There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing.
-
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
CVE-2026-34486 - Tomcat
- Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000 is available. It's pretty niche.
-
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
@GossiTheDog I really want to hear your take on this because I’ve heard conflicting things about whether any of the vulnerabilities are serious or not.
-
CVE-2026-34486 - Tomcat
- Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000 is available. It's pretty niche.
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
-
@GossiTheDog I really want to hear your take on this because I’ve heard conflicting things about whether any of the vulnerabilities are serious or not.
@MisuseCase @GossiTheDog most of the stuff is just pure marketing fluff. Sure, AI is finding bugs. People are fixing them. This has been the case for a while now. Nothing new. Exploitable bugs still very rare. Catastrophic ones like Heartbleed nil, so far. It’s business as usual. The noise volume is up, quality of the signal seems about same as always.
-
CVE-2026-34486 - Tomcat
- Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000 is available. It's pretty niche.
@GossiTheDog while they can certainly find some fun things, a number of the "vulns" are ridiculous "Oh this can be an RCE during full moons with ASLR disabled running on TRSDOS ported to ARM."
The models don't really threat model well at all. I like @bagder 's approach of VULN-DISCLOSURE-POLICY.md
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
@GossiTheDog
(except fewer) -
@MisuseCase @GossiTheDog most of the stuff is just pure marketing fluff. Sure, AI is finding bugs. People are fixing them. This has been the case for a while now. Nothing new. Exploitable bugs still very rare. Catastrophic ones like Heartbleed nil, so far. It’s business as usual. The noise volume is up, quality of the signal seems about same as always.
@0xtero @GossiTheDog Meanwhile
1. AI coding agents are one of the factors contributing to shorter intervals between “vulnerability discovery” and “working exploit”
2. Orgs can’t be bothered to patch known vulnerabilities in a timely fashion so a huge proportion of cyberattacks and their associated damage are down to bugs that have been known about (and left unpatched) for half a year or more
-
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
@GossiTheDog I already feel so "boy who cried wolf"ed about all the vulns
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
-
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
@GossiTheDog I'd be willing to bet that if they paid real humans the same amount of money as the true cost of running the LLM, they'd find more and better bugs.
-
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
@GossiTheDog but but but, how else am I supposed to market magic box triage-as-a-service
-
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
@GossiTheDog and that's why I'm here. Thanx for keeping us calm.
-
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
@GossiTheDog ... also never turn off ASLR! Why would someone do that nowadays!?
-
@0xtero @GossiTheDog Meanwhile
1. AI coding agents are one of the factors contributing to shorter intervals between “vulnerability discovery” and “working exploit”
2. Orgs can’t be bothered to patch known vulnerabilities in a timely fashion so a huge proportion of cyberattacks and their associated damage are down to bugs that have been known about (and left unpatched) for half a year or more
@MisuseCase @GossiTheDog For sure. But the "from vuln to exploitation" trend has been clear downward slope for years now. (https://zerodayclock.com/). We're seeing a high volume of vulns and bugs, but I feel lot of it ends up being low, medium severity, because it's hard to exploit in real conditions. Fixing these vulns is good - but the marketing messages don't quite map to reality I feel (when do they ever..)
-
@GossiTheDog
(except fewer)@wdormann @GossiTheDog
I love this show and that scene so much lol -
@MisuseCase @GossiTheDog For sure. But the "from vuln to exploitation" trend has been clear downward slope for years now. (https://zerodayclock.com/). We're seeing a high volume of vulns and bugs, but I feel lot of it ends up being low, medium severity, because it's hard to exploit in real conditions. Fixing these vulns is good - but the marketing messages don't quite map to reality I feel (when do they ever..)
@0xtero @GossiTheDog I know about the zero day clock and part of the reason it looks like that is that people who have some idea what they’re doing (not script kiddies, though that may change) can use AI coding agents to develop exploits faster than they would otherwise.
So that part is real, or uncomfortably close to it.
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
@GossiTheDog this particular defect-leading-to-vulnerability according to F5 can be mitigated by using named parameters instead of numbered in the rewrite regex replace expressions.
I don't think the conditions that expose the issue are too terribly unusual as this is the sort of thing that would be done if one wanted to, say, wrap an older HTTP API with semantics that use path parameters.
The defect also impacts the NginX Kubernetes Ingress Controller.
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
> Theoretically, we could leverage this design to leak ASLR by progressively overwriting pointers byte by byte. In this post, we discuss the exploitation technique assuming ASLR has already been bypassed.
Based on that ASLR is "just" a nuisance and not an actual show stopper
https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
-
> Theoretically, we could leverage this design to leak ASLR by progressively overwriting pointers byte by byte. In this post, we discuss the exploitation technique assuming ASLR has already been bypassed.
Based on that ASLR is "just" a nuisance and not an actual show stopper
https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
@ePD5qRxX prove it
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
@GossiTheDog could this one be related to the Palo Alto captive portal authentication ?
