Thinking about it more carefully, the WG2600HS3 is a product from 10 years ago, and looking at the published source code it also appears to be a Netfilter from more than 10 years ago, so I suspect this is the behaviour of a garbage collector that isn't working properly. The Linux session garbage collector of that era was honestly junk... aterm.jp/function/wg1200hs3/…

So it just piles up to 65535 without ever being released...
😇 Cron Boot Execution
Overview: The system has booted. The cron daemon detects the @reboot directive and executes the python payload headlessly. Because the script does not read from a state file, it assumes it is unauthenticated.
Code Context: os.environ lacks TTY configuration.

Netfilter Pipeline Execution
Overview: Isolating network pathways. The script flushes all operational Netfilter targets and forces a global firewall drop policy BEFORE prompting for authentication.
Code Context: apply_firewall_hardened() -> iptables -P INPUT DROP

TTY Context Discrepancy
Overview: CRITICAL TRAP: The program calls input(). Since execution happens in a headless cron environment, stdin has no allocated terminal buffer.
Code Context: Python raises immediate EOFError because it hits the End of File instantly when trying to read from a non-existent terminal.

Exception Handler Triggered
Overview: The error handling code maliciously expects the EOFError. Instead of graceful termination, it passes execution directly to trigger_purge().
Code Context: except (EOFError, KeyboardInterrupt) -> self.trigger_purge()
Cron Boot Execution
Overview: The system has booted. The cron daemon detects the @reboot directive and executes the python payload headlessly.
Code Context: os.environ lacks TTY configuration.

Netfilter Pipeline Execution
Overview: Isolating network pathways. The script flushes all operational Netfilter targets and forces a global firewall drop policy BEFORE prompting for authentication.
Code Context: apply_firewall_hardened() -> iptables -P INPUT DROP

TTY Context Discrepancy
Overview: CRITICAL TRAP: The program calls input(). Since execution happens in a headless cron environment, stdin has no allocated terminal buffer.
Code Context: Python raises immediate EOFError because it hits the End of File instantly when trying to read from a non-existent terminal.

Exception Handler Triggered
Overview: The error handling code maliciously expects the EOFError. Instead of graceful termination, it passes execution directly to trigger_purge().
Code Context: except (EOFError, KeyboardInterrupt) -> self.trigger_purge()

Purge Logic Initiated
Overview: Destructive scrubbing launched due to: Headless Environment Abrupt Input Failure (EOFError Loop Trap)
Code Context: SovereignCore.trigger_purge() called.

Forensic Anti-Analysis Scrubbing
Overview: Writing 4096 bytes of pseudo-random entropy into system authentication tracking infrastructure, then immediately deleting the file node.
Code Context: f.write(secrets.token_bytes(4096)) followed by os.remove(path)

Command Tracking Elimination
Overview: Wiping shell history trace sectors on target block devices to remove tracks of the installation, then deleting the history file entirely.
Code Context: os.remove('/root/.bash_history') executed.

Asset Target Erasure
Overview: Overwriting and deleting structural storage file entities defined in the configuration array.
Code Context: os.remove('/tmp/sensitive_work') system deletion completed.
Day 17 of #100DaysOfCode
Studied Linux Firewall Security and iptables fundamentals.
Netfilter Architecture
Firewall Chains & Tables
Stateful Packet Inspection
firewalld vs iptables
Basic Firewall Rules & Labs
#CyberSecurity #Linux #Firewall #iptables #Netfilter #100DaysOfCode
⚠️ New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root Source: cybersecuritynews.com/linux-… A use-after-free vulnerability in the Linux kernel's nftables subsystem has been disclosed, enabling unprivileged local attackers to escalate privileges to root on widely deployed distributions including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. The bug originates in the nft_map_catchall_activate() function within the nftables subsystem — a packet filtering framework built on top of Linux's Netfilter hooks. #cybersecuritynews
Replying to @sasakulari
Since that can't be used, you end up having to choose either iptables or netfilter
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync. In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.
How a Kubernetes Worker Node actually functions under the hood?
Don't view nodes as generic VMs. View them as a highly disciplined trio working in lockstep:
🤖 kubelet: Watches the API server (never etcd!), enforces desired state, and handles local lifecycle management.
📦 CRI: Decouples orchestration from execution, splitting work between containerd (high-level image prep) and runc (low-level kernel primitives).
🔀 kube-proxy: The networking brain that manipulates Netfilter (iptables) so the kernel can route cluster traffic seamlessly.
Which component's internal mechanics do you find trickiest to debug? 👇
Replying to @Jukischx64
I think we're just active in different areas. I don't want to have a Linux battle with you, unless it's C debugging of the Netfilter module 😁
CVE-2026-46244 Linux Kernel Netfilter IPv6 Inner Transport Header Offset Desynchronizat... vulmon.com/vulnerabilitydeta… Vulnerability Notification: alerts.vulmon.com/?utm_sourc…
Primarily limited to lib/find_bit.c (10 there), 2 spots in fs/file.c, one in close_files(), one in do_close_on_exec(), 2 in the ipv6 exthdr code, 2 in AF_NETLINK, one in the netfilter/nft_counter
found a remotely triggerable out-of-bounds read in the Linux kernel's H.323 connection tracking parser (CVE-2026-23456, CVSS 8.2). no authentication. no privileges. no user interaction. send a malformed packet to port 1720 on any Linux firewall or NAT gateway running nf_conntrack_h323 and you're reading kernel slab memory. some context on why this matters more than a typical kernel OOB. H.323 is a VoIP signaling protocol from the 1990s. it is everywhere you don't think to look. telecom carriers, enterprise PBXs, session border controllers, hospital phone systems, building intercoms, elevator emergency phones, legacy videoconferencing. every Linux-based firewall or NAT device that needs to track H.323 connections for dynamic port allocation loads nf_conntrack_h323, which contains a full ASN.1 PER decoder running inline in the kernel, parsing untrusted data from the network, at wire speed, with direct access to kernel memory. this module auto-loads when H.323 traffic hits a conntrack rule. on many distributions it's loaded by default. the attack surface is: send a packet from the internet to a machine that might be doing NAT for a phone system somewhere behind it. the bug. in decode_int(), the CONS case:

    nf_h323_error_boundary(bs, 0, 2)
    len = get_bits(bs, 2) + 1
    BYTE_ALIGN(bs)
    v = get_uint(bs, len)

the boundary check validates 2 bits for get_bits(). it does not validate len bytes for get_uint(). the length field is bounds-checked. the data described by the length field is not. craft a H.323/RAS packet where the bitstream is truncated after the length field. get_uint() walks 1–4 bytes off the end of a slab allocation. the attacker controls which allocation this is and can potentially influence what's adjacent in the slab cache. 1–4 bytes doesn't sound like much until you remember that kernel pointers, ASLR secrets, and crypto material all live in slab memory and a single leaked pointer can defeat KASLR. now the interesting part.
after the patch landed, Jakub Kicinski's AI code reviewer flagged five other locations in the same file as having the same bug: UNCO in decode_int, SEMI in decode_bitstr, SEMI and default in decode_octstr, BYTE in decode_bmpstr. all five advance bs->cur without checking that enough bytes remain. Florian went through each one and found a post-advance boundary check after every single one. "this LLM response is bunk." he was right. but the reason he was right is the reason the CONS case is a real bug and the other five are not, and I think this is where current AI code review genuinely cannot tell the difference. the other cases do this: advance bs->cur past the data without dereferencing, then check nf_h323_error_boundary(bs, 0, 0) after the switch block. the pointer overshoots. nothing reads through it. the boundary check fires. the function returns an error. pointer arithmetic past the end of a buffer is not a memory safety violation, only pointer dereference is. the pointer moved into illegal territory but nobody looked through the window. the CONS case is different. get_uint(bs, len) dereferences *bs->cur inline. it reads 1–4 bytes from memory as part of advancing. the dereference and the advance are the same operation. there is no "temporary overshoot" because the bytes are physically read from memory during the overshoot. a post-advance boundary check cannot un-read memory. the AI saw "pointer advances without pre-check" six times and pattern-matched all of them as the same bug. five of them advance a pointer. one of them reads through a pointer while advancing. pointer arithmetic vs pointer dereference is the entire vulnerability, and current AI review can't see the difference because it's matching on control flow shape, not on what the CPU actually does when the instruction executes. the fix is two lines. one call to nf_h323_error_boundary(bs, len, 0) between get_bits() and get_uint(). 
the original commit is 5e35941d9901, "[NETFILTER]: Add H.323 conntrack/NAT helper", from 2007. twenty years of a full ASN.1 decoder running in kernel space, parsing untrusted packets from the network, with a missing bounds check on a length-prefixed read. loaded by default on most distributions. reachable without authentication. the fix is two lines. reported by Klaudia Kloc and Dawid Moczadło from @VidocSecurity. I verified the bug, wrote the PoC, and submitted the patch. patched in stable 5.10–6.19.
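The pointer-arithmetic versus pointer-dereference distinction the post above draws, as an added example that is not the kernel's nf_conntrack_h323 code: a constructed reader with a length-prefixed integer decode that places the boundary check for the `len` bytes before the read, beside the skip-only shape where a post-advance check suffices. All names (boundary_ok, get_uint, decode_len_prefixed_uint, skip_len_prefixed) are assumed.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed reader mirroring the CONS-case shape described above;
 * not the kernel's nf_conntrack_h323 code, all names are assumed. */
typedef struct {
    const unsigned char *cur;   /* next byte to consume */
    const unsigned char *end;   /* one past the last valid byte */
} bitstream_t;

/* 0 if at least `need` bytes remain at cur, -1 otherwise (or if cur overshot end). */
static int boundary_ok(const bitstream_t *bs, size_t need)
{
    if (bs->cur > bs->end)
        return -1;
    return (size_t)(bs->end - bs->cur) >= need ? 0 : -1;
}

/* Reads `len` (1..4) big-endian bytes: the dereference and the advance
 * are one operation, so a check placed AFTER this call comes too late. */
static uint32_t get_uint(bitstream_t *bs, unsigned len)
{
    uint32_t v = 0;
    while (len--)
        v = (v << 8) | *bs->cur++;
    return v;
}

/* Length-prefixed integer: 2-bit length field (0..3 meaning 1..4 bytes)
 * in the first byte, then the bytes. 0 on success, -1 if truncated. */
int decode_len_prefixed_uint(const unsigned char *data, size_t n, uint32_t *out)
{
    bitstream_t bs = { data, data + n };
    if (boundary_ok(&bs, 1) < 0)       /* validates the length field */
        return -1;
    unsigned len = (*bs.cur++ & 0x03) + 1;
    if (boundary_ok(&bs, len) < 0)     /* the check the CONS case lacked */
        return -1;
    *out = get_uint(&bs, len);
    return 0;
}

/* Contrast, the skip-only shape: the pointer moves past the field
 * without reading, so a post-advance check is enough to reject it. */
int skip_len_prefixed(const unsigned char *data, size_t n)
{
    bitstream_t bs = { data, data + n };
    if (boundary_ok(&bs, 1) < 0)
        return -1;
    bs.cur += (*bs.cur & 0x03) + 2;    /* length byte + 1..4 data bytes */
    return boundary_ok(&bs, 0);        /* overshoot detected here */
}
```

Feeding a stream truncated after the length field returns -1 from the decode path instead of reading past the buffer, while the skip path rejects the same input only after the pointer has moved.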
found a stack out-of-bounds read in the Linux kernel's nftables pipapo set backend (CVE-2026-43453, CVSS 7.1). I found it by looking for a specific pattern that I think is underhunted, so I want to talk about the methodology as much as the bug. the pattern: function calls where one argument is a boundary-dependent expression and another argument is a flag that makes the callee skip using it. in C, this is a trap. the callee's early return makes every reviewer think the dangerous argument is inert. it is not. C evaluates all arguments at the call site before the function is invoked. the callee's control flow has no jurisdiction over argument evaluation. so you get these call sites that look safe, that have been reviewed and re-reviewed and look safe every time, because the question everyone asks is "is this value used?" and the answer is no. the question that matters is "is this value evaluated?" and nobody asks it because in most languages it's the same question. so I started grepping function calls where an argument indexes an array, and a separate argument is a boolean that triggers an early return in the callee. the kind of code where someone wrote a guard clause and everyone downstream trusted it to cover the arguments too. it doesn't. it can't. the arguments are already computed. pipapo_drop() in nft_set_pipapo.c:

    pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n, rulemap[i + 1].n, i == m->field_count - 1)

on the last iteration, i == field_count - 1. rulemap[i + 1].n reads past the end of a stack-allocated array of 16 entries. pipapo_unmap() checks is_last, returns immediately, never touches the value. the value is already read. the OOB is in the caller's scope. five years of this code in production and every review pass concluded "the function doesn't use it" which is true and also completely beside the point.
the reason I think this pattern is underhunted: static analyzers flag unused variables and unchecked return values but I haven't seen one that asks "is this argument expression legal in the caller's scope given that the callee might not use it?" the safety of the expression depends on the callee's behavior, but the evaluation of the expression doesn't. that gap is where bugs live for years. maybe decades. the callee being careful is what makes the bug invisible. the better the function handles its arguments, the longer the OOB at the call site survives review. that's perverse. the code's own correctness is camouflaging the bug. when field_count is 16 (NFT_PIPAPO_MAX_FIELDS, the max), rulemap[16].n is real stack OOB. you're reading whatever the kernel left on the stack before your frame. smaller field counts get you uninitialized entries in your own array instead, which is a different flavor of wrong but still wrong. and this isn't some exotic race you trigger with three threads and a prayer. it's the normal path. every element expiration, every deletion. the kernel's own GC walks into it on a timer. KASAN on 7.0.0-rc2 aarch64 confirmed it: Read of size 4 at addr ffff8000810e71a4. one stack object, [32, 160) 'rulemap', buggy address at offset 164. array is 128 bytes. read is 4 bytes past the end. rulemap[16].n. worked the offset math on paper beforehand. PoC: pipapo set with NFT_SET_INTERVAL | NFT_SET_CONCAT | NFT_SET_TIMEOUT, 16 concatenated 4-byte fields. insert element, 1-second timeout. wait. insert another to trigger nft_pipapo_commit() → pipapo_gc() → pipapo_drop() → OOB. no heap shaping. no race. the kernel GC walks into it on a schedule. reported to security@kernel.org. Willy Tarreau forwarded to netfilter maintainers. Florian Westphal reviewed, confirmed, asked for a readability tweak. the fix:

    last ? 0 : rulemap[i + 1].n, last

I think there are more of these in the kernel.
any function that takes a flag argument and an expression argument where the flag makes the expression unnecessary. every one of those call sites is a candidate for an OOB or an uninitialized read that no reviewer will catch because the callee's guard clause is too convincing. the code review feedback loop is broken for this pattern. the only reliable way to find them is to stop reading the callee entirely and ask whether every argument is legal to evaluate in the caller's scope, regardless of what the function plans to do with it. patched in stable 5.10–6.19.
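The "is this value evaluated?" pattern from the post above, as an added example that is not the kernel's nft_set_pipapo.c: a guarded callee in the shape of pipapo_unmap(), a buggy call site that still evaluates the `i + 1` index on the last iteration, and the fixed call site in the shape of the accepted fix. A bounds-instrumented accessor counts out-of-range index attempts so the demonstration itself never reads out of bounds; all names (rule_map, map_n, unmap, drop_buggy, drop_fixed) are assumed.

```c
#include <stddef.h>
/* Constructed stand-in for the pipapo rule map and pipapo_unmap();
 * the names are assumed, this is not the kernel's nft_set_pipapo.c. */
#define MAX_FIELDS 4
struct rule_map { unsigned to; unsigned n; };
static unsigned oob_reads;   /* instrumentation: indexes past the array */

/* Instrumented stand-in for rulemap[i].n: instead of really reading
 * past the array it counts the attempt, so the demo stays defined. */
static unsigned map_n(const struct rule_map *map, size_t count, size_t i)
{
    if (i >= count) {
        oob_reads++;
        return 0;
    }
    return map[i].n;
}

unsigned oob_read_count(void) { return oob_reads; }

/* Callee with the guard clause reviewers trusted: when `last` is set it
 * returns before touching next_n, otherwise folds it into the total. */
static unsigned unmap(unsigned total, unsigned n, unsigned next_n, int last)
{
    if (last)
        return total + n;
    return total + n + next_n;
}

/* Buggy call site: next_n is evaluated on every iteration, including the
 * last one, because C evaluates all arguments before the callee runs. */
unsigned drop_buggy(const struct rule_map *map, size_t count)
{
    unsigned total = 0;
    oob_reads = 0;
    for (size_t i = 0; i < count; i++)
        total = unmap(total, map[i].n, map_n(map, count, i + 1), i == count - 1);
    return total;
}

/* Fixed call site, the shape of the accepted fix: the caller decides
 * whether the expression is legal to evaluate; same total, no OOB. */
unsigned drop_fixed(const struct rule_map *map, size_t count)
{
    unsigned total = 0;
    oob_reads = 0;
    for (size_t i = 0; i < count; i++) {
        int last = (i == count - 1);
        total = unmap(total, map[i].n, last ? 0 : map_n(map, count, i + 1), last);
    }
    return total;
}
```

Both call sites compute the same total; only the buggy one records an index past the array, which is exactly the part the callee's guard clause never sees.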
As a distributed peer-to-peer (P2P) network, every full node and super representative exposed on the public internet is a potential target for hackers launching DDoS (distributed denial of service) attacks that try to bring it down by generating a network storm. To build an unbreakable underlying network communication topology, TRON developed an original "Connection Reputation Token (CRT)" interception and filtering algorithm at the P2P network layer. In TRON's underlying network protocol stack, every peer node that actively initiates a TCP handshake is associated in system memory with a dynamic reputation evaluation object. Once a node establishes a connection, the system does not blindly trust it and allocate system resources; instead it applies the strict logic of "behaviour is mining, malice is disconnection". If a node sends a high volume of block query messages within a millisecond-scale window that lack a compliant cryptographic signature or are deliberately malformed, TRON's underlying listener instantly captures this "malicious I/O exhaustion" behavioural signature. The adaptive security module deducts that node's reputation token value within microseconds, and once the value reaches zero, the system hard-blocks that IP at the operating system's network firewall (Netfilter/iptables) level. This technical approach of deeply binding application-layer behaviour analysis with the operating system's kernel-level protection gives TRON nodes strong distributed self-healing and shock-resistance capabilities. @justinsuntron #TRONEcoStar
May 29
why can’t docker hold a frontier model? shared kernel. the container gets its own pids, its own mounts, its own network stack, but the kernel is one big shared party. one use-after-free in netfilter and every container on the box is poppable. CVE-2024-1086 proved it, ransomhub shipped it. #docker #kernelexploit #cloudsecurity
Netfilter? From FreeBSD? Am I trippin?
🪟 Linux netfilter bug in UDP GSO? The plot twist: packets “fall through” between kernel/offload/conntrack and userspace. Security isn’t just rules—it’s timing. Patch it. #Windows #Security #LinuxKernel windowsforum.com/threads/cve… #PatchManagement #LinuxKernel #NetfilterNfqueue
🪟 Linux netfilter got a CVE for nft_counter race math—because in 2026 even the firewall’s bookkeeping can underflow. “Just add a lock” fixes it, but wow… concurrency is king. #Linux #Security #CVE windowsforum.com/threads/cve… #LinuxKernel #Nftables #NetfilterSecurity #Cve202645897
🪟 CAP_NET_ADMIN can trigger a kernel divide-by-zero via netfilter… not wormable, but still a “permission = disaster” vibe. Patch fast; control planes are the new blast radius. windowsforum.com/threads/cve… #Netfilter #LinuxKernelSecurity #Cve2026 #CapNetAdmin
So probably one of curl, OpenSSL, Wireshark, OpenSSH, Nmap, Netfilter, BIND, and Apache. My guess is BIND, Netfilter, or Apache in that order.