Search: GoogleProjectZero, sorted by most viewed

253 matches found

GoogleProjectZero
added 2020/02/11 12:00 a.m., 17 views

A day^W^W Several months in the life of Project Zero - Part 2: The Chrome exploit of suffering

Posted by Sergei Glazunov and Mark Brand, Project Zero Introduction After we’d understood how the bug worked, and had passed on those details to Chrome to help them get started on a fix, we went back to our other projects. This bug remained a topic of discussion, and eventually we ran out of...

AI score: 7.8
Exploits: 0

GoogleProjectZero
added 2020/02/11 12:00 a.m., 17 views

A day^W^W Several months in the life of Project Zero - Part 1: The Chrome bug of suffering

Posted by Sergei Glazunov and Mark Brand, Project Zero Introduction It was a normal week in the Project Zero office when we got an interesting email from the Chrome team — they’d been looking into a serious crash that was happening occasionally on Android builds of Chrome, but hadn’t made much...

AI score: 6.8
Exploits: 0

GoogleProjectZero
added 2018/04/18 12:00 a.m., 17 views

Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege

Posted by James Forshaw, Project Zero Previously I presented a technique to exploit arbitrary directory creation vulnerabilities on Windows to give you read access to any file on the system. In the upcoming Spring Creators Update (RS4) the abuse of mount points to link to files as I exploited in th...

AI score: 7.2
Exploits: 0

GoogleProjectZero
added 2015/10/15 12:00 a.m., 17 views

Windows Drivers are True’ly Tricky

Posted by James Forshaw, Driving for Bugs Auditing a product for security vulnerabilities can be a difficult challenge, and there’s no guarantee you’ll catch all vulnerabilities even when you do. This post describes an issue I identified in the Windows Driver code for Truecrypt, which has already...

AI score: 7.2
Exploits: 0

GoogleProjectZero
added 2014/07/15 12:00 a.m., 17 views

Announcing Project Zero

Posted by Chris Evans, Researcher Herder Security is a top priority for Google. We’ve invested a lot in making our products secure, including strong SSL encryption by default for Search, Gmail and Drive, as well as encrypting data moving between our data centers. Beyond securing our own products,...

AI score: 7.5
Exploits: 0

GoogleProjectZero
added 2020/07/23 12:00 a.m., 16 views

MMS Exploit Part 2: Effective Fuzzing of the Qmage Codec

Posted by Mateusz Jurczyk, Project Zero This post is the second of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. New posts will be published ...

AI score: 8.3
Exploits: 0

GoogleProjectZero
added 2018/06/21 12:00 a.m., 16 views

Detecting Kernel Memory Disclosure – Whitepaper

Posted by Mateusz Jurczyk, Project Zero Since early 2017, we have been working on Bochspwn Reloaded – a piece of dynamic binary instrumentation built on top of the Bochs IA-32 software emulator, designed to identify memory disclosure vulnerabilities in operating system kernels. Over the course of...

AI score: 7.6
Exploits: 0

GoogleProjectZero
added 2017/10/11 12:00 a.m., 16 views

Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices

Posted by Gal Beniamini, Project Zero In this blog post we’ll complete our goal of achieving remote kernel code execution on the iPhone 7, by means of Wi-Fi communication alone. After developing a Wi-Fi firmware exploit in the previous blog post, we are left with the task of using our newly...

AI score: 7.5
Exploits: 0

GoogleProjectZero
added 2016/02/04 12:00 a.m., 16 views

Racing MIDI messages in Chrome

This is a guest blog post by Oliver Chang from the Chrome Security team. This post is about an exceptionally bad use after free bug in Chrome’s browser process that affected Linux, Chrome OS and OS X. What makes this bug interesting is the fact that it could be directly triggered from the web...

AI score: 7.4
Exploits: 0

GoogleProjectZero
added 2014/07/30 12:00 a.m., 16 views

Mac OS X and iPhone sandbox escapes

Posted by Chris Evans, Finder of None Of These As part of our launch manifesto, we committed to openness and transparency, including sharing full details of our research. About a month ago, Apple released two security advisories which fixed some Project Zero findings. Today, we’re releasing the...

