Just put a reminder in my calendar for November 1, 2026 to check whether we still have bugs
Natalie Silvanovich
- 1,056 Followers
- 129 Following
- 75 Posts
Tamagotchi hacker. Google Project Zero. she/her
Ivan Fratric shares some tips and tricks for grammar fuzzing
https://projectzero.google/2026/03/mutational-grammar-fuzzing.html
Our intrepid 20%-er @dillonfranke exploited a vulnerability in CoreAudio. See his process for gaining privilege escalation on a Mac:
Make sure to check out the full series here: https://projectzero.google/2026/01/pixel-0-click-part-1.html
Supply-chain issues also played a role: both vulnerabilities were patched very slowly, due to a variety of factors including bug prioritization, licensing and communication between vendors.
Attack surface reduction is also important— the UDC is largely used by commercial media like TV shows, most devices don’t even have an encoder.
Does it really need to be 0-click?
IMO, the biggest takeaway from this research is the huge promise shown by memory mitigations, both hardware and software, in protecting users against 0-days.
IMO, the biggest takeaway from this research is the huge promise shown by memory mitigations, both hardware and software, in protecting users against 0-days.
We hope this flag makes it out of Clang experimental, and more vendors start using it!