@wdormann @christopherkunz @jhr77 Vuln mgmt is hard, e.g. how you track patch coverage vs. signature update status? Not that pushing a sig was a bad idea, I'd just expect a KB for this too.

Babe wake up, new Windows privesc just dropped. #GreenPlasma. Oh and also Bitlocker bypass #YellowKey https://github.com/Nightmare-Eclipse/GreenPlasma

@wdormann @jhr77 @christopherkunz I don't see a Defender entry in today's update that also points to this being a signature based mitigation

Pwn2Own Berlin 2026 is rejecting working RCEs because organizers ran out of contest slots.

Visit a website in Firefox and get code execution? Rejected.

Strange days indeed.

He says to blame the delay on jet lag, but @dustin_childs has his full review of the #Adobe and #Microsoft patches. Nothing under active attack, but a total of 190 CVEs to look at (plus 120+ from Chrome recently!) read the details at https://www.zerodayinitiative.com/blog/2026/5/12/the-may-2026-security-update-review

Had some fun finding and exploiting state machine logic bug in af_alg_sendmsg last year, it leads to OOB access, arbitrary write then container escape that unnoticed since 2011

kernelCTF writeup: https://github.com/star-sg/security-research/blob/fa38e161bf59e285e3fbc5238a83f71bfa7dc7c7/pocs/linux/kernelctf/CVE-2025-39964_lts_cos_mitigation/docs/exploit.md
Fix commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1b34cbbf4f011a121ef7b2d7d6e6920a036d5285
https://bird.makeup/users/starlabs_sg/statuses/2054048693716939215

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html Xen advisory posted, should be a kernel fix here any minute now I assume

2026 Hackaday Europe: Pre-party, More Workshops, and Everything Else

https://hackaday.com/2026/05/12/2026-hackaday-europe-pre-party-more-workshops-and-everything-else/

@ekuber Having a chopper to call when you go hiking is definitely nice :D I don't quite get how the principles apply here though: in your opinion, for this particular example, would it be right to require all traits by ::new()?

@ekuber Don't get me wrong, I'm positively amazed by rustc messages in general, and this one is no exception. On the other hand I also like to see how I should approach the API I'm about to use, having a map about the code base before I go down a path that just won't work. I feel like relying on the compiler is like periodically calling a hovering helicopter to get out of the woods, instead of having a proper $5 map.

Dead.Letter (CVE-2026-45185) How XBOW found an unauthenticated RCE on Exim

https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim

We are releasing Firefox 150.0.3 today, in order to fix an important security issue. Please take the time to update.

https://www.mozilla.org/en-US/security/advisories/mfsa2026-45/

@jhr77 @christopherkunz
I suspect that Microsoft pushed out Defender updates that mitigate the exploit.

With current definitions, I've not seen RedSun succeed. No matter how long I wait.

With old definitions, success is pretty quick.

TinyJoyPad 作った #shapolab

LLMs are just the ultimate IP-violation-machines. I love using them for reverse engineering. I picked up so many projects I abandoned in the past because staring at obfuscated code or assembly got boring and tiresome and felt like an endless endeavor that will never be realistically reverse engineered completely anway.

Now I give Opus or whatever other model enough context, datasheets and tests and it starts reversing. Does it hallucinate and is not always correct? Yeah. But who cares? I am not always correct and misunderstand things when manually reversing stuff as well. We all do.

Gradually building more and more context to be able to reason a bit easier about things you didn't understand yet is exactly what an LLM can incrementally help you with. And gathering more and more information helps both me and the LLM to understand the stuff we are looking at a bit better.

It's so awesome.

@stf "might affect cryptology at some future time or (more likely) in some other world." I forgot about this one lol

#eurocrypt just happened, which reminds me of the eurocrypt 35 years ago held in budapest, which an #NSA cryptologist was attending and giving a scorching #report in the internal cryptolog newsletter of the nsa: https://scottaaronson.blog/?p=2059

would be interesting to see the latest cryptolog report on this latest edition...

In a new feature, @TheDustinChilds takes a look at #macOS patches and tries to identify which ones should worry you (since Apple won't). Check it out at https://www.zerodayinitiative.com/blog/2026/5/12/the-apple-macos-security-update-review

Oh look, it's Patch Tuesday. Again.

ARE YOU crew on a generation ship? Did your ancestors maroon you between the stars in a life of involuntary servitude, deprivation and a vatslime diet? You may be entitled to compensation. Gliese 1171c Legal Services inc has a centuries long record of successful class action litigation on behalf of crews and cryopassengers. Depose your autopilot this diurn and join our next action. NO WIN NO FEE. Plans for your warp drive follow this message.

#Tootfic #MicroFiction #PowerOnStoryToot