AI score: 7.8
Exploits: 0

GoogleProjectZero
added 2026/01/30 12:00 a.m., 15 views

Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529

Posted by Dillon Franke, Google Information Security Engineering, 20% time on Project Zero In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability CVE-2024-54529 and a double-free vulnerability CVE-2025-312...

CVSS: 7.8, AI score: 6.2, EPSS: 0.00237
Exploits: 2

GoogleProjectZero
added 2025/12/12 12:00 a.m., 15 views

A look at an Android ITW DNG exploit

Posted by Benoît Sevens, Google Threat Intelligence Group Introduction Between July 2024 and February 2025, 6 suspicious image files were uploaded to VirusTotal. Thanks to a lead from Meta, these samples came to the attention of Google Threat Intelligence Group. Investigation of these images show...

CVSS: 9.8, AI score: 7.8, EPSS: 0.04412
Exploits: 1

GoogleProjectZero
added 2019/03/07 12:00 a.m., 15 views

Android Messaging: A Few Bugs Short of a Chain

Posted by Natalie Silvanovich, Project Zero About a year and a half ago, I did some research into Android messaging and mail clients. At the time, I didn’t blog about it, because though I found bugs, I wasn’t able to assemble them into a credible attack. However, in the spirit of writing about...

AI score: 7.9
Exploits: 0

GoogleProjectZero
added 2017/08/08 12:00 a.m., 15 views

Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read

Posted by James Forshaw, Project Zero For the past couple of months I’ve been presenting my “Introduction to Windows Logical Privilege Escalation Workshop” at a few conferences. The restriction of a 2 hour slot fails to do the topic justice and some interesting tips and tricks I would like to...

AI score: 6.9
Exploits: 0

GoogleProjectZero
added 2016/06/20 12:00 a.m., 15 views

Exploiting Recursion in the Linux Kernel

Posted by Jann Horn, Google Project Zero On June 1st, I reported an arbitrary recursion bug in the Linux kernel that can be triggered by a local user on Ubuntu if the system was installed with home directory encryption support. If you want to see the crasher, the exploit code and the shorter bug...

AI score: 7.4
Exploits: 0

GoogleProjectZero
added 2024/10/03 12:00 a.m., 14 views

Effective Fuzzing: A Dav1d Case Study

Guest post by Nick Galloway, Senior Security Engineer, 20% time on Project Zero Late in 2023, while working on a 20% project with Project Zero, I found an integer overflow in the dav1d AV1 video decoder. That integer overflow leads to an out-of-bounds write to memory. Dav1d 1.4.0 patched this, an...

CVSS: 8.8, AI score: 8.1, EPSS: 0.00584
Exploits: 0

GoogleProjectZero
added 2019/04/16 12:00 a.m., 14 views

Windows Exploitation Tricks: Abusing the User-Mode Debugger

Posted by James Forshaw, Google Project Zero I've recently been adding native user-mode debugger support to NtObjectManager. Whenever I add new functionality I have to do some research and reverse engineering to better understand how it works. In this case I wondered what access you need to debug...

AI score: 6.7
Exploits: 0

GoogleProjectZero
added 2016/09/07 12:00 a.m., 14 views

Return to libstagefright: exploiting libutils on Android

Posted by Mark Brand, Invalidator of Unic�o�d�e I’ve been investigating different fuzzing approaches on some Android devices recently, and this turned up the following rather interesting bug (CVE-2016-3861) fixed in the most recent Android Security Bulletin, deep in the bowels of the usermode Andro...

AI score: 8.2
Exploits: 0

GoogleProjectZero
added 2014/07/24 12:00 a.m., 14 views

pwn4fun Spring 2014 - Safari - Part I

Posted by Ian Beer Back in March this year I entered the pwn4fun hacking contest at CanSecWest http://www.pwn2own.com/2014/03/pwning-lulzand-charity/ targeting Safari running on a brand new MacBook Air. In this first post I’ll detail how I got code execution within the Safari renderer sandbox usi...

AI score: 7.9
Exploits: 0

GoogleProjectZero
added 2018/05/10 12:00 a.m., 13 views

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

Posted by Ivan Fratric, Project Zero With Windows 10 Creators Update, Microsoft introduced a new security mitigation in Microsoft Edge: Arbitrary Code Guard (ACG). When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within a process or...

