๐ฅ Introducing "Januscape" (CVE-2026-53359)
A Guest-to-Host Escape in KVM/x86 exploiting a UAF in the shadow MMU. Triggerable on both Intel and AMD hosts. Threatens x86 public clouds (GCP, AWS) that expose nested virtualization.
"16 years" latent. Successfully used as a
I just released our kernelCTF VSock 0-day write-up with @_qwerty_po . (exp196/exp197, CVE-2024-50264)
github.com/google/securitโฆ
We made history by being the first to exploit VSock in kernelCTF, expanding its known attack vectors. ๐ฅณ
Itโs a pretty *simple* race condition, right?
Google kernelCTF LTS/COS 0-day WIN!
Successfully exploited an extremely complex race condition 0-day vuln on two instances without using namespaces ๐
work with @_qwerty_po
@_qwerty_po and I exploited a VSock 1-day in Google kernelCTF back in *February*, securing $71,337 ๐ฅณ (CVE-2025-21756, exp237/exp249)
And Iโve just published the write-up: github.com/google/securitโฆ
A kernel developer reviewing a patch for a separate VSock bug I submitted
๐จ New Linux Kernel vulnerability (CVE-2024-27394) discovered & patched by Theori!
๐ blog.theori.io/deep-dive-intoโฆ
Our researcher @v4bel at #Theori identified a critical #UAF vulnerability in TCP-AO caused by a race condition in the #RCU API. Using techniques from the ExpRace paper,
CVE-2025-38087: Linux Kernel Traffic Control TAPRIO Use-After-Free
This is a 64byte UAF write vuln I discovered for Pwn2Own.
However, I couldnโt reliably exploit it due to the extremely narrow race window, so I had no choice but to patch it ๐ฅ
git.kernel.org/pub/scm/linux/โฆ
We are very happy to announce the nominees for the 2025 Pwnie Awards!
As a reminder, we will be presenting the winners at DEF CON this year. Saturday the 9th, 10:00AM Main Stage.
Hope to see you there!
docs.google.com/document/d/1fyโฆ
Did you know that in Upstream, the conventional โoverwriting modprobe_pathโ technique doesnโt work anymore?
So, I developed a new technique that generally triggers modprobe_path.
It's a simple ideaโnothing fancy, but pretty useful ๐
๐ NEW RESEARCH: We've revived the modprobe_path privilege escalation technique in #Linux kernels.
How? Read out blog to find out: blog.theori.io/reviving-the-mโฆ
Remember, we will always find a new way!
BTW, This is a variant of CVE-2021-26708:
a13xp0p0v.github.io/2021/02/09/CVEโฆ
It was the first vuln analyzed after joining the company two years ago. Back then, I knew vvs still ended up as a dangling ptr even after the vuln was patched, but only recently succeeded in triggering the UAF. ๐ฅฒ