CVE-2018-8611 is a race-condition LPE in the Windows Kernel Transaction Manager (KTM), originally caught in the wild by Kaspersky’s AEP in October 2018 and patched in December 2018. This first instalment lays the KTM foundation — transaction managers, resource managers, transactions, enlistments — that the rest of the series builds on.
Exploiting CVE-2024-1065 via the Page Cache — A Physical-Page UAF in the ARM Mali GPU Driver
CVE-2024-1065 is a physical-page use-after-free in the ARM Mali GPU kernel driver. Because the freed page lands in MIGRATE_MOVABLE, Dirty Pagetable and Dirty Cred do not apply — so this writeup uses a page-cache spray to swap the freed page into the in-memory copy of /usr/bin/passwd and gets root via execve() without touching disk.
Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1732): Walkthrough of the ConsoleControl Offset Confusion
CVE-2021-1732 is a Win32k local privilege escalation in win32kfull.sys. By flipping the 0x800 bit on tagWND with NtUserConsoleControl and returning a fake value from a user-mode callback inside xxxClientAllocWindowClassExtraBytes, an attacker turns the cbWndExtra length into a controllable kernel write offset and walks the token to NT AUTHORITY\SYSTEM. End-to-end Metasploit PoC against Windows 10 20H2.
Covert Kernel/User Communication Channels on Windows: Rootkits, Game Cheats, and Detection
A defender-side surface map of Windows kernel/user-mode covert channels — mailslots and ALPC, firmware-table providers and WNF, dispatch tables and writable .data pointers, KernelCallbackTable, MDL-backed mailboxes, GPU/DXGK primitives, page-guard signals, EPT/MMIO, DMA cards, and visual capture. Covers the six-plane channel grammar, PatchGuard exposure classes, and a production detection program with baselines, cross-view validation, and false-positive control.
Qualcomm QAIC Kernel Driver Page Use-After-Free: From Stale Mmap to Pipe-Buffer-Backed Kernel R/W (Walk-through of Lukas Maar’s Linux v6.18 Exploit)
Walk-through of Lukas Maar’s page-level use-after-free in the Linux kernel’s QAIC (Qualcomm AI Accelerator) DRM driver: the missing VMA boundary check in qaic_gem_object_mmap leaves stale page-table entries pointing at compound-page memory the kernel has already freed; reclaim the underlying order-3 page as a pipe_buffer slab and the dangling user mapping turns into an arbitrary kernel-physical read/write primitive, which the exploit chains via init_task lookup into a clean root.
Two-Shot Kernel Shellcode: Bypassing CR4 Pinning With KProbes for Linux Kernel Control-Flow Hijack to Shellcode
A walk-through of zolutal’s revival of the 2017 Project Zero “native_write_cr4” trick on a modern Linux kernel with CR Pinning enabled. The post identifies a tiny window between the CR4 write and the fixup, uses KProbes to land inside it via a control-flow hijack, and chains two arbitrary-call primitives to register a probe and trigger it — ending in user-mode-style shellcode running in ring 0.
CVE-2026-40369: Arbitrary Kernel Address Increment via NtQuerySystemInformation
CVE-2026-40369 is a Windows kernel bug in “nt!ExpGetProcessInformation” that lets any unprivileged process — including one inside Chrome’s renderer sandbox — increment three DWORDs at an attacker-chosen kernel address per syscall, with no race condition, no heap spray, and 100% determinism. This deep dive walks Ori Nimron’s full exploit chain: KASLR via the prefetch side-channel, arbitrary kernel “read” via “CmpLayerVersions” type confusion (built on the Windows UTF-8 conversion path), token-privilege bitmask increment to grant SeDebugPrivilege, code injection into a SYSTEM process, and a clean restore of “CmpLayerVersionCount” at the end. Rewritten from the canonical pwn2nimron.com writeup with all original IDA decompilations and the PoC reproduced verbatim.
CVE-2024-27398: Exploiting a Linux Bluetooth SCO Use-After-Free with SMEP Bypass
A full walkthrough of CVE-2024-27398, a race-induced use-after-free in the Linux 6.8 Bluetooth SCO subsystem. The exploit races two connect() threads on the same SCO socket to orphan a delayed-work timer, reclaims the freed sock with add_key(), forges a valid DEBUG_SPINLOCK pattern in the spray payload, and uses an xchg eax, esp ; ret gadget to pivot the kernel stack into userspace — bypassing SMEP with pure ROP and overwriting modprobe_path to get root.
No More Hardcoded Kernel Offsets: Turning Microsoft PDB Symbols into a Runtime BYOVD Superpower
A Windows kernel research technique that uses Microsoft PDB symbols to resolve offsets dynamically, avoiding hardcoded values and manual WinDBG work across builds.
Building a DIY EDR from Scratch: Windows Kernel Callbacks, User-Mode Hooks, and Shellcode Injection Detection
A hands-on guide to building a basic Windows EDR with a kernel driver, callbacks, static analysis, DLL injection, and hooks to detect remote shellcode injection.