AI score: 8.1
Exploits: 0

GoogleProjectZero
added 2017/02/14 12:00 a.m., 13 views

Attacking the Windows NVIDIA Driver

Posted by Oliver Chang Modern graphic drivers are complicated and provide a large promising attack surface for EoPs and sandbox escapes from processes that have access to the GPU (e.g. the Chrome GPU process). In this blog post we’ll take a look at attacking the NVIDIA kernel mode Windows drivers,...

AI score: 8.4
Exploits: 0

GoogleProjectZero
added 2016/01/12 12:00 a.m., 13 views

Raising the Dead

Posted by James Forshaw, your Friendly Neighbourhood Necromancer. It’s a bit late for Halloween but the ability to resurrect the dead (processes, that is) is an interesting type of security issue when dealing with multi-user Windows systems such as Terminal Servers. Specifically this blog is about...

AI score: 7.3
Exploits: 0

GoogleProjectZero
added 2020/01/07 12:00 a.m., 12 views

Policy and Disclosure: 2020 Edition

Posted by Tim Willis, Project Zero At Project Zero, we spend a lot of time discussing and evaluating vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers, and software security norms of the larger industry. We're very happy with how well our...

AI score: 7.1
Exploits: 0

GoogleProjectZero
added 2018/12/13 12:00 a.m., 12 views

Adventures in Video Conferencing Part 5: Where Do We Go from Here?

Posted by Natalie Silvanovich, Project Zero Overall, our video conferencing research found a total of 11 bugs in WebRTC, FaceTime and WhatsApp. The majority of these were found through less than 15 minutes of mutation fuzzing RTP. We were surprised to find remote bugs so easily in code that is so...

AI score: 7.5
Exploits: 0

GoogleProjectZero
added 2018/12/12 12:00 a.m., 12 views

Adventures in Video Conferencing Part 4: What Didn't Work Out with WhatsApp

Posted by Natalie Silvanovich, Project Zero Not every attempt to find bugs is successful. When looking at WhatsApp, we spent a lot of time reviewing call signalling hoping to find a remote, interaction-less vulnerability. No such bugs were found. We are sharing our work with the hopes of saving...

AI score: 7.4
Exploits: 0

GoogleProjectZero
added 2016/09/13 12:00 a.m., 12 views

Announcing the Project Zero Prize

Posted by Natalie Silvanovich, Exploit Enthusiast Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests. Hoping to continue the stream of great bugs, we’ve decided to star...

AI score: 8.3
Exploits: 0

GoogleProjectZero
added 2015/07/10 12:00 a.m., 12 views

From inter to intra: gaining reliability

Posted by Chris Evans, avoider of crossing heap lines. Part 2 of 4. In the first post in this series, we concluded with a traditional exploit for Adobe Flash bug 324, and noted that it could never be 100% reliable. We also challenged ourselves to do better! Is there some way we can leverage the...

AI score: 7
Exploits: 0

GoogleProjectZero
added 2024/11/21 12:00 a.m., 11 views

Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst

Posted by Ivan Fratric, Google Project Zero Recently, one of the projects I was involved in had to do with video decoding on Apple platforms, specifically AV1 decoding. On Apple devices that support AV1 video format (starting from Apple A17 on iOS / M3 on macOS), decoding is done in hardware. However,...

AI score: 6.8
Exploits: 0

GoogleProjectZero
added 2019/05/10 12:00 a.m., 11 views

Trashing the Flow of Data

Posted by Stephen Röttger In this blog post I want to present crbug.com/944062, a vulnerability in Chrome’s JavaScript compiler TurboFan that was discovered independently by Samuel (saelo@) via fuzzing with fuzzilli, and by myself via manual code auditing. The bug was found in beta and was fixed...

AI score: 7.7
Exploits: 0

GoogleProjectZero
added 2018/07/26 12:00 a.m., 11 views

Drawing Outside the Box: Precision Issues in Graphic Libraries

By Mark Brand and Ivan Fratric, Google Project Zero In this blog post, we are going to write about a seldom seen vulnerability class that typically affects graphic libraries though it can also occur in other types of software. The root cause of such issues is using limited precision arithmetic in...

