YYaaa News

One Click, Full Android Root: Nebula Chains Firefox JIT Into 15-Year-Old Linux Kernel Bug

TL;DR

Nebula's IonStack chain roots Android 17 Pixels in under a minute via a Firefox JIT bug and a 15-year-old Linux kernel flaw.

Nebula Security published a full Android root chain called IonStack: open one link in Firefox for Android and in under 60 seconds the device has an su binary written to disk and a persistent root shell. The demo box was a Google Pixel running Android 17. The clip ends with the attacker swapping the wallpaper for Nebula's cat mascot and dropping into a root adb session.

Two bugs carry the chain. CVE-2026-10702 is a JIT miscompilation in Firefox's JavaScript engine, reported by Nebula and patched by Mozilla on June 2 in Firefox 151.0.3. The handoff goes to GhostLock (CVE-2026-43499), a local privilege escalation that has sat inside the Linux kernel for 15 years untouched. Any logged-in user walks straight to root, on almost every unpatched Linux distro and on Android because Android rides the same kernel.

Nebula said the chain has no in-the-wild exploitation on record and framed the release as a defensive disclosure. The PoC is on GitHub with device-specific adaptation code included. Chinese security outlet Landian News reproduced the attack and confirmed every Pixel model they tested fell, Android 14 through 17, as long as Firefox was not updated. Researcher Alex Petrov wrote on the company blog that their internal AI agent surfaced both bugs in a single scan, "a browser JIT bug and a 15-year-old kernel flaw out of the same run."

Google has not assigned an Android-specific patch for CVE-2026-43499 yet. Pixel users can only close the entry point by updating Firefox; Chrome users are not exposed to this chain, but GhostLock is still a master key for anyone who already has a shell. The Hacker News quoted a Google Project Zero source saying the mainline kernel patch is in review and expected to land in stable by mid-July.

via Cyber Kendra / The Hacker News / Landian News
一次點擊拿下 Android Root|Nebula 用瀏覽器串 15 年前 Linux 核心洞打穿 Pixel