An independent PoC reliably bug-checks Windows 11 25H2 (26100.8655) by spraying malformed batched virtualisation-mapping messages at bindflt.sys, faulting inside BfValidateShortName at +0x23783. Walk-through, full source code, root-cause analysis, and a hardening checklist.
CVE-2025-8088 — Russia-Linked APTs Are Still Pwning Unpatched WinRAR Installs in Ukraine
Eleven months after RarLab shipped WinRAR 7.13 to fix CVE-2025-8088, two Russia-aligned APT clusters (Earth Dahu / Gamaredon and SHADOW-EARTH-066 / UAC-0226) are still building fresh exploit samples for the path-traversal-via-NTFS-ADS bug. The two groups share an initial access vector and nothing else — one ships memory-resident compiled C++ stealers, the other pushes HTA+VBScript through Cloudflare Workers proxies — and both rely on the same structural failure: WinRAR has no auto-update and isn’t covered by enterprise patch management.
Vulnerabilities in Enterprise Audiovisual Hardware — Aver Cameras and Crestron TSW-1060 Tablets
Meeting-room cameras and conference-room tablets are some of the least-monitored, most insecurely-configured attack surfaces in an enterprise. Spaceraccoon (Eugene Lim) walks through an unauthenticated RCE in Aver PTC320UV2 cameras (CVE-2026-26461), a command injection in the Crestron TSW-1060 console’s undocumented HDCP2XLOAD handler, a hardcoded Gingco app password leading to local file disclosure, and a weak DES-crypt admin-password scheme cracked in two seconds with Hashcat.
Factoring “Short-Sleeve” RSA Keys with Polynomials
Trail of Bits and the badkeys project found hundreds of RSA and DSA keys in the wild whose moduli have regularly spaced blocks of zero bits (“short-sleeve” keys). A new polynomial-based factorization technique recovers the private factors instantly, and the root cause is a type-mismatch bug in CompleteFTP’s RNG path.
CVE-2026-40369: Twelve Bytes to Escape the Browser Sandbox
CVE-2026-40369 is an unprivileged arbitrary 12-byte kernel write in nt!ExpGetProcessInformation, reachable from Chrome/Edge/Firefox renderer sandboxes via NtQuerySystemInformation. A walk through the unchecked ProbeForWrite path and a five-phase LPE that forges a SYSTEM token with NtCreateToken.
CVE-2018-8611 — Exploiting the Windows Kernel Transaction Manager (Part 1/5: Introduction)
CVE-2018-8611 is a race-condition LPE in the Windows Kernel Transaction Manager (KTM), originally caught in the wild by Kaspersky’s AEP in October 2018 and patched in December 2018. This first instalment lays the KTM foundation — transaction managers, resource managers, transactions, enlistments — that the rest of the series builds on.
CuSafe — Catching Memory Corruption on Commodity NVIDIA GPUs (USENIX Security ’26)
CuSafe is a GPU memory sanitizer for off-the-shelf NVIDIA hardware. It combines pointer tagging with in-band buffer bounds via an LLVM 21 transform pass, ships in a 2 964–line implementation, catches every spatial and temporal bug in the authors’ 33-program test suite, and incurs an average 13% slowdown on 44 GPU workloads — including LLaMA2-7B and LLaMA3-8B inference — against compute-sanitizer’s 15× baseline.
Exploiting CVE-2024-1065 via the Page Cache — A Physical-Page UAF in the ARM Mali GPU Driver
CVE-2024-1065 is a physical-page use-after-free in the ARM Mali GPU kernel driver. Because the freed page lands in MIGRATE_MOVABLE, Dirty Pagetable and Dirty Cred do not apply — so this writeup uses a page-cache spray to swap the freed page into the in-memory copy of /usr/bin/passwd and gets root via execve() without touching disk.
Overcoming Space Restrictions with Egghunters in Windows Exploit Development — Savant Web Server 3.1, Syscall & SEH Egghunters, Heap Staging
When a Windows stack overflow gives you ~250 bytes of crash-buffer space but a useful Meterpreter payload is 400+ bytes, the answer is an egghunter. This walkthrough takes Savant Web Server 3.1 from initial crash to NT-level shell: partial overwrite to defeat the savant.exe null-byte module base, POP EAX RET gadget, a 7-byte conditional jump that exploits pre-zeroed memory, two independent buffers (URL path + HTTP body), then both classic egghunters — syscall-based on Windows 10 (with the NEG trick to encode 0x1C8 null-free) and the OS-agnostic SEH-based variant with a custom dispatcher handler.
Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1732): Walkthrough of the ConsoleControl Offset Confusion
CVE-2021-1732 is a Win32k local privilege escalation in win32kfull.sys. By flipping the 0x800 bit on tagWND with NtUserConsoleControl and returning a fake value from a user-mode callback inside xxxClientAllocWindowClassExtraBytes, an attacker turns the cbWndExtra length into a controllable kernel write offset and walks the token to NT AUTHORITY SYSTEM. End-to-end Metasploit PoC against Windows 10 20H2.









