Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time
May 3, 2021 19:51

Linux Kernel Exploitation

A collection of links related to Linux kernel security and exploitation.

Updated bimonthly. Pull requests are welcome as well.

Follow @andreyknvl on Twitter to be notified of updates.

Subscribe to @linkersec on Telegram, Twitter, or Reddit for highlights.





2014: "Android Hacker's Handbook" by Joshua J. Drake [book]

2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani [book] [materials]



2022: "FUSE for Linux Exploitation 101" [article]

2022: "Kernel Exploit Recipes" [brochure]

2022: "pipe_buffer arbitrary read write" by Jayden R [article]

2022: "Joy of exploiting the Kernel" [slides]

2022: "An exploit primitive in the Linux kernel inspired by DirtyPipe" [article]

2022: "Pawnyable: Linux Kernel Exploitation" by ptr-yudai [articles]

2022: "DirtyCred: Escalating Privilege in Linux Kernel" [paper] [slides] [artifacts]

2022: "DirtyCred: Cautious! A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe" [slides] [artifacts]

2022: "CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel" [article]

2022: "Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage" [article]

2022: "USMA: Share Kernel Code With Me" by Yong Liu, Jun Yao, and Xiaodong Wang [slides] [paper] [article]

2022: "Linux kernel heap feng shui in 2022" by Michael S and Vitaly Nikolenko [article]

2022: "LiKE: A Series on Linux Kernel Exploitation" by sam4k [article] [modprobe_path]

2022: "Racing against the clock -- hitting a tiny kernel race window" by Jann Horn [article]

2022: "Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability" [paper] [artifacts]

2022: "Learning Linux kernel exploitation" by 0x434b [article] [part 2]

2021: "ExpRace: Exploiting Kernel Races through Raising Interrupts" at USENIX [paper] [slides] [video]

2021: "Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel" [article] [part2]

2021: "Linux Kernel Exploitation Technique: Overwriting modprobe_path" [article]

2021: "Learning Linux Kernel Exploitation" [article] [part 2] [part 3]

2020: "Exploiting Kernel Races Through Taming Thread Interleaving" [slides] [video]

2020: "Locating the kernel PGD on Android/aarch64" by Vitaly Nikolenko [article]

2020: "A Systematic Study of Elastic Objects in Kernel Exploitation" [paper] [video]

2020: "Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers" [slides] [paper] [video]

2020: "BlindSide: Speculative Probing: Hacking Blind in the Spectre Era" [paper]

2020: "Linux Kernel Stack Smashing" by Silvio Cesare [article]

2020: "Structures that can be used in kernel exploits" [article]

2019: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen at Black Hat Europe [slides] [code]

2019: "SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel" by Yueqi (Lewis) Chen and Xinyu Xing [slides] [paper]

2019: "Exploiting Race Conditions Using the Scheduler" by Jann Horn at Linux Security Summit EU [slides] [video]

2019: "Kepler: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities" [slides] [video] [paper]

2019: "Leak kernel pointer by exploiting uninitialized uses in Linux kernel" by Jinbum Park [slides]

2019: "Kernel IDT priviledge escalation" [article]

2018: "FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities" [slides] [paper]

2018: "Linux Kernel universal heap spray" by Vitaly Nikolenko [article]

2018: "Linux-Kernel-Exploit Stack Smashing" [article]

2018: "Entering God Mode  -  The Kernel Space Mirroring Attack" [article]

2018: "Mirror Mirror: Rooting Android 8 with a Kernel Space Mirroring Attack" by Wang Yong at HitB [slides]

2018: "KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features" by Wang Yong at BlackHat [slides]

2018: "Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation" [paper]

2018: "linux kernel pwn notes" [article]

2018: "Use of timer_list structure in linux kernel exploit" [article]

2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune [slides] [video] [paper]

2017: "Kernel Driver mmap Handler Exploitation" by Mateusz Fruba [paper]

2017: "Linux kernel addr_limit bug / exploitation" by Vitaly Nikolenko [video]

2017: "The Stack Clash" by Qualys Research Team [article]

2017: "New Reliable Android Kernel Root Exploitation Techniques" [slides]

2017: "Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying" [paper]

2017: "Breaking KASLR with perf" by Lizzie Dixon [article]

2017: "Linux kernel exploit cheetsheet" [article]

2016: "Getting Physical Extreme abuse of Intel based Paging Systems" by Nicolas Economou and Enrique Nissim [slides]

2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko [article] [exercise]

2016: "Linux Kernel ROP - Ropping your way to # (Part 2)" by Vitaly Nikolenko [article]

2016: "Exploiting COF Vulnerabilities in the Linux kernel" by Vitaly Nikolenko at Ruxcon [slides]

2016: "Using userfaultfd" by Lizzie Dixon [article]

2016: "Direct Memory Attack the Kernel" by Ulf Frisk at DEF CON [video]

2016: "Randomization Can't Stop BPF JIT Spray" by Elena Reshetova at Black Hat [slides] [video] [paper]

2015: "Kernel Data Attack is a Realistic Security Threat" [paper]

2015: "From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel" [paper]

2015: "Modern Binary Exploitation: Linux Kernel Exploitation" by Patrick Biernat [slides] [exercise]

2013: "Hacking like in the Movies: Visualizing Page Tables for Local Exploitation" at Black Hat

2013: "Exploiting linux kernel heap corruptions" by Mohamed Channam [article]

2012: "Writing kernel exploits" by Keegan McAllister [slides]

2012: "Understanding Linux Kernel Vulnerabilities" by Richard Carback [slides]

2012: "A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator" by Dan Rosenberg [paper]

2012: "Attacking hardened Linux systems with kernel JIT spraying" by Keegan McAllister [article] [code 1] [code 2]

2012: "The Linux kernel memory allocators from an exploitation perspective" by Patroklos Argyroudis [article]

2012: "The Stack is Back" by Jon Oberheide [slides]

2012: "Stackjacking" by Jon Oberheide and Dan Rosenberg [slides]

2011: "Stackjacking Your Way to grsec/PaX Bypass" by Jon Oberheide [article]

2010: "Much ado about NULL: Exploiting a kernel NULL dereference" [article]

2010: "Exploiting Stack Overflows in the Linux Kernel" by Jon Oberheide [article]

2010: "Linux Kernel Exploitation: Earning Its Pwnie a Vuln at a Time" by Jon Oberheide at SOURCE Boston [slides]

2009: "There's a party at ring0, and you're invited" by Tavis Ormandy and Julien Tinnes at CanSecWest [slides]

2007: "Kernel-mode exploits primer" by Sylvester Keil and Clemens Kolbitsch [paper]

2007: "Attacking the Core : Kernel Exploiting Notes" [article]

2007: "The story of exploiting kmalloc() overflows" [article]

2007: "Linux 2.6 Kernel Exploits" by Stephane Duverger [slides]

2005: "Large memory management vulnerabilities" by Gael Delalleau at CancSecWest [slides]

2005: "The story of exploiting kmalloc() overflows" [article]

Protection Bypasses

2022: "A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data" [slides]

2022: "Tetragone: A Lesson in Security Fundamentals" by Pawel Wieczorkiewicz and Brad Spengler [article]

2021: "A General Approach to Bypassing Many Kernel Protections and its Mitigation" by Yueqi Chen [slides] [video]

2021: "Attacking Samsung RKP" by Alexandre Adamski [article]

2020: "Things not to do when using an IOMMU" by Ilja van Sprundel and Joseph Tartaro [video]

2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko [article]

2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs" [paper]

2020: "Weaknesses in Linux Kernel Heap Hardening" by Silvio Cesare [article]

