Ivan Fratric
@ifsecure
Security researcher at Google Project Zero. Author: Jackalope, TinyInst, WinAFL, Domato. PhD. Tweets are my own. Backup @[email protected]
Joined August 2011
The slides for my Black Hat talk "XMPP Stanza Smuggling or How I Hacked Zoom" are now available at
Great news for browser security (and not just because it cites my XSLT research :)). A lot of younger folks don't even know this feature exists, yet it is/was the default attack surface in all major web browsers with a history of exploitation.
developer.chrome.com
Prepare for Chrome deprecating and removing XSLT from the browser.
New Project Zero blog post, Defeating KASLR by Doing Nothing at All
We really should be talking about this more....KASLR is just not working properly on Android right now, and it hasn't for a long time. https://t.co/AE0vBXEcob
We derestricted https://t.co/DvAkrs21i4 today which might just be my favorite bug of the last few years: bad interaction between WebAudio changing the CPU's handling of floats and V8 not expecting that. See https://t.co/ovkSmnegNP for a PoC exploit. Also affected other browsers
Also not a bad primer for what can go wrong when implementing a JavaScript engine.
Although the target might not be as impactful as some others we ran against, these bugs in QuickJS are some of my favorite Big Sleep finds, because they demonstrate the ability of LLMs to reason about and detect classic JavaScript engine vulnerabilities.
“I have [...] extreme fear because once things hit this level, you never know what’s going to happen”. Well I guess now he knows how his victims feel.
SCOOP: A man who worked on developing hacking tools for defense contractor L3Harris Trenchant was notified by Apple that his iPhone was targeted with spyware. It's unclear who targeted him, but he believes he was the scapegoat of a leak investigation. https://t.co/dWAhfdE6Tw
A fun fact about this bug is that we only had an (entirely internally imposed) ~ 8 hour deadline to find it. Looking forward to sharing more info about it.
Serious bugs often occur in third-party components integrated by other software. @ifsecure and I found this vulnerability in the Dolby Unified Decoder. It affects Android, iOS and Windows among other platforms, sometimes 0-click. https://t.co/LchMIdKP0P
Really excited to finally announce CodeMender! As part of this we've already submitted and upstreamed several patches to OSS projects via OSS-Fuzz. Check out our post at: https://t.co/qgnroQyIzN There will be more technical details and exciting announcements to come!
deepmind.google
Using advanced AI to fix critical software vulnerabilities
I reported an arbitrary code execution in Unity Runtime, which affects all versions starting from Unity 2017.1. As the vulnerability can be exploited without specific usage, I strongly encourage developers to patch. Technical details below: https://t.co/af3d28rXw3
flatt.tech
Introduction Hello, I'm RyotaK (@ryotkak ), a security engineer at GMO Flatt Security Inc. In May 2025, I participated in the Meta Bug Bounty Researcher Conference 2025. During this event, I discov...
A new Project Zero blogpost by @tehjh in which he writes about an interesting and little-known bug class that affected web browsers, Linux and, most recently, macOS. The bug class can also be used for leaking pointer tag information in some scenarios.
Super cool potential ASLR leak via dictionary hashing by @tehjh!
In isolation, https://t.co/1VJ5mFZvXA and https://t.co/Wny1SlskAC might not appear very critical. However, together they mean KASLR on Pixel is broken :(. Both of these issues have been declared "working as intended" by the respective vendors :(
Oh also this, which is technically WAI but has the unfortunate side effect (because of linear map non-randomization) that instead of bypassing KASLR, you can just use 0xffffff8000010000 as your kernel base instead.... https://t.co/JXMIquQ14s
I've derestricted 3 unfixed issues in the Google BigWave driver - these bugs are reachable from media decoding contexts on Pixel devices. E.g. https://t.co/KxgeHA6hdw
If you're keeping an eye on the Big Sleep issue tracker ( https://t.co/1hAhesgXRd) you might have noticed that the detailed reports for some bugs (e.g. https://t.co/xNRb1bxr20) are now public. Note however that all reports are lovingly crafted by a human and not AI-generated.
iPhone models announced today include Memory Integrity Enforcement, the culmination of an unprecedented design and engineering effort that we believe represents the most significant upgrade to memory safety in the history of consumer operating systems.
security.apple.com
Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort spanning half a decade that combines the unique strengths of Apple silicon hardware with our...
https://t.co/TeYPpUANyW now with even more bugs. Also great to see the first ones getting fixed, including in v8, ANGLE and imagemagick.