Paolo Stagno (VoidSec)

I originally prepared this bug for Pwn2Own Berlin. A few days before the contest, a CVE got assigned. So, here is my technical analysis and exploitation strategy for CVE-2026-40369: a 12-byte kernel increment, exploitable both as an LPE and SBX. voidsec.com/cve-2026-40369…

@aionescu Was a nice bug though

This information class was added only a few years ago. In the age of trillion dollar spending on AI code reviews and security, codeQL, KASAN and more, the world’s leading operating system kernel still added code to increment an arbitrary user controlled pointer in a system call

@f_roncari @justandrijana @offensive_con Lol, cannot resist this incredible offer

@Void_Sec @justandrijana @offensive_con I can give it to you…. Special offer 1 sword x 2 0days 👀

Had a really great time at @offensive_con this year, wonderful people, talks and parties! Thank you for making it so incredible! See you next year with even better gifts 🧡 FYI I guess the brain works best on Sunday morning, after the last day to solve the games! Sword 🗡️

@TheRaildex1 @justandrijana @offensive_con Thanks, appreciated!

@Void_Sec @justandrijana @offensive_con Not OP but it’s this one! I also enjoyed it as well amazon.com/BePuzzled-Lege…

@cogitoergor00t @justandrijana @offensive_con Than I failed miserably xD

@Void_Sec @justandrijana @offensive_con What if getting the puzzle was part of the puzzle itself?

@justandrijana @offensive_con @f_roncari 😮

@Void_Sec @offensive_con Stole it from @f_roncari 😉 But he got it from Radiant party!

@orinimron123 @M4x_1997 Ah man, we collided on this one. Was a great vuln while it lasted :/

@M4x_1997 4/4: Last but not least CVE-2026-40369 - Windows Kernel Arbitrary Increment primitive reachable from any browser sandbox renderer process This one was rejected from Pwn2Own and closed anyway yesterday :( My exploit is here - blogpost will be soon: github.com/orinimron123/C…

1/n: Yesterday was a good day, got credited for 7 CVEs: 3 Intel datacenter GPU vulnerabilities which allowed ESXi VM sandbox escape: - CVE-2026-20794 - CVE-2026-20879 - CVE-2026-20751 intel.com/content/www/us…

@conduit0x00 @S1r1u5_ @udunadan @malltos92 100%

@S1r1u5_ @udunadan @malltos92 P2o mostly being a place to show off your firm’s technical capability to build a brand rather than a realistic full time end goal for all work product

0 chrome submissions(?), 3 firefox renderer, 1 edge, 2 safari renderer, and exchange/sharepoint each. devcore still showing up with multiple submissions in the hard targets, including exchange, sharepoint, and edge, from known names. so why are we not seeing a huge amount of submissions? i think, either: 1. defense got stronger with llms, and software like chrome/firefox is fixing a ton of bugs before they ever reach pwn2own or 2. hacking of complex software is still bottlenecked by a small number of top-tier researchers. i would guess it’s the latter(?). there is no denying the fact that, llms are probably closing some defense gap, but i think that doesn’t mean the asymmetry moved to the defense side and making defense stronger, i still think it’s the usual attacker-favored game. and looking at pwn2own submissions, it seems pretty obvious to me that llms are still only as good as the operator using them. there are only a few people good enough to point them at hard targets properly and use them to actually accelerate research. cuz, if llms were actually giving everyone exploit superpowers to "anyone", you’d expect more people showing up with chrome/exchange/browser-class bugs. instead, what we’re seeing is still mostly people with skin in the game hitting the hard targets. zerodayinitiative.com/blog/2026/5/13…

@S1r1u5_ The monetary incentives for p2o are pretty bad compared to the bonuses any VR boutique will compensate the researcher for a Chrome RCE

@DrapGreg It is, the focus was only for vuln research. The automation that can be done with it are innegable.

@Void_Sec I agree with your article but I think it focuses only on security research. One aspect of LLM is the possibility to automate part of pentests which is quite interesting.

423 Firefox bugs fixed in a month with AI. Impressive throughput. But I've seen this pattern before. It's the fuzzer era all over again. Here's why:

@SYNLabs_SG That's my expectation and also what I hope, to be honest :)

Humans will continue to lead the process of vulnerability research.

@uglybyte Thx, appreciated

well written @Void_Sec! and I also expect to see a drop towards the baseline, perhaps slightly increased if models keep up. The parallel to fuzzers makes a ton of sense, and I believe that once we’ll exhaust the pool of what LLMs can find in major codebases, then it’ll be back to writing (LLM-powered) harnesses for that codebase :-) @InsiderPhD

@malltos92 If we had scheduled them, we couldn’t have done any better. Always interesting to read your takeaways on the industry

Bug count != exploitable bug. Finding != chaining. LLMs are exceptional at pattern recognition on known bug classes. They are not reasoning about novel failure modes in complex multi-component systems. The hard bugs still require humans. voidsec.com/ai-vulnerabili…

The wait is over! mona v3 is now available. Supports Python 2 & 3, 32- and 64-bit targets, WinDBG/WinDBGX. Faster, leaner, broader built for modern Windows debugging and exploit development. #mona #corelan github.com/corelan/mona3 Sharing is caring 💛

100%, true experience

Red team friends, show some love!

@Her0_IT Yay!

@Void_Sec Got mine too bud :D

Ooh, guardrails have been lifted!