Posts 3751 · Following 723 · Followers 1596
"I'm interested in all kinds of astronomy."

Boosted:

Project Zero Bot

New Project Zero issue:

vpu driver allocation and free of dmabuf and iova can race causing UAF read

https://project-zero.issues.chromium.org/issues/465824679

CVE-2026-0121
[RSS] Mongoose: Preauth RCE and mTLS Bypass on Millions of Devices

https://www.evilsocket.net/2026/04/02/Mongoose-Preauth-Remote-Code-Execution-and-mTLS-Bypass/
[RSS] Review of AzireVPN and Malwarebytes Privacy VPN

https://x41-dsec.de/security/research/news/2026/04/02/malwarebytes/
Boosted:

Here's a fun post for pro- and anti-AI infosec people alike - guess who is going to have to "fix" AI? If you're thinking "not me", well, think again.

https://www.markloveless.net/blog/2026/4/2/the-uncomfortable-effects-of-ai

Boosted:

Spread the word! @phrack CFP with demoscene cracktro is live. Turn up the volume and enjoy the awesome stylings of PiotrBania with some hopefully inspiring text from phrack staff :)

phrack.org

Boosted:

🎥 New video about QEMU!

This time, Anton walks through the basics of QEMU system mode using a simple bare metal program! ⚙️

The focus is on understanding how QEMU’s high-level control flow works, from guest code to BIOS, and down to device implementation.

Boosted:

🫡 We’re back.

Today, we’re publishing vulnerabilities we discovered, disclosed, and chained to achieve pre-auth RCE against Progress ShareFile.

Enjoy the journey with us, while you sob into your hands 🫠

https://labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/

@jdonoghue Exactly, see my other replies in the thread!
@troed This may be it, thanks! Still, a shortsighted stance and a very badly phrased sentence.
@twomikecharlie OK this sounds plausible, but I find it hard to come to this conclusion (or any) from the original sentence. Esp. because the "only sane way to stay safe" part is simply false (see supply chain issues, breaking changes, etc.).
@twomikecharlie But CVEs have very little to do with exploits. Also, there is a whole range of perfectly valid strategies to manage risk from vulns (see my 2nd post in the thread).

I'm all for fixing all vulns, but reality just doesn't work like that and I don't see how the problem statement (some vulns are becoming easier to discover) would affect this.
1) "people will finally understand that security bugs are bugs" - Tautology?
2) "the only sane way to stay safe is to periodically update" - What about attack surface reduction? Risk based mitigations? How does this assertion relate to 1)?
3) "without focusing on 'CVE-xxx'" - CVEs are useful to find information to implement appropriate controls (see 2)). Unless of course the CNA spams the database with useless data....
'people will finally understand that security bugs are bugs, and that the only sane way to stay safe is to periodically update, without focusing on "CVE-xxx"'

Anyone care to explain the logical flow of this sentence? o.O

https://lwn.net/Articles/1065620/

#Linux #LLM
Is it just me, or is this photo also a great capture of a toddler's view on their first introduction to the potty? :D

https://www.space.com/space-exploration/artemis/theres-a-bit-of-toilet-trouble-on-nasas-artemis-2-mission-to-the-moon
Boosted:

important update: they fixed the toilet

Boosted:

your auntifa liza 🇵🇷 🦛 🦦

RE: https://mastodon.social/@invadersil/116324993175863094

TWO THINGS:

1. it’s shocking how well written this terms of service document is. uses plain language and proper emphatic formatting to identify what’s important.

2. this was updated on October 24, 2025. since then NOT ONE TECH JOURNALIST has read it; because, not one tech "journalist" has reported that IS MEANT AS .

Fourth Estate my ass.

Satya Nadella gifted Sam Altman a billion of Windoze money for a lap dance?

c’mon . DO YOUR JOBS!

Boosted:

Probably going to get a viral blog out of this experience, I'm trying to report a 4tb exposed cloud bucket to a company using their responsible disclosure programme... but they replaced the people with a GenAI ticket system that refuses to discuss the case as it thinks exploring open buckets is unethical and against its rules.

Boosted:

Thanks everyone for liking and sharing the Mini II Picasso toot yesterday.

To answer some of your questions - Yes, it really is a real kit. There's no camera trickery, or photoshopping and definitely no AI slop. And, yes, the discount code was also real as a few of you found out. Some kits shipped yesterday, the others will go out today.

@jcoglan The general view is that most code doesn't have to be good at all, it just needs to be written.