diff --git a/pocs/linux/kernelctf/CVE-2023-52620_lts_cos_mitigation/docs/exploit.md b/pocs/linux/kernelctf/CVE-2023-52620_lts_cos_mitigation/docs/exploit.md index 23028b38..b9f1f068 100644 --- a/pocs/linux/kernelctf/CVE-2023-52620_lts_cos_mitigation/docs/exploit.md +++ b/pocs/linux/kernelctf/CVE-2023-52620_lts_cos_mitigation/docs/exploit.md @@ -279,7 +279,7 @@ void rop_chain_256(uint64_t* data){ For COS kernel, the ROP payload is stored in `chain->rules_gen_0[0]` allocated in `kmalloc-cg-192`. -When `eval()` is called, `RBX` points to `kmalloc-cg-192+0x0`, which is the beginning of the `nft_rule` structure. +When `eval()` is called, `RBX` points to `kmalloc-cg-192+0x0`, which is the beginning of the `nft_rule` structure. LTS kernel (v6.1.x) uses `struct nft_rule_blob`, while COS kernel (v5.15.x) uses a double pointer of `struct nft_rule`, which caused the difference. Also, it is not necessary to bypass the rcu protected section when performing ROP on the COS kernel. ```c void rop_chain(uint64_t* data){
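Review bot: the added sentence ends with "which caused the difference" without saying which difference it explains; the only preceding statement is that `RBX` points to `kmalloc-cg-192+0x0` (the start of `nft_rule`) on COS, so the LTS case is never described. Suggest stating the contrast explicitly, e.g. "On LTS (v6.1.x) the rules are packed inside `struct nft_rule_blob`, so `RBX` does not land on the start of an `nft_rule`; on COS (v5.15.x) `chain->rules_gen_0[0]` is a `struct nft_rule *`, so it does." The final clause ("it is not necessary to bypass the rcu protected section when performing ROP on the COS kernel") is likewise asserted without a reason; one sentence naming the v5.15 code path that makes the bypass unnecessary would let a reader verify the claim rather than take it on trust. Minor: "rcu protected" should be hyphenated as "RCU-protected" for consistency with the rest of the write-up.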