diff --git a/content/24h2-nt-exploit/index.md b/content/24h2-nt-exploit/index.md index 0f9f6fb..fad2c58 100644 --- a/content/24h2-nt-exploit/index.md +++ b/content/24h2-nt-exploit/index.md @@ -54,6 +54,8 @@ _24H2_ As shown above, the change to treating the attribute as volatile results in what was previously a single dereference being replaced with two separate dereferences. +A proof-of-concept for this bug is [available on GitHub](https://github.com/exploits-forsale/CVE-2024-26218). + ### CVE-2024-21345: Double-Fetch in NtQueryInformationThread Leads to Arbitrary Write This bug is similar to the previous one in that it is once again double-fetching a length field in code that previously only contained a single fetch. In contrast to the previous bug this bug does not lead to a buffer overflow, but rather to the bypass of the probe of a user provided address. Bypassing a probe allows a user to specify a completely arbitrary address, including a kernel address, to be written to. @@ -76,6 +78,8 @@ As the code above shows, by having `BytesToRead` in user mode be a non-zero valu Because the TEB resides in user mode memory, the contents of it are also controllable. By writing to the TEB and then triggering this vulnerability to read from the TEB it is possible to write entirely controlled data anywhere in kernel mode memory. +A proof-of-concept for this bug is [available on GitHub](https://github.com/exploits-forsale/CVE-2024-21345). + ## KASLR in 24H2 In previous Windows versions defeating KASLR has been trivial due to a number of syscalls including kernel pointers in their output. In 24H2 however, as documented by Yarden Shafir in a [blog post analyzing the change](https://windows-internals.com/kaslr-leaks-restriction/), these kernel address leaks are no longer available to unprivileged callers.
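Review bot: the first hunk's link text "available on GitHub" says nothing about what the CVE-2024-26218 proof-of-concept actually does or which build it targets, which matters because the surrounding text describes the volatile-attribute change as specific to 24H2. Suggest naming the CVE in the link text and stating whether the PoC only triggers the double fetch (crash) or carries the buffer overflow through to a controlled write, plus the Windows build it was tested against, e.g. "A proof-of-concept for CVE-2024-26218, tested on Windows 11 24H2 build NNNN, is available on GitHub" (with the real build number filled in by the author).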
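Review bot: the second hunk inserts the CVE-2024-21345 PoC link immediately before the "KASLR in 24H2" section, which states that the kernel address leaks are no longer available to unprivileged callers, yet the preceding paragraph says the bug writes controlled data "anywhere in kernel mode memory". A reader will want to know whether the linked PoC includes its own KASLR bypass, requires a supplied kernel address, or only demonstrates the probe bypass; suggest one clause in the link sentence making that explicit, and, as in the first hunk, putting the CVE identifier in the link text rather than the generic "available on GitHub".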