AI score: 7.6
Exploits: 0

GoogleProjectZero
added 2015/06/23 12:00 a.m., 11 views

Analysis and Exploitation of an ESET Vulnerability

Do we understand the risk vs. benefit trade-offs of security software? Tavis Ormandy, June 2015 Introduction Many antivirus products include emulation capabilities that are intended to allow unpackers to run for a few cycles before signatures are applied. ESET NOD32 uses a minifilter or kext to...

AI score: 7.3
Exploits: 0

GoogleProjectZero
added 2014/11/19 12:00 a.m., 11 views

Project Zero Patch Tuesday roundup, November 2014

Posted by Chris Evans, Registrar of Bugs It’s been about a week since Patch Tuesday, and the Project Zero reports mentioned in the various advisories are now public. We won’t always be writing a Patch Tuesday roundup, but we often will when we believe there is a sufficiently varied and interestin...

AI score: 7.5
Exploits: 0

GoogleProjectZero
added 2026/02/12 12:00 a.m., 10 views

Bypassing Administrator Protection by Abusing UI Access

Posted by James Forshaw In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn’t exist. I described one of the ways I was able to bypass the feature before it was released. In total I found 9 bypasses...

AI score: 6.6
Exploits: 0

GoogleProjectZero
added 2025/01/30 12:00 a.m., 10 views

Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update)

Posted by James Forshaw, Google Project Zero Back in 2021 I wrote a blog post about various ways you can build a virtual memory access trap primitive on Windows. The goal was to cause a reader or writer of a virtual memory address to halt for a significant (e.g. 1 or more seconds) amount of time,...

AI score: 7.5
Exploits: 0

GoogleProjectZero
added 2023/04/24 12:00 a.m., 10 views

Release of a Technical Report into Intel Trust Domain Extensions

Today, members of Google Project Zero and Google Cloud are releasing a report on a security review of Intel's Trust Domain Extensions (TDX). TDX is a feature introduced to support Confidential Computing by providing hardware isolation of virtual machine guests at runtime. This isolation is achieved...

AI score: 7
Exploits: 0

GoogleProjectZero
added 2022/05/10 12:00 a.m., 10 views

Release of Technical Report into the AMD Security Processor

Posted by James Forshaw, Google Project Zero Today, members of Project Zero and the Google Cloud security team are releasing a technical report on a security review of AMD Secure Processor (ASP). The ASP is an isolated ARM processor in AMD EPYC CPUs that adds a root of trust and controls secure...

AI score: 7.7
Exploits: 0

GoogleProjectZero
added 2015/09/22 12:00 a.m., 10 views

Kaspersky: Mo Unpackers, Mo Problems.

Posted by the notorious Tavis Ormandy. We’ve talked before about how we use Google scale to amplify our fuzzing efforts. I’ve recently been working on applying some of these techniques to Antivirus, a vast and highly privileged attack surface. Among the products I’m working on is Kaspersky...

AI score: 8.6
Exploits: 0

GoogleProjectZero
added 2015/07/07 12:00 a.m., 10 views

When ‘int’ is the new ‘short’

Posted by Mark Brand, Truncator of Integers This is going to be a quick post, just describing a particularly interesting Chrome issue that I found last month; how I found it; and what is interesting about it… I was looking through some Chrome networking code; and I noticed an interesting API desi...

AI score: 8.4
Exploits: 0

GoogleProjectZero
added 2015/06/15 12:00 a.m., 10 views

Dude, where’s my heap?

Guest posted by Ivan Fratric, spraying 1TB of memory The ability to place controlled content to a predictable location in memory can be an important primitive in exploitation of memory corruption vulnerabilities. A technique that is commonly used to this end in browser exploitation is heap...

AI score: 6.8
Exploits: 0

GoogleProjectZero
added 2025/12/16 12:00 a.m., 9 views

Thinking Outside The Box [dusted off draft from 2017]

Posted by Jann Horn Preface Hello from the future! This is a blogpost I originally drafted in early 2017. I wrote what I intended to be the first half of this post about escaping from the VM to the VirtualBox host userspace process with CVE-2017-3558, but I never got around to writing the second...

CVSS: 8.5, AI score: 7.4, EPSS: 0.00098
Exploits: 1

GoogleProjectZero
added 2019/02/05 12:00 a.m., 9 views

The Curious Case of Convexity Confusion

Posted by Ivan Fratric, Google Project Zero Intro Some time ago, I noticed a tweet about an externally reported vulnerability in Skia graphics library used by Chrome, Firefox and Android, among others. The vulnerability caught my attention for several reasons: Firstly, I looked at Skia before...

