L4ys

2.5K posts

@_L4ys

Co-Founder of @TrapaSecurity and @PwnableTW MSRC Top 100 / ZDI Platinum Hunting bugs for fun

Taiwan · Joined January 2015
1.2K Following · 4.4K Followers

Pinned Tweet
L4ys @_L4ys
A bit late, but here's the talk I gave last year at CODE BLUE and HITCON, about the 20+ Trend Micro Apex One LPEs that @0x000050 and I disclosed. github.com/TrapaSecurity/…
L4ys retweeted

thaidn @XorNinja
Early this week, @brucedang and I had a meeting at Apple Park in Cupertino. While there, we also shared with Apple our latest vulnerability research report: the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE. It was laser printed, in honor of our hacker friends. We wanted to report it in person, instead of getting buried in the submission flood that some unfortunate Pwn2Own participants just experienced. Most respected hackers avoid human interaction whenever possible, so this physical strategy may give us a slight edge in the eternal race for five minutes of fame and glory on Twitter. This is the story of the exploit and our field trip. Full technical details will be shared after Apple fixes the vulnerabilities and attack path. Hopefully it won’t take our beloved company too long. We only budgeted one year of domain registration fees for this attack. This is our strongest research yet, led by @justdionysus, @blacktop__ and @brucedang. It is really dope. Full story: blog.calif.io/p/first-public…
L4ys retweeted

blasty @bl4sty
I feel the traditional "responsible disclosure" concept has been broken since its inception. you can argue that forcing everyone's hand by dropping (weaponized) bugs/exploits is reckless/harmful behavior or blablabla but I feel you have to keep in mind everyone's stakes/motivation in the game are different.

one thing I guess we can agree on: people sit on bugs/exploits all the time. sometimes because ZDI promises a big bag of money at the end of the rainbow that magically evaporates and sometimes because they don't want to disclose these things and use them tactfully for their own advantage/goals.

I've always felt forcing this acceleration will (hopefully) get the software landscape in better shape, faster. albeit in a messy way. the noise it creates however could be a good signal for people to get an idea of the overall security posture of a piece of software, as well as get a good idea of how a vendor handles disclosures that don't follow their made up fairytale non-enforceable policies. (that typically don't come with any kind of silver lining)

back then, you could be damn sure that another horde of teenagers grep'd the same src tree for memcpy and was probably also sitting on an exploit. today the same applies, anyone can out-slop you producing the next linux LPE after brad tweets out a commit ID

remember: as a researcher you don't owe the vendor anything. you don't owe the public anything either. if you did this work for free it's yours to publish in whatever way suits your needs, agenda or overall quirkiness. :)
Luke Stephens (hakluke) @hakluke

I'm seeing this question being asked a lot! I think the traditional 90+30 day responsible disclosure standard is dead (or should be). It's too dangerous to be holding onto vulns for this long now. I've been thinking about alternative responsible disclosure policies that work better for a post-AI era but it's a pretty tricky problem!
L4ys @_L4ys
0days don't seem cool enough anymore. what should real hackers be doing now?
L4ys retweeted

V4bel @v4bel
💥 Introducing "Dirty Frag" A universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail. No race, no panic on failure, fully deterministic. ~9 years latent. Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more. Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation. Details: dirtyfrag.io
L4ys @_L4ys
my new idea: prompt2own like pwn2own, but teams can only submit prompts
L4ys retweeted

Chai Yichen @Hacker_Chai
Our second blog post is out here: bugscale.ch/blog/here-we-g… ! We managed to install arbitrary APKs on the Samsung Galaxy S25 from an app without install permissions. For this, @SachaKozma did most of the work, but it was great looking into Samsung's cloud gaming component with him.
L4ys retweeted

Taszk Security Labs @TaszkSecLabs
TAPOcalypse Now: Exploiting TP-Link Smart Devices From Anywhere labs.taszk.io/articles/post/… Details exploitation via LAN, through browser, and against the cloud account. Some of the reported vulnerabilities are fixed, for others the vendor didn't provide a fix by embargo expiry.
L4ys retweeted

Xint @xint_official
Patch your Linux boxes! Copy.Fail is a trivially exploitable logic bug in Linux, reachable on all major distros released in the last 9 years. A small, portable python script gets root on all platforms. Found by the teams at @theori_io and @xint_official More details below xint.io/blog/copy-fail…
L4ys retweeted

Wiz @wiz_io
🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
L4ys retweeted

Phith0n @phithon_xg
Ghost Bits is brilliant research: i.blackhat.com/Asia-26/Presen… Now you can reproduce CVE-2025-41242 in Vulhub, Spring/Jetty path traversal caused by Ghost Bits: github.com/vulhub/vulhub/… This issue exists in spring-boot-starter-jetty <= 3.2.4 with zero configuration.
L4ys retweeted

Haifei Li @HaifeiLi
The biggest problem for me about the currently-super-hot "ai bug hunting" topic is that folks use AI as a "magic box" or "crystal ball" to find bugs, but few explain how it works under the hood to "find bugs" (or do AIs really have that capability of reasoning). This isn't in the spirit of hacking or research. In the true spirit of hacking, you figure out every piece of data and every instruction moving through the process, and understand exactly why it behaves that way. Another problem is that everyone plays with the same, centralized, cloud-based AI which acts like the SkyNet. If in future hacking looks like this, that's quite disappointing isn't it. Well, at least, that's how I currently feel about.. the thing. :)