Rendered at 14:23:54 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
etenal 2 days ago [-]
Read our technical walkthrough here to see how we won almost $10k bug bounty from a single Linux kernel 0-day -- GhostLock.
Chaining GhostLock with a Firefox 0-day, we managed to remote control any Android device (even the latest Android 17) from a simple URL click. We name this full-chain exploit "IonStack", because it's IonMonkey 0-day in Firefox and a StackOverflow in Linux kernel.
Wow. A universal, unprivileged local kernel stack use-after-free enabling ~97%-reliable privilege escalation and container escape via a constrained write primitive, control-flow hijack, and ROP
* Introduced in Linux 2.6.39 in 2011
* patched in 7.1 (April 2026)
valentynkit 21 hours ago [-]
The bug itself is almost boring - remove_waiter() clearing current's pi_blocked_on instead of the actual waiter's — which is exactly why it survived 15 years.
Chaining GhostLock with a Firefox 0-day, we managed to remote control any Android device (even the latest Android 17) from a simple URL click. We name this full-chain exploit "IonStack", because it's IonMonkey 0-day in Firefox and a StackOverflow in Linux kernel.
Our blog post -> https://nebusec.ai/research/ionstack-part-2/
Exploit Github -> https://github.com/NebuSec/CyberMeowfia
* Introduced in Linux 2.6.39 in 2011
* patched in 7.1 (April 2026)
so no mitigation except for kernel updates?