The Dustin Childs

@dustinchilds.bsky.social

Just a simple information security gnome trying to make his way through the universe. Part-time patch wrangler. Tweets are just my opinion and such. Got questions about patches or bug bounties? My DMs are open. Signal: DustinChilds.17

1,966 Followers 180 Following 151 Posts Joined Sep 2024
17 hours ago
Zero Day Initiative — Announcing Pwn2Own Berlin for 2026 If you just want to read the contest rules, click here. Willkommen zurück, meine Damen und Herren, zu unserem zweiten Wettbewerb in Berlin! That’s correct (if Google translate didn’t s...

Announcing #Pwn2Own Berlin 2026! We've got 10 categories for targets, including an expanded #AI target list. We have 4 AI categories - including coding agents (looking at you #Claude). More than $1,000,000 in cash & prizes available. Read the details at www.zerodayinitiative.com/blog/2026/3/...

1 1 0 0
2 days ago
Zero Day Initiative — The March 2026 Security Update Review I am back in the friendly confines of the Mid-South headquarters of TrendAI ZDI (a.k.a. my home office), and am all set for the third patch Tuesday of 2026. Take a break from your regularly scheduled ...

Happy Patch Tuesday! The latest security patches from #Adobe and #Microsoft are here. Thankfully, no bugs are listed as being under attack, but there's still some interesting ones in the mix. Join @dustinchilds.bsky.social as he breaks down the March release www.zerodayinitiative.com/blog/2026/3/...

2 3 0 0
2 weeks ago

[ZDI-26-124|CVE-2025-15060] claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability (CVSS 9.8; Credit: Peter Girnus of Trend Research) zerodayinitiative.com/advisories/Z...

0 1 0 0
2 weeks ago
Former L3Harris Trenchant boss jailed for selling hacking tools to Russian broker | TechCrunch Peter Williams, the former head of U.S. hacking tools maker L3Harris Trenchant, was sentenced to seven years in prison for stealing and selling his former company’s hacking and surveillance tools to a...

NEW: Former L3Harris boss Peter Williams was sentenced to seven years in prison for stealing sensitive company hacking tools, and then selling them to a Russian broker.

Williams, aka Doogie, previously pleaded guilty to stealing and selling eight trade secrets to Russian broker Operation Zero.

13 5 1 1
2 weeks ago
Agenda - [un]prompted

Heading to the #[un]prompted conference next week? Be sure to catch @gothburz.bsky.social's talk on "FENRIR: AI Hunting for AI Zero-Days at Scale". His talk shows how FENRIR has detected over 100+ CVEs since mid-2025. Don't miss it. unpromptedcon.org

2 2 0 0
3 weeks ago
Zero Day Initiative — CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad In this excerpt of a TrendAI Research Services vulnerability report, Nikolai Skliarenko and Yazhi Wang of the TrendAI Research team detail a recently patched command injection vulnerability in the Win...

CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad - The TrendAI Research team takes a deep dive into this recently patched file parsing bug to show you root cause, source code walk through, and provide detection guidance. Read the details at www.zerodayinitiative.com/blog/2026/2/...

2 1 0 1
1 month ago
Zero Day Initiative — The February 2026 Security Update Review I have survived the biggest Pwn2Own ever, but I’m back in Tokyo for the second Patch Tuesday of 2026. My location never stops Patch Tuesday from coming, so let’s take a look at the latest security pat...

Microsoft reports six(!) exploits in the wild while Adobe has a small (and relatively quiet) month. Join @dustinchilds.bsky.social from Tokyo as he breaks down the release and shows you what to watch for. www.zerodayinitiative.com/blog/2026/2/...

1 1 0 0
1 month ago

A small release from @adobe.com but 6 (yes six!) actively exploited bugs from #Microsoft. I'll have my full thoughts out soon, but get ready for some emergency patching. #PatchTuesday

0 0 0 0
1 month ago
Zero Day Initiative — CVE-2025-6978: Arbitrary Code Execution in the Arista NG Firewall In this excerpt of a TrendAI Research Services vulnerability report, Jonathan Lein and Simon Humbert of the TrendAI Research team detail a recently patched command injection vulnerability in the Arist...

CVE-2025-6978: Arbitrary Code Execution in the #Arista NG Firewall - our researchers took a deep dive into this recently patched RCE to provide root cause and detection guidance. Read all the details at www.zerodayinitiative.com/blog/2026/2/...

4 3 0 0
1 month ago

Patches are now available for Office 2016 and 2019. Get to updating them there systems!

1 0 0 0
1 month ago
Recapping Day Two of Pwn2Own Automotive 2026 YouTube video by TrendAI Zero Day Initiative

Wrapping up Day Two of #Pwn2Own Automotive - we saw some amazing research demonstrated today, some of which had never been seen in public before! Join @dustinchilds.bsky.social as he summarizes the highlights and previews the final day. youtu.be/xKZtfblNrHc

0 1 0 0
1 month ago

Bold of you to assume I have a WhatsApp number, and thanks for the response on the next day. After six hours, my bags finally showed up - after several AA metal flights that had arrived when we did, or after we did and they've already received their bags. My AirTag says they weren't even unloaded.

