exploits.club Weekly Newsletter 88 - kCTF RCAs, Tesla Shells, Remote Pointer Leaks, And More

We hope everyone is enjoying their new t swizzle album with a pumpkin spice latte on the side...annnnnyways 👇
In Case You Missed It...
- ZeroDay Cloud - AWS, GCP, and Azure have teamed up to put on an OSS 0-day competition. Find bugs in the targets, demo them on stage, get paid...sound familiar? Check it out!
- Android September Security Bulletin - Adjacent zero clicks and some targeted ITW bugs patched in this one...fun.
Resources And Write-Ups From This Week:
- Technical Advisory: Tesla Telematics Control Unit: ADB Auth Bypass - NCC Group dropped a Tesla bug earlier this week that let them gain root access to the car's TCU via an arbitrary file read / write. The technical advisory walks through how the unit attempts to restrict adb access when plugged in, but does not prevent pull, push, or forward commands. Because of this misconfiguration, the team was able to abuse the uevent_helper / hotplug sysfs kernel subsystem, pointing the uevent_helper at a custom script that spawned telnetd and forwarded it over a specific port.
- Breaking down the patch for CVE-2025-43400 - A quick hitter as an X thread from @clearbluejar. A recent Apple patch noted that macOS Tahoe had been affected by an OOB write as the result of a malicious font. The thread on X breaks down the core vulnerability, pointing out that it was a classic integer overflow, where things like the "encoding count" provided by the font would result in a wraparound and a subsequent tiny buffer allocation. Taking a look at the patch diff, the post goes on to point out how the "improved bounds checking" touted by Apple was actually implemented.
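The count-times-record-size wraparound described in that thread, shown as an added example (this is not code from Apple's patch or from @clearbluejar's thread): a constructed 16-byte record type and a hypothetical table parser, with the unchecked 32-bit size computation beside a checked one that also bounds the count by the bytes actually present in the blob.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout: 16 bytes per "encoding" entry (hypothetical). */
typedef struct { uint32_t code; uint32_t glyph; uint64_t reserved; } encoding_rec;

/* 'Before' pattern: the attacker-controlled 32-bit count is multiplied straight
 * into a 32-bit size. A large count wraps to a tiny value, malloc succeeds with
 * a small buffer, and the copy loop sized by 'count' writes out of bounds. */
uint32_t unsafe_alloc_size(uint32_t count) {
    return count * (uint32_t)sizeof(encoding_rec);   /* 0x10000001 * 16 wraps to 16 */
}

/* Hardened form: refuse any count whose product cannot fit in the size type
 * before touching the allocator. Returns 1 and fills *out on success, 0 otherwise. */
int checked_alloc_size(uint32_t count, uint32_t *out) {
    const uint32_t per = (uint32_t)sizeof(encoding_rec);
    if (count > UINT32_MAX / per) return 0;           /* multiplication would wrap */
    *out = count * per;
    return 1;
}

/* Hypothetical table parser: 4-byte little-endian count followed by records.
 * Besides the overflow check, the count is bounded by the bytes remaining in
 * the blob, so a "valid" but oversized count cannot read past the input either.
 * Returns 1 on success (caller frees *out), 0 on any malformed input. */
int parse_encoding_table(const uint8_t *blob, size_t blob_len,
                         encoding_rec **out, uint32_t *out_count) {
    uint32_t count, need;
    if (blob_len < 4) return 0;
    memcpy(&count, blob, 4);
    if (!checked_alloc_size(count, &need)) return 0;
    if (need > blob_len - 4) return 0;                /* table claims more than we have */
    encoding_rec *recs = malloc(need ? need : 1);
    if (!recs) return 0;
    memcpy(recs, blob + 4, need);
    *out = recs;
    *out_count = count;
    return 1;
}
```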
- Analysing a 1-day Vulnerability in the Linux Kernel's TLS Subsystem - @farazsth98 recently ventured into the Linux kernel space and well...needless to say they're picking it up quite quickly. In this new blog post, we get an analysis of a recent kernelCTF submission, starting from the patch commit and working backwards. The post starts with a review of the actual diff and the description before taking a short detour into setting up a research environment. From there, it's off to the races. We get a short overview of some previous research on the kTLS subsystem and the relevant information needed to understand how the attack surface can be reached. Next, we turn back to the patch to better understand the affected functions and where they sit within the theoretical call stack, tracing down to RCA the OOB access on the frags array. Next we look into reaching the buggy code path, working to craft a PoC to trigger the bug and encountering quite a few hurdles along the way. The post rounds out with some thoughts on exploitation....which luckily 👇
- Analyze Linux Kernel 1-day 0aeb54ac - Where the previous research ended, we have a bit of additional info from @u1f383, who also decided to look at the same bug. This post retraces some of the same steps, covering the RCA and the trigger, but then pushes the research a bit further, looking at how the issue can be exploited. It walks through spraying pagetables, overwriting the PTE, and reading out the flag. The full exploit is also available, so between the two posts and the full PoC, you should have plenty of kCTF content to sink your teeth into.
- CodeQL zero to hero part 5: Debugging queries - Over the last 2+ years, GitHub has been adding entries to their CodeQL Zero To Hero series. This week saw the newest entry in the line-up, with a new tutorial going over the best way to debug your queries. The post uses real questions and examples from users as a guide to show some of the common issues you may bump up against and how they can be troubleshot using some of the built-in CodeQL tooling. It demonstrates how to use "Quick Evaluation" and the AST viewer to quickly see what values are (or are not) being identified, using a demonstrative Python program where a taint tracking query is not working as expected.
- Pointer leaks through pointer-keyed data structures - New Project Zero post from Jann Horn last week, so you know we had to jump on that. The research presented was initially spawned by the question "how can we get remote leaks on Apple devices?" and concluded with an interesting artificial test case / example. The post starts with a bit of background on hashDoS, originally presented in 2011, and how that served as an inspiration, with the takeaway: "When pointers are used as the basis for object hash codes, this can leak pointers through side channels in keyed data structures". The post then moves into an artificial test case, with the goal of getting a leaked pointer into a shared cache through NSKeyedUnarchiver.unarchivedObjectOfClasses, which will deserialize an attacker-supplied object graph, reserialize it, and write back the data. The post gives you background on the building blocks of this attack, and then walks you through the actual trigger with a theoretical example program. Pretty sweet.
- Security through Transparency: Tales from the RP2350 Hacking Challenge - This one is in our backlog...we haven't gotten to it yet, but we encourage you to beat us to the punch. A paper that showcases not one, not two, not three...but 5 different attacks that break the secure boot guarantees of a locked-down RP2350 chip. We covered the RP2350 competition in January of this year, and it is cool to see the researchers come together to release a much more detailed report.
Interesting Job Postings:
- Offensive Security Researcher @ NVIDIA (On-Site: Seattle, WA)
- Mid-level Vulnerability Researcher @ Battelle (On-Site: Columbus, OH)
- Senior Security Researcher @ Malwarebytes (On-Site: Bilbao, Basque Country, Spain)
- Anti-Cheat Engineer @ Electronic Arts (On-Site: Austin, TX)
- Senior Product Security Engineer @ Bose Corporation (Hybrid: Atlanta, GA)
Wrapping Up:
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Want to support us? Buy us a coffee ☕️
Don't forget to check out https://bug.directory!

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
