE-2022-23222] [CVE-2023-52447]
+[2024: "Linux Kernel: TOCTOU in Exec System" by Marco Vanotti](https://github.com/google/security-research/security/advisories/GHSA-c45w-xwww-rfgg) [article] [CVE-2024-43882]
 [2024: "CVE-2024-26926 Analysis" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernel-nday/blob/main/CVE-2024-26926/CVE_2024_26926_Analysis.pdf) [article] [CVE-2024-26926]
 [2024: "CVE-2024-44068: Samsung m2m1shot_scaler0 device driver page use-after-free in Android"](https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2024/CVE-2024-44068.html) [article] [CVE-2024-44068]
@@ -1031,6 +1083,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ## Finding Bugs
+[2024: "CountDown: Refcount-guided Fuzzing for Exposing Temporal Memory Errors in Linux Kernel" by Shuangpeng Bai et al.](https://huhong789.github.io/papers/bai:countdown.pdf) [paper]
+[2024: "A Little Goes a Long Way: Tuning Configuration Selection for Continuous Kernel Fuzzing" by Sanan Hasanov et al.](https://paulgazzillo.com/papers/icse25.pdf) [paper]
+[2024: "Hunting Bugs in Linux Kernel With KASAN: How to Use it & What's the Benefit?" by Slava Moskvin](https://slavamoskvin.com/hunting-bugs-in-linux-kernel-with-kasan-how-to-use-it-whats-the-benefit/) [article]
+[2024: "Finding Bugs in Kernel" by Slava Moskvin](https://slavamoskvin.com/finding-bugs-in-kernel.-part-1-crashing-a-vulnerable-driver-with-syzkaller/) [article] [[part 2](https://slavamoskvin.com/finding-bugs-in-kernel.-part-2-fuzzing-the-actual-kernel/)]
+[2024: "OZZ: Identifying Kernel Out-of-Order Concurrency Bugs with In-Vivo Memory Access Reordering" by Dae R. Jeong et al.](https://dl.acm.org/doi/pdf/10.1145/3694715.3695944) [paper]
+[2024: "Fuzzing the EBPF Subsystem" by Zac Ecob](https://www.youtube.com/watch?v=bww1HkBiYpA) [video]
 [2024: "Head First Reporting of Linux Kernel CVEs: Practical Use of the Kernel Fuzzer" by Yunseong Kim](https://static.sched.com/hosted_files/sosscdjapan2024/7a/Head%20First%20Reporting%20of%20Linux%20Kernel%20CVEs%20-%20sosscj24.pdf) [slides]
 [2024: "Finding Bugs in Kernel. Part 1: Crashing a Vulnerable Driver with Syzkaller" by Vyacheslav Moskvin](https://www.linkedin.com/pulse/finding-bugs-kernel-part-1-crashing-vulnerable-driver-moskvin-4vwje/) [article]
@@ -1332,6 +1396,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
+[2024: "Diving into Linux kernel security" by Alexander Popov](https://a13xp0p0v.github.io/img/Alexander_Popov-H2HC-2024.pdf) [slides]
+[2024: "A Decade of Low-hanging Fruit in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2024/bsidespdx/decade.pdf) [slides]
+[2024: "An adventure with formal verification of Linux kernel code" by Julia Lawall](https://drive.google.com/file/d/1EWDPz9vUZF7qjk-f8fCP7lUMu4iSfstz/view) [slides] [[video](https://www.youtube.com/watch?v=n1Wqz1pQsY0)]
 [2024: "Diving into the kernel mitigations" by Breno Leitao](https://www.youtube.com/watch?v=srPeMl9FZI8) [video]
 [2024: "Security Features status update" by Kees Cook](https://lpc.events/event/18/contributions/1920/attachments/1547/3228/Security%20Features%20status%20update.pdf) [slides] [[video](https://www.youtube.com/watch?v=68PZz_9cPms)]
@@ -2014,6 +2084,18 @@ https://github.com/0xor0ne/awesome-list/
 ## Misc
+[2025: "Linux KASLR Entropy" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/02/linux-kaslr-entropy.html) [article]
