2025-Dec-16

Welcome to the new Project Zero Blog

2025-Dec-16

Thinking Outside The Box [dusted off draft from 2017]

2025-Dec-16

Windows Exploitation Techniques: Winning Race Conditions with Path Lookups

2025-Dec-12

A look at an Android ITW DNG exploit

2025-Nov-03

Defeating KASLR by Doing Nothing at All

2025-Sep-26

Pointer leaks through pointer-keyed data structures

2025-Aug-08

From Chrome renderer code exec to kernel with MSG_OOB

2025-Jul-29

Policy and Disclosure: 2025 Edition

2025-May-28

The Windows Registry Adventure #8: Practical exploitation of hive memory corruption

2025-May-23

The Windows Registry Adventure #7: Attack surface analysis

2025-May-09

Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages

2025-Apr-16

The Windows Registry Adventure #6: Kernel-mode objects

2025-Mar-26

Blasting Past Webp

2025-Jan-30

Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update)

2025-Jan-30

Windows Bug Class: Accessing Trapped COM Objects with IDispatch

2024-Dec-19

The Windows Registry Adventure #5: The regf file format

2024-Dec-15

The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit

2024-Dec-12

Windows Tooling Updates: OleView.NET

2024-Nov-21

Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst

2024-Nov-01

From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code

2024-Oct-25

The Windows Registry Adventure #4: Hives and the registry layout

2024-Oct-03

Effective Fuzzing: A Dav1d Case Study

2024-Jun-27

The Windows Registry Adventure #3: Learning resources

2024-Jun-20

Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models

2024-Jun-13

Driving forward in Android drivers

2024-Apr-18

The Windows Registry Adventure #2: A brief history of the feature

2024-Apr-18

The Windows Registry Adventure #1: Introduction and research results

2023-Nov-03

First handset with MTE on the market

2023-Oct-13

An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit

2023-Sep-19

Analyzing a Modern In-the-wild Android Exploit

2023-Aug-02

Summary: MTE As Implemented

2023-Aug-02

MTE As Implemented, Part 3: The Kernel

2023-Aug-02

MTE As Implemented, Part 2: Mitigation Case Studies

2023-Aug-02

MTE As Implemented, Part 1: Implementation Testing

2023-Apr-24

Release of a Technical Report into Intel Trust Domain Extensions

2023-Mar-16

Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems

2023-Jan-19

Exploiting null-dereferences in the Linux kernel

2023-Jan-12

DER Entitlements: The (Brief) Return of the Psychic Paper

2022-Dec-08

Exploiting CVE-2022-42703 - Bringing back the stack attack

2022-Nov-22

Mind the Gap

2022-Nov-04

A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain

2022-Nov-02

Gregor Samsa: Exploiting Java's XML Signature Verification

2022-Oct-27

RC4 Is Still Considered Harmful

2022-Aug-10

The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)

2022-Jun-30

2022 0-day In-the-Wild Exploitation…so far

2022-Jun-23

The curious tale of a fake Carrier.app

2022-Jun-14

An Autopsy on a Zombie In-the-Wild 0-day

2022-May-10

Release of Technical Report into the AMD Security Processor

2022-Apr-19

The More You Know, The More You Know You Don’t Know

2022-Apr-14

CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers

2022-Apr-07

CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability

2022-Mar-31

FORCEDENTRY: Sandbox Escape

2022-Mar-24

Racing against the clock -- hitting a tiny kernel race window

2022-Feb-10

A walk through Project Zero metrics

2022-Jan-18

Zooming in on Zero-click Exploits

2021-Dec-15

A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

2021-Dec-01

This shouldn't have happened: A vulnerability postmortem

2021-Oct-20

Windows Exploitation Tricks: Relaying DCOM Authentication

2021-Oct-20

Using Kerberos for Authentication Relay Attacks

2021-Oct-19

How a simple Linux kernel memory corruption bug can lead to complete system compromise

2021-Sep-14

Fuzzing Closed-Source JavaScript Engines with Coverage Feedback

2021-Aug-19

Understanding Network Access in Windows AppContainers

2021-Jun-29

An EPYC escape: Case-study of a KVM breakout

2021-May-20

Fuzzing iOS code on macOS at native speed

2021-Apr-22

Designing sockfuzzer, a network syscall fuzzer for XNU

2021-Apr-15

Policy and Disclosure: 2021 Edition

2021-Apr-01

Who Contains the Containers?

