Research
// published
Patched and public.
Full technical detail, proof of concept, root cause, and fix notes.
-
Fuzzing GPSD, Part 3: The Bugs
The GPSD fuzzing series moves from harnesses to findings: eight memory-safety issues from public work item #397, including Skytraq RCE, NMEA format strings, AIS writes, and parser leaks.
-
Fuzzing GPSD, Part 2: Lessons Learned
What changed after actually running the fuzzer: target selection, mutation scheduling, corpus quality, performance, and crash triage.
-
Fuzzing GPSD, Part 1: The Lexer Harness
Building the structure-aware LibAFL fuzzer: fake a consistent gps_lexer_t, mutate GPS protocol shapes, and reach real parser code.
-
Escaping QEMU
A guest-to-host escape against QEMU's educational PCI device: an advisory DMA bounds check gives both a leak and a write over QEMUTimer's callback fields.
-
lwIP Audit Series, Part 1 of 13
SMTP AUTH-line parsing copies server-controlled EHLO data into tx_buf without a clamp. Includes PoC, patch notes, and the first writeup from a 13-part lwIP audit.
-
A KVM dirty-ring OOB
A u64 wraparound in kvm_reset_dirty_gfn() sends the reverse-map index 504 bytes before rmap[]. The access lands in vmalloc guard space and faults.
-
Five CVEs in dnsmasq 2.92
Five vulnerabilities fixed in 2.92rel2, including CVE-2026-2291, DNSSEC parser bugs, a DHCPv6 helper overflow, and an EDNS Client Subnet validation bypass.