"I'm interested in all kinds of astronomy."

@raptor I like to believe that people just deeply care about security researchers and they don't want to see us starving :)

The FreeBSD team has patched a remote code execution in its operating system that impacts all versions released since 2005

Tracked as CVE-2026-42511, the vulnerability resides in the FreeBSD DHCP client and is extremely easy to exploit

https://aisle.com/blog/aisle-discovers-cve-2026-42511-a-21-year-old-freebsd-remote-command-execution-vulnerability

Remember the old 2600Hz thing and how much money it cost AT&T? In hindsight, it was so obviously dumb to put control signalling and user-data in the exact same channel. We'd learn from that, right? It's so obviously a terrible idea that can never work safely that we'd never do something that dumb again, right? RIGHT?!

Oh wait. That's pretty much standard operating procedure with AI agents. Just jam it all in the same context, what could possibly go wrong?! Surely it'll be OK this time, right?

*Bangs head on desk*

Periodic reminder that HuggingFace models can include code, thus possibly malware too

RE: https://mastodon.social/@campuscodi/116550201730434193

Where do the people hang that read our hacks blog post and then went through all of the bugs that we opened up? Really eager for the deeper, informed takes now :) https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/

Post-Quantum Cryptography
A Realistic Guide to Manage the Transition [PDF]

https://www.aumasson.jp/data/talks/pqcbha26.pdf

[RSS] Getting LLMs Drunk to Find Remote Linux Kernel OOB Writes (and More)

https://heyitsas.im/posts/drinking-llms/

“It looks like you’re building an off brand LEGO kit! Would you like help with that?”


here's a technical write-up i wrote on one of the kernel bugs we've found :)
https://bird.makeup/users/bynar_io/statuses/2052720419157782809

re: hupol (dual language)
@algernon The part for the President was especially well crafted lol

When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs?

Well, here they are. We are unhiding 12 security bugs that are representative of the issues we have found.

https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/


Liam @ GamingOnLinux 🐧🎮

Remember when we used to dial into the internet, and the machines would scream at us?

That was a warning right?


I'm a little concerned about the general tech attitude towards the Mozilla bug findings. Yes, I'm an AI hater, so add that to the biases, but that's not really the point here.

People seem excited about the fact that Mythos was used to find a bunch of security bugs in Firefox, which is cool:

https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/

However, the general attitude seems to be that devs can keep pushing for more new things because some AI system will catch the bugs for them. But to me, there should be more concern about how there were so many previously unknown unfixed bugs in Firefox to begin with. These findings should be a cause for concern and give pause to evaluate how so many security bugs make it to prod. And I'm not just talking about Firefox, everyone should be learning from each other in this space.

If nothing else, people celebrating the LLM-fueled bug findings should be recognizing just how much harm the whole Move Fast and Break Shit approach really creates rather than allowing the LLMs to be the excuse to move faster and break more shit.
