0x5A1F (@saif_sherei)'s Twitter Profile
0x5A1F

@saif_sherei

some security stuff, opinions are based on experimental thought patterns resulting in delusional yet fun life choices. @[email protected]

ID: 142328331

Website: http://www.elsherei.com/

Joined: 10-05-2010 15:52:19

5.5K Tweets

4.4K Followers

1.1K Following

Francisco Falcon (@fdfalcon)

Wow, remote OS command injection (from the same network segment) in FreeBSD IPv6 stack via router advertisement packets: freebsd.org/security/advis… rtsold passes the unescaped domain search list option from the RA packet to the resolvconf shell script.
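The rtsold bug described above has a classic shell-injection shape: data from an untrusted packet is placed into a command line that a shell then reparses. The Python below is an added illustration, not FreeBSD's rtsold or resolvconf code and not from the tweet's author. It models the RA DNS Search List (DNSSL) option as a list of strings, uses `echo` as a stand-in for the resolvconf hook, and contrasts an interpolated `sh -c` call, which executes an embedded command substitution, with an argv-based call guarded by an RFC 1035 label check. The function names and the sample list are constructed for this example.

```python
"""Model of an RA domain search list flowing into a shell hook.

Added illustration, not rtsold/resolvconf source: 'echo' stands in for the
resolvconf hook, and the domain list stands in for the parsed DNSSL option.
"""
import re
import subprocess

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_search_domain(domain: str) -> bool:
    """Syntactic DNS-name check; anything a shell could reinterpret fails it."""
    name = domain[:-1] if domain.endswith(".") else domain  # tolerate a trailing root dot
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def rejected_search_domains(domains: list[str]) -> list[str]:
    """Names from the RA that the hardened path refuses to pass on."""
    return [d for d in domains if not is_valid_search_domain(d)]


def run_vulnerable_hook(domains: list[str]) -> str:
    """Unsafe pattern: the search list is concatenated into a command string and
    handed to sh, so the shell treats packet data as code (hypothetical hook)."""
    cmd = "echo search " + " ".join(domains)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_hardened_hook(domains: list[str]) -> str:
    """Validate every name first, then pass them as discrete argv entries.
    No shell is involved, so metacharacters are never interpreted."""
    bad = rejected_search_domains(domains)
    if bad:
        raise ValueError(f"rejected RA search domains: {bad!r}")
    out = subprocess.run(["echo", "search", *domains], capture_output=True, text=True)
    return out.stdout.strip()


# Constructed sample: one benign name and one carrying a command substitution.
SAMPLE_DNSSL = ["corp.example", "$(echo INJECTED)"]

if __name__ == "__main__":
    print(run_vulnerable_hook(SAMPLE_DNSSL))  # shell expands $(...): "search corp.example INJECTED"
    try:
        run_hardened_hook(SAMPLE_DNSSL)
    except ValueError as err:
        print(err)
    print(run_hardened_hook(["corp.example", "lab.example."]))
```

With the constructed list, `run_vulnerable_hook` returns `search corp.example INJECTED` because `sh` evaluated `$(echo INJECTED)`. The hardened path rejects that entry before anything runs, and even a name that slipped past validation would reach the hook as one argv element rather than as shell syntax; validation and argv passing are two independent layers, and the fix for this bug class needs at least the second.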

Andrea Allievi (@aall86)

andrea-allievi.com/blog/new-year-… Anti-cheat evolution in Windows... New Year post while I am on vacation is ready!!! 🎉 Happy 2026!

Natalie Silvanovich (@natashenka)

Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices. projectzero.google/2026/01/pixel-…

Sean Heelan (@seanhn)

Blog post: On the Coming Industrialisation of Exploit Generation with LLMs sean.heelan.io/2026/01/18/on-… TL;DR: I ran an experiment with GPT-5.2 and Opus 4.5 based agents to generate exploits for a zero-day QuickJS bug. They're pretty good at it. Code: github.com/SeanHeelan/ana…

Natalie Silvanovich (@natashenka)

No security feature is perfect. James Forshaw reviewed Windows’ new Administrator Protection and found several bypasses. projectzero.google/2026/26/window…

Security Bug Aggregator (@bugsaggregator)

[453094710][reward: $250000] Out-of-bound read in the jmp table of ActiveMediaSessionController leads to sandbox escape. crbug.com/453094710

Alexandre Borges (@ale_sp_brazil)

I am pleased to announce the publication of the sixth article in the Exploiting Reversing Series (ERS). Titled "A Deep Dive Into Exploiting a Minifilter Driver (N-day)", this 251-page article provides a comprehensive look at a past vulnerability in a mini-filter driver:

Alex Matrosov (@matrosov)

This year at RE//verse, we’re dropping something special, a project we’ve been heads-down on for a while that boosts semantic-level binary detection with reachability + taint analysis. Like CodeQL/Semgrep, but for binaries.

VulHunt use cases:

Vuln REsearch:

Rebane (@rebane2001)

I built an entire x86 CPU emulator in CSS (no JavaScript). You can write programs in C, compile them to x86 machine code with GCC, and run them inside CSS.

Natalie Silvanovich (@natashenka)

In the final part of his blog series, James Forshaw tells the story of how a bug was introduced into a Windows API. Code re-writes can improve security, but it’s important not to forget the security properties the code needs to enforce in the process. projectzero.google/2026/02/gphfh-…

Bruce Dang (@brucedang)

One of our engineers just did a detailed writeup for one of his Google kCTF kernel exploits. The bug is 20 years old and has been there since Linux 2.6.12! open.substack.com/pub/calif/p/a-…

CTurt (@cturte)

… and just a couple of months later Gezine managed to exploit the compiler process too! This completes the mast1c0re exploit chain for the first time, allowing for arbitrary native userland code execution on the latest PS4 / PS5 firmwares, without needing a kernel exploit

offensivecon (@offensive_con)

We’re proud to have TrendAI Zero Day Initiative return as Offensivecon's Diamond Sponsor! 💎 Their continued support means a lot to us, and we’re thrilled to once again host Pwn2Own in Berlin. Get ready for another amazing Offensivecon!

Alex Plaskett (@alexjplaskett)

An analysis of CVE-2026-21236 - A heap based buffer overflow in the Microsoft Windows Kernel afd.sys - was just published by Emily L, a recent secondment with my team EDG! Nice work for her first triage of a kernel memory corruption bug! nccgroup.com/research/vulne…

Mateusz Krzywicki (@krzywix)

In collaboration with Lookout and Google (thank you 🙏) we have been working on tearing down and building detections for DarkSword, an iOS exploit chain for iOS 18.4 - 18.7. Super excited for this research 🎉. Please update your iPhones. iverify.io/blog/darksword…

V4bel (@v4bel)

I discovered a race-based vulnerability class in the Linux kernel: "Out-of-Cancel"

A structural flaw where cancel_work_sync() is used as a barrier for object lifetime management, causing UAF across multiple networking subsystems.

I wrote an exploit for CVE-2026-23239

Halvar Flake (@halvarflake)

With worries about supply-chain attacks on the Python ecosystem, I wrote a few lines about my preferred development set-up, and how it adapts well to vibe-coding and mitigates many (if not all) risks.

0xor0ne (@0xor0ne)

DIRTYFREE (NDSS 2026): Linux kernel privilege exploitation via arbitrary free primitive leeyoochan.github.io/assets/pdf/Dir… #Linux #infosec
