Hacker @ Calif.io | My opinions are my own

Joined January 2016
Gia Bui retweeted
Arbitrary code execution in objdump -g
We have a thing for finding bugs in bug finding tools. IDA Pro, Ghidra, Binja Sidekick, or radare2. You name it we hacked it. Our friends were saying we should try objdump. So here we go. Blog post: blog.calif.io/p/oobdump-relo… AI-generated PoC and writeup: github.com/califio/publicati…
Gia Bui retweeted
Big news: @lcamtuf has joined us. Michal has been advising us since the earliest days of the company, helping us navigate everything from difficult strategic decisions to situations that were difficult primarily because we created them ourselves. As the business has grown, so has the number of problems that can only be solved by asking, "What would Michal think of this?" We're delighted that he has now joined us officially and can no longer pretend not to see our messages. We're also excited to share that Michal has granted us an exclusive world-wide license to commercialize his groundbreaking C/C remote dependency technology. Existing customers are encouraged to begin planning their migration to our next-generation implementation, which has been carefully re-engineered with Claude in PHP to maximize nostalgia value for some of our hackers. Welcome aboard, Michal!
Gia Bui retweeted
Introducing HTTP/2 Bomb: a remote DoS in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single client pins 32GB of server memory in 10s. Found by Codex. Blog post: blog.calif.io/p/codex-discov… PoCs: github.com/califio/publicati…
Gia Bui retweeted
May 29
Needle in a haystack: measuring the impact of two nginx RCEs
We had a lot of fun hacking nginx earlier this year. We know from experience that finding a real RCE in nginx is hard, especially one that triggers in a default or commonly-used configuration. So when F5 disclosed CVE-2026-42945 (better known as nginx-rift) and CVE-2026-9256 (possibly nginx-poolslip), two critical heap buffer overflows in the nginx rewrite engine, the natural question was: how many real-world configurations are actually vulnerable? To answer that, we built and open sourced ngxray, a static vulnerability scanner for nginx configs, and scanned nearly 36K configs we found on GitHub. The scanner flagged configs across several dozen repositories. The majority turned out to be PoC reproductions, scanner test fixtures, and tutorial snippets. Out of 35,633 configs, we found one vulnerable config, in an abandoned project. open.substack.com/pub/calif/…
Gia Bui retweeted
May 20
Attacks always get better. Here's a new nginx RCE that bypasses ASLR, tested on the latest nginx 1.30 and 1.31. This still requires a non-default config, but unlike some previous bugs, it does not depend on any additional vulnerabilities or external helpers to get to RCE. We reported the bug on May 15. F5 has confirmed it, and hopefully a patch will land soon. This is getting ridiculous 😅. We have enough nginx bugs to do an entire week of MAD Bugs on it. Who could have thought nginx is starting to feel like the new Linux kernel? This is the funniest time in computer hacking. And yet the world is completely unprepared for this new reality.
Gia Bui retweeted
May 14
Early this week, we had a meeting at Apple Park in Cupertino. While there, we also shared with Apple our latest vulnerability research report: the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE. It was laser printed, in honor of our hacker friends. Full story: open.substack.com/pub/calif/…
Gia Bui retweeted
May 11
We got credited three times in Apple’s latest security drop. Anthropic got named twice, and AISLE once. Does this mean we’re worth more than Anthropic and AISLE combined? Asking for a boss. support.apple.com/en-us/1271…
Gia Bui retweeted
Apr 27
In 2012, six hackers published the iOS Hacker's Handbook. Two of them are joining Calif: Dion Blazakis @justdionysus and Stefan Esser @i0n1c. @i0n1c does not really need an introduction. I'll say a few words about Dion for the uninformed. When @brucedang told me that a hacker named Dion may be joining us, my first reaction was, wait, is that the same Dion who won a Pwnie Award in 2010 for Most Innovative Research? It turns out, it was him. Dion Blazakis is a legendary hacker who has been breaking into just about everything, from basebands and firmware to kernels and browsers. He was one of the earliest people hacking the iPhone and is still at it. In 2011, he and Charlie Miller won Pwn2Own by pwning an iPhone 4. Our next MAD Bugs drops are welcome gifts for Dion and Stefan. Stay tuned!
Gia Bui retweeted
Apr 21
MAD Bugs: All Your Reverse Engineering Tools Are Belong to US
Ghidra, radare2, IDA Pro, and Binary Ninja Sidekick. If your tool doesn't show up here, it's not cool enough. Contact us for a free RCE. open.substack.com/pub/calif/…
Gia Bui retweeted
Apr 16
Woke up to a stack of good news.
1. OpenAI named @calif_io an official vulnerability research partner, alongside Trail of Bits.
2. We hit the Hacker News front page again, third time in a single week. Hacker News comments are terrible though! Most readers don't really know what they were talking about, but very confident.
3. Microsoft acknowledged our work with Anthropic. A few years from now, when we look back at Calif's history, I suspect that HTTP.sys kernel bug will have a very special place. There's a moment before that bug and after that bug. The entire company has gone all in. We haven't slept much since then. And, honestly, for a bunch of clueless hackers like us, seeing our name next to Anthropic, OpenAI, and Microsoft is something really strange and somewhat uncomfortable 😅
Gia Bui retweeted
MAD Bugs: Discovering a 0-Day in Zero Day
Here’s how I used Claude to find and patch a radare2 0-day on my first day at @calif_io. open.substack.com/pub/calif/…
Gia Bui retweeted
Mar 31
MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)
To our knowledge, this is the first remote kernel exploit both discovered and exploited by an AI. blog.calif.io/p/mad-bugs-cla…
Gia Bui retweeted
Mar 30
We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you’re owned. We joked: fine, we’ll switch to Emacs. Then Claude found an RCE there too. Full story: blog.calif.io/p/mad-bugs-vim…
Gia Bui retweeted
Mar 27
Reverse engineering Apple’s silent security fixes, by @blacktop__
We grabbed the latest iOS update, and diffed it with ipsw. The diff reveals at least two security-relevant changes that were shipped quietly. open.substack.com/pub/calif/…
Gia Bui retweeted
Mar 17
Taking Apart iOS Apps: Anti-Debugging and Anti-Tampering in the Wild
By @Little_34306 and @brucedang open.substack.com/pub/calif/…
Gia Bui retweeted
Mar 16
We have some exciting news to share: @blacktop__ is joining Calif to work on a range of R&D projects focused on Apple and AI security. If you work in the Apple security ecosystem, he’s already a household name. He’s the creator of:
* ipsw – the ubiquitous Apple firmware analysis tool: github.com/blacktop/ipsw
* darwin-xnu-build – reproducible XNU kernel builds: github.com/blacktop/darwin-x…
* ipsw-diffs – automated diffing of Apple releases: github.com/blacktop/ipsw-dif…
* The only public deep-dive on Apple’s Lockdown Mode: github.com/blacktop/presenta…
His tooling is so good that even Apple engineers use it. If you do reverse engineering, chances are you’ve touched his Rust headless IDA MCP server: github.com/blacktop/ida-mcp-…. People have literally collected CVEs and bug bounties just by digging through the diffs produced by his tools. With @brucedang, @Little_34306 and now @blacktop__, we're building a serious Apple security force at Calif. We’ll have more announcements in this space soon! If you're interested in Apple security, AI, automated bug discovery, reverse engineering, or hacking, we’re hiring: calif.io/jobs.
Gia Bui retweeted
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets. A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool bug-hunting heuristic. open.substack.com/pub/calif/…