the grugq's newsletter

May 1, 2026

If people are really curious about https://t.co/zJqjRZkKcD, @5unKn0wn is the GOATed researcher who is responsible! https://t.co/pKODZo3G5t

— tylerni7 (@tylerni7) April 29, 2026

Copy Fail — CVE-2026-31431

CVE-2026-31431. 100% Reliable Linux LPE — no race, no per-distro offsets, page-cache write that bypasses on-disk file-integrity tools and crosses containers. Found by Xint Code.


My theory on how it ended up like this, courtesy of ChatGPT: pic.twitter.com/2eSQFoOcDd

— Brad Spengler (@spendergrsec) April 21, 2026


Our second blog post is out here: https://t.co/mUjTMFpVqN ! We managed to install arbitrary APKs on the Samsung Galaxy S25 from an app without install permissions. For this, @SachaKozma did most of the work, but it was great looking into Samsung's cloud gaming component with him

— Chai Yichen (@Hacker_Chai) April 30, 2026

Here We Go Again: A Five-Bug Chain to Arbitrary APK Install on Samsung S25 | Bugscale SA

This post breaks down a bug chain we found in Samsung Galaxy Store that leads to arbitrary local APK install on the Samsung S25, using weak signature verification, an unprotected exported receiver, path traversal, predictable randomness, and a denial-of-service bug.


Do not design systems assuming privilege escalation is hard. It never was. Anything local can become root. Every OS has had trivial privesc bugs, and any serious attacker keeps a few. Treat user separation as hygiene; not security. Disposable instances, minimal persistence.

— Juliano Rizzo (@julianor) April 30, 2026


Full article: Russia’s low-level agents: characteristics, roles and organisational structure of covert operatives in Europe, 2022–2025 https://t.co/zdYEpz1Fd6

— Covert Intel and Operations (@covert_intel) April 30, 2026

https://www.tandfonline.com/doi/full/10.1080/09662839.2026.2659090


He began by replicating Mythos findings with his specialized harness.

Then went on to find more critical novel zero days in open source code that he can't share yet because they're not fixed.

TL;DR - harnesses are where the magic is. https://t.co/e8jhbktBKQ

— Matt Johansen (@mattjay) April 30, 2026

Finding Zero-Days with Any Model

Vulnerability discovery is an orchestration problem, not a frontier-model problem.


Mad at your favorite software for requiring you to upload a photo of your ID??

Get revenge by uploading a photo of your credit card instead

Welcome to PCI DSS, bitch

— rekdt (@rekdt) April 30, 2026


Glad this is being discussed.
We have lost so much https://t.co/FgnbxeYeeo pic.twitter.com/WB5RM4OE7d

— 𝗠𝗮𝘁𝘁 𝗖 ² (@mattcrotts) May 1, 2026


There's a common misconception that Brutalist buildings were unpainted, but thanks to microscopic analysis of the exteriors we can now recreate what they looked like in their prime. pic.twitter.com/P2AW49BONS

— Cairo Smith (@cairoasmith) May 1, 2026


I've been seeing posts all over about the state of CTFs post-LLM. I've seen many attempts to explain why this is just a new evolution of CTFs, but I fundamentally disagree. I believe the original spirit is gone and I've written why in my blog. https://t.co/tgUZOGkhGV

— Kabir Acharya (@Kabir4charya) May 1, 2026

https://kabir.au/blog/the-ctf-scene-is-dead


“It's always worst to be raided by an agency you didn't even know had armed agents. An FBI raid could be whatever, but if the Marine Mammal Protection Commission is raiding your office it's because they know, without a shadow of a doubt, what you did to that walrus.”

— god’s favorite contractor (@ceqtarian) April 29, 2026


Entire bug bounty market being repriced to the average cost of the tokens needed to find the bugs... https://t.co/H1c8Km5kXp

— Dave Aitel (@daveaitel) April 30, 2026


Wow, these "two NSA officials" sound like they're really super-involved in and well-informed about this research. https://t.co/4L2wu6LVDe pic.twitter.com/khQK2daH65

— Brian in Pittsburgh (@arekfurt) April 30, 2026


Finding Zero-Days with Any Model https://t.co/Z0eeCbyo2F

— Ionut Popescu (@NytroRST) April 30, 2026


Reading @NielsProvos research of how he's finding zero days with pre-Mythos models (even Sonnet 4.6)

This absolute legendary line buried in here about him replicating the Mythos OpenBSD bug.

Meant a lot to him because ...he wrote the bug in 1998 pic.twitter.com/g4KNjXt6Bh

— Matt Johansen (@mattjay) April 30, 2026


We investigated a CN #APT that targeted multiple governments and companies with government contracts in Asia. In half of the targets we found a second group with different malware toolkit but sharing the infection vector and some post-exploitation tools https://t.co/IN12VBv5k4 pic.twitter.com/Jbs8HqUqPK

— Daniel Lunghi (@thehellu) April 30, 2026

https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html


Big changes to Android and Chrome VRP:

- focus on high-impact, reproducible bugs with low/no reward for lower impact
- big prizes for full chains with some annual limits
- PoCs required

It’s the end of an era, but the start of a new one. https://t.co/LiW6qTktvE

— Natalie Silvanovich (@natashenka) April 30, 2026

Blog: Evolving the Android & Chrome VRPs for the AI Era

We are announcing changes to the Chrome & Android Vulnerability Reward Programs (VRP) which take effect immediately and are focused on adjusting our reward amounts and bonuses to reflect the types of reports and bug categories that provide the most value to security today.


to celebrate the release of Copy Fail and the professional way the embargo and disclosure was handled by all involved parties i have sacrificed my lunchbreak to do a quick C port (with aarch64 support and some other small things) of the original PoC https://t.co/M08QEqVEwo

— blasty (@bl4sty) April 30, 2026

goodcopy.c · GitHub

goodcopy.c. GitHub Gist: instantly share code, notes, and snippets.


source: blasty (@bl4sty)


Cybersecurity is just software engineering’s PvP mode

— solst/ICE of Astarte (@IceSolst) April 29, 2026


Convicted former Harvard scientist rebuilds brain computer lab in China - banger of a story by @DavidKirton_ https://t.co/r4Q8Kq0iBp

— Laurie Chen (@lauriechenwords) April 30, 2026

https://www.reuters.com/world/china/convicted-former-harvard-scientist-rebuilds-brain-computer-lab-china-2026-04-30/

