Seclog - #186

In this week's Seclog, the security landscape is heavily influenced by the rapid advancements and inherent risks of artificial intelligence, alongside the persistent threat of deep-seated system vulnerabilities. A critical new attack vector demonstrates remote code execution against major LLMs like Claude and Codex through prompt injections hidden in third-party libraries, highlighting significant supply chain risks in AI integration. Concurrently, a 15-year-old stack-UAF vulnerability, GhostLock, has been revealed in the Linux kernel, enabling widespread privilege escalation and container escapes. The community is also releasing powerful new offensive and defensive tools, ranging from multi-architecture Linux LPE kits and weaponized SSO IdPs to rule-based SAST scanners and AWS attack path playgrounds. Discussions further explore the dual nature of LLMs in cybersecurity, evaluating their benefits for blue teams and vulnerability analysis against concerns about hallucinations, cost, and the diminishing uniqueness of traditional security reports.

GhostLock: 15-Year-Old Linux Kernel UAF - nebusec.ai

Details the GhostLock (CVE-2026-43499) vulnerability, a stack Use-After-Free (UAF) flaw present in all major Linux distributions for 15 years. This critical bug enables stable privilege escalation and container escape with a 97% success rate, requiring no special kernel configuration or privileges to trigger. The write-up provides deep technical insights into exploiting this long-standing kernel weakness, indicating its significant impact on Linux security.

Redis 8.6 RCE via Stream PEL UAF - zerotistic.blog

Explores a remote code execution (RCE) vulnerability in Redis 8.6, stemming from a Stream PEL Use-After-Free (UAF) bug. The exploit chain combines a specific Redis stream PEL ownership flaw, a malformed RESTORE payload, and a jemalloc size class collision. This intricate combination turns a shared NACK condition into reliable code execution, providing a detailed breakdown of a complex application-level RCE.

Vulnify: Giving AI Agents a CVE Brain - trustedsec.com

Introduces Vulnify, an open-source tool designed to provide AI agents with a "CVE brain" by stitching together data from eight authoritative vulnerability sources. This aims to enhance AI agents' ability to understand, contextualize, and act upon vulnerability information, improving automated security analysis and response.

ModHeader Extension Exfiltrates Browsing History - aydinnyunus.github.io

A security researcher detailed how the popular ModHeader browser extension silently exfiltrates users' browsing history. The data is sent to api.stanfordstudies.com after being encrypted with AES-GCM and stored in IndexedDB, as revealed by a full reverse engineering analysis. This highlights the significant risk posed by malicious browser extensions to user privacy and data security.

ObfusGit Protects Public Repo from AI Training - trustedsec.com

TrustedSec introduced ObfusGit, a Python tool designed to keep public repositories out of AI training data. The tool aims to protect intellectual property and sensitive code from being inadvertently used by AI models, without altering the standard commit workflow.

George Hotz on LLMs and Hype - geohot.github.io

George Hotz shares his perspective on large language models (LLMs), expressing appreciation for their capabilities while criticizing the associated hype. The post provides insights into the practical aspects and potential future of LLMs from a prominent industry figure.

Vulnerability Reports No Longer Special - filippo.io

Filippo Valsorda argues that vulnerability reports are losing their unique value due to the capabilities of large language models (LLMs). He suggests that LLMs can now generate similar insights and analysis, potentially democratizing access to security information that was once exclusive to specialized researchers.

Cotool: AI for Blue Team Security - cotool.ai

Cotool introduces its platform for leveraging AI in blue team operations, focusing on scaling detection, response, and threat hunting. The platform aims to enable security teams to build AI agents across their entire security stack to improve coverage, reduce MTTR, and automate repetitive tasks.

Caeruleus: Consolidated BLE Security Tester - praetorian.com

Praetorian released Caeruleus, a new Go binary designed to consolidate Bluetooth Low Energy (BLE) security testing. It replaces the need for multiple tools like hcitool, bettercap, gatttool, and custom Bleak scripts, streamlining BLE security assessments.

LLMs in SAST: Benefits and Drawbacks - asecurityengineer.com

An analysis of where large language models (LLMs) genuinely assist in static analysis (SAST), specifically in triage, explanations, and hybrid recall/precision. The post also highlights the significant challenges, including hallucinations, concept drift, and the quiet financial burn rate of LLMs at scale in SAST applications.

Recurring Package Manager CWEs Explored - nesbitt.io

An article discussing recurring weakness classes (CWEs) found in various package managers. This research provides insights into common security pitfalls and patterns in package management systems.

LangGraph SQLi to RCE Exploit - research.checkpoint.com

Details an exploit chain transforming a SQL injection (SQLi) into remote code execution (RCE) within LangGraph's checkpointer mechanism. The vulnerability arises from an unsecured persistence layer used by LangGraph, an open-source framework for stateful AI systems, to store execution state. This demonstrates a critical attack vector in AI agent frameworks where memory persistence is not adequately secured.

Web Security Trends: Top 1 Million Sites - scotthelme.co.uk

Scott Helme's latest "Top 1 Million Analysis" provides a comprehensive look at web security trends over the past decade. The report examines the adoption and impact of various security mechanisms across the internet's most visited websites.

🐦 SecX #

Hijacking LLMs for Remote Code Execution - x.com

Researchers demonstrated Remote Code Execution (RCE) against major large language models (LLMs) like Claude (Sonnet/Opus) and Codex (GPT5.5). The exploit leverages prompt injections disseminated within an open-source/third-party library, achieving RCE when the LLM is used for defensive code assessment. This attack requires no specialized skills, JSON, MCP, or config files, highlighting a novel and concerning vulnerability in LLM interaction with external codebases.

💻 SecGit #

Multi-Architecture Linux LPE Toolkit Released - github.com

This open-source toolkit provides 24 pre-built and runtime-compilable exploits for Linux privilege escalation, supporting multiple architectures. It automates kernel version detection and intelligently filters out patched exploits, streamlining the LPE process for penetration testers and red teamers.

Corgea's Rule-Based SAST Scanner - github.com

Introduces Sighthound, Corgea's open-source, rule-based Static Application Security Testing (SAST) scanner. The tool is designed for analyzing codebases to identify vulnerabilities based on predefined rules.

DataDog AWS Attack Path Playground - github.com

DataDog released pathfinding-labs, a multi-account AWS attack path playground. This tool helps security professionals simulate and understand potential attack paths within complex AWS environments.

maSSO: Malicious IdP for SSO Testing - github.com

maSSO is a weaponized Single Sign-On (SSO) Identity Provider (IdP) for security testing of OIDC and SAML 2.0 Service Providers. The tool also supports the SCIM protocol, enabling comprehensive security assessments of SSO implementations.

ScreenScrub: Redact Credentials in Screenshots - github.com

ScreenScrub is an OCR-based tool designed to automatically find credentials in screenshots, save them to a secret manager, and irreversibly redact them from the image. The tool operates locally and offline, ensuring sensitive data doesn't leave the environment during processing.

Coder: Secure Environments for Developers - github.com

The coder project offers secure development environments for developers and their agents. This aims to provide isolated and controlled spaces, enhancing security posture during software development.

← All Seclogs

Press / to search, Esc to close