Calif
MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)
To our knowledge, this is the first remote kernel exploit both discovered and exploited by an AI.
Mar 31 • Calif
MAD Bugs: vim vs emacs vs Claude
We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you’re owned. We joked: fine, we’ll switch to Emacs. Then Claude found an…
Mar 30 • Calif
Reverse engineering Apple’s silent security fixes
I grabbed the latest iOS update, and diffed it with ipsw. The diff reveals at least two security-relevant changes that were shipped quietly.
Mar 27
Taking Apart iOS Apps: Anti-Debugging and Anti-Tampering in the Wild
Table Of Contents
Mar 17 • Calif
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets
A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool…
Mar 3 • Calif
August 2025
A history of device-bound cookies
The recent announcement from Google about Device Bound Session Credentials (DBSC) sent me down memory lane.
Aug 24, 2025 • Thai Duong
“Vibe Hacking”: Abusing Developer Trust in Cursor and VS Code Remote Development
Update: Mauro Soria pointed out that this attack vector can be easily adapted for phishing scenarios:
Aug 18, 2025
July 2025
Partnering with Google to Strengthen Open-Source Crypto: An Mbed TLS Security Audit
By Linh Le and Ngan Nguyen
Jul 5, 2025
April 2025
Oracle SSO, SOS
You've probably seen the news: Oracle Cloud got popped, exposing 6 million records from over 140,000 tenants.
Apr 8, 2025 • Thai Duong
March 2025
YouTube Threat Modeling
Last week, we delivered our first training session with YouTube engineers on the attacker's mindset and threat modeling.
Mar 25, 2025 • Thai Duong
January 2025
Calif Ski Team
In Vietnam, we have three seasons: hot, hotter, and damn hot!
Jan 2, 2025 • Thai Duong
December 2024
CVE-2024-10382: Arbitrary code execution in Android Auto and various apps
In July 2024, Google engaged Calif to audit Android Automotive OS (AAOS) and Android Auto.
Dec 18, 2024 • Khanh and Linhlhq