Posts
Cato SecureStore: when OU was enough to talk to root
Manual reverse engineering of Cato Client’s macOS root helper found an OU-only XPC check and a SecureStore
plist write. Handed the extracted surface to an agent for the PoC glue — reboot-to-root on
5.13.0. Fixed in 5.13.1; CVE-2026-12374.
VirtualBox xHCI: eight bytes allocated, 8192 bytes copied
A scoped VirtualBox audit found a quiet mismatch in the xHCI isoch path: 8 bytes allocated, 8192 advertised,
and the root-hub PCAP-NG sniffer copied the larger number. A reduced ASAN harness proved it.
Fixed upstream;
CVE-2026-46974.
Windows Terminal SIXEL: when a good prompt met a stubborn OOB write
A focused prompt narrowed Windows Terminal to crafted SIXEL content and memory-safety bugs. MSRC closed it as
not reproducible; WinDbg showed a real write past
_Myend. Chunking was the missing piece.
Fixed in #20213.
FFmpeg DFPWM: a 4-year-old integer overflow hiding behind eight samples
A focused prompt narrowed FFmpeg to integer-overflow math in decoders. In
dfpwmdec.c,
packet->size * 8 overflowed an int-sized frame field. ASan confirmed it;
upstream now validates nb_samples as uint64_t.
OpenBSD spamd: a multiline reply bug that turned into a heap overflow
After the ftpd write-up, I narrowed the prompt to heap overflows. In
spamd, a small indexing
bug in append_error_string() advanced with strlen(c) instead of the appended
suffix. ASan confirmed it; fixed upstream in openbsd/src.
Bouncy Castle: A Composite "Bypass" in a Legacy OID
A scoped bc-java audit with standards context produced a runnable PoC that looked like a composite
downgrade-by-truncation. Maintainers clarified the legacy OID was “either or both.” Context is king —
later echoed by
CVE-2026-5588.
OpenBSD ftpd: a 29-year-old bug (almost 30)
Curious about Mythos finding decades-old bugs, I tried the same idea with Codex, a small local RAG, and
OpenBSD. About 29 minutes later: UB after
write() in ftpd’s mmap path.
Six-line upstream fix. Context is king.