For the side channel crowd:

I wrote about how side channels in serialization can theoretically allow breaking ASLR - with a theoretical worst-case example of how a single round trip of deserializing attacker-controlled data, serializing the result again, and sending the re-serialized data to an attacker could leak an entire pointer:
"Pointer leaks through pointer-keyed data structures"
https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointer-keyed.html
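The mechanism the post above describes, as an added illustration that is not code from this thread or from the linked Project Zero post: a toy pointer-keyed hash set whose bucket index is a window of raw pointer bits, a "victim" that deserializes attacker-numbered items into one contiguous heap block and re-serializes them in bucket order, and an "attacker" decoder that reads TABLE_BITS bits of the heap pointer back out of that order in a single round trip. The table size, the identity hash, the 16-byte item stride and the assumption that the table is exactly full are all constructed for this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy pointer-keyed hash set, constructed for this example. Real tables differ in
 * hash mixing and resizing policy, but the leak mechanism is the same. */
#define PTR_SHIFT   4                        /* drop malloc alignment bits */
#define TABLE_BITS  6
#define TABLE_SIZE  (1u << TABLE_BITS)
#define TABLE_MASK  (TABLE_SIZE - 1)

struct item { uint64_t id; uint64_t payload; };   /* 16 bytes: one item per bucket step */
_Static_assert(sizeof(struct item) == (1u << PTR_SHIFT), "stride must equal one bucket step");

/* Identity hash: the bucket index is a window of raw pointer bits. */
static size_t bucket_of(const void *p) {
    return ((uintptr_t)p >> PTR_SHIFT) & TABLE_MASK;
}

struct ptr_set { const struct item *slots[TABLE_SIZE]; size_t count; };

/* Open addressing with linear probing; returns 0 when the table is full. */
static int set_insert(struct ptr_set *s, const struct item *p) {
    if (s->count == TABLE_SIZE) return 0;
    size_t b = bucket_of(p);
    while (s->slots[b] != NULL) b = (b + 1) & TABLE_MASK;
    s->slots[b] = p;
    s->count++;
    return 1;
}

/* "Serialize": walk the buckets in order and emit each item's id. The emitted
 * order is a function of the items' addresses, which is the side channel. */
static size_t set_serialize(const struct ptr_set *s, uint64_t *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < TABLE_SIZE && n < max; i++)
        if (s->slots[i] != NULL) out[n++] = s->slots[i]->id;
    return n;
}

/* Victim: deserialize TABLE_SIZE attacker-numbered items into one contiguous heap
 * block (item i lives at base + 16*i), key them by pointer, and re-serialize. */
static size_t victim_round_trip(uint64_t *out, uintptr_t *base_out) {
    struct item *items = calloc(TABLE_SIZE, sizeof *items);
    if (items == NULL) return 0;
    struct ptr_set set = {0};
    for (uint64_t i = 0; i < TABLE_SIZE; i++) {
        items[i].id = i;                          /* attacker-chosen content */
        (void)set_insert(&set, &items[i]);
    }
    size_t n = set_serialize(&set, out, TABLE_SIZE);
    *base_out = (uintptr_t)items;                 /* kept only to check the leak below */
    free(items);
    return n;
}

/* Attacker: item i landed in bucket (b0 + i) mod TABLE_SIZE, where b0 is the bucket
 * of the block's base address. The first id emitted came from bucket 0, so
 * b0 = (TABLE_SIZE - first_id) mod TABLE_SIZE, i.e. TABLE_BITS bits of the pointer. */
static uintptr_t attacker_recover_bits(const uint64_t *order, size_t n) {
    if (n != TABLE_SIZE) return (uintptr_t)-1;    /* this decoder assumes a full table */
    return (TABLE_SIZE - (uintptr_t)order[0]) & TABLE_MASK;
}

/* Runs one round trip and compares the recovered bits with the real base address. */
static int round_trip_leaks_pointer_bits(void) {
    uint64_t order[TABLE_SIZE];
    uintptr_t base = 0;
    size_t n = victim_round_trip(order, &base);
    uintptr_t leaked = attacker_recover_bits(order, n);
    uintptr_t truth  = (base >> PTR_SHIFT) & TABLE_MASK;
    return n == TABLE_SIZE && leaked == truth;
}

int main(void) {
    uint64_t order[TABLE_SIZE];
    uintptr_t base = 0;
    size_t n = victim_round_trip(order, &base);
    uintptr_t leaked = attacker_recover_bits(order, n);
    printf("re-serialized order starts with id %" PRIu64 "\n", order[0]);
    printf("recovered bits %d..%d of the heap pointer: 0x%02" PRIxPTR " (actual 0x%02" PRIxPTR ")\n",
           PTR_SHIFT, PTR_SHIFT + TABLE_BITS - 1, leaked, (base >> PTR_SHIFT) & TABLE_MASK);
    return round_trip_leaks_pointer_bits() ? 0 : 1;
}
```

Here the leaked window is bits 4..9 of the allocation address, which is still below page granularity; a larger table, or a hash that folds in higher pointer bits, widens the window accordingly, and any deviation from the order the attacker expects (a resize, a probe collision) is information in its own right. The `n != TABLE_SIZE` guard makes the decoder explicit about the full-table assumption it relies on.
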
and thanks to posting about this, it has been pointed out to me today that there has been prior research into this that I hadn't been aware of; in particular:
https://www.usenix.org/legacy/events/woot07/tech/full_papers/futoransky/futoransky_html/ looked at similar timing-based attacks to leak information out of database indices.
https://www.usenix.org/system/files/sec19-klein.pdf is also kind of related in that it remotely broke Linux kernel ASLR by abusing that a kernel address was hashed into IP ID generation.
aaand more prior research that Alex Rad pointed out on Twitter: https://gdtr.wordpress.com/2012/08/07/leaking-information-with-timing-attacks-on-hashtables-part-1/

That one is extremely similar to the bug report I sent to Firefox years later, and the comments link to more related research.
