exploits.club Weekly Newsletter 58 - Botched Mac Patches, Accidental Linux Bugs, V8 Sandbox Bypasses, And More

Remember, you might not be finding bugs this week - but at least you aren't watching your arch nemesis accept an award while the entire audience sings an unflattering double entendre about you. Life could be worse. Annnnnnyways 👇
In Case You Missed It...
- Bootstrapping Computing - We aren't sponsored, paid, or even asked to say that you should potentially pre-order this book. But we think @leotyped put it best...it's nice to see people put care into the things they build.
- (the root of the root and the bud of the bud) - @daveaitel penned some thoughts on the parallels between fuzzing and LLMs.
Resources And Write-Ups From This Week:
- TRAVERTINE (CVE-2025-24118) - When a post starts with "This is the craziest kernel bug I have ever reported"...you know you are probably in for a ride. This new post from @0xjprx covers a race condition he found in XNU, and it's full of a whole bunch of fun stuff. In order to understand the vulnerability, jprx takes you through the three technologies that are important to understand - Safe Memory Reclamation, Read-Only pages in XNU, and Per-thread credentials. He then details the bug, which results from an instance of these 3 things not playing nicely together - specifically, a non-atomic function is used to modify an SMR pointer in a read-only object used for managing sensitive information. It's a fascinating read.
- Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793) - Star Labs released a write-up on two bugs they identified in the Mali GPU kernel driver which allowed LPE from an untrusted app context. The post starts with an RCA of the bugs - mismanagement of permission flags in the driver leads to the ability to write read-only memory. The post spends its remainder discussing how to use this primitive to obtain a root reverse shell. Specifically, the exploit is able to bypass SELinux and load an arbitrary kernel module by using a 6-step process in which that Mali write primitive is used 4 times, each use helping to hop from context to context and obtain additional needed permissions.
- AMD: Microcode Signature Verification Vulnerability - Google set their sights on AMD Zen 1 through Zen 4 CPUs and was able to demonstrate an "AMD Microcode Signature Verification Vulnerability." The bug, as the title indicates, arises from improper signature verification, which "may allow an attacker with local administrator privileges to load malicious CPU microcode." Oh, and they accidentally leaked the patch ahead of time.
- Hacking the 22€ BLE Smart Ring that has a Display inside - Who doesn't love some cheap consumer device hacking? @atc1441 posted a video on YouTube this week of him doing a teardown and some hardware reversing of a BLE smart ring. The goal? To flash some custom firmware onto the device. While he wasn't able to find a usable debug interface on the device, he figured out that he could develop the firmware on a development board and then flash it directly from the mobile application. If you aren't in the video-watching mood, there is a short write-up on hackster.io as well.
- Accidentally uncovering a seven years old vulnerability in the Linux kernel - Don't you just hate it when you accidentally find bugs? Yeah, us too. Allele Security released a write-up this week about a similar scenario happening to them. They were perusing the syzkaller dashboard (as we all do), when they came across what appeared to be a race condition in KCM. However, as they narrowed down the reproducer, they started to notice something interesting...it didn't appear to be interacting with KCM at all...in fact, the module for the KCM protocol wasn't even enabled on their test machine. Further exploration revealed that the crash they were triggering was actually a KASAN refcount warning in the TCP subsystem which had been around for almost 7 years. The post goes on to determine the refcount issue could lead to a UAF, though they do not explore potential exploitability.
- V8 Sandbox Bypass: with Shared Function Info - A good-looking V8 Sandbox bypass from @__suto and @lanleft_. And by that, we mean we actually understand what's going on without being a browser wizard. There is a controllable length field, which is used for a stack pop, resulting in the ability to "manipulate the stack address to anywhere we want". From there, they were able to get PC control.
- Endless Exploits: The Saga of a macOS Vulnerability Struck Nine Times - How many patches will it take Apple to get rid of this specific bug class? Well - we think LeBron said it best. The answer, as it turns out, is 9. In this new blog from @patch1t, he details his work over the last few years looking for SIP bypasses with PackageKit. The post starts with an overview of SIP and the PackageKit framework, before detailing a bug from 2022 - leveraging a symlink to trick the shove process into shoving the payload contents into the restricted directory. What follows is 8 additional patches, and how each of them was bypassed over the course of the next 3 years. Also, there's a Timothy Chalamet/Bob Dylan reference.
- Disassembling a binary: linear sweep and recursive traversal - If you were intrigued by the disassembly conversation last week, but not sure where to get started in your own research...wellll fear not because @nicolodev has come through with the perfect resource for you. This new post talks about building a command line disassembler for the PE format in Rust. It starts with a brief overview of how to actually find the code section of the file, and then jumps into an overview of two different potential algorithms to use: linear sweep and recursive traversal. It notes the shortcomings and the strengths of each, and rounds out with some notes on additional approaches and further reading.
- Some Windows Goodies - We have a confession...we didn't make it to these Windows write-ups this week. But, we figured quite a few of you would be interested in them, so the links have been included below.
- Windows Bug Class: Accessing Trapped COM Objects with IDispatch from Project Zero
- Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update) - from Project Zero
- Exploit Development: Investigating Kernel Mode Shadow Stacks on Windows - From @33y0re...probably the most popular VR post all week, so we will come back for you Connor!
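To make the linear sweep vs. recursive traversal trade-off from the disassembly item above concrete, here is a small added example (our own, not code from @nicolodev's Rust PE disassembler) over a constructed 1-/2-byte toy ISA: a jmp hops over two data bytes embedded in the code section, linear sweep decodes the data anyway and desynchronizes, while recursive traversal only decodes bytes reachable through control flow.

```python
# Toy ISA (constructed for this example): opcode -> (mnemonic, total size).
# mov/jmp/jz carry one operand byte; jmp/jz use a signed rel8 displacement
# measured from the end of the instruction. Unknown opcodes decode as 1-byte 'db'.
OPS = {0x00: ("nop", 1), 0x01: ("mov", 2), 0x02: ("jmp", 2),
       0x03: ("jz", 2), 0x04: ("ret", 1)}

def decode(code, off):
    """Decode one instruction at `off` -> (mnemonic, size, operand or None)."""
    name, size = OPS.get(code[off], ("db", 1))
    if off + size > len(code):          # truncated operand: treat byte as data
        name, size = "db", 1
    operand = code[off + 1] if size == 2 else None
    return name, size, operand

def linear_sweep(code):
    """Decode bytes in address order; data inside the stream gets decoded too."""
    out, off = [], 0
    while off < len(code):
        name, size, operand = decode(code, off)
        out.append((off, name, operand))
        off += size
    return out

def recursive_traversal(code, entry=0):
    """Follow control flow from `entry`; only reachable bytes are decoded."""
    seen, work, out = set(), [entry], {}
    while work:
        off = work.pop()
        while 0 <= off < len(code) and off not in seen:
            seen.add(off)
            name, size, operand = decode(code, off)
            out[off] = (name, operand)
            if name in ("jmp", "jz"):       # queue the branch target
                rel = operand - 256 if operand > 127 else operand
                work.append(off + size + rel)
            if name in ("jmp", "ret"):      # no fall-through after these
                break
            off += size
    return [(o, n, a) for o, (n, a) in sorted(out.items())]

# Constructed code section: jmp +2 skips the data bytes FF 01 at offsets 2-3;
# real code resumes at offset 4 (mov 0x2A; jz +1; ret; nop; ret).
CODE = bytes([0x02, 0x02, 0xFF, 0x01, 0x01, 0x2A, 0x03, 0x01, 0x04, 0x00, 0x04])

if __name__ == "__main__":
    for title, algo in (("linear sweep", linear_sweep),
                        ("recursive traversal", recursive_traversal)):
        print(title)
        for off, mn, arg in algo(CODE):
            print(f"  {off:02x}: {mn} {'' if arg is None else hex(arg)}")
```

Linear sweep misreads the stray 0x01 at offset 3 as a mov that swallows the real opcode at offset 4 and only resynchronizes at offset 6; recursive traversal never touches offsets 2-3 but would equally miss code reached only through an indirect jump, which is the flip side the post discusses.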
Interesting Job Postings:
- Security Researcher / Cryptographer @ Intel (Remote)
- Security Researcher II @ Microsoft (Remote)
- Senior Vulnerability Researcher @ Research Innovations Incorporated (On-Site: St Pete Beach, FL)
- Vulnerability Researcher Intern (2025) @ Nightwing (On-Site: Palm Bay, FL)
- Reverse Engineer @ CrowdStrike (Remote)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory!

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
