Sam Sanoop

This is my first Linux kernel exploit for Google kCTF, and the patch commit is now public: git.kernel.org/pub/scm/linux/… Actually, this bug was found by AI while analyzing 1-day variants, I'd like to share my approach for these AI things to find bug, and exploitation write-up later.

MAD Bugs: RCE in Ladybird Blog: blog.calif.io/p/mad-bugs-rce… PoC: github.com/califio/public…

the real reason you feel so exhausted after coding with LLMs.

LLMs have gotten good enough at reverse engineering to recover source code from obfuscated binaries with real accuracy. So we asked the obvious next question: how fast and cheap is it to use one to build obfuscation specifically designed to beat it? We benchmarked Claude Opus 4.6 against the Tigress obfuscator across 20 targets first, to map its strengths and failure modes. 40% solve rate. Phase 3 multi-layer combos hit 0%, with cost explosions that killed the runs. Then we ran a dev/test/refine loop to build 3 purpose-built obfuscation variants targeting the same crackme, iterating directly against the model's known weaknesses. The finding: LLM-targeted obfuscation is fast and cheap to develop. Context windows, budget caps, and shortcut biases are all exploitable attack surfaces. The arms race just shifted.

Chinese LLMs can hack better than state-sponsored hackers with properly evolved harness - Kimi K2.5 managed to find and exploit 6 vulnerabilities in browsers: a single page view or an extension install by victims equal full system hijack. Check arxiv.org/abs/2604.20801

Cool exploit with @_0x999: He found that \x7F breaks Chrome's "Copy as cURL (cmd)" command parsing in Windows Console Host. In combination with a ", it allowed you to add any arguments to curl. With -o writing files is easy, but we need the username for the startup path... (1/2)

Mozilla says Mythos helped identify 271 vulnerabilities in Firefox 150. I went through the commits, CVEs, and bug links to see what that number really means. My takeaway: relax folks. xark.es/b/mythos-firef…

The RCE I've found in LiteLLM (x41-dsec.de/lab/advisories…) is a nice example of how AI agents can speed up security research. The issue was found during a project with high time constraints by me manually. So I had a Nemesis (@Persistent_Psi) backed AI agent do auto-triage and find a sandbox escape fully automated. After 20 minutes the job was done including a fully working exploit. This highlights again that the time to exploit and exploit creation and generation is decreasing dramatically. On the upside, this means that hiding details on advisories or sneakily releasing silent patches for security issues became less effective!

Language-level bug classes, stdlib pitfalls, Linux and Windows issues from usermode to kernel, seccomp sandbox escapes. One checklist, hundreds of checks. appsec.guide/docs/languages…

Took me almost a month, but it’s finally done. I completely rewrote the first chapter of linux-insides about the Linux kernel initialization process. Now it should be aligned with modern kernels (up to master). github.com/0xAX/linux-ins…

New post: Exploit Writing Tutorials series "on video" - collab with @wetw0rk7 : corelan.be/index.php/2026… #sharethelove

An automated N-day research pipeline at PwnFuzz. Ghidra + Ollama + n8n →Diffs Patch Tuesday binaries → LLM analyzes the output → Structured vuln reports, monthly AI-generated reports gets you oriented fast! Blog: ghostbyt3.github.io/blog/nday-rese… Repo: github.com/ghostbyt3/nday…

Reverse engineering large enterprise apps means wading through hundreds of vendor dependencies. We got tired of it, so we built Hyoketsu to fix it - open source, with a pre-calculated 13GB NuGet + Maven hash database. GitHub: github.com/assetnote/hyok…: slcyber.io/research-cente…

Our biggest open-source repos are getting overwhelmed by AI slop which literally makes Github unusable (~a new pull request every 3 minutes). Fun new challenges in an agentic world!

ZeroDayBench: Evaluating LLM Agents on Unseen Zero-Day Vulnerabilities for Cyberdefense arxiv.org/pdf/2603.02297

We achieved a guest-to-host escape by exploiting a QEMU 0-day where the bytes written out of bounds were uncontrolled. Full breakdown of the technique, glibc allocator behavior, and our heap spray/RIP-control primitive ↓

Over 700,000 repos ship crypto libraries that default to a static IV, creating widespread key reuse. We also released mquire, a Linux memory forensics tool, and added 12 new open-source Claude Code skills for security engineering. March Tribune: mailchi.mp/trailofbits/ma…

I almost fell into the AI trap... ChatGPT almost swallowed my brain too... If you rely too much on AI to do the hard work you aren't willing to do, you are basically screwed: - you lose your creativity - you give up on your expertise - you become less knowledgeable Our biggest asset as Security Researchers is our ability to understand a system. If we stop training it, it will atrophy. Stay sharp anon 🫡

They tell you training and running AI model costs billions. That's true for a few frontier labs. But for most real-world use cases? Dramatically lower than you think thanks to open-source. Real examples from @HuggingFace's latest analysis: - Fine-tune a text classification model: <$2k - Train a leading image embedding model: < $7k - Train Deepseek OCR: < $100k - Train a leading machine translation model: <$500k Compare that to GPT-4.5 training (~$300M est.) And the truth is that you don't need a Formula 1 car to pick up groceries. Most tasks are solved just as well by smaller, efficient, targeted models. The mistake everyone makes? Starting with "what's the best AI model?" instead of "what do I need to do?" The future of AI is not just bigger models. It's cheaper, more customized, open models solving specific problems. Explore 100+ real model costs of training and deployment yourself in the study!