@wdormann From what I read in the writeup (and the sparse other sources), you need a long enough DNS name on the victim host to trigger the overflow. I think 54 chars or more? This GitHub has a possible explanation why the PoC fails under most normal conditions: https://github.com/ADScanPro/CVE-2026-41089-LongLogon
So CVE-2026-41089 (CVSS 9.8) in Windows Netlogon can be triggered by sending a username that is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA or longer. How original.
@GossiTheDog And then, there's this gem. Google ads for ddos.su and Cloudflare, chilling on the result page for "best stresser tool". ddos.su has been advertising on Google for over a year. I have reported the ads but have not heard back yet. Of course, ddos.su is behind CF. So I reported ddos.su to Cloudflare who just said "yeah that's no longer on our network". My bad, but www.ddos.su is.
However, I noticed something odd. Either this is purely coincidence, or the exploit has less reliability now (?). On a freshly booted system, it works 100%, but after a couple minutes of runtime, it seems that it doesn't always win the race condition (or it takes longer than the usual ~10 seconds).
So #OpenAI wants to introduce an "adult mode" to ChatGPT so people who are fed up with the boring AI porn over at Grok have more choice.
And their product policy team pushed back, citing that this would likely be detrimental to users' well-being.
Being the balanced, well-hinged company they are, OpenAI then proceeds to fire the head of said product team, citing sexual discrimination against a male colleague. And proceeds to tout "adult mode".
@mkj @manawyrm @ryanc Mobile phone number address spaces are surprisingly variable, especially in Austria. There are in excess of 500 billion possible phone numbers in Austria alone. This table might be useful for an estimate (UK's not in it), but a couple dozen billion across all those countries seems like a good enough ballpark. Source: https://arxiv.org/pdf/2511.20252
I'm looking for someone who has received one of the ominous unsolicited Instagram password reset e-mails around December 30, last year. I'd like to cross-check their Instagram data with the recent "leak". Appreciate a boost!
Security (web, infra, app) nerd, has accepted that VR will never be a mass market, writer @heise Security. All toots are IMHO & not my employer's opinion. PGP fingerprint: C882 8ED1 7DD1 9011 C088 EA50 5CFA 2EEB 397A CAC1