Man Yue Mo (@mmolgtm)'s Twitter Profile
Man Yue Mo

@mmolgtm

Security researcher at GitHub Security Lab. Tweets/views/opinions are my own.

ID: 905804800750751745

Joined: 07-09-2017 14:47:48

59 Tweets

4.4K Followers

78 Following

GitHub Security Lab (@ghsecuritylab)'s Twitter Profile Photo

Learn how Man Yue Mo dug his way out of the Chrome sandbox using a credit card as a shovel! "The fugitive in Java: Escaping to Java to escape the Chrome sandbox" github.co/3AY6Uw6

GitHub Security Lab (@ghsecuritylab)'s Twitter Profile Photo

Go dumpster diving for arbitrary code execution in v8's garbage collector with Man Yue Mo in his Chrome vulnerability RCA for CVE-2021-37975 github.co/3pjp3RY

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

In this post I'll go through 3 bugs in the Qualcomm NPU driver that I reported, which allowed me to execute arbitrary kernel code from the untrusted app domain in Android, disable SELinux and bypass task cred protection to gain root on a Samsung phone: securitylab.github.com/research/qualc…

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

This is probably the most complex exploit I've done so far. A UAF in Android kernel freed by kfree_rcu (introduces a delay) in a tight race + kCFI + Samsung RKP. Yet it's still possible to gain arbitrary kernel RW, disable SE and root from untrusted app. github.blog/2022-06-16-the…

GitHub Security Lab (@ghsecuritylab)'s Twitter Profile Photo

In this post Man Yue Mo goes through the details of CVE-2022-1134, a type confusion in Chrome, and shows how to gain remote code execution in the Chrome renderer using this bug. github.co/3Oys62x

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

This might be the best bug I found. Never thought I'd be writing a kernel exploit as reliable, clean and fast as a browser exploit. For a while I actually used this to root my research phone when I can't be bothered to patch the ROM: github.blog/2022-07-27-cor…

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

CVE-2022-25664 is one of the most interesting bugs I've reported. It's "only" an info leak, but a very powerful one that allows an untrusted Android app to read pages of memory from the kernel or other apps any number of times. github.blog/2023-02-23-the…

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

In this post I'll look at a patching issue that left Pixel 6 vulnerable to an already-fixed bug for more than 5 months. This allows arbitrary kernel code execution and root from an untrusted app and shows some potential problems with backporting: github.blog/2023-04-06-pwn…

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

This time I'll look at CVE-2022-46395, an Arm Mali GPU driver UAF I found by analysing Jann Horn's CVE-2022-36449. I'll also use a technique of Jann Horn's to win a very tight race to gain arbitrary kernel code execution and root from an untrusted Android app. github.blog/2023-05-25-roo…

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

In this post I'll use CVE-2023-3420, an incorrect side-effect modelling bug in the JIT compiler that I reported to Chrome, to gain sandboxed remote code execution in the renderer: github.blog/2023-09-26-get…

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

In this post I'll use CVE-2023-4069, a type confusion bug in the Maglev JIT compiler of Chrome that I reported in July, to gain RCE in the Chrome renderer sandbox: github.blog/2023-10-17-get…

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

In this post I'll use CVE-2023-6241, a vulnerability in the Arm Mali GPU that I reported last November, to gain arbitrary kernel code execution from an untrusted app on a Pixel 8 with MTE enabled. github.blog/2024-03-18-gai…

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

In this post I'll use CVE-2024-3833, a type confusion in v8, to gain remote code execution in the Chrome renderer sandbox: github.blog/2024-06-26-att…

Oege de Moor (@oegerikus)'s Twitter Profile Photo

I founded a new company: @xbow. XBOW brings AI to offensive security, augmenting the productivity of pentesters, bug hunters and security researchers.

Man Yue Mo (@mmolgtm)'s Twitter Profile Photo

In this post I'll use CVE-2024-5830, a bug in object transitions in Chrome, to gain RCE in the Chrome renderer sandbox: github.blog/security/vulne…