Attacking Samsung RKP: Three Bypasses of EL2 Kernel Protection on Exynos Devices

An original English rewrite of Alexandre Adamski’s 2021 Impalabs deep dive into Samsung’s Real-time Kernel Protection (RKP). The post walks through three independent vulnerabilities — CVE-2021-25415, CVE-2021-25416 and CVE-2021-25417 — that let a kernel-level attacker remap hypervisor memory as writable, sneak executable kernel pages through the “dynamic load” interface, and modify RKP-protected read-only kernel memory. All credit for the research belongs to the original author and Impalabs.

CVE-2024-27398: Exploiting a Linux Bluetooth SCO Use-After-Free with SMEP Bypass

A full walkthrough of CVE-2024-27398, a race-induced use-after-free in the Linux 6.8 Bluetooth SCO subsystem. The exploit races two connect() threads on the same SCO socket to orphan a delayed-work timer, reclaims the freed sock with add_key(), forges a valid DEBUG_SPINLOCK pattern in the spray payload, and uses an xchg eax, esp ; ret gadget to pivot the kernel stack into userspace — bypassing SMEP with pure ROP and overwriting modprobe_path to get root.

Callback Hell: Abusing Callbacks, Tail Calls, and Proxy Frames to Obfuscate the Stack

A walkthrough of klezVirus’ “Callback hell” — a technique that hides callback frames from stack inspectors by combining tail-calls, forward and backward proxy frames, and a chained thread-pool dispatcher, while still recovering the callee’s return value via a MOV [REG], RAX gadget. Published under CC BY 4.0 and republished here in full, with all original figures, assembly listings, and the POC video.

CVE-2026-6068 — NASM Heap UAF Turns Into Persistent RCE Through a Dependency-File Symlink Trick

A heap use-after-free in NASM’s response-file parser (CVE-2026-6068) sounds boring — until the dangling pointer is reused as a filename for fopen(). Project SEKAI’s breakingbad turns it into a deterministic, supply-chain-style persistent RCE that overwrites the victim’s ~/.bashrc through a 120-character heap-spray label, a shipped symlink, and the unescaped shell metacharacters in NASM’s Makefile-style dependency output. No ASLR, NX, PIE, RELRO or stack-canary bypass needed. Still unpatched at disclosure.

APC Tandem: A Primitive-Chaining Process Injection That Slips Past Common EDR Triggers

A walkthrough of “APC Tandem”, a stealth Windows process-injection technique that replaces WriteProcessMemory, CreateRemoteThread and VirtualAllocEx with a chain of less-watched primitives — thread description smuggling, paired GetThreadDescription/RtlMoveMemory APCs, and a Special User APC for execution.

BlueHammer: Exploiting Microsoft Defender Update Workflow to Leak SAM and Escalate to SYSTEM

BlueHammer shows how Microsoft Defender’s update workflow can be abused to redirect privileged file access to a Volume Shadow Copy. By exploiting filesystem races and NT namespace tricks, the technique leaks the SAM hive, extracts NTLM hashes, and enables privilege escalation to SYSTEM.