
exploits.club Weekly Newsletter 85 - Fuzzing KSMBD, Kernel-Hack-Drill, Vibe-Crashing, And More

New idea - let AI submit different, buzzwordy talks to every CFP. What could go wrong? Annnnnnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • ksmbd - Fuzzing Improvements and Vulnerability Discovery - Wayyy back in January of this year, we covered @Doyensec's venture into ksmbd vulnerability research. In that initial post, the team extended syzkaller's grammar and coverage for the in-kernel SMB server, then triaged the 3 bugs they found. In this new entry in the series, the team recaps their continued work on making the fuzzer better, applying different strategies and ultimately finding more bugs. To start, they enabled as many ksmbd features as possible to expand the reachable attack surface. Next came iterative improvements, including better session set-up, state management, and protocol-specific grammar. They also tried different fuzzing strategies, focusing on under-covered areas and improving their corpus. The blog concludes with a table of the 23 bugs they reported.
  • Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel - Earlier this year, we ALSO covered @a13xp0p0v's Kernel-Hack-Drill talk from Zer0Con. So those of you who are perpetually online reading others' research while avoiding your own would have gotten a sneak preview of the in-depth blog post he released this week. In it, he discusses CVE-2024-50264, a race condition in AF_VSOCK sockets that results in a UAF. After walking through a root-cause analysis of the bug, the write-up turns its attention to the main focus: the major constraints on exploitation. Specifically, the tight race window, a NULL-deref side effect, the kworker hang...it's pretty much a nightmare. After walking through a few ideas that proved not to work, he decided to target msg_msg. However, because of the fragility of the bug, he turned to kernel-hack-drill, a project he created and maintains that lets you practice exploitation techniques in a controlled setting. There, he was able to experiment with cross-cache attacks on a modern Ubuntu box, and take those learnings back to the real bug. After that it was on to finding an arbitrary write, Dirty Pipe, a KASLR bypass...all the kernel exploitation goodies.
  • Leave AI Slop out of CVE; Humans Make Mistakes Just Fine - An opinion piece, but we are all about opinions around here. Vulnerability historian @attritionorg took to the internet to ask "can AI help CVE?" The blog quickly explains why the answer should be an emphatic no. For starters, he argues, CVE might not be salvageable in its current state anyway. Looking at some of the recent AI-driven vuln intel companies, he points out that their implementations can cause more harm than good. Using a case study to illustrate the point, we are introduced to Transilience's product line and all the times it has hallucinated CVE IDs (personal favorite). The post wraps up with some broader thoughts on the direction of the industry amid the "enshittification" of many products, and discusses why humans are very much still needed for almost all infosec roles.
  • The Intended Solution for LeakLess - A fun Windows kernel chal from HITCON with two vulnerabilities. The first is that the driver checks the validity of a user-supplied pointer, and the outcome of that check is observable, so it can be used as a side channel to figure out the kernel base address. The second is a double fetch, which can be won as a race to redirect a pointer to an arbitrary kernel address, "resulting in an arbitrary increment primitive". Now look...it sounds like we are starting to brag a little (and maybe we are) but if you are a reader of the newsletter, then you might already know what the intended solution could be. As they point out, and we so kindly covered last year, this arbitrary increment can be used to bump nt!SeDebugPrivilege to 0x17 (SeDebugPrivilege's LUID is 0x14; 0x17 is SeChangeNotifyPrivilege, which every token holds, so the kernel's SeDebugPrivilege checks start passing for ordinary users). From there, a normal user effectively gains SeDebugPrivilege, giving them access to APIs that leak object addresses. That allows recovery of the I/O ring address, the arbitrary increment primitive can be escalated to an arbitrary read, and the flag can be recovered. Pretty slick.
  • The Art of Vibe-Crashing - Shellphish released a new blog this week to discuss "DiscoveryGuy", the purely LLM-driven bug-finding agent that served as part of their AIxCC entry. Essentially, DiscoveryGuy worked by taking functions initially flagged by a CodeQL or Semgrep scan, reviewing them, and then trying to write a Python seed that reaches the flagged code with a triggering input. In fact, it was so simple that they described its secret sauce as "just grep". Step 1 is harness selection - basically, "what is the easiest way for me to reach the vulnerable function?". Step 2 is vuln reasoning: reviewing the static analysis finding, figuring out if it is a real vulnerability, and working out what would actually trigger it. Finally, step 3 takes the info from the first two steps and crafts a seed. Now, DiscoveryGuy wasn't always perfect, so if the generated seed did not crash the target straight away, the next step was to start fuzzing along that same path. During the competition it one-shot 20 different targets!
  • Introduction to KVM & Hardware Virtualization - Did you wake up today and go...."wow, I really hope someone provides a good primer for KVM and hardware virtualization"? If you did, we might first suggest going outside and getting a little sunshine. But afterwards, we would point you towards Fuzzing Labs' recently released blog post, which does just that. The post starts with a primer on hypervisors and virtualization techniques, covering full binary emulation, para-virtualization, and hardware virtualization. From there it dives into how hardware virtualization actually works, detailing x86 and AMD's SVM extensions in particular. We then move to KVM and put on our vuln research hats to look at it from an attack surface perspective. Apparently this will be a series, and we can look forward to future installments covering debugging and nested virtualization fuzzers.
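
Since the double fetch is the heart of the LeakLess primitive, here is an added example of ours (not code from the challenge, the HITCON write-up, or the driver) that simulates the pattern in user space: a fake "driver" handler reads a target pointer out of a caller-shared request twice, a hook plays the racing thread and swaps the pointer between the check and the use, and the hardened handler next to it fetches once. The address split, the handler names and the 0x14 starting value are all made up for illustration.

```c
/* Added example, not code from the LeakLess challenge or its write-up.
 * User-space simulation of a driver double fetch: the handler reads a pointer
 * from a request buffer it shares with the caller, and a hook standing in for
 * the racing user thread rewrites that pointer between check and use.
 * The fake address split, names and the 0x14 start value are illustrative. */
#include <stdint.h>
#include <stdio.h>

/* Fake address space: one counter the caller may legally bump, and one
 * "kernel" value it must never touch. 0x14 mirrors the LUID-style value the
 * challenge increments; the real kernel object is not modelled. */
static uint64_t user_counter = 0;
static uint64_t kernel_value = 0x14;

struct request {
    uint64_t *target;                      /* lives in caller-controlled memory */
};

typedef void (*race_hook_t)(struct request *);
typedef int (*handler_t)(struct request *, race_hook_t);

/* Simulated pointer validation: only the user counter is an acceptable target. */
static int target_is_user(const uint64_t *p)
{
    return p == &user_counter;
}

/* VULNERABLE: req->target is fetched twice. If the caller's memory changes
 * between fetch #1 (check) and fetch #2 (use), the increment lands on an
 * address that was never validated. */
int handle_double_fetch(struct request *req, race_hook_t racer)
{
    if (!target_is_user(req->target))      /* fetch #1: the check */
        return -1;
    racer(req);                            /* the race window */
    (*req->target)++;                      /* fetch #2: the use */
    return 0;
}

/* HARDENED: capture the pointer once into a local the caller cannot reach,
 * then check and use that same copy. */
int handle_single_fetch(struct request *req, race_hook_t racer)
{
    uint64_t *t = req->target;             /* single fetch */
    if (!target_is_user(t))
        return -1;
    racer(req);                            /* flipping req->target changes nothing now */
    (*t)++;
    return 0;
}

/* What the attacker's second thread does: swap the pointer after the check. */
static void flip_to_kernel(struct request *req)
{
    req->target = &kernel_value;
}

/* Drive the handler n times with the attacker winning every race. Resets
 * kernel_value to 0x14 first so runs are independent; returns its final value. */
uint64_t race_n_times(handler_t handler, int n)
{
    kernel_value = 0x14;
    for (int i = 0; i < n; i++) {
        struct request req = { .target = &user_counter };
        handler(&req, flip_to_kernel);
    }
    return kernel_value;
}

int main(void)
{
    printf("double fetch, 3 wins: kernel_value = 0x%llx\n",
           (unsigned long long)race_n_times(handle_double_fetch, 3));   /* 0x17 */
    printf("single fetch, 3 wins: kernel_value = 0x%llx\n",
           (unsigned long long)race_n_times(handle_single_fetch, 3));   /* 0x14 */
    return 0;
}
```

With three won races the single-fetch handler never touches kernel_value, while the double-fetch one walks it from 0x14 to 0x17. In a real driver the fix is the same idea at scale: copy the whole request into kernel memory once (under a probe/try block on Windows), validate the copy, and never re-read user memory afterwards.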

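As an added example to go with the KVM primer (ours, not code from the Fuzzing Labs post), the following C program drives the smallest useful guest through the /dev/kvm ioctl interface: one page of RAM, one vCPU in real mode, and guest code that writes a byte to a port and halts. Every ioctl it issues is a userspace-to-hypervisor entry point, which is exactly the attack surface the post looks at. It is Linux-only and needs a usable /dev/kvm; the port number, the KVM_UNAVAILABLE code and the function name are our choices.

```c
/* Added example, not code from the Fuzzing Labs post: a minimal guest driven
 * through the /dev/kvm ioctl interface. Linux only; needs a usable /dev/kvm.
 * The port, the KVM_UNAVAILABLE code and the function name are our choices. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/kvm.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

#define KVM_UNAVAILABLE (-1000)  /* /dev/kvm missing or not permitted */
#define GUEST_CODE_GPA  0x1000   /* guest-physical address the code is loaded at */
#define GUEST_MEM_SIZE  0x1000
#define DEBUG_PORT      0x3f8    /* any port works: port I/O always exits to the VMM */

/* 16-bit real-mode guest: mov dx,0x3f8 ; mov al,'A' ; out dx,al ; hlt */
static const uint8_t guest_code[] = { 0xba, 0xf8, 0x03, 0xb0, 0x41, 0xee, 0xf4 };

/* Runs the guest until it halts. Returns the byte it wrote to DEBUG_PORT ('A'),
 * KVM_UNAVAILABLE if /dev/kvm cannot be opened, or another negative code. */
int run_tiny_guest(void)
{
    int kvm, vm = -1, vcpu = -1, run_size = 0, ret = -1, out_byte = -1;
    void *mem = MAP_FAILED;
    struct kvm_run *run = MAP_FAILED;
    struct kvm_userspace_memory_region region;
    struct kvm_sregs sregs;
    struct kvm_regs regs;

    kvm = open("/dev/kvm", O_RDWR | O_CLOEXEC);
    if (kvm < 0)
        return KVM_UNAVAILABLE;

    /* The KVM API version has been 12 for years; refuse an unknown ABI. */
    if (ioctl(kvm, KVM_GET_API_VERSION, 0) != 12) goto out;
    if ((vm = ioctl(kvm, KVM_CREATE_VM, 0)) < 0) goto out;

    /* Guest RAM is plain host memory, registered with the VM as a memory slot. */
    mem = mmap(NULL, GUEST_MEM_SIZE, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) goto out;
    memcpy(mem, guest_code, sizeof guest_code);
    memset(&region, 0, sizeof region);
    region.slot = 0;
    region.guest_phys_addr = GUEST_CODE_GPA;
    region.memory_size = GUEST_MEM_SIZE;
    region.userspace_addr = (uint64_t)(uintptr_t)mem;
    if (ioctl(vm, KVM_SET_USER_MEMORY_REGION, &region) < 0) goto out;

    if ((vcpu = ioctl(vm, KVM_CREATE_VCPU, 0)) < 0) goto out;

    /* The kvm_run page is shared with the kernel: VM exits (and port I/O data)
     * are reported back to the VMM through it. */
    run_size = ioctl(kvm, KVM_GET_VCPU_MMAP_SIZE, 0);
    if (run_size <= 0) goto out;
    run = mmap(NULL, run_size, PROT_READ | PROT_WRITE, MAP_SHARED, vcpu, 0);
    if (run == MAP_FAILED) goto out;

    /* Real mode with CS base 0, so RIP is simply a guest-physical address. */
    if (ioctl(vcpu, KVM_GET_SREGS, &sregs) < 0) goto out;
    sregs.cs.base = 0;
    sregs.cs.selector = 0;
    if (ioctl(vcpu, KVM_SET_SREGS, &sregs) < 0) goto out;
    memset(&regs, 0, sizeof regs);
    regs.rip = GUEST_CODE_GPA;
    regs.rflags = 0x2;                      /* bit 1 of RFLAGS is always set */
    if (ioctl(vcpu, KVM_SET_REGS, &regs) < 0) goto out;

    for (;;) {
        if (ioctl(vcpu, KVM_RUN, 0) < 0) { ret = -2; goto out; }
        if (run->exit_reason == KVM_EXIT_IO) {
            /* The OUT trapped; the byte sits inside the kvm_run page itself. */
            if (run->io.direction == KVM_EXIT_IO_OUT &&
                run->io.port == DEBUG_PORT && run->io.size == 1)
                out_byte = ((uint8_t *)run)[run->io.data_offset];
        } else if (run->exit_reason == KVM_EXIT_HLT) {
            ret = out_byte;
            goto out;
        } else {
            ret = -3;                       /* e.g. KVM_EXIT_FAIL_ENTRY */
            goto out;
        }
    }

out:
    if (run != MAP_FAILED) munmap(run, run_size);
    if (vcpu >= 0) close(vcpu);
    if (mem != MAP_FAILED) munmap(mem, GUEST_MEM_SIZE);
    if (vm >= 0) close(vm);
    close(kvm);
    return ret;
}
```

Call run_tiny_guest() from a main: it returns 'A' once the guest's OUT reaches us through KVM_EXIT_IO and the guest halts, KVM_UNAVAILABLE when /dev/kvm cannot be opened, and another negative code on any other failure. The exit loop is the part worth staring at from a vuln research angle: the kvm_run page is kernel-written, userspace-read shared state, and port I/O, MMIO and failed VM entries all get reported through it.
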
Interesting Job Postings:

Wrapping Up:

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Want to support us? Buy us a coffee ☕️

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs



Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️