crazyman

2.2K posts

@crazyman823886

CTFer / APT hunter / RedTeam / BlueTeam. Member of @r3kapig, leader of @ShadowChasing1. CVE: CVE-2022-30190. Pre account: @CrazymanArmy

Joined March 2024
1.3K Following, 1.2K Followers
crazyman reposted
Zhenpeng (Leo) Lin @Markak_
NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting versions 0.6.27 to 1.30.0. If you use the rewrite and set directives, you may be impacted! Please update your NGINX or change the config to mitigate it. Read more at depthfirst.com/nginx-rift
crazyman reposted
Ramdhan @n0psledbyte
Had some fun finding and exploiting a state machine logic bug in af_alg_sendmsg last year. It leads to OOB access, then arbitrary write, then container escape, and went unnoticed since 2011. kernelCTF writeup: github.com/star-sg/securi… Fix commit: git.kernel.org/pub/scm/linux/…
Quoting starlabs @starlabs_sg:
We're likely 1st to publicly exploit crypto: af_alg as a new attack surface in kernelCTF. Our members @n0psledbyte & @st424204 started poking it in Sep 2025, finding a 0-day container escape unnoticed since 2011. @AnthropicAI @OpenAI: interested in collaborations? We are all ears
crazyman reposted
starlabs @starlabs_sg
We're likely 1st to publicly exploit crypto: af_alg as a new attack surface in kernelCTF. Our members @n0psledbyte & @st424204 started poking it in Sep 2025, finding a 0-day container escape unnoticed since 2011. @AnthropicAI @OpenAI: interested in collaborations? We are all ears
crazyman reposted
Ariel @0xArielK
In 2020, I found a Microsoft Office RCE. The interesting part was not just the bug - it was the workflow: grammar-based GLB fuzzing, DOCX embedding, real-product execution, crash collection, and triage. That same workflow can now be amplified by AI. arielkoren.com/vulnerabilitie… #CVE #AI
crazyman reposted
Yuu @anzuukino2802
This was supposed to be my PoC for a Claude Code RCE aimed at Pwn2Own Berlin 2026, but ZDI never got back to me about my entry registration. It looks like I won't be able to register it at all...
crazyman reposted
striga @striga_ai
PoCs for Apache Tomcat Unauth RCE (CVE-2026-34486) and Apache httpd Pre-auth RCE (CVE-2026-23918) are now public on our GitHub. The Tomcat exploit is fully reliable. The httpd chain works in a controlled lab setup with a known info leak. github.com/striga-ai/CVE-… github.com/striga-ai/CVE-…
crazyman reposted
DARKNAVY @DarkNavyOrg
We obtained root privilege on the S26 (Exynos 2600 Chipset), the latest flagship smartphone from Samsung. To our knowledge, this is the first root exploit for the Exynos S26 since Samsung removed the bootloader unlocking option in One UI 8. It is exploitable from app context, so we made a cmd wrapper app for the demo👇(1/n)
crazyman reposted
kimh @desckimh
Missed out on Pwn2Own 2026 Berlin because it was way too crowded this time. 🥲 Well, here's the Ollama RCE that I was going to bring. Still unpatched and working (v0.22.1 in the video, but still working)
crazyman reposted
starlabs @starlabs_sg
We spent almost 2 years seeing this disclosure through… and then accidentally forgot to post it here. 😅 Never gonna give you up. Never gonna let you down. Never gonna run around and forget the advisory. CVE-2026-41873 is now public: starlabs.sg/advisories/26/…
crazyman reposted
malware Owl @malware_owl
Happened to find CVE-2026-3006 :D TL;DR: a TOCTOU bug, found when trying to understand the driver to use it in a project that I was working on. Kudos to maintainer @BZissimopoulos for swift actions and fixes! The story: while looking for ready-made drivers for a project that I am working on, I chanced upon WinFSP. The question I had at the time was whether we could extract some file information using the driver without the need to implement a kernel driver. However, as I was reading the implementation on a single screen, I spotted a common pattern (multi-fetch of a size which is used in ExAllocatePool). After writing an exploit to show the crash and fully exploit the driver to get SYSTEM, I was given CVE-2026-3006. The affected driver version can be exploited from a Low Integrity CMD as well. Licensees that are using WinFSP, or users of any tool that uses WinFSP under the hood, are advised to upgrade to the new version of WinFSP! Demo (YouTube): youtu.be/aHV7GEBgy5Q
crazyman reposted
Calif @calif_io
MAD Bugs: Finding and Exploiting a 21-Year-Old Vulnerability in PHP. @i0n1c was "the PHP security guy" twenty years ago, so we thought it'd be fun to welcome him with a fresh unserialize UAF. open.substack.com/pub/calif/p/ma…
swing @bestswngs
The qemu-kvm virtual machine escape I spent so long preparing apparently didn't get registered. I'm a bit devastated 🫤
crazyman reposted
V4bel @v4bel
💥 Introducing "Dirty Frag": a universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail. No race, no panic on failure, fully deterministic. ~9 years latent. Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more. Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation. Details: dirtyfrag.io