There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing.

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:32:19 GMT

draeath@infosec.exchange — Thu, 14 May 2026 11:32:19 GMT

@GossiTheDog ... also never turn off ASLR! Why would someone do that nowadays!?

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:27:30 GMT

fatalisticcritic@cyberplace.social — Thu, 14 May 2026 11:27:30 GMT

@GossiTheDog and that's why I'm here. Thanx for keeping us calm.

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:25:41 GMT

nyanbinary@infosec.exchange — Thu, 14 May 2026 11:25:41 GMT

@GossiTheDog but but but, how else am I supposed to market magic box triage-as-a-service

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:25:29 GMT

womble@infosec.exchange — Thu, 14 May 2026 11:25:29 GMT

@GossiTheDog I'd be willing to bet that if they paid real humans the same amount of money as the true cost of running the LLM, they'd find more and better bugs.

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:24:29 GMT

gossithedog@cyberplace.social — Thu, 14 May 2026 11:24:29 GMT

I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:22:40 GMT

robinsyl@meow.social — Thu, 14 May 2026 11:22:40 GMT

@GossiTheDog I already feel so "boy who cried wolf"ed about all the vulns

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:20:46 GMT

misusecase@twit.social — Thu, 14 May 2026 11:20:46 GMT

@0xtero @GossiTheDog Meanwhile

1. AI coding agents are one of the factors contributing to shorter intervals between “vulnerability discovery” and “working exploit”

2. Orgs can’t be bothered to patch known vulnerabilities in a timely fashion so a huge proportion of cyberattacks and their associated damage are down to bugs that have been known about (and left unpatched) for half a year or more

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:19:44 GMT

wdormann@infosec.exchange — Thu, 14 May 2026 11:19:44 GMT

@GossiTheDog
(except fewer)

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:19:32 GMT

mikesiegel@infosec.exchange — Thu, 14 May 2026 11:19:32 GMT

@GossiTheDog while they can certainly find some fun things, a number of the "vulns" are ridiculous "Oh this can be an RCE during full moons with ASLR disabled running on TRSDOS ported to ARM."

The models don't really threat model well at all. I like @bagder 's approach of VULN-DISCLOSURE-POLICY.md

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:17:16 GMT

0xtero@ohai.social — Thu, 14 May 2026 11:17:16 GMT

@MisuseCase @GossiTheDog most of the stuff is just pure marketing fluff. Sure, AI is finding bugs. People are fixing them. This has been the case for a while now. Nothing new. Exploitable bugs still very rare. Catastrophic ones like Heartbleed nil, so far. It’s business as usual. The noise volume is up, quality of the signal seems about same as always.

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:16:24 GMT

gossithedog@cyberplace.social — Thu, 14 May 2026 11:16:24 GMT

CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)

It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.

The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:11:19 GMT

misusecase@twit.social — Thu, 14 May 2026 11:11:19 GMT

@GossiTheDog I really want to hear your take on this because I’ve heard conflicting things about whether any of the vulnerabilities are serious or not.

Reply to There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. on Thu, 14 May 2026 11:11:16 GMT

gossithedog@cyberplace.social — Thu, 14 May 2026 11:11:16 GMT

CVE-2026-34486 - Tomcat

- Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000 is available. It's pretty niche.