The author discovered a critical remote zero-day vulnerability (CVE-2025-37899) in the Linux kernel's SMB implementation, ksmbd, using the o3 fuzzer. This vulnerability allows for remote code execution without authentication, potentially enabling attackers to compromise vulnerable systems. The flaw resides in the handling of extended attributes, specifically when processing EA metadata within SMB2_SET_INFO requests. The fuzzer pinpointed an integer overflow leading to a heap out-of-bounds write, which could then be exploited to gain control. The author developed a proof-of-concept exploit demonstrating arbitrary kernel memory reads and writes, highlighting the severity of the issue. A patch was submitted and accepted upstream, and distributions subsequently released updates addressing this vulnerability.
Multiple vulnerabilities were discovered in GNU Screen, a terminal multiplexer. These flaws allow attackers to execute arbitrary code, potentially gaining complete control of the targeted system. The issues stem from how screen handles escape sequences in the terminal emulator, including OSC (Operating System Command) sequences used for setting window titles and other functions, and DCS (Device Control String) sequences. Exploitation can occur remotely if the victim uses a vulnerable version of screen within a session permitting terminal control, such as SSH. Patches are available, and users are strongly urged to update immediately.
Hacker News users discuss the implications of the GNU Screen vulnerabilities, focusing on the difficulty of patching due to its widespread usage in critical systems and embedded devices. Some express concern about the potential for exploitation, given Screen's role in managing persistent sessions. Others highlight the challenge of maintaining legacy software and the trade-offs between security and backward compatibility. The maintainers' commitment to addressing the issues is acknowledged, alongside the pragmatic approach of prioritizing the most severe vulnerabilities. The conversation also touches upon the need for better security practices in general, and the importance of considering alternatives to Screen in new projects.
A severe vulnerability was discovered in Asus's pre-installed software, Asus DriverHub. This software, designed to update drivers, contains a flaw allowing remote code execution (RCE) with a single click. An attacker could craft a malicious URL that, when opened by a user with DriverHub installed, would automatically download and execute arbitrary code with SYSTEM privileges. This effectively gives the attacker full control of the victim's computer. The vulnerability stems from DriverHub improperly using a hardcoded certificate to validate downloaded updates, allowing attackers to sign malicious updates. The researcher disclosed the issue responsibly to Asus, who have since released a patched version. Users are strongly urged to update their DriverHub software immediately.
Hacker News users discuss the severity and implications of the ASUS driver vulnerability. Several express concern over the preinstalled nature of the software, making it difficult for average users to avoid or mitigate the risk. Some question the technical details of the exploit, particularly around the claimed "one-click" nature and the necessity of physical access. Others discuss the ethics of responsible disclosure and the vendor's response (or lack thereof) to the reported vulnerability. A few commenters offer potential solutions, including using a different driver update utility or manually verifying driver signatures. The discussion also touches upon the broader issue of supply chain security and the challenges of ensuring the integrity of preinstalled software.
A critical vulnerability (CVE-2025-32433) exists in Erlang/OTP's SSH implementation, affecting versions prior to 26.2.1 and 25.3.2.6. This flaw allows unauthenticated remote attackers to execute arbitrary code on the server. Specifically, a specially crafted SSH message can trigger the vulnerability during the initial handshake, before authentication occurs, enabling complete system compromise. Users are urged to update their Erlang/OTP installations to the latest patched versions as soon as possible.
Hacker News users discuss the severity and impact of the Erlang/OTP SSH vulnerability. Some highlight the potential for widespread exploitation given Erlang's usage in telecom infrastructure and distributed systems. Several commenters question the assigned CVSS score of 9.8, finding it surprisingly high for a vulnerability that requires non-default configuration (specifically enabling password authentication). The discussion also touches on the practical implications of the vulnerability, acknowledging that while serious, exploitation might be limited by the need for open SSH ports and enabled password logins. Others express concern about the potential for nested exploitation, as vulnerable Erlang systems might host other exploitable services. Finally, some users note the responsible disclosure and patching process.
Security researchers at Prizm Labs discovered a critical zero-click remote code execution (RCE) vulnerability in the SuperNote Nomad e-ink tablet. Exploiting a flaw in the device's update mechanism, an attacker could remotely execute arbitrary code with root privileges by sending a specially crafted OTA update notification via a malicious Wi-Fi access point. The attack requires no user interaction, making it particularly dangerous. The vulnerability stemmed from insufficient validation of update packages, allowing malicious firmware to be installed. Prizm Labs responsibly disclosed the vulnerability to SuperNote, who promptly released a patch. This vulnerability highlights the importance of robust security measures even in seemingly simple devices like e-readers.
Hacker News commenters generally praised the research and write-up for its clarity and depth. Several expressed concern about the Supernote's security posture, especially given its marketing towards privacy-conscious users. Some questioned the practicality of the exploit given its reliance on connecting to a malicious Wi-Fi network, but others pointed out the potential for rogue access points or compromised legitimate networks. A few users discussed the inherent difficulties in securing embedded devices and the trade-offs between functionality and security. The exploit's dependence on a user-initiated firmware update process was also highlighted, suggesting a slightly reduced risk compared to a fully automatic exploit. Some commenters shared their experiences with Supernote's customer support and device management, while others debated the overall significance of the vulnerability in the context of real-world threats.
Google's Project Zero discovered a zero-click iMessage exploit, dubbed BLASTPASS, used by NSO Group to deliver Pegasus spyware to iPhones. This sophisticated exploit chained two vulnerabilities within the ImageIO framework's processing of maliciously crafted WebP images. The first vulnerability allowed bypassing a memory limit imposed on WebP decoding, enabling a large, controlled allocation. The second vulnerability, a type confusion bug, leveraged this allocation to achieve arbitrary code execution within the privileged Springboard process. Critically, BLASTPASS required no interaction from the victim and left virtually no trace, making detection extremely difficult. Apple patched these vulnerabilities in iOS 16.6.1, acknowledging their exploitation in the wild, and has implemented further mitigations in subsequent updates to prevent similar attacks.
Hacker News commenters discuss the sophistication and impact of the BLASTPASS exploit. Several express concern over Apple's security, particularly their seemingly delayed response and the lack of transparency surrounding the vulnerability. Some debate the ethics of NSO Group and the use of such exploits, questioning the justification for their existence. Others delve into the technical details, praising the Project Zero analysis and discussing the exploit's clever circumvention of Apple's defenses. The complexity of the exploit and its potential for misuse are recurring themes. A few commenters note the irony of Google, a competitor, uncovering and disclosing the Apple vulnerability. There's also speculation about the potential legal and political ramifications of this discovery.
Researchers at ReversingLabs discovered malicious code injected into the popular npm package flatmap-stream. A compromised developer account pushed a malicious update containing a post-install script. This script exfiltrated environment variables and established a reverse shell to a command-and-control server, giving attackers remote access to infected machines. The malicious code specifically targeted Unix-like systems and was designed to steal sensitive information from development environments. ReversingLabs notified npm, and the malicious version was quickly removed. This incident highlights the ongoing supply chain security risks inherent in open-source ecosystems and the importance of strong developer account security.
HN commenters discuss the troubling implications of the patch-package exploit, highlighting the ease with which malicious code can be injected into seemingly benign dependencies. Several express concern over the reliance on post-install scripts and the difficulty of auditing them effectively. Some suggest alternative approaches like using pnpm with its content-addressable storage or sticking with lockfiles and verified checksums. The maintainers' swift response and revocation of the compromised credentials are acknowledged, but the incident underscores the ongoing vulnerability of the open-source ecosystem and the need for improved security measures. A few commenters point out that using a private, vetted registry, while costly, may be the only truly secure option for critical projects.
The blog post details a successful remote code execution (RCE) exploit against llama.cpp, a popular open-source implementation of the LLaMA large language model. The vulnerability stemmed from improper handling of user-supplied prompts within the --interactive-first mode when loading a model from a remote server. Specifically, a carefully crafted long prompt could trigger a heap overflow, overwriting critical data structures and ultimately allowing arbitrary code execution on the server hosting the llama.cpp instance. The exploit involved sending a specially formatted prompt via a custom RPC client, demonstrating a practical attack scenario. The post concludes with recommendations for mitigating this vulnerability, emphasizing the importance of validating user input and avoiding the direct use of user-supplied data in memory allocation.
Hacker News users discussed the potential severity of the Llama.cpp vulnerability, with some pointing out that exploiting it requires a malicious prompt specifically crafted for that purpose, making accidental exploitation unlikely. The discussion highlighted the inherent risks of running untrusted code, especially within sandboxed environments like Docker, as the exploit demonstrates a bypass of these protections. Some commenters debated the practicality of the attack, with one noting the high resource requirements for running large language models (LLMs) like Llama, making targeted attacks less probable. Others expressed concern about the increasing complexity of software and the difficulty of securing it, particularly with the growing use of machine learning models. A few commenters questioned the wisdom of exposing LLMs directly to user input without robust sanitization and validation.