AI score: 7
Exploits: 0

GoogleProjectZero
added 2016/11/29 12:00 a.m., 9 views

Breaking the Chain

Posted by James Forshaw, Wielder of Bolt Cutters. Much as we’d like it to be true, it seems undeniable that we’ll never fix all security bugs just by looking for them. One of the most productive ways of dealing with this fact is to implement exploit mitigations. Project Zero considers mitigation work...

AI score: 7.2
Exploits: 0

GoogleProjectZero
added 2015/05/04 12:00 a.m., 8 views

In-Console-Able

Posted by James Forshaw, giving the security community a shoulder to cry on. TL;DR; this blog post describes an unfixed bug in Windows 8.1 which allows you to escape restrictive job objects in order to help to develop a sandbox escape chain in Chrome or similar sandboxes. If you’re trying to...

AI score: 6.7
Exploits: 0

GoogleProjectZero
added 2026/01/26 12:00 a.m., 7 views

Bypassing Windows Administrator Protection

Posted by James Forshaw A headline feature introduced in the latest release of Windows 11 (25H2) is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and, importantly, securable system to allow a local user to access administrator privilege...

AI score: 6
Exploits: 0

GoogleProjectZero
added 2015/08/19 12:00 a.m., 7 views

Three bypasses and a fix for one of Flash's Vector.<*> mitigations

Posted by Chris Evans, Cookie Monster With the release of Flash 18.0.0.209, two mitigations were introduced to combat abuse of Vector corruptions -- we covered these in a previous blog post. Flash 18.0.0.232 has just been released and it includes a change to the way one of the mitigations is...

AI score: 7.6
Exploits: 0

GoogleProjectZero
added 2026/02/26 12:00 a.m., 6 views

A Deep Dive into the GetProcessHandleFromHwnd API

Posted by James Forshaw In my previous blog post I mentioned the GetProcessHandleFromHwnd API. This was an API I didn’t know existed until I found a publicly disclosed UAC bypass using the Quick Assist UI Access application. This API looked interesting so I thought I should take a closer look. I...

CVSS: 7.8, AI score: 8.4, EPSS: 0.19529
Exploits: 1

GoogleProjectZero
added 2025/11/03 12:00 a.m., 6 views

Defeating KASLR by Doing Nothing at All

Posted by Seth Jenkins, Project Zero Introduction I've recently been researching Pixel kernel exploitation and as part of this research I found myself with an excellent arbitrary write primitive…but without a KASLR leak. As necessity is the mother of all invention, on a hunch, I started researchi...

CVSS: 5.5, AI score: 6.8, EPSS: 0.0088
Exploits: 3

GoogleProjectZero
added 2025/08/08 12:00 a.m., 6 views

From Chrome renderer code exec to kernel with MSG_OOB

Posted by Jann Horn, Google Project Zero Introduction In early June, I was reviewing a new Linux kernel feature when I learned about the MSG_OOB feature supported by stream-oriented UNIX domain sockets. I reviewed the implementation of MSG_OOB, and discovered a security bug (CVE-2025-38236) affecting...

CVSS: 5.5, AI score: 8.1, EPSS: 0.0088
Exploits: 3

GoogleProjectZero
added 2025/09/26 12:00 a.m., 5 views

Pointer leaks through pointer-keyed data structures

Posted by Jann Horn, Google Project Zero Introduction Some time in 2024, during a Project Zero team discussion, we were talking about how remote ASLR leaks would be helpful or necessary for exploiting some types of memory corruption bugs, specifically in the context of Apple devices. Coming from...

CVSS: 7.5, AI score: 6.8, EPSS: 0.01592
Exploits: 1

GoogleProjectZero
added 2025/07/29 12:00 a.m., 5 views

Policy and Disclosure: 2025 Edition

Posted by Tim Willis, Google Project Zero In 2021, we updated our vulnerability disclosure policy to the current "90+30" model. Our goals were to drive faster yet thorough patch development, and improve patch adoption. While we’ve seen progress, a significant challenge remains: the time it takes...

AI score: 7.1
Exploits: 0

Total number of security vulnerabilities: 253