2020: "An Analysis of Linux Kernel Heap Hardening" by Silvio Cesare [article]

2020: "PAN: Another day, another broken mitigation" by Siguza [article]

2019: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You at PoC [slides]

2017: "Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection" by Gal Beniamini [article]

2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric" [article]

2016: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko at KIWICON [slides]

2016: "Micro architecture attacks on KASLR" by Anders Fogh" [article]

2016: "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR" by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh [slides]

2016: "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR" by Daniel Gruss, Clementine Maurice, Anders Fogh, Moritz Lipp and Stefan Mangard at CCS [video]

2016: "Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process" at Black Hat [video]

2016: "Breaking KASLR with Intel TSX" Yeongjin Jang, Sangho Lee and Taesoo Kim at Black Hat [slides] [video]

2016: "Breaking KASLR with micro architecture" by Anders Fogh [article]

2015: "Effectively bypassing kptr_restrict on Android" by Gal Beniamini [article]

2014: "ret2dir: Deconstructing Kernel Isolation" by Vasileios P. Kemerlis, Michalis Polychronakis and Angelos D. Keromytis at Black Hat Europe [paper] [video]

2013: "A Linux Memory Trick" by Dan Rosenberg [article]

2011: "SMEP: What is It, and How to Beat It on Linux" by Dan Rosenberg [article]

2009: "Bypassing Linux' NULL pointer dereference exploit prevention (mmap_min_addr)" [article]


Project Zero bug reports

Linux Kernel CVEs

Assorted advisories by Gyorgy Miru and kutyacica


2022: "EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)" [article] [CVE-2022-4543]

2022: "Yet another bug into Netfilter" by Arthur Mongodin [article] [CVE-2022-1972]

2022: "The AMD Branch (Mis)predictor: Just Set it and Forget it!" by Pawel Wieczorkiewicz [article] [Spectre]

2022: "The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341)" by Pawel Wieczorkiewicz [article] [Spectre]

2021: "Samsung S10+/S9 kernel 4.14 (Android 10) Kernel Function Address (.text) and Heap Address Information Leak" [article] [CVE-TBD]

2021: "Linux Kernel /proc/pid/syscall information disclosure vulnerability" [article] [CVE-2020-28588]

2021: "Spectre exploits in the "wild"" [article]

2021: "VDSO As A Potential KASLR Oracle" by Philip Pettersson and Alex Radocea [article]

2020: "PLATYPUS: Software-based Power Side-Channel Attacks on x86" [paper]

2019: "CVE-2018-3639 / CVE-2019-7308 - Analysis of Spectre Attacking Linux Kernel ebpf" [article] [CVE-2018-3639, CVE-2019-7308]

2019: "From IP ID to Device ID and KASLR Bypass (Extended Version)" [paper]

2018: "Kernel Memory disclosure & CANVAS Part 1 - Spectre: tips & tricks" [article] [Spectre]

2018: "Kernel Memory disclosure & CANVAS Part 2 - CVE-2017-18344 analysis & exploitation notes" [article] [CVE-2017-18344]

2018: "CVE-2017-18344: Exploiting an arbitrary-read vulnerability in the Linux kernel timer subsystem" by Andrey Konovalov [article] [CVE-2017-18344]

2017: "Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer" by Alexander Potapenko [announcement] [CVE-2017-1000380]

2017: "The Infoleak that (Mostly) Wasn't" by Brad Spengler [article] [CVE-2017-7616]

2016: "Exploiting a Linux Kernel Infoleak to bypass Linux kASLR" [article]

2010: "Linux Kernel pktcdvd Memory Disclosure" by Jon Oberheide [article] [CVE-2010-3437]

2009: "Linux Kernel x86-64 Register Leak" by Jon Oberheide [article] [CVE-2009-2910]

2009: "Linux Kernel getname() Stack Memory Disclosures" by Jon Oberheide [article] [CVE-2009-3001]


2023: "Pwning the all Google phone with a non-Google bug" [article]

2022: "Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg" by Sergi Martinez [article] [CVE-2022-32250]

2022: "Exploiting CVE-2022-42703 - Bringing back the stack attack" by Seth Jenkins [article] [CVE-2022-42703]

2022: "CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF" [article] [CVE-2022-2602]

2022: "DirtyCred Remastered: how to turn an UAF into Privilege Escalation" [article] [CVE-2022-2602]

2022: "Exploiting cross table object reference in Linux Netfilter table (NFT) module" [slides] [CVE-2022-2078] [CVE-2022-2586]

2022: "Linux Kernel n-day exploit development" [article] [CVE-2020-27786]

2022: "Linux Kernel Exploit Development: 1day case study" by Alessandro Groppo [article] [CVE-2020-27786]

2022: "[CVE-2022-1786] A Journey To The Dawn" [article] [CVE-2022-1786]

2022: "A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain" by Maddie Stone [article] [CVE-2021-25369] [CVE-2021-25370]

2022: "Attacking the Android kernel using the Qualcomm TrustZone" by Tamir Zahavi-Brunner [article] [video] [CVE-2021-1961]

2022: "SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)" [article] [slides] [video] [CVE-2022-32250]

2022: "Linux Kernel Exploit (CVE-2022-32250) with mqueue" [article] [CVE-2022-32250]

2022: "N-day exploit for CVE-2022-2586: Linux kernel nft_object UAF" by Alejandro Guerrero [article] [CVE-2022-2586]

2022: "Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021" [slides] [CVE-2021-0920]

2022: "CVE-2022-29582: An io_uring vulnerability" by Awarau and David Bouman [article] [CVE-2022-29582]

2022: "Linux kernel io_uring module pbuf_ring vulnerability and privilege escalation 0day" [article]

2022: "Corrupting memory without memory corruption" by Man Yue Mo [article] [CVE-2022-20186]

2022: "[CVE-2022-34918] A crack in the Linux firewall" by Arthur Mongodin [article] [CVE-2022-34918] [exploit]

2022: "CVE-2022-34918: netfilter analysis notes" [article] [CVE-2022-34918]

2022: "Practice of USMA-based Kernel Universal EXP Writing Ideas on CVE-2022-34918" [article] [CVE-2022-34918]

2022: "The Android kernel mitigations obstacle race" by Man Yue Mo [article] [CVE-2022-22057]

2022: "io_uring - new code, new bugs, and a new exploit technique" by Lam Jun Rong [article] [CVE-2021-41073]

2022: "Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)" by lolcads [article] [CVE-2022-0847]

2022: "DirtyPipe-Android/" by polygraphene [article] [CVE-2022-0847]

2022: "Weaponizing dirtypipe on android" by Giovanni Rocca [slides] [exploit] [CVE-2022-0847]

2022: "How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables" by David Bouman [CVE-2022-1015] [CVE-2022-1016]

2022: "The Discovery and Exploitation of CVE-2022-25636" by Nick Gregory [article] [CVE-2022-25636]

2022: "CVE-2022-27666: Exploit esp6 modules in Linux kernel" by ETenal [article] [CVE-2022-27666]

2022: "Put an io_uring on it: Exploiting the Linux Kernel" by Valentina Palmiotti [article] [CVE-2021-41073]

2022: "The Dirty Pipe Vulnerability" by Max Kellermann [article] [CVE-2022-0847]

2022: "CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers" [article] [CVE-2022-0185]

2022: "CVE-2022-0185: Linux kernel slab out-of-bounds write: exploit and writeup" by Alejandro Guerrero [article] [CVE-2022-0185]

2022: "CVE-2022-0185: A Case Study" [article] [CVE-2022-0185]

