Lifeboat Foundation: Safeguarding Humanity
Toggle light / dark theme

Blog

Category: security

Google accidentally exposed details of unfixed Chromium flaw

Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device.

The flaw was reported by security researcher Lyra Rebane and acknowledged as valid in December 2022, as per the thread on Chromium Issue Tracker.

An attacker could exploit the problem to create a malicious webpage with a Service Worker, such as a download task, that never terminates. Rebane says that this could allow an attacker to execute JavaScript code on the visitors’ devices.

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has released security updates for a “highly critical” security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.

The vulnerability, now tracked as CVE-2026–9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is used in Drupal Core to validate queries and ensure they are sanitized against SQL injection attacks.

“A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases,” it said. “This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.”

Microsoft shares mitigation for YellowKey Windows zero-day

Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives.

The security flaw was disclosed last week by an anonymous security researcher known as ‘Nightmare Eclipse,’ who described it as a backdoor and published a proof-of-concept (PoC) exploit.

Nightmare Eclipse said that exploiting this zero-day involves placing specially crafted ‘FsTx’ files on a USB drive or EFI partition, rebooting into WinRE, and then triggering a shell with unrestricted access to the BitLocker-protected storage volume by holding down the CTRL key.

Exploit released for new PinTheft Arch Linux root escalation flaw

A recently patched Linux privilege escalation vulnerability now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems.

The vulnerability, named PinTheft by the V12 security team and still waiting to be assigned a CVE ID for easier tracking, exists in the Linux kernel’s RDS (Reliable Datagram Sockets) and was patched earlier this month.

“PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers,” V12 said in a Tuesday advisory.

To study how chips really work, MIT researchers built their own operating system

When security researchers want to understand what a modern processor is really doing with the kind of detail that determines whether attacks like Spectre and Meltdown are possible, they usually run their experiments on top of an operating system that was never built for the job. They open up macOS or Linux, patch the kernel by hand, and hope the modifications hold. The approach is unstable, hard to reproduce, and on Apple’s platforms, slated for deprecation.

A team at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) decided to build something different. Fractal, a new operating system kernel written from the ground up, treats the hardware itself as the object of study. Its first major use, a deep look at the branch predictors (CPU’s way of guessing what code to run next before it knows for certain), so it doesn’t have to waste time waiting to find out) inside Apple’s M1 processor, has already turned up findings that prior work missed, including the first evidence that a class of speculative attack known as “Phantom” affects Apple Silicon.

“We’re using hardware in ways it wasn’t designed for,” says Joseph Ravichandran, the MIT PhD student who led the project. “It’s not even obvious that this is a possible thing you could do with the hardware. But we found a way to pull all these different primitives off. It’s like a microscope. If you’ve got a hand magnifying glass, you can see a little bit. But if you had an electron microscope, now we’re really talking. That’s what Fractal is. The electron microscope of operating systems.”

US federal funds awarded to spur SMR deployment

In October 2024, the US Department of Energy (DOE) — under the Joe Biden administration — opened applications for funding to support the initial domestic deployment of Generation III+ small modular reactor (SMR) technologies, with up to USD800 million to go to two “first-mover” teams, with an additional USD100 million to address so-called gaps that have hindered plant deployments. According to the solicitation documentation, a Gen III+ SMR is defined as a nuclear fission reactor that uses light water as a coolant and low-enriched uranium fuel, with a single-unit net electrical power output of 50–350 MWe, that maximises factory fabrication approaches, and the same or improved safety, security, and environmental benefits compared with current large nuclear power plant designs.

The solicitation was re-issued by the DOE in March 2025 to better align with President Donald Trump’s agenda on unleashing American energy and AI dominance.

In December last year, the DOE selected Tennessee Valley Authority (TVA) and Holtec Government Services to each receive USD400 million in federal cost-shared funding to support early deployments of advanced light-water small modular reactors in the USA. TVA’s application was selected for funding to accelerate the deployment of a GE Vernova Hitachi BWRX-300 at its Clinch River site in East Tennessee. Holtec plans to deploy two SMR-300 reactors — named Pioneer 1 and 2 — at the Palisades Nuclear Generating Station site in Michigan.

NSA Releases Hundreds of Pages of Formerly Top Secret UMBRA UAP Records After Disclosure Foundation FOIA Appeal

The National Security Agency has produced hundreds of pages of historical UAP-related records following a Freedom of Information Act appeal by the Disclosure Foundation. Many of the records were previously classified “TOP SECRET UMBRA,” one of the most sensitive classification markings associated with signals intelligence.

DirtyDecrypt PoC Released for Linux Kernel CVE-2026–31635 LPE Vulnerability

Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to be informed by the maintainers that it was a duplicate of a vulnerability that had already been patched in the mainline.

“It’s a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb,” Zellic co-founder Luna Tong (aka cts and gf_256) said in a description shared on GitHub.

Although the CVE identifier was not disclosed, the vulnerability in question is CVE-2026–31635 (CVSS score: 7.5) based on the fact that the NIST National Vulnerability Database (NVD) includes a link to the DirtyDecrypt PoC in its CVE record.

Commercial Space Economy: Space Stations, Space Data Centers, and NASA

Matthew Weinzierl and Brendan Rosseau, authors of Space to Grow, explain the commercial space economy and the role of NASA, Artemis, commercial space stations, space-based data centers, Starlink, GPS, China’s space program, national security, and space governance.

The conversation covers how governments, private companies, and investors build, fund, regulate, and compete in space, from microgravity research and launch markets to lunar exploration, space resources, and the economics of commercial space.

We also try and re-write the Space Treaty and look at the politics of the space race.

Please enjoy the show.

Thinking on Paper is a technology podcast about AI, Space, quantum computing, science, and the systems shaping the future.

🏠 Buy us a beer on Substack: https://thinkingonpaperpodcast.substa… Take us with you on Spotify: https://open.spotify.com/show/00volKq… 🎧 Remember steve jobs on APPLE: https://podcasts.apple.com/us/podcast… 📺 Get the clips and outtakes on Instagram / thinkingonpaperpodcast — Links & Resources Matthew: https://www.hbs.edu/faculty/Pages/pro… Brendan: linkedin.com/in/brendan-rosseau Buy Space To Grow: https://www.hbs.edu/faculty/Pages/ite… — Chapters 00:00 Setting The Scene 03:35 Microgravity 07:43 Economic Incentives 12:14 Political Cycles 17:09 International Collaboration 18:45 National Security in Space 21:36 Space Exploration 24:27 A Day Without Space 28:49 Space Investment 30:37 Space-Based Data Centers 33:40 Space Resources 38:26 Governance in Space 40:55 A New Space Treaty.

Continue reading “Commercial Space Economy: Space Stations, Space Data Centers, and NASA” | >
/* */