+[2024: "Approaches to determining the attack surface for fuzzing the Linux kernel" by Pavel Teplyuk and Aleksey Yakunin](https://www.e3s-conferences.org/articles/e3sconf/pdf/2024/61/e3sconf_uesf2024_03005.pdf) [paper]
+[2024: "The Feasibility of Using Hardware Breakpoints To Extend the Race Window" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/29/the-feasibility-of-using-hardware-breakpoints-to-extend-the-race-window.html) [article]
+[2024: "Linux Kernel Heap Spraying Over A Network Connection" by Pumpkin Chang](https://u1f383.github.io/linux/2024/06/20/linux-kernel-heap-spraying-over-a-network-connection.html) [article]
+[2024: "Dashing Kernel Exploitation" by Eduardo Vela and Jordy Zomer](https://github.com/google/security-research/blob/master/analysis/kernel/slides/Dashing%20Kernel%20Exploitation-H2HC-2024.pdf) [slides] [[code](https://github.com/google/security-research/tree/master/analysis/kernel/dashboard)]
+[2024: "Linux Kernel Attack Surface: beyond IOCTL. DMA-BUF" by Slava Moskvin](https://slavamoskvin.com/linux-kernel-attack-surface-beyond-ioctl.-dma-buf/) [article]
 [2024: "More Bang for Your Bug!" by Eduardo Vela and Space Meyer](https://docs.google.com/presentation/d/163DiKhThCTEb4Udv9FWfBQOiDtOXQHiCZ61pE-srBOw/present) [slides] [[video](https://www.youtube.com/watch?v=S0Wzy0Knw0M)]
 [2024: "Linux Kernel CVEs, What Has Caused So Many to Suddenly Show Up?" by Greg Kroah-Hartman](https://git.sr.ht/~gregkh/presentation-security/blob/main/security-stuff.pdf) [slides] [[video](https://www.youtube.com/watch?v=Rg_VPMT0XXw)]
author	Andrey Konovalov	2025-01-05 02:02:10 +0100
committer	Andrey Konovalov	2025-01-05 02:02:10 +0100
commit	5e83aa512c646cd1db21032743401818b64ab8f5 (patch)
tree	2d32ec275e3e22d4d51dc2776569093e17c76cc8 /README.md
parent	5dc72e61f867c3cf89ee7f46e7f6fa98333558d2 (diff)

diff --git a/README.md b/README.md index d58570c..ccca064 100644 --- a/README.md +++ b/README.md
@@ -52,6 +52,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
52		52
53	### Exploitation	53	### Exploitation
54		54
		55	[2025: "Cross Cache Attack CheetSheet" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/03/cross-cache-attack-cheatsheet.html) [article]
		56
		57	[2024: "Linux Kernel Use Pipe Object to Do Data-Only Attack" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/16/linux-kernel-use-pipe-object-to-do-data-only-attack.html) [article]
		58
		59	[2024: "CTF-style Tricks of Linux Kernel Exploitation" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/04/ctf-style-tricks-of-linux-kernel-exploitation-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2024/08/07/ctf-style-tricks-of-linux-kernel-exploitation-part-2.html)]
		60
		61	[2024: "Linux Kernel exploitation cheatsheet" by Pumpkin Chang](https://u1f383.github.io/cheatsheet/1970/01/01/welcome-to-jekyll.html) [article]
		62
55	[2024: "SLUB Internals for Exploit Developers" by Andrey Konovalov](https://static.sched.com/hosted_files/lsseu2024/37/2024%2C%20LSS%20EU_%20SLUB%20Internals%20for%20Exploit%20Developers.pdf) [slides] [[video](https://www.youtube.com/watch?v=XulsBDV4n3w)]	63	[2024: "SLUB Internals for Exploit Developers" by Andrey Konovalov](https://static.sched.com/hosted_files/lsseu2024/37/2024%2C%20LSS%20EU_%20SLUB%20Internals%20for%20Exploit%20Developers.pdf) [slides] [[video](https://www.youtube.com/watch?v=XulsBDV4n3w)]
56		64