2022: "CVE-2022-0185: Analysis and utilization and thinking and practice of new primitives for pipe" [article] [CVE-2022-0185]

2022: "Linux kernel Use-After-Free (CVE-2021-23134) PoC" [article] [CVE-2021-23134]

2022: "Exploiting CVE-2021-26708 (Linux kernel) with ssh" [article] [CVE-2021-26708]

2022: "exploiting CVE-2019-2215" by cutesmilee [article] [CVE-2019-2215]

2021: "Your Trash Kernel Bug, My Precious 0-day" by Zhenpeng Lin [slides] [CVE-2021-3715]

2021: "[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver" [article] [CVE-2021-42008]

2021: "PWN2OWN Local Escalation of Privilege Category, Ubuntu Desktop Exploit" [article] [CVE-TBD]

2021: "Reversing and Exploiting Samsung's NPU" by Maxime Peterlin [article] [part 2] slides

2021: "Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver" by Man Yue Mo [article] [CVE-2021-1940, CVE-2021-1968, CVE-2021-1969]

2021: "Exploiting CVE-2021-43267" by Blasty [article] [CVE-2021-43267]

2021: "How a simple Linux kernel memory corruption bug can lead to complete system compromise" by Jann Horn [article] [CVE-TBD]

2021: "SuDump: Exploiting suid binaries through the kernel" by Itai Greenhut [article] [CVE-TBD]

2021: "CVE-2021-34866 Writeup" by HexRabbit [article] [CVE-2021-34866]

2021: "Kernel Pwning with eBPF: a Love Story" by Valentina Palmiotti [article] [CVE-2021-3490]

2021: "The Art of Exploiting UAF by Ret2bpf in Android Kernel" by Xingyu Jin and Richard Neal [article] [slides] [video] [CVE-2021-0399]

2021: "Internal of the Android kernel backdoor vulnerability" [article] [CVE-2021-28663]

2021: "Escape from chrome sandbox to root" [article] [CVE-2020-0423]

2021: "CVE-2017-11176" by Maher Azzouzi [article] [CVE-2017-11176]

2021: "Sequoia: A deep root in Linux's filesystem layer (CVE-2021-33909)" by Qualys Research Team [article] [CVE-2021-33909]

2021: "CVE-2021-22555: Turning \x00\x00 into 10000$" by Andy Nguyen [CVE-2021-22555, article]

2021: "Exploitation of a double free vulnerability in Ubuntu shiftfs driver (CVE-2021-3492)" by Vincent Dehors [article] [CVE-2021-3492]

2021: "CVE-2021-20226 a reference counting bug which leads to local privilege escalation in io_uring" [article] [CVE-2021–20226]

2021: "CVE-2021-32606: CAN ISOTP local privilege escalation" [article] [CVE-2021-32606]

2021: "CVE-2021-3609: CAN BCM local privilege escalation" [article] [announcement] [CVE-2021-3609]

2021: "Blue Klotski (CVE-2021-3573) and the story for fixing" by f0rm2l1n [article] [announcement] [CVE-2021-3573]

2021: "ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier" by Lucas Leong [article]

2021: "ZDI-20-1440 Writeup" by HexRabbit [article]

2021: "SSD Advisory – OverlayFS PE" [article] [CVE-2021-3493]

2021: "[BugTales] A Nerve-Racking Bug Collision in Samsung's NPU Driver" by Gyorgy Miru [article] [CVE-2020-28343, SVE-2020-18610]

2021: "CVE-2021-20226: A Reference-Counting Bug in the Linux Kernel io_uring Subsystem" by Lucas Leong [article] [CVE-2021-20226]

2021: "One day short of a full chain: Part 1 - Android Kernel arbitrary code execution" by Man Yue Mo [article] [GHSL-2020-375]

2021: "New Old Bugs in the Linux Kernel" [article] [CVE-2021-27365, CVE-2021-27363, CVE-2021-27364]

2021: "Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel" [article] [slides] [video] [CVE-2021-26708]

2021: "Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG" by Alexander Popov [article] [slides] [video]

2021: "Gaining root access in Linux using the CVE-2021-26708 vulnerability" by Markel Azpeitia Loiti [paper]

2021: "CVE-2014-3153" by Maher Azzouzi [article] [CVE-2014-3153]

2021: "The curious case of CVE-2020-14381" [article] [CVE-2020-14381]

2021: "Galaxy's Meltdown - Exploiting SVE-2020-18610" [article] [CVE-2020-28343, SVE-2020-18610]

2021: "In-the-Wild Series: Android Exploits" by Mark Brand [article]

2021: "Exploiting CVE-2014-3153 (Towelroot)" by Elon Gliksberg [article] [CVE-2014-3153]

2021: "CVE-2014-3153" by Maher Azzouzi [article] [CVE-2014-3153]

2020: "An iOS hacker tries Android" by Brandon Azad [article] [CVE-2020-28343, SVE-2020-18610]

2020: "Exploiting a Single Instruction Race Condition in Binder" [article] [CVE-2020-0423]

2020: "Three Dark clouds over the Android kernel" by Jun Yao [slides] [CVE-2020-3680]

2020: "Kernel Exploitation With A File System Fuzzer" [slides] [video] [CVE-2019-19377]

2020: "Finding and exploiting a bug (LPE) in an old Android phone" by Brandon Falk [stream] [part 2] [summary]

2020: "CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel" by Or Cohen [article] [CVE-2020-14386]

2020: "Attacking the Qualcomm Adreno GPU" by Ben Hawkes [article] [CVE-2020-11179]

2020: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong at Black Hat [slides] [paper] [CVE-2019-10567]

2020: "Binder - Analysis and exploitation of CVE-2020-0041" by Jean-Baptiste Cayrou [article] [CVE-2020-0041]

2020: "Binder IPC and its vulnerabilities" by Jean-Baptiste Cayrou at THCON [slides] [CVE-2019-2215, CVE-2019-2025, CVE-2019-2181, CVE-2019-2214, CVE-2020-0041]

2020: "Exploiting CVE-2020-0041 - Part 2: Escalating to root" by Eloi Sanfelix and Jordan Gruskovnjak [article] [CVE-2020-0041]

2020: "A bug collision tale" by Eloi Sanfelix at OffensiveCon [slides] [video] [CVE-2019-2025]

2020: "CVE-2020-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification" by Manfred Paul [article] [CVE-2020-8835]

2020: "Mitigations are attack surface, too" by Jann Horn [article]

2020: "CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem" by Alexander Popov [article] [slides] [CVE-2019-18683]

2020: "Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices" by Tamir Zahavi-Brunner [article] [CVE-2019-14040, CVE-2019-14041]

2019: "CVE-2017-16995 Analysis - eBPF Sign Extension LPE" by senyuuri [article] [CVE-2017-16995]

2019: "Kernel Research / mmap handler exploitation" by deshal3v[article] [CVE-2019-18675]

2019: "Bad Binder: Android In-The-Wild Exploit" by Maddie Stone [article] [CVE-2019-2215]

2019: "Analyzing Android's CVE-2019-2215 (/dev/binder UAF)" [article] [CVE-2019-2215]

2019: "Stream Cut: Android Kernel Exploitation with Binder Use-After-Free (CVE-2019-2215)" [video] [CVE-2019-2215]

2019: "CVE-2019-2215 - Android kernel binder vulnerability analysis" [article] [CVE-2019-2215]

2019: "Deep Analysis of Exploitable Linux Kernel Vulnerabilities" by Tong Lin and Luhai Chen at Linux Security Summit EU [video] [CVE-2017-16995, CVE-2017-10661]

