upvote
Thanks for testing, we currently only tested it on Pixel 10, but there are a few people on our repo creating PR to support other devices, you can take a look here https://github.com/NebuSec/CyberMeowfia
reply
Can you please provide a `Dockerfile` to build the POC/exploit?
reply
I've been noodling with porting the kernel exploit to other devices, and the exploit is very sensitive to how the compiler happens to lay out stack frames, which varies between kernel builds. Once you figure out the right "stamp method" and offsets for a particular kernel build though, it's fairly reliable.
reply
Would be amazing if this was used to root so-far unrootable android devices. Any suggestions.
reply
Wonder if it were possible to use this to (finally) jailbreak DJIs original RC that came with the Mini 3 Pro.

It doesn't have a web browser or, virtually, anything of use... but I think it supports enough of a web browser to log in into wifi captive portals.

reply
Root for these RCs has been available under the guise of “FCC hack” for a really long time now; different groups have different exploits (it’s DJI so there are plenty) that work on different firmware versions.

This would almost surely work there too, though.

reply
What can you do with a jailbroken drone rc?
reply
Mostly they’re used to enable illegal RF parameters in Europe (FCC hack); DJI disabled strict geofencing in most of the “west” several years ago and that was also enforced in the drone anyway.
reply
If you don't mind going to jail and/or paying a fine, flying in restricted/illegal areas.
reply
Makes sense
reply
So I took the risk and ran it on a Samsung S26 Ultra - I will confirm the full details once I have `adb` installed and running.

The exploit/POC (call it what you want) ran or appeared to have executed because:

1. I saw output on the Firefox tab when I navigated to <https://rootme.nebusec.io/b9e3f1a4-7c82-4d6e-9a51-2f8c4b3e0d...>.

2. I saw some output from the execution of the POC.

However, after I went to <https://rootme.nebusec.io/b9e3f1a4-7c82-4d6e-9a51-2f8c4b3e0d...> the phone froze and refused to respond to any input. The only thing that worked was restarting, which I wonder how it works given the, I think, the kernel has hung. Does anyone know how the kernel is able to respond to events whilst the system has hung? The screen remains on with the partial output of the execution of the POC until the screen saver kicks in ...

reply
The kernel is not a single-threaded process - a "kernel hang" is not a very specific description and you don't have a way to know that it happened anyway. The screen timing out is evidence that the kernel was largely working, actually. Of course if some data structure got corrupted it could have affected a specific essential part of the system, such as the touchscreen driver or the display compositor.
reply
I've created an issue in GitHub, please see https://github.com/NebuSec/CyberMeowfia/issues/46 (Samsung SM-S948B (S26 Ultra)).

It would be nice to get a `Dockerfile` to build the exploit/POC.

reply
fwiw, the firefox vulnerability seems to be CVE-2026-10702 (type confusion in the ionmonkey jit compiler): https://www.sentinelone.com/vulnerability-database/cve-2026-...
reply
Severity score of 4.3 seems low considering the click2pwn in this thread. Though Firefox on Android is uniquely bad because of the lack of sandboxing.
reply
What Android devices did you test on exactly?

I take it you did NOT unlock the bootloader?

> Two boot looped, I had to enter recovery and the other just powered off [0].

Absolutely crazy that it is possible to brick someone's phone via an exploit but ... hey.

After the power off what happened? Do things seem normal?

When it entered recovery mode where you able to get the phone in a clean state again? I take it that you did?

I'd really like to run this but I, ideally, do not want to run something random from the internet. It's a shame there is no `Dockerfile` to build this exploit/POC. All I want is LPE to `root` on a Samsung (Snapdragon) phone.

reply
Originally tested on non personal devices

Honor 10 - Moto G04 - Poco X3

Poco is unlocked.

There is no brick on any, they're boot loader bugs and unrelated to the exploit. Recovery "reboot" was used.

You need to modify it to root, the example only crashes the kernel.

reply