Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2026-23883 — Freerdp Freerdp: A malicious server can trigger a client‑side use after free, causing a crash (DoS)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-23534 — Freerdp Freerdp: Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 c CVSSv3.1 9.8 (CRITICAL)
CVE-2026-23533 — Freerdp Freerdp: Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 con CVSSv3.1 9.8 (CRITICAL)
CVE-2026-22797 — OpenStack: An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and
An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_ CVSSv3.1 9.9 (CRITICAL)
CVE-2026-23532 — Freerdp Freerdp: Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version CVSSv3.1 9.8 (CRITICAL)
CVE-2026-23531 — Freerdp Freerdp: Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator beh CVSSv3.1 9.8 (CRITICAL)
CVE-2026-23530 — Freerdp Freerdp: A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-22031 — Fastify Fastify\/middie: @fastify/middie is the plugin that adds middleware support on steroids to Fastify.
@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing atta CVSSv3.1 8.4 (HIGH) · EPSS 29th percentile
From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers
Trend Micro published an in-depth technical analysis of the Evelyn Stealer campaign, a multistage malware operation targeting software developers via weaponized Visual Studio Code extensions. The attack chain uses a malicious VSC extension to deploy a downloader (Lightshot.dll), which fetches a process-hollowing injector that decrypts and injects the final Evelyn Stealer payload into grpconv.exe. Evelyn implements sophisticated anti-analysis techniques, browser credential theft via DLL injection, cryptocurrency wallet harvesting, and FTP-based exfiltration of collected data.
wpair-app — WPair is a defensive security research tool that demonstrates the CVE-2025-36911 (eg WhisperPair) vulnerability in Googl
WPair is a public proof-of-concept tool demonstrating CVE-2025-36911 (WhisperPair), a critical authentication bypass in Google's Fast Pair Bluetooth protocol affecting millions of audio devices. The vulnerability allows unauthenticated attackers to pair with vulnerable devices, establish HFP connections, and access microphone streams without user consent. The tool includes a vulnerability scanner, full exploit chain, and audio capture capabilities targeting JBL, Sony, Marshall, and other major manufacturers.
v1.6.6
Sliver v1.6.6 released with minor improvements to error handling in directory listing operations and TUI/advanced forms. This is a routine maintenance release with 400 commits since v1.6.5, containing no disclosed security fixes or feature additions of note.
One WSL BOF to Rule Them All
SpecterOps released a Beacon Object File (BOF) that enables reliable command execution across all WSL2 versions by reverse-engineering the COM interface variations in WslServiceProxyStub.dll. The tool addresses the challenge of WSL2's unmonitored execution environment by dynamically detecting WSL version and applying the correct interface definition, allowing attackers to pivot from monitored Windows hosts into isolated Linux VMs with minimal detection risk.
CVE-2025-62582 — Deltaww Diaview: Delta Electronics DIAView has multiple vulnerabilities.
Delta Electronics DIAView has multiple vulnerabilities. CVSSv3.1 9.8 (CRITICAL) · EPSS 6th percentile
CVE-2025-62581 — Deltaww Diaview: Delta Electronics DIAView has multiple vulnerabilities.
Delta Electronics DIAView has multiple vulnerabilities. CVSSv3.1 9.8 (CRITICAL) · EPSS 8th percentile
CVE-2026-23622 — Easyappointments Easy\!appointments: In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/p CVSSv3.1 8.8 (HIGH) · EPSS 1th percentile
CVE-2026-23527 — H3 H3: Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability.
H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5. CVSSv3.1 8.9 (HIGH)
MSSQL and SCCM Elevation of Privilege Vulnerabilities
SpecterOps researcher Chris Thompson disclosed two privilege escalation vulnerabilities: CVE-2025-49758 in MSSQL Server (CVSS 8.8) allowing ALTER ANY LOGIN permission holders to reset securityadmin passwords and escalate to sysadmin, and CVE-2025-47179 in Configuration Manager (CVSS 6.7) allowing CMPivot Administrator role members to grant themselves Full Administrator access. Both vulnerabilities stem from overly permissive role configurations and have been patched; detection capabilities were added to BloodHound and MSSQLHound.
EntraGoat — A deliberately vulnerable Microsoft Entra ID environment. Learn identity security through hands-on, realistic attack cha
EntraGoat is a deliberately vulnerable Microsoft Entra ID lab environment released by Semperis, designed to teach identity security through hands-on attack scenarios. The tool deploys realistic misconfigurations and privilege escalation paths using PowerShell and Microsoft Graph APIs, with multiple challenge scenarios covering service principal abuse, app-only permissions exploitation, and certificate-based authentication attacks.
Introducing ÆSIR: Finding Zero-Day Vulnerabilities at the Speed of AI
Trend Micro's ÆSIR platform, combining AI-assisted vulnerability discovery with human oversight, has identified 21 critical CVEs across NVIDIA, Tencent, MLflow, and MCP tooling since mid-2025. The research demonstrates systematic exploitation of deserialization, authentication bypass, and command injection flaws in foundational AI infrastructure, with particular emphasis on patch bypass identification in NVIDIA Isaac GR00T. The platform's dual-component architecture (MIMIR for threat intelligence, FENRIR for zero-day discovery) operates at machine speed while maintaining human-directed validation and responsible disclosure.
CVE-2026-22859 — Freerdp Freerdp: Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-22858 — Freerdp Freerdp: As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup t CVSSv3.1 9.1 (CRITICAL)
CVE-2026-22855 — Freerdp Freerdp: Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-22853 — Freerdp Freerdp: Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.8 (CRITICAL)
A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?
Project Zero published the third installment of their Pixel 9 0-click exploit chain analysis, detailing systemic vulnerabilities in Android's attack surface management, patch prioritization, and deployment timelines. The chain exploited CVE-2025-54957 (Dolby UDC memory corruption) and CVE-2025-36934 (BigWave driver privilege escalation) to achieve kernel code execution from untrusted audio messages—requiring only two bugs and taking ~11 person-weeks to develop. The post reveals critical gaps: the Dolby UDC vulnerability took 139 days to patch on any Android device and 82 days after public disclosure before Pixel patched it, Dolby's advisory significantly understated exploitability, and Android's severity matrix initially rated both bugs as Moderate despite their 0-click nature.
A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave
Project Zero discloses a complete 0-click exploit chain for Pixel 9 combining a Dolby decoder RCE with three BigWave driver vulnerabilities, culminating in kernel arbitrary read/write and SELinux bypass. The primary vulnerability is a use-after-free in the BigWave AV1 hardware decoder driver triggered by race conditions between ioctl timeout handling and worker thread job processing, patched January 5, 2026.