Header image — CVE-2024-27398 Linux Bluetooth SCO UAF article

CVE-2024-27398: Exploiting a Linux Bluetooth SCO Use-After-Free with SMEP Bypass

A full walkthrough of CVE-2024-27398, a race-induced use-after-free in the Linux 6.8 Bluetooth SCO subsystem. The exploit races two connect() threads on the same SCO socket so that a delayed-work timer is left pending after the socket is freed, reclaims the freed sock with add_key(), forges a valid DEBUG_SPINLOCK pattern in the spray payload, and uses an xchg eax, esp ; ret gadget to pivot the kernel stack into userspace. Because the chain executes only kernel gadgets, SMEP is never tripped (a pivot to a user-space stack still assumes SMAP is disabled or bypassed, since the kernel reads the chain from user pages); the ROP chain then overwrites modprobe_path to get root.

Normal Callback call stack showing callback address visible in inspector

Callback Hell: Abusing Callbacks, Tail Calls, and Proxy Frames to Obfuscate the Stack

A walkthrough of klezVirus’ “Callback hell” — a technique that hides callback frames from stack inspectors by combining tail-calls, forward and backward proxy frames, and a chained thread-pool dispatcher, while still recovering the callee’s return value via a MOV [REG], RAX gadget. Published under CC BY 4.0 and republished here in full, with all original figures, assembly listings, and the POC video.

Diagram contrasting Windows user mode and kernel mode boundaries

BYOVD Attack Surface: From Vulnerability-Driven to Certificate Abuse

Between 2025 and 2026, BYOVD attacks completed a fundamental paradigm shift: from exploiting known-vulnerable drivers to abusing legitimately signed drivers and the certificates themselves. This English rewrite of the Ghost Wolf Lab research walks through dual-driver campaigns, single-byte modifications that change a driver's file hash while leaving its Authenticode signature valid, independent certificate abuse, and Microsoft's March 2026 cross-signed trust removal.

Screenshot of the pb2au fake DMG-style installer used by the proof of concept

CVE-2026-28910: Breaking the macOS App Sandbox, TCC and Code Signing with Archive Utility

Mysk research details CVE-2026-28910, a chain of three macOS design flaws that turns the built-in Archive Utility plus a single drag-and-drop into a sandbox-escaping, TCC-bypassing, app-hijacking primitive. The pb2au proof of concept compromises Notes, Messages, Mail, Safari, WhatsApp, Telegram, Signal Desktop and 1Password in under 30 seconds with no root, no password, and no special permissions. Patched in macOS 26.4 (March 2026); all earlier macOS Tahoe builds remained exposed for roughly five months.

RemotePE Lazarus in-memory RAT title banner from the Fox-IT writeup

RemotePE: Inside Lazarus’s In-Memory RAT and Its DPAPI-Keyed Three-Stage Loader Chain

Fox-IT (NCC Group) details RemotePE, a North Korean Lazarus in-memory RAT delivered through a three-stage chain: DPAPILoader (an environment-keyed first stage), RemotePELoader (a HellsGate / ETW-patched HTTP beacon) and RemotePE itself, which never touches disk. The writeup walks AES-GCM C2, MSZIP-compressed command batches, the IConsole / IFileExplorer / IProcess command surface, infrastructure, MITRE ATT&CK mapping, and a full IOC set spanning July 2023 to May 2026.

NASM CVE-2026-6068 attack demo (heap UAF to persistent RCE)

CVE-2026-6068 — NASM Heap UAF Turns Into Persistent RCE Through a Dependency-File Symlink Trick

A heap use-after-free in NASM’s response-file parser (CVE-2026-6068) sounds boring — until the dangling pointer is reused as a filename for fopen(). Project SEKAI’s breakingbad turns it into a deterministic, supply-chain-style persistent RCE that overwrites the victim’s ~/.bashrc through a 120-character heap-spray label, a shipped symlink, and the unescaped shell metacharacters in NASM’s Makefile-style dependency output. No ASLR, NX, PIE, RELRO or stack-canary bypass needed. Still unpatched at disclosure.
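To make the last step of that chain concrete, here is an added example that is not NASM's code and not the breakingbad exploit: a toy Makefile-style dependency-line writer in C, with the verbatim (unescaped) emitter beside one that escapes the characters make interprets and refuses names it cannot represent. The function names (dep_line_raw, dep_escape, dep_line_escaped) and the file names in main() are constructed for the demonstration.

```c
/* Added example, not NASM's own code: a minimal Makefile-style dependency
 * line writer, the unescaped form beside an escaped one. The file names
 * used in main() are constructed for the demonstration. */
#include <stdio.h>
#include <string.h>

/* Unsafe: each name is copied verbatim into the prerequisite list. A name
 * containing a newline followed by a tab-indented line becomes a recipe that
 * make will run, and "$(...)" in a name is expanded by make, including
 * $(shell ...). */
static int dep_line_raw(char *out, size_t cap, const char *target,
                        const char **deps, size_t ndeps) {
    int n = snprintf(out, cap, "%s:", target);
    if (n < 0 || (size_t)n >= cap) return -1;
    size_t used = (size_t)n;
    for (size_t i = 0; i < ndeps; i++) {
        n = snprintf(out + used, cap - used, " %s", deps[i]);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Escape the characters make gives meaning to inside a prerequisite:
 *   '$'  -> "$$"   stops variable/function expansion
 *   ' '  -> "\ "   keeps a name with spaces as one word
 *   '#'  -> "\#"   stops a comment from starting
 *   '\\' -> "\\\\"
 * Control characters (newline, carriage return, tab, ...) cannot be
 * represented safely in a prerequisite, so the name is rejected with -1.
 * Returns the escaped length on success. */
static int dep_escape(const char *name, char *out, size_t cap) {
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '$':  rep = "$$";   break;
        case ' ':  rep = "\\ ";  break;
        case '#':  rep = "\\#";  break;
        case '\\': rep = "\\\\"; break;
        default:
            if (*p < 0x20 || *p == 0x7f) return -1;   /* newline, tab, ... */
            break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (o + len + 1 > cap) return -1;
        if (rep) memcpy(out + o, rep, len); else out[o] = (char)*p;
        o += len;
    }
    out[o] = '\0';
    return (int)o;
}

/* Safe: every name is escaped, and a name that cannot be escaped fails the
 * whole line instead of being emitted partially. */
static int dep_line_escaped(char *out, size_t cap, const char *target,
                            const char **deps, size_t ndeps) {
    char esc[256];
    if (dep_escape(target, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, cap, "%s:", esc);
    if (n < 0 || (size_t)n >= cap) return -1;
    size_t used = (size_t)n;
    for (size_t i = 0; i < ndeps; i++) {
        if (dep_escape(deps[i], esc, sizeof esc) < 0) return -1;
        n = snprintf(out + used, cap - used, " %s", esc);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

int main(void) {
    /* Constructed names: one carries a make function call, one a newline that
     * would become a recipe line once the dependency file is included. */
    const char *deps[] = { "main.asm", "lib$(shell id).inc",
                           "x.inc\n\techo injected" };
    char line[512];

    if (dep_line_raw(line, sizeof line, "main.o", deps, 3) == 0)
        printf("raw:\n%s\n\n", line);
    if (dep_line_escaped(line, sizeof line, "main.o", deps, 3) < 0)
        puts("escaped: rejected (a name contains a control character)");
    if (dep_line_escaped(line, sizeof line, "main.o", deps, 2) == 0)
        printf("escaped (first two deps):\n%s\n", line);
    return 0;
}
```

The point of the escaped variant is that a dependency file is build input, not just build output: anything that ends up in it is interpreted by make (and, through recipes, by the shell), so file names controlled by whoever supplied the sources have to be treated as untrusted.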

Diagram explaining the PHP object deserialization flow in Roundcube CVE-2025-49113

Roundcube CVE-2025-49113: Authenticated PHP Object Deserialization to RCE in Open-Source Webmail

CVE-2025-49113 is a critical authenticated remote-code-execution flaw in Roundcube webmail — the default in cPanel, Plesk, and many hosting stacks — caused by insufficient validation of the _from upload parameter that lets attackers inject malicious PHP-serialized objects into session storage. The bug went undetected for nearly a decade and reportedly exposes more than 53 million hosts across all Roundcube 1.1.0–1.6.10 builds.

Three-stage TREVEX workflow: Test Case Generation, Execution and Leakage Detection, Result Classification

TREVEX: Black-Box CPU Fuzzing Finds FP-DSS, New FPVI Variants, and Zero-at-ret

TREVEX is a post-silicon black-box CPU fuzzer from CISPA (S&P 2026) designed to discover data-flow transient execution vulnerabilities without needing RTL access, an ISA emulator, or a leakage contract. The framework runs across 20 microarchitectures from Intel, AMD, and Zhaoxin and uncovers a new transient execution attack (TEA), Floating Point Divider State Sampling (FP-DSS, CVE-2025-54505), on AMD Zen and Zen+; a new FPVI variant on AMD that does not need denormal inputs; three instances of Zero-at-ret on Intel; and FPVI on Zhaoxin. The authors weaponise FP-DSS from native code, from the Linux kernel, and in a Chrome JavaScript exploit.