// xchglabs · research

Research

Coordinated disclosure, embargo-honest.

Every entry below is a real bug we've reported to a real vendor. Technical deep-dives are published after the patch ships and the embargo window elapses; we don't publish PoCs or addresses for unfixed bugs.

// published

Patched and public.

Coordinated-disclosure writeups for vulnerabilities that have shipped fixes upstream. Full technical detail, PoCs, methodology.

dnsmasq 2.92 fixed in 2.92rel2

Burning down the house: five CVEs in dnsmasq

A pre-auth remote heap overflow (CVE-2026-2291) reachable from a single malicious DNS response, two DNSSEC parser bugs in NSEC and RRSIG handling, a DHCPv6 helper local-root via oversized CLID hex-encoding, and an EDNS Client Subnet validation bypass that turned the cross-check into dead code. xchglabs credited with five of the six CVEs assigned. Disclosed via VU#471747.

CVE-2026-2291 CVE-2026-4890 CVE-2026-4891 CVE-2026-4892 CVE-2026-4893 heap overflow DNSSEC

published 2026-05-11

// in flight

Embargoed -- disclosure pending.

Research from our Pwn2Own Berlin 2026 cohort. Public writeups release after vendor patches ship and embargoes elapse.

llama.cpp disclosure pending
Ollama disclosure pending
NVIDIA Dynamo + PyTorch disclosure pending
Chroma disclosure pending
LiteLLM disclosure pending
Oracle Autonomous AI Database / ORDS disclosure pending
Linux KVM disclosure pending
Docker Engine disclosure pending

We do not publish PoCs, payloads, addresses, or vulnerability-class detail for unfixed bugs. Full public writeups are released after the vendor ships a patch and the embargo window has elapsed.

Research

Patched and public.

Burning down the house: five CVEs in dnsmasq

Embargoed -- disclosure pending.