Research 13
- OpenConnect Fortinet: server-induced chosen-offset stack write via snprintf-return-value cursor arithmetic
- Case-variant path aliases in Rust denial gates: anatomy of a canonicalize-fallback bypass
- Android IncFS verity-signature race — and what Google ASR "Won't Fix (Infeasible)" actually means
- An Android Bluetooth ISO out-of-bounds write that lands RIP on `commit_creds`, marked Infeasible by Google ASR
- Two Lenovo Power Manager kernel drivers, one Everyone:RW DACL — a class-pattern in TPPWR64V and ibmpmdrv
- LnvMSRIO.sys, the 13 IOCTLs nobody audited, and an eight-round walk past Cortex XDR
- Eight rounds against Cortex XDR's driver-load coverage — process hollowing, the IAT trap, and a 2.7 KB shellcode that finally landed
- BYOVD LSASS Dump in 2026 — PDFWKRNL, PPL Toggle, and a Cloned Target
- One byte of URL-encoding past a WAF: notes on CVE-2026-40050 and the GraphQL endpoint nobody fenced
- Found the same Linux iSCSI CHAP base64 overflow 25 days early — and what 'review-ready' really means
- u32 + u32 = 0 is still a bug in 2026 — an SMB2 client integer overflow walkthrough
- ProviderSidestep — Defeating Cortex XDR's `sharphound` Rule From User-Mode, Honestly
- Patchless AMSI Bypass via Hardware Breakpoints — Implementation Notes