57	[2024: "SCAVY: Automated Discovery of Memory Corruption Targets in Linux Kernel for Privilege Escalation"](https://www.usenix.org/system/files/usenixsecurity24-avllazagaj.pdf) [paper]	65	[2024: "SCAVY: Automated Discovery of Memory Corruption Targets in Linux Kernel for Privilege Escalation"](https://www.usenix.org/system/files/usenixsecurity24-avllazagaj.pdf) [paper]
@@ -287,6 +295,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
287		295
288	[2024: "SELinux bypasses"](https://klecko.github.io/posts/selinux-bypasses/) [article]	296	[2024: "SELinux bypasses"](https://klecko.github.io/posts/selinux-bypasses/) [article]
289		297
		298	[2024: "Page-Oriented Programming: Subverting Control-Flow Integrity of Commodity Operating System Kernels with Non-Writable Code Pages" by Seunghun Han et al.](https://www.usenix.org/system/files/usenixsecurity24-han-seunghun.pdf) [paper] [[slides](https://www.usenix.org/system/files/usenixsecurity24_slides-han-seunghun.pdf)] [[video](https://www.youtube.com/watch?v=wSMByLg-ibs)]
		299
290	[2024: "Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels" by Lukas Maar et. al](https://www.usenix.org/system/files/usenixsecurity24-maar-defects.pdf) [paper] [[artifacts](https://www.usenix.org/system/files/usenixsecurity24-appendix-maar-defects.pdf)]	300	[2024: "Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels" by Lukas Maar et. al](https://www.usenix.org/system/files/usenixsecurity24-maar-defects.pdf) [paper] [[artifacts](https://www.usenix.org/system/files/usenixsecurity24-appendix-maar-defects.pdf)]
291		301
292	[2024: "Leaking Host KASLR from Guest VMs Using Tagged TLB" by Reno Robert](https://pagedout.institute/download/PagedOut_004_beta1.pdf#page=58) [article]	302	[2024: "Leaking Host KASLR from Guest VMs Using Tagged TLB" by Reno Robert](https://pagedout.institute/download/PagedOut_004_beta1.pdf#page=58) [article]
@@ -375,6 +385,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
375		385
376	### Info-leaks	386	### Info-leaks
377		387
		388	[2025: "KernelSnitch: Side-Channel Attacks on Kernel Data Structures" by Lukas Maar et al.](https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf) [paper]
		389
		390	[2024: "Linux vDSO & VVAR" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/11/linux-vdso-and-vvar.html) [article] [CVE-2023-23586]
		391
		392	[2024: "CPU Speculation Vulnerabilities And Mitigations in the Linux Kernel" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/09/cpu-speculation-vulnerabilities-and-mitigations-in-the-linux-kernel.html) [article] [Spectre V1] [Spectre V2]
		393
		394	[2024: "Linux Kernel Meltdown Mitigation Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/01/linux-kernel-meltdown-mitigation-analysis.html) [article] [Meltdown]
		395
378	[2024: "Out of the kernel, into the tokens" by Max Ammann and Emilio Lopez](https://blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/) [article]	396	[2024: "Out of the kernel, into the tokens" by Max Ammann and Emilio Lopez](https://blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/) [article]
379		397
380	[2023: "The code that wasn’t there: Reading memory on an Android device by accident" by Man Yue Mo](https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-an-android-device-by-accident/) [article] [CVE-2022-25664]	398	[2023: "The code that wasn’t there: Reading memory on an Android device by accident" by Man Yue Mo](https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-an-android-device-by-accident/) [article] [CVE-2022-25664]
@@ -424,9 +442,19 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
424		442
