Huntress reveals an unpatched Windows “search:” URI handler flaw that can leak Net-NTLMv2 hashes with a single link click. The bug mirrors a patched Snipping Tool CVE, but remains without CVE, fix, or clear servicing path.
The epoll UAF: A Same-CPU Preemption Race in fs/eventpoll.c on Linux 6.6+
Deep-dive writeup on a Linux kernel use-after-free in “fs/eventpoll.c”. A 2023 optimisation traded a global “epmutex” for per-instance reference counting in epoll’s graph-walking code, but left the walkers running under “rcu_read_lock()” while “ep_free()” kept calling plain “kfree(ep)” with no RCU deferral — opening a same-CPU preemption race that yields a constrained write through a freed “struct eventpoll”. Fixed in commit “07712db80857” by switching to “kfree_rcu(ep, rcu)”. Affects Linux 6.6+ including Android (Pixel 10 tested).
CVE-2026-41873: Apache Pony Mail OAuth SSRF + Lua CRLF Smuggling = Unauthenticated Account Takeover
STAR Labs’ advisory on CVE-2026-41873 in Apache Pony Mail by Li Jiantao and Tevel Sho (disclosed 28 April 2026). Two independent bugs reach the same outcome — full admin takeover — without any authentication. In the modern Foal (Python) build, an attacker-supplied “oauth_token” URL drives a blind SSRF against the local Elasticsearch SQL endpoint, leaking the admin session cookie character-by-character (CVSS 9.1). In the legacy Lua build (now retired, no patch), a single unescaped query parameter in “email.lua” lets the attacker inject CRLF bytes into the Elasticsearch HTTP request and smuggle a second request that creates an admin account outright.
About PCIe DMA Cheats: Protocol, IOMMU, Hardware, and Detection
External PCIe DMA cheats are hard because the cheat code runs on another PC. Detection must move to PCIe fingerprints, IOMMU faults, ACS topology, TPM attestation, VBS/HVCI, and layered trust checks.
Exploiting CVE-2024-32002: RCE via git clone
CVE-2024-32002 turns git clone --recursive into RCE on case-insensitive filesystems. A crafted submodule + symlink can plant a Git hook in .git and execute code before review.
Dirty Frag: A New Linux Page-Cache Privilege Escalation Class
Dirty Frag is a Linux kernel local privilege escalation class abusing zero-copy networking, skb fragments, and in-place crypto to corrupt page cache memory and gain root privileges.
A Step-by-Step Guide to Uncovering Vulnerabilities in a Mobile App
The article shows how APK decompilation with Jadx exposed Cordova JavaScript code, hardcoded database keys, CryptoJS-derived secrets, backend endpoints, and a critical LFI flaw.
BullFrog DNS Pipelining: Smuggling Data Past CI/CD Egress Filters
A parsing flaw in BullFrog’s DNS-over-TCP handling allows attackers to bypass CI/CD egress filtering by pipelining DNS queries. The filter validates only the first query, letting malicious queries slip through.
Recovery Mode Breakdown: Turning macOS Recovery Safari into Root Persistence
A macOS Recovery Mode Safari flaw allowed attackers to write arbitrary files to system partitions. By placing a malicious LaunchDaemon in /Library/LaunchDaemons, an attacker could achieve persistent root execution after reboot.
BlueHammer: Exploiting Microsoft Defender Update Workflow to Leak SAM and Escalate to SYSTEM
BlueHammer shows how Microsoft Defender’s update workflow can be abused to redirect privileged file access to a Volume Shadow Copy. By exploiting filesystem races and NT namespace tricks, the technique leaks the SAM hive, extracts NTLM hashes, and enables privilege escalation to SYSTEM.