[RSS] Pickling the Mailbox: A Deep Dive into CVE-2025-20393

https://starlabs.sg/blog/2026/01-pickling-the-mailbox-a-deep-dive-into-cve-2025-20393/

Update: Lacking any evidence that Signal considers sender consistency a security sensitive property - and given the limited impact I decided to just report this as a UI bug.

tl;dr you can trivially make signal polls that only members using Signal Desktop group can see/interact with/react to.

This allows you to basically hide messages from certain other members. Not great in principle, not very useful in practice. Might have it's uses when combined with other vectors.

https://github.com/signalapp/Signal-Android/issues/14583

I could go into history here, but suffice it to say: if someone tries to explain Class A, Class B, or Class C addresses to you, plug your ears and scream at them not to contaminate your brain with information obsoleted more than two decades ago.

[RSS] TP-Link ER605 DDNS Pre-Auth RCE: Chaining CVE-2024-5242, CVE-2024-5243, CVE-2024-5244

https://www.oobs.io/posts/er605-1day-exploit/

Another alleged stalkerware software maker got compromised and someone leaked all their customers on a cybercrime forum.

AMD updates installed without signature checking (from an HTTP link, no less)? /via @drwhax

https://mrbruh.com/amd/

Recent report about a nation-state implant that would be useful to exploit this:

https://blog.talosintelligence.com/knife-cutting-the-edge/

@drwhax Many sw use HTTP updates so they can get through middleboxes. The bigger issue here is the lack of executable authenticode verification.

Oooooh SNAP!!! 💥

Prime Minister Pedro Sanchez of Spain:

“First, we will change the law in Spain to hold platform executives legally accountable for many infringements taking place on their sites. This means that CEOs of these tech platforms will face criminal liability […]
Second, we will turn algorithmic manipulation and amplification of illegal content into a new criminal offense. […]
spreading hate must come at a cost.”

Have a great weekend, Elon! 😘

https://www.youtube.com/live/NElqgJ1aXFA?si=M52qiZYBt55KRamm

Here is a sad (and somewhat pathetic, I guess) fact: The new Firefox "smart window" (which is an LLM-based browser), doesn't even use a local or open model, it's literally just Google's models run via their API

@lindsey yes.

@jpkeisala https://github.com/jgraph/drawio-desktop

Full-Blown Cross-Assembler…in a Bash Script

https://hackaday.com/2026/02/06/full-blown-cross-assembler-in-a-bash-script/

It doesn't matter whether C is good or not. It matters that if I write code in two languages that aren't C, and I want it to all be part of the same process, I need to care about C. C pervades all. You cannot escape it. C will outlive all of us. The language will die and the ABI will persist. The far future will involve students learning about C just to explain their present day. Our robot overlords will use null terminated strings. C will outlive fungi.

@TarkabarkaHolgy that's actually reasonable, it's expectations of modern family logistics that is bonkers

PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?

Like https://github.com/i3/i3/pull/6564 for example

Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!

This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.

[RSS] Django SQL Injection in RasterField lookup (CVE-2026-1207)

https://vulnerabletarget.com/VT-2026-1207

New Project Zero issue:

Samsung: QuramDng Warp opcodes out-of-bounds read

https://project-zero.issues.chromium.org/issues/462544562

CVE-2026-20973

[RSS] CVE-2025-6978: Arbitrary Code Execution in the Arista NG Firewall

https://www.thezdi.com/blog/2026/2/4/cve-2025-6978-arbitrary-code-execution-in-the-arista-ng-firewall

When a piece of type gets damaged, it's like a fingerprint that can be used to tie all the work of a printer together, whether or not their name appears on the title page. The Catalog of Distinctive Type is building a database of these fingerprints for Restoration England. https://cdt.library.cmu.edu/