425	### LPE	443	### LPE
426		444
427	[2024: "Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel" by Pedro Pinto](https://www.figma.com/deck/GyXCgKKy6rMuY7NVZtInjY/Unleadhing-a-Oday---Osec?node-id=13-225) [slides] [CVE-2024-41010]	445	[2024: "The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit" by Seth Jenkins](https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html) [article] [CVE-2024-38402] [CVE-2024-21455] [CVE-2024-33060] [CVE-2024-49848] [CVE-2024-43047]
		446
		447	[2024: "OtterRoot: Netfilter Universal Root 1-day" by Pedro Pinto](https://osec.io/blog/2024-11-25-netfilter-universal-root-1-day) [article] [CVE-2024-26809]
		448
		449	[2024: "How I use a novel approach to exploit a limited OOB on Ubuntu at Pwn2Own Vancouver 2024" by Pumpkin Chang](https://u1f383.github.io/slides/talks/2024_POC-How_I_use_a_novel_approach_to_exploit_a_limited_OOB_on_Ubuntu_at_Pwn2Own_Vancouver_2024.pdf) [slides] [CVE-UNKNOWN]
428		450
429	[2024: "Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel" by Mingi Cho and Wongi Lee](https://www.hexacon.fr/slides/Cho_Lee-Utilizing_Cross-CPU_Allocation_to_Exploit_Preempt-Disabled_Linux_Kernel.pdf) [slides] [CVE-2023-31248] [CVE-2024-36978]	451	[2024: "GPUAF - Two ways of Rooting All Qualcomm based Android phones" by Pan Zhenpeng and Jheng Bing Jhong](https://powerofcommunity.net/poc2024/Pan%20Zhenpeng%20&%20Jheng%20Bing%20Jhong,%20GPUAF%20-%20Two%20ways%20of%20rooting%20All%20Qualcomm%20based%20Android%20phones.pdf) [slides] [CVE-2024-23380] [CVE-2024-23373]
		452
		453	[2024: "Breaking through the cage: Get Android universal root by B-PUAF" by Lu Yutao and Ling Hanqin](https://powerofcommunity.net/poc2024/Hanqin%20Ling%20&%20Yutao%20Lu,%20Breaking%20through%20the%20cage%20-%20Get%20Android%20Universal%20Root%20by%20B-PUAF.pdf) [slides] [CVE-2024-46740]
		454
		455	[2024: "Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel" by Pedro Pinto](https://www.figma.com/deck/GyXCgKKy6rMuY7NVZtInjY/Unleadhing-a-Oday---Osec?node-id=13-225) [slides] [[video](https://www.youtube.com/watch?v=bxJhlwGjwWQ)] [CVE-2024-41010]
		456
		457	[2024: "Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel" by Mingi Cho and Wongi Lee](https://www.hexacon.fr/slides/Cho_Lee-Utilizing_Cross-CPU_Allocation_to_Exploit_Preempt-Disabled_Linux_Kernel.pdf) [slides] [CVE-2023-31248] [[video](https://www.youtube.com/watch?v=dUdU0lp35xU)] [CVE-2024-36978]
430		458
431	[2024: "1day vuln dev: DirtyCOW"](https://www.youtube.com/watch?v=lQOiH-43zOc) [video] [CVE-2016-5195]	459	[2024: "1day vuln dev: DirtyCOW"](https://www.youtube.com/watch?v=lQOiH-43zOc) [video] [CVE-2016-5195]
432		460
@@ -440,7 +468,9 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
440		468
441	[2024: "CVE-2022-22265 Samsung npu driver" by Javier P Rufo](https://soez.github.io/posts/CVE-2022-22265-Samsung-npu-driver/) [article] [CVE-2022-22265]	469	[2024: "CVE-2022-22265 Samsung npu driver" by Javier P Rufo](https://soez.github.io/posts/CVE-2022-22265-Samsung-npu-driver/) [article] [CVE-2022-22265]
442		470
443	[2024: "The Way to Android Root: Exploiting Your GPU On Smartphone" by Xiling Gong, Xuan Xing, and Eugene Rodionov](https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24-Gong-The-Way-to-Android-Root-Wednesday.pdf) [slides] [CVE-2024-23380]	471	[2024: "The Way to Android Root: Exploiting Your GPU On Smartphone" by Xiling Gong, Xuan Xing, and Eugene Rodionov](https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24-Gong-The-Way-to-Android-Root-Wednesday.pdf) [slides] [[video](https://www.youtube.com/watch?v=BN07rjaNqXk)] [CVE-2024-23380]
