xchglabs
Research
Coordinated disclosure, embargo-honest.
Every entry below is a real bug we've reported to a real vendor. Technical deep-dives are published after the patch ships and the embargo window elapses; we don't publish PoCs or addresses for unfixed bugs.
// published
Patched and public.
Coordinated-disclosure writeups for vulnerabilities that have shipped fixes upstream. Full technical detail, PoCs, methodology.
- lwIP audit series, part 1: SMTP client server-driven AUTH-line overflow into tx_buf
First writeup of a thirteen-bug audit against lwIP 2.2.1.
smtp_prepare_auth_or_mail() copies the byte distance between the literal AUTH token and the next \r\n straight into the 255-byte tx_buf with no clamp against SMTP_TX_BUF_LEN. Any SMTP server the lwIP client connects to — malicious or MITM'd — can drive a copy of up to ~64 KiB into a 256-byte allocation, plus a one-byte OOB NUL at the returned length. PoC and one-line clamp patch attached; part 1 is fixed via Savannah #68313. The remaining twelve findings have been reported to the lwIP maintainers and we're working with them on patches.
part 1 published 2026-05-16
- A KVM dirty-ring OOB that the allocator quietly defuses
A u64 wraparound in kvm_reset_dirty_gfn() lets a VMM drive a negative index into the per-memslot reverse-map array — an OOB read with a conditional OOB write below it. The rmap array lives in vmalloc, though, so the OOB lands inside the preceding guard page and faults before any controlled value is consumed. A deterministic host-kernel DoS, not the LPE primitive it first looks like. Fix applied upstream by Paolo Bonzini on 2026-05-12 (Cc: stable, fixes 5.10's original dirty-ring patch). Writeup covers the half-step between those two readings and why the guard page closes the door cleanly.
published 2026-05-16
- Burning down the house: five CVEs in dnsmasq
A pre-auth remote heap overflow (CVE-2026-2291) reachable from a single malicious DNS response, two DNSSEC parser bugs in NSEC and RRSIG handling, a DHCPv6 helper local-root via oversized CLID hex-encoding, and an EDNS Client Subnet validation bypass that turned the cross-check into dead code. xchglabs credited with five of the six CVEs assigned. Disclosed via VU#471747.
published 2026-05-11
// in flight
Embargoed — disclosure pending.
Research from our Pwn2Own Berlin 2026 cohort. Public writeups release after vendor patches ship and embargoes elapse.
We do not publish PoCs, payloads, addresses, or vulnerability-class detail for unfixed bugs. Full public writeups are released after the vendor ships a patch and the embargo window has elapsed.