(CVE-2025-55336) Windows Cloud Files Mini Filter Driver Information Disclosure
CVE: CVE-2025-55336 Affected Versions: Windows 10 (21H2, 22H2, 1809), Windows 11 (22H2, 23H2, 24H2, 25H2), Windows Server 2019, 2022, 2022 …
STAR Labs is a Singapore-based offensive security firm specializing in vulnerability research and advanced cybersecurity training. We identify critical weaknesses in widely used software, collaborate with vendors to remediate them, and equip defenders with the mindset and techniques of real-world attackers. Our expertise is demonstrated through success at Pwn2Own and a strong track record of responsible vulnerability disclosures to Microsoft, Google, and enterprise clients across Asia.
From product audits to red team engagements, our services are run by the same people who find bugs in browsers, kernels, and firmware.
Licensed pentesting in Singapore (CS/PTS/C-2022-0106). Web, mobile, network, cloud, and infrastructure assessments run by researchers who also find 0-days.
Adversary-emulation engagements that test whether your detection & response actually work when a capable attacker is inside.
Targeted research on your product, supply chain, or key third-party software. Reverse engineering, fuzzing, and manual review to surface pre-disclosure vulnerabilities.
Manual code review by researchers who've found critical bugs in the Linux kernel, Chromium, Windows, and IoT firmware.
Hands-on offensive-security training for blue teams, developers, and researchers-in-training. Delivered by instructors with real exploit chains to their name.
Strategic guidance for CISOs and product teams navigating secure-by-design, SDLC, and incident response.
A missing OBJ_FORCE_ACCESS_CHECK flag in vhdmp.sys allows a low-privileged local attacker to write arbitrary data to any file on the system …
A use-after-free in tls_sw_recvmsg arises when a zero-length decrypted TLS record causes darg.skb (strp->anchor) to be queued into rx_list …
CVE: CVE-2025-50170 Affected Versions: Windows 10 (1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2), Windows Server 2019, 2022, 2025 …
Insufficient validation of the TRACE_ENABLE_FLAG_EXTENSION offset in Windows Event Tracing allows a local attacker to corrupt flag extension …
An unchecked 32-bit reference counter overflow in the Windows ETW provider traits tree allows a local attacker to trigger a use-after-free …
TL;DR In January 2026, the Chrome Releases blog announced several security fixes across different Chrome components. One entry caught our attention: CVE-2026-0899, an Out-of-Bounds …
A single-byte integer overflow in Cisco's EUQ RPC protocol chains into Python pickle deserialization, achieving unauthenticated RCE with a single HTTP request against Cisco Secure …
Eight years ago today, I started STAR Labs by hiring several fresh grads with no working experience. Today, I stand here with a different group of faces. Some of you were there …
Every vulnerability we find goes through a structured disclosure process. Here are some of the vendors we've worked with.
Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software …
SpiriCyber is a Capture the Flag (CTF) competition held in Singapore, focused on offensive security and vulnerability research challenges. At SpiriCyber 2024, …
Drop us a line. We'll scope a pentest, red team, or code audit tailored to your stack.