		472
		473	[2024: "Clash, Burn, and Exploit: Manipulate Filters to Pwn kernelCTF" by HexRabbit](https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20HexRabbit%20Chen%20-%20Clash%2C%20Burn%2C%20and%20Exploit%20-%20Manipulate%20Filters%20to%20Pwn%20kernelCTF.pdf) [slides] [[video](https://www.youtube.com/watch?v=_1DTkkaNqfM)] [CVE-2024-26925]
444		474
445	[2024: "A deep dive into CVE-2023-2163: How we found and fixed an eBPF Linux Kernel Vulnerability" by Juan Jose Lopez Jaimez and Meador Inge](https://bughunters.google.com/blog/6303226026131456/a-deep-dive-into-cve-2023-2163-how-we-found-and-fixed-an-ebpf-linux-kernel-vulnerability) [article] [CVE-2023-2163]	475	[2024: "A deep dive into CVE-2023-2163: How we found and fixed an eBPF Linux Kernel Vulnerability" by Juan Jose Lopez Jaimez and Meador Inge](https://bughunters.google.com/blog/6303226026131456/a-deep-dive-into-cve-2023-2163-how-we-found-and-fixed-an-ebpf-linux-kernel-vulnerability) [article] [CVE-2023-2163]
446		476
@@ -942,6 +972,28 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
942		972
943	### Other	973	### Other
944		974
		975	[2025: "Some Casual Notes for CVE-2024-26921" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/04/some-casual-notes-for-cve-2024-26921.html) [article] [CVE-2024-26921]
		976
		977	[2024: "Linux Kernel ICMPv6 & CVE-2023-6200" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/04/linux-kernel-icmpv6-and-cve-2023-6200.html) [article] [CVE-2023-6200]
		978
		979	[2024: "Linux Kernel Perf CVE-2023-5717 Quick Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/17/linux-kernel-perf-cve-2023-5717-quick-analysis.html) [article] [CVE-2023-5717]
		980
		981	[2024: "A Quick Note for Perf CVE-2024-46713" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/15/a-quick-note-for-perf-cve-2024-46713.html) [article] [CVE-2024-46713]
		982
		983	[2024: "Linux Kernel Perf CVE-2023-6931 Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/14/linux-kernel-perf-cve-2023-6931-analysis.html) [article] [CVE-2023-6931]
		984
		985	[2024: "Linux Kernel Vsock 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/12/linux-kernel-vsock-1-day-analysis.html) [article] [CVE-UNKNOWN]
		986
		987	[2024: "Three Linux net/sched 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/09/05/three-linux-net_sched-1-day-analysis.html) [article] [CVE-2024-36974] [CVE-2023-0590]
		988
		989	[2024: "Two Linux net/sched 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/31/two-linux-net_sched-1-day-analysis.html) [article] [CVE-2024-36978]
		990
		991	[2024: "CVE-2024-41010 - Linux net/sched UAF 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/07/29/cve-2024-41010-linux-net_sched-uaf-1-day-analysis.html) [article] [CVE-2024-41010]
		992
		993	[2024: "Linux eBPF Design and Vulnerability Case Study" by Pumpkin Chang](https://u1f383.github.io/linux/2024/07/12/linux-eBPF-design-and-vulnerability-case-study-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2024/07/20/linux-eBPF-design-and-vulnerability-case-study-part-2.html)] [CVE-2024-41009] [CVE-2022-23222] [CVE-2023-52447]
		994
		995	[2024: "Linux Kernel: TOCTOU in Exec System" by Marco Vanotti](https://github.com/google/security-research/security/advisories/GHSA-c45w-xwww-rfgg) [article] [CVE-2024-43882]
		996
945	[2024: "CVE-2024-26926 Analysis" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernel-nday/blob/main/CVE-2024-26926/CVE_2024_26926_Analysis.pdf) [article] [CVE-2024-26926]	997	[2024: "CVE-2024-26926 Analysis" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernel-nday/blob/main/CVE-2024-26926/CVE_2024_26926_Analysis.pdf) [article] [CVE-2024-26926]
946		998
947	[2024: "CVE-2024-44068: Samsung m2m1shot_scaler0 device driver page use-after-free in Android"](https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2024/CVE-2024-44068.html) [article] [CVE-2024-44068]	999	[2024: "CVE-2024-44068: Samsung m2m1shot_scaler0 device driver page use-after-free in Android"](https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2024/CVE-2024-44068.html) [article] [CVE-2024-44068]
@@ -1031,6 +1083,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
1031		1083
1032	## Finding Bugs	1084	## Finding Bugs
1033		1085
		1086	[2024: "CountDown: Refcount-guided Fuzzing for Exposing Temporal Memory Errors in Linux Kernel" by Shuangpeng Bai et al.](https://huhong789.github.io/papers/bai:countdown.pdf) [paper]
		1087
		1088	[2024: "A Little Goes a Long Way: Tuning Configuration Selection for Continuous Kernel Fuzzing" by Sanan Hasanov et al.](https://paulgazzillo.com/papers/icse25.pdf) [paper]
		1089
		1090	[2024: "Hunting Bugs in Linux Kernel With KASAN: How to Use it & What's the Benefit?" by Slava Moskvin](https://slavamoskvin.com/hunting-bugs-in-linux-kernel-with-kasan-how-to-use-it-whats-the-benefit/) [article]
		1091
		1092	[2024: "Finding Bugs in Kernel" by Slava Moskvin](https://slavamoskvin.com/finding-bugs-in-kernel.-part-1-crashing-a-vulnerable-driver-with-syzkaller/) [article] [[part 2](https://slavamoskvin.com/finding-bugs-in-kernel.-part-2-fuzzing-the-actual-kernel/)]
		1093
		1094	[2024: "OZZ: Identifying Kernel Out-of-Order Concurrency Bugs with In-Vivo Memory Access Reordering" by Dae R. Jeong et al.](https://dl.acm.org/doi/pdf/10.1145/3694715.3695944) [paper]
		1095
		1096	[2024: "Fuzzing the EBPF Subsystem" by Zac Ecob](https://www.youtube.com/watch?v=bww1HkBiYpA) [video]
		1097
1034	[2024: "Head First Reporting of Linux Kernel CVEs: Practical Use of the Kernel Fuzzer" by Yunseong Kim](https://static.sched.com/hosted_files/sosscdjapan2024/7a/Head%20First%20Reporting%20of%20Linux%20Kernel%20CVEs%20-%20sosscj24.pdf) [slides]	1098	[2024: "Head First Reporting of Linux Kernel CVEs: Practical Use of the Kernel Fuzzer" by Yunseong Kim](https://static.sched.com/hosted_files/sosscdjapan2024/7a/Head%20First%20Reporting%20of%20Linux%20Kernel%20CVEs%20-%20sosscj24.pdf) [slides]
1035		1099
1036	[2024: "Finding Bugs in Kernel. Part 1: Crashing a Vulnerable Driver with Syzkaller" by Vyacheslav Moskvin](https://www.linkedin.com/pulse/finding-bugs-kernel-part-1-crashing-vulnerable-driver-moskvin-4vwje/) [article]	1100	[2024: "Finding Bugs in Kernel. Part 1: Crashing a Vulnerable Driver with Syzkaller" by Vyacheslav Moskvin](https://www.linkedin.com/pulse/finding-bugs-kernel-part-1-crashing-vulnerable-driver-moskvin-4vwje/) [article]
@@ -1332,6 +1396,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
1332		1396
1333	["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)	1397	["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
1334		1398
		1399	[2024: "Diving into Linux kernel security" by Alexander Popov](https://a13xp0p0v.github.io/img/Alexander_Popov-H2HC-2024.pdf) [slides]
		1400
		1401	[2024: "A Decade of Low-hanging Fruit in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2024/bsidespdx/decade.pdf) [slides]
		1402
		1403	[2024: "An adventure with formal verification of Linux kernel code" by Julia Lawall](https://drive.google.com/file/d/1EWDPz9vUZF7qjk-f8fCP7lUMu4iSfstz/view) [slides] [[video](https://www.youtube.com/watch?v=n1Wqz1pQsY0)]
		1404
1335	[2024: "Diving into the kernel mitigations" by Breno Leitao](https://www.youtube.com/watch?v=srPeMl9FZI8) [video]	1405	[2024: "Diving into the kernel mitigations" by Breno Leitao](https://www.youtube.com/watch?v=srPeMl9FZI8) [video]
1336		1406
1337	[2024: "Security Features status update" by Kees Cook](https://lpc.events/event/18/contributions/1920/attachments/1547/3228/Security%20Features%20status%20update.pdf) [slides] [[video](https://www.youtube.com/watch?v=68PZz_9cPms)]	1407	[2024: "Security Features status update" by Kees Cook](https://lpc.events/event/18/contributions/1920/attachments/1547/3228/Security%20Features%20status%20update.pdf) [slides] [[video](https://www.youtube.com/watch?v=68PZz_9cPms)]
@@ -2014,6 +2084,18 @@ https://github.com/0xor0ne/awesome-list/
2014		2084
2015	## Misc	2085	## Misc
2016		2086
		2087	[2025: "Linux KASLR Entropy" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/02/linux-kaslr-entropy.html) [article]
		2088
		2089	[2024: "Approaches to determining the attack surface for fuzzing the Linux kernel" by Pavel Teplyuk and Aleksey Yakunin](https://www.e3s-conferences.org/articles/e3sconf/pdf/2024/61/e3sconf_uesf2024_03005.pdf) [paper]
		2090
		2091	[2024: "The Feasibility of Using Hardware Breakpoints To Extend the Race Window" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/29/the-feasibility-of-using-hardware-breakpoints-to-extend-the-race-window.html) [article]
		2092
		2093	[2024: "Linux Kernel Heap Spraying Over A Network Connection" by Pumpkin Chang](https://u1f383.github.io/linux/2024/06/20/linux-kernel-heap-spraying-over-a-network-connection.html) [article]
		2094
		2095	[2024: "Dashing Kernel Exploitation" by Eduardo Vela and Jordy Zomer](https://github.com/google/security-research/blob/master/analysis/kernel/slides/Dashing%20Kernel%20Exploitation-H2HC-2024.pdf) [slides] [[code](https://github.com/google/security-research/tree/master/analysis/kernel/dashboard)]
		2096
		2097	[2024: "Linux Kernel Attack Surface: beyond IOCTL. DMA-BUF" by Slava Moskvin](https://slavamoskvin.com/linux-kernel-attack-surface-beyond-ioctl.-dma-buf/) [article]
		2098
2017	[2024: "More Bang for Your Bug!" by Eduardo Vela and Space Meyer](https://docs.google.com/presentation/d/163DiKhThCTEb4Udv9FWfBQOiDtOXQHiCZ61pE-srBOw/present) [slides] [[video](https://www.youtube.com/watch?v=S0Wzy0Knw0M)]	2099	[2024: "More Bang for Your Bug!" by Eduardo Vela and Space Meyer](https://docs.google.com/presentation/d/163DiKhThCTEb4Udv9FWfBQOiDtOXQHiCZ61pE-srBOw/present) [slides] [[video](https://www.youtube.com/watch?v=S0Wzy0Knw0M)]
2018		2100
2019	[2024: "Linux Kernel CVEs, What Has Caused So Many to Suddenly Show Up?" by Greg Kroah-Hartman](https://git.sr.ht/~gregkh/presentation-security/blob/main/security-stuff.pdf) [slides] [[video](https://www.youtube.com/watch?v=Rg_VPMT0XXw)]	2101	[2024: "Linux Kernel CVEs, What Has Caused So Many to Suddenly Show Up?" by Greg Kroah-Hartman](https://git.sr.ht/~gregkh/presentation-security/blob/main/security-stuff.pdf) [slides] [[video](https://www.youtube.com/watch?v=Rg_VPMT0XXw)]