I wrote a proof-of-concept and writeup for CVE-2025-48593, an Android Bluetooth issue that only seems to affect devices that act as Bluetooth headsets / speakers. (i.e. NOT phones, only smartwatches/wearables/cars. And only after pairing. So you can stop worrying.)

https://github.com/zhuowei/blueshrimp

It should be a use-after-free; I haven’t gotten it to do anything interesting though.

So far, I was only able to get a null pointer deref (without malloc debug) or an attempted write to library rodata (with malloc debug).

Today, we're launching SlopStop: Community-driven AI slop detection in Kagi Search.

Join our collective defense against AI-generated spam and content farms:

https://blog.kagi.com/slopstop

#Kagi #Search #AISlop

Update to 4.11.1 now if you use it

CVE-2025-43515
https://support.apple.com/en-us/125693

https://infosec.exchange/@codecolorist/115385827463979240

The video for my TalosCon 2025 keynote, "The Complexity of Simplicity", is now up:

https://www.youtube.com/watch?v=Cum5uN2634o

Slides:

https://speakerdeck.com/bcantrill/the-complexity-of-simplicity

Huge Ws for Rust adoption in Android!

Historically, security improvements often came at a cost. More security meant more process, slower performance, or delayed features, forcing trade-offs between security and other product goals. The shift to Rust is different: we are significantly improving security and key development efficiency and product stability metrics.

https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html

In our latest blog we speak with Marion Marschalek of @blackhoodie on how community fuels career, how one challenge led to many opportunities and how you can get involved.
https://hex-rays.com/blog/blackhoodie-interview-2025

Is it my weak search-fu again, or the new qlpack.yml format for #CodeQL is not officially documented? @GitHubSecurityLab

The best resource I could find is this one by @trailofbits:

https://appsec.guide/docs/static-analysis/codeql/advanced/#creating-new-query-packs

"DiaSymbolView is a tool for visually inspecting debug information recorded in .pdb files. It relies on MSDIA API and presents a hierarchy of debug symbols and their 200+ properties."

https://github.com/diversenok/DiaSymbolView

#fromBsky

I bet I can use Atomic Rockets to calculate the kinetic energy of an IBM PS/2 Model 80 dropped from low orbit

Making .NET Serialization Gadgets by Hand https://www.vulncheck.com/blog/making-dotnet-gadgets

LibAFL 0.15.4 has just been released 🎉

Of the 30 Contributers for this release, almost half are new faces <3

https://github.com/AFLplusplus/LibAFL/releases/tag/0.15.4

#Fuzzing #LibAFL #AFLplusplus

The open-source FFmpeg project, used by companies like Google for multimedia processing, urged Google to fund its volunteer developers. FFmpeg is overwhelmed by bugs reported by Google's AI security tools and lacks resources to fix them quickly. https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/

⏫ After many many years, we upgrade our QEMU fork!

Goodby libptc, welcome libtcg!

Here you can find a summary of the improvements this brings: https://github.com/revng/revng/commit/1429b526abcc65d5cdd04d6f5608b916e4e20d1b

Moreover, we can now support Hexagon, RISC-V and Loongarch.

Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101) - watchTowr Labs https://labs.watchtowr.com/is-it-citrixbleed4-well-no-is-it-good-also-no-citrix-netscalers-memory-leak-rxss-cve-2025-12101/

TIL about #git subtree split

https://git-memo.readthedocs.io/en/latest/subtree.html

Our Java stacktrace fingerprinting database finally got a long overdue update. Enjoy!
https://x41-dsec.de/security/research/news/2025/11/12/x41-beanstack-update/

Best commit message: https://github.com/torvalds/linux/commit/f076ef44a44d02ed91543f820c14c2c7dff53716

This is a reminder to everyone that security is more than just memory safety. https://www.phoronix.com/news/sudo-rs-security-ubuntu-25.10

#rust #vulnerability #sudo_rs

StreetComplete is a really fun and accessible way to contribute to OpenStreetMap from an Android device - walk around in your local neighbourhood (or anywhere really) and solve 'quests' by answering questions about the things around you!

You don't need to learn anything about mapping conventions, or infrastructure, or about the more complex mapping tools that exist for OpenStreetMap. The app will explain everything to you that you need to know, when you need to know it, and ask easily understandable questions with reference pictures for the answers.

The only setup needed is to make an OSM account and log into it from the app, so that it can upload your answers - and you can also do that at any later time, after trying out the app without an account for a while first. You can just install it and go outside right away!

The app doesn't need any cellular internet connection; it can work offline and synchronize your answers once you reach a place with eg. WiFi. It's also quite performant, and should run well even on lower-end phones. There is also a 'multiplayer' option that lets you split up in teams and each tackle different quests in the area.

https://streetcomplete.app/

#StreetComplete #OpenStreetMap