2026
CONTINUATION-flood: a half-state class of HTTP/2 desync
Four widely-deployed reverse proxies accept CONTINUATION frames after a HEADERS frame has been committed. The window between commit and replay is observable, and large enough to exfiltrate one bearer token per pair of requests.
Glitching the boot ROM of a $14 BLE thermostat — RTL8762D
Voltage-glitching the Realtek RTL8762D out of secure-boot using a single MOSFET and a 5 ns pulse. Cost of equipment: under €60. Drops a UART shell with secure-boot fully bypassed.
sudoedit -h: a TOCTOU on /etc/sudoers.d that's older than git
sudo's edit mode resolves include paths twice — once to read, once to write. Between the two stats, /etc/sudoers.d/00-local can be swapped for a symlink owned by the calling user. The PoC fits in a tweet.
2025
Pre-auth RCE in a self-hosted Git server via tag ref names
git-receive-pack hands tag names directly to a Lua post-receive hook, and the hook concatenates them into a shell command. The reference grammar permits backticks. There is no length cap.
Stack overflow in the EAP-PEAP supplicant of an enterprise AP
Inner-EAP packet framing trusts a length field after a vendor-specific opaque TLV. The TLV is mandatory and unauthenticated. The saved return address is reachable from a portal-side captive packet — pre-association.
Fault-injecting a TrustZone secure monitor on the Allwinner T113-S3
The SoC vendor signs the secure-monitor blob but not the OP-TEE supplicant glue. A 12 ns brown-out on VDD_CPU at the SMC return reliably skips the capability check. Reading the eFuse OTP is then one syscall away.
UTF-8 NFKC normalization confusion in an OAuth proxy
The proxy normalizes the email claim before comparison, but the upstream provider does not. ＠ (U+FF20) folds to @. Predictable email-to-tenant mapping does the rest.
One-byte heap overwrite in Wireshark's GVCP dissector
The GVCP dissector trims a trailing zero from a vendor-name field without checking length. The freed byte lands one past the end of a tvb-backed allocation. Same issue, three different versions.
2024
DNS rebinding against a local-dev TLS proxy used by 70k repos
The proxy's CORS check accepts any host that resolves to 127.0.0.1 at request time. Rebind the A record between the preflight and the body and the browser will happily POST cross-origin JSON at the developer's keychain.
Reading microcode patches off Zen2 via the PMU over SMBus
The PMU's branch-misprediction counter leaks one bit of microcode per measurement on Zen2. 512 measurements yield a full patch word. The attack is unprivileged and works inside a VM.
nginx HPACK decoder: single-byte OOB read in the dynamic table
The HPACK dynamic-table eviction path miscounts the entry length when a Huffman-coded name spans the ring-buffer wrap point. One byte past the allocation is read and reflected in a 400 response.