Dissecting and Exploiting Linux LPE Variant: DirtyClone (CVE-2026-43503)

Dissecting and Exploiting Linux LPE Variant: DirtyClone (CVE-2026-43503)

DirtyClone (CVE-2026-43503) is a high-severity Linux LPE in the DirtyFrag family. A dropped SKBFL_SHARED_FRAG flag during __pskb_copy_fclone() skb cloning lets in-place IPsec decryption write into file-backed page cache. With CAP_NET_ADMIN from an unprivileged user namespace, an attacker patches /usr/bin/su in memory and gets root — no disk changes, no logs. JFrog research with PoC.

CVE-2020-1027: Windows CSRSS Heap Buffer Overflow and Sandbox Escape

CVE-2020-1027: Windows CSRSS Heap Buffer Overflow and Sandbox Escape

CVE-2020-1027 is a heap buffer overflow in the Windows CSRSS SxS assembly component. A missing bounds check on UNICODE_STRING.MaximumLength in an ALPC IPC handler allows any process, including browser sandboxes, to trigger a fully controlled memcpy with attacker-supplied source, destination, and length. Actively exploited in the wild paired with CVE-2020-6418 as a Chrome sandbox escape chain. Root cause analysis by Google Project Zero.

From context_handle to type confusion: A Type Confusion Pattern in Windows RPC Servers

From context_handle to type confusion: A Type Confusion Pattern in Windows RPC Servers

Many Windows RPC servers expose several context-handle types under one interface. When the IDL marks a handle as FC_BIND_CONTEXT (0x70) instead of FC_SUPPLEMENT (0x75), rpcrt4 skips context-ID validation and indexes the object directly — so a missing in-interface type check turns a cross-type handle into type confusion. k0shl’s research walks the pattern through CVE-2025-48815, CVE-2025-53143 and CVE-2025-54104.

A 27-Year-Old Authentication Bypass in OpenBSD's PPP Stack (CVE-2026-55706)

A 27-Year-Old Authentication Bypass in OpenBSD’s PPP Stack (CVE-2026-55706)

A length-confusion bug in OpenBSD’s PAP handler let an unauthenticated attacker on the same broadcast domain pass authentication with zero-length credentials — and trigger a heap over-read. The flaw rode along in the kernel for 27 years. Here’s the root cause, the PPPoE attack path, a proof of concept, and the one-line-pattern fix (CVE-2026-55706).

Squidbleed (CVE-2026-47729): A 29-Year-Old Heap Over-Read Leaks Cleartext HTTP in Squid

Squidbleed (CVE-2026-47729): A 29-Year-Old Heap Over-Read Leaks Cleartext HTTP in Squid

Squidbleed (CVE-2026-47729) is a heap buffer over-read in the Squid proxy’s FTP gateway, rooted in a missing NUL-terminator check before strchr() that has sat in the code since January 1997. An authorized proxy user who points Squid at a hostile FTP server can leak fragments of other users’ in-flight cleartext HTTP requests — credentials, cookies, and session tokens. Here is how the bug works, how it is exploited, and why “patched” depends on the guard in FtpGateway.cc, not the version string.

CVE-2026-41096: Heap Overflow in the Windows DNS Client

CVE-2026-41096: Heap Overflow in the Windows DNS Client

CVE-2026-41096 is a remotely-triggerable heap overflow in dnsapi.dll. A single crafted UDP DNS response with QDCOUNT=0 corrupts 604 bytes past a heap allocation in any process that calls DnsQueryRaw. This post walks the patch diff with ghidriff, decompiles the vulnerable DnsRawTruncateMessageForUdp in Ghidra, derives the exact overflow arithmetic, and ships a working Python + C PoC.

Autonomous Vulnerability Hunting with MCP: Inside a Self-Improving 0-Day Pipeline

Autonomous Vulnerability Hunting with MCP: Inside a Self-Improving 0-Day Pipeline

Andy Gill’s ZephrSec write-up of an autonomous vulnerability hunting system built around Claude Code and the Model Context Protocol: 8 MCP servers, 300+ tools, a 5-VM Proxmox hunt range, a four-gate hallucination bin, a FAISS-backed RAG knowledge loop, and a bounty-intelligence ROI scorer. Already produced two assigned Go standard-library CVEs (CVE-2026-33809 in x/image/tiff, CVE-2026-33812 in x/image/font/sfnt), a four-stage OEM update-service chain ending in SYSTEM code execution on Windows 11 25H2, and two macOS findings, with multiple Windows LPEs/RCEs/UAFs in progress. Faithful walkthrough with all source assets reproduced.