2019: "Tailoring CVE-2019-2215 to Achieve Root" by Grant Hernandez [article] [CVE-2019-2215]

2019: "From Zero to Root: Building Universal Android Rooting with a Type Confusion Vulnerability" by Wang Yong [slides] [CVE-2018-9568, WrongZone]

2019: "KARMA takes a look at offense and defense: WrongZone from exploitation to repair" [article] [CVE-2018-9568, WrongZone]

2019: "Android Binder: The Bridge To Root" by Hongli Han and Mingjian Zhou [slides] [CVE-2019-2025]

2019: "The ‘Waterdrop’ in Android: A Binder Kernel Vulnerability" by Hongli Han [article] [CVE-2019-2025]

2019: "An Exercise in Practical Container Escapology" by Nick Freeman [article] [CVE-2017-1000112]

2019: "Taking a page from the kernel's book: A TLB issue in mremap()" by Jann Horn [article] [CVE-2018-18281]

2019: "CVE-2018-18281 - Analysis of TLB Vulnerabilities in Linux Kernel" [article]

2019: "Analysis of Linux xfrm Module Cross-Border Read-Write Escalation Vulnerability (CVE-2017-7184)" [article] [CVE-2017-7184]

2019: "Analysis of Escalation Vulnerability Caused by Integer Extension of Linux ebpf Module (CVE-2017-16995)" [article] [CVE-2017-16995]

2019: "Linux kernel 4.20 BPF integer overflow vulnerability analysis" [article]

2019: "Attacking DRM subsystem to gain kernel privilege on Chromebooks" by Di Shen [slides] [video] [CVE-2019-16508]

2018: "Linux kernel 4.20 BPF integer overflow-heap overflow vulnerability and its exploitation" [article]

2018: "CVE-2017-11176: A step-by-step Linux Kernel exploitation [article] [CVE-2017-11176]

2018: "A cache invalidation bug in Linux memory management" by Jann Horn [article] [CVE-2018-17182]

2018: "Dissecting a 17-year-old kernel bug" by Vitaly Nikolenko at beVX [slides] [CVE-2018-6554, CVE-2018-6555]

2018: "SSD Advisory – IRDA Linux Driver UAF" [article] [CVE-2018-6554, CVE-2018-6555]

2018: "Integer overflow in Linux's create_elf_tables()" [announcement] [CVE-2018-14634]

2018: "MMap Vulnerabilities – Linux Kernel" [article] [CVE-2018-8781]

2018: "Ubuntu kernel eBPF 0day analysis" [article] [CVE-2017-16995]

2018: "eBPF and Analysis of the get-rekt-linux-hardened.c Exploit for CVE-2017-16995" [article] [CVE-2017-16695]

2017: "Challenge Impossible -- Multiple Exploit On Android" by Hanxiang Wen and Xiaodong Wang [slides] [CVE-2017-0437]

2017: "CVE-2017-1000112: Exploiting an out-of-bounds bug in the Linux kernel UFO packets" by Andrey Konovalov [article] [CVE-2017-1000112]

2017: "Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112" by Krishs Patil [article] [CVE-2017-1000112]

2017: "Adapting the POC for CVE-2017-1000112 to Other Kernels" [article] [CVE-2017-1000112]

2017: "The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel" by Di Shen [slides] [CVE-2017-0403, CVE-2016-6787] [video]

2017: "Exploiting CVE-2017-5123 with full protections. SMEP, SMAP, and the Chrome Sandbox!" by Chris Salls [article] [CVE-2017-5123]

2017: "Exploiting CVE-2017-5123" by Federico Bento [article] [CVE-2017-5123]

2017: "Escaping Docker container using waitid() – CVE-2017-5123" by Daniel Shapira [article] [CVE-2017-5123]

2017: "LKE v4.13.x - waitid() LPE" by HyeongChan Kim [article] [CVE-2017-5123]

2017: "Exploiting on CVE-2016-6787" [article] [CVE-2016-6787]

2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov [video] [CVE-2017-2636]

2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov [slides] [CVE-2017-2636]

2017: "CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP" by Alexander Popov [article] [CVE-2017-2636]

2017: "CVE-2017-2636: local privilege escalation flaw in n_hdlc" by Alexander Popov [announcement] [CVE-2017-2636]

2017: "Dirty COW and why lying is bad even if you are the Linux kernel" [article] [CVE-2016-5195]

2017: "NDAY-2017-0103: Arbitrary kernel write in sys_oabi_epoll_wait" by Zuk Avraham [article] [CVE-2016-3857]

2017: "NDAY-2017-0106: Elevation of Privilege in NVIDIA nvhost-vic driver" by Zuk Avraham [article] [CVE-2016-2434]

2017: "PWN2OWN 2017 Linux kernel privilege escalation analysis" [article] [CVE-2017-7184]

2017: "Exploiting the Linux kernel via packet sockets" by Andrey Konovalov [article] [CVE-2017-7308]

2017: "NDAY-2017-0105: Elevation of Privilege Vulnerability in MSM Thermal Drive" by Zuk Avraham [article] [CVE-2016-2411]

2017: "NDAY-2017-0102: Elevation of Privilege Vulnerability in NVIDIA Video Driver" by Zuk Avraham [article] [CVE-2016-2435]

2017: "CVE-2017-6074: Exploiting a double-free in the Linux kernel DCCP sockets" by Andrey Konovalov [article] [CVE-2017-6074]

2016: "CVE-2016-8655 Linux af_packet.c race condition (local root)" by Philip Pettersson [announcement] [CVE-2016-8655]

2016: "Rooting Every Android From Extension To Exploitation" by Di Shen and James Fang at Black Hat [slides] [article] [CVE-2015-0570, CVE-2016-0820, CVE-2016-2475, CVE-2016-8453]

2016: "Talk is Cheap, Show Me the Code" by James Fang, Di Shen and Wen Niu [slides] [CVE-2015-1805]

2016: "CVE-2016-3873: Arbitrary Kernel Write in Nexus 9" by Sagi Kedmi [article] [CVE-2016-3873]

2016: "Exploiting Recursion in the Linux Kernel" by Jann Horn [article] [CVE-2016-1583]

2016: "ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)" By Perception Point Research Team [article] [CVE-2016-0728]

2016: "CVE20160728 Exploit Code Explained" by Shilong Zhao [article] [CVE-2016-0728]

2016: "CVE-2016-0728 vs Android" by Collin Mulliner [article] [CVE-2016-0728]

2016: "Notes about CVE-2016-7117" by Lizzie Dixon [article] [CVE-2016-7117]

2016: "CVE-2016-2384: exploiting a double-free in the usb-midi linux kernel driver" by Andrey Konovalov [article] [CVE-2016-2384]

2016: "CVE-2016-6187: Exploiting Linux kernel heap off-by-one" by Vitaly Nikolenko [article] [CVE-2016-6187]

2016: "CVE-2014-2851 group_info UAF Exploitation" by Vitaly Nikolenko [article] [CVE-2014-2851]

2016: "Perf: From Profiling To Kernel Exploiting" by Wish Wu at HITB Ams [slides] [video] [CVE-2016-0819]

2016: "QUADROOTER: NEW VULNERABILITIES AFFECTING OVER 900 MILLION ANDROID DEVICES" [article] [CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340]

2016: "STUMPING THE MOBILE CHIPSET: New 0days from down under" by Adam Donenfeld at DEF CON [slides] [CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340]

2015: "Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)" by Gal Beniamini [article] [CVE-2014-4322]

2015: "Exploiting "BadIRET" vulnerability" by Rafal Wojtczuk [article] [CVE-2014-9322]

