Binary Ninja 5.3 (Jotunheim) adds new architecture APIs for full function level lifting. We are already using them for upcoming TMS320C6x work, and plugin authors should be able to put them to good use too.
The fuzzer that found project-zero.issues.chromium.org/issues?q=com... (and a number of issues prior to that as well) is now open-source: crrev.com/c/7580844
It uses pkeys, trap-handling and single-stepping to intercept and mutate in-sandbox reads (see trap-fuzzer.h). Definitely had fun writing it!
[RSS] Slowburn: Looking through AMD Platform Configuration Blobs infrastructure
swarm.ptsecurity.com ->
Original->
Exploit code for a recently patched Chrome vulnerability has leaked online via a misconfigured server.
Security firm Breakglass believes the code is the work of a "professional exploit developer," and most intended for "sale or government use."
intel.breakglass.tech/post/cve-202...
"With Fabricked, we present a novel software-based attack that manipulates memory routing to compromise AMD SEV-SNP"
fabricked-attack.github.io
It's a huge release from #Microsoft and a larger one from #Adobe. @dustinchilds.bsky.social has some new tables to help tell the story and he breaks down a monstrous Patch Tuesday release. www.zerodayinitiative.com/blog/2026/4/...
The Pixel 10 smartphones released last year are the first phones to use Rust for its modem firmware in an attempt to narrow the phone's baseband attack surface
security.googleblog.com/2026/04/brin...
From left to right: Executive Director of Finance John Terrill and Executive Director and Chairman Mark Trumpbour onstage at SummerCon
The Summercon 2026 CFP is open.
We’re looking for original work. Things you’ve actually done. Things that worked, or didn’t.
Don't overthink it, the first step is submitting.
summercon.short.gy/CFP-2026
Spooler Alert: Remote Unauth'd RCE-to-root Chain in CUPS
heyitsas.im ->
More LLM bugs: CVE-2026-34980 and CVE-2026-34990
Original->
[RSS] Standardizing Rewards in Google VRP: Introducing Information Tiers and Action Criticality
bughunters.google.com ->
Original->
The AI lab's Project Glasswing will bring together Apple, Google, and more than 45 other organizations. They'll use the new Claude Mythos Preview model to test advancing AI cybersecurity capabilities. www.wired.com/story/anthro...
I've put up the slides from my Zer0Con 2026 presentation on Administrator Protection. github.com/tyranid/info...
xz security advisory (CVE-2026-34743):
tukaani.org ->
Who has the guts to update? :)
Original->
New Fortinet zero-day on Easter eve... precious timing
fortiguard.fortinet.com/psirt/FG-IR-...
There's a new unauth remote code execution bug in the CentOS Control Web Panel web hosting toolkit, tracked as CVE-2025-70951, that will need patching in the coming days
fenrisk.com/rce-centos-w...
AI found critical vulnerabilities in Microsoft software, autonomously.
XBOW identified 3 critical RCEs, including one of the most severe issues in March’s Patch Tuesday and two in Bing with potential SYSTEM-level impact.
No source code. Real environments. Real CVEs.
https://bit.ly/4bNBgWT
We have adjusted the scoring on the advisory to reflect server-side mitigations that the vendor described during the disclosure process.
Catch Christopher Domas’ keynote from RE//verse 2026! fail: jmp fail (everything I got wrong in RE and security research) gets into the dead ends, bad ideas, and wasted hours behind real progress in RE and security work. Watch now: youtu.be/iOq8O_phwbA?...
Ubiquiti patches 10/10 bug: community.ui.com/releases/Sec...
RE//verse 2026 videos are online
www.youtube.com ->
Original->
We decided to revisit an old research problem with some new LLM powered tooling. Check out our latest blog post to see how we approached this research, and the new Java deserialization gadget chains it discovered in just two days! www.atredis.com/blog/2026/3/12/findings-gadgets-like-its-2026
Check out the analysis by @cryptocat.me for CVE-2026-20127 in Cisco SD WAN. That other PoC posted last week exploits a totally different bug that doesn't match the reported IOCs (some kind of file upload due to path traversal in vManage maybe). We asses with high confidence this is CVE-2026-20127 🔥
Happy Patch Tuesday! The latest security patches from #Adobe and #Microsoft are here. Thankfully, no bugs are listed as being under attack, but there's still some interesting ones in the mix. Join @dustinchilds.bsky.social as he breaks down the March release www.zerodayinitiative.com/blog/2026/3/...
As per its stated policy, Kaspersky did not attribute Operation Triangulation.
Instead the company winked that it knew who made the tools when it chose the name and logo of the hacking campaign.
techcrunch.com/2026/03/09/a...
The Ctrl-Alt-Intel team has dumped the content of misconfigured command and control servers linked to the MuddyWater Iranian APT, aka Static Kitten, Mango Sandstorm, Earth Vetala, Seedworm, and TA450
ctrlaltintel.com/threat%20res...
phrack.org/issues/68/2#...
Another legend has crossed over. Thank you @fxv2.bsky.social for being your kind, brilliant self, whose contributions are too many to name, not just in hacking, but in being a superconnector who I now know is responsible for so many friendships & marriages. You are missed.
On a recent engagement, we exploited a previously disclosed privilege escalation bug in Tenable's Nessus Agent. No public PoC was available, so we made one; check it out here github.com/atredispartn...
In the final part of his blog series, @tiraniddo.dev tells the story of how a bug was introduced into a Windows API.
Code re-writes can improve security, but it’s important not to forget the security properties the code needs to enforce in the process.
projectzero.google/2026/02/gphf...
