I love how my city sends me text message alerts when there’s the chance to see a sinkhole

New Blog Post: Seth Jenkins broke kASLR by doing … nothing 😩 googleprojectzero.blogspot.com/2025/11/defe...

Serious bugs often occur in third-party components integrated by other software. Ivan Fratric and I found this vulnerability in the Dolby Unified Decoder. It affects Android, iOS and Windows among other platforms, sometimes 0-click. project-zero.issues.chromium.org/issues/42807...

Super cool potential ASLR leak involving dictionary hashes! googleprojectzero.blogspot.com/2025/09/poin...

fseek and you shall lfind

Zero-day developer and seller Exodus casually brags in a blog post about having found a WebKit zero-day and sold it for a year and a half. blog.exodusintel.com/2025/08/04/o... Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group were the ones that reported it to Apple.

Left blue, right red #defcon

How to use your Defcon badge

“You wouldn’t happen to have anything that could help me understand today’s ever-changing threat landscape? Perhaps involving a bit of AI?”

Peak BH slide

Do you ever feel like maybe you should sign something, but aren’t quite sure you can follow through?

We also posted our first Transparency Report googleprojectzero.blogspot.com/p/reporting-...

While most vendors ship timely patches for vulnerabilities reported by Project Zero, they don’t always reach users. Today, we’re announcing Reporting Transparency, a new policy to encourage downstream fixes googleprojectzero.blogspot.com/2025/07/repo...

maybe there's still some good left in this world after all

The new Tamagotchi Switch game has rap battles where the Tamas rap about how they respect and enjoy each others’ unique differences

Inventor of the GIF, hearing about Notre Dame burning: oh no the jarjoyles

I accidentally closed a browser yesterday with 72 VERY IMPORTANT TABS that have been following me around like Jacob Marley and somehow my history is not recoverable. Reader, I let them go, and have lived to tell the tale.

At least 3 miles of protesters along El Camino in Sunnyvale

I Googled “how to shorten a chain,” and got no good answers, so here’s the answer, here’s how you temporarily shorten it

www.ibiblio.org/harris/500mi... You might be one of the lucky people to learn today about an emailing bug that turned out to be caused by the speed of light.

If there’s one thing I’ve learned, it’s that tab completion is never “just broken today”

If $106,050.10 was the size of a quarter, it would fit in 424,200.4 fewer shipping containers than …

The world never says hello back

The final part of Mateusz’s Windows Registry series is live! Contains all the hive memory corruption exploitation you’ve been waiting for googleprojectzero.blogspot.com/2025/05/the-...

🚨 CALLING ALL VULNERABILITY RESEARCHERS 🚨 The Junkyard is officially open! This is our live, on-stage pwnathon dedicated to end-of-life systems. Submit your bugs! Prizes range from $100 to $5,000 for categories like: ☄️ Most Impactful System 👾 Best Meme Target 👏 Most Engaging Presentation

Movie you've watched more than 1000 times using gifs. ("Hard mode" no Star Wars, Star Trek, or LoTR)

Should be a Canada goose

Another must-watch talk from RE//verse 2025 is live! Zion Basque challenges decompilers to step up their game and introduces a roadmap for a practical solution to solve some of the trickiest compiler behavior's to analyze. Check it out here:

Comment 6: I don’t know, ask Past Natalie

I know, Word. "syncable" isn't a word. But the dictionary is powerless against Microsoft.

You wouldn’t download an orange tree

Not correct, yet a strange window into my soul

tl;dr WhatsApp fixed the vuln on the back end, so you don't need to do anything to your phone, up to and including enabling Lockdown mode. Paragon Solutions sucks and you should be mad at them for enabling spying on civil society. www.theguardian.com/technology/2...

New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...

Killer lineup! Can’t wait to attend. If you are into reverse engineering, check out the new Re-Verse conference, launching in February! The team behind it is incredible. This is going to be the new Infiltrate.

We're pleased to announce Natalie Silvanovich @natashenka.bsky.social as the keynote speaker for the inaugural RE//verse. She might have started out hacking Tamagotchis, but she certainly didn't stop there!

Just unrestricted an issue that shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities audio codecs now fully-remote. This bug in an obscure Samsung S24 codec is 0-click project-zero.issues.chromium.org/issues/36869...

WARNING: This product contains programming languages known to the State of California to cause memory unsafety

Project Zero is hiring 🎉 Please share with anyone you think would be great for the team www.google.com/about/career...

This Justin: Canadian PM resigns. Not sure if Trudeau

Another masterwork by courtroom sketch artist Jane Rosenberg, whose piercing documentation of Rudy Giuliani's descent into madness is one of the most exciting things going on right now in American art.

Oh look, it’s the consistent use of tabs and spaces police

I recently saw an amazing Navajo rug at the National Gallery of Art. It looks abstract at first, but it is a detailed representation of the Intel Pentium processor. Called "Replica of a Chip", it was created in 1994 by Marilou Schultz, a Navajo/Diné weaver and math teacher. 1/n

I thought everyone knew not to shine lasers at anything in the sky this time of year due to the chance of blinding a reindeer

Can you find an ITW 0-day from crash logs? Project Zero finds out googleprojectzero.blogspot.com/2024/12/qual...

TIL there is a herd of 500,000 caribou in Alaska. They know this because Fish and Wildlife stitches together arial photos, like you would when imaging a silicon die. Then a guy named Don Williams counts them all www.adfg.alaska.gov/index.cfm?ad...