Calif’s AI Audit of FreeBSD: 15 Kernel Bugs (3 RCEs, 5 LPEs, 1 bhyve Escape) and Three Public CVE Writeups

Calif’s AI-assisted security team published a write-up of their FreeBSD kernel engagement: “15 bugs total” — 3 RCEs, 5 LPEs, 1 bhyve guest-to-host escape, plus memory disclosures and DoS — reported privately to FreeBSD with public PoCs released for three: CVE-2026-45250 (setcred sizeof confusion → stack overflow), CVE-2026-45253 (ptrace PT_SC_REMOTE missing bounds check → sysent OOB), and CVE-2026-45251 (procdesc UAF → arbitrary kernel-pointer writes via TAILQ_REMOVE on stale pd_selinfo). The exploits and writeups were generated by AI (OpenAI / Anthropic) and verified by humans before release. The remaining twelve bugs stay private until FreeBSD ships fixes.

CVE-2025-61622: PyFory Insecure Pickle Deserialization to RCE

CVE-2025-61622: PyFory Insecure Pickle Deserialization to Remote Code Execution

CVE-2025-61622 is an unauthenticated remote code execution in PyFory (formerly PyFury) 0.12.0–0.12.2 reachable through the library’s fallback path for unregistered types: “handle_unsupported_read()” instantiates a bare “pickle.Unpickler” with no “find_class” override and calls “.load()” on the attacker’s buffer, executing whatever “__reduce__” tuple they crafted. The attacker doesn’t even need PyFory installed — a stock “cloudpickle” payload pushed over a TCP socket is enough. Fixed in 0.12.3 by removing the pickle fallback entirely.

CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)

CVE-2026-20182: Unauthenticated vHub Bypass in the Cisco Catalyst SD-WAN Controller

CVE-2026-20182 (CVSS 10.0, CWE-287) is a critical authentication bypass in the Cisco Catalyst SD-WAN Controller’s vdaemon DTLS service (UDP 12346). By presenting “device_type = 2” (vHub) during the CHALLENGE_ACK phase, an unauthenticated remote attacker hits a fall-through in “vbond_proc_challenge_ack()” that unconditionally sets “authenticated = 1” — from there it’s a short hop to “MSG_VMANAGE_TO_PEER” SSH-key injection into “/home/vmanage-admin/.ssh/authorized_keys” and full NETCONF control of the SD-WAN fabric. Discovered by Rapid7’s Stephen Fewer and Jonah Burgess; a Metasploit module ships with this post. Cisco has fixed it — upgrade now.

Windows Kernel EoP vulnerability CVE-2026-40369

CVE-2026-40369: Arbitrary Kernel Address Increment via NtQuerySystemInformation

CVE-2026-40369 is a Windows kernel bug in “nt!ExpGetProcessInformation” that lets any unprivileged process — including one inside Chrome’s renderer sandbox — increment three DWORDs at an attacker-chosen kernel address per syscall, with no race condition, no heap spray, and 100% determinism. This deep dive walks Ori Nimron’s full exploit chain: KASLR via the prefetch side-channel, arbitrary kernel “read” via “CmpLayerVersions” type confusion (built on the Windows UTF-8 conversion path), token-privilege bitmask increment to grant SeDebugPrivilege, code injection into a SYSTEM process, and a clean restore of “CmpLayerVersionCount” at the end. Rewritten from the canonical pwn2nimron.com writeup with all original IDA decompilations and the PoC reproduced verbatim.

The epoll UAF: A Same-CPU Preemption Race in fs/eventpoll.c on Linux 6.6+

Deep-dive writeup on a Linux kernel use-after-free in “fs/eventpoll.c”. A 2023 optimisation traded a global “epmutex” for per-instance reference counting in epoll’s graph-walking code, but left the walkers running under “rcu_read_lock()” while “ep_free()” kept calling plain “kfree(ep)” with no RCU deferral — opening a same-CPU preemption race that yields a constrained write through a freed “struct eventpoll”. Fixed in commit “07712db80857” by switching to “kfree_rcu(ep, rcu)”. Affects Linux 6.6+ including Android (Pixel 10 tested).

Gargoyle, A Decade Later: Josh Lospinoso’s Memory-Scanning Evasion Idea, Refreshed for 2026

The 2017 Windows research demo that flipped page protections so a shellcode region was non-executable at scan time and executable only during brief work windows. The 2026 refresh keeps the original Win32/x86 proof of concept central, adds x64, ARM64, and ARM64EC sibling demonstrations, fixes a subtle “SetWaitableTimer”/“SleepEx” APC validation error, and reframes the whole exercise as a measurement problem about temporal memory state rather than a hiding trick.

CVE-2026-5426: Mandiant Catches ViewState RCE Against KnowledgeDeliver LMS in Japan

Disclosure of CVE-2026-5426: an ASP.NET ViewState deserialization RCE in Digital Knowledge’s KnowledgeDeliver LMS, caused by identical hardcoded “machineKey” values shipped to every customer. Pre-Feb-24-2026 deployments are exploitable as a zero-day. Mandiant observed BLUEBEAM (Godzilla-class) in-memory web shells, JavaScript tampering for follow-on social engineering, and Cobalt Strike BEACON keyed to the victim’s name — with Application Event ID 1316 (code 4009) as the primary detection signal.

Malware Development Essentials for Operators: From PEB Walking to Kernel-Mode DKOM

A long-form tutorial on Windows malware development for offensive operators. It walks from dynamic API resolution and IAT hooking through process hollowing, DLL injection (LoadLibrary, reflective, syscall-level), Early Bird APC injection with AES-encrypted shellcode (driving VirusTotal from 27/72 down to 5/72), and into a full Windows driver: IRP dispatch, kernel-mode DLL injection via image-load callbacks, DKOM process and driver hiding, token stealing from PsInitialSystemProcess, and kernel callbacks for blocking EDR. Hardcoded Windows 10 build 19041+ offsets included.

PPL Abuse: How Attackers Turn Windows’ Own Trust Anchors Into EDR Killers

An original English rewrite of Ghost Wolf Lab’s 2026-05-25 article on Protected Process Light (PPL) abuse. The piece maps Windows’ PPL trust hierarchy, walks three production techniques that turn WinTcb-Light binaries (WerFaultSecure, ClipUp, WaaSMedicSvc) into EDR-disabling primitives, and lays out a four-phase attack chain — BYOVD kernel kills, EDR-Freeze race condition, ClipUp-as-PPL-proxy, and unsigned WDAC policies — that defenders are seeing in the wild against Defender and Chinese antivirus stacks (360, Kingsoft, Tencent). Includes the original PPL inspection C program and a working Sigma rule.