There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing.
-
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
CVE-2026-34486 - Tomcat
- Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000 is available. It's pretty niche.
-
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
@GossiTheDog I really want to hear your take on this because I’ve heard conflicting things about whether any of the vulnerabilities are serious or not.
-
CVE-2026-34486 - Tomcat
- Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000 is available. It's pretty niche.
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
-
@GossiTheDog I really want to hear your take on this because I’ve heard conflicting things about whether any of the vulnerabilities are serious or not.
@MisuseCase @GossiTheDog most of the stuff is just pure marketing fluff. Sure, AI is finding bugs. People are fixing them. This has been the case for a while now. Nothing new. Exploitable bugs still very rare. Catastrophic ones like Heartbleed nil, so far. It’s business as usual. The noise volume is up, quality of the signal seems about same as always.
-
CVE-2026-34486 - Tomcat
- Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000 is available. It's pretty niche.
@GossiTheDog while they can certainly find some fun things, a number of the "vulns" are ridiculous "Oh this can be an RCE during full moons with ASLR disabled running on TRSDOS ported to ARM."
The models don't really threat model well at all. I like @bagder 's approach of VULN-DISCLOSURE-POLICY.md
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
@GossiTheDog
(except fewer) -
@MisuseCase @GossiTheDog most of the stuff is just pure marketing fluff. Sure, AI is finding bugs. People are fixing them. This has been the case for a while now. Nothing new. Exploitable bugs still very rare. Catastrophic ones like Heartbleed nil, so far. It’s business as usual. The noise volume is up, quality of the signal seems about same as always.
@0xtero @GossiTheDog Meanwhile
1. AI coding agents are one of the factors contributing to shorter intervals between “vulnerability discovery” and “working exploit”
2. Orgs can’t be bothered to patch known vulnerabilities in a timely fashion so a huge proportion of cyberattacks and their associated damage are down to bugs that have been known about (and left unpatched) for half a year or more
-
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
@GossiTheDog I already feel so "boy who cried wolf"ed about all the vulns
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
-
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
@GossiTheDog I'd be willing to bet that if they paid real humans the same amount of money as the true cost of running the LLM, they'd find more and better bugs.
-
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
@GossiTheDog but but but, how else am I supposed to market magic box triage-as-a-service
-
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
@GossiTheDog and that's why I'm here. Thanx for keeping us calm.
-
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
@GossiTheDog ... also never turn off ASLR! Why would someone do that nowadays!?
-
R relay@relay.infosec.exchange shared this topicR relay@relay.publicsquare.global shared this topic
