Introduction
In November 2025 I started a fuzzing campaign against cryptodev-linux as part of a school project. I found 10+ bugs (UAF, NULL pointer dereferences and integer overflows), and among all of these bugs one was surprisingly suitable for a privilege escalation.
For a little bit of background, according to their GitHub page:
This is a /dev/crypto device driver, equivalent to those in OpenBSD or FreeBSD. The main idea is to access existing ciphers in kernel space from userspa...
Introduction
In my last article I implemented a basic harness for the xHCI VirtualBox device. I wasn't satisfied with the coverage, so I kept trying to improve the harness (and made slight changes in the KVM / qemu code) to be able to fuzz both the fast and slow paths at the same time. The code material is available here.
Issues due to the design of VirtualBox devices
Each VirtualBox device has a fast path and a slow path. The fast path is handled directly in kernel land (ring-0), right af...
Introduction
In 2025 I completed an internship at Out of bounds, allowing me to research for roughly 5 months for bugs in the VirtualBox USB stack (xHCI). In this blog post I will explain my workflow and how I managed to fuzz this subsystem by using kAFL/Nyx.
xHCI
eXtensible Host Controller Interface (xHCI) is the latest standard for USB host controller devices. It is backward compatible with both the USB 1.0 and 2.0 protocols. The xHCI controller is implemented in VirtualBox as a cross-platfor...
window-of-opportunity
window-of-opportunity (490 pts) - 11 solves
by Eth007
Description: Sometimes, there is a glimmer of hope, a spark of inspiration, a window of opportunity.
Attachments
https://imaginaryctf.org/r/izYM0#opportunity_dist.zip
nc window-of-opportunity.chal.imaginaryctf.org 1337
window-of-opportunity is a kernel exploitation challenge I did from ImaginaryCTF 2023. We are given an arbitrary read primitive (and a stack buffer overflow, but I didn't use it), and the goal is basi...