poc
2.1k words
Introduction. In November 2025 I started a fuzzing campaign against cryptodev-linux as part of a school project. I found 10+ bugs (UAF, NULL pointer dereferences and integer overflows), and among all of these bugs one was surprisingly suitable for a privilege escalation. For a little bit of background, according to their GitHub page: This is a /dev/crypto device driver, equivalent to those in OpenBSD or FreeBSD. The main idea is to access existing ciphers in kernel space from userspa...
poc
63 words
Memo. Basic networking management:
echo "10.0.2.2" | doas tee /etc/mygate # default qemu gateway
echo "inet autoconf" | doas tee /etc/hostname.em0 # dhclient for em0
vm management:
vmctl create -s 10G "qcow2:openbsd.img"
vmctl start -c -t syzkaller -b /bsd.rd -d openbsd.img -d install78.img syzkaller-1 # don't forget to include the sets
vmctl stop -w syzkaller-1
shutdown:
shutdown -p now
741 words
Introduction. In my last article I implemented a basic harness for the XHCI VirtualBox device. I wasn't satisfied with the coverage, so I kept trying to improve the harness (and made slight changes in the KVM / qemu code) to be able to fuzz both the fast and slow paths at the same time. The code material is available here. Issues due to the design of VirtualBox devices. Each VirtualBox device has a fast path and a slow path. The fast path is handled directly in kernel land (ring-0), right af...
4.2k words
Introduction. In 2025 I completed an internship at Out of bounds, which gave me roughly 5 months to research bugs in the VirtualBox USB stack (xHCI). In this blog post I will explain my workflow and how I managed to fuzz this subsystem using kAFL/nyx. xHCI. eXtensible Host Controller Interface (xHCI) is the latest standard for USB host controller devices. It is backward compatible with both the USB 1.0 and 2.0 protocols. The xHCI controller is implemented in VirtualBox as a cross-platfor...