New Project Zero issue:

Samsung: QuramDng TrimBounds Opcode leads to out-of-bounds reads

https://project-zero.issues.chromium.org/issues/443793212

CVE-2025-21074

New Project Zero issue:

Samsung: QuramDng invalid LossyJpeg component assumption, leading to out-of-bounds write

https://project-zero.issues.chromium.org/issues/444346510

CVE-2025-21075

[RSS] DeXRAY v2.36

https://www.hexacorn.com/blog/2025/12/03/dexray-v2-36/

Workforce shortage: a developer changed career to mine stone for Great Leader after infecting his own machine for testing, turning your operation into an online version of the imperialist video game Uplink.

https://www.hudsonrock.com/northkorean

#LummaC2 #ByBit #NorthKorea

This PoC looks convincing enough (I didn't test though!):

https://github.com/msanft/CVE-2025-55182

CVE-2025-55182

@buherator

Confirmed.

Age Verification: Teaching the world how to evade censorship
https://alecmuffett.com/article/132609
#AgeVerification #OnlineSafety #TheVpnEffect #censorship #missouri #surveillance

@synnfynn FTR this was it: https://unix.stackexchange.com/questions/503111/group-permissions-for-root-not-working-in-tmp/503169#503169

High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478) https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/

@synnfynn nah, no SELinux, and with a brilliant move I now just log to the console :)

I'm writing this network thing and there are always problems that you only recognize during implementation - this is why it's so enlightening to implement stuff.

What I didn't expect is getting stuck because I can't write to a damn log file as root...

#Ghidra 11.4.3 is out:

https://github.com/NationalSecurityAgency/ghidra/releases/tag/Ghidra_11.4.3_build

Changes:

https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_11.4.3_build/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.md

AI Warning: Google has been caught A/B testing replacing real article headlines with AI-generated substitutes, which are of course sometimes wildly misleading/against journalistic ethics. If you see a blatantly horrible headline in a news aggregator, check whether the site's own page matches before blaming the site! https://www.pcgamer.com/software/ai/googles-toying-with-nonsense-ai-made-headlines-on-articles-like-ours-in-the-discover-feed-so-please-dont-blame-me-for-clickbait-like-bg3-players-exploit-children/

"We did a number of refactors [...] This also fixes a critical security vulnerability." 👀

CVE-2025-55182, an RCE in React Server Components just landed:

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Enjoy your patching, and make sure to check your bundled frameworks and dependencies.

Here's the commit:
https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700

Critical Security Vulnerability in React Server Components

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

CVE-2025-55182 CVSS 10.0

Hey developers and vulnerability researchers!

I'm currently working on improving my #Semgrep ruleset for C/C++ static code analysis, and I've just published the new v1.1.0 release: https://github.com/0xdea/semgrep-rules

Some notable changes since the previous battle-tested release: new rules for detecting high-entropy assignments and ReDoS vulnerabilities, numerous enhancements to existing rules, reduced false positives without sacrificing coverage, optimized patterns across the board, and overall better documentation. Check the changelog for the full list (yes, there’s a changelog now).

Please test it inside and out, and feel free to open issues or submit pull requests. Your feedback is invaluable and will help shape the project roadmap. I'm aiming for a major release sometime before spring.

UAF in ImageMagick.

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q3hc-j9x5-mp9m

That progress bar...

WhatsApp Android: Contact gating bypass in groups, leading to interactionless media download

https://project-zero.issues.chromium.org/issues/442425914

Re: https://old.reddit.com/r/crypto/comments/1pca3r8/introducing_constanttime_support_for_llvm_to/nrzywmp/?context=2

It is simultaneously true that:

• Most data breaches do not require any cryptographic wizardry
• Of the ones that involve cryptography, side-channels (timing, power, etc.) are not an attacker's first choice
• The inability to have guarantees that the compiler will not make code variable-time as part of an "optimization" is a massive pain point in writing secure implementations of cryptography

And, sure, the LLVM work won't stop app developers from fucking up something on the OWASP Top 10 list for a given year. Nor will it stop phishing from being hella effective against most users and services.

But it does reduce compiler doom and various forms of auditor bikeshedding, which makes applied cryptography work a little easier to get done.

And the best mitigation we have for phishing attacks today is WebAuthn... which uses cryptography. :P

Sometimes, naysaying is actually counterproductive.