Cato SecureStore: when OU was enough to talk to root
Manual reverse engineering of Cato Client’s macOS root helper found an OU-only XPC check and a SecureStore plist write. Handed the extracted surface to an agent for the PoC glue — reboot-to-root on 5.13.0. Fixed in 5.13.1; CVE-2026-12374.
VirtualBox xHCI: eight bytes allocated, 8192 bytes copied
A scoped VirtualBox audit found a quiet mismatch in the xHCI isoch path: 8 bytes allocated, 8192 advertised, and the root-hub PCAP-NG sniffer copied the larger number. A reduced ASAN harness proved it. Fixed upstream; CVE-2026-46974.
Windows Terminal SIXEL: when a good prompt met a stubborn OOB write
A focused prompt narrowed Windows Terminal to crafted SIXEL content and memory-safety bugs. MSRC closed it as not reproducible; WinDbg showed a real write past _Myend. Chunking was the missing piece. Fixed in #20213.
FFmpeg DFPWM: a 4-year-old integer overflow hiding behind eight samples
A focused prompt narrowed FFmpeg to integer-overflow math in decoders. In dfpwmdec.c, packet->size * 8 overflowed an int-sized frame field. ASan confirmed it; upstream now validates nb_samples as uint64_t.
OpenBSD spamd: a multiline reply bug that turned into a heap overflow
After the ftpd write-up, I narrowed the prompt to heap overflows. In spamd, a small indexing bug in append_error_string() advanced with strlen(c) instead of the appended suffix. ASan confirmed it; fixed upstream in openbsd/src.
Bouncy Castle: A Composite "Bypass" in a Legacy OID
A scoped bc-java audit with standards context produced a runnable PoC that looked like a composite downgrade-by-truncation. Maintainers clarified the legacy OID was “either or both.” Context is king — later echoed by CVE-2026-5588.
OpenBSD ftpd: a 29-year-old bug (almost 30)
Curious about Mythos finding decades-old bugs, I tried the same idea with Codex, a small local RAG, and OpenBSD. About 29 minutes later: UB after write() in ftpd’s mmap path. Six-line upstream fix. Context is king.