May 14, 2026
New Myths for Old - CERIAS - Purdue University
After the Buggy Whip - CERIAS - Purdue University
More Than the Code - CERIAS - Purdue University
My new blogpost is out! I can't think of another kernel bug quite as easy to exploit as this one. Big shout out to @tehjh who said something along the lines of "Uh...Seth come check out this mmap handler" https://t.co/07PQim2ysp
— Seth Jenkins (@__sethJenkins) May 13, 2026
A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens - Project Zero
We recently published an exploit chain for the Google Pixel 9 that demonstrated it was possible t...
Re: Mythos
— haroon meer (@haroonmeer) May 13, 2026
SATAN, patch-diffing, metasploit, all had ppl screaming about an impending apocalypse.
Impactful, but not world ending.
Mainly they remind me of 2 diff quotes:
1) "when the tide goes out.. you discover who's been swimming naked" - Buffet
2) "your cyber systems…
A leak has provided an unprecedented glimpse into the internal operations of the ransomware-as-a-service group known as "The Gentlemen". The group operated with a relatively small core team and recruited technical affiliates. Operators communicated via Tox protocol in addition to… https://t.co/a9dKIod1An
— Costin Raiu (@craiu) May 14, 2026
Rocket.Chat | Secure CommsOS™ for Mission-Critical Operations
Centralize real-time messaging, voice, video, AI, and apps for secure, reliable and unified communication among internal and external stakeholders.
"The Gentlemen" ran a tight RaaS operation.
— Check Point Research (@_CPResearch_) May 13, 2026
Then they got breached.
CPR analyzed the full leak: org structure, access brokers, active CVEs, victim comms, and financials.
Real operators, real tradecraft, fully exposed. https://t.co/DJC7ks1Omi
Thus Spoke…The Gentlemen - Check Point Research
Key Points Introduction The Gentlemen ransomware-as-a-service (RaaS) operation is a relatively new group that emerged around mid-2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates. In 2026, based on victims listed on the data leak site (DLS), […]
I have to say, you'd never expect a full browser exploit chain made up entirely of logic bugs. Of course it had to be Orange https://t.co/vPrLrSNqAY
— HexRabbit (@h3xr4bb1t) May 14, 2026
To exploit this to RCE you need:
— Yanir Tsarimi (@Yanir_) May 14, 2026
1. ASLR disabled (or some way to leak info)
2. The nginx server configuration to have a "set" + "rewrite" directives. The rewrite has to have '?' in its replacement rule (second arg)
So the attack surface is probably much less than what it… https://t.co/bh0IhE2LO2
The DEVCORE team is the craziest this year, and it's even more exciting to see legendary Orange Tsai navigating himself from the server side to the client side browser exploit scene. https://t.co/umNyPbUqe6
— Toan Pham (@__suto) May 13, 2026
the fast16 malware was almost certainly targeting spherical implosion simulations.
— hanlon's mortola razr (@rhizomaticthot) May 13, 2026
left: unmodified LS-DYNA 970
right: LS-DYNA 970 modified with the relevant portions of fast16.sys
both running a spherical implosion deck pic.twitter.com/6KYLEU2Vic
it hooks the SUEOS and EOS methods (setup/run Equation of State). the floating point sabotage only triggers when there is:
— hanlon's mortola razr (@rhizomaticthot) May 13, 2026
A: three nested shells
B: a dramatic increase in energy between EOS cycles which only really occurs with mach stems or explosive lensing. pic.twitter.com/A7QhgQRXKN
P2O
— metnew (@v_metnew) May 13, 2026
no entries - pgvector, dynamo, llama.cpp; container category; kvm, macos, win rdp, office, chrome;
11 LPE (rhel+win)
11 Coding Agents (just 2 bugs in cursor??)
7 inference
7 nvidia https://t.co/vej8B6ouQo
https://www.zerodayinitiative.com/Pwn2OwnBerlin2026Rules.html
yeah, Tom, my same thoughts about Office working exploit: tough (due to no scripting env), but not impossible.
— Haifei Li (@HaifeiLi) May 14, 2026
But for the #pwn2own, I've made my point before and I'm going to say it again: it's because the rules are not realistic/reasonable. Let me be specific…
A lot of people have been wondering about Mythos, Glasswing, and the vulns we / our partners are fixing. Today, I'm excited for us to start sharing more. (For context, I lead Glasswing @AnthropicAI.)
— Logan Graham (@logangraham) May 13, 2026
Two independent evaluations this week—from XBOW and the UK AISI—confirm what… https://t.co/WhIAjHcoQ5
XBOW - Mythos for Offensive Security: XBOW's Evaluation
We received early access to Mythos Preview for early capability testing a few weeks back. Today, we can finally share what we found.
How fast is autonomous AI cyber capability advancing? | AISI Work
The length of tasks frontier models can autonomously complete in our narrow cyber suite has been doubling every few months. This doubling rate has become faster over time, and recent models exceeded our previous trends.
Enough with the big bug burn panic. https://t.co/5DeosOdqdQ
— thaddeus e. grugq (@thegrugq) May 13, 2026
We've been ignoring the security technical debt for too long hoping the payday will never come because finding all those insecure bugs (and features) demanded far more hackers than we had. That has now changed and it's time to face the music. https://t.co/AASyfeAFvd
— Volodymyr Styran (@arunninghacker) May 13, 2026
Mythos on Curl: Once my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability. The other four were three false positives (they highlighted… https://t.co/ok7mtrsFsE
— Teri Radichel #cybersecurity #pentesting (@TeriRadichel) May 11, 2026
I'd throw it out there that of the deep technical industry leads I know of a significant number of them used to be epic blackhats. If you have an incentive structure of being deeply motivated by administrating small African micro nations versus getting accepted to talk at Black… https://t.co/clDOWK2PXg
— Nate (@nnwakelam) May 12, 2026
Wow how could the Chinese have come to that conclusion? https://t.co/Cf3mOa2Ys2
— Jeet Heer (@HeerJeet) May 11, 2026
Why are API keys not bound to an IP address allow list? I never see this option available in API services. Failing that, you should also receive an email whenever a new IP address attempts to use your API key. API keys should double up as canary tokens.
— Adam Langley (@BuildHackSecure) May 12, 2026
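One way to implement the binding and tripwire behaviour the tweet above asks for, as an added example that is not the author's code; the key store, owners, CIDR ranges and canary key are constructed for illustration:

```python
# Added example (not from the tweet): API-key check that enforces a
# per-key source-IP allow list, notifies on first-seen IPs, and treats
# designated "canary" keys as tripwires. All names and data are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ApiKey:
    owner: str
    allow: list            # CIDR strings; empty list = no IP restriction
    canary: bool = False   # a key that should never be used legitimately
    seen_ips: set = field(default_factory=set)


# Constructed key store; in practice this would be one database row per key.
KEYS = {
    "key-prod-1": ApiKey("billing-svc", ["203.0.113.0/24"]),
    "key-dev-1": ApiKey("alice", []),
    "key-canary-1": ApiKey("canary", [], canary=True),
}


def check_request(key_id: str, src_ip: str, alerts: list) -> bool:
    """Return True if the request may proceed; append alert strings to `alerts`."""
    rec = KEYS.get(key_id)
    if rec is None:
        return False
    ip = ip_address(src_ip)
    if rec.canary:
        # Canary keys exist only to be leaked: any use at all means compromise.
        alerts.append(f"CANARY key {key_id} used from {src_ip}")
        return False
    if rec.allow and not any(ip in ip_network(c) for c in rec.allow):
        # Bound key used from outside its allow list: reject and alert.
        alerts.append(f"key {key_id} ({rec.owner}) used from {src_ip} outside allow list")
        return False
    if src_ip not in rec.seen_ips:
        # New source for this key: allowed, but the owner gets a notification.
        rec.seen_ips.add(src_ip)
        alerts.append(f"NOTICE key {key_id} ({rec.owner}) first use from {src_ip}")
    return True
```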
i'm seeing way, way more of these popping up over the past weeks/months, so i wanted to remind folks of some resources out there:
— cje (@caseyjohnellis) May 11, 2026
- https://t.co/szLXm8irSS (full reverse lookup w/ chaining and fallback contacts... MCP-enabled)
- https://t.co/NHWf2Rb5Jm (~30,000 program directory⊠https://t.co/Ehtjjn0oXS pic.twitter.com/CmVVffGWYR
lookup.disclose.io â Security Contact Lookup
Find the right security contact for any asset. A disclose.io project.
VDP Programs - disclose.io
Search vulnerability disclosure and bug bounty programs in our database.
@disclose_io Community Forum - Security research and vulnerability disclosure community
Hacker connects, security research, and news about The disclose.io Project.
IMO, the funniest part of this entire war is when an OSINTer found a livestreaming camera that captured the region of sky just above one of Iran's launch silos, and they watched it get bombed, fire off a missile, get bombed again, fire off another missile, and so on and so forth. https://t.co/WkqDrsrODh
— Analytica Camillus (@AnalyticaCamil1) May 12, 2026
Excited to see @Google launch Intrusion Logging, the first purpose-built system to enable forensic investigations of advanced attacks on mobile. @AmnestyTech has worked with @Android as a design partner, during the development of Intrusion Logging and Advanced Protection Mode
— Donncha Ó Cearbhaill (@DonnchaC) May 12, 2026
I wrote a guest article about the implications of stronger LLMs in the German FAZ: https://t.co/Mnygp6kr0p
— Halvar Flake (@halvarflake) May 13, 2026
Thomas Dullien on Anthropic's Mythos: software was never designed for perfect security, and that is now taking its toll | FAZ
Vulnerabilities in computers were tolerated for a long time, because exploiting them was technically complex and expensive. AIs are now changing that, and in doing so they force us to tackle legacy problems faster.
Aside from the sizzle of threat actors using AI to discover and exploit vulnerabilities, here is the substance that I'm most worried about longer term: https://t.co/BLxOd3e1IA pic.twitter.com/8rTNrDcyUw
— Dino A. Dai Zovi (@dinodaizovi) May 11, 2026
I just reverse engineered the YellowKey BitLocker bypass
— impulsive (@weezerOSINT) May 12, 2026
Microsoft shipped code that checks for a flag called "FailRelock" in every Windows 11 recovery image. When it's set to 1, after recovery unlocks your BitLocker drive, it never relocks it. All you need is a USB stick.
This… https://t.co/grBweZpwjn pic.twitter.com/3axBhcuDDR
How it works:
— impulsive (@weezerOSINT) May 12, 2026
1. Recovery tools look for a config file called RecoverySimulation.ini on the OS drive
2. If Active=Yes, it enables "test mode" for the recovery tools
3. Test mode unlocks your BitLocker drive but a flag called FailRelock tells it to skip relocking
4. cmd.exe… pic.twitter.com/WZTxOoiWQw
When there isn't yet a patch, like w/ a named Linux vuln, eBPF as a "patching" strategy is what these two very experienced teams out there are doing right now.
— Gadi Evron (@gadievron) May 12, 2026
Check out what Cloudflare and Datadog did.
Cloudflare: https://t.co/0nRSBs9ajf
Datadog: https://t.co/a3zjQufnww
How Cloudflare responded to the "Copy Fail" Linux vulnerability
When a critical Linux kernel privilege escalation was publicly disclosed, Cloudflare's security and engineering teams detected, investigated, and mitigated the threat across our global fleet, confirming zero customer impact and no malicious exploitation.
CVE-2026-31431 Copy Fail AF_ALG splice exploitation detected
Datadog, the leading service for cloud-scale monitoring.
Two more zerodays - https://t.co/kUgSQqq0s8
— Chaotic Eclipse (@ChaoticEclipse0) May 12, 2026
Chaotic Eclipse: Two more public disclosures, it will never stop
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Here are the links, yes, two vulnerabilities this time. Defender has been sparred because I ...
This is like one of those audio journals you find on a corpse in a sci-fi horror game https://t.co/oE4FlhD88w
— Kitten (@kitten_beloved) May 12, 2026
Done something cool with AI? Great! Now, have some respect for your own work, and the people reading it, and don't have AI do the write-up.
— Sean Heelan (@seanhn) May 11, 2026
Good writing is a skill. Conveying complex technical ideas is hard. But AI is not good at it, and the write-ups it generates are dogshit.
As an offensive researcher, what scares me isn't that LLMs can find bugs today.
— ohjin (@pwn_expoit) May 11, 2026
It's the post-LLM era:
well-engineered, security-hardened code written with AI assistance, and the industry's massive shift toward memory-safe languages with help of LLMs
https://securitylab.amnesty.org/latest/2026/05/android-intrusion-logging-as-a-new-source-of-data-for-consensual-forensic-analysis/
Today we are also publishing a forensic guide to help defenders and civil society leverage this tool to further accountability efforts. https://t.co/c9DTfZBCms
— Donncha Ó Cearbhaill (@DonnchaC) May 12, 2026
I feel the traditional "responsible disclosure" concept has been broken since its inception. you can argue that forcing everyone's hand by dropping (weaponized) bugs/exploits is reckless/harmful behavior or blablabla but I feel you have to keep in mind everyone's… https://t.co/Qf0hYeqS0Q
— blasty (@bl4sty) May 12, 2026
The released firefox 150.0.3 today has killed our renderer exploit component, since only 1 day is left we have no choice but to withdraw our entry. Kudos to our teammates @trichimtrich, @lanleft_ and @wiz1340 for their hard work that created 2 fullchains which work flawlessly from firefox… https://t.co/NAfOx3agjR pic.twitter.com/IvjlWYifPa
— Qrious Secure (@qriousec) May 12, 2026
Except that this httpd pre-auth "RCE" exploit does not work. A real exploit requires an infoleak, and the author conveniently supplied a "helper" that reads addresses directly from /proc/<pid>/mem.
— thaidn (@XorNinja) May 11, 2026
We also found this bug in early April, submitted it, and were told it's a dup… https://t.co/SatdXsF8zh
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40361
CVE-2026-40361 (https://t.co/z0h2NEcXtS), patched today, is a critical 0-click UAF/RCE bug in Microsoft Outlook that I discovered back in Q1. You definitely want to patch this sooner rather than later.
— Haifei Li (@HaifeiLi) May 12, 2026
The danger of such 0-click bugs in Outlook is that they are triggered as soon…
#BadWinmail Demo - Li Haifei
source: Haifei Li (@HaifeiLi)