2015: "Follow-up on Exploiting "BadIRET" vulnerability (CVE-2014-9322)" by Adam Zabrocki [article] [CVE-2014-9322]

2015: "Ah! Universal Android Rooting Is Back" by Wen Xu at Black Hat [slides] [video] [paper] [CVE-2015-3636]

2015: "When is something overflowing" by Keen Team [slides]

2015: "Exploiting the DRAM rowhammer bug to gain kernel privileges" by Mark Seaborn and Thomas Dullien [article] [Rowhammer]

2015: "CVE-2014-4943 - PPPoL2TP DoS Analysis" by Vitaly Nikolenko [article] [CVE-2014-4943]

2015: "CVE-2015-0568: Use-After-Free Vulnerability in the Camera Driver of Qualcomm MSM 7x30" [article] [CVE-2015-0568]

2014: "Exploiting CVE-2014-0196 a walk-through of the Linux pty race condition PoC" by Samuel Gross [article] [CVE-2014-0196]

2014: "CVE-2014-4014: Linux Kernel Local Privilege Escalation "exploitation"" by Vitaly Nikolenko [article] [CVE-2014-4014]

2014: "CVE-2014-4699: Linux Kernel ptrace/sysret vulnerability analysis" by Vitaly Nikolenko [article] [CVE-2014-4699]

2014: "How to exploit the x32 recvmmsg() kernel vulnerability CVE 2014-0038" by Samuel Gross [article] [CVE-2014-0038]

2014: "Exploiting the Futex Bug and uncovering Towelroot" [article] [CVE-2014-3153]

2014: "CVE-2014-3153 Exploit" by Joel Eriksson [article] [CVE-2014-3153]

2013: "Privilege Escalation Kernel Exploit" by Julius Plenz [article] [CVE-2013-1763]

2013: "A closer look at a recent privilege escalation bug in Linux (CVE-2013-2094)" by Joe Damato [article] [CVE-2013-2094]

2012: "Linux Local Privilege Escalation via SUID /proc/pid/mem Write" by Jason Donenfeld [article] [CVE-2012-0056]

2011: "Kernel Exploitation Via Uninitialized Stack" by Kees Cook at DEF CON [slides] [video] [CVE-2010-2963]

2010: "CVE-2010-2963 v4l compat exploit" by Kees Cook [article] [CVE-2010-2963]

2010: "Exploiting large memory management vulnerabilities in Xorg server running on Linux" by Rafal Wojtczuk [article] [CVE-2010-2240]

2010: "CVE-2007-4573: The Anatomy of a Kernel Exploit" by Nelson Elhage [article] [CVE-2007-4573]

2010: "Linux Kernel CAN SLUB Overflow" by Jon Oberheide [article] [CVE-2010-2959]

2010: "af_can linux kernel overflow" by Ben Hawkes [article] [CVE-2010-2959]

2010: "linux compat vulns (part 1)" by Ben Hawkes [article] [CVE-2010-3081]

2010: "linux compat vulns (part 2)" by Ben Hawkes [article] [CVE-2010-3301]

2010: "Some Notes on CVE-2010-3081 Exploitability" [article] [CVE-2010-3081]

2010: "Anatomy of an exploit: CVE-2010-3081" [article] [CVE-2010-3081]

2010: "CVE-2010-4258: Turning denial-of-service into privilege escalation" by Nelson Elhage [article] [CVE-2010-4258]

2009: "Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692)" [article] [CVE-2009-2692]

2009: "Even when one byte matters" [article] [CVE-2009-1046]

2009: "CVE-2008-0009/CVE-2008-0010: Linux kernel vmsplice(2) Privilege Escalation" [article] [CVE-2008-0009, CVE-2008-0010]

2008: "vmsplice(): the making of a local root exploit" by Jonathan Corbet [article] [CVE-2008-0600]

2004: "Linux kernel do_mremap VMA limit local privilege escalation vulnerability" [article] [CVE-2004-0077]


2022: "Writing a Linux Kernel Remote in 2022" by Samuel Page [article] [slides] [CVE-2022-0435]

2022: "Zenith: Pwn2Own TP-Link AC1750 Smart Wi-Fi Router Remote Code Execution Vulnerability" by Axel Souchet [article] [CVE-2022-24354]

2021: "BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution" by Andy Nguyen: BadChoice, BadKarma, BadVibes [article] [CVE-2020-12352, CVE-2020-12351, CVE-2020-24490]

2017: "Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)" by Gal Beniamini [article] [CVE-2017-0569]

2017: "BlueBorn: The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks" [paper] [CVE-2017-1000251]

2016: "CVE Publication: CVE 2016-8633" by Eyal Itkin [article] [CVE-2016-8633]

2011: "Owned Over Amateur Radio: Remote Kernel Exploitation in 2011" at DEF CON [slides] [video] [CVE-2011-1493]

2009: "When a "potential D.o.S." means a one-shot remote kernel exploit: the SCTP story" [article] [CVE-2009-0065]


2022: "Linux Kernel: Infoleak in Bluetooth L2CAP Handling" [advisory] [CVE-2022-42895]

2022: "Linux Kernel: UAF in Bluetooth L2CAP Handshake" [advisory] [CVE-2022-42896]

2022: "Vulnerability Details for CVE-2022-41218" [article] [CVE-2022-41218]

2022: "Racing Cats to the Exit: A Boring Linux Kernel Use-After-Free" [article]

2022: "Android Universal Root: Exploiting xPU Drivers" [slides] [CVE-2022-20122] [CVE-2021-39815]

2022: "The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)" by Xingyu Jin [article] [CVE-2021-0920]

2022: "Finding bugs in the Linux Kernel Bluetooth Subsystem" by Itay Iellin [] [article] [part 2]

2022: "CVE-2022-0435: A Remote Stack Overflow in The Linux" by Samuel Page [article] [CVE-2022-0435]

2022: "CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers" by Max Van Amernngen [article] [CVE-2021-45608]

2021: "CVE-2021-1048: refcount increment on mid-destruction file" by Jann Horn [article] [CVE-2021-1048]

2021: "Achieving Linux Kernel Code Execution Through a Malicious USB Device" by Martijn Bogaard and Dana Geist [slides] [CVE-2016-2384]

2021: "SLUB overflow CVE-2021-42327" [article] [CVE-2021-42327]

2021: "CVE-2021-44733: Fuzzing and exploitation of a use-after-free in the Linux kernel TEE subsystem" by pjlantz [article] [poc] [CVE-2021-44733]

2021: "CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution" by Max Van Amerongen [article] [CVE-2021-43267]

2021: "An EPYC escape: Case-study of a KVM breakout" by Felix Wilhelm [article] [CVE-2021-29657]

2021: "CVE-2021-1905: Qualcomm Adreno GPU memory mapping use-after-free" by Ben Hawkes [article] [CVE-2021-1905]

2021: "A foray into Linux kernel exploitation on Android" by Ayaz Mammadov [article]

2020: "CVE-2020-16119" [article] [CVE-2020-16119]

2020: "The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220)" by Adam Zabrocki [article] [CVE-2020-14356, CVE-2020-25220]

2020: "Curiosity around 'exec_id' and some problems associated with it" by Adam Zabrocki [article]

2020: "The never ending problems of local ASLR holes in Linux" [article] [CVE-2019-11190]

2019: "Reverse-engineering Broadcom wireless chipsets" by Hugues Anguelkov [article] [CVE-2019-9503, CVE-2019-9500]

2019: "CVE-2019-2000 - Android kernel binder vulnerability analysis" [article] [CVE-2019-2000]

2019: "Linux: virtual address 0 is mappable via privileged write() to /proc/*/mem" [article] [CVE-2019-9213]

