peterpan0927@infosec.exchange (@peterpan980927) 's Twitter Profile

@peterpan980927

Mobile Security Researcher @starlabs_sg

ID: 863769508967727106

Link: https://github.com/Peterpan0927
Date: 14-05-2017 14:54:33

382 Tweet

2,2K Followers

353 Following

Patrick Wardle (@patrickwardle) 's Twitter Profile Photo

macOS malware often (ab)uses APIs such as NSCreateObjectFileImageFromMemory, NSLinkModule etc) to execute in-memory payloads. Apple has recently updated dyld3 (+these APIs), such that the in-memory payload is now first/always written out to disk 💾 See: github.com/apple-oss-dist…

Nightu (@__nightu__) 's Twitter Profile Photo

While preparing documentation for a kernelCTF submission, I took several notes on SLAB_VIRTUAL. After fixing some (actually a lot) errors, I finally submitted my pull request. Feel free to check it if interested. github.com/nightuhu/secur…

Joseph Ravichandran (@0xjprx) 's Twitter Profile Photo

CVE-2025-24118 is an absolutely crazy race condition I found in the macOS / XNU kernel. Safe memory reclamation, read-only objects, memcpy implementation details, and a race condition- oh my! jprx.io/cve-2025-24118

James D (@0x4a616d657344) 's Twitter Profile Photo

🚀 Technical Analysis! Just published my analysis of how a faulty GIF leads to a DoS condition in Apple’s iWork Suite on macOS and iOS—breaking down a couple of benign bugs in Apple's ImageIO & TSKit Frameworks 🐞 jamesd4.github.io/imageio-tskit-…

sagitz (@sagitz_) 's Twitter Profile Photo

ICYMI, #Pwn2Own will have an AI category this year! Looks like our team has already pwned 2 of these targets👀
Ollama CVE-2024-37032: wiz.io/blog/probllama…
NVIDIA Container Toolkit CVE-2024-0132: wiz.io/blog/nvidia-ai…
Maybe we should look at the rest of the targets too😎

Specter (@specterdev) 's Twitter Profile Photo

I've published a write-up on reversing and analyzing Samsung's H-Arx hypervisor architecture for Exynos devices, which has had a lot of changes in recent years and pretty interesting design. Hope you all enjoy :) dayzerosec.com/blog/2025/03/0…

fG! (@osxreverser) 's Twitter Profile Photo

Clownpertino - A simple macOS debugger detection trick
Pretty sure someone using this one since it’s so easy but I haven’t seen it in the wild. Just some Monday lulz read while the stock markets burn :P reverse.put.as/2025/04/04/clo…

Epsilon (@epsilon_sec) 's Twitter Profile Photo

About to celebrate Easter with your family but don't know what to talk about at the table? Then don't lose time and read our new article about RPAC! blog.epsilon-sec.com/cve-2025-31201…

Proteas (@proteaswang) 's Twitter Profile Photo

`CVE-2025-24203`: hierarchy of vm_object_t when changing `MAP_SHARED` to `MAP_PRIVATE`. The topmost object has its own physical page.

starlabs (@starlabs_sg) 's Twitter Profile Photo

After 6 months of responsible disclosure, proud to announce our team discovered 13 (mostly exploitable) vulnerabilities in Samsung Exynos processors! Kudos to Billy, Ramdhan, [email protected] & rainbowpigeon CVE-2025-23095 to CVE-2025-23107 semiconductor.samsung.com/support/qualit…

starlabs (@starlabs_sg) 's Twitter Profile Photo

When life gives you tangerines🍊
Intern Lin Ze Wei's task: Port a 2-bug exploit to Pixel 6 Pro
Problem: One bug "doesn't work"
Solution: Make it work with 1 bug
Sometimes the best research comes from working with what you think you have
starlabs.sg/blog/2025/06-s…

john (@nyan_satan) 's Twitter Profile Photo

Apple T1 debug
There is an internal macOS Sierra build in the wild (Phoenix A1708.dmg)
Load AppleAstrisGpioProbe kext from there for SWD
"eoshutil" can do reset/DFU
UART goes to Intel chipset and available in /dev
ipwndfu & checkm8_bootkit for pwn, demotion and loading iBoot

Crusaders of Rust (@cor_ctf) 's Twitter Profile Photo

Here is our 0day for kernelCTF🩸
- 82k bounty
- quickest submission ever
- all instances pwned😎
syst3mfailure.io/rbtree-family-…
Disclaimer: We apologize for abusing the red black tree family. Turning grandparents against grandchildren is only acceptable in the context of pwn😤

Tielei (@wangtielei) 's Twitter Profile Photo

Just finished a new blog sharing an interesting example demonstrating the power of cross-operating system vulnerability variant analysis! Check it out here: github.com/wangtielei/Sli… Hope you like it.

starlabs (@starlabs_sg) 's Twitter Profile Photo

Reverse engineering Google's undocumented DSP pays off! Our co-workers Billy & [email protected] found the first public vuln in Pixel 8's DSP → kernel takeover MTE? What MTE? 😎 Their talk got accepted at HITCON hitcon.org/2025/en-US/age…

Guanxing (@hhj4ck) 's Twitter Profile Photo

✅ Just wrapped up my deep-dive on exploiting an unfused Qualcomm QCM2150 POS device (BootROM → root). hhj4ck.github.io/qualcomm/2025/… Flying to Vegas in the morning stress-free for #BHUSA & #DEFCON33. Catch me in the hallways!

quarkslab (@quarkslab) 's Twitter Profile Photo

From kernel oops to kernel exploit: How two little bugs (CVE-2025-23330, CVE-2025-23280) in #NVIDIA open GPU #Linux driver can lead to full system compromise. Full technical breakdown inside, #vmalloc exploitation technique included! blog.quarkslab.com/nvidia_gpu_ker…

Proteas (@proteaswang) 's Twitter Profile Photo

Top researchers do their best to exploit bugs. "Something from Nothing - Exploiting Memory Zeroing in XNU": objectivebythesea.org/v8/talks/OBTS_…