
From Chrome renderer code exec to kernel with MSG_OOB

ID: 2ec5e44b-7151-54d1-85bf-a08863ddfcdb

STIX ID: report--2ec5e44b-7151-54d1-85bf-a08863ddfcdb

Feed Name: Google Project Zero

Threat Score: 80/100

Date Published: 2025-08-08

Date Updated: 2026-04-27

Author: Google Project Zero

...
...

Project Zero's writeup covers a use-after-free in the out-of-band (MSG_OOB) handling of Linux stream-oriented UNIX domain sockets (CVE-2025-38236): its root cause, the patches that fix it, and a detailed exploit chain that escalates from native code execution inside a Chrome renderer sandbox to kernel memory corruption and privilege escalation. The author explains the conditions under which the bug triggers, the semi-arbitrary kernel read primitive derived from it via copy_to_user(), how to get the freed sk_buff page reallocated as a kernel stack, pipe buffer, or page-table target, techniques for slowing down the usercopy, and how to abuse CONFIG_RANDOMIZE_KSTACK_OFFSET to align stack frames reliably. The post closes with the mitigation implications for Chrome's sandbox policies and for kernel usercopy hardening.
