Out-of-Cancel: A Vulnerability Class Rooted in Workqueue Cancellation APIs
This article uses the espintcp vulnerability (CVE-2026-23239) as a case study to look at the structure in which the Out-of-Cancel bug class shows up, and to walk through how combining complex kernel interleavings makes the bug actually exploitable.
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets
A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool bug-hunting heuristic.
CVE-2025-38352 (Part 3) - Uncovering Chronomaly
Walking through the exploit development process of the Chronomaly exploit for CVE-2025-38352.
CVE-2025-38352 (Part 2) - Extending The Race Window Without a Kernel Patch
Improving the PoC from part 1 by extending the race window from userland.
CVE-2025-38352 (Part 1) - In-the-wild Android Kernel Vulnerability Analysis + PoC
Analyzing and writing a PoC for CVE-2025-38352.
100+ Kernel Bugs in 30 Days
We used AI agents to reverse engineer Windows kernel drivers to find zero-days. It worked better than expected. Which is bad.
Linternals: Exploring The mm Subsystem via mmap [0x02]
In this part we'll use our case study to explore how the Linux kernel maps private anonymous memory.
Linternals: Exploring The mm Subsystem via mmap [0x01]
In this series we'll explore the Linux kernel's memory management subsystem, using a simple userspace program as our starting point.
Linternals: The Slab Allocator
This time we're going to build on that and introduce another memory allocator found within the Linux kernel, the slab allocator, and its various flavours. So buckle up as we dive into the exciting world of SLABs, SLUBs and SLOBs.
Linternals: Introducing Memory Allocators & The Page Allocator
I know you've all been waiting for it, that's right, we're going to be taking a dive into another exciting aspect of Linux internals: memory allocators!
Linternals: The Kernel Virtual Address Space
In this part of our journey into virtual memory in Linux, we cover the mystical kernel memory map and all it entails.
Linternals: The User Virtual Address Space
We continue our journey to understand virtual memory in Linux, as we take a closer look at the user virtual address space.
CVE-2022-0435: A Remote Stack Overflow in The Linux Kernel
Recently I discovered a vulnerability in the Linux kernel that's been lurking there since 4.8 (July 2016)! CVE-2022-0435 is a remotely and locally exploitable stack overflow in the TIPC networking module of the Linux kernel.
Linternals: Introducing Virtual Memory
Alright, let's get stuck into some Linternals! As the title suggests, this post will be exploring the ins and outs of virtual memory with regards to modern Linux systems.
Setting Up A Virtualised (Linux) Empire on Apple Silicon
Follow me on my journey moving my virtualisation workflow as a Linux security researcher from Linux x86_64 to MacOS aarch64.
Linternals: The (Modern) Boot Process [0x02]
Welcome to the second part of my totally-wasn't-meant-to-be-a-one-part Linux internals post on the modern boot process!
Linternals: The (Modern) Boot Process [0x01]
What more appropriate way to kick off a series on Linux internals than figuring out how we actually get those internals running in the first place? This post is going to cover the process that takes us from pressing a power button, to a fully usable Linux operating system.
Kernel Exploitation Techniques: Turning The (Page) Tables
This post explores attacking page tables as a Linux kernel exploitation technique for gaining powerful read/write primitives.
ZDI-24-821: A Remote UAF in The Kernel's net/tipc
In this post I discuss a vulnerability which allows a local or remote attacker to trigger a use-after-free in the TIPC networking stack on affected installations of the Linux kernel.
Exploring Linux's New Random Kmalloc Caches
Let's explore the modern kernel heap exploitation meta and how the new RANDOM_KMALLOC_CACHES tries to address it.