We publish coordinated-disclosure writeups after vendors ship patches. The current research workload — embargoed, in-flight, awaiting fixes — is below. Public deep-dives drop as the patches land.

• dnsmasq 2.92 · published 2026-05-11 5 CVEs · fixed

  Burning down the house: five CVEs in dnsmasq

  A pre-auth remote heap overflow reachable from a single malicious DNS response, two DNSSEC parser bugs, a DHCPv6 helper local-root, and an ECS validation bypass that turned the cross-check into dead code. Disclosed via VU#471747; fixed in 2.92rel2.

• llama.cpp embargoed
• Oracle ORDS embargoed
• NVIDIA Dynamo + PyTorch embargoed

Product security, vulnerability research, reverse engineering, program analysis, or AI-augmented security tooling? We want to help.

Interested? Shoot us an email — we read everything.