Ivan Fratric 💙💛 (@ifsecure)'s Twitter Profile
Ivan Fratric 💙💛

@ifsecure

Security researcher at Google Project Zero. Author: Jackalope, TinyInst, WinAFL, Domato. PhD. Tweets are my own.
Backup @[email protected]

ID: 351702234

Link: http://ifsec.blogspot.com/ Joined: 09-08-2011 16:37:46

1.1K Tweets

17.17K Followers

196 Following

Ivan Krstić (@radian)'s Twitter Profile Photo

🔺iPhone models announced today include Memory Integrity Enforcement, the culmination of an unprecedented design and engineering effort that we believe represents the most significant upgrade to memory safety in the history of consumer operating systems. security.apple.com/blog/memory-in…

Ivan Fratric 💙💛 (@ifsecure)'s Twitter Profile Photo

If you're keeping an eye on the Big Sleep issue tracker (goo.gle/bigsleep) you might have noticed that the detailed reports for some bugs (e.g. issuetracker.google.com/issues/4351567…) are now public. Note however that all reports are lovingly crafted by a human and not AI-generated.

Seth Jenkins (@__sethjenkins)'s Twitter Profile Photo

I've derestricted 3 unfixed issues in the Google BigWave driver - these bugs are reachable from media decoding contexts on Pixel devices. E.g. project-zero.issues.chromium.org/issues/4265679…

Seth Jenkins (@__sethjenkins)'s Twitter Profile Photo

Oh also this, which is technically WAI but has the unfortunate side effect (because of linear map non-randomization) that instead of bypassing KASLR, you can just use 0xffffff8000010000 as your kernel base instead.... project-zero.issues.chromium.org/issues/4342697…

Ivan Fratric 💙💛 (@ifsecure)'s Twitter Profile Photo

In isolation, project-zero.issues.chromium.org/issues/4342697… and project-zero.issues.chromium.org/issues/4342084… might not appear very critical. However, together they mean KASLR on Pixel is broken :(. Both of these issues have been declared "working as intended" by the respective vendors :(

Ivan Fratric 💙💛 (@ifsecure)'s Twitter Profile Photo

A new Project Zero blogpost by Jann Horn - [email protected] in which he writes about an interesting and little-known bug class that affected web browsers, Linux and, most recently, macOS. The bug class can also be used for leaking pointer tag information in some scenarios.

RyotaK (@ryotkak)'s Twitter Profile Photo

I reported an arbitrary code execution in Unity Runtime, which affects all versions starting from Unity 2017.1. As the vulnerability can be exploited without specific usage, I strongly encourage developers to patch. Technical details below: flatt.tech/research/posts…

Oliver Chang (@halbecaf)'s Twitter Profile Photo

Really excited to finally announce CodeMender! As part of this we've already submitted and upstreamed several patches to OSS projects via OSS-Fuzz. Check out our post at: deepmind.google/discover/blog/… There will be more technical details and exciting announcements to come!

Natalie Silvanovich (@natashenka)'s Twitter Profile Photo

Serious bugs often occur in third-party components integrated by other software. Ivan Fratric 💙💛 and I found this vulnerability in the Dolby Unified Decoder. It affects Android, iOS and Windows among other platforms, sometimes 0-click. project-zero.issues.chromium.org/issues/4280754…

Ivan Fratric 💙💛 (@ifsecure)'s Twitter Profile Photo

A fun fact about this bug is that we only had an (entirely internally imposed) ~ 8 hour deadline to find it. Looking forward to sharing more info about it.

Ivan Fratric 💙💛 (@ifsecure)'s Twitter Profile Photo

“I have [...] extreme fear because once things hit this level, you never know what’s going to happen”. Well I guess now he knows how his victims feel.

Samuel Groß (@5aelo)'s Twitter Profile Photo

We derestricted crbug.com/382005099 today which might just be my favorite bug of the last few years: bad interaction between WebAudio changing the CPU's handling of floats and V8 not expecting that. See crbug.com/382005099#comm… for a PoC exploit. Also affected other browsers.

Seth Jenkins (@__sethjenkins)'s Twitter Profile Photo

We really should be talking about this more.... KASLR is just not working properly on Android right now, and it hasn't for a long time. googleprojectzero.blogspot.com/2025/11/defeat…

Ivan Fratric 💙💛 (@ifsecure)'s Twitter Profile Photo

Great news for browser security (and not just because it cites my XSLT research :)). A lot of younger folks don't even know this feature exists, yet it is/was the default attack surface in all major web browsers with a history of exploitation. developer.chrome.com/docs/web-platf…