A deep dive into CVE-2021-21735 on the ZTE ZXHN H168N home gateway, where two unauthenticated wizard endpoints (wizard_pppoe_lua.lua and wizard_wlan_config_lua.lua) leaked PPPoE identifiers, SSID data, and Wi-Fi passphrases — converting a “low-severity” information disclosure into a full administrative and WLAN takeover path. Includes the root-cause analysis, request/response patterns, the disclosure timeline, and the ZTE vs. NVD severity split.
The epoll UAF: A Same-CPU Preemption Race in fs/eventpoll.c on Linux 6.6+
Deep-dive writeup on a Linux kernel use-after-free in “fs/eventpoll.c”. A 2023 optimisation traded a global “epmutex” for per-instance reference counting in epoll’s graph-walking code, but left the walkers running under “rcu_read_lock()” while “ep_free()” kept calling plain “kfree(ep)” with no RCU deferral — opening a same-CPU preemption race that yields a constrained write through a freed “struct eventpoll”. Fixed in commit “07712db80857” by switching to “kfree_rcu(ep, rcu)”. Affects Linux 6.6+ including Android (Pixel 10 tested).
Gargoyle, A Decade Later: Josh Lospinoso’s Memory-Scanning Evasion Idea, Refreshed for 2026
The 2017 Windows research demo that flipped page protections so a shellcode region was non-executable at scan time and executable only during brief work windows. The 2026 refresh keeps the original Win32/x86 proof of concept central, adds x64, ARM64, and ARM64EC sibling demonstrations, fixes a subtle APC validation error in the “SetWaitableTimer” / “SleepEx” pairing, and reframes the whole exercise as a measurement problem about temporal memory state rather than a hiding trick.
CVE-2026-41873: Apache Pony Mail OAuth SSRF + Lua CRLF Smuggling = Unauthenticated Account Takeover
STAR Labs’ advisory on CVE-2026-41873 in Apache Pony Mail by Li Jiantao and Tevel Sho (disclosed 28 April 2026). Two independent bugs reach the same outcome — full admin takeover — without any authentication. In the modern Foal (Python) build, an attacker-supplied “oauth_token” URL drives a blind SSRF against the local Elasticsearch SQL endpoint, leaking the admin session cookie character-by-character (CVSS 9.1). In the legacy Lua build (now retired, no patch), a single unescaped query parameter in “email.lua” lets the attacker inject CRLF bytes into the Elasticsearch HTTP request and smuggle a second request that creates an admin account outright.
OpenTrafficMap’s €20 ESP32-C5 Board Turns 802.11p V2X Into a Public Map of Traffic Lights and Buses
CNX Software write-up on the OpenTrafficMap project — a €20 open-source ESP32-C5 receiver board that taps the 5.9 GHz 802.11p ITS-G5 V2X stack used by European traffic lights, buses, trams, trucks and connected vehicles, decodes CAM/DENM/SPATEM/MAPEM messages, and publishes them to a public map via NATS. Twenty units already deployed; group-buy of 450 boards shipping. Includes the original board photos, the deployment shot with a Mikrotik 4G uplink, the pole-mount enclosure, and the Graz Linux Days 2026 talk video.
CVE-2026-5426: Mandiant Catches ViewState RCE Against KnowledgeDeliver LMS in Japan
Disclosure of CVE-2026-5426: an ASP.NET ViewState deserialization RCE in Digital Knowledge’s KnowledgeDeliver LMS, caused by identical hardcoded “machineKey” values shipped to every customer. Deployments predating 24 Feb 2026 are exploitable as a zero-day. Mandiant observed BLUEBEAM (Godzilla-class) in-memory web shells, JavaScript tampering for follow-on social engineering, and Cobalt Strike BEACON keyed to the victim’s name — with Application Event ID 1316 (code 4009) as the primary detection signal.
z386: An Open-Source FPGA 80386 Driven by the Original Intel Microcode
Open-source FPGA recreation of Intel’s 80386 that runs the original recovered Intel microcode rather than re-implementing instruction behaviour from scratch. The result is an 8 K-line, 18 K-ALUT, 85 MHz core that boots DOS, runs DOS/4GW and DOS/32A extenders, and plays Doom and Doom II — with detailed comparison against 486 and a clear silicon-archaeology angle relevant to reverse engineers and hardware security researchers.
Microphones Leak EM Signals Carrying Audio: A 93%-Accurate Side-Channel Attack on MEMS Mics
An English rewrite of Denis Laskov’s “Eye on Cyber” pointer to a USENIX Security 2025 paper by Onishi et al. The research shows that MEMS microphones, because of their PDM (Pulse Density Modulation) digital interface, radiate unintended EM signals that still carry the original audio. With nothing more than copper-foil-tape antennas, the authors recovered enough signal through a 25 cm concrete wall at 2 m to hit 93% speaker-recognition accuracy — a TEMPEST-class result for cheap consumer mics.
V2X2MAP: A $10 ESP32-C5 Board Plus an Android App Turns Live 802.11p V2X Traffic Into a Map
An English rewrite of Jean-Luc Aufranc’s May 25, 2026 CNX Software piece on V2X2MAP — an MIT-licensed Android app by Peter Holzhauser (Pit711) that pairs with a cheap Waveshare ESP32-C5 dual-band Wi-Fi board to receive the European ITS-G5 / 802.11p V2X stack and plot CAM, DENM, SPATEM and MAPEM messages on a live map. Includes the legal disclaimer carried inside the app and a defenders’ view of the privacy and detection implications.
Malware Development Essentials for Operators: From PEB Walking to Kernel-Mode DKOM
A long-form tutorial on Windows malware development for offensive operators. It walks from dynamic API resolution and IAT hooking through process hollowing, DLL injection (LoadLibrary, reflective, syscall-level), Early Bird APC injection with AES-encrypted shellcode (driving VirusTotal from 27/72 down to 5/72), and into a full Windows driver: IRP dispatch, kernel-mode DLL injection via image-load callbacks, DKOM process and driver hiding, token stealing from PsInitialSystemProcess, and kernel callbacks for blocking EDR. Hardcoded Windows 10 build 19041+ offsets included.