2021-Mar-18

In-the-Wild Series: October 2020 0-day discovery

2021-Feb-03

Déjà vu-lnerability

2021-Jan-28

A Look at iMessage in iOS 14

2021-Jan-21

Windows Exploitation Tricks: Trapping Virtual Memory Access

2021-Jan-19

The State of State Machines

2021-Jan-14

Hunting for Bugs in Windows Mini-Filter Drivers

2021-Jan-12

Introducing the In-the-Wild Series

2021-Jan-12

In-the-Wild Series: Windows Exploits

2021-Jan-12

In-the-Wild Series: Chrome Infinity Bug

2021-Jan-12

In-the-Wild Series: Chrome Exploits

2021-Jan-12

In-the-Wild Series: Android Post-Exploitation

2021-Jan-12

In-the-Wild Series: Android Exploits

2020-Dec-21

An iOS hacker tries Android

2020-Dec-01

An iOS zero-click radio proximity exploit odyssey

2020-Nov-13

Oops, I missed it again!

2020-Oct-06

Enter the Vault: Authentication Issues in HashiCorp Vault

2020-Oct-01

Announcing the Fuzzilli Research Grant Program

2020-Sep-08

Attacking the Qualcomm Adreno GPU

2020-Sep-01

JITSploitation II: Getting Read/Write

2020-Sep-01

JITSploitation III: Subverting Control Flow

2020-Sep-01

JITSploitation I: A JIT Bug

2020-Aug-12

MMS Exploit Part 5: Defeating Android ASLR, Getting RCE

2020-Aug-06

Exploiting Android Messengers with WebRTC: Part 3

2020-Aug-05

Exploiting Android Messengers with WebRTC: Part 2

2020-Aug-04

MMS Exploit Part 4: MMS Primer, Completing the ASLR Oracle

2020-Aug-03

Exploiting Android Messengers with WebRTC: Part 1

2020-Jul-31

The core of Apple is PPL: Breaking the XNU kernel's kernel

2020-Jul-30

One Byte to rule them all

2020-Jul-29

Root Cause Analyses for 0-day In-the-Wild Exploits

2020-Jul-29

Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019

2020-Jul-28

MMS Exploit Part 3: Constructing the Memory Corruption Primitives

2020-Jul-23

MMS Exploit Part 2: Effective Fuzzing of the Qmage Codec

2020-Jul-16

MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface

2020-Jul-09

How to unc0ver a 0-day in 4 hours or less

2020-Jun-17

FF Sandbox Escape (CVE-2020-12388)

2020-Jun-11

A survey of recent iOS kernel exploits

2020-Apr-28

Fuzzing ImageIO

2020-Apr-21

You Won't Believe what this One Line Change Did to the Chrome Sandbox

2020-Apr-02

TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln

2020-Feb-15

Escaping the Chrome Sandbox with RIDL

2020-Feb-12

Mitigations are attack surface, too

2020-Feb-11

A day^W^W Several months in the life of Project Zero - Part 2: The Chrome exploit of suffering

2020-Feb-11

A day^W^W Several months in the life of Project Zero - Part 1: The Chrome bug of suffering