2019: "CVE-2019-9213 - Analysis of Linux Kernel User Space 0 Virtual Address Mapping Vulnerability" [article] [CVE-2019-9213]

2018: "IOMMU-resistant DMA attacks" by Gil Kupfer [thesis]

2017: "initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection" [article] [CVE-2017-1000363]

2016: "Motorola Android Bootloader Kernel Cmdline Injection Secure Boot Bypass" [article] [CVE-2016-10277]

2015: "Vulnerability in the Linux Crypto API that allows unprivileged users to load arbitrary kernel modules" by Mathias Krause [annnouncement]

Finding Bugs

2022: "Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools" by Andrey Konovalov [slides] [video] [article]

2022: "PrIntFuzz: Fuzzing Linux Drivers via Automated Virtual Device Simulation" [paper]

2022: "KSG: Augmenting Kernel Fuzzing with System Call Specification Generation" [paper]

2022: "Demystifying the Dependency Challenge in Kernel Fuzzing" [paper]

2022: "Hunting for Linux kernel public vulnerabilities" [article]

2022: "DangZero: Efficient Use-After-Free Detection via Direct Page Table Access" [paper]

2022: "How I started chasing speculative type confusion bugs in the kernel and ended up with 'real' ones" by Jakob Koschel [slides] [video]

2022: "Technical analysis of syzkaller based fuzzers: It's not about VaultFuzzer!" [article]

2022: "GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs" [paper]

2022: "An In-depth Analysis of Duplicated Linux Kernel Bug Reports" [paper]

2022: "Looking for Remote Code Execution bugs in the Linux kernel" by Andrey Konovalov [article]

2022: "Demystifying the Dependency Challenge in Kernel Fuzzing" [paper]

2022: "Progressive Scrutiny: Incremental Detection of UBI bugs in the Linux Kernel" [paper]

2022: "Syzkaller diving 01: Learn basic KCOV and how fuzzer adopts it" by f0rm2l1n [article]

2022: "Syzkaller diving 02: How syzkaller describe syscalls" by f0rm2l1n [article]

2022: "Syzkaller diving 03: What is the remote KCOV?" by f0rm2l1n [article]

2022: "Case Studies of Fuzzing with Xen" by Tamas K Lengyel at OffensiveCon [slides]

2021: "Rtkaller: State-aware Task Generation for RTOS Fuzzing" [paper]

2021: "BSOD: Binary-only Scalable fuzzing Of device Drivers" by Fabian Toepfer and Dominik Maier [paper]

2021: "LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution" at USENIX [paper] [slides]

2021: "An Analysis of Speculative Type Confusion Vulnerabilities in the Wild" at USENIX [paper] [slides] [video]

2021: "SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning" at USENIX [paper] [slides] [video]

2021: "Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking" at USENIX [paper] [slides] [video]

2021: "Ruffling the penguin! How to fuzz the Linux kernel" by Andrey Konovalov and [article]

2021: "CoLaFUZE: Coverage-Guided and Layout-Aware Fuzzing for Android Drivers" [paper]

2021: "CVEHound: Audit Kernel Sources for Missing CVE Fixes" by Denis Efremov [slides] [video]

2021: "Finding Multiple Bug Effects for More Precise Exploitability Estimation" by Zhenpeng Lin and Yueqi Chen [slides] [video]

2021: "Triaging Kernel Out-Of-Bounds Write Vulnerabilities" by Weiteng Chen [slides] [video]

2021: "SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs" by Xiaochen Zou [paper] [slides] [video] [lwn article]

2021: "HEALER: Relation Learning Guided Kernel Fuzzing" [paper]

2021: "Snowboard: Finding Kernel Concurrency Bugs through Systematic Inter-thread Communication Analysis" [paper]

2021: "Detecting semantic bugs using differential fuzzing" by Mara Mihali [slides] [video]

2021: "Fuzzing Linux with Xen" by Tamas K Lengyel [slides] [video]

2021: "Variant analysis of the ‘Sequoia’ bug" by Jordy Zomer [article]

2021: "KMSAN, a look under the hood" by Alexander Potapenko [slides] [video]

2021: "Detecting Kernel Memory Leaks in Specialized Modules with Ownership Reasoning" [paper]

2021: "Understanding and Detecting Disordered Error Handling with Precise Function Pairing" [paper]

2021: "KFENCE - Detecting memory bugs in production kernels" [article]

2021: "Fuzzing the Linux Kernel" by Andrey Konovalov [slides] [video]

2021: "Dynamic program analysis for fun and profit" by Dmitry Vyukov [slides] [video]

2020: "RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization" [paper] [tool]

2020: "Fuzzing a Pixel 3a Kernel with Syzkaller" by senyuuri [article]

2020: "Fuzzing the Berkeley Packet Filter" by Benjamin Curt Nilsen [thesis]

2020: "syzkaller: Adventures in Continuous Coverage-guided Kernel Fuzzing" by Dmitry Vyukov at BlueHat IL [video]

2020: "syzkaller / sanitizers: status update" by Dmitry Vyukov at Linux Plumbers [slides] [video]

2020: "Fuzzing for eBPF JIT bugs in the Linux kernel" by Simon Scannell [article]

2020: "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel" [paper]

2020: "Eliminating bugs in BPF JITs using automated formal verification" by Luke Nelson [video] [slides]

2020: "Fuzzing the Linux kernel (x86) entry code, Part 1 of 3" by Vegard Nossum [article]

2020: "Fuzzing the Linux kernel (x86) entry code, Part 2 of 3" by Vegard Nossum [article]

2020: "Fuzzing the Linux kernel (x86) entry code, Part 3 of 3" by Vegard Nossum [article]

2020: "Data-race detection in the Linux kernel" by Marco Elver at Linux Plumbers [slides] [video]

2020: "harbian-qa: State-based target directed fuzzer based on syzkaller" [article]

2020: "Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints" [paper] [slides] [video] [code]

2020: "Using syzkaller, part 1: Fuzzing the Linux kernel" by Andre Almeida [article]

2020: "Using syzkaller, part 2: Detecting programming bugs in the Linux kernel" by Andre Almeida [article]

2020: "Using syzkaller, part 3: Fuzzing your changes" by Andre Almeida [article]

2020: "Using syzkaller, part 4: Driver fuzzing" by Andre Almeida [article]

2020: "Effective Detection of Sleep-in-atomic-context Bugs in the Linux Kernel" [paper]

2020: "KRACE: Data Race Fuzzing for Kernel File Systems" [paper] [video]

2020: "USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation" by Hui Peng and Mathias Payer [paper]

2020: "HFL: Hybrid Fuzzing on the Linux Kernel" [paper]

2020: "KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities" [paper]

2020: "Analyzing the Linux Kernel in Userland with AFL and KLEE" [article]

2020: "Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison" [paper] [slides] [video]

2020: "Finding Race Conditions in Kernels: from Fuzzing to Symbolic Execution" by Meng Xu [thesis]

2020: "A Hybrid Interface Recovery Method for Android Kernels Fuzzing" [paper]

2019: "perf fuzzer: Exposing Kernel Bugs by Detailed Fuzzing of a Specific System Call (2019 Update)" by Vincent M. Weaver and Dave Jones [paper]

2019: "Industry Practice of Coverage-Guided Enterprise Linux Kernel Fuzzing" [paper]

2019: "Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers" [paper]

2019: "A gentle introduction to Linux Kernel fuzzing" by Marek Majkowski [article]

2019: "Unicorefuzz: On the Viability of Emulation for Kernelspace Fuzzing" [paper]