0 0 0 0
1 month ago
Security Update Guide - Microsoft Security Response Center

Wow - Office security feature bypass patched OOB after active exploitation detected. Patch now - CVE-2026-21509. At least the Preview Pane isn't an attack vector. msrc.microsoft.com/update-guide...

8 6 0 1
1 month ago

We landed in DFW at 2:30pm, but thanks to bad weather and @americanair.bsky.social incompetence, here it is 9:30 and we have left customs. Still waiting on bags. *sigh*

1 0 2 0
1 month ago

Boom! or shall I say Doom? Game On! Aapo Oksman, Elias Ikkelä-Koski and Mikael Kantola of Juurin Oy exploit the Alpitronic HYC50 with a TOCTOU bug - and installed a playable version of Doom to boot. They earn $20,000 and 4 Master of Pwn points. #Pwn2Own #P2OAuto

2 2 0 0
1 month ago
From Pwn2Own Automotive 2026 Day 2: Synacktiv vs. Autel YouTube video by TrendAI Zero Day Initiative

In a highlight from Day 2 of #Pwn2Own Automotive, the team from @synacktiv.com is at it again. This time, they leverage NFC(!) to exploit the #Autel MaxiCharger with a stack-based buffer overflow. Amazing! We've never seen an NFC exploit like this one before. youtube.com/shorts/eGAMc...

3 1 0 0
1 month ago

Me too....

1 0 0 0
1 month ago

Verified! Fuzzware.io (@ScepticCtf, @diff_fusion, @SeTcbPrivilege) chained two vulnerabilities (CWE-306, CWE-347) to achieve code execution on the Autel charger and manipulate the CP signal, earning $50,000 USD and 5 Master of Pwn points. Full win with the add-on. #Pwn2Own #P2OAuto

1 1 0 0
1 month ago

Confirmed! Taejin Kim (@tae3), Junsu Yeo (@junactually), Sunmin Park (@sunminpark4503), Sungmin Son (@_ssm98), and Hoseok Lee of SKShieldus (@EQSTLab) exploited a hardcoded credential (CWE-798) for code execution via CWE-494 on the Grizzl-E Smart 40A, earning $40,000 and 4 MoP points. #Pwn2Own

0 1 0 0
1 month ago

Verified! @kiddo_pwn and @freddo_1337 of Team DDOS exploited two bugs, including a command injection, against the ChargePoint Home Flex. Add-on failed, but still earned $40,000 USD and 4 Master of Pwn points. #Pwn2Own #P2OAuto

1 1 0 0
1 month ago

The exploit in action!

0 1 0 0
1 month ago

Confirmed! Neodyme AG (@Neodyme) used a stack based buffer overflow to get a root shell on the Alpine iLX-F511, earning $20,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto

3 2 1 0
1 month ago

There's a story there...for another time ;-]

0 0 0 0
1 month ago

Zed is learning about sake. I had to apologize for putting him in checked baggage on the way to Tokyo.

1 0 0 0
1 month ago
Behind the Scenes of Pwn2Own Automotive - Setting Up! YouTube video by Trend Zero Day Initiative

We're in the middle of setting up for #Pwn2Own Automotive, and @dustinchilds.bsky.social and Zed peek behind the scenes to see how it's going. youtube.com/shorts/h8dbY...

1 1 0 0
1 month ago

Patch Tuesday starts at 3am on Wednesday here. For the record, I don't like it.

3 0 0 0
1 month ago
Zero Day Initiative — The January 2026 Security Update Review I may be in Tokyo preparing for Pwn2Own Automotive, but that doesn’t stop patch Tuesday from coming. Put aside your broken New Year’s resolutions for just a moment as we review the latest security patc...

He may be in Tokyo prepping for #Pwn2Own Automotive, but Patch Tuesday waits for no one. Join @dustinchilds.bsky.social as he breaks down a big #Microsoft release (w/ 1 CVE in the wild) and a smallish #Adobe release. www.zerodayinitiative.com/blog/2026/1/...

4 2 1 0
1 month ago

It's a big patch Tuesday with more than 110 CVEs from Microsoft but only 25 from Adobe. There's one info disclosure bug under attack. I'll have my full thoughts out soon.

5 0 0 0
3 months ago
Google and Apple roll out emergency security updates after zero-day attacks | TechCrunch Apple released patches for all of its flagship devices to fix security flaws under attack. Google also updated Chrome to remediate one vulnerability exploited in the attacks.

NEW: Apple and Google have rolled out security updates to fix a series of flaws used in an active hacking campaign.

Google updated Chrome; Apple issued fixes for iPhones, Macs, and more. Apple and Google's TAG were credited with the find. TAG usually tracks government-backed threats, like spyware.

210 86 18 6