2020-Jan-30

Part II: Returning to Adobe Reader symbols on macOS

2020-Jan-09

Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution

2020-Jan-09

Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass

2020-Jan-09

Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641

2020-Jan-07

Policy and Disclosure: 2020 Edition

2019-Dec-17

Calling Local Windows RPC Servers from .NET

2019-Dec-10

SockPuppet: A Walkthrough of a Kernel Exploit for iOS 12.4

2019-Nov-21

Bad Binder: Android In-The-Wild Exploit

2019-Oct-28

KTRW: The journey to build a debuggable iPhone

2019-Oct-08

The story of Adobe Reader symbols

2019-Sep-25

Windows‌ ‌Exploitation‌ ‌Tricks:‌ ‌Spoofing‌ ‌Named‌ ‌Pipe‌ ‌Client‌ ‌PID‌

2019-Aug-29

JSC Exploits

2019-Aug-29

In-the-wild iOS Exploit Chain 5

2019-Aug-29

In-the-wild iOS Exploit Chain 4

2019-Aug-29

In-the-wild iOS Exploit Chain 3

2019-Aug-29

In-the-wild iOS Exploit Chain 2

2019-Aug-29

In-the-wild iOS Exploit Chain 1

2019-Aug-29

Implant Teardown

2019-Aug-29

A very deep dive into iOS Exploit chains found in the wild

2019-Aug-22

The Many Possibilities of CVE-2019-8646

2019-Aug-13

Down the Rabbit-Hole...

2019-Aug-07

The Fully Remote Attack Surface of the iPhone

2019-May-10

Trashing the Flow of Data

2019-Apr-16

Windows Exploitation Tricks: Abusing the User-Mode Debugger

2019-Apr-11

Virtually Unlimited Memory: Escaping the Chrome Sandbox

2019-Apr-01

Splitting atoms in XNU

2019-Mar-14

Windows Kernel Logic Bug Class: Access Mode Mismatch in IO Manager

2019-Mar-07

Android Messaging: A Few Bugs Short of a Chain

2019-Feb-05

The Curious Case of Convexity Confusion

2019-Feb-01

Examining Pointer Authentication on the iPhone XS

2019-Jan-29

voucher_swap: Exploiting MIG reference counting in iOS 12

2019-Jan-17

Taking a page from the kernel's book: A TLB issue in mremap()

2018-Dec-19

On VBScript

2018-Dec-18

Searching statically-linked vulnerable library functions in executable code

2018-Dec-13

Adventures in Video Conferencing Part 5: Where Do We Go from Here?

2018-Dec-12

Adventures in Video Conferencing Part 4: What Didn't Work Out with WhatsApp

2018-Dec-11

Adventures in Video Conferencing Part 3: The Even Wilder World of WhatsApp

2018-Dec-05

Adventures in Video Conferencing Part 2: Fun with FaceTime

2018-Dec-04

Adventures in Video Conferencing Part 1: The Wild World of WebRTC

2018-Nov-30

Injecting Code into Windows Protected Processes using COM - Part 2

2018-Oct-24

Heap Feng Shader: Exploiting SwiftShader in Chrome

2018-Oct-18

Deja-XNU

2018-Oct-16

Injecting Code into Windows Protected Processes using COM - Part 1

2018-Oct-04

365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools

2018-Sep-26

A cache invalidation bug in Linux memory management

2018-Sep-10

OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB

2018-Aug-16

The Problems and Promise of WebAssembly

2018-Aug-14

Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege

2018-Aug-02

Adventures in vulnerability reporting

2018-Jul-26

Drawing Outside the Box: Precision Issues in Graphic Libraries

2018-Jun-21

Detecting Kernel Memory Disclosure – Whitepaper

2018-May-10

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

2018-Apr-18

Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege

2018-Jan-03

Reading privileged memory with a side-channel

2017-Dec-18

aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript

2017-Oct-11

Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices

2017-Oct-05

Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs

2017-Oct-03

Over The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices

2017-Sep-28

Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices

2017-Sep-21

The Great DOM Fuzz-off of 2017

2017-Aug-23

Bypassing VirtualBox Process Hardening on Windows

2017-Aug-08

Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read

2017-Jul-24

Trust Issues: Exploiting TrustZone TEEs

2017-May-10

Exploiting the Linux kernel via packet sockets

2017-Apr-28

Exploiting .NET Managed DCOM

2017-Apr-18

Exception-oriented exploitation on iOS

2017-Apr-11

Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)

2017-Apr-10

Notes on Windows Uniscribe Fuzzing

2017-Apr-07

Pandavirtualization: Exploiting the Xen hypervisor

2017-Apr-04

Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)

2017-Mar-29

Project Zero Prize Conclusion

2017-Feb-14

Attacking the Windows NVIDIA Driver

2017-Feb-08

Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection

2016-Dec-14

Chrome OS exploit: one byte overflow and symlinks

2016-Dec-01

BitUnmap: Attacking Android Ashmem

2016-Nov-29

Breaking the Chain

2016-Oct-25

task_t considered harmful

2016-Sep-13

Announcing the Project Zero Prize

2016-Sep-07

Return to libstagefright: exploiting libutils on Android

2016-Aug-16

A Shadow of our Former Self

2016-Jul-01

A year of Windows kernel font fuzzing #2: the techniques

2016-Jun-28

How to Compromise the Enterprise Endpoint

2016-Jun-27

A year of Windows kernel font fuzzing #1: the results

2016-Jun-20

Exploiting Recursion in the Linux Kernel

2016-Mar-28

Life After the Isolated Heap

2016-Mar-22

Race you to the kernel!

