the grugq's newsletter

May 19, 2026


Nice write up from the Cloudflare team, but the post here is misleading. Patch faster is not the wrong answer, because most teams are patching on the order of weeks or months. You must patch faster than that right now. But I will agree that 2 hours is infeasible beyond the… https://t.co/OQFMn0FO1Z

— Heather Adkins - Ꜻ - Spes consilium non est (@argvee) May 18, 2026


🏴‍☠️ I can finally share a VMware 0day I discovered that led to CVE-2026-41702 (LPE as root). Funny enough, I found the bug in my hotel room after the second day of attending Csaba Fitzl (@theevilbit) & Gergely Kalman (@gergely_kalman) training at Zer0con. https://t.co/mG55Ksc4gE pic.twitter.com/qSjzSKNXDi

— Coiffeur (@Coiffeur0x90) May 17, 2026

C111000: Race Against The Virtual Machine or how a SUID binary in VMware Fusion was raced to gain root privileges on macOS | Coiffeur’s blog

Vulnerability research blog


Only a very few cyber operations benefit from high speed on target. Generally speaking, most cyber ops want dwell time measured in months, not in minutes. https://t.co/po7lXhgvTW

— thaddeus e. grugq (@thegrugq) May 19, 2026


Speed on-target will primarily benefit cybercriminals and disruptors who alert defenders to their presence as a matter of course. It may be a liability in cyber espionage. https://t.co/Tsd8oc48GZ

— John Hultquist (@JohnHultquist) May 18, 2026


still not quite over the fact that i watched 15 year olds get sued for millions of dollars for downloading twelve songs and now we all have to accept AI slop because every tech company in the known universe decided that IP laws don't exist now that they're inconvenient for them

— theselongwars (@theselongwars_) May 18, 2026


I didn't know Helen of Troy could generate so much conflict.

— Everything Price Sufferer (but especially eggs) (@agraybee) May 18, 2026


The mystery of Fast16 has been solved by @symantec and physicist @DAVIDHALBRIGHT1. Fast16 changed data produced by simulator software to trick Iranian engineers into thinking their nuclear weapons designs were bad. It didn't predate Stuxnet but was developed around the same time https://t.co/MUxh380Wpu

— Kim Zetter (@KimZetter) May 18, 2026


Sometimes it confuses me how the security field today fails to remember why things like least privilege and privilege separation were built into qmail, postfix, and SSH long ago.

Then I remember that an astonishingly small percentage of the field today were around back then.

— Dino A. Dai Zovi (@dinodaizovi) May 18, 2026
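To make the pattern Dino is pointing at concrete, here is an added example (not from the tweet, and not the code of qmail, postfix or OpenSSH) of the two building blocks those programs share: an irreversible privilege drop done in the right order, and a forked worker that touches attacker-controlled bytes only after dropping to an unprivileged identity while the parent keeps its privileges. It assumes Linux (os.setresuid/os.setresgid); the SMTP envelope parser and its input are constructed stand-ins for whatever untrusted parsing the worker would really do. Run as non-root it drops to the caller's own uid, which still exercises every check.

```python
import json
import os


def drop_privileges(uid: int, gid: int) -> None:
    """Irreversibly switch to uid/gid. The order is the whole point:
    supplementary groups (root only), then gid, then uid, because once the
    uid is unprivileged the group calls would fail. Setting real, effective
    AND saved ids is what stops a later setuid(0) from getting root back."""
    if os.geteuid() == 0:
        os.setgroups([])                      # drop supplementary groups first
    os.setresgid(gid, gid, gid)               # gid before uid
    os.setresuid(uid, uid, uid)               # real, effective and saved uid
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise RuntimeError("privilege drop incomplete")
    if uid != 0:                              # prove the drop cannot be undone
        try:
            os.setuid(0)
        except PermissionError:
            return
        raise RuntimeError("root can still be regained")


def parse_mail_from(line: str) -> str:
    """Toy SMTP envelope parser standing in for the code that reads
    attacker-controlled bytes (constructed for this example)."""
    stripped = line.strip()
    if not stripped.upper().startswith("MAIL FROM:<") or not stripped.endswith(">"):
        raise ValueError("malformed MAIL FROM")
    return stripped[len("MAIL FROM:<"):-1]


def run_unprivileged(worker, untrusted_input, uid: int, gid: int):
    """Privilege-separation skeleton: the parent never parses the input.
    A forked child drops to uid/gid, runs the worker, and reports back over
    a pipe as JSON, so a compromised child can at most send garbage upward;
    it can never call into the privileged side."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:                              # child: unprivileged worker
        try:
            os.close(read_end)
            try:
                drop_privileges(uid, gid)
                reply = {"ok": True, "result": worker(untrusted_input)}
            except Exception as exc:          # report, never propagate
                reply = {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
            with os.fdopen(write_end, "w") as pipe:
                json.dump(reply, pipe)
        finally:
            os._exit(0)                       # the child must never return here
    os.close(write_end)                       # parent: keeps its privileges
    with os.fdopen(read_end) as pipe:
        raw = pipe.read()
    os.waitpid(pid, 0)
    if not raw:
        raise RuntimeError("worker died without replying")
    reply = json.loads(raw)
    if not reply["ok"]:
        raise RuntimeError("worker failed: " + reply["error"])
    return reply["result"]


def current_ids():
    """The identity an unprivileged caller can drop to: itself."""
    return os.getuid(), os.getgid()
```

Started as root, the call would be run_unprivileged(parse_mail_from, line, nobody_uid, nogroup_gid); the parent stays root to bind ports or write the queue, and the only code that ever sees the envelope line runs with nothing to lose.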


Earlier today Cloudflare's CSO shared how they tested Anthropic Mythos using an unreleased 8-stage vulnerability-discovery agent. So I asked Opus to implement the agent for me, it works via Claude SDK with a Pro or Max subscription, no API.

Enjoy https://t.co/McoZbTvTLL pic.twitter.com/FGOrxhBW4X

— Simone Margaritelli (@evilsocket) May 18, 2026

GitHub - evilsocket/audit: An 8-stage vulnerability-discovery agent (160 stars, Python)


Here's the PoC for Nginx CVE-2026-42945 which works against vanilla Ubuntu (and any other distro?) + Nginx with ASLR enabled. I have included all iterations of the PoC the LLM was kicked to improve.

TL;DR: We can use an LFI/file-read primitive to leak enough details from…

— Hamid Kashfi (@hkashfi) May 18, 2026

GitHub - Hamid-K/nginx-rift-private-lab: Private Nginx Rift ASLR lab, exploit chain, and demo recordings (20 stars, Python)
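What a file-read leak buys an attacker against ASLR, as an added example that is not from the linked lab or its PoC (which file the PoC reads is cut off in the tweet, and none of its chain is reproduced here): if the primitive can reach the worker process's own /proc/self/maps, one parse of that file recovers every randomised load base, after which offsets taken from the on-disk binary and libc become live addresses. The maps content, the paths and the 0x50d70 libc offset below are constructed for the example, not taken from any real Ubuntu or nginx build.

```python
import re

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Constructed sample of what a leaked maps file looks like for a PIE nginx
# worker; addresses are invented and differ on every real process under ASLR.
SAMPLE_MAPS = """\
5584e9a00000-5584e9a2c000 r--p 00000000 fd:01 1234 /usr/sbin/nginx
5584e9a2c000-5584e9b8a000 r-xp 0002c000 fd:01 1234 /usr/sbin/nginx
5584e9b8a000-5584e9bd0000 r--p 0018a000 fd:01 1234 /usr/sbin/nginx
5584e9bd1000-5584e9bdd000 rw-p 001d0000 fd:01 1234 /usr/sbin/nginx
5584eb2c1000-5584eb3a3000 rw-p 00000000 00:00 0 [heap]
7f3a8c600000-7f3a8c628000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a8c628000-7f3a8c7bd000 r-xp 00028000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a8c7bd000-7f3a8c815000 r--p 001bd000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a8c815000-7f3a8c819000 r--p 00214000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a8c819000-7f3a8c81b000 rw-p 00218000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd1e4c7000-7ffd1e4e8000 rw-p 00000000 00:00 0 [stack]
7ffd1e5f1000-7ffd1e5f3000 r-xp 00000000 00:00 0 [vdso]
"""

# Hypothetical offset of a libc function as read from the local libc with
# nm/readelf; the value is made up for the example.
LIBC = "/usr/lib/x86_64-linux-gnu/libc.so.6"
NGINX = "/usr/sbin/nginx"
STATIC_SYMBOL_OFFSET = 0x50D70


def parse_maps(text):
    """Parse maps text into a list of region dicts; skips anything malformed."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, offset, _dev, _inode, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "offset": int(offset, 16), "path": path})
    return regions


def region_bases(regions):
    """Load base of every file-backed module plus [heap]/[stack]/[vdso]:
    the lowest mapping of each path whose file offset is 0. Under ASLR these
    values are randomised per process, which is why leaking them matters."""
    bases = {}
    for r in sorted(regions, key=lambda r: r["start"]):
        if r["path"] and r["offset"] == 0 and r["path"] not in bases:
            bases[r["path"]] = r["start"]
    return bases


def resolve(bases, module, static_offset):
    """Turn an offset from the on-disk ELF into this process's runtime address."""
    return bases[module] + static_offset


def executable_regions(regions, module):
    """Where code for `module` actually lives, i.e. where ROP gadgets could be."""
    return [(r["start"], r["end"])
            for r in regions if r["path"] == module and "x" in r["perms"]]
```

The same parse also tells you what the leak does not give: a non-PIE nginx would show a fixed 0x400000 base and need no leak at all, and a maps file from the master process is useless against a worker, since every process gets its own randomisation.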


NATO war game ended with Russia cutting off the Baltics in 24 hours — because Germany froze politically while the US stayed out.

Retired Ukrainian Gen. Romanenko, playing Russia’s commander, says NATO’s biggest weakness was not troops but hesitation, FP. 1/ pic.twitter.com/z6YIXRDiUD

— Tymofiy Mylovanov (@Mylovanov) May 17, 2026


Source: https://t.co/RxzOYw0alI

— Tymofiy Mylovanov (@Mylovanov) May 17, 2026

https://foreignpolicy.com/2026/05/15/russia-war-game-nato-invasion-baltics-ukraine-putin-germany-ernstfall/


I just learned the sad news that Peter Neumann has passed away.

Peter Neumann shaped how a generation of security people learned to think about risk. As editor of RISKS Digest, he gave many of us coming up in the 1990s and early 2000s a steady education in the real-world… pic.twitter.com/pTctaUK7KW

— Chris Wysopal (@WeldPond) May 17, 2026


Reminds me of the findings from various fuzzers (symbolic execution guided like SAGE, dumb bit flips, etc). They all discovered partially overlapping sets of bugs. Both now and back then, there is also a partially overlapping set that are discoverable manually by humans. https://t.co/PRDt4MxSJu

— Dino A. Dai Zovi (@dinodaizovi) May 17, 2026


Just dropped my full notes on Pwn2Own Berlin 2026. Broke down the big wins by DEVCORE, the actual techniques they used, why these matter in the real world, and exactly where you can practice the same skills yourself. Full article here #Pwn2Own #P2OBerlin #CyberSecurity https://t.co/4vE4KCrJ3a

— 𝕡𝕨𝕟.𝕋∅𝕔𝕙! (@0day_ninja) May 17, 2026


I have often wondered how exactly external groups distill the frontier models - this is how. By doing this they get the benefits of genuine user prompts (multi-turn, real codebases, human feedback), subsidize the cost of distilling many tokens, and display real usage patterns and… https://t.co/MdzwQDUjOz

— Brendan O'Donoghue (@bodonoghue85) May 16, 2026


In 1562 a French gentleman was arrested for attending meetings of Protestants, but was acquitted after admitting he’d only gone in the hope of participating in the orgies Catholic propaganda claimed Protestants got up to. pic.twitter.com/bnuHMy2YHl

— Stakeholder Consultant (@echetus) May 17, 2026


Astonishing work! Reminds me of @CodeColorist's brilliant logical chains against iOS 14 Safari, which were rooted in Loki more than a decade ago.
I wonder whether Edge might do something unexpected with URL schemes or web content involving AI features.
Looking forward to the… https://t.co/23V7IKqd1t

— Toan Pham (@__suto) May 18, 2026

https://codecolor.ist/talks/


This applies to frontier labs, governments, AI-for-pentesting companies as well.

It is worth thinking about the fact that there is very little incentive (and often a strong disincentive) to say the second sentence publicly. https://t.co/IET2JL0MZn

— Sean Heelan (@seanhn) May 17, 2026


CIA counterintelligence chief James Angleton was running a paranoid hunt for Soviet infiltrators while playing a game of "Pee-pee Touch (No Homo)" with *two* actual KGB agents. I imagine a lot of recent Iranian intelligence failures went down the same way. pic.twitter.com/eMUbL7vXlP

— Matthew Petti 🫒 🌲 🌷 🌻 (@matthew_petti) May 17, 2026

