exploits.club Weekly Newsletter 90 - Fuzzing Rust Subsystems, Pwn2Own Near Misses, Linux 1-Days, And More

Good thing that absolutely no drama whatsoever took place for US vuln research firms this week...annnnnyways 👇
In Case You Missed It...
- OffensiveCon CFP - Closes March 1st, 2026 so let the procrastination begin!
- RE//Verse CFP - These need to be in by November 14th, so a bit less procrastinating.
- PwnDbg Update - Better kernel debugging, Mach-O and Objective-C support, and more!
Resources And Write-Ups From This Week:
- Denial of Fuzzing: Rust in the Windows kernel - What do you get when you fuzz GDI? Well, if you are Check Point Research, you get bugs. In their newest post, the team walks through how they targeted the Windows subsystem, specifically focusing on the parsing of EMF's younger brother, EMF+. After generating an initial crash, the post then walks through everyone's favorite fuzzing challenge...failing to repro. The team was able to troubleshoot this by manually saving individual mutations to more closely key in on the pattern that led to the vulnerability. Next, the post looks into an RCA of the bug, determining the kernel panic is actually the result of some newly introduced Rust code that identifies an out-of-memory access and triggers a fatal exception. Microsoft called this Rust working the way Rust is supposed to work...Check Point said a BSOD and a potential system DoS from a userland program = bad.
- yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242) - watchTowr returns with their usual antics of embarrassing vendors. This week, they set their sights on WatchGuard's Fireware OS, the OS powering WatchGuard's network security appliances. Specifically, the team decided to dig into a recent pre-auth RCE vuln disclosed as CVE-2025-9242. To identify this alleged OOB write, the team first started with a bit of patch diffing, quickly zeroing in on a suspicious function change in the iked binary. After a brief detour to describe IKEv2, the post returns to do a thorough RCA, identifying a classic stack-based buffer overflow, and generating a trigger. From there, they are able to ROP to a shell because there are just...no mitigations at all. Very nice.
- Pwn2Own 2025: Pwning Lexmark's Postscript Processor - What's worse than not finding a bug for P2O? Finding a bug, only for it to be patched a week before the competition. Well, @boredpentester's pain is our gain, because this week we got an early write-up for a printer bug that almost made it to competition day. The post starts with a bit of background on the target and how Mr. pentester was able to get the initial shell on the device. Next, we turn our attention to Lexmark's Postscript stack, a relatively scrutinized part of the tech stack, and the subject of a HITB talk from NCC Group back in 2023. During code review, Josh spotted a bug related to parsing Compact Font Format data that resulted in an arb r/w primitive. With more RE, some dynamic debugging, and trial and error, the post carefully walks through how this prim could be turned into a system call...with a 7-character argument. ZDI didn't love that, so Josh went back to the drawing board, rethinking the exploit strategy, and eventually getting it to work on an older 32-bit model. However, while trying to port it to the competition device, the test printer he had broke and THEN Lexmark patched the bug. A saga worthy of a reality TV show.
- Dissecting a 1-Day Vulnerability in Linux's XFRM Subsystem - If you aren't familiar with @streypaws, well, it's time you get acquainted. These days, it seems like at least once a month he is putting out juicy Android and kernel posts that break down bugs, deep-dive subsystems, and provide some unique insights. In his catalog just since summer we have gotten posts on Android kernel debugging, Qualcomm DSP internals, and a Linux POSIX CPU timer subsystem vuln breakdown. NOW, he has returned to break down a 1-day in the Linux XFRM subsystem which was used in kCTF. The post dives into the subsystem, takes a look at the patch, and RCAs the UAF (which is deep in a call chain). Next, we move to setting up a Linux kernel emulation environment, before finally putting together a trigger.
- Blu-ray Disc Java Sandbox Escape via two vulnerabilities - When we say "PlayStation hacker", your mind probably goes to two things...1. a pretty bad diss track and 2. @theflow0. Good news for you...one of those things has returned this week with a nice two-bug sandbox escape chain. Publicly disclosed on H1, the chain combines two vulnerabilities that allow for method invocation in a privileged context. Using these two invocations, one can set the security manager to null, disabling the Java sandbox.
- Dolby Unified Decoder: Out of bounds write in evolution parsing - Ah, Android 0-click vulns as a result of some random 3rd-party dep that parses random media on its reception. We have seen P0 researcher @natashenka interested in these types of attack surfaces for many years now, and her most recent disclosure is no different. Specifically, Dolby's DDPlus Unified Decoder had an OOB write that could be triggered while processing an audio message. This was the result of an integer wrap, leading to a very small allocated buffer and an insufficient size check.
Interesting Job Postings:
- Senior Software Engineer @ Autonomous Cyber (Remote: US)
- Vulnerability Researcher - Assessments & Exercises @ JPMorganChase (On-Site: DE | NJ | TX | NY | IL | OH | GA)
- Vulnerability Researcher Vice President @ JPMorganChase (On-Site: London, UK)
- Senior Vulnerability Researcher @ RII (On-Site: San Antonio, TX)
- Senior Vulnerability Researcher @ DEFION Security (Hybrid: Zoetermeer, South Holland, Netherlands)
Wrapping Up:
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Want to support us? Buy us a coffee ☕️
Don't forget to check out https://bug.directory!

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
