Original research
Deep-dive security research by NadSec. Exploit chain teardowns, malware reverse engineering, and threat intelligence writeups - all based on original work.
A soundness bug in the Linux BPF verifier's maybe_fork_scalars() - one stray +1 causes the verifier to skip an ALU instruction on a forked path. In the BPF_OR case this yields arbitrary kernel R/W, a vtable hijack, a modprobe_path overwrite, and a full container escape to host root. One-character fix merged by Alexei Starovoitov.
How I reverse-engineered 28 JavaScript modules recovered from b27.icu - a watering-hole domain serving a Safari exploit chain targeting iOS 16.0-17.2. Covers WebKit RCE, PAC bypass, JIT cage escape, and the PACDB rolling hash forgery algorithm.
6,596-line static reverse engineering of 16 recovered JavaScript modules. Full XOR string decryption, WebAssembly extraction, ARM64 gadget scanner reconstruction, and complete class taxonomy of every exploitation primitive.
Reverse engineering of the kernel exploitation stage - a 2MB ARM64 DYLIB targeting IOSurfaceRoot. 649 functions, 265 imported symbols, Corellium anti-analysis, multi-SoC support, and full kill chain integration.