Big news. A Qemu escape. Are you ready? Panic!!1!
Wait, CXL? Reddit as a source? AI off, brain on moment incoming...
CXL, that's for FPGAs. The escape isn't for x86 or ARM. It's not even for virtio.
Typical Proxmox CE deployments use AppArmor Sandboxing. Guest-to-host escapes are possible, but not this way.
It's not that Qemu is a fortress of years of great security auditing. That's not my point. My point is that the AI hype for vuln hunting is a fata morgana. Unless you work hard, you get nothing with or without AI.
You are welcome.
Interesting Git repos of the week:
Strategy:
* https://github.com/stnert/the-supreme-art-of-cyberwar - surveillance, privacy and cyber war
Bugs:
* https://github.com/Swival/security-audits - interesting bug reports from @jedisct1
* https://github.com/v12-security/pocs - interesting Linux PoCs
* https://github.com/kiddo-pwn/ffffirefox - originally an 0day but now tracked as CVE-2026-8390
* https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn - race condition in ssh-keysign that allows arbitrary file reads, now tracked as CVE-2026-46333
* https://github.com/Nightmare-Eclipse/YellowKey - another goodie, this one is a bugdoor in BitLocker
* https://github.com/Nightmare-Eclipse/MiniPlasma - previously known as CVE-2020-17103, MiniPlasma pops cldflt.sys
Exploitation:
* https://github.com/1r0BIT/WinSSHound - map SSH usage on Windows
Nerd:
* https://github.com/inferno-os/inferno-os - distributed Plan 9-esque OS... I remember playing with this growing up
That's a wrap on Pwn2Own Berlin 2026! $1,298,250 awarded. 47 unique 0-days. 3 days of absolute chaos. And talk about main character energy - congrats to DEVCORE for claiming Master of Pwn with 50.5 points and $505,000 - they never slowed down. See you next year! #Pwn2Own #P2OBerlin
RE: https://infosec.exchange/@thezdi/116585566164605071
* Seems many of the Browser exploits couldn't be demoed due to bad luck/last-minute fixes. Really sorry for the participants :( great research!
* No V8 (and Chrome?) submissions for the 2nd year in a row
* Orange's Edge chain sounds wild, very curious for details!
Thanks for running #Pwn2Own @thezdi
Exclusive: Fast16 malware has raised questions about what it was designed to do. Researchers at Symantec finally confirm it was subverting software used to simulate nuclear weapons explosions. Nuclear experts also tell me Iran was the likely target and explain how it impacted nuclear weapons tests. Fast16 wasn't aimed at sabotaging nuclear weapons themselves, but was only designed to alter data being fed to engineers from software used to simulate nuclear explosion tests. The goal was to trick engineers into believing their tests were failing, to create confusion and slow down the weapons program. Fast16 and Stuxnet were similar in that they both fed false data to engineers. But Stuxnet also physically altered centrifuges while tricking engineers into believing the devices were fine. New analysis from me also shows the two codes were contemporaneous, not separated by years.
Here's my story, which contains a link to a timeline showing how they were being developed around the same time, likely as part of a multi-pronged operation to slow down Iran's nuclear program.
New from Nightmare-Eclipse, we have MiniPlasma
Works reliably to get a SYSTEM cmd.exe prompt on Win11 (including 26H1) with May's updates. It is reportedly a failure to properly fix CVE-2020-17103. I'll note that it does not seem to work on the latest Insider Preview Canary Windows 11.
We're back for the final day of #Pwn2Own Berlin! Yesterday we ended the day with $908,750 awarded, 39 unique 0-days, and DEVCORE with a commanding lead for Master of Pwn. What's in store for today? Follow along for live results! #P2OBerlin
Aaaand it's official! Orange Tsai (@orange_8361) of DEVCORE Research Team chained 3 bugs to achieve Remote Code Execution as SYSTEM on Microsoft Exchange, earning a whopping $200,000 and 20 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin
@jhr77 @christopherkunz @buherator
Ah, so this is fascinating.
It appears that Microsoft did NOT address RedSun. They merely added a definition to discover the post-modified TieringEngineService.exe binary (which is the RedSun.exe file itself).
And if you aren't careful, like I wasn't, you might at a glance think that Microsoft broke the RedSun exploit. But that is wrong! They merely now detect the post-exploit-modified binary that RedSun chooses to modify.
They: "On a scale from 1 to 10: How lazy are you?"
Me: Using copy fail instead of sudo to gain root to avoid having to type my password
Fast Travel
Sources and bonus timelapse: https://www.peppercarrot.com/en/miniFantasyTheater/050.html
It's official! Kentaro Kawane of GMO Cybersecurity by Ierae chained 2 Use-After-Free bugs to escalate privileges on Microsoft Windows 11 in the third round, earning $15,000 and 3 Master of Pwn points. #Pwn2Own #P2OBerlin
Calif demonstrates a not-yet-fixed data-only macOS kernel LPE. MIE, which is available on M5 Macs, does not thwart the attack.
https://blog.calif.io/p/first-public-kernel-memory-corruption
Yesterday I attended the first Democratic Tech Alliance (DTA) Assembly over at the European Parliament. The DTA is a political/think tank/civil society/industry initiative that hopes to foster a tech ecosystem on which we can continue to run our European democracies. Because it is not looking good. Useful progress was made, and here is what I learned: https://berthub.eu/articles/posts/democratic-tech-alliance-may-2026/
In a video highlight from Day 1 of #Pwn2Own Berlin, Orange Tsai of the DEVCORE Research Team takes on Microsoft Edge with a sandbox escape! He earns $175,000 and 17.5 Master of Pwn points. https://youtube.com/shorts/8ngMzEVrdVs?feature=share
Nice work! Angelboy & TwinkleStar03 (@scwuaptx & @_twinklestar03) of DEVCORE Research Team + DEVCORE Internship Program were able to exploit Microsoft Windows 11! If confirmed, they win $30,000 and 3 Master of Pwn points. They're off to the disclosure room to explain how they did it. #Pwn2Own #P2OBerlin