PatchLeaks

Presented at DEF CON 33 (2025), Aug. 9, 2025, 2 p.m. (45 minutes).

When vulnerabilities are disclosed, security teams face the task of developing exploits to identify compromised assets. Public exploits aren’t always available, which is why teams scroll through hundreds of patches to identify the relevant one. Traditional methods like grepping might fasten the process, but mostly come out ineffective against modern codebases where context-aware analysis is required. We present PatchLeaks tool that transforms the messy patch analysis process into efficient vulnerability discovery. Unlike regex-based static analysis tools, it locates relevant patches with vulnerable code based on CVE id only, doesn’t require any rules, has ability to identify logical vulnerabilities, and analyzes even corrupt files.

Presenters:

• Huseyn "Khatai" Gadashov
  Huseyn is a web application security specialist whose experience includes security roles at multiple financial institutions where he conducted web penetration testing, vulnerability assessments, and developed exploit automation tools. In his free time, he analyzes security patches to craft private exploits and uses them in his technical publications. Using his offensive security experience, he explores how machine learning can revolutionize the identification of hidden vulnerabilities within security patches.

Similar Presentations:

• DEF CON 18 (2010) / ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically