-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Search results for bugs! | Breaking Cybersecurity News | The Hacker News

AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs

AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs

Jun 06, 2026 Vulnerability / Endpoint Security
Two things landed within days of each other this week. A security startup reported 21 previously unknown vulnerabilities in FFmpeg, the media library inside almost everything that touches video, all of them found by an autonomous AI agent. The same week, Google shipped Chrome 149 with patches for 429 security bugs, the most ever in a single release. Only the FFmpeg bugs were found by AI. Chrome's record landed after Google overhauled its bounty program to cope with a flood of AI-generated reports. The mechanisms differ, but the pressure is the same: AI is putting more vulnerabilities in front of the people who have to deal with them, and faster than before. The FFmpeg findings come from depthfirst , whose autonomous security agent scanned the project's roughly 1.5 million lines of C and produced 21 confirmed zero-days, each with a reproducible proof-of-concept input. The company puts the cost of the run at around $1,000. Several of the bugs had been latent for 15 to 2...
French security firm VUPEN Say New Bugs Can Bypass Google Chrome Sandbox !

French security firm VUPEN Say New Bugs Can Bypass Google Chrome Sandbox !

May 10, 2011
French security firm VUPEN Say New Bugs Can Bypass Google Chrome Sandbox ! Researchers at the French security firm VUPEN say that they have discovered several new vulnerabilities in Google Chrome that enable them to bypass the browser's sandbox, as well as ASLR and DEP and run arbitrary code on a vulnerable machine. The company said that they are not going to disclose the details of the bugs right now, but that they have shared information on them with some of their government customers through its customer program. The vulnerabilities are present in the latest version of Chrome running on Windows 7, VUPEN said. VUPEN published a video (  http://www.vupen.com/demos / ) that demonstrates an attack that exploits the Chrome vulnerabilities, although there is no further clues about the bugs themselves. "The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it...
Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

Mar 22, 2015
The Annual Pwn2Own Hacking Competition  2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash. During the second and final day of this year’s hacking contest, the latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers. Sponsored by HP's Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive: 5 bugs in the Windows operating system 4 bugs in Internet Explorer 11 3 bugs in Mozilla Firefox 3 bugs in Adobe Reader 3 bugs in Adobe Flash 2 bugs in Apple Safari 1 bug in Google Chrome $557,500 USD bounty paid out to researchers The star of the show was South Korean ...
cyber security

Take the AI Sprawl CISO Survey. Get fast track to BlackHat swag

websiteRecoAI Security / SaaS Security
Answer questions on AI sprawl. First access to the peer benchmark report.
cyber security

Zscaler ThreatLabz 2026 VPN Risk Report with Cybersecurity Insiders

websiteZscalerAI Security / Network Security
VPN Risk Report reveals attackers using AI to move at machine speed, leaving legacy VPNs exposed.
Facebook Now Pays Hackers for Reporting Security Bugs in 3rd-Party Apps

Facebook Now Pays Hackers for Reporting Security Bugs in 3rd-Party Apps

Oct 16, 2019
Following a series of security mishaps and data abuse through its social media platform, Facebook today expanding its bug bounty program in a very unique way to beef up the security of third-party apps and websites that integrate with its platform. Last year, Facebook launched " Data Abuse Bounty " program to reward anyone who reports valid events of 3rd-party apps collecting Facebook users' data and passing it off to malicious parties, violating Facebook's revamped data policies. Apparently, it turns out that most of the time, Facebook users' data that had been misused was exposed in the first place as the result of a vulnerability or security weakness in third-party apps or services. The Facebook ecosystem contains millions of third-party apps, and unfortunately, very few of them have a vulnerability disclosure program or offer bug bounty rewards to white-hat hackers for responsibly reporting bugs in their codebase. Because of this communication g...
New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

Jul 03, 2026 Linux / Android
A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out. Bad Epoll sits in the same small stretch of kernel code where Anthropic's most powerful AI model, Mythos , recently found a different bug. The AI caught one flaw and missed this one. A researcher, Jaeyoung Chung, found it and built a working attack. How the Bug Works Epoll is a standard Linux feature that lets a program watch many files or network connections at once. Servers, network services, and web browsers all lean on it. You cannot simply switch it off. Bad Epoll is a "use-after-free" bug. Two parts of the kernel try to clean up the same internal object at the same time. One frees the memory while the other is still writing into it. That brief collision lets an attacker corrupt kernel memory, then climb from a normal account up to root...
Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

Jul 03, 2026 Vulnerability / IoT Security
Security firm runZero has disclosed seven vulnerabilities in  FatFs , a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. The flaws matter because FatFs is nearly everywhere. It ships inside the firmware that runs security cameras, drones, industrial controllers, hardware crypto wallets, and other devices built on real-time operating systems. On the worst-affected systems, an attacker who gets a booby-trapped USB drive, SD card, or update file onto a device can corrupt its memory and run their own code. Many embedded devices lack the memory protections found on phones and desktops, which is why runZero says "any physical access leads to a jailbreak." A public kiosk, a camera with an SD slot, an ATM, or a voting machine with a USB port should not hand over full control after a moment of physical access, but here it can. All seven bugs work the same basic way. The device tries to read a storage vo...
AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks

AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks

Jun 30, 2026 Vulnerability / Wireless Security
Two researchers have found six security flaws in AirDrop and Quick Share , the wireless features that beam files between nearby devices with no cables or shared network. An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone, with no tap or prompt. The same research found Quick Share flaws that bypass Samsung's session checks and trigger a potentially exploitable crash in Google's Windows app. The two features run inside an ecosystem of more than five billion active Apple and Android devices, though the tested bugs hit specific implementations and versions. The work, laid out in a  new research paper  by Arash Ale Ebrahim and Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security, is the first to pull both stacks apart side by side, above the radio layer, where discovery becomes session handling, parsing, and trust decisions. The fixes have alre...
5 Network Security Threats And How To Protect Yourself

5 Network Security Threats And How To Protect Yourself

Sep 26, 2022
Cybersecurity today matters so much because of everyone's dependence on technology, from collaboration, communication and collecting data to e-commerce and entertainment. Every organisation that needs to deliver services to their customers and employees must protect their IT 'network' - all the apps and connected devices from laptops and desktops to servers and smartphones. While traditionally, these would all live on one "corporate network," - networks today are often just made up of the devices themselves, and how they're connected: across the internet, sometimes via VPNs, to the homes and cafes people work from, to the cloud and data centres where services live. So what threats does this modern network face? Let's look at them in more detail. #1 Misconfiguration According to recent research by  Verizon , misconfiguration errors and misuse now make up 14% of breaches. Misconfiguration errors occur when configuring a system or application so that it...
Last Years Open Source - Tomorrow's Vulnerabilities

Last Years Open Source - Tomorrow's Vulnerabilities

Nov 01, 2022
Linus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: " given enough eyeballs, all bugs are shallow ." This phrase puts the finger on the very principle of open source: the more, the merrier - if the code is easily available for anyone and everyone to fix bugs, it's pretty safe. But is it? Or is the saying "all bugs are shallow" only true for  shallow  bugs and not ones that lie deeper? It turns out that security flaws in open source can be harder to find than we thought. Emil Wåreus, Head of R&D at  Debricked , took it upon himself to look deeper into the community's performance. As the data scientist he is, he, of course, asked the data:  how good is the open source community at finding vulnerabilities in a timely manner ? The thrill of the (vulnerability) hunt Finding open source vulnerabilities is typically done by the maintainers of the open source project, users, auditors, or external secur...
Google patches 6 serious Chrome bugs

Google patches 6 serious Chrome bugs

Mar 25, 2011
Google on Thursday patched six vulnerabilities in Chrome, and as usual, silently updated users' copies of the browser. The update to Chrome 10.0.648.204 also included two more blacklisted SSL certificates that may be related to last week's theft of nine digital certificates from a Comodo reseller. All six bugs were rated "high," Google's second-most-serious ranking in its threat scoring system. Of the half-dozen bugs, two were "use after free" flaws -- a type of memory management bug that can be exploited to inject attack code -- while a second pair were pegged by Google as "stale pointer" vulnerabilities, another kind of memory allocation flaw. As is Google's practice, the company locked down its bug-tracking database, blocking access to the technical details of the patched vulnerabilities. Google usually unlocks the bug entries several weeks, sometimes months later, to give users time to update before the information goes public. G...
Samsung Launches Bug Bounty Program — Offering up to $200,000 in Rewards

Samsung Launches Bug Bounty Program — Offering up to $200,000 in Rewards

Sep 12, 2017
With the growing number of cyber attacks and data breaches, a number of tech companies and organisations have started Bug Bounty programs for encouraging hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded. Samsung is the latest in the list of tech companies to launch a bug bounty program, announcing that the South Korean electronics giant will offer rewards of up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software. Dubbed Mobile Security Rewards Program , the newly-launched bug bounty program will cover 38 Samsung mobile devices released from 2016 onwards which currently receive monthly or quarterly security updates from the company. So, if you want to take part in the Samsung Mobile Security Rewards Program, you have these devices as your target—the Galaxy S, Galaxy Note, Galaxy A, Galaxy J, and the Galaxy Tab series, as well as Samsung's flagship devices, the S8, S8+, a...
Google Increases Bug Bounty Payouts by 50% and Microsoft Just Doubles It!

Google Increases Bug Bounty Payouts by 50% and Microsoft Just Doubles It!

Mar 03, 2017
Well, there's some good news for hackers and bug bounty hunters! Both tech giants Google and Microsoft have raised the value of the payouts they offer security researchers, white hat hackers and bug hunters who find high severity flaws in their products. While Microsoft has just doubled its top reward from $15,000 to $30,000, Google has raised its high reward from $20,000 to $31,337, which is a 50 percent rise plus a bonus $1,337 or 'leet' award. In past few years, every major company, from Apple to P*rnHub and Netgear , had started Bug Bounty Programs to encourage hackers and security researchers to find and responsibly report bugs in their services and get rewarded. But since more and more bug hunters participating in bug bounty programs at every big tech company, common and easy-to-spot bugs are hardly left now, and if any, they hardly make any severe impact. Sophisticated and remotely exploitable vulnerabilities are a thing now, which takes more time and...
Ever Wondered How Facebook Decides — How much Bounty Should be Paid?

Ever Wondered How Facebook Decides — How much Bounty Should be Paid?

Mar 18, 2016
Facebook pays Millions of dollars every year to researchers and white hat hackers from all around the world to stamp out security holes in its products and infrastructure under its Bug Bounty Program. Facebook recognizes and rewards bug hunters to encourage more people to help the company keep Facebook users safe and secure from outside entities, malicious hackers or others. Recently, the social media giant revealed that India is on top of all countries to report the maximum number of vulnerabilities or security holes in the Facebook platform as well as holds the top position in the country receiving the most bug bounties paid. "India is home to the largest population of security researchers participating in the Facebook bug bounty program since its inception in 2011. The country also holds the top spot for most bounties paid," Adam Ruddermann, Facebook’s technical program manager notes . If you are one of the Facebook’s bug hunters, you might be aware of the fact t...
Android to Support Rust Programming Language to Prevent Memory Flaws

Android to Support Rust Programming Language to Prevent Memory Flaws

Apr 07, 2021
Google on Tuesday announced that its open source version of the Android operating system will add support for Rust programming language in a bid to prevent memory safety bugs. To that end, the company has been building parts of the Android Open Source Project (AOSP) with Rust for the past 18 months, with plans in the pipeline to scale this initiative to cover more aspects of the operating system. "Managed languages like Java and Kotlin are the best option for Android app development," Google  said . "The Android OS uses Java extensively, effectively protecting large portions of the Android platform from memory bugs. Unfortunately, for the lower layers of the OS, Java and Kotlin are not an option." Stating that code written in C and C++ languages requires robust isolation when parsing untrustworthy input, Google said the technique of containing such code within a tightly constrained and unprivileged sandbox can be expensive, causing latency issues and additional...
Twitter Open Sources 'Diffy' that Automatically Catches Potential Bugs in Code