2016-Mar-21

Exploiting a Leaked Thread Handle

2016-Feb-29

The Definitive Guide on Win32 to NT Path Conversion

2016-Feb-04

Racing MIDI messages in Chrome

2016-Jan-12

Raising the Dead

2015-Dec-15

FireEye Exploitation: Project Zero’s Vulnerability of the Beast

2015-Dec-04

Between a Rock and a Hard Link

2015-Nov-18

Windows Sandbox Attack Surface Analysis

2015-Nov-02

Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge

2015-Oct-15

Windows Drivers are True’ly Tricky

2015-Sep-28

Revisiting Apple IPC: (1) Distributed Objects

2015-Sep-22

Kaspersky: Mo Unpackers, Mo Problems.

2015-Sep-16

Stagefrightened?

2015-Sep-14

Enabling QR codes in Internet Explorer, or a story of a cross-platform memory disclosure

2015-Aug-25

Windows 10^H^H Symbolic Link Mitigations

2015-Aug-21

One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation

2015-Aug-19

Three bypasses and a fix for one of Flash's Vector.<*> mitigations

2015-Aug-17

Attacking ECMAScript Engines with Redefinition

2015-Aug-13

One font vulnerability to rule them all #3: Windows 8.1 32-bit sandbox escape exploitation

2015-Aug-06

One font vulnerability to rule them all #2: Adobe Reader RCE exploitation

2015-Jul-31

One font vulnerability to rule them all #1: Introducing the BLEND vulnerability

2015-Jul-20

One Perfect Bug: Exploiting Type Confusion in Flash

2015-Jul-16

Significant Flash exploit mitigations are live in v18.0.0.209

2015-Jul-10

From inter to intra: gaining reliability

2015-Jul-07

When ‘int’ is the new ‘short’

2015-Jun-26

What is a "good" memory corruption vulnerability?

2015-Jun-23

Analysis and Exploitation of an ESET Vulnerability

2015-Jun-19

Owning Internet Printing - A Case Study in Modern Software Exploitation

2015-Jun-15

Dude, where’s my heap?

2015-May-04

In-Console-Able

2015-Apr-13

A Tale of Two Exploits

2015-Mar-19

Taming the wild copy: Parallel Thread Corruption

2015-Mar-09

Exploiting the DRAM rowhammer bug to gain kernel privileges Rowhammer blog post (draft)

2015-Feb-13

Feedback and data-driven updates to Google’s disclosure policy

2015-Feb-12

(^Exploiting)\s*(CVE-2015-0318)\s*(in)\s*(Flash$)

2015-Feb-09

A Token’s Tale

2015-Jan-22

Exploiting NVMAP to escape the Chrome sandbox - CVE-2014-5332

2015-Jan-02

Finding and exploiting ntpd vulnerabilities

2014-Dec-01

Internet Explorer EPM Sandbox Escape CVE-2014-6350

2014-Nov-24

pwn4fun Spring 2014 - Safari - Part II

2014-Nov-19

Project Zero Patch Tuesday roundup, November 2014

2014-Oct-20

Did the “Man With No Name” Feel Insecure?

2014-Oct-01

More Mac OS X and iPhone sandbox escapes and kernel bugs

2014-Sep-23

Exploiting CVE-2014-0556 in Flash

2014-Aug-25

The poisoned NUL byte, 2014 edition

2014-Aug-21

What does a pointer look like, anyway?

2014-Jul-30

Mac OS X and iPhone sandbox escapes

2014-Jul-24

pwn4fun Spring 2014 - Safari - Part I

2014-Jul-15

Announcing Project Zero