(See how I cleverly did not mention AI in the title!) You know we have seen more than our fair share of slop reports sent to the curl project so it seems only fair that I also write something about the state of AI when we get to enjoy some positive aspects of this technology. … Continue reading A new breed of analyzers →| daniel.haxx.se
A 13‑year Redis flaw (CVE‑2025‑49844) allows attackers to escape Lua sandbox and run code on hosts. See Wiz Research’s analysis and mitigations.| wiz.io
Note: This post is complemented by a presentation I gave at KazHackStan 2025. The slides for that talk can be found here, or in pptx format here.| Joshua.Hu Joshua Rogers’ Scribbles
On August 16, 2025 I did a keynote with this title at the FrOSCon conference in Bonn, Germany. The room held a few hundred seats and every single one was occupied, with people also filling up the stairs and standing along the walls. Awesome! https://www.youtube.com/watch?v=6n2eDcRjSsk See also my death by slop post for more … Continue reading AI slop attacks on the curl project →| daniel.haxx.se
Earlier this summer, Sean Heelan published a great blog post detailing his use of o3 to find a use-after-free vulnerability in the Linux kernel. The internet lit up in response, and for good reason. Since the initial release of ChatGPT in late 2022, we’ve all been wondering: Can LLMs really find complex vulnerabilities in widely used production codebases? The Linux kernel is a great research target to help answer that question.| noperator.dev
In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API …| Sean Heelan's Blog
There are two claims I’d like to make: LLMs can be used effectively for listwise document ranking. Some complex problems can (surprisingly) be solved by transforming them into document ranking problems. I’ve primarily explored both of these claims in the context of using patch diffing to locate N-day vulnerabilities—a sufficiently domain-specific problem that can be solved using general purpose language models as comparators in document ranking algorithms. I demonstrated at RVAsec ‘2...| noperator.dev