TheFloW discloses *potential* PS5 Kernel Exploit, believed to be working up to Firmware 10.40
PlayStation hacker TheFloW has disclosed a new PS5 Kernel vulnerability via the bug bounty platform HackerOne. This is a full disclosure (albeit without actual PoC code), so assuming matching usermode exploits eventually get discovered, this could lead to a bright future for PS5 owners looking for a Jailbreak. Based on the submission date of the vulnerability, it is believed to work up to and including Firmware 10.40, but this remains to be confirmed.
With all of this being said, some hackers on the scene are advising us to keep our expectations low, as it might not actually be exploitable.
PS5 Kernel exploit incoming for firmware 10.40?
The PS4 and PS5 have been “stuck” with Jailbreaks being only available on fairly old firmwares for quite some time now. Although this seems to be the rule now on PlayStation devices (and, as such, the advice to buy a console early and keep it on a low firmware from Day 1 remains the most valid piece of advice one can give in the PlayStation scene), this has understandably left a lot of users frustrated.
We’ve had significant movement recently for firmwares up to 7.61 thanks to the umtx exploit and recent ports of etaHEN to those “somewhat recent” firmwares. But anything above 7.61 was pretty much out of luck… until now.
TheFloW submitted a vulnerability report for a Kernel exploit on PS5 back in December 2024, roughly 4 months ago. Although it is up to PlayStation and the hacker to jointly decide whether to ultimately disclose an exploit or not, in the past TheFloW (and, to their credit, PlayStation) has been keen to share his work with the scene. It goes without saying that by the time the bug is revealed, the most recent PS5 firmware will have been patched.
Scene veteran Zecoxao estimates that, considering the submission date of 2024/12/15, Firmware 10.40 (and all firmwares below) might be impacted, while 10.60 could have the patch fixing the vulnerability.
10.40 is the limit of this use after free, since 10.60 was released on January 23 2025 and TheFlow disclosed to sony on 14 December 2025
— Jose Coixao (@notnotzecoxao) April 18, 2025
PS5 Kernel Vulnerability in sys_fsc2h_ctrl
It is possible to cause a kernel stack free in the syscall sys_fsc2h_ctrl.

Consider 4 threads:

- Thread 1: The command CMD_WAIT (0x10001) in sys_fsc2h_ctrl waits for path 1.
- Thread 2: The command CMD_WAIT (0x10001) in sys_fsc2h_ctrl waits for path 2.
- Thread 3: The command CMD_RESOLVE (0x20005) in sys_fsc2h_ctrl sets the pointer of path 2 to a local stack buffer and sleeps.
- Thread 4: The command CMD_COMPLETE (0x20003) in sys_fsc2h_ctrl writes data into that local stack buffer and wakes up thread 3.
- Thread 2: This thread wakes up before thread 3 and it will free path 2. However, that is not a malloc() allocation, but it is actually a pointer to kernel stack.

Impact
Privilege escalation.
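As an added illustration (not TheFloW's code, not PS5 kernel code, and not Sony's fix), here is a deterministic C model of the ownership confusion the report describes: the path record ends up pointing at another thread's stack buffer, and the waiter's teardown frees it as if it were heap memory. The arena, the ownership tag and all function names are assumptions made for the model; the hardened release shows one way an allocator boundary check and an ownership tag catch the bogus free.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical model (not PS5 kernel code) of the per-path record that
 * CMD_WAIT / CMD_RESOLVE / CMD_COMPLETE operate on. */
struct path {
    char *buf;        /* destination CMD_COMPLETE writes into */
    bool  heap_owned; /* ownership tag, consulted only by the hardened release */
};

/* A small arena stands in for the kernel malloc() pool, so a free of memory
 * that never came from the allocator is detectable instead of undefined. */
static char arena[256]; static size_t arena_used;

static char *kmalloc_model(size_t n) {            /* bump allocator */
    if (arena_used + n > sizeof arena) return NULL;
    arena_used += n;
    return arena + arena_used - n;
}

/* Returns 0 for a legitimate free, -1 when handed non-heap memory. */
static int kfree_model(const char *p) {
    return (p >= arena && p < arena + sizeof arena) ? 0 : -1;
}

/* CMD_RESOLVE (thread 3 in the report): repoint path 2 at the caller's stack
 * buffer while the CMD_WAIT waiter (thread 2) is still pending. */
static void cmd_resolve(struct path *p, char *stack_buf) {
    p->buf = stack_buf;
    p->heap_owned = false;
}

/* CMD_COMPLETE (thread 4): deliver data into whatever buffer is installed. */
static void cmd_complete(struct path *p, const char *data, size_t n) {
    memcpy(p->buf, data, n);
}

/* Thread 2 tearing the path down: the vulnerable release frees buf blindly,
 * the hardened one refuses to free memory the path does not own. */
static int release_path(struct path *p, bool hardened) {
    if (hardened && !p->heap_owned) return 0; /* stack memory: nothing to free */
    return kfree_model(p->buf);
}

/* Replays the report's interleaving; -1 = stack pointer reached the free path. */
int replay_race(bool hardened) {
    char stack_buf[16];                        /* thread 3's local buffer */
    struct path p = { kmalloc_model(16), true };
    cmd_resolve(&p, stack_buf);
    cmd_complete(&p, "constructed data", 16);  /* constructed sample payload */
    return release_path(&p, hardened);
}
```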
Is HackerOne a blessing or a curse for the PS4/PS5 scene?
People have taken to Twitter to say that HackerOne is damaging the scene, in particular since we’re at the mercy of Sony’s security team to decide whether an exploit will be disclosed or not. I personally think this situation benefits both the scene and professional hackers. As much as some people want to believe it, there is no way the scene could collectively gather enough money to consistently pay a $10’000 bounty for a Jailbreak. In my almost 20 years of experience in the scene now, I have seen countless attempts at gathering money to fund the efforts of security researchers: gathering more than $1000 for a very promising lead is the exception, not the norm. $10’000 would be a massive undertaking, not even mentioning the legality aspects of it.
It is true that the PlayStation hacking scene is much less lively than in the PSP/PS3 days, but in my opinion this is mostly the result of:
- the security of the new devices being significantly improved, meaning a much higher entry barrier for people interested in tinkering
- more and more devices (e.g. phones) and services (e.g. Epic, GOG, …), together with the rise of the free-to-play gaming model, allow people to play a lot of games for practically nothing nowadays, meaning (IMO) some of the appeal of running emulators or pirated games (I know, shocking) on consoles is fading away fast
- the PS4 and PS5 being very similar to regular computer hardware and architecture. Some hackers such as fail0verflow have indicated that this impacted their motivation to work on the consoles.
In my opinion, HackerOne is a blessing in disguise because I believe it keeps some hackers such as TheFloW interested, if only because it gives some “professional street cred” varnish to the hacking effort, for people who are already professionals in the field.
What’s next for the PS5 Jailbreak status?
At this point, the only thing we can do is wait. It is likely that some people will be working on figuring out if this can lead to an exploit, and if so, how to weaponize it into a Jailbreak. Additional entry points (i.e. usermode exploits such as WebKit vulnerabilities) will also be needed for the impacted firmwares.
With that being said, some folks on the PS5 Homebrew Discord have expressed doubt that this could lead to a workable exploit. SpecterDev in particular is advising people to lower their expectations:
It is true that PlayStation have paid a $10’000 bounty for this bug, but it could simply be that they recognize the potential impact of such a bug, even without definitive proof that it can lead to a Jailbreak. Conversely, it is possible TheFloW has a whole exploit chain leveraging this particular vulnerability.
TheFloW is expected to talk at the upcoming TyphoonCon 2025, and some people expect he could reveal a bit more about this particular vulnerability. But to be honest the talk seems to be more about his career than particular hacks, so I personally doubt details on a new kernel exploit would be revealed there:
As always, wait and see.
source: HackerOne
I agree that we should keep our expectations low. The PS5 has been a beast to hack so far, and $ony has not been allowing full disclosure from its bounty recipients.
Very nice! Thanks to TheFlow and everyone else working on and for the scene!
Specter is so wrong. TheFloW reported the bug to Sony and is saying it can be used for privilege escalation, and Sony paid him 10k for it, which is the same amount as for many other exploits he reported that led to a jailbreak. If TheFloW says it’s exploitable then it is. If Sony pays then it is confirmed 100% to be useful for jailbreaking.
I agree that this could probably be turned into an exploit but that doesn’t mean the information needed to release this exploit gets shared.
You can do it sensei
Nice to see a new article :).
Hopefully this is actually exploitable and leads to something.
There’s a lot of talk about PS5 exploits, but things are still pretty silent on the PS4 jailbreak front, despite the fact that the platform is slowly losing its support, with fewer new games getting released on it and attention towards it lowered.
Could you please share in an upcoming blog post which consoles come with firmware 10.20 or lower? I’m not quite sure what version of the system current PS5s come with from the factory, the Slim for example, or the PS5 Pro.
I had also read that to run all this you need the Blu-ray unit, and therefore on consoles where the Blu-ray unit is not active, it will not work. Remember that the Blu-ray unit is now activated only by updating the PS5 to the latest version.
Correct me if I am wrong.
And what TheFloW does is something totally unbelievable; this guy is already on another level. I really hope for a full release for the PS5 system versions 10, and, as on PS4, a stable GoldHEN like we have on PS4 9.00 or 11.00. Thanks for the info.