Animated terminal demo of the FreeBSD setcred CVE-2026-45250 LPE exploit landing a root shell

Calif’s AI Audit of FreeBSD: 15 Kernel Bugs (3 RCEs, 5 LPEs, 1 bhyve Escape) and Three Public CVE Writeups

Calif’s AI-assisted security team published a write-up of their FreeBSD kernel engagement: “15 bugs total” — 3 RCEs, 5 LPEs, 1 bhyve guest-to-host escape, plus memory disclosures and DoS — reported privately to FreeBSD with public PoCs released for three: CVE-2026-45250 (setcred sizeof confusion → stack overflow), CVE-2026-45253 (ptrace PT_SC_REMOTE missing bounds check → sysent OOB), and CVE-2026-45251 (procdesc UAF → arbitrary kernel-pointer writes via TAILQ_REMOVE on stale pd_selinfo). The exploits and writeups were generated by AI (OpenAI / Anthropic) and verified by humans before release. The remaining twelve bugs stay private until FreeBSD ships fixes.

CVE-2025-61622: PyFory Insecure Pickle Deserialization to Remote Code Execution

CVE-2025-61622 is an unauthenticated remote code execution in PyFory (formerly PyFury) 0.12.0–0.12.2 reachable through the library’s fallback path for unregistered types: “handle_unsupported_read()” instantiates a bare “pickle.Unpickler” with no “find_class” override and calls “.load()” on the attacker’s buffer, executing whatever “__reduce__” tuple they crafted. The attacker doesn’t even need PyFory installed — a stock “cloudpickle” payload pushed over a TCP socket is enough. Fixed in 0.12.3 by removing the pickle fallback entirely.

Reverse Engineering for Beginners: Defeating an XOR Crackme on Windows x64

A step-by-step walkthrough of reverse-engineering a Windows x64 crackme that XORs its input against a hard-coded 10-byte key before comparing it to an embedded array. Using x64dbg, we follow the password byte into RAX, find the XOR site at “0x40171E”, recover the key (“U V W X Y Z Q R S T”) from RBP-relative stack slots, then XOR the comparison array back through that key to recover the original password — “strongpass”. Source code is reproduced verbatim from the author’s GitHub.

Initial Ghidra interface before loading the shellcode sample

Ghidra Basics: Reverse-Engineering Cobalt Strike Shellcode and Extracting the C2 Server

A practical walkthrough of using Ghidra and x32dbg to disassemble a Cobalt Strike beacon shellcode, identify the PUSH/CALL EBP hash-then-dispatch pattern, resolve API hashes such as “0x726774c” (LoadLibraryA), “0xa779563a” (InternetOpenA) and “0xc69f8957” (InternetConnectA), recognise ROR13 as the hashing algorithm, and extract the C2 IP “195.211.98[.]91” from the decoded calls. Original rewrite of Matthew’s tutorial on embeeresearch.io with all 56 original screenshots preserved.

The epoll UAF: A Same-CPU Preemption Race in fs/eventpoll.c on Linux 6.6+

Deep-dive writeup on a Linux kernel use-after-free in “fs/eventpoll.c”. A 2023 optimisation traded a global “epmutex” for per-instance reference counting in epoll’s graph-walking code, but left the walkers running under “rcu_read_lock()” while “ep_free()” kept calling plain “kfree(ep)” with no RCU deferral — opening a same-CPU preemption race that yields a constrained write through a freed “struct eventpoll”. Fixed in commit “07712db80857” by switching to “kfree_rcu(ep, rcu)”. Affects Linux 6.6+ including Android (Pixel 10 tested).

Doom II running on the z386 FPGA core

z386: An Open-Source FPGA 80386 Driven by the Original Intel Microcode

Open-source FPGA recreation of Intel’s 80386 that runs the original recovered Intel microcode rather than re-implementing instruction behaviour from scratch. The result is an 8 K-line, 18 K-ALUT, 85 MHz core that boots DOS, runs DOS/4GW and DOS/32A extenders, and plays Doom and Doom II — with a detailed comparison against the 486 and a clear silicon-archaeology angle relevant to reverse engineers and hardware security researchers.

CVE-2024-27398: Exploiting a Linux Bluetooth SCO Use-After-Free with SMEP Bypass

A full walkthrough of CVE-2024-27398, a race-induced use-after-free in the Linux 6.8 Bluetooth SCO subsystem. The exploit races two connect() threads on the same SCO socket to orphan a delayed-work timer, reclaims the freed sock with add_key(), forges a valid DEBUG_SPINLOCK pattern in the spray payload, and uses an xchg eax, esp ; ret gadget to pivot the kernel stack into userspace — bypassing SMEP with pure ROP and overwriting modprobe_path to get root.

Normal Callback call stack showing callback address visible in inspector

Callback Hell: Abusing Callbacks, Tail Calls, and Proxy Frames to Obfuscate the Stack

A walkthrough of klezVirus’ “Callback hell” — a technique that hides callback frames from stack inspectors by combining tail-calls, forward and backward proxy frames, and a chained thread-pool dispatcher, while still recovering the callee’s return value via a MOV [REG], RAX gadget. Published under CC BY 4.0 and republished here in full, with all original figures, assembly listings, and the POC video.

Diagram contrasting Windows user mode and kernel mode boundaries

BYOVD Attack Surface: From Vulnerability-Driven to Certificate Abuse

Between 2025 and 2026, BYOVD attacks completed a fundamental paradigm shift: from exploiting known-vulnerable drivers to abusing legitimately-signed drivers and certificates themselves. This English rewrite of the Ghost Wolf Lab research walks through dual-driver campaigns, single-byte signature-preserving hash flips, independent certificate abuse, and Microsoft’s March 2026 cross-signed trust removal.