A critical remote code execution (RCE) vulnerability was discovered in the now-defunct mobile game Marvel: Contest of Champions (also known as Marvel Rivals). The game's chat functionality lacked proper input sanitization, allowing attackers to inject and execute arbitrary JavaScript code within clients of other players. This could have been exploited to steal sensitive information, manipulate game data, or even potentially take control of affected devices. The vulnerability, discovered by a security researcher while reverse-engineering the game, was responsibly disclosed to Kabam, the game's developer. Although a fix was implemented, the exploit served as a stark reminder of the potential security risks associated with unsanitized user inputs in online games.
Hacker News users discussed the exploit detailed in the blog post, focusing on the surprising simplicity of the vulnerability and the potential impact it could have had. Several commenters expressed amazement that such a basic oversight could exist in a production game, with one pointing out the irony of a game about superheroes being vulnerable to such a mundane attack. The discussion also touched on the responsible disclosure process, with users questioning why Kabam hadn't offered a bug bounty and acknowledging the author's ethical handling of the situation. Some users debated the severity of the vulnerability, with opinions ranging from "not a big deal" to a serious security risk given the game's access to user data. The lack of a detailed technical explanation in the blog post was also noted, with some users desiring more information about the specific code involved.
Multiple vulnerabilities were discovered in rsync, a widely used file synchronization tool. These vulnerabilities affect both the client and server components and could allow remote attackers to execute arbitrary code or cause a denial of service. Exploitation generally requires a malicious rsync server, though a malicious client could exploit a vulnerable server with pre-existing trust, such as a backup server. Users are strongly encouraged to update to rsync version 3.2.8 or later to address these vulnerabilities.
Hacker News users discussed the disclosed rsync vulnerabilities, primarily focusing on the practical impact. Several commenters downplayed the severity, noting the limited exploitability due to the requirement of a compromised rsync server or a malicious client connecting to a user's server. Some highlighted the importance of SSH as a secure transport layer, mitigating the risk for most users. The conversation also touched upon the complexities of patching embedded systems and the potential for increased scrutiny of rsync's codebase following these disclosures. A few users expressed concern over the lack of memory safety in C, suggesting it as a contributing factor to such vulnerabilities.
Summary of Comments ( 178 )
https://news.ycombinator.com/item?id=44081338
Hacker News users discussed the efficacy of using static analysis tools like O3, with some praising its potential while acknowledging it's not a silver bullet. Several commenters pointed out the vulnerability seemed relatively simple to spot, questioning the need for O3 in this specific case. The conversation also touched on the disclosure process and the discoverer's decision to publish exploit details before a patch was available, sparking debate about responsible disclosure practices. Some users criticized aspects of the write-up itself, such as claims about the novelty of O3's capabilities. Finally, the prevalence of memory safety issues in C code and the role of tools like Rust in mitigating such vulnerabilities were also discussed.
The Hacker News post discussing the blog post about CVE-2025-37899 has generated a substantial number of comments, many of which delve into various technical aspects of the vulnerability and the process used to discover it.
Several commenters commend the author's approach of using compiler optimizations (specifically
-O3) to uncover the vulnerability. They note the ingenuity of leveraging a tool not typically associated with security research for this purpose. Some discuss how compiler optimizations, while designed to improve performance, can sometimes expose latent bugs by rearranging code in ways that reveal unexpected behavior.A few comments delve into the specific details of the vulnerability, discussing the memory management issues that ultimately lead to the exploit. They analyze how the
-O3optimization changed the code's execution flow in a way that made the bug manifest.The use of KASAN (Kernel Address Sanitizer) is also highlighted in the comments, with users praising its efficacy in pinpointing the source of the problem. The discussion touches on the importance of robust sanitizers in modern software development, especially for complex systems like the Linux kernel.
Some commenters express concern about the implications of this discovery, pointing out the potential severity of a remote zero-day in such a widely used component. They discuss the potential impact on various systems and the importance of prompt patching.
There's also a discussion around the responsible disclosure process, with commenters expressing appreciation for the author's approach and the timely patching of the vulnerability. The comments highlight the importance of coordinated disclosure to minimize potential harm while ensuring that users have access to necessary updates.
A recurring theme in the comments is the relative simplicity of the vulnerability once it was uncovered. This leads to some speculation about why it wasn't discovered earlier, with suggestions ranging from the complexity of the codebase to the limitations of traditional testing methods.
Finally, some commenters share their own experiences with similar vulnerabilities and discuss the challenges of finding and fixing bugs in complex systems. They offer insights into various debugging techniques and tools, contributing to a broader conversation about software security and best practices.