CVE-2026-34007 and CVE-2026-34008 expose a systemic pattern in QNAP QTS: header injection into shell_exec, hand-rolled SQL escaping, and unremapped container namespaces that turn a single pre-auth request into host root. The bugs are symptoms of platform architecture, not individual developer mistakes.
Pack2TheRoot (CVE-2026-41651): Local Root on Linux via a PackageKit Race Condition
Pack2TheRoot (CVE-2026-41651) is a high-severity local privilege escalation flaw in PackageKit that lets any unprivileged user win a race condition during InstallFiles and gain root on default Linux installs. Here is how it works, how it is exploited, and how to defend against it.
Dissecting and Exploiting Linux LPE Variant: DirtyClone (CVE-2026-43503)
DirtyClone (CVE-2026-43503) is a high-severity Linux LPE in the DirtyFrag family. A dropped SKBFL_SHARED_FRAG flag during __pskb_copy_fclone() skb cloning lets in-place IPsec decryption write into file-backed page cache. With CAP_NET_ADMIN from an unprivileged user namespace, an attacker patches /usr/bin/su in memory and gets root — no disk changes, no logs. JFrog research with PoC.
From context_handle to type confusion: A Windows RPC Vulnerability Pattern
A walkthrough of a recurring type-confusion pattern in Windows RPC servers: when an interface accepts an FC_BINDING_CONTEXT handle without checking its object type, attackers can feed one context-handle type where another is expected. The pattern yielded CVE-2025-48815 (ssdpsrv), CVE-2025-53143 (MQQM) and CVE-2025-54104 (mpssvc).
CVE-2020-1027: Windows CSRSS Heap Buffer Overflow and Sandbox Escape
CVE-2020-1027 is a heap buffer overflow in the Windows CSRSS SxS assembly component. A missing bounds check on UNICODE_STRING.MaximumLength in an ALPC IPC handler allows any process, including browser sandboxes, to trigger a fully controlled memcpy with attacker-supplied source, destination, and length. Actively exploited in the wild paired with CVE-2020-6418 as a Chrome sandbox escape chain. Root cause analysis by Google Project Zero.
From context_handle to type confusion: A Type Confusion Pattern in Windows RPC Servers
Many Windows RPC servers expose several context-handle types under one interface. When the IDL marks a handle as FC_BIND_CONTEXT (0x70) instead of FC_SUPPLEMENT (0x75), rpcrt4 skips context-ID validation and indexes the object directly — so a missing in-interface type check turns a cross-type handle into type confusion. k0shl’s research walks the pattern through CVE-2025-48815, CVE-2025-53143 and CVE-2025-54104.
A 27-Year-Old Authentication Bypass in OpenBSD’s PPP Stack (CVE-2026-55706)
A length-confusion bug in OpenBSD’s PAP handler let an unauthenticated attacker on the same broadcast domain pass authentication with zero-length credentials — and trigger a heap over-read. The flaw rode along in the kernel for 27 years. Here’s the root cause, the PPPoE attack path, a proof of concept, and the one-line-pattern fix (CVE-2026-55706).
Squidbleed (CVE-2026-47729): A 29-Year-Old Heap Over-Read Leaks Cleartext HTTP in Squid
Squidbleed (CVE-2026-47729) is a heap buffer over-read in the Squid proxy’s FTP gateway, rooted in a missing NUL-terminator check before strchr() that has sat in the code since January 1997. An authorized proxy user who points Squid at a hostile FTP server can leak fragments of other users’ in-flight cleartext HTTP requests — credentials, cookies, and session tokens. Here is how the bug works, how it is exploited, and why “patched” depends on the guard in FtpGateway.cc, not the version string.
Autonomous Vulnerability Hunting with MCP: Inside a Self-Improving 0-Day Pipeline
Andy Gill’s ZephrSec write-up of an autonomous vulnerability hunting system built around Claude Code and the Model Context Protocol: 8 MCP servers, 300+ tools, a 5-VM Proxmox hunt range, a four-gate hallucination bin, a FAISS-backed RAG knowledge loop, and a bounty-intelligence ROI scorer. Already produced two assigned Go standard-library CVEs (CVE-2026-33809 in x/image/tiff, CVE-2026-33812 in x/image/font/sfnt), a four-stage OEM update-service chain ending in SYSTEM code execution on Windows 11 25H2, and two macOS findings, with multiple Windows LPEs/RCEs/UAFs in progress. Faithful walkthrough with all source assets reproduced.