2019: "Case study: Searching for a vulnerability pattern in the Linux kernel" by Alexander Popov [article]

2019: "Razzer: Finding Kernel Race Bugs through Fuzzing" [video] [paper]

2019: "Fuzzing File Systems via Two-Dimensional Input Space Exploration" [paper] [fuzzer]

2019: "PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary" [paper]

2019: "Hourglass Fuzz: A Quick Bug Hunting Method" [slides]

2019: "Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences" [paper] [slides]

2019: "Automatically Identifying Security Checks for Detecting Kernel Semantic Bugs" [paper]

2018: "FastSyzkaller: Improving Fuzz Efficiency for Linux Kernel Fuzzing" [paper]

2018: "Writing the worlds worst Android fuzzer, and then improving it" by Brandon Falk [article]

2018: "From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities" [slides] [paper]

2018: "MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation" [paper] [code]

2018: "Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking" by Mateusz Jurczyk [paper]

2018: "New Compat Vulnerabilities In Linux Device Drivers" at BlackHat [slides]

2018: "Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels" [paper]

2018: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko at OffensiveCon [video]

2018: "K-Miner: Uncovering Memory Corruption in Linux" [paper]

2017: "KernelMemorySanitizer (KMSAN)" by Alexander Potapenko [slides]

2017: "The android vulnerability discovery in SoC" by Yu Pan and Yang Dai [slides]

2017: "Evolutionary Kernel Fuzzing" by Richard Johnson at Black Hat USA [slides]

2017: "DIFUZE: Interface Aware Fuzzing for Kernel Drivers" [slides] [paper]

2017: "SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits" at CCS [paper]

2017: "kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels" at USENIX [paper]

2017: "How Double-Fetch Situations turn into DoubleFetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel" at USENIX [paper]

2017: "DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers" at USENIX [paper]

2016: "Using Static Checking To Find Security Vulnerabilities In The Linux Kernel" by Vaishali Thakkar [slides]

2016: "UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages" [paper]

2016: "An Analysis on the Impact and Detection of Kernel Stack Infoleaks" [paper]

2016: "Syzkaller, Future Developement" by Dmitry Vyukov at Linux Plumbers [slides]

2016: "Coverage-guided kernel fuzzing with syzkaller" [article]

2016: "Filesystem Fuzzing with American Fuzzy Lop" by Vegard Nossum and Quentin Casasnovas [slides]

2016: "Project Triforce: AFL + QEMU + kernel = CVEs! (or) How to use AFL to fuzz arbitrary VMs" at ToorCon [slides]

2015: "KernelAddressSanitizer (KASan): a fast memory error detector for the Linux kernel" by Andrey Konovalov at LinuxCon North America [slides]

2015: "Introduction to USB and Fuzzing" by Matt DuHarte at DEF CON [video]

2015: "Don't Trust Your USB! How to Find Bugs in USB Device Drivers" by Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke at Black Hat [video]

2012: "Comprehensive Kernel Instrumentation via Dynamic Binary Translation" [paper]

2010: "Automatic Bug-finding Techniques for Linux Kernel" by Jiri Slaby [paper]

2009: "Opensource Kernel Auditing and Exploitation" by Silvio Cesare at DEF CON [video]


"Linux Kernel Defence Map" by Alexander Popov

2022: "Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse" by Mathias Krause [article] [reference exploits]

2022: "Making Linux Kernel Exploit Cooking Harder" [article] [reference exploits] [proposed mitigations]

2022: "Where are we on security features?" [slides] [video]

2022: "Control-Flow Integrity Kernel Support" [slides] [video]

2022: "HotBPF - An On-demand and On-the-fly Memory Protection for the Linux Kernel" [video]

2022: "Mind The Gap - The Linux Ecosystem Kernel Patch Gap" by Jakob Lell & Regina Biro [video]

2022: "The exploit recon 'msg_msg' and its mitigation in VED" [article]

2022: "Return to sender: Detecting kernel exploits with eBPF" by Guillaume Fournier at Black Hat USA [slides] [code]

2022: "Meaningful Bounds Checking in the Linux Kernel" by Kees Cook [slides]

2022: "Compilers: The Old New Security Frontier" by Brad Spengler [slides]

2022: "In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication" [paper] [slides]

2022: "Preventing Kernel Hacks with HAKC" [paper]

2022: "Mitigating Processor Vulnerabilities by Restructuring the Kernel Address Space" by Sebastian Eydam [slides]

2022: "Meaningful Bounds Checking in the Linux Kernel" by Kees Cook at Linux Conf AU [slides] [video]

2022: "Mitigating kernel risks on 32-bit ARM" by Ard Biesheuvel [article]

2022: "Kernel Hardening for 32-bit Arm Processors" by Keith Packard at Linux Conf AU [video]

2021: "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" by Andrey Konovalov [slides] [video]

2021: "Attack surface analysis of the Linux kernel based on complexity metrics" by Stefan Bavendiek [thesis]

2021: "Midas: Systematic Kernel TOCTTOU Protection" at USENIX [paper] [slides]

2021: "Undo Workarounds for Kernel Bugs" at USENIX [paper] [slides] [video]

2021: "SHARD: Fine-Grained Kernel Specialization with Context-Aware Hardening" at USENIX [slides] [video]

2021: "Mitigation of Kernel Memory Corruption Using Multiple Kernel Memory Mechanism" [paper]

2021: "Hardware-Assisted Fine-Grained Control-Flow Integrity: Adding Lasers to Intel's CET/IBT" by Joao Moreira [slides] [video]

2021: "Kernel Self-Protection Project" by Kees Cook [slides] [video]

2021: "Compiler Features for Kernel Security" by Kees Cook [slides] [video]

2021: "A proof-carrying approach to building correct and flexible in-kernel verifiers" [slides] [video]

2021: "How AUTOSLAB Changes the Memory Unsafety Game" by Zhenpeng Lin [article]

2021: "security things in Linux vX.X" by Kees Cook [articles]

2021: "Undo Workarounds for Kernel Bugs" [paper]

2020: "Kernel Integrity Enforcement with HLAT In a Virtual Machine" by Chao Gao [slides] [video]

2020: "Linux kernel heap quarantine versus use-after-free exploits" by Alexander Popov [article]

2020: "State of Linux kernel security" by Dmitry Vyukov [slides] [video]

2020: "LKRG IN A NUTSHELL" by Adam Zabrocki at OSTconf [slides]

2020: "Following the Linux Kernel Defence Map" by Alexander Popov at Linux Plumbers [slides] [video]

2020: "Memory Tagging for the Kernel: Tag-Based KASAN" by Andrey Konovalov [slides] [video]

2020: "10 Years of Linux Security - A Report Card" by Bradley Spengler [slides] [video]

2020: "Control Flow Integrity in the Linux Kernel" by Kees Cook at [slides] [video]

2020: "Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation Mechanism" [paper]

2019: "Camouflage: Hardware-assisted CFI for the ARM Linux kernel" [paper]

2019: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa at Linux Security Summit EU [video]

2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento [thesis]

2019: "Kernel Self-Protection Project" by Kees Cook [slides]

2019: "Touch but don’t look - Running the Kernel in Execute-only memory" by Rick Edgecombe [slides]

2019: "Breaking and Protecting Linux Kernel Stack" by Elena Reshetova [video]

2019: "Making C Less Dangerous in the Linux Kernel" by Kees Cook [slides]

2019: "Mitigation for the Kernel Space Mirroring Attack (内核镜像攻击的缓解措施)" [article]

2018: "The State of Kernel Self Protection" by Kees Cook [slides]

