May 12, 2026
scary rumours circulating rn pic.twitter.com/ocRAm0x780
— London New Liberals (@LondonNewLibs) May 11, 2026
https://www.ft.com/content/e3f2767a-1da1-4669-ae8c-fe47b7a42896?syn-25a6b1a6=1
The last cinephile in the world is a guy on the crew of a shadow fleet vessel compiling the perfect film list to fraternize with the US commandos seizing the ship https://t.co/vFasZGJTO2 pic.twitter.com/UK5brqzjw6
— Alan Smithee (@AlanSmithee1987) May 10, 2026
I met Juliano online in 2008. We were competing at CodeGate CTF on different teams. Both of us failed a crypto challenge by @defendtheworld, but afterward we realized we were both obsessed with crypto and started talking.
— thaidn (@XorNinja) May 9, 2026
We were heavily inspired by @tqbf, @chriseng, Nate… https://t.co/eBpP50YGmc
ASP.NET Core, an open-source web development framework | .NET
Build web apps and services that run on Windows, Linux, and macOS using C#, HTML, CSS, and JavaScript. Get started for free on Windows, Linux, or macOS.
Lately I've been thinking about how AI is changing vulnerability research and reverse engineering. VR and RE are some of the hardest workflows to parallelize. Even with great knowledge transfer and team practices, you usually default to one person per vuln or RE task. The work is… pic.twitter.com/SYsVJ0dSJb
— Alex Matrosov (@matrosov) May 10, 2026
Going to present an unconventional exploit ;)
— 1ce0ear (@1ce0ear) May 10, 2026
By corrupting a GPU stack pointer register as part of the TBDR pipeline and some blackbox work, GPU hardware may write vertex / pixel shader to arbitrary pages. Ultimately, the hardware can patch AP kernel back~ https://t.co/Bd9YjqHMM1
Another sign that over time AI will sift out the shallow-medium depth bugs, and devs will just fix them as a matter of course. This will shift the VRP market substantially. If you're a bug bounty platform or a VRP researcher, refocus your time and energy. If you're a defender,… https://t.co/wXCF9NTvqq
— Heather Adkins - Ꜻ - Spes consilium non est (@argvee) May 9, 2026
How about macOS? Why there's no working LPE exploit on M5... https://t.co/oLAdKqhxKI
— thaidn (@XorNinja) May 9, 2026
Since when did the rejected term “responsible disclosure” come back into favor?
— thaddeus e. grugq (@thegrugq) May 11, 2026
We got the email too.
— FuzzingLabs (@FuzzingLabs) May 11, 2026
We had a working RCE on Oracle Autonomous AI Database ready to demonstrate live at #Pwn2Own Berlin next week. ZDI confirmed they're at maximum capacity and can't add extra contest days.
AI is now generating offensive capability faster than the institutions… https://t.co/BG33gnOJu5 pic.twitter.com/sLsbna06jR
PoCs for Apache Tomcat Unauth RCE (CVE-2026-34486) and Apache httpd Pre-auth RCE (CVE-2026-23918) are now public on our Github.
— striga (@striga_ai) May 11, 2026
Tomcat exploit is fully reliable. httpd chain works in a controlled lab setup with a known info leak. https://t.co/D3dg5iTuwP https://t.co/2zyr1ds4Mo
GitHub - striga-ai/CVE-2026-34486: Apache Tomcat Tribes EncryptInterceptor fail-open bypass, unauthenticated RCE PoC · GitHub
GitHub - striga-ai/CVE-2026-23918: Apache httpd mod_http2 double-free, pre-auth RCE PoC · GitHub
striga-ai/CVE-2026-34486 (49 stars, Java) Apache Tomcat Tribes EncryptInterceptor fail-open bypass, unauthenticated RCE PoC
source: striga (@striga_ai)
striga-ai/CVE-2026-23918 (16 stars, Python) Apache httpd mod_http2 double-free, pre-auth RCE PoC
source: striga (@striga_ai)
Opus 4.6 tested on 435 real vulnerabilities from production CVEs. Result is 28.5% CVE recall with extensive prompting and a verification agent. The false positive problem is severe. 38–51% of patched, clean functions got flagged. https://t.co/gREfZ2xRSN
— Lukasz Olejnik (@lukOlejnik) May 11, 2026
GitHub - ZeroPathAI/opus-benchmark: Code for our opus 4.6 vulnerability detection benchmark · GitHub
ZeroPathAI/opus-benchmark (12 stars, Python) Code for our opus 4.6 vulnerability detection benchmark
source: Lukasz Olejnik (@lukOlejnik)
Counterpoint: if you throw a rock in a random direction at Defcon or Blackhat you will hit someone with a blue belt or above in BJJ https://t.co/sCytZtAD3L
— Dave Aitel (@daveaitel) May 11, 2026
Google Threat Intelligence Group is dropping our latest AI Threat Tracker report today, which covers several threats we are watching through a variety of means. The report includes some details of the first 0day exploit we've found developed with AI. 1/x https://t.co/klvOrX31xv
— John Hultquist (@JohnHultquist) May 11, 2026