Twitter Open Sources 'Diffy' that Automatically Catches Potential Bugs in Code

Sep 04, 2015
After, Facebook open sourced Thrift Technology ( an internally used tool by Facebook ) in 2007, rival entity Twitter brings Diffy , an internal Twitter service to the world. Yesterday, Twitter introduced " Diffy ," an open source tool, acting as a helping hand for the software developers to catch bugs, test and compare results without writing much code. Diffy plays a vital part in Twitter's development. As a service - Twitter modifies portions of its complex code on a timely basis, and Diffy is packed with such advanced automated techniques that it helps Twitter in its smooth workflow and optimized performance. Diffy simultaneously relieves programmers from writing separate codes to test flaws in the modified code. As, Diffy's minimal setup requirements are adaptable to any kind of environment. Apache Thrift and HTTP-based communication are such elaborate environments where Diffy catches bugs automatically . But, What exactly Diffy is? D...
Microsoft's May Patch Tuesday Fixes 38 Flaws, Including 2 Exploited Zero-Day Bugs

Microsoft's May Patch Tuesday Fixes 38 Flaws, Including 2 Exploited Zero-Day Bugs

May 10, 2023 Zero-Day / Vulnerability
Microsoft has rolled out  Patch Tuesday updates  for May 2023 to address 38 security flaws, including two zero-day bugs that it said are being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI)  said  the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and 32 are rated Important in severity. Eight of the flaws have been tagged with "Exploitation More Likely" assessment by Microsoft. This is aside from  18 flaws  – including 11 bugs since the start of May – the Windows maker resolved in its Chromium-based Edge browser following the release of April Patch Tuesday updates. Topping the list is  CVE-2023-29336  (CVSS score: 7.8), a privilege escalation flaw in Win32k that has come under active exploitation. It's not immediately clear how widespread the attacks are. "An attacker who successfully explo...
The Ultimate Security Blind Spot You Don't Know You Have

The Ultimate Security Blind Spot You Don't Know You Have

Sep 02, 2022
How much time do developers spend actually writing code? According to recent studies , developers spend more time maintaining, testing and securing existing code than they do writing or improving code. Security vulnerabilities have a bad habit of popping up during the software development process, only to surface after an application has been deployed. The disappointing part is that many of these security flaws and bugs could have been resolved in an earlier stage and there are proper methods and tools to uncover them. How much time does a developer spend on learning to write a functioning code? And how much is spent on learning about code security? Or learning how not to code?" Wouldn't it be better to eradicate the problem from the system rather than having it there, and then trying to detect and stop an ongoing attack targeting it? You can test your secure coding skills with this short  self-assessment. The true cost of bugs Everyone makes mistakes, even developers. ...
Hacker kills his own Pwn2Own bug for Android phones !

Hacker kills his own Pwn2Own bug for Android phones !

Mar 08, 2011
A vulnerability that a researcher planned to use to compromise an Android cellphone at a hacking contest later this week got squashed after Google fixed the underlying bug in the Android Market. Scio Security CTO Jon Oberheide notified Google of the XSS, or cross-site scripting, bug in the application bazaar because he didn't believe the vulnerability would qualify under terms of the Pwn2Own contest that is scheduled to start on Wednesday. The “incredibly low-hanging naive persistent XSS” allowed attackers to to remotely install malicious apps on Android handsets by tricking users into clicking a link on their phones or computer browsers while logged into a Google account. Oberheide later learned that the vulnerability didn't run afoul of contest rules, allowing him to collect $15,000 and a free handset if he was successful. But he recently discovered Google closed the security hole. The $1,337 awarded to Oberheide under Google's bug bounty program, is little consolati...
Google vs. Microsoft — Google reveals Third unpatched Zero-Day Vulnerability in Windows

Google vs. Microsoft — Google reveals Third unpatched Zero-Day Vulnerability in Windows

Jan 16, 2015
Microsoft has heavily criticized Google and its 90-days security disclosure policy after the firm publicly revealed two zero-day vulnerabilities in Microsoft’s Windows 8.1 operating system one after one just days before Microsoft planned to issue a patch to kill the bugs. But, seemingly Google don't give a damn thought. Once again, Google has publicly disclosