Skip to content

A collection of links related to Linux kernel security and exploitation

License

Notifications You must be signed in to change notification settings

wechicken456/Linux-kernel-resources

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 

Repository files navigation

Linux Kernel Exploitation

A collection of links related to Linux kernel security and exploitation.

Updated bimonthly. Pull requests are welcome as well.

Follow @andreyknvl on Twitter or @[email protected] on Mastodon to be notified of updates.

Subscribe to @linkersec on Telegram, Twitter, Mastodon, or Reddit for highlights.

Trainings

See xairy.io/trainings/.

Contents

Books

2014: "Android Hacker's Handbook" by Joshua J. Drake [book]

2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani [book] [materials]

Concepts

io_uring

Authors' paper

(Examples of usage)[https://unixism.net/2020/04/io-uring-by-example-part-1-introduction/]

https://chomp.ie/Blog+Posts/Put+an+io_uring+on+it+-+Exploiting+the+Linux+Kernel

https://anatomic.rip/cve-2023-2598/#poc

Techniques

Exploitation

2024: "Binary Exploitation Notes: Kernel" by Andrej Ljubic [articles]

2024: "Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation" [paper]

2024: "GhostRace: Exploiting and Mitigating Speculative Race Conditions" [paper]

2024: "K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel" [paper]

2024: "Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems" [paper]

2023: "No Tux Given: Diving Into Contemporary Linux Kernel Exploitation" by sam4k [slides]

2023: "Linux Kernel Exploitation series" by santaclz [article] [part2] [part 3]

2023: "RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections" [paper]

2023: "Understanding Dirty Pagetable - m0leCon Finals 2023 CTF Writeup" [article]

2023: "Abusing RCU callbacks with a Use-After-Free read to defeat KASLR" [article]

2023: "Evils in the Sparse Texture Memory: Exploit Kernel Based on Undefined Behaviors of Graphic APIs" [slides] [abstract]

2023: "Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming" by Seunghun Han [slides]

2023: "Make KSMA Great Again: The Art of Rooting Android devices by GPU MMU features" by Yong Wang [video] [slides]

2023: "A new method for container escape using file-based DirtyCred" by Choo Yi Kai [article]

2023: "prctl anon_vma_name: An Amusing Linux Kernel Heap Spray" by Cherie-Anne Lee [article]

2023: "Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel" by Nicolas Wu [article]

2023: "Exploit Engineering – Attacking the Linux Kernel" by Alex Plaskett and Cedric Halbronn [slides] [video]

2023: "Algorithmic Heap Layout Manipulation in the Linux Kernel" by Max Ufer and Daniel Baier [paper] [artifacts]

2023: "The Return of Stack Overflows in the Linux Kernel" by Davide Ornaghi [slides] [video]

2023: "Exploiting null-dereferences in the Linux kernel" by Seth Jenkins [article]

2023: "PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique" [paper] [video]

2023: "Linux Kernel PWN | 06 DirtyCred" [article]

2023: "Linux Kernel PWN | 05 ret2dir" [article]

2022: "Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache" [slides] [video]

2022: "Devils Are in the File Descriptors: It Is Time To Catch Them All" by Le Wu [slides] [video]

2022: "FUSE for Linux Exploitation 101" [article]

2022: "Kernel Exploit Recipes" [brochure]

2022: "pipe_buffer arbitrary read write" by Jayden R [article]

2022: "Joy of exploiting the Kernel" [slides]

2022: "An exploit primitive in the Linux kernel inspired by DirtyPipe" [article]

2022: "DirtyCred: Escalating Privilege in Linux Kernel" [paper] [slides] [artifacts]

2022: "DirtyCred: Cautious! A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe" [slides] [artifacts]

2022: "CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel" [article]

2022: "Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage" [article]

2022: "USMA: Share Kernel Code With Me" by Yong Liu, Jun Yao, and Xiaodong Wang [slides] [paper] [article]

2022: "Linux kernel heap feng shui in 2022" by Michael S and Vitaly Nikolenko [article]

2022: "LiKE: A Series on Linux Kernel Exploitation" by sam4k [article] [modprobe_path]

2022: "Racing against the clock -- hitting a tiny kernel race window" by Jann Horn [article]

2022: "Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability" [paper] [artifacts]

2022: "Learning Linux kernel exploitation" by 0x434b [article] [part 2]

2021: "ExpRace: Exploiting Kernel Races through Raising Interrupts" at USENIX [paper] [slides] [video]

2021: "Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel" [article] [part2]

2021: "Linux Kernel Exploitation Technique: Overwriting modprobe_path" [article]

2021: "Learning Linux Kernel Exploitation" [article] [part 2] [part 3]

2020: "PTMA (Page Table Manipulation Attack): Attacking the core of memory permission" [slides]

2020: "Exploiting Kernel Races Through Taming Thread Interleaving" [slides] [video]

2020: "Locating the kernel PGD on Android/aarch64" by Vitaly Nikolenko [article]

2020: "A Systematic Study of Elastic Objects in Kernel Exploitation" [paper] [video]

2020: "Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers" [slides] [paper] [video]

2020: "BlindSide: Speculative Probing: Hacking Blind in the Spectre Era" [paper]

2020: "Linux Kernel Stack Smashing" by Silvio Cesare [article]

2020: "Structures that can be used in kernel exploits" [article]

2019: "The Route to Root: Container Escape Using Kernel Exploitation" by Nimrod Stoler [article]

2019: "Linux Kernel: the ROP Exploit of Stack Overflow in Android Kernel" [article]

2019: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen at Black Hat Europe [slides] [code]

2019: "SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel" by Yueqi (Lewis) Chen and Xinyu Xing [slides] [paper]

2019: "Exploiting Race Conditions Using the Scheduler" by Jann Horn at Linux Security Summit EU [slides] [video]

2019: "Kepler: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities" [slides] [video] [paper]

2019: "Leak kernel pointer by exploiting uninitialized uses in Linux kernel" by Jinbum Park [slides]

2019: "Kernel IDT priviledge escalation" [article]

2018: "FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities" [slides] [paper]

2018: "Linux Kernel universal heap spray" by Vitaly Nikolenko [article]

2018: "Linux-Kernel-Exploit Stack Smashing" [article]

2018: "Entering God Mode  -  The Kernel Space Mirroring Attack" [article]

2018: "Mirror Mirror: Rooting Android 8 with a Kernel Space Mirroring Attack" by Wang Yong at HitB [slides]

2018: "KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features" by Wang Yong at BlackHat [slides]

2018: "Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation" [paper]

2018: "linux kernel pwn notes" [article]

2018: "Use of timer_list structure in linux kernel exploit" [article]

2018: "Entering God Mode — The Kernel Space Mirroring Attack" [article]

2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune [slides] [video] [paper]

2017: "Kernel Driver mmap Handler Exploitation" by Mateusz Fruba [paper]

2017: "Linux kernel addr_limit bug / exploitation" by Vitaly Nikolenko [video]

2017: "The Stack Clash" by Qualys Research Team [article]

2017: "New Reliable Android Kernel Root Exploitation Techniques" [slides]

2017: "Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying" [paper]

2017: "Breaking KASLR with perf" by Lizzie Dixon [article]

2017: "Linux kernel exploit cheetsheet" [article]

2016: "Getting Physical Extreme abuse of Intel based Paging Systems" by Nicolas Economou and Enrique Nissim [slides]

2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko [article] [exercise]

2016: "Linux Kernel ROP - Ropping your way to # (Part 2)" by Vitaly Nikolenko [article]

2016: "Exploiting COF Vulnerabilities in the Linux kernel" by Vitaly Nikolenko at Ruxcon [slides]

2016: "Using userfaultfd" by Lizzie Dixon [article]

2016: "Direct Memory Attack the Kernel" by Ulf Frisk at DEF CON [video]

2016: "Randomization Can't Stop BPF JIT Spray" by Elena Reshetova at Black Hat [slides] [video] [paper]

2015: "Kernel Data Attack is a Realistic Security Threat" [paper]

2015: "From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel" [paper]

2015: "Modern Binary Exploitation: Linux Kernel Exploitation" by Patrick Biernat [slides] [exercise]

2013: "Hacking like in the Movies: Visualizing Page Tables for Local Exploitation" at Black Hat

2013: "Exploiting linux kernel heap corruptions" by Mohamed Channam [article]

2012: "Writing kernel exploits" by Keegan McAllister [slides]

2012: "Understanding Linux Kernel Vulnerabilities" by Richard Carback [slides]

2012: "A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator" by Dan Rosenberg [paper]

2012: "Attacking hardened Linux systems with kernel JIT spraying" by Keegan McAllister [article] [code 1] [code 2]

2012: "The Linux kernel memory allocators from an exploitation perspective" by Patroklos Argyroudis [article]

2012: "The Stack is Back" by Jon Oberheide [slides]

2012: "Stackjacking" by Jon Oberheide and Dan Rosenberg [slides]

2011: "Stackjacking Your Way to grsec/PaX Bypass" by Jon Oberheide [article]

2010: "Much ado about NULL: Exploiting a kernel NULL dereference" [article]

2010: "Exploiting Stack Overflows in the Linux Kernel" by Jon Oberheide [article]

2010: "Linux Kernel Exploitation: Earning Its Pwnie a Vuln at a Time" by Jon Oberheide at SOURCE Boston [slides]

2009: "There's a party at ring0, and you're invited" by Tavis Ormandy and Julien Tinnes at CanSecWest [slides]

2007: "Kernel-mode exploits primer" by Sylvester Keil and Clemens Kolbitsch [paper]

2007: "Attacking the Core : Kernel Exploiting Notes" [article]

2007: "The story of exploiting kmalloc() overflows" [article]

2007: "Linux 2.6 Kernel Exploits" by Stephane Duverger [slides]

2005: "Large memory management vulnerabilities" by Gael Delalleau at CancSecWest [slides]

2005: "The story of exploiting kmalloc() overflows" [article]

Protection Bypasses

2024: "TikTag: Breaking ARM's Memory Tagging Extension with Speculative Execution" by Juhee Kim et al. [paper] [code]

2023: "Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation" [paper]

2023: "MTE As Implemented, Part 3: The Kernel" by Mark Brand [article]

2023: "Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming" by Seunghun Han [slides]

2023: "MTE As Implemented, Part 3: The Kernel" by Mark Brand [article]

2023: "EPF: Evil Packet Filter" by Di Jin, Vaggelis Atlidakis, and Vasileios P. Kemerlis [paper]

2023: "Bypassing SELinux with init_module" by Sean Pesce [article]

2023: "Finding Gadgets for CPU Side-Channels with Static Analysis Tools" by Jordy Zomer and Alexandra Sandulescu [article]

2023: "Linux Kernel: Spectre-v1 gadgets" by Jordy Zomer and Alexandra Sandulescu [article]

2023: "Linux Kernel: Spectre v2 SMT mitigations problem" by Eduardo Vela [article]

2022: "A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data" [slides]

2022: "Tetragone: A Lesson in Security Fundamentals" by Pawel Wieczorkiewicz and Brad Spengler [article]

2021: "Characterizing, Exploiting, and Detecting DMA Code Injection Vulnerabilities in the Presence of an IOMMU" [paper]

2021: "A General Approach to Bypassing Many Kernel Protections and its Mitigation" by Yueqi Chen [slides] [video]

2021: "Attacking Samsung RKP" by Alexandre Adamski [article]

2020: "Things not to do when using an IOMMU" by Ilja van Sprundel and Joseph Tartaro [video]

2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko [article]

2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs" [paper]

2020: "Weaknesses in Linux Kernel Heap Hardening" by Silvio Cesare [article]

2020: "An Analysis of Linux Kernel Heap Hardening" by Silvio Cesare [article]

2020: "PAN: Another day, another broken mitigation" by Siguza [article]

2019: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You at PoC [slides]

2017: "Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection" by Gal Beniamini [article]

2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric" [article]

2016: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko at KIWICON [slides]

2016: "Micro architecture attacks on KASLR" by Anders Fogh" [article]

2016: "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR" by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh [slides]

2016: "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR" by Daniel Gruss, Clementine Maurice, Anders Fogh, Moritz Lipp and Stefan Mangard at CCS [video]

2016: "Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process" at Black Hat [video]

2016: "Breaking KASLR with Intel TSX" Yeongjin Jang, Sangho Lee and Taesoo Kim at Black Hat [slides] [video]

2016: "Breaking KASLR with micro architecture" by Anders Fogh [article]

2015: "Effectively bypassing kptr_restrict on Android" by Gal Beniamini [article]

2014: "ret2dir: Deconstructing Kernel Isolation" by Vasileios P. Kemerlis, Michalis Polychronakis and Angelos D. Keromytis at Black Hat Europe [paper] [video]

2013: "A Linux Memory Trick" by Dan Rosenberg [article]

2011: "SMEP: What is It, and How to Beat It on Linux" by Dan Rosenberg [article]

2009: "Bypassing Linux' NULL pointer dereference exploit prevention (mmap_min_addr)" [article]

Vulnerabilities

Project Zero bug reports

Linux Kernel CVEs

Assorted advisories by Gyorgy Miru and kutyacica

Info-leaks

2024: "Out of the kernel, into the tokens" by Max Ammann and Emilio Lopez [article]

2023: "The code that wasn’t there: Reading memory on an Android device by accident" by Man Yue Mo [article] [CVE-2022-25664]

2023: "EntryBleed: A Universal KASLR Bypass against KPTI on Linux" [paper] [CVE-2022-4543]

2022: "EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)" [article] [CVE-2022-4543]

2022: "Yet another bug into Netfilter" by Arthur Mongodin [article] [CVE-2022-1972]

2022: "The AMD Branch (Mis)predictor: Just Set it and Forget it!" by Pawel Wieczorkiewicz [article] [Spectre]

2022: "The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341)" by Pawel Wieczorkiewicz [article] [Spectre]

2021: "Samsung S10+/S9 kernel 4.14 (Android 10) Kernel Function Address (.text) and Heap Address Information Leak" [article] [CVE-TBD]

2021: "Linux Kernel /proc/pid/syscall information disclosure vulnerability" [article] [CVE-2020-28588]

2021: "Spectre exploits in the "wild"" [article]

2021: "VDSO As A Potential KASLR Oracle" by Philip Pettersson and Alex Radocea [article]

2020: "PLATYPUS: Software-based Power Side-Channel Attacks on x86" [paper]

2019: "CVE-2018-3639 / CVE-2019-7308 - Analysis of Spectre Attacking Linux Kernel ebpf" [article] [CVE-2018-3639, CVE-2019-7308]

2019: "From IP ID to Device ID and KASLR Bypass (Extended Version)" [paper]

2018: "Kernel Memory disclosure & CANVAS Part 1 - Spectre: tips & tricks" [article] [Spectre]

2018: "Kernel Memory disclosure & CANVAS Part 2 - CVE-2017-18344 analysis & exploitation notes" [article] [CVE-2017-18344]

2018: "CVE-2017-18344: Exploiting an arbitrary-read vulnerability in the Linux kernel timer subsystem" by Andrey Konovalov [article] [CVE-2017-18344]

2017: "Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer" by Alexander Potapenko [announcement] [CVE-2017-1000380]

2017: "The Infoleak that (Mostly) Wasn't" by Brad Spengler [article] [CVE-2017-7616]

2016: "Exploiting a Linux Kernel Infoleak to bypass Linux kASLR" [article]

2010: "Linux Kernel pktcdvd Memory Disclosure" by Jon Oberheide [article] [CVE-2010-3437]

2009: "Linux Kernel x86-64 Register Leak" by Jon Oberheide [article] [CVE-2009-2910]

2009: "Linux Kernel getname() Stack Memory Disclosures" by Jon Oberheide [article] [CVE-2009-3001]

LPE

2024: "Driving forward in Android drivers" by Seth Jenkins [article] [video] [CVE-2023-32837] [CVE-2023-32832]

2024: "Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938" by Eugene Rodionov, Zi Fan Tan, and Gulshan Singh [article] [CVE-2023-20938]

2024: "How to Fuzz Your Way to Android Universal Root: Attacking Android Binder" by Eugene Rodionov and Zi Fan Tan [slides] [video] [CVE-2023-20938]

2024: "Linux Kernel nft_validate_register_store Integer Overflow Privilege Escalation" [article] [CVE-UNKNOWN]

2024: "Game of Cross Cache: Let's win it in a more effective way!" by Le Wu [slides] [CVE-2023-21400]

2024: "LinkDoor: A Hidden Attack Surface in the Android Netlink Kernel Modules" by Chao Ma et al. [slides] [CVE-2023-32878] [CVE-2023-32882]

2024: "Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques" by notselwyn [article] [exploit] [CVE-2024-1086]

2024: "64 bytes and a ROP chain – A journey through nftables" by Davide Ornaghi [article] [part 2] [exploit] [CVE-2023-0179]

2024: "Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu" by Oriol Castejon [CVE-2024-0582]

2024: "CVE-2022-2586 Writeup" [article] [CVE-2022-2586]

2024: "n_gsm_exploit" [article]

2024: "The tale of a GSM Kernel LPE" [article] [exploit] [notes] [discussion]

2024: "Gaining kernel code execution on an MTE-enabled Pixel 8" by Man Yue Mo [article] [exploit] [CVE-2023-6241]

2024: "Mali GPU Kernel LPE: Android 14 kernel exploit for Pixel7/8 Pro" by Mohamed Ghannam [article] [CVE-2023-26083]

2023: "Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability (CVE-2023-6546)" by Nassim Asrir [CVE-2023-6546]

2023: "Conquering the memory through io_uring - Analysis of CVE-2023-2598" [article] [exploit] [CVE-2023-2598]

2023: "Conquering a Use-After-Free in nf_tables: Detailed Analysis and Exploitation of CVE-2022-32250" by Yordan Stoychev [article] [CVE-2022-32250]

2023: "One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability" [slides] [abstract] [CVE-2023-3390]

2023: "Exploiting a bug in the Linux kernel with Zig" by Richard Palethorpe [article] [video] [CVE-2023-0461]

2023: "Escaping the Google kCTF Container with a Data-Only Exploit" by h0mbre [article] [CVE-2022-3910]

2023: "Analyzing a Modern In-the-wild Android Exploit" by Seth Jenkins [article] [CVE-2023-0266] [CVE-2023-26083]

2023: "Google: Security Research: CVE-2023-3390 [article] [CVE-2023-3390]

2023: "Google: Security Research: CVE-2023-0461 [article] [CVE-2023-0461]

2023: "Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023" by Tanguy Dubroca [article] [CVE-2023-35001]

2023: "Linux Kernel Exploit (CVE-2022–32250) with mqueue" [article] [CVE-2022–32250]

2023: "Bad io_uring: A New Era of Rooting for Android" by Zhenpeng Lin [slides] [video] [CVE-2022-20409]

2023: "CVE-2023-3389 - LinkedPoll" by Querijn Voet [article] [CVE-2023-3389]

2023: "GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux" by Sagi Tzadik and Shir Tamari [article] [CVE-2023-2640] [CVE-2023-32629]

2023: "StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability" by Ruihan Li [article] [CVE-2023-3269]

2023: "No CVE for this. It has never been in the official kernel" [article]

2023: "CVE-2020-27786 exploitation userfaultfd + patching file struct etc passwd" [article] [CVE-2020-27786]

2023: "Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability" by Vu Thi Lan [article] [CVE-2023-1829]

2023: "CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver" [article] [CVE-2023-2008]

2023: "Rooting with root cause: finding a variant of a Project Zero bug" by Man Yue Mo [article] [CVE-2022-46395]

2023: "Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel" by Moshe Kol [article] [slides] [video] [exploit] [CVE-2022-20421]

2023: "Two bugs with one PoC: Roo2ng Pixel 6 from Android 12 to Android 1" by Yong Wang [slides] [CVE-2021-28664]

2023: "The OverlayFS vulnerability CVE-2023-0386: Overview, detection, and remediation" [article] [CVE-2023-0386]

2023: "Pwning Pixel 6 with a leftover patch" by Man Yue Mo [article] [GHSL-2023-005]

2023: "Revisiting CVE-2017-11176" by Nils Ole Timm [article] [CVE-2017-11176]

2023: "Rooting the FiiO M6" by Jack Maginnes [article] [part 2] [video]

2023: "Exploiting CVE-2021-3490 for Container Escapes" by Karsten Kyonig [article] [CVE-2021-3490]

2023: "Pwning the all Google phone with a non-Google bug" [article] [CVE-2022-38181]

2022: "CVE-2022-1015: A validation flaw in Netfilter leading to Local Privilege Escalation" by Yordan Stoychev [article] [CVE-2022-1015]

2022: "CVE-2022-22265: Samsung NPU device driver double free in Android" by Xingyu Jin [article] [CVE-2022-22265]

2022: "Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg" by Sergi Martinez [article] [CVE-2022-32250]

2022: "Exploiting CVE-2022-42703 - Bringing back the stack attack" by Seth Jenkins [article] [CVE-2022-42703]

2022: "CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF" [article] [CVE-2022-2602]

2022: "DirtyCred Remastered: how to turn an UAF into Privilege Escalation" [article] [CVE-2022-2602]

2022: "Exploiting cross table object reference in Linux Netfilter table (NFT) module" [slides] [CVE-2022-2078] [CVE-2022-2586]

2022: "Linux Kernel n-day exploit development" [article] [CVE-2020-27786]

2022: "Linux Kernel Exploit Development: 1day case study" by Alessandro Groppo [article] [CVE-2020-27786]

2022: "[CVE-2022-1786] A Journey To The Dawn" [article] [CVE-2022-1786]

2022: "A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain" by Maddie Stone [article] [CVE-2021-25369] [CVE-2021-25370]

2022: "Attacking the Android kernel using the Qualcomm TrustZone" by Tamir Zahavi-Brunner [article] [video] [CVE-2021-1961]

2022: "SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)" [article] [slides] [video] [CVE-2022-32250]

2022: "Linux Kernel Exploit (CVE-2022-32250) with mqueue" [article] [CVE-2022-32250]

2022: "N-day exploit for CVE-2022-2586: Linux kernel nft_object UAF" by Alejandro Guerrero [article] [CVE-2022-2586]

2022: "Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021" [slides] [CVE-2021-0920]

2022: "CVE-2022-29582: An io_uring vulnerability" by Awarau and David Bouman [article] [CVE-2022-29582]

2022: "Linux kernel io_uring module pbuf_ring vulnerability and privilege escalation 0day" [article]

2022: "Corrupting memory without memory corruption" by Man Yue Mo [article] [CVE-2022-20186]

2022: "[CVE-2022-34918] A crack in the Linux firewall" by Arthur Mongodin [article] [CVE-2022-34918] [exploit]

2022: "CVE-2022-34918: netfilter analysis notes" [article] [CVE-2022-34918]

2022: "Practice of USMA-based Kernel Universal EXP Writing Ideas on CVE-2022-34918" [article] [CVE-2022-34918]

2022: "The Android kernel mitigations obstacle race" by Man Yue Mo [article] [CVE-2022-22057]

2022: "io_uring - new code, new bugs, and a new exploit technique" by Lam Jun Rong [article] [CVE-2021-41073]

2022: "Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)" by lolcads [article] [CVE-2022-0847]

2022: "DirtyPipe-Android/TECHNICAL-DETAILS.md" by polygraphene [article] [CVE-2022-0847]

2022: "Weaponizing dirtypipe on android" by Giovanni Rocca [slides] [exploit] [CVE-2022-0847]

2022: "How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables" by David Bouman [CVE-2022-1015] [CVE-2022-1016]

2022: "The Discovery and Exploitation of CVE-2022-25636" by Nick Gregory [article] [CVE-2022-25636]

2022: "CVE-2022-27666: Exploit esp6 modules in Linux kernel" by ETenal [article] [CVE-2022-27666]

2022: "Put an io_uring on it: Exploiting the Linux Kernel" by Valentina Palmiotti [article] [CVE-2021-41073]

2022: "The Dirty Pipe Vulnerability" by Max Kellermann [article] [CVE-2022-0847]

2022: "CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers" [article] [CVE-2022-0185]

2022: "CVE-2022-0185: Linux kernel slab out-of-bounds write: exploit and writeup" by Alejandro Guerrero [article] [CVE-2022-0185]

2022: "CVE-2022-0185: A Case Study" [article] [CVE-2022-0185]

2022: "CVE-2022-0185: Analysis and utilization and thinking and practice of new primitives for pipe" [article] [CVE-2022-0185]

2022: "Linux kernel Use-After-Free (CVE-2021-23134) PoC" [article] [CVE-2021-23134]

2022: "Exploiting CVE-2021-26708 (Linux kernel) with ssh" [article] [CVE-2021-26708]

2022: "exploiting CVE-2019-2215" by cutesmilee [article] [CVE-2019-2215]

2022: "Linux Kernel PWN | 02 CVE-2009-1897" [article] [CVE-2009-1897]

2021: "Your Trash Kernel Bug, My Precious 0-day" by Zhenpeng Lin [slides] [CVE-2021-3715]

2021: "[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver" [article] [CVE-2021-42008]

2021: "PWN2OWN Local Escalation of Privilege Category, Ubuntu Desktop Exploit" [article] [CVE-TBD]

2021: "Reversing and Exploiting Samsung's NPU" by Maxime Peterlin [article] [part 2] slides

2021: "Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver" by Man Yue Mo [article] [CVE-2021-1940, CVE-2021-1968, CVE-2021-1969]

2021: "Exploiting CVE-2021-43267" by Blasty [article] [CVE-2021-43267]

2021: "How a simple Linux kernel memory corruption bug can lead to complete system compromise" by Jann Horn [article] [CVE-TBD]

2021: "SuDump: Exploiting suid binaries through the kernel" by Itai Greenhut [article] [CVE-TBD]

2021: "CVE-2021-34866 Writeup" by HexRabbit [article] [CVE-2021-34866]

2021: "Kernel Pwning with eBPF: a Love Story" by Valentina Palmiotti [article] [CVE-2021-3490]

2021: "The Art of Exploiting UAF by Ret2bpf in Android Kernel" by Xingyu Jin and Richard Neal [article] [slides] [video] [CVE-2021-0399]

2021: "Internal of the Android kernel backdoor vulnerability" [article] [CVE-2021-28663]

2021: "Escape from chrome sandbox to root" [article] [CVE-2020-0423]

2021: "CVE-2017-11176" by Maher Azzouzi [article] [CVE-2017-11176]

2021: "Sequoia: A deep root in Linux's filesystem layer (CVE-2021-33909)" by Qualys Research Team [article] [CVE-2021-33909]

2021: "CVE-2021-22555: Turning \x00\x00 into 10000$" by Andy Nguyen [CVE-2021-22555, article]

2021: "Exploitation of a double free vulnerability in Ubuntu shiftfs driver (CVE-2021-3492)" by Vincent Dehors [article] [CVE-2021-3492]

2021: "CVE-2021-20226 a reference counting bug which leads to local privilege escalation in io_uring" [article] [CVE-2021–20226]

2021: "CVE-2021-32606: CAN ISOTP local privilege escalation" [article] [CVE-2021-32606]

2021: "CVE-2021-3609: CAN BCM local privilege escalation" [article] [announcement] [CVE-2021-3609]

2021: "Blue Klotski (CVE-2021-3573) and the story for fixing" by f0rm2l1n [article] [announcement] [CVE-2021-3573]

2021: "ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier" by Lucas Leong [article]

2021: "ZDI-20-1440 Writeup" by HexRabbit [article]

2021: "SSD Advisory – OverlayFS PE" [article] [CVE-2021-3493]

2021: "[BugTales] A Nerve-Racking Bug Collision in Samsung's NPU Driver" by Gyorgy Miru [article] [CVE-2020-28343, SVE-2020-18610]

2021: "CVE-2021-20226: A Reference-Counting Bug in the Linux Kernel io_uring Subsystem" by Lucas Leong [article] [CVE-2021-20226]

2021: "One day short of a full chain: Part 1 - Android Kernel arbitrary code execution" by Man Yue Mo [article] [GHSL-2020-375]

2021: "New Old Bugs in the Linux Kernel" [article] [CVE-2021-27365, CVE-2021-27363, CVE-2021-27364]

2021: "Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel" [article] [slides] [video] [CVE-2021-26708]

2021: "Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG" by Alexander Popov [article] [slides] [video]

2021: "Gaining root access in Linux using the CVE-2021-26708 vulnerability" by Markel Azpeitia Loiti [paper]

2021: "CVE-2014-3153" by Maher Azzouzi [article] [CVE-2014-3153]

2021: "The curious case of CVE-2020-14381" [article] [CVE-2020-14381]

2021: "Galaxy's Meltdown - Exploiting SVE-2020-18610" [article] [CVE-2020-28343, SVE-2020-18610]

2021: "In-the-Wild Series: Android Exploits" by Mark Brand [article]

2021: "Exploiting CVE-2014-3153 (Towelroot)" by Elon Gliksberg [article] [CVE-2014-3153]

2021: "CVE-2014-3153" by Maher Azzouzi [article] [CVE-2014-3153]

2020: "An iOS hacker tries Android" by Brandon Azad [article] [CVE-2020-28343, SVE-2020-18610]

2020: "Exploiting a Single Instruction Race Condition in Binder" [article] [CVE-2020-0423]

2020: "Three Dark clouds over the Android kernel" by Jun Yao [slides] [CVE-2020-3680]

2020: "Kernel Exploitation With A File System Fuzzer" [slides] [video] [CVE-2019-19377]

2020: "Finding and exploiting a bug (LPE) in an old Android phone" by Brandon Falk [stream] [part 2] [summary]

2020: "CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel" by Or Cohen [article] [CVE-2020-14386]

2020: "Attacking the Qualcomm Adreno GPU" by Ben Hawkes [article] [CVE-2020-11179]

2020: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong at Black Hat [slides] [paper] [CVE-2019-10567]

2020: "Binder - Analysis and exploitation of CVE-2020-0041" by Jean-Baptiste Cayrou [article] [CVE-2020-0041]

2020: "Binder IPC and its vulnerabilities" by Jean-Baptiste Cayrou at THCON [slides] [CVE-2019-2215, CVE-2019-2025, CVE-2019-2181, CVE-2019-2214, CVE-2020-0041]

2020: "Exploiting CVE-2020-0041 - Part 2: Escalating to root" by Eloi Sanfelix and Jordan Gruskovnjak [article] [CVE-2020-0041]

2020: "A bug collision tale" by Eloi Sanfelix at OffensiveCon [slides] [video] [CVE-2019-2025]

2020: "CVE-2020-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification" by Manfred Paul [article] [CVE-2020-8835]

2020: "Mitigations are attack surface, too" by Jann Horn [article]

2020: "CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem" by Alexander Popov [article] [slides] [CVE-2019-18683]

2020: "Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices" by Tamir Zahavi-Brunner [article] [CVE-2019-14040, CVE-2019-14041]

2019: "CVE-2017-16995 Analysis - eBPF Sign Extension LPE" by senyuuri [article] [CVE-2017-16995]

2019: "Kernel Research / mmap handler exploitation" by deshal3v [article] [CVE-2019-18675]

2019: "Bad Binder: Android In-The-Wild Exploit" by Maddie Stone [article] [CVE-2019-2215]

2019: "Analyzing Android's CVE-2019-2215 (/dev/binder UAF)" [article] [CVE-2019-2215]

2019: "Stream Cut: Android Kernel Exploitation with Binder Use-After-Free (CVE-2019-2215)" [video] [CVE-2019-2215]

2019: "CVE-2019-2215 - Android kernel binder vulnerability analysis" [article] [CVE-2019-2215]

2019: "Deep Analysis of Exploitable Linux Kernel Vulnerabilities" by Tong Lin and Luhai Chen at Linux Security Summit EU [video] [CVE-2017-16995, CVE-2017-10661]

2019: "Tailoring CVE-2019-2215 to Achieve Root" by Grant Hernandez [article] [CVE-2019-2215]

2019: "From Zero to Root: Building Universal Android Rooting with a Type Confusion Vulnerability" by Wang Yong [slides] [CVE-2018-9568, WrongZone]

2019: "KARMA takes a look at offense and defense: WrongZone from exploitation to repair" [article] [CVE-2018-9568, WrongZone]

2019: "Android Binder: The Bridge To Root" by Hongli Han and Mingjian Zhou [slides] [CVE-2019-2025]

2019: "The ‘Waterdrop’ in Android: A Binder Kernel Vulnerability" by Hongli Han [article] [CVE-2019-2025]

2019: "An Exercise in Practical Container Escapology" by Nick Freeman [article] [CVE-2017-1000112]

2019: "Taking a page from the kernel's book: A TLB issue in mremap()" by Jann Horn [article] [CVE-2018-18281]

2019: "CVE-2018-18281 - Analysis of TLB Vulnerabilities in Linux Kernel" [article]

2019: "Analysis of Linux xfrm Module Cross-Border Read-Write Escalation Vulnerability (CVE-2017-7184)" [article] [CVE-2017-7184]

2019: "Analysis of Escalation Vulnerability Caused by Integer Extension of Linux ebpf Module (CVE-2017-16995)" [article] [CVE-2017-16995]

2019: "Linux kernel 4.20 BPF integer overflow vulnerability analysis" [article]

2019: "Attacking DRM subsystem to gain kernel privilege on Chromebooks" by Di Shen [slides] [video] [CVE-2019-16508]

2018: "Linux kernel 4.20 BPF integer overflow-heap overflow vulnerability and its exploitation" [article]

2018: "CVE-2017-11176: A step-by-step Linux Kernel exploitation [article] [CVE-2017-11176]

2018: "A cache invalidation bug in Linux memory management" by Jann Horn [article] [CVE-2018-17182]

2018: "Dissecting a 17-year-old kernel bug" by Vitaly Nikolenko at beVX [slides] [CVE-2018-6554, CVE-2018-6555]

2018: "SSD Advisory – IRDA Linux Driver UAF" [article] [CVE-2018-6554, CVE-2018-6555]

2018: "Integer overflow in Linux's create_elf_tables()" [announcement] [CVE-2018-14634]

2018: "MMap Vulnerabilities – Linux Kernel" [article] [CVE-2018-8781]

2018: "Ubuntu kernel eBPF 0day analysis" [article] [CVE-2017-16995]

2018: "eBPF and Analysis of the get-rekt-linux-hardened.c Exploit for CVE-2017-16995" [article] [CVE-2017-16695]

2017: "Challenge Impossible -- Multiple Exploit On Android" by Hanxiang Wen and Xiaodong Wang [slides] [CVE-2017-0437]

2017: "CVE-2017-1000112: Exploiting an out-of-bounds bug in the Linux kernel UFO packets" by Andrey Konovalov [article] [CVE-2017-1000112]

2017: "Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112" by Krishs Patil [article] [CVE-2017-1000112]

2017: "Adapting the POC for CVE-2017-1000112 to Other Kernels" [article] [CVE-2017-1000112]

2017: "The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel" by Di Shen [slides] [CVE-2017-0403, CVE-2016-6787] [video]

2017: "Exploiting CVE-2017-5123 with full protections. SMEP, SMAP, and the Chrome Sandbox!" by Chris Salls [article] [CVE-2017-5123]

2017: "Exploiting CVE-2017-5123" by Federico Bento [article] [CVE-2017-5123]

2017: "Escaping Docker container using waitid() – CVE-2017-5123" by Daniel Shapira [article] [CVE-2017-5123]

2017: "LKE v4.13.x - waitid() LPE" by HyeongChan Kim [article] [CVE-2017-5123]

2017: "Exploiting on CVE-2016-6787" [article] [CVE-2016-6787]

2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov [video] [CVE-2017-2636]

2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov [slides] [CVE-2017-2636]

2017: "CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP" by Alexander Popov [article] [CVE-2017-2636]

2017: "CVE-2017-2636: local privilege escalation flaw in n_hdlc" by Alexander Popov [announcement] [CVE-2017-2636]

2017: "Dirty COW and why lying is bad even if you are the Linux kernel" [article] [CVE-2016-5195]

2017: "NDAY-2017-0103: Arbitrary kernel write in sys_oabi_epoll_wait" by Zuk Avraham [article] [CVE-2016-3857]

2017: "NDAY-2017-0106: Elevation of Privilege in NVIDIA nvhost-vic driver" by Zuk Avraham [article] [CVE-2016-2434]

2017: "PWN2OWN 2017 Linux kernel privilege escalation analysis" [article] [CVE-2017-7184]

2017: "Exploiting the Linux kernel via packet sockets" by Andrey Konovalov [article] [CVE-2017-7308]

2017: "Solving a post exploitation issue with CVE-2017-7308" [article] [CVE-2017-7308]

2017: "NDAY-2017-0105: Elevation of Privilege Vulnerability in MSM Thermal Drive" by Zuk Avraham [article] [CVE-2016-2411]

2017: "NDAY-2017-0102: Elevation of Privilege Vulnerability in NVIDIA Video Driver" by Zuk Avraham [article] [CVE-2016-2435]

2017: "CVE-2017-6074: Exploiting a double-free in the Linux kernel DCCP sockets" by Andrey Konovalov [article] [CVE-2017-6074]

2016: "CVE-2016-8655 Linux af_packet.c race condition (local root)" by Philip Pettersson [announcement] [CVE-2016-8655]

2016: "Rooting Every Android From Extension To Exploitation" by Di Shen and James Fang at Black Hat [slides] [article] [CVE-2015-0570, CVE-2016-0820, CVE-2016-2475, CVE-2016-8453]

2016: "Talk is Cheap, Show Me the Code" by James Fang, Di Shen and Wen Niu [slides] [CVE-2015-1805]

2016: "CVE-2016-3873: Arbitrary Kernel Write in Nexus 9" by Sagi Kedmi [article] [CVE-2016-3873]

2016: "Exploiting Recursion in the Linux Kernel" by Jann Horn [article] [CVE-2016-1583]

2016: "ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)" By Perception Point Research Team [article] [CVE-2016-0728]

2016: "CVE20160728 Exploit Code Explained" by Shilong Zhao [article] [CVE-2016-0728]

2016: "CVE-2016-0728 vs Android" by Collin Mulliner [article] [CVE-2016-0728]

2016: "Notes about CVE-2016-7117" by Lizzie Dixon [article] [CVE-2016-7117]

2016: "CVE-2016-2384: exploiting a double-free in the usb-midi linux kernel driver" by Andrey Konovalov [article] [CVE-2016-2384]

2016: "CVE-2016-6187: Exploiting Linux kernel heap off-by-one" by Vitaly Nikolenko [article] [CVE-2016-6187]

2016: "CVE-2014-2851 group_info UAF Exploitation" by Vitaly Nikolenko [article] [CVE-2014-2851]

2016: "Perf: From Profiling To Kernel Exploiting" by Wish Wu at HITB Ams [slides] [video] [CVE-2016-0819]

2016: "QUADROOTER: NEW VULNERABILITIES AFFECTING OVER 900 MILLION ANDROID DEVICES" [article] [CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340]

2016: "STUMPING THE MOBILE CHIPSET: New 0days from down under" by Adam Donenfeld at DEF CON [slides] [CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340]

2015: "Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)" by Gal Beniamini [article] [CVE-2014-4322]

2015: "Exploiting "BadIRET" vulnerability" by Rafal Wojtczuk [article] [CVE-2014-9322]

2015: "Follow-up on Exploiting "BadIRET" vulnerability (CVE-2014-9322)" by Adam Zabrocki [article] [CVE-2014-9322]

2015: "Ah! Universal Android Rooting Is Back" by Wen Xu at Black Hat [slides] [video] [paper] [CVE-2015-3636]

2015: "When is something overflowing" by Keen Team [slides]

2015: "Exploiting the DRAM rowhammer bug to gain kernel privileges" by Mark Seaborn and Thomas Dullien [article] [Rowhammer]

2015: "CVE-2014-4943 - PPPoL2TP DoS Analysis" by Vitaly Nikolenko [article] [CVE-2014-4943]

2015: "CVE-2015-0568: Use-After-Free Vulnerability in the Camera Driver of Qualcomm MSM 7x30" [article] [CVE-2015-0568]

2014: "Exploiting CVE-2014-0196 a walk-through of the Linux pty race condition PoC" by Samuel Gross [article] [CVE-2014-0196]

2014: "CVE-2014-4014: Linux Kernel Local Privilege Escalation "exploitation"" by Vitaly Nikolenko [article] [CVE-2014-4014]

2014: "CVE-2014-4699: Linux Kernel ptrace/sysret vulnerability analysis" by Vitaly Nikolenko [article] [CVE-2014-4699]

2014: "How to exploit the x32 recvmmsg() kernel vulnerability CVE 2014-0038" by Samuel Gross [article] [CVE-2014-0038]

2014: "Exploiting the Futex Bug and uncovering Towelroot" [article] [CVE-2014-3153]

2014: "CVE-2014-3153 Exploit" by Joel Eriksson [article] [CVE-2014-3153]

2013: "Privilege Escalation Kernel Exploit" by Julius Plenz [article] [CVE-2013-1763]

2013: "A closer look at a recent privilege escalation bug in Linux (CVE-2013-2094)" by Joe Damato [article] [CVE-2013-2094]

2012: "Linux Local Privilege Escalation via SUID /proc/pid/mem Write" by Jason Donenfeld [article] [CVE-2012-0056]

2011: "Kernel Exploitation Via Uninitialized Stack" by Kees Cook at DEF CON [slides] [video] [CVE-2010-2963]

2010: "CVE-2010-2963 v4l compat exploit" by Kees Cook [article] [CVE-2010-2963]

2010: "Exploiting large memory management vulnerabilities in Xorg server running on Linux" by Rafal Wojtczuk [article] [CVE-2010-2240]

2010: "CVE-2007-4573: The Anatomy of a Kernel Exploit" by Nelson Elhage [article] [CVE-2007-4573]

2010: "Linux Kernel CAN SLUB Overflow" by Jon Oberheide [article] [CVE-2010-2959]

2010: "af_can linux kernel overflow" by Ben Hawkes [article] [CVE-2010-2959]

2010: "linux compat vulns (part 1)" by Ben Hawkes [article] [CVE-2010-3081]

2010: "linux compat vulns (part 2)" by Ben Hawkes [article] [CVE-2010-3301]

2010: "Some Notes on CVE-2010-3081 Exploitability" [article] [CVE-2010-3081]

2010: "Anatomy of an exploit: CVE-2010-3081" [article] [CVE-2010-3081]

2010: "CVE-2010-4258: Turning denial-of-service into privilege escalation" by Nelson Elhage [article] [CVE-2010-4258]

2009: "Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692)" [article] [CVE-2009-2692]

2009: "Even when one byte matters" [article] [CVE-2009-1046]

2009: "CVE-2008-0009/CVE-2008-0010: Linux kernel vmsplice(2) Privilege Escalation" [article] [CVE-2008-0009, CVE-2008-0010]

2008: "vmsplice(): the making of a local root exploit" by Jonathan Corbet [article] [CVE-2008-0600]

2004: "Linux kernel do_mremap VMA limit local privilege escalation vulnerability" [article] [CVE-2004-0077]

RCE

2023: "Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution" by Guillaume Teissier and Quentin Minster [video] [CVE-2022-47943] [CVE-2023-2593]

2022: "Writing a Linux Kernel Remote in 2022" by Samuel Page [article] [slides] [CVE-2022-0435]

2022: "Zenith: Pwn2Own TP-Link AC1750 Smart Wi-Fi Router Remote Code Execution Vulnerability" by Axel Souchet [article] [CVE-2022-24354]

2021: "BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution" by Andy Nguyen: BadChoice, BadKarma, BadVibes [article] [CVE-2020-12352, CVE-2020-12351, CVE-2020-24490]

2017: "Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)" by Gal Beniamini [article] [CVE-2017-0569]

2017: "BlueBorn: The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks" [paper] [CVE-2017-1000251]

2016: "CVE Publication: CVE 2016-8633" by Eyal Itkin [article] [CVE-2016-8633]

2011: "Owned Over Amateur Radio: Remote Kernel Exploitation in 2011" at DEF CON [slides] [video] [CVE-2011-1493]

2009: "When a "potential D.o.S." means a one-shot remote kernel exploit: the SCTP story" [article] [CVE-2009-0065]

Other

2024: "Race condition in 9p file system" [article]

2024: "Notes about ZDI-24-195 in ksmbd" [thread] [ZDI-24-195]

2024: "PowerVR GPU - GPU Firmware may overwrite arbitrary kernel pages by RGXCreateFreeList" [report]

2024: "PowerVR GPU - UAF race conditon by DevmemIntPFNotify and DevmemIntCtxRelease" [report]

2023: "Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt" by Jean-Baptiste Cayrou [slides] [CVE-2023-2612]

2023: "Attacking NPUs of Multiple Platforms" [slides] [CVE-2022-22265] [CVE-2020-28343] [SVE-2021-20204] [CVE-2023-42483] [CVE-2023-45864]

2023: "Deep Dive: Qualcomm MSM Linux Kernel & ARM Mali GPU 0-day Exploit Attacks of October 2023" by Alisa Esage [article] [CVE-2023-33063] [CVE-2023-33106] [CVE-2023-33107] [CVE-2022-22071] [CVE-2023-4211]

2023: "Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)" by notselwyn [article] [CVE-2023-3866] [CVE-2023-3865] [exploits]

2023: "CVE-2023-4273: a vulnerability in the Linux exFAT driver" by Maxim Suhanov [article] [CVE-2023-4273]

2023: "Linux IPv6 'Route of Death' 0day" by Max VA [article] [CVE-2023-2156]

2022: "Linux Kernel: Infoleak in Bluetooth L2CAP Handling" [advisory] [CVE-2022-42895]

2022: "Linux Kernel: UAF in Bluetooth L2CAP Handshake" [advisory] [CVE-2022-42896]

2022: "Vulnerability Details for CVE-2022-41218" [article] [CVE-2022-41218]

2022: "Racing Cats to the Exit: A Boring Linux Kernel Use-After-Free" [article]

2022: "Android Universal Root: Exploiting xPU Drivers" [slides] [CVE-2022-20122] [CVE-2021-39815]

2022: "The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)" by Xingyu Jin [article] [CVE-2021-0920]

2022: "Finding bugs in the Linux Kernel Bluetooth Subsystem" by Itay Iellin [article] [part 2]

2022: "CVE-2022-0435: A Remote Stack Overflow in The Linux" by Samuel Page [article] [CVE-2022-0435]

2022: "CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers" by Max Van Amernngen [article] [CVE-2021-45608]

2021: "CVE-2021-1048: refcount increment on mid-destruction file" by Jann Horn [article] [CVE-2021-1048]

2021: "Achieving Linux Kernel Code Execution Through a Malicious USB Device" by Martijn Bogaard and Dana Geist [slides] [CVE-2016-2384]

2021: "SLUB overflow CVE-2021-42327" [article] [CVE-2021-42327]

2021: "CVE-2021-44733: Fuzzing and exploitation of a use-after-free in the Linux kernel TEE subsystem" by pjlantz [article] [poc] [CVE-2021-44733]

2021: "CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution" by Max Van Amerongen [article] [CVE-2021-43267]

2021: "An EPYC escape: Case-study of a KVM breakout" by Felix Wilhelm [article] [CVE-2021-29657]

2021: "CVE-2021-1905: Qualcomm Adreno GPU memory mapping use-after-free" by Ben Hawkes [article] [CVE-2021-1905]

2021: "A foray into Linux kernel exploitation on Android" by Ayaz Mammadov [article]

2020: "CVE-2020-16119" [article] [CVE-2020-16119]

2020: "The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220)" by Adam Zabrocki [article] [CVE-2020-14356, CVE-2020-25220]

2020: "Curiosity around 'exec_id' and some problems associated with it" by Adam Zabrocki [article]

2020: "The never ending problems of local ASLR holes in Linux" [article] [CVE-2019-11190]

2019: "Reverse-engineering Broadcom wireless chipsets" by Hugues Anguelkov [article] [CVE-2019-9503, CVE-2019-9500]

2019: "CVE-2019-2000 - Android kernel binder vulnerability analysis" [article] [CVE-2019-2000]

2019: "Linux: virtual address 0 is mappable via privileged write() to /proc/*/mem" [article] [CVE-2019-9213]

2019: "CVE-2019-9213 - Analysis of Linux Kernel User Space 0 Virtual Address Mapping Vulnerability" [article] [CVE-2019-9213]

2018: "IOMMU-resistant DMA attacks" by Gil Kupfer [thesis]

2017: "initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection" [article] [CVE-2017-1000363]

2016: "Motorola Android Bootloader Kernel Cmdline Injection Secure Boot Bypass" [article] [CVE-2016-10277]

2015: "Vulnerability in the Linux Crypto API that allows unprivileged users to load arbitrary kernel modules" by Mathias Krause [annnouncement]

Finding Bugs

2024: "So You Wanna Find Bugs In The Linux Kernel?" by Sam Page [slides]

2024: "A bug hunter's reflections on fuzzing" by Alexander Popov [slides] [video]

2024: "To Boldly Go Where No Fuzzer Has Gone Before: Finding Bugs in Linux’ Wireless Stacks through VirtIO Devices" by Sonke Huster et al. [paper] [code]

2024: "Your NVMe Had Been Syz’ed: Fuzzing NVMe-oF/TCP Driver for Linux with Syzkaller" by Alon Zavahi [article] [slides] [video]

2024: "Structure-Aware linux kernel Fuzzing with libFuzzer" [article]

2024: "Enhancing Kernel Bug Discovery with Large Language Models" by Zahra Tarkhani [slides] [video]

2024: "SyzRisk: A Change-Pattern-Based Continuous Kernel Regression Fuzzer" [paper]

2024: "SyzBridge: Bridging the Gap in Exploitability Assessment of Linux Kernel Bugs in the Linux Ecosystem" [paper]

2024: "SyzRetrospector: A Large-Scale Retrospective Study of Syzbot" [paper]

2023: "KernelGPT: Enhanced Kernel Fuzzing via Large Language Models" [paper]

2023: "SyzDirect: Directed Greybox Fuzzing for Linux Kernel" [paper]

2023: "Using ASAN and KASAN and then Interpreting their shadow memory reports" by Kaiwan N Billimoria [article]

2023: "GWP-ASan: Sampling-Based Detection of Memory-Safety Bugs in Production" [paper]

2023: "Tickling ksmbd: fuzzing SMB in the Linux kernel" by notselwyn [article]

2023: "DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing" [paper] [slides]

2023: "BoKASAN: Binary-only Kernel Address Sanitizer for Effective Kernel Fuzzing" [paper] [slides] [artifacts]

2023: "FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules [paper] [slides]

2023: "ACTOR: Action-Guided Kernel Fuzzing" [paper] [slides] [artifacts]

2023: "UNCONTAINED: Uncovering Container Confusion in the Linux Kernel" by Jakob Koschel, Pietro Borrello, et al. [paper]

2023: "KIT: Testing OS-Level Virtualization for Functional Interference Bugs" [paper]

2023: "SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers" [paper] [slides]

2023: "Precise Detection of Kernel Data Races with Probabilistic Lockset Analysis" [paper]

2023: "No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions" [paper]

2023: "FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules" [paper]

2022: "Event-based Fuzzing, Patch-based Research, and Comment Police: Finding Bugs Through a Bug" [slides] [video]

2022: "Breaking the Glass Sandbox - Find Linux Kernel Bugs and Escape" by Valentina Palmiotti at REcon [slides] [video]

2022: "Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools" by Andrey Konovalov [slides] [video] [article]

2022: "PrIntFuzz: Fuzzing Linux Drivers via Automated Virtual Device Simulation" [paper]

2022: "KSG: Augmenting Kernel Fuzzing with System Call Specification Generation" [paper]

2022: "Demystifying the Dependency Challenge in Kernel Fuzzing" [paper]

2022: "Hunting for Linux kernel public vulnerabilities" [article]

2022: "DangZero: Efficient Use-After-Free Detection via Direct Page Table Access" [paper]

2022: "How I started chasing speculative type confusion bugs in the kernel and ended up with 'real' ones" by Jakob Koschel [slides] [video]

2022: "Technical analysis of syzkaller based fuzzers: It's not about VaultFuzzer!" [article]

2022: "GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs" [paper]

2022: "An In-depth Analysis of Duplicated Linux Kernel Bug Reports" [paper]

2022: "Looking for Remote Code Execution bugs in the Linux kernel" by Andrey Konovalov [article]

2022: "Demystifying the Dependency Challenge in Kernel Fuzzing" [paper]

2022: "Progressive Scrutiny: Incremental Detection of UBI bugs in the Linux Kernel" [paper]

2022: "Syzkaller diving 01: Learn basic KCOV and how fuzzer adopts it" by f0rm2l1n [article]

2022: "Syzkaller diving 02: How syzkaller describe syscalls" by f0rm2l1n [article]

2022: "Syzkaller diving 03: What is the remote KCOV?" by f0rm2l1n [article]

2022: "Case Studies of Fuzzing with Xen" by Tamas K Lengyel at OffensiveCon [slides]

2021: "Rtkaller: State-aware Task Generation for RTOS Fuzzing" [paper]

2021: "BSOD: Binary-only Scalable fuzzing Of device Drivers" by Fabian Toepfer and Dominik Maier [paper]

2021: "LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution" at USENIX [paper] [slides]

2021: "An Analysis of Speculative Type Confusion Vulnerabilities in the Wild" at USENIX [paper] [slides] [video]

2021: "SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning" at USENIX [paper] [slides] [video]

2021: "Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking" at USENIX [paper] [slides] [video]

2021: "Ruffling the penguin! How to fuzz the Linux kernel" by Andrey Konovalov and xakep.ru [article]

2021: "CoLaFUZE: Coverage-Guided and Layout-Aware Fuzzing for Android Drivers" [paper]

2021: "CVEHound: Audit Kernel Sources for Missing CVE Fixes" by Denis Efremov [slides] [video]

2021: "Finding Multiple Bug Effects for More Precise Exploitability Estimation" by Zhenpeng Lin and Yueqi Chen [slides] [video]

2021: "Triaging Kernel Out-Of-Bounds Write Vulnerabilities" by Weiteng Chen [slides] [video]

2021: "SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs" by Xiaochen Zou [paper] [slides] [video] [lwn article]

2021: "HEALER: Relation Learning Guided Kernel Fuzzing" [paper]

2021: "Snowboard: Finding Kernel Concurrency Bugs through Systematic Inter-thread Communication Analysis" [paper]

2021: "Detecting semantic bugs using differential fuzzing" by Mara Mihali [slides] [video]

2021: "Fuzzing Linux with Xen" by Tamas K Lengyel [slides] [video]

2021: "Variant analysis of the ‘Sequoia’ bug" by Jordy Zomer [article]

2021: "KMSAN, a look under the hood" by Alexander Potapenko [slides] [video]

2021: "Detecting Kernel Memory Leaks in Specialized Modules with Ownership Reasoning" [paper]

2021: "Understanding and Detecting Disordered Error Handling with Precise Function Pairing" [paper]

2021: "KFENCE - Detecting memory bugs in production kernels" [article]

2021: "Fuzzing the Linux Kernel" by Andrey Konovalov [slides] [video]

2021: "Dynamic program analysis for fun and profit" by Dmitry Vyukov [slides] [video]

2020: "UBITect: A Precise and Scalable Method to Detect Use-before-Initialization Bugs in Linux Kernel" [paper]

2020: "RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization" [paper] [tool]

2020: "Fuzzing a Pixel 3a Kernel with Syzkaller" by senyuuri [article]

2020: "Fuzzing the Berkeley Packet Filter" by Benjamin Curt Nilsen [thesis]

2020: "syzkaller: Adventures in Continuous Coverage-guided Kernel Fuzzing" by Dmitry Vyukov at BlueHat IL [video]

2020: "syzkaller / sanitizers: status update" by Dmitry Vyukov at Linux Plumbers [slides] [video]

2020: "Fuzzing for eBPF JIT bugs in the Linux kernel" by Simon Scannell [article]

2020: "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel" [paper]

2020: "Eliminating bugs in BPF JITs using automated formal verification" by Luke Nelson [video] [slides]

2020: "Fuzzing the Linux kernel (x86) entry code, Part 1 of 3" by Vegard Nossum [article]

2020: "Fuzzing the Linux kernel (x86) entry code, Part 2 of 3" by Vegard Nossum [article]

2020: "Fuzzing the Linux kernel (x86) entry code, Part 3 of 3" by Vegard Nossum [article]

2020: "Data-race detection in the Linux kernel" by Marco Elver at Linux Plumbers [slides] [video]

2020: "harbian-qa: State-based target directed fuzzer based on syzkaller" [article]

2020: "Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints" [paper] [slides] [video] [code]

2020: "Using syzkaller, part 1: Fuzzing the Linux kernel" by Andre Almeida [article]

2020: "Using syzkaller, part 2: Detecting programming bugs in the Linux kernel" by Andre Almeida [article]

2020: "Using syzkaller, part 3: Fuzzing your changes" by Andre Almeida [article]

2020: "Using syzkaller, part 4: Driver fuzzing" by Andre Almeida [article]

2020: "Effective Detection of Sleep-in-atomic-context Bugs in the Linux Kernel" [paper]

2020: "KRACE: Data Race Fuzzing for Kernel File Systems" [paper] [video]

2020: "USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation" by Hui Peng and Mathias Payer [paper]

2020: "HFL: Hybrid Fuzzing on the Linux Kernel" [paper]

2020: "KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities" [paper]

2020: "Analyzing the Linux Kernel in Userland with AFL and KLEE" [article]

2020: "Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison" [paper] [slides] [video]

2020: "Finding Race Conditions in Kernels: from Fuzzing to Symbolic Execution" by Meng Xu [thesis]

2020: "A Hybrid Interface Recovery Method for Android Kernels Fuzzing" [paper]

2019: "perf fuzzer: Exposing Kernel Bugs by Detailed Fuzzing of a Specific System Call (2019 Update)" by Vincent M. Weaver and Dave Jones [paper]

2019: "Industry Practice of Coverage-Guided Enterprise Linux Kernel Fuzzing" [paper]

2019: "Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers" [paper]

2019: "A gentle introduction to Linux Kernel fuzzing" by Marek Majkowski [article]

2019: "Unicorefuzz: On the Viability of Emulation for Kernelspace Fuzzing" [paper]

2019: "Case study: Searching for a vulnerability pattern in the Linux kernel" by Alexander Popov [article]

2019: "Razzer: Finding Kernel Race Bugs through Fuzzing" [video] [paper]

2019: "Fuzzing File Systems via Two-Dimensional Input Space Exploration" [paper] [fuzzer]

2019: "PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary" [paper]

2019: "Hourglass Fuzz: A Quick Bug Hunting Method" [slides]

2019: "Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences" [paper] [slides]

2019: "Automatically Identifying Security Checks for Detecting Kernel Semantic Bugs" [paper]

2018: "FastSyzkaller: Improving Fuzz Efficiency for Linux Kernel Fuzzing" [paper]

2018: "Writing the worlds worst Android fuzzer, and then improving it" by Brandon Falk [article]

2018: "From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities" [slides] [paper]

2018: "MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation" [paper] [code]

2018: "Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking" by Mateusz Jurczyk [paper]

2018: "New Compat Vulnerabilities In Linux Device Drivers" at BlackHat [slides]

2018: "Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels" [paper]

2018: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko at OffensiveCon [video]

2018: "K-Miner: Uncovering Memory Corruption in Linux" [paper]

2017: "KernelMemorySanitizer (KMSAN)" by Alexander Potapenko [slides]

2017: "The android vulnerability discovery in SoC" by Yu Pan and Yang Dai [slides]

2017: "Evolutionary Kernel Fuzzing" by Richard Johnson at Black Hat USA [slides]

2017: "DIFUZE: Interface Aware Fuzzing for Kernel Drivers" [slides] [paper]

2017: "SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits" at CCS [paper]

2017: "kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels" at USENIX [paper]

2017: "How Double-Fetch Situations turn into DoubleFetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel" at USENIX [paper]

2017: "DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers" at USENIX [paper]

2016: "Using Static Checking To Find Security Vulnerabilities In The Linux Kernel" by Vaishali Thakkar [slides]

2016: "UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages" [paper]

2016: "An Analysis on the Impact and Detection of Kernel Stack Infoleaks" [paper]

2016: "Syzkaller, Future Developement" by Dmitry Vyukov at Linux Plumbers [slides]

2016: "Coverage-guided kernel fuzzing with syzkaller" [article]

2016: "Filesystem Fuzzing with American Fuzzy Lop" by Vegard Nossum and Quentin Casasnovas [slides]

2016: "Project Triforce: AFL + QEMU + kernel = CVEs! (or) How to use AFL to fuzz arbitrary VMs" at ToorCon [slides]

2015: "KernelAddressSanitizer (KASan): a fast memory error detector for the Linux kernel" by Andrey Konovalov at LinuxCon North America [slides]

2015: "Introduction to USB and Fuzzing" by Matt DuHarte at DEF CON [video]

2015: "Don't Trust Your USB! How to Find Bugs in USB Device Drivers" by Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke at Black Hat [video]

2012: "Comprehensive Kernel Instrumentation via Dynamic Binary Translation" [paper]

2010: "Automatic Bug-finding Techniques for Linux Kernel" by Jiri Slaby [paper]

2009: "Opensource Kernel Auditing and Exploitation" by Silvio Cesare at DEF CON [video]

Defensive

"Linux Kernel Defence Map" by Alexander Popov

2024: "On Kernel's Safety in the Spectre Era (And KASLR is Formally Dead)" by Davide Davoli et al. [paper]

2024: "Challenges and innovations towards safer flexible arrays in the Linux Kernel" by Gustavo A. R. Silva [slides]

2024: "Mitigating Integer Overflow in C" by Kees Cook [slides] [video]

2024: "Gaining bounds-checking on trailing arrays in the Upstream Linux Kernel" by Gustavo A. R. Silva [slides]

2024: "A Hybrid Alias Analysis Framework and Its Application to Protecting the Linux Kernel" by Guoren Li [video]

2024: "Hardening the kernel against heap-spraying attacks" by Jonathan Corbet [article]

2024: "Notes on the 'slab: Introduce dedicated bucket allocator' series" by Julien Voisin [article]

2023: "Exploring Linux's New Random Kmalloc Caches" by sam4k [article]

2023: "Toolchain security features status update" [slides] [video]

2023: "Enable MTE on Pixel 8" by Kees Cook [article]

2023: "Gaining bounds-checking on trailing arrays in the Upstream Linux Kernel" by Gustavo A. R. Silva [slides] [video]

2023: "CONSTIFY: Fast Defenses for New Exploits" by Mathias Krause [article]

2023: "Mitigating Security Risks in Linux with KLAUS: A Method for Evaluating Patch Correctness" [paper] [slides]

2023: "Progress On Bounds Checking in C and the Linux Kernel" by Kees Cook & Gustavo A. R. Silva [slides] [video]

2023: "Mobile Exploitation - The past, present, and the future" by Ki Chan Ahn [slides]

2023: "Bounded Flexible Arrays in C" by Kees Cook [article]

2022: "Survey of security mitigations and architectures, December 2022" by Saar Amar [article]

2022: "Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse" by Mathias Krause [article] [reference exploits]

2022: "Making Linux Kernel Exploit Cooking Harder" [article] [reference exploits] [proposed mitigations]

2022: "Where are we on security features?" [slides] [video]

2022: "Control-Flow Integrity Kernel Support" [slides] [video]

2022: "HotBPF - An On-demand and On-the-fly Memory Protection for the Linux Kernel" [video]

2022: "Mind The Gap - The Linux Ecosystem Kernel Patch Gap" by Jakob Lell & Regina Biro [video]

2022: "The exploit recon 'msg_msg' and its mitigation in VED" [article]

2022: "Return to sender: Detecting kernel exploits with eBPF" by Guillaume Fournier at Black Hat USA [slides] [code]

2022: "Meaningful Bounds Checking in the Linux Kernel" by Kees Cook [slides]

2022: "Compilers: The Old New Security Frontier" by Brad Spengler [slides]

2022: "In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication" [paper] [slides]

2022: "Preventing Kernel Hacks with HAKC" [paper]

2022: "Mitigating Processor Vulnerabilities by Restructuring the Kernel Address Space" by Sebastian Eydam [slides]

2022: "Meaningful Bounds Checking in the Linux Kernel" by Kees Cook at Linux Conf AU [slides] [video]

2022: "Mitigating kernel risks on 32-bit ARM" by Ard Biesheuvel [article]

2022: "Kernel Hardening for 32-bit Arm Processors" by Keith Packard at Linux Conf AU [video]

2021: "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" by Andrey Konovalov [slides] [video]

2021: "Attack surface analysis of the Linux kernel based on complexity metrics" by Stefan Bavendiek [thesis]

2021: "Midas: Systematic Kernel TOCTTOU Protection" at USENIX [paper] [slides]

2021: "Undo Workarounds for Kernel Bugs" at USENIX [paper] [slides] [video]

2021: "SHARD: Fine-Grained Kernel Specialization with Context-Aware Hardening" at USENIX [slides] [video]

2021: "Mitigation of Kernel Memory Corruption Using Multiple Kernel Memory Mechanism" [paper]

2021: "Hardware-Assisted Fine-Grained Control-Flow Integrity: Adding Lasers to Intel's CET/IBT" by Joao Moreira [slides] [video]

2021: "Kernel Self-Protection Project" by Kees Cook [slides] [video]

2021: "Compiler Features for Kernel Security" by Kees Cook [slides] [video]

2021: "A proof-carrying approach to building correct and flexible in-kernel verifiers" [slides] [video]

2021: "How AUTOSLAB Changes the Memory Unsafety Game" by Zhenpeng Lin [article]

2021: "security things in Linux vX.X" by Kees Cook [articles]

2021: "Undo Workarounds for Kernel Bugs" [paper]

2020: "Kernel Integrity Enforcement with HLAT In a Virtual Machine" by Chao Gao [slides] [video]

2020: "Linux kernel heap quarantine versus use-after-free exploits" by Alexander Popov [article]

2020: "State of Linux kernel security" by Dmitry Vyukov [slides] [video]

2020: "LKRG IN A NUTSHELL" by Adam Zabrocki at OSTconf [slides]

2020: "Following the Linux Kernel Defence Map" by Alexander Popov at Linux Plumbers [slides] [video]

2020: "Memory Tagging for the Kernel: Tag-Based KASAN" by Andrey Konovalov [slides] [video]

2020: "10 Years of Linux Security - A Report Card" by Bradley Spengler [slides] [video]

2020: "Control Flow Integrity in the Linux Kernel" by Kees Cook at linux.conf.au [slides] [video]

2020: "Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation Mechanism" [paper]

2019: "Camouflage: Hardware-assisted CFI for the ARM Linux kernel" [paper]

2019: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa at Linux Security Summit EU [video]

2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento [thesis]

2019: "Kernel Self-Protection Project" by Kees Cook [slides]

2019: "Touch but don’t look - Running the Kernel in Execute-only memory" by Rick Edgecombe [slides]

2019: "Breaking and Protecting Linux Kernel Stack" by Elena Reshetova [video]

2019: "Making C Less Dangerous in the Linux Kernel" by Kees Cook [slides]

2019: "Mitigation for the Kernel Space Mirroring Attack (内核镜像攻击的缓解措施)" [article]

2018: "The State of Kernel Self Protection" by Kees Cook [slides]

2018: "Android Kernel Control Flow Integrity Analysis (分析)" [article]

2018: "Overview and Recent Developments: Kernel Self-Protection Project" by Kees Cook [slides]

2018: "The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone" by Seunghun Han at beVX [video]

2018: "Linux Kernel Runtime Guard (LKRG) under the hood" by Adam Zabrocki at CONFidence [slides, video]

2018: "GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM" [paper]

2018: "kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse" at BlackHat [video]

2018: "KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels" [paper]

2018: "The State of Kernel Self Protection" by Kees Cook at Linux Conf AU [slides]

2017: "kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse" [paper]

2017: "How STACKLEAK improves Linux kernel security" by Alexander Popov at Linux Piter [slides]

2017: "Shadow-Box: The Practical and Omnipotent Sandbox" by Seunghun Han at HitB [slides]

2017: "Towards Linux Kernel Memory Safety" [paper]

2017: "Proposal of a Method to Prevent Privilege Escalation Attacks for Linux Kernel" [slides]

2017: "Linux Kernel Self Protection Project" by Kees Cook [slides]

2017: "PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables" [paper] [slides] [video]

2017: "KASLR is Dead: Long Live KASLR" [paper]

2017: "Honey, I shrunk the attack surface – Adventures in Android security hardening" by Nick Kralevich [video]

2017: "Fine Grained Control-Flow Integrity for The Linux Kernel" by Sandro Rigo, Michalis Polychronakis, Vasileios Kemerlis [slides]

2016: "Thwarting unknown bugs: hardening features in the mainline Linux kernel" by Mark Rutland [slides]

2016: "Emerging Defense in Android Kernel" by James Fang [article]

2016: "Randomizing the Linux kernel heap freelists" by Thomas Garnier [article]

2015: "RAP: RIP ROP" [slides]

2015: "Protecting Commodity Operating Systems through Strong Kernel Isolation" by Vasileios Kemerlis [paper]

2014: "Kernel Self-Protection through Quantified Attack Surface Reduction" by Anil Kurmus [paper]

2014: "A Tale of Two Kernels: Towards Ending Kernel Hardening Wars with Split Kernel" by Anil Kurmus and Robby Zippel [paper]

2013: "KASLR: An Exercise in Cargo Cult Security" by Brad Spengler [article]

2012: "How do I mitigate against NULL pointer dereference vulnerabilities?" by RedHat [article]

2011: "Linux kernel vulnerabilities: State-of-the-art defenses and open problems" [paper]

2009: "Linux Kernel Heap Tampering Detection" by Larry Highsmith [article]

Exploits

Project Zero bug reports

https://github.com/bsauce/kernel-exploit-factory

https://www.exploit-db.com/search/?action=search&description=linux+kernel

https://github.com/offensive-security/exploit-database/tree/master/platforms/linux/local

http://vulnfactory.org/exploits/ [2010-2011]

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

https://github.com/ScottyBauer/Android_Kernel_CVE_POCs

https://github.com/f47h3r/hackingteam_exploits

https://github.com/xairy/kernel-exploits

https://github.com/milabs/kernel-exploits/blob/master/CVE-2017-1000112/poc.c (CVE-2017-1000112 exploit with LKRG bypass)

https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack

https://github.com/SecWiki/linux-kernel-exploits

https://grsecurity.net/~spender/exploits/

https://github.com/jiayy/android_vuln_poc-exp

https://github.com/marsyy/littl_tools/tree/master/bluetooth

https://github.com/nongiach/CVE/tree/master/CVE-2017-5123

http://seclists.org/fulldisclosure/2010/Sep/268

https://github.com/hardenedlinux/offensive_poc

https://github.com/brl/grlh

https://github.com/externalist/exploit_playground

https://github.com/ww9210/Linux_kernel_exploits [FUZE]

https://github.com/ww9210/kepler-cfhp [KEPLER]

https://github.com/yzimhao/godpock

https://github.com/packetforger/localroot

http://www.cs.columbia.edu/~vpk/research/ret2dir/

https://github.com/w0lfzhang/kernel_exploit

https://github.com/jinb-park/linux-exploit

https://github.com/bcoles/kernel-exploits

https://github.com/jollheef/lpe

https://github.com/tangsilian/android-vuln

https://github.com/grant-h/qu1ckr00t

https://github.com/kangtastic/cve-2019-2215

https://github.com/QuestEscape/exploit

https://github.com/duasynt/xfrm_poc

https://github.com/snorez/exploits/

https://github.com/saelo/cve-2014-0038

https://github.com/bluefrostsecurity/CVE-2020-0041/

https://github.com/chompie1337/s8_2019_2215_poc/

https://github.com/c3r34lk1ll3r/CVE-2017-5123

https://haxx.in/blasty-vs-ebpf.c

https://github.com/scannells/exploits/tree/master/CVE-2020-27194

https://github.com/lntrx/CVE-2021-28663

https://haxx.in/files/dirtypipez.c

https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit

https://github.com/polygraphene/DirtyPipe-Android

https://github.com/Bonfee/CVE-2022-25636

https://github.com/Bonfee/CVE-2022-0995

https://github.com/tr3ee/CVE-2022-23222

https://github.com/tr3ee/CVE-2021-4204

Linux Kernel SCTP FORWARD-TSN Chunk Memory Corruption Remote Exploit [CVE-2009-0065]

https://github.com/xkaneiki/CVE-2023-0386

https://www.openwall.com/lists/oss-security/2023/05/08/3 [CVE-2023-2598]

https://www.openwall.com/lists/oss-security/2023/05/15/5 [CVE-2023-32233]

https://github.com/Liuk3r/CVE-2023-32233

https://github.com/lanleft/CVE2023-1829

https://github.com/TurtleARM/CVE-2023-3338-DECPwn

https://github.com/kungfulon/nf-tables-lpe

https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582

https://github.com/YuriiCrimson/ExploitGSM/ [notes] [discussion]

https://github.com/roddux/germy

https://github.com/renorobert/tagbleedvmm

Tools

Fuzzers

https://github.com/google/syzkaller

https://github.com/kernelslacker/trinity

http://web.eece.maine.edu/~vweaver/projects/perf_events/fuzzer/

https://github.com/nccgroup/TriforceLinuxSyscallFuzzer

https://github.com/oracle/kernel-fuzzing

https://github.com/rgbkrk/iknowthis

https://github.com/schumilo/vUSBf

https://github.com/ucsb-seclab/difuze

https://github.com/compsec-snu/razzer [race-condition]

https://github.com/fgsect/unicorefuzz

https://github.com/SunHao-0/healer

https://github.com/atrosinenko/kbdysch

https://github.com/intel/kernel-fuzzer-for-xen-project

https://github.com/IntelLabs/kAFL/

https://github.com/snorez/ebpf-fuzzer

https://github.com/SmoothHacker/LateRegistration

https://github.com/sslab-gatech/janus

https://github.com/google/buzzer

https://github.com/h0mbre/Lucid

Assorted

https://github.com/jonoberheide/ksymhunter

https://github.com/jonoberheide/kstructhunter

https://github.com/ngalongc/AutoLocalPrivilegeEscalation

https://github.com/PenturaLabs/Linux_Exploit_Suggester

https://github.com/jondonas/linux-exploit-suggester-2

https://github.com/mzet-/linux-exploit-suggester

https://github.com/spencerdodd/kernelpop

https://github.com/vnik5287/kaslr_tsx_bypass

http://www.openwall.com/lkrg/

https://github.com/IAIK/meltdown

https://github.com/nforest/droidimg

https://github.com/a13xp0p0v/kconfig-hardened-check

https://github.com/PaoloMonti42/salt

https://github.com/jollheef/out-of-tree

https://github.com/elfmaster/kdress

https://github.com/mephi42/ida-kallsyms/

Kernel Address Space Layout Derandomization (KASLD)

https://github.com/duasynt/gdb_scripts/

https://github.com/evdenis/cvehound

https://github.com/redplait/lkcd

https://github.com/Kyle-Kyle/pwning-toolset/blob/main/linux-kernel/fgkaslr_gadgets.py

https://github.com/vusec/kasper

https://github.com/martinradev/gdb-pt-dump

https://github.com/chompie1337/kernel_obj_finder

https://github.com/marin-m/vmlinux-to-elf

https://github.com/nccgroup/libslub

https://github.com/a13xp0p0v/kernel-hardening-checker

https://github.com/heki-linux

https://github.com/oswalpalash/linux-kernel-regression-tests

https://github.com/google/security-research/blob/master/analysis/kernel/heap-exploitation/README.md [CodeQL] [dashboard]

https://github.com/milabs/kiddy

https://github.com/androidoffsec/art-kernel-toolkit

https://github.com/notselwyn/get-sig

https://github.com/gsingh93/linux-exploit-dev-env

Practice

Workshops

2021: "Linux kernel exploit development" [workshop]

2020: "pwn.college: Module: Kernel Security" [workshop]

2020: "Android Kernel Exploitation" by Ashfaq Ansari [workshop] [video]

CTF Tasks

github.com/smallkirby/kernelpwn

github.com/MaherAzzouzi/LinuxKernelExploitation

github.com/AravGarg/kernel-hacking/ctf-challs

HackTheBox (knote): writeup

RWCTF 2024 (RIPTC): source, writeup, writeup 2

Imaginary CTF 2023 (Windows of Opportunity): writeup 1, writeup 2

corCTF 2023 (sysruption): writeup

corCTF 2023 (zeroday, kcipher): writeup

hxp CTF 2022 (one_byte): writeup

BFS Ekoparty 2022 (blunder): writeup

D^3CTF 2022 (d3bpf): writeup, writeup 2

zer0pts CTF 2022 (kRCE): writeup

HITCON CTF 2022 (fourchain-kernel): writeup and exploit

VULNCON CTF 2021 (IPS): writeup, writeup 2

N1 CTF 2021 (baby-guess): source, writeup

Balsn CTF 2021 (futex): source, writeup

TSG CTF 2021 (lkgit): writeup, writeup 2, writeup 3

Midnightsun Quals 2021 (BroHammer): writeup

0ctf2021 (kernote): source, exploit, and writeup, writeup 2

corCTF 2021 (fire-of-salvation): source, writeup

corCTF 2021 (wall-of-perdition): source, writeup

Google CTF 2021 (pwn-fullchain): source, writeup

Google CTF 2021 (pwn-ebpf): source, writeup

3kCTF 2021 (echo): source and exploit

3kCTF 2021 (klibrary): source, writeup

DEF CON CTF Qualifier 2021 (pza999): source and exploit

DiceCTF 2021 (HashBrown): writeup

hxp CTF 2020 (pfoten): source, writeup

hxp CTF 2020 (kernel-rop): writeup

CUCTF 2020 (Hotrod): writeup

SpamAndFlags 2020 (Secstore): writeup

BSidesTLV CTF 2020 (Kapara): writeup and exploit, video writeup

HITCON CTF 2020 (spark): source and exploit #1, writeup and exploit #2, exploit #3

HITCON CTF 2020 (atoms): source and exploit

N1 CTF 2020 (W2L): writeup

Seccon Online 2020 (Kstack): source, exploit, and writeup

TokyoWesterns CTF 2020 (EEBPF): source, writeup

r2con CTF 2020: source, exploit

ASIS CTF 2020 (Shared House): writeup

DEF CON CTF Qualifier 2020 (fungez): source, exploit and writeup

DEF CON CTF Qualifier 2020 (keml): source, exploit

zer0pts CTF 2020 (meow): writeup

De1CTF 2019 (Race): writeup and exploit

r2con CTF 2019: source, exploit, and writeup

HITCON CTF Quals 2019 (PoE): source and exploit

Balsn CTF 2019 (KrazyNote): exploit, writeup

TokyoWesterns CTF 2019 (gnote): writeup, video part 1, part 2

Security Fest 2019 (brainfuck64): writeup

Insomni'hack teaser 2019 (1118daysober): writeup 1, writeup 2

hxp CTF 2018 (Green Computing): writeup

WCTF 2018 (cpf): source, writeup, and exploit

SECT CTF 2018 (Gh0st): writeup

TWCTF 2018 (ReadableKernelModule): writeup

NCSTISC 2018 (babydriver): writeup, source and exploit

Sharif CTF 2018 (kdb): writeup, source and exploit

N1CTF 2018: writeup

Blaze2018 (blazeme): source and exploit 1, soure and exploit 2

QWB2018 (solid_core): writeup, exploit 1, exploit 2, exploit 3

0ctf2018: writeup 1, writeup 2

TCTF 2017 (cred_jar): writeup

0ctf2017: source and exploit 1, source and exploit 2

0ctf2016: writeup, exploit

Insomni’hack finals 2015: writeup, source and exploit

CSAW CTF 2015: writeup 1, writeup 2, source and exploit

CSAW CTF 2014: source and exploit

CSAW CTF 2013: writeup, source and exploit

PlaidCTF 2013 (Servr): writeup, source

CSAW CTF 2011: writeup, source

rwth2011 CTF (ps3game): writeup

CSAW CTF 2010: writeup, source, source and exploit

Other tasks

"Pawnyable: Linux Kernel Exploitation" by ptr-yudai [articles] [Holstein v3 writeup]

pwnable.kr tasks (syscall, rootkit, softmmu, towelroot, kcrc, exynos)

https://github.com/ReverseLab/kernel-pwn-challenge

https://github.com/R3x/How2Kernel

OffensiveCon 2023: bfsmatrix [task] [exploit]

Ekoparty 2022: blunder [task] [writeup 1] [writeup 2]

Playgrounds

https://github.com/Fuzion24/AndroidKernelExploitationPlayground

https://github.com/djrbliss/libplayground

https://github.com/a13xp0p0v/kernel-hack-drill

https://github.com/pr0cf5/kernel-exploit-practice

https://github.com/hardik05/Damn_Vulnerable_Kernel_Module

Kernel Read Write eXecute (KRWX) [slides] [playground]

Infrastructure

https://github.com/mncoppola/Linux-Kernel-CTF

https://github.com/crowell/old_blog/blob/source/source/_posts/2014-11-24-hosting-a-local-kernel-ctf-challenge.markdown

Other lists

grsecurity/PaX Citations in Academic Research

https://github.com/0xricksanchez/paper_collection

https://github.com/NetKingJ/awesome-android-security

https://github.com/0xor0ne/awesome-list/

Misc

2024: "silent syscall hooking on arm64 linux via patching svc handler" [article]

2024: "CVE-2021-4440: A Linux CNA Case Study" by Brad Spengler [article]

2024: "Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config" by Vegard Nossum [article]

2024: "Demo showing Claude Opus does not find CVE-2023-0266" by Sean Heelan [article]

2024: "Linux is a CNA" by Greg Kroah-Hartman [article]

2024: "An Investigation of Patch Porting Practices of the Linux Kernel Ecosystem" [paper]

2023: "Syzbot: 7 years of continuous kernel fuzzing" by Aleksandr Nogikh [slides] [video]

2023: "Operating system security: how to get into the subject" by Alexander Popov [video]

2023: "Demystifying the Linux kernel security process" by Greg Kroah-Hartman [slides] [video]

2023: "Rustproofing Linux" by Domen Puncer Kugler [article] [part 2] [part 3] [part 4]

2023: "What is a 'good' Linux Kernel bug?" by Ben Hawkes [article]

2023: "Analysing Linux Kernel Commits" [article]

2022: "Mind the Gap" by Ian Beer [article]

2022: "Designing subsystems for FUZZ-ability" by Dmitry Vyukov [slides] [video]

2022: "Making syzbot reports more developer-friendly" by Aleksandr Nogikh [slides] [video]

2022: "Peeking into the BPF verifier" by Shung-Hsi Yu [slides]

2022: "So You Wanna Pwn The Kernel?" by Samuel Page [article]

2022: "Automated RE of Kernel Configurations" by zznop [article]

2021: "An Investigation of the Android Kernel Patch Ecosystem" at USENIX [paper] [slides] [video]

2021: "The Complicated History of a Simple Linux Kernel API" [article]

2021: "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commit" [paper]

2020: "Checklist for when you get stuck with a Kernel Exploit" [article]

2020: "Android / Linux SLUB aliasing for general- and special-purpose caches" by Vitaly Nikolenko [video]

grsecurity CVE-Dataset [spreadsheet]

Syzkaller Coverage Dashboard

kernel vulns missing stable backports [source]

https://github.com/nccgroup/exploit_mitigations

https://github.com/bsauce/kernel-security-learning

https://github.com/hackedteam

https://forums.grsecurity.net/viewforum.php?f=7

https://github.com/jameshilliard/linux-grsec/

https://www.youtube.com/c/dayzerosec/videos

https://github.com/milabs/lkrg-bypass

https://github.com/V4bel/kernel-exploit-technique

https://github.com/mudongliang/reproduce_kernel_bugs

https://github.com/bata24/gef

https://github.com/PaoloMonti42/salt

https://github.com/davidmalcolm/antipatterns.ko

https://kernel.dance/

https://github.com/0xricksanchez/like-dbg

https://github.com/ameetsaahu/Kernel-exploitation

https://github.com/cmu-pasta/linux-kernel-enriched-corpus

https://github.com/niveb/NoCrypt

https://github.com/heki-linux

https://twitter.com/sirdarckcat/status/1681924752800366592

https://github.com/hardenedvault/ved-ebpf

https://github.com/thebabush/linux-russian-roulette

About

A collection of links related to Linux kernel security and exploitation

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published