Android In-The-Wild: Unexpectedly Excavating a Kernel Exploit
Seth Jenkins
OffensiveCon 2025 · Day 2 · Main
Starting from nothing but a set of kernel panic logs recovered from a Serbian activist's phone — logs that implicated Cellebrite's UFED tool and the Qualcomm ADSPRPC driver — Google Project Zero researcher Seth Jenkins found five new vulnerabilities in the driver over two and a half months, then reconstructed a plausible exploitation strategy that matches the in-the-wild crash artifacts with striking fidelity. The most likely in-the-wild bug is a use-after-free in `fast_rpc_mmap` structures caused by a handle/buffer reference-count mismatch, and the spray primitive appears to be `inotify_event_info` objects whose overlaid fields produce the anomalous timestamp-valued channel IDs seen in the original logs.
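The forensic fingerprint the abstract describes (channel IDs in the panic logs that are really Unix timestamps leaking through overlaid `inotify_event_info` fields) can be turned into a simple log-triage check. The following Python is an added example written for this page, not code from the talk or from Project Zero; the `adsprpc: invalid channel id N` line format and the sample lines are constructed assumptions, not the real driver's output.

```python
import re
from datetime import datetime, timezone

# Constructed sample panic lines (not real Cellebrite/ADSPRPC output); the
# "channel id N" wording is an assumed log format used only for this example.
SAMPLE_LOG = """\
[  123.456789] adsprpc: invalid channel id 1 for handle 0x2a
[  123.457001] adsprpc: invalid channel id 1700000123 for handle 0x2a
[  123.457210] adsprpc: invalid channel id 1700000124 for handle 0x2b
[  123.457900] adsprpc: invalid channel id 3 for handle 0x2c
[  123.458100] adsprpc: invalid channel id 1700000123000000000 for handle 0x2d
"""

CHANNEL_RE = re.compile(r"channel id (\d+)")
EPOCH_LOW = int(datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp())
EPOCH_HIGH = int(datetime(2030, 1, 1, tzinfo=timezone.utc).timestamp())

def as_epoch_seconds(value):
    """Interpret a raw integer as Unix time in s, ms or ns; None if no scale fits the window."""
    for scale in (1, 10**3, 10**9):
        secs = value // scale
        if EPOCH_LOW <= secs <= EPOCH_HIGH:
            return secs
    return None

def find_timestamp_valued_ids(log_text):
    """Return (line_no, raw_value, iso_utc) for every channel id that parses as a timestamp."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = CHANNEL_RE.search(line)
        if not m:
            continue
        secs = as_epoch_seconds(int(m.group(1)))
        if secs is not None:
            iso = datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()
            hits.append((line_no, int(m.group(1)), iso))
    return hits

def spray_suspected(hits, max_spread_seconds=60):
    """Several timestamp-valued ids clustered within a short span is the pattern to escalate on."""
    if len(hits) < 2:
        return False
    secs = sorted(as_epoch_seconds(v) for _, v, _ in hits)
    return secs[-1] - secs[0] <= max_spread_seconds

if __name__ == "__main__":
    found = find_timestamp_valued_ids(SAMPLE_LOG)
    print(found, "spray suspected:", spray_suspected(found))
```

A single timestamp-looking value can be a coincidence, so the check only flags a cluster of them; the real signal is many such values landing close together in time, which is what a heap spray of freshly allocated objects would leave behind.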
AI review
Jenkins reverse-engineering a commercial exploit chain from nothing but kernel panic logs is exactly the kind of forensic detective work that OffensiveCon should platform — the inotify epoch-timestamp artifact as a forensic fingerprint of the UAF spray primitive is genuinely clever. Five new ADSPRPC vulnerabilities in 2.5 months, with the in-the-wild candidate correctly identified, makes this both technically solid and politically important. The 100–260 day patch supply chain data alone is worth keeping in the program.