https://frederik353.github.io/writeups/tags/uaf/ Recent content in Uaf on Frederik353 Hugo -- gohugo.io en © 2026 Frederik Tokle Negård Sat, 25 Apr 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/umd-26/velvet-table/ Sat, 25 Apr 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/umd-26/velvet-table/ Glibc 2.32+ heap note manager wrapped in heavy XOR obfuscation. An inverted size check in the cashout handler turns the dev’s careful tcache bookkeeping into a free UAF, with a slightly longer smallbin attack waiting behind it as the intended path. https://frederik353.github.io/writeups/ctfs/0xfunctf-26/phantom/ Sat, 14 Feb 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/0xfunctf-26/phantom/ Physical page UAF in a kernel module: reclaim the freed page as a PMD, forge 2MB huge page entries for arbitrary physical memory R/W, and overwrite modprobe_path to read the flag.