[RSS] Adobe Acrobat Reader Escript.api Use-After-Free Remote Code Execution

https://blog.exodusintel.com/2026/06/01/adobe-acrobat-reader-escript-api-use-after-free-remote-code-execution/

"This issue was patched on April 2026 and likely assigned CVE-2026-34621, CVE-2026-34626 or CVE-2026-34622"

What happens when reverse engineers spend weeks digging into a Scala 3 codebase?

🔍 From code review to fuzzing, our assessment helped strengthen Scala's security and identify areas for improvement.

We're happy to share the results of our audit, conducted in collaboration with @ostifofficial

https://blog.quarkslab.com/scala-security-audit.html

Secret Panel HERE 😐 https://tinyview.com/mrlovenstein/2026/05/31/life-finds-a-way

Does anyone have a copy of:

AMD Am29040 Microprocessor User's Manual
1994
Order #18458

I need the full user manual, which is hundreds of pages. I already have the datasheet, which is 31 pages and is readily found online.

Thanks!

#AMD #Am29K #Am29000 #Am29040

Stealing Passwords via HTML Injection Under a Strict CSP https://afine.com/blogs/stealing-passwords-via-html-injection-under-a-strict-csp

[RSS] Analysing an exploit on VLC on Windows using TTD and AI agentic

https://www.eshard.com/blog/vlc-media-player-mkv-exploit-analysis

We have started announcing Recon 2026 Presentations https://recon.cx/2026/en/speakers.html
More talks to be announced soon once we have confirmations

@hexnomad
@joegrand
@invokereversing
@tmanning @pinkflawd

#REcon2026 #ReverseEngineering #InfoSec #cybersecurity

@dey It's not built-in, it's a 3rd party package called `clap`. For simple stuff Rust is pretty easy, esp. because you have a nice package ecosystem (incl. the pkg manager). But for non-trivial stuff, the learning curve is *steep*.

@dey You mean this? https://docs.rs/clap/latest/clap/_derive/_tutorial/index.html

Microsoft has achieved the impossible

@pancake Absolutely, that was part of the point actually :D

@pancake I mostly did this as an excercise in Rust, didn't know rax2 can do the same

Binary extension packages for #Ghidra 12+ are now automatically generated for my XCOFF Loader:

https://github.com/silentsignal/xcoff-ghidra/releases/tag/12

#AIX

I found a bug, so I created a test suite and published a new release for my signed/unsigned integer converter CLI utility, twos:

https://github.com/v-p-b/twos/releases/tag/v0.0.2

I’ve mentioned this before: this is one of the oncoming trains for corp-security. We’ve long failed at least-privilege, but weren’t often punished for it.

Helen in HR (or Bob in accounts) didn’t know what to do with the extra perms they didn’t know they had.

Their agents will.

"a regression was discovered in the #Ghidra Server, so the 12.1.1 download has been disabled. Be on the lookout for a 12.1.2 in the coming days"

https://old.reddit.com/r/ghidra/comments/1tr5qy4/ghidra_1211_has_been_released/oolygdy/

An AI audit of FreeBSD - 15 kernel bugs, including 3 RCEs, 5 LPEs, and 1 bhyve escape.

https://blog.calif.io/p/an-ai-audit-of-freebsd

CVE-2026-45250, CVE-2026-45253, CVE-2026-45251

'Virtual OS Museum' Lets You Try 570 Extinct Operating Systems https://tech.slashdot.org/story/26/05/30/2323231/virtual-os-museum-lets-you-try-570-extinct-operating-systems?utm_source=rss1.0mainlinkanon

ThinkPad firmware reverse-engineering toolchain: archived Lenovo BIOS → named SoC pads, EC analysis, CVE diffs, coreboot/OpenCore port scaffolding https://tetdrad0n.codeberg.page/thinkpad-fw-analysis/

Interesting links of the week:

Strategy:

* https://www.gov.uk/government/publications/energy-sector-cyber-security-strategy - protecting the electrickery with HMG
* https://www.nextgov.com/cybersecurity/2026/05/telecom-firms-form-new-cyber-information-sharing-group/413636/ - new threat sharing group for telecomms
* https://www.linkedin.com/pulse/what-works-cybersecurity-compliance-daniel-woods-ltwwe/ - quantifying the efficacy of governance frameworks like Cyber Essentials
* https://www.crest-approved.org/ai-in-penetration-testing/ - large scale study of the current use of AI in pentesting by UK consultancies
* https://isaiprofitable.com/ - is AI profitable? hell no, unless you make the chips
* https://jerrygamblin.com/2026/04/18/prioritizing-what-matters-bringing-cve-intelligence-to-splunk/ - building your own vulnerability intelligence
* https://jericho.blog/2026/05/25/vulnerability-embargos-are-dead/ - Jericho from @attritionorg calls time on embargoes

Threats:

* https://intel.gayint.org/actors/public - from the wonderful folks at @gayint with love
* https://www.theguardian.com/politics/2026/may/25/nigel-farage-russian-hack-claim-disclosure-5m-gift - did .ru hack Nigel or is he a lying grifter?
* https://atomdrift.org/discoveries/ - @thomrstrom's atomdrift discoveries
* https://www.lumen.com/blog/en-us/introducing-showboat-a-new-malware-family-taunts-defenses-and-targets-international-telecom-firms - a new player in town?

Bugs:

* https://red.anthropic.com/2026/cvd/ - hope it's not too sloppy
* https://sintonen.fi/advisories/signal-deleted-but-not-forgotten.txt - Signal oopsie from @harrysintonen
* https://lcamtuf.coredump.cx/dl/ - an oldie from @lcamtuf
* https://fatgid.io/ - not every bug needs name, but here's another oopsie in FreeBSD

Exploitation:

* https://www.abdulmhsblog.com/posts/useingthewindowssourcecode/ - using the "open source" version of Windows for bug hunting
* https://g3tsyst3m.com/byovd/BYOVD-and-Looting-LSASS-in-the-Modern-EDR-Era/ - looting LSASS in 2026
* https://notes.fadymoheb.com/Penetration-Testing/Post-Exploitation/Linux-Credential-Hunting - Linux password theft for beginners
* https://platformsecurity.com/blog/hawks-prey-snatching-ssh-credentials - automagic pillaging Linux for credentials
* https://www.praetorian.com/blog/llm-edr-signature-reduction/ - Praetorian Labs keep on getting ID'd
* https://cert.pl/en/posts/2026/05/autonomous-fuzzing/ - .pl CERT discuss using agentic approaches in fuzzing
* https://www.wietzebeukema.nl/blog/bypassing-detections-with-command-line-obfuscation - command line obfuscation with @wietze for detection bypasses
* https://www.varonis.com/blog/ghosttree-ntfs-trick - leading EDRs up the garden path and into a maze

Hard hacks:

* https://www.kr3bz.wtf/posts/sdmc-ne6037-router-recovery-backdoor/ - another day, another router abused
* https://minanagehsalalma.github.io/zyxel-cve-2021-35036-super-admin-password-leak/ - more roots in routers

Data:

* https://medium.com/@shravankoninti/build-a-small-language-model-slm-from-scratch-3ddd13fa6470 - building your own SLM
* https://blogs.cisco.com/ai/the-fundamentals-of-ai-what-every-curious-person-should-know-about-how-language-models-work - things everyone should know about LLMs

Nerd:

* https://nesbitt.io/heap - someone has made a game out of NodeJS bugs
* https://www.reenigne.org/blog/80386-microcode-disassembled/ - disassembling 80386 microcode

#security, #research