2018: "Android Kernel Control Flow Integrity Analysis (分析)" [article]

2018: "Overview and Recent Developments: Kernel Self-Protection Project" by Kees Cook [slides]

2018: "The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone" by Seunghun Han at beVX [video]

2018: "Linux Kernel Runtime Guard (LKRG) under the hood" by Adam Zabrocki at CONFidence [slides, video]

2018: "GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM" [paper]

2018: "kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse" at BlackHat [video]

2018: "KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels" [paper]

2018: "The State of Kernel Self Protection" by Kees Cook at Linux Conf AU [slides]

2017: "kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse" [paper]

2017: "How STACKLEAK improves Linux kernel security" by Alexander Popov at Linux Piter [slides]

2017: "Shadow-Box: The Practical and Omnipotent Sandbox" by Seunghun Han at HitB [slides]

2017: "Towards Linux Kernel Memory Safety" [paper]

2017: "Proposal of a Method to Prevent Privilege Escalation Attacks for Linux Kernel" [slides]

2017: "Linux Kernel Self Protection Project" by Kees Cook [slides]

2017: "PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables" [paper]

2017: "KASLR is Dead: Long Live KASLR" [paper]

2017: "Honey, I shrunk the attack surface – Adventures in Android security hardening" by Nick Kralevich [video]

2017: "Fine Grained Control-Flow Integrity for The Linux Kernel" by Sandro Rigo, Michalis Polychronakis, Vasileios Kemerlis [slides]

2016: "Thwarting unknown bugs: hardening features in the mainline Linux kernel" by Mark Rutland [slides]

2016: "Emerging Defense in Android Kernel" by James Fang [article]

2016: "Randomizing the Linux kernel heap freelists" by Thomas Garnier [article]

2015: "RAP: RIP ROP" [slides]

2015: "Protecting Commodity Operating Systems through Strong Kernel Isolation" by Vasileios Kemerlis [paper]

2014: "Kernel Self-Protection through Quantified Attack Surface Reduction" by Anil Kurmus [paper]

2014: "A Tale of Two Kernels: Towards Ending Kernel Hardening Wars with Split Kernel" by Anil Kurmus and Robby Zippel [paper]

2013: "KASLR: An Exercise in Cargo Cult Security" by Brad Spengler [article]

2012: "How do I mitigate against NULL pointer dereference vulnerabilities?" by RedHat [article]

2011: "Linux kernel vulnerabilities: State-of-the-art defenses and open problems" [paper]

2009: "Linux Kernel Heap Tampering Detection" by Larry Highsmith [article]


Project Zero bug reports [2010-2011] (CVE-2017-1000112 exploit with LKRG bypass) [FUZE] [KEPLER]

Linux Kernel SCTP FORWARD-TSN Chunk Memory Corruption Remote Exploit [CVE-2009-0065]


Fuzzers [race-condition]


Kernel Address Space Layout Derandomization (KASLD)



2021: "Linux kernel exploit development" [workshop]

2020: " Module: Kernel Security" [workshop]

2020: "Android Kernel Exploitation" by Ashfaq Ansari [workshop]

CTF Tasks

D^3CTF 2022 (d3bpf): writeup, writeup 2

zer0pts CTF 2022 (kRCE): writeup

VULNCON CTF 2021 (IPS): writeup, writeup 2

N1 CTF 2021 (baby-guess): source, writeup

Balsn CTF 2021 (futex): source, writeup

TSG CTF 2021 (lkgit): writeup, writeup 2, writeup 3

Midnightsun Quals 2021 (BroHammer): writeup

0ctf2021 (kernote): source, exploit, and writeup, writeup 2

corCTF 2021 (fire-of-salvation): source, writeup

corCTF 2021 (wall-of-perdition): source, writeup

Google CTF 2021 (pwn-fullchain): source, writeup

Google CTF 2021 (pwn-ebpf): source, writeup

3kCTF 2021 (echo): source and exploit

3kCTF 2021 (klibrary): source, writeup

DEF CON CTF Qualifier 2021 (pza999): source and exploit

DiceCTF 2021 (HashBrown): writeup

hxp CTF 2020 (pfoten): source, writeup

CUCTF 2020 (Hotrod): writeup

SpamAndFlags 2020 (Secstore): writeup

BSidesTLV CTF 2020 (Kapara): writeup and exploit, video writeup

HITCON CTF 2020 (spark): source and exploit #1, writeup and exploit #2, exploit #3

HITCON CTF 2020 (atoms): source and exploit

N1 CTF 2020 (W2L): writeup

Seccon Online 2020 (Kstack): source, exploit, and writeup

TokyoWesterns CTF 2020 (EEBPF): source, writeup

r2con CTF 2020: source, exploit

ASIS CTF 2020 (Shared House): writeup

DEF CON CTF Qualifier 2020 (fungez): source, exploit and writeup

DEF CON CTF Qualifier 2020 (keml): source, exploit

zer0pts CTF 2020 (meow): writeup

De1CTF 2019 (Race): writeup and exploit

r2con CTF 2019: source, exploit, and writeup

HITCON CTF Quals 2019 (PoE): source and exploit

Balsn CTF 2019 (KrazyNote): exploit, writeup

TokyoWesterns CTF 2019 (gnote): writeup, video part 1, part 2

Security Fest 2019 (brainfuck64): writeup

Insomni'hack teaser 2019 (1118daysober): writeup 1, writeup 2

hxp CTF 2018 (Green Computing): writeup

WCTF 2018 (cpf): source, writeup, and exploit

SECT CTF 2018 (Gh0st): writeup

TWCTF 2018 (ReadableKernelModule): writeup

NCSTISC 2018 (babydriver): writeup, source and exploit

Sharif CTF 2018 (kdb): writeup, source and exploit

N1CTF 2018: writeup

Blaze2018 (blazeme): source and exploit 1, soure and exploit 2

QWB2018 (solid_core): writeup, exploit 1, exploit 2, exploit 3

0ctf2018: writeup 1, writeup 2

TCTF 2017 (cred_jar): writeup

0ctf2017: source and exploit 1, source and exploit 2

0ctf2016: writeup, exploit

Insomni’hack finals 2015: writeup, source and exploit

CSAW CTF 2015: writeup 1, writeup 2, source and exploit

CSAW CTF 2014: source and exploit

CSAW CTF 2013: writeup, source and exploit

PlaidCTF 2013 (Servr): writeup, source

CSAW CTF 2011: writeup, source

rwth2011 CTF (ps3game): writeup

CSAW CTF 2010: writeup, source, source and exploit

Other tasks tasks (syscall, rootkit, softmmu, towelroot, kcrc, exynos)




2022: "Mind the Gap" by Ian Beer [article]

2022: "Designing subsystems for FUZZ-ability" by Dmitry Vyukov [slides] [video]

2022: "Making syzbot reports more developer-friendly" by Aleksandr Nogikh [slides] [video]

2022: "Peeking into the BPF verifier" by Shung-Hsi Yu [slides]

2022: "So You Wanna Pwn The Kernel?" by Samuel Page [article]

2022: "Automated RE of Kernel Configurations" by zznop [article]

2021: "An Investigation of the Android Kernel Patch Ecosystem" at USENIX [paper] [slides] [video]

2021: "The Complicated History of a Simple Linux Kernel API" [article]

2021: "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commit" [paper]

2020: "Checklist for when you get stuck with a Kernel Exploit" [article]

2020: "Android / Linux SLUB aliasing for general- and special-purpose caches" by Vitaly Nikolenko [video]

grsecurity CVE-Dataset [spreadsheet]


A collection of links related to Linux kernel security and exploitation








No releases published


No packages published