We analyzed the Coruna exploit kit and found intriguing code overlaps with Operation Triangulation. Full analysis on our blog: link below.

BREAKING: powerful iPhone hacking tools used by Chinese criminals originated from US defense giant L3 Harris. The $LHX zero-click exploits went to Russian spies too. Unbelievable harm to our collective security. Scoop by @lorenzofb, here's why this matters 1/

A full iOS exploit toolkit, "Coruna," has been found in the wild, hacking iPhones that visited infected websites, used by Russian spies targeting Ukrainians and thieves targeting Chinese crypto holders. And it may have been created for the US government. wired.com/story/coruna-iphon…

Coruna exploit kit is targeting iOS. Coruna leverages 23 exploits against Apple devices running iOS 13-17.2.1. It is being used for espionage, and by financially motivated actors to steal crypto. Update your iOS devices, and learn more about this threat: bit.ly/4rbeltc

New Project Zero blogpost series describing a 0-click exploit chain targeting Pixel 9, featuring a Dolby decoder bug spotted by yours truly.

⚠️ @RSF_inter has uncovered a previously unknown #spyware tool used by the State Security Committee (KGB) of 🇧🇾Belarus to target, among others, journalists and media workers. rsf.org/en/exclusive-rsf-unc…

We launched a redesigned Project Zero website today at projectzero.google ! To mark the occasion, we released some older posts that never quite made it out of drafts. Enjoy!

Adobe DNG SDK: areaSpec overlap miscalculation lead to integer overflow, leading to OOB read/write project-zero.issues.chromium…

This issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 is a WebKit use-after-free remote code execution flaw that can be exploited by processing maliciously crafted web content. Apple says the flaw was discovered by Google’s Threat Analysis Group. CVE-2025-14174 is a WebKit memory corruption flaw that could lead to memory corruption. support.apple.com/en-us/1258… [N/A][466192044] High CVE-2025-14174: Out of bounds memory access in ANGLE. Reported by Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group on 2025-12-05 chromereleases.googleblog.co… ANGLE and WebGL 2.0 in WebKit trac.webkit.org/wiki/Anglefo…

An analysis of a recent 0-click exploit targeting Samsung devices: googleprojectzero.blogspot.c…

🚨 A huge leak exposes the new targets and internal operations of Intellexa, the secretive and murky company behind the notorious Predator spyware. Introducing #IntellexaLeaks, a joint investigation with partners @insidestory_gr, @haaretzcom & WAV Research Collective 🧵👇

We derestricted a number of vulnerabilities found by Big Sleep in JavaScriptCore today: issuetracker.google.com/issu… All of them were fixed in the iOS 26.1 (and equivalent) update last month. Definitely some cool bugs in there!

All my recent activity wasn't for nothing...I'm pleased to announce that I'll be speaking at @DistrictCon with @natashenka about a 0-click to kernel exploit chain for the Pixel 9 in January!

Samsung: QuramDng getOverlap miscalculation leads to integer overflow, leading to out-of-bounds read/write project-zero.issues.chromium…

woah...Exploited ITW (CVE-2025-10585)[445380761][compiler][maglev]Type Confusion chromium-review.googlesource… chromium-review.googlesource… chromereleases.googleblog.co… Reported by Google TAG

We’re thrilled to announce Donncha Ó Cearbhaill (@DonnchaC) as our keynote speaker for HEXACON 2025! 💥 No doubt he has plenty of juicy stories up his sleeve 👾

If you've been keeping track on the Big Sleep bug tracker at goo.gle/bigsleep you might have noticed it lists more bugs now compared to last week. Including a "High impact issue in V8" :)

Exploited ITW (CVE-2025-6558)[427162086]Incorrect validation of untrusted input(transform feedback buffer modification) chromium-review.googlesource… chromereleases.googleblog.co… Reported by Clément Lecigne(@_clem1) and Vlad Stolyarov(@vladhiewsha)

Leak hole PoC for Chrome in-the-wild vulnerability CVE-2025-6554 published yesterday: github.com/DarkNavySecurity/…

After 6 months of responsible disclosure, proud to announce our team discovered 13 (mostly exploitable) vulnerabilities in Samsung Exynos processors! Kudos to @st424204, @n0psledbyte, @Peterpan980927 & @rainbowpigeon_ CVE-2025-23095 to CVE-2025-23107 📍 semiconductor.samsung.com/su…