the grugq's newsletter

May 8, 2026


💥 Introducing "Dirty Frag"

A universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail.

No race, no panic on failure, fully deterministic. ~9 years latent.
Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more.

Even… pic.twitter.com/2pfLnD77zy

— V4bel (@v4bel) May 7, 2026

GitHub - V4bel/dirtyfrag · GitHub

Contribute to V4bel/dirtyfrag development by creating an account on GitHub.


BREAKING MS NOW: Kash Patel has ordered the polygraphing of more than two dozen former and current members of his security detail and other staff and has been described as in panic mode to save his job and find leakers among his team, according to two people briefed on the development.

— Kyle Griffin (@kylegriffin1.bsky.social) May 07, 2026


Having spoken to a senior Saudi official about the NBC article regarding Project Freedom, I honestly think the article completely misunderstood what actually happened because it was written almost entirely from a US perspective rather than from a GCC perspective.

First of all,…

— Aimen Dean (@AimenDean) May 7, 2026


The multisig keys used in production by LayerZero Labs to secure billions in user funds was also being used to trade a memecoin called "McPepes (PEPES)"

... WTF

An absolute failure of even the most basic opsec and key isolation best practices, putting any user who used… https://t.co/J3XAQAcVl7 pic.twitter.com/XncQ8PzOCh

— Zach Rynes | CLG (@ChainLinkGod) May 8, 2026


„Russia is now moving away from using those low-cost, one-time recruits toward more “professional” operations, tapping into organized crime networks, according to the report published on Wednesday by the Internal Security Agency, or ABW.“ https://t.co/cGtbPqxNWN

— Florian Flade (@FlorianFlade) May 7, 2026

Poland warns of a sharper Russian sabotage push across Europe | AP News

Poland's internal security service has warned that Russia is shifting from using individual recruits to ‘professional’ networks to carry out a campaign of sabotage across Europe.


It’s worth remembering just how little spy agencies pay their assets. This guy was bribing military officials (paid: $50k) and reading pro PRC propaganda (paid: $4,325) on a major cable news network. Now facing 12 years in jail. Crime doesn’t pay, but it pays better than spying https://t.co/FkJhfVe9lP

— thaddeus e. grugq (@thegrugq) May 8, 2026


My students asked me if it was true that the entire Internet was really coded by hand. All those kernels, protocols, router firmware, browsers, databases, etc. Somebody coded these and debugged them by hand?!?!? They used BBEdit?!?!??! The idea that this was even possible seems…

— Benjamin Bratton (@bratton) May 6, 2026


> web article about unis
> 90% of students using ai to cheat
> uni educators and staff frustrated
> call for revolution of education
> critics say school is cooked now
> phd lady writes article about it
> look inside
> "its not x—its y"
> "why it matters" pic.twitter.com/Kuz7F3sw9p

— vx-underground (@vxunderground) May 7, 2026


https://t.co/rPRlNA7mZG worth a read

— Dave Aitel (@daveaitel) May 7, 2026


Anthropic’s powerful AI model is the best cybersecurity news in a decade.


Our new Investigation: Inside Spy School - how Russia trains and recruits GRU staff for its hybrid war against the West at Moscow State University Bauman (gift link) https://t.co/Q8PtsZ3Y6x

— Fidelius Schmid (@FideliusSchmid) May 7, 2026

Russia trains spies and hackers for hybrid war in secret university program - DER SPIEGEL

Russia is blanketing Germany and the West with cyberattacks and disinformation campaigns. Leaked documents obtained by SPIEGEL now show how Moscow trains the attackers: in a secret university program.




wow there're just too many 0days to follow, what's going on world? is it just my feeling, or everyone good at finding and dropping bugs suddenly (due to ai)? Examples like Apache pre-auth UAF, PANW firewall pre-auth 0day, Chrome giant patch 137 bugs, some Chrome 0day exp, Freebsd…

— Haifei Li (@HaifeiLi) May 7, 2026


100/127 CVEs are reported by Google.

Google’s internal tools kills the game https://t.co/bORleSNL10

— ret2happy (@ret2happy) May 7, 2026

Chrome Releases: Stable Channel Update for Desktop

The Chrome team is delighted to announce the promotion of Chrome 148 to the stable channel for Windows, Mac and Linux. This will roll out ov...


Another using ai to find bugs startup, it seems to me everyone is doing this thing right now, maybe only me not? Where can I point wwlib.dll to ai and command “go find Office bugs for me?”😅 https://t.co/XZfVuz4Yol

— Haifei Li (@HaifeiLi) May 7, 2026


OK this is getting out of hands. We created a bot to find and exploit vulnerabilities in FreeBSD. It found many bugs, and we asked it to tell the story of one of them. It composed a blog post and shared it with MoltBook lol https://t.co/zTUuthhDvA

Original blog post:…

— thaidn (@XorNinja) May 7, 2026

CVE-2026-7270: How I Get Root on FreeBSD with a Shell Script | moltbook

Posted in m/security by madbugs

https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-freebsd


They literally vibe-coded an exploit within minutes of me tweeting the fix earlier today: https://t.co/UZPBFyY9Um https://t.co/zsHEmfUQ5U

— Brad Spengler (@spendergrsec) May 7, 2026


Can also read through the mailing list around it, the author of the commit was someone who rediscovered the vuln with their LLM, everyone's looking for this bug class: https://t.co/pYxQJ2OA64

— Brad Spengler (@spendergrsec) May 7, 2026

https://lore.kernel.org/all/CAF3ZFefQM5Ud8iWDoKV9FPdZ=8V0KD56Bvkdcku1fmm6aaD_Cg@mail.gmail.com/


Someone in China recently bought a second-hand iPad on 🇨🇳 Goofish (闲鱼), Alibaba’s second-hand marketplace, but found out the iPad was MDM-locked by US Department of the Navy…

😂 pic.twitter.com/6XXBTXXy36

— Byron Wan (@Byron_Wan) May 8, 2026


eulogy to a dying world https://t.co/SJVaSYFw0F pic.twitter.com/8eVh7I2ff6

— cts🌸 (@gf_256) May 7, 2026

