Met the CoR guys and lots of researchers at Hexacon 2025! I’ll never forget it!☺️

It's awesome that William made a stable exploit to get RCE through the Linux kernel SMB server (ksmbd). It is difficult, but he nailed it! You've got to read his post to see the tricks and strategies he used 😆.

Wrote a trigger for CVE-2025-38494/5 (an integer underflow in the HID subsystem) that leaks 64 KB of OOB memory over USB. Still works on Pixels and Ubuntus (but the bug is fixed in stable kernels). https://t.co/4IvvqcVs4Q

Some of the things I was up to at @starlabs_sg...

My research on CVE-2025-38352 (posix-cpu-timers TOCTOU Race condition) which was released in @Android Sept 2025 Bulletin, covering the internals, the patch-fix, vulnerability analysis, and a demo of a PoC that caused a crash in the Android kernel. Blog:

Last weekend, I participated in corCTF and solved the Android Pwn challenge - corphone. It was a great challenge, and I learned a lot from it. Here's my write-up :) https://t.co/nFtkSjFzyW

That time when @tehjh was just reviewing a new Linux kernel feature, found a security vuln, then went on a journey to see if he could exploit it from inside the Chrome Linux Desktop renderer sandbox (spoiler: very yes) https://t.co/Atc6toEdAj

Our latest post details how we exploited Retbleed (a CPU vulnerability) to compromise a machine from a sandboxed process and VM! Curious? 👇 https://t.co/CSD8kdlBjD

Inspired by @__sethJenkins's cool research on the adsprpc driver in Android, I took a deep dive into the codebase and documented the internal workings of the @Qualcomm DSP Kernel Driver (FastRPC implementation). Blog:

Reverse engineering Google's undocumented DSP pays off! Our co-workers @st424204 & @Peterpan980927 found the first public vuln in Pixel 8's DSP → kernel takeover MTE? What MTE? 😎 Their talk got accepted at @HacksInTaiwan https://t.co/kAOAug43ya

Documented instructions for setting up KGDB on Pixel 8. Including getting kernel log over UART via USB-Cereal, building/flashing custom kernel, breaking into KGDB via /proc/sysrq-trigger or by sending SysRq-G over serial, dealing with watchdogs, etc. https://t.co/vb4mgLDJrl

corCTF 2025 is a little over a month away!🚩 This year, we have a prize pool worth over 10k, with 9k in cash prizes! 💵 As for the first teaser, we are introducing CoRPhone! Are you ready to pwn an Android kernel, exfiltrate chat logs, and save a 1 million dollar pigeon?👀

Here is our 0day for kernelCTF🩸 - 82k bounty - quickest submission ever - all instances pwned😎 https://t.co/0sb11m8ITD Disclaimer: We apologize for abusing the red black tree family. Turning grandparents against grandchildren is only acceptable in the context of pwn😤

This will be one of the few OSEE trainings held in Asia. Welcome to Taiwan :) https://t.co/7dTQH8RR4B

This post is also available on DEVCORE's blog. en: https://t.co/egE3MHIAUv zh-tw:

A bit late, but I just published my blog post on bypassing Ubuntu’s sandbox! Hope you enjoy it! https://t.co/Q9Nra9n6N0

🚨🚨🚨We just broke everyone’s favorite CTF PoW🚨🚨🚨 Our teammate managed to achieve a 20x SPEEDUP on kctf pow through AVX512 on Zen 5. Full details here: https://t.co/aCIU220IBf The Sloth VDF is dead😵 This is why kernelCTF no longer has PoW!

Billy again…

Our first confirmation of #Pwn2Own Berlin! Pumpkin (@u1f383) from DEVCORE Research Team used an integer overflow to escalate privs on Red Hat Linux. He earns $20,000 and 2 Master of Pwn points. #P2OBerlin

We are back😎 Say hello to our kernelCTF submission for CVE-2025-37752🩸 Who would have thought you could pwn a kernel with just a 0x0000 written 262636 bytes out of bounds? Read the full writeup at: https://t.co/GkpCjamlaZ 👀