
Critical Thinking - Bug Bounty Podcast Episode 157: Crushing Pwn2Own & H1 with Kernel Driver Exploits
Jan 15, 2026

Joining the discussion is Hyprdude (Hypr), a notable security researcher and exploit developer acclaimed for his kernel driver research on MediaTek. He shares insights on exploiting a MediaTek Wi-Fi driver vulnerability, detailing the technical nuances of heap overflow and chaining primitives for successful exploits. Hypr recounts his experiences at Pwn2Own, highlighting the pressure of live demonstrations and the challenges of navigating bug bounty programs. He encourages other hackers to explore IoT, where low-level bugs abound, emphasizing the practical skills gained from real-world exploit development.
AI Snips
Ioctl Handlers Are High-Risk Kernel Surface
- Ioctl handlers let user space send structured messages directly to kernel drivers without many guards.
- Unchecked size fields in those structures commonly enable heap overflows in proprietary drivers.
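As an added illustration (not code from the episode, nor from any MediaTek or Netgear driver): a user-space model of an ioctl handler that trusts the size field in the request, beside one that validates it before copying. The struct and function names are hypothetical, and copy_from_user is modelled with memcpy over a constructed request buffer so the check can be exercised without a kernel.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PARAM_LEN 32   /* hypothetical capacity of the driver-side buffer */

/* Wire format user space hands to the driver: a length field, then payload. */
struct wifi_param_req {
    uint32_t len;          /* user-controlled size field */
    uint8_t  data[];       /* payload follows the header */
};

/* Driver-side object living in a fixed-size heap/slab allocation. */
struct wifi_dev {
    uint8_t  param[MAX_PARAM_LEN];
    uint32_t param_len;
};

/* Vulnerable shape: the user-supplied len drives the copy length, so any
 * len > MAX_PARAM_LEN writes past dev->param (heap overflow). Shown for
 * comparison only; do not call it with an oversized request. */
int ioctl_set_param_unchecked(struct wifi_dev *dev,
                              const struct wifi_param_req *req) {
    memcpy(dev->param, req->data, req->len);
    dev->param_len = req->len;
    return 0;
}

/* Hardened: arg_size is how many bytes user space actually passed. The size
 * field is checked against both the destination capacity and the bytes
 * present before any memory is touched. Header is read with memcpy so an
 * unaligned request buffer is handled safely. */
int ioctl_set_param_checked(struct wifi_dev *dev,
                            const uint8_t *arg, size_t arg_size) {
    uint32_t len;
    if (arg_size < sizeof len) return -EINVAL;     /* header incomplete */
    memcpy(&len, arg, sizeof len);
    if (len > MAX_PARAM_LEN) return -EINVAL;       /* exceeds dest buffer */
    if (len > arg_size - sizeof len) return -EINVAL; /* claims bytes not sent */
    memcpy(dev->param, arg + sizeof len, len);
    dev->param_len = len;
    return 0;
}

/* Test helper: builds a request blob (header + payload); returns its size. */
size_t build_req(uint8_t *buf, uint32_t claimed_len,
                 const uint8_t *payload, size_t payload_len) {
    memcpy(buf, &claimed_len, sizeof claimed_len);
    memcpy(buf + sizeof claimed_len, payload, payload_len);
    return sizeof claimed_len + payload_len;
}
```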
Built Kernel Exploit Largely Without A Debugger
- Hyprdude developed a kernel exploit against a Netgear router while largely 'blind' with no kernel debugger attached.
- He iterated by reading the source and by trial and error, rebooting the device many times to observe crashes and traces.
Heap Metadata Corruption Yields Arbitrary Allocations
- Small out-of-bounds writes can corrupt slab free-list pointers and create controlled allocations.
- Overwriting a free chunk's next pointer lets a later allocation return memory at an attacker-chosen address.
