Reverse engineering, vulnerability research, Linux kernel work.
Every system keeps a few rooms the author never expected a visitor in.
Linux kernel & driver work
Upstream patches
- rtw89 USB TX flow control — fixed a mac80211 contract violation causing ~200× packet loss under monitor-mode and high-throughput conditions. Atomic in-flight URB tracking, six versions, merged to rtw-next (commit 80119a77e5b0).
- mt7921u TX power reporting — traced an INT_MIN propagation bug through the mac80211 subsystem to a driver callback timing issue. Co-developed-by on the MediaTek maintainer’s v2 series.
- mt76 RX bitrate reporting (mt792x) — populated NL80211_STA_INFO_RX_BITRATE across MT7921/MT7922/MT7925. Independently confirmed on Wi-Fi 7 hardware by a community tester. Lucid-Duck/mt76-rxrate, test request thread.
- rtw89 USB 2 → USB 3 switch-mode gap — isolated a missing code path via source-level diff, built a cross-chipset test matrix across four adapters and three host platforms (Lucid-Duck/rtw89-usb3-gap).
- mt7921u active-monitor / evil-twin crash (morrownr/USB-WiFi#682) — reproduced across three distributions, posted a formal Tested-by on the upstream fix spanning Fedora, Kali, and Ubuntu with zero kernel warnings.
Stewardship
Co-maintainer on morrownr/mt76 — build infrastructure, install/uninstall tooling, multi-distro regression test lab covering Debian, Arch, Alpine, Kali, Ubuntu, and Fedora. Chipset comparison research at Lucid-Duck/wifi-pentest-comparisons.
Focus: USB Wi-Fi driver debugging, cross-layer analysis (USB ↔ kernel ↔ RF), reverse engineering undocumented hardware behaviour.
Security research & vulnerability discovery
Selected findings
All of the findings below were discovered, proven, and reported inside three months: January, February, and March 2026.
One enterprise VPN client, three independent root-level LPEs in a single disclosure. Windows TOCTOU to SYSTEM via hardcoded 3DES extracted from the IPC protocol and an oplock-timed signature race. Linux IPC command injection to root in under two seconds. Linux symlink-follow chained to persistent system-wide RCE via /etc/ld.so.preload. Rewarded and vendor-confirmed.
Reconstructed a stripped VPN client from binaries alone, then weaponized it. Licensing blocked normal operation, so I rebuilt the XML profile schema from disassembly, patched unrelated binary bugs to reach vulnerable paths, and surfaced a command-injection route where user-controlled XML flows through snprintf() directly into system() as root.
Reverse-engineered a Linux security vendor’s proprietary IPC protocol, then used their own wire format against them. Quarantine bypass that lets malware survive detection indefinitely. Log injection that writes attacker-controlled events straight to the cloud admin console.
Stack-overflowed an endpoint-protection product with a single UDP packet. DNS parser in the Windows network filter service. 100% reproducible persistent DoS.
Carpet-bombed a network monitoring agent with a multi-finding chain. Sandbox escape via JavaScript runtime misconfiguration that lands true RCE on the agent host. Symlink LPE through a TOCTOU race. Arbitrary file read on the headless web-automation component via filesystem race condition. Three independent classes of vulnerability on one product.
Extracted a hardcoded CA private key identical across every deployment of a virtual gateway appliance worldwide. Built a working MITM proxy that forges trusted certificates for any installation on earth. Also surfaced a production private TLS key deployed as the default web cert on every boot.
Nation-wide telecom webmail account takeover — proved mass identity theft feasible on millions of users. Built a tool that cracked the one-time password in minutes and received a valid session token. Lockout hardcoded to zero. 2FA globally disabled. DOB validation non-functional. Any account vulnerable knowing nothing but the email address. Three accounts taken over end-to-end, including one belonging to the carrier’s own security team.
Fintech mobile app: deep bytecode RE + CDN bypass. Patched an open-source decompiler to handle a proprietary bytecode version it could not. Analysed the decompiled output, surfaced a dozen-plus vulnerability classes across auth, payments, identity verification, and fraud detection. Separately built a CDN bot-management bypass via rooted emulator, live memory dump at unreachable addresses, and TLS-fingerprint-spoofed replay for full authenticated API access.
Feature-flag platform security exfiltration. Extracted a production SDK key from compiled bytecode, dumped hundreds of feature flags, internal email addresses, and developer device IDs — a full map of which payment endpoints had fraud detection, which did not, and multiple paths to bypass identity verification.
Network camera: unauthenticated RCE via reverse-engineered binary event-condition serialization. Arbitrary command execution through user-controllable virtual inputs.
Vendor-confirmed CVEs in the disclosure pipeline
Four vendor-confirmed CVEs pending public advisory:
- Windows TOCTOU → SYSTEM on an enterprise VPN client
- Linux symlink-follow → root on the same enterprise VPN client
- DNS parser stack overflow on a Windows endpoint-protection service
- Symlink LPE on an enterprise network monitoring agent
Plus more that will never see daylight thanks to NDAs.
Direct CVE links posted here Q4 2026 – Q1 2027 as advisories go public.
What I do
- Linux kernel and wireless driver debugging, upstream contributions, repo maintenance
- Binary reverse engineering without source or documentation
- Mobile application RE (Android, React Native, JavaScript bytecode formats, native libraries)
- Vulnerability research in enterprise software (EDR, VPN, identity providers, telecom, network appliances)
- Exploit development and proof-of-concept creation
- Protocol analysis and proprietary format reconstruction
Open to remote contract work in kernel / driver development, vulnerability research, and embedded security.
Contact: lucid_duck@justthetip.ca