International Cyber Digest
Your weekly go-to cybersecurity newsletter, curated and commented on by our senior analysts.
‼️🚨 Microsoft has patched a critical Windows DNS Client remote code execution vulnerability that lets an unauthenticated attacker execute code over the network. All it takes is a malicious DNS response.

The vulnerability is tracked as CVE-2026-41096 with a CVSS score of 9.8. It is a heap-based buffer overflow in dnsapi.dll, the client-side library that parses DNS answers on every Windows machine.

To trigger it, an attacker needs a position from which they can influence DNS responses: a rogue DNS server, a poisoned resolver, a compromised router, hostile WiFi, or a man-in-the-middle placement.

That puts ordinary Windows DNS activity in the blast radius. Browsers, VPN clients, enterprise apps, update checks, and background services constantly ask DNS where to connect. The vulnerable parsing sits in the Windows DNS Client path, not in an edge-facing server product.

Microsoft assessed exploitation as "less likely," and Rapid7 lists the issue as not publicly disclosed and not known to be exploited at release.

Even so, a 9.8 unauthenticated network RCE in DNS client handling is exactly the kind of bug defenders should assume will be reverse-engineered from the patch quickly.

Defenders should:
- Deploy the May 2026 cumulative updates and confirm coverage across endpoints and servers
- Restrict DNS traffic to trusted resolvers where possible (block outbound port 53 from endpoints to anything but the approved resolvers)
- Monitor the svchost.exe instance hosting the Dnscache service for abnormal child processes or unexpected outbound activity
- Treat public WiFi and untrusted resolver paths as higher-risk until patching is complete

Source: https://hackingpassion.com/windows-dns-rce-2026/
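As an added illustration (not code from the original post, from Microsoft, or from the CVE write-up), here is a bounds-checked DNS response parser in Python. It does not reproduce CVE-2026-41096, whose details are not public; it shows the generic check that any answer-parsing code must make on the attacker-controlled RDLENGTH field, and constructs both a sane response and one that claims far more RDATA than it ships, which is the shape of the "one malicious DNS response" the post refers to. Packet bytes, names and addresses are constructed samples.

```python
"""Bounds-checked DNS response parser (added illustration, not Microsoft's code).

The post describes a heap overflow in the Windows DNS client's answer
processing. This block does not reproduce CVE-2026-41096; it shows the generic
checks a resolver parser must make on attacker-controlled length fields, and
why a single crafted response is enough input to reach such a bug.
"""
import struct


class MalformedDns(ValueError):
    pass


def _read_name(pkt: bytes, off: int, depth: int = 0):
    """Decode a (possibly compressed) name. Returns (labels, next_offset)."""
    if depth > 16:
        raise MalformedDns("compression pointer loop")
    labels = []
    while True:
        if off >= len(pkt):
            raise MalformedDns("name runs past end of packet")
        ln = pkt[off]
        if ln == 0:
            return labels, off + 1
        if ln & 0xC0 == 0xC0:
            if off + 1 >= len(pkt):
                raise MalformedDns("truncated compression pointer")
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if ptr >= off:  # only backward pointers are legal
                raise MalformedDns("forward compression pointer")
            more, _ = _read_name(pkt, ptr, depth + 1)
            return labels + more, off + 2
        if ln > 63:
            raise MalformedDns("label longer than 63 bytes")
        off += 1
        if off + ln > len(pkt):
            raise MalformedDns("label runs past end of packet")
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln


def parse_response(pkt: bytes) -> list:
    """Parse the answer section; raise MalformedDns rather than over-read."""
    if len(pkt) < 12:
        raise MalformedDns("header too short")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise MalformedDns("not a response")
    off = 12
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
        if off > len(pkt):
            raise MalformedDns("question runs past end of packet")
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        if off + 10 > len(pkt):
            raise MalformedDns("RR fixed header runs past end of packet")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        # The critical check: RDLENGTH is attacker-controlled and must fit
        # inside the bytes actually received before anything copies RDATA.
        if off + rdlen > len(pkt):
            raise MalformedDns(f"RDLENGTH {rdlen} exceeds remaining {len(pkt) - off} bytes")
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen != 4:
            raise MalformedDns("A record with RDLENGTH != 4")
        answers.append({"name": ".".join(name), "type": rtype, "ttl": ttl, "rdata": rdata})
    return answers


def _build_response(rdlen_claimed: int, rdata: bytes) -> bytes:
    """Constructed sample: one A answer for example.com with a chosen RDLENGTH."""
    name = b"\x07example\x03com\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA set
    question = name + struct.pack("!HH", 1, 1)                  # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, rdlen_claimed) + rdata
    return hdr + question + answer


GOOD_RESPONSE = _build_response(4, bytes([93, 184, 216, 34]))
# Claims 4096 bytes of RDATA but only ships 4: a parser that trusts RDLENGTH
# when sizing its copy over-reads, or overwrites the heap buffer it allocated.
HOSTILE_RESPONSE = _build_response(4096, bytes([93, 184, 216, 34]))


def classify(pkt: bytes) -> str:
    try:
        parse_response(pkt)
        return "ok"
    except MalformedDns as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print(classify(GOOD_RESPONSE))
    print(classify(HOSTILE_RESPONSE))
```

The same rejections cover compression-pointer loops and labels over 63 bytes, two other places where a parser that trusts the wire blindly walks or copies past its buffer; a resolver that rejects such responses early never reaches the copy that a bug like this lives in.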
๐Ÿ˜6
โ—๏ธ Love this new YouTube genre where a randomly laid-off Atlassian engineer with 8 years at the company just dropped a full technical breakdown of the entire place.

The video: youtu.be/55pTFVoclvE
🚨 New birth control efficacy data is in:

Condom: 98%
Pill: 99%
A career in IT: 100%
🚨🇮🇱 Israeli-linked companies have built tooling that can locate Starlink terminals worldwide and, in many cases, link them to real individuals.

The Starlink terminal exposes a connection footprint. Smartphones behind it leak advertising IDs, location and app telemetry through the adtech supply chain. Correlation in time and space links a phone to a terminal, and the same ad ID seen on other networks then links the device to an identity.

- ~1 million Starlink terminals monitored
- ~5.5 million connected devices visible through them
- ~200,000 terminals already deanonymized and linked to specific people or devices
- Map refreshes every ~6 minutes

The companies in question:
- TargetTeam (Cyprus-based, Israeli owners tied to Rayzone and Cognyte alumni) with a product called "Stargetz"
- Rayzone, which sells comparable capabilities under Israeli Ministry of Defense export licensing

A TargetTeam salesman, quoted by Haaretz, summed it up bluntly: the ship can hide its AIS, but the crew still needs TikTok.

Sold to governments for counterterrorism, sanctions enforcement and security work. Targets shown in demos covered the Middle East, Gulf, Russia, China and maritime zones. Amnesty's Security Lab warns the same capability puts journalists, activists and civilians under internet shutdowns directly at risk.
‼️🚨 MAJOR IMPACT: AI just found an 18-year-old NGINX critical remote code execution vulnerability. It has been disclosed on GitHub, PoC code included.

- Affects NGINX 0.6.27 through 1.30.0
- Triggered via the rewrite and set directives in the config
- Update NGINX ASAP
- NGINX is a widely used HTTP server and is also embedded in many other products; check those for a version in the vulnerable band too

Source: github.com/DepthFirstDisc…

Write-up by Markak_: depthfirst.com/research/nginx…
🚨 UPDATE: 19 MILLION internet-exposed NGINX instances are running versions inside the band hit by the 18-year-old NGINX RCE found by AI.

Top exposure by country:
- United States: 5,340,011
- China: 2,540,008
- Germany: 1,871,780

Note on ASLR as a mitigating factor: not all of these instances will have ASLR disabled, but every one of them is running a version inside the vulnerable band.

The vulnerability is a heap buffer overflow. ASLR randomizes the memory layout, which makes reliable RCE much harder because the attacker cannot predict where the payload or useful gadgets land. But the overflow itself still happens. The corrupted heap still crashes the NGINX worker process, and the master process simply spawns a fresh worker for the next crafted request.

ASLR-enabled hosts are still trivially DoS-able. ASLR-disabled or non-PIE builds are RCE-able, and even where ASLR is on it only raises the cost: an info leak or a partial pointer overwrite can still make exploitation reliable. Either way, patch ASAP!
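Added triage helper for the two NGINX posts above (the advisory and this ASLR note); it is not the researchers' PoC or the NGINX project's code. It assumes the vulnerable band is 0.6.27 through 1.30.0 inclusive as stated, treats a Linux build as PIE when its ELF e_type is ET_DYN, and reads the system ASLR mode from /proc/sys/kernel/randomize_va_space. The ELF headers in it are constructed 24-byte samples, not real binaries.

```python
"""Version-band, PIE and ASLR triage for the NGINX advisory (added illustration).

Assumptions: vulnerable band 0.6.27..1.30.0 inclusive (from the post); a Linux
build is PIE when ELF e_type == ET_DYN; /proc/sys/kernel/randomize_va_space is
the system ASLR switch. Sample headers below are constructed, not real nginx.
"""
import re
import struct

VULN_LOW = (0, 6, 27)
VULN_HIGH = (1, 30, 0)
ET_EXEC, ET_DYN = 2, 3


def parse_nginx_version(text: str):
    """Pull the version tuple out of 'nginx -v' stderr or a Server: header."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def in_vulnerable_band(version) -> bool:
    """Inclusive tuple comparison handles 0.x and 1.x releases alike."""
    return VULN_LOW <= tuple(version) <= VULN_HIGH


def elf_is_pie(header: bytes) -> bool:
    """True if e_type is ET_DYN (position independent executable).

    Only the first 18 bytes matter: magic, EI_DATA at offset 5 (1 = little
    endian, 2 = big endian) and the 2-byte e_type at offset 16.
    """
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"
    e_type = struct.unpack(endian + "H", header[16:18])[0]
    return e_type == ET_DYN


def aslr_mode(randomize_va_space: str) -> str:
    """Interpret the content of /proc/sys/kernel/randomize_va_space."""
    modes = {"0": "off", "1": "stack/mmap only", "2": "full (incl. brk heap)"}
    return modes.get(randomize_va_space.strip(), "unknown")


def triage(version_text: str, elf_header: bytes, randomize_va_space: str) -> str:
    """Combine the three signals into the verdict the post argues for."""
    v = parse_nginx_version(version_text)
    if v is None:
        return "unknown version: verify manually"
    if not in_vulnerable_band(v):
        return "not in vulnerable band"
    pie = elf_is_pie(elf_header)
    aslr = aslr_mode(randomize_va_space)
    if not pie or aslr == "off":
        return "vulnerable: RCE-able (no effective ASLR); patch now"
    return "vulnerable: DoS-able, RCE harder but not excluded; patch now"


def _elf64_header(e_type: int) -> bytes:
    """Constructed 64-bit little-endian ELF header; only e_type differs."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # 16-byte e_ident
    return ident + struct.pack("<HHI", e_type, 0x3E, 1)          # e_type, x86-64, e_version


PIE_HEADER = _elf64_header(ET_DYN)
NONPIE_HEADER = _elf64_header(ET_EXEC)

if __name__ == "__main__":
    # Real usage would feed in:
    #   subprocess.run(["nginx", "-v"], capture_output=True, text=True).stderr
    #   open("/usr/sbin/nginx", "rb").read(64)
    #   open("/proc/sys/kernel/randomize_va_space").read()
    print(triage("nginx version: nginx/1.24.0", NONPIE_HEADER, "2"))
    print(triage("nginx version: nginx/1.24.0", PIE_HEADER, "2"))
```

Two practical notes: `server_tokens off` hides the version from the Server header, so for fleet checks prefer `nginx -v` on the host or your package inventory over banner grabbing; and the verdict never says "safe" for an in-band build, because a PIE binary on a host with randomize_va_space set to 2 is still a worker-crash DoS away from every request.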
A wild social experiment just played out on X. Someone posted an image of a real Monet and told followers it was AI-generated. 🤣
‼️🚨 Palo Alto Networks just dropped an advisory for CVE-2026-0265, an authentication bypass in PAN-OS.

Palo Alto rated it HIGH with a CVSS of 7.2 and says exploitation has not been observed.

The reporting researcher, Harsh Jaiswal of Hacktron AI, publicly pushed back on that rating.

He says he already got VPN access to major corps by abusing the bug against GlobalProtect.

He also flagged that the issue is not limited to PAN-OS, meaning the blast radius is wider than just firewalls.

If that holds up, this is not a 7.2.

Full technical details are landing on the Hacktron AI blog later next week.

The flaw lives in the Cloud Authentication Service (CAS) when it is enabled and attached to a login interface.

It hits PA-Series and VM-Series firewalls, plus Panorama virtual and M-Series appliances.

Patches are partially available now, with additional fixed builds expected May 28.

Admins running CAS on a Palo Alto login interface should verify exposure and patch on an emergency basis.
โค2๐Ÿค”1
‼️🚨 BREAKING: Microsoft Exchange Server CVE-2026-42897 lets an attacker execute arbitrary JavaScript in a victim's browser just by getting them to open an email in Outlook Web Access.

It is being exploited in the wild.

Microsoft classified it as... "spoofing." 🤔

Affected: on-premises Exchange Server 2016, 2019 and SE. Exchange Online is not impacted.

Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
‼️🚨 This is wild. OpenAI just confirmed it got hit in the TanStack npm supply chain attack, and the attackers were close to being able to ship malicious code inside official OpenAI software, signed and trusted, if their incident response had not caught it in time.

The campaign is the work of TeamPCP, the same crew running the Mini Shai-Hulud wave.

Two employee devices in OpenAI's corporate environment were compromised through the malicious TanStack packages.

The attackers used that foothold to reach a limited subset of internal source code repositories.

OpenAI says only "limited credential material" was successfully exfiltrated, with no customer data, production systems, intellectual property or deployed software impacted.

Here is the part that should grab your attention.

OpenAI is rotating its code-signing certificates and forcing every macOS user to update their OpenAI apps.

You do not rotate signing certs for "limited credential material."

You rotate signing certs when the attacker was close enough to signing malicious binaries as OpenAI.

The "we contained it in time" framing is doing serious heavy lifting here.

For wider context, the same TeamPCP wave also hit Mistral AI, UiPath, Guardrails AI, OpenSearch and SAP npm packages. The TanStack compromise is tracked as CVE-2026-45321 at CVSS 9.6, and Mistral AI source code is already being advertised for sale by the group.

https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/
โค6๐Ÿ”ฅ3๐Ÿ‘1
🚨 Brutal showing: security researcher Orange Tsai just made $375,000 in 24 hours at Pwn2Own Berlin 2026. He landed both Microsoft Edge AND Microsoft Exchange in back-to-back demos.

- Day 1: Chained 4 logic bugs to escape the Microsoft Edge sandbox. Payout: $175,000
- Day 2: Took down Microsoft Exchange in the Server category. Payout: $200,000

Congrats 🥂
โ—๏ธ๐Ÿšจ BREAKING: Researchers used Mythos Preview to find the first public macOS kernel memory corruption exploit on Apple's M5 silicon, they give a glimpse into Mythos say itโ€™s really powerful.

Apple spent five years and an estimated several billion dollars building Memory Integrity Enforcement (MIE), the hardware-assisted memory safety system built around ARM's MTE. It was the flagship security feature of the M5 and A19, designed specifically to kill the entire memory corruption bug class.

Researchers from Calif built a working exploit against it in five days.

According to Apple's own research, MIE disrupts every public exploit chain against modern iOS, including the recently leaked Coruna and Darksword kits. Calif walked into Apple Park this week and handed over the report in person.

Full 55-page technical report drops after Apple patches the vulnerability.

Source: https://blog.calif.io/p/first-public-kernel-memory-corruption
🚨 Public PoC dropped for an unpatched Apple Maildrop flaw. The bug itself is modest; the disclosure record is the real story. Apple has been sitting on this minor iCloud Maildrop bug for 34 months and counting.

Maildrop attachment URLs carry three unsigned, client-controlled parameters (f= filename, sz= size, uk= user key). Anyone holding a valid Maildrop link can rewrite f= and sz=. The link still resolves on icloud[.]com and still serves the original uploader's file (uk= is locked, so this isn't arbitrary malware delivery), but the spoofed filename is stamped into the Content-Disposition response header, so the file saves to disk under whatever name the attacker chose, extension included.

Again, it's not how it should work, but it's no biggie. The timeline is the interesting part:

🔹 Reported: 7 Jul 2023 to Apple Security Bounty (case OE1950888220).
🔹 Status: "Prioritised for review" since 8 Apr 2026.
🔹 Elapsed: 34 months, roughly 10× a standard 90-day disclosure window.

Source: https://stuart-thomas.com/research/maildrop-spoofed-params/
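Added illustration for the Maildrop post above (not Apple's code, which is not public, and not the researcher's PoC). It models the reported design, three unsigned query parameters (f=, sz=, uk=) that any link holder can rewrite, under a hypothetical host and path, then shows the hardened variant: an HMAC over the parameters that the download endpoint verifies before trusting f= for the Content-Disposition filename. The key, URLs, user key and file data are constructed samples.

```python
"""Unsigned vs. HMAC-bound download parameters (added illustration, not Apple's code).

Models the reported Maildrop link shape, f=, sz= and uk= as plain query
parameters, under a hypothetical host, and the fix: bind them to the stored
object with a MAC the download endpoint checks. All names and data are constructed.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical object store: user key -> (uploader's filename, bytes).
STORE = {
    "uk123": ("quarterly-report.pdf", b"%PDF-1.7 ... constructed sample ..."),
}
BASE = "https://example.invalid/maildrop"   # hypothetical, not the real icloud.com path


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def tamper(url: str, **new_params: str) -> str:
    """What any link holder can do today: rewrite f= (and sz=) in the query."""
    parts = urlsplit(url)
    q = _query(url)
    q.update(new_params)
    return urlunsplit(parts._replace(query=urlencode(q)))


def serve_unsigned(url: str) -> dict:
    """Reported behaviour: uk= still selects the uploader's file, but the
    client-supplied f= is stamped straight into Content-Disposition."""
    q = _query(url)
    _name, data = STORE[q["uk"]]
    return {"status": 200,
            "Content-Disposition": f'attachment; filename="{q["f"]}"',
            "body": data}


# ---- hardened variant -------------------------------------------------------
SECRET = b"constructed-server-side-key"   # assumption: per-service secret, never sent to clients


def _sig(uk: str, f: str, sz: str) -> str:
    """MAC over every parameter the response depends on, with an unambiguous separator."""
    msg = "\x00".join((uk, f, sz)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_signed_link(base: str, uk: str) -> str:
    """Link generation: the uploader's filename and size are bound to uk by the MAC."""
    name, data = STORE[uk]
    q = {"f": name, "sz": str(len(data)), "uk": uk}
    q["sig"] = _sig(uk, q["f"], q["sz"])
    return base + "?" + urlencode(q)


def serve_signed(url: str) -> dict:
    """Download endpoint: refuse any link whose f=/sz= no longer match the MAC,
    and even then take the filename from the store, not the URL."""
    q = _query(url)
    expected = _sig(q.get("uk", ""), q.get("f", ""), q.get("sz", ""))
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return {"status": 403, "body": b""}
    name, data = STORE[q["uk"]]
    return {"status": 200,
            "Content-Disposition": f'attachment; filename="{name}"',
            "body": data}


ORIGINAL_LINK = BASE + "?" + urlencode(
    {"f": STORE["uk123"][0], "sz": str(len(STORE["uk123"][1])), "uk": "uk123"})

if __name__ == "__main__":
    spoofed = tamper(ORIGINAL_LINK, f="invoice.exe")
    print(serve_unsigned(spoofed)["Content-Disposition"])      # attacker's name wins
    signed = issue_signed_link(BASE, "uk123")
    print(serve_signed(tamper(signed, f="invoice.exe"))["status"])  # 403
```

The unsigned path reproduces the reported symptom exactly: the body is still the uploader's bytes, only the saved name changes, which is why the post calls it modest. The signed path closes it twice over, first by rejecting edited parameters, then by never reading the filename from the URL at all; a fix that did only the second would also be enough for this particular symptom.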
๐Ÿ‘1๐Ÿฅด1
‼️🚨 Ledger customers are receiving physical scam letters impersonating a "Quantum Resistance" security update signed by CTO Charles Guillemet.

There's a QR code that leads to a phishing site harvesting 24-word recovery seed phrases.

Letters are localized per region (Italian recipient in the wild got an Italian-language version, matching Global-e's cross-border checkout data).

The data is probably sourced from the January 2026 Global-e breach (Ledger's e-commerce processor).

Confirmed by Ledger: https://support.ledger.com/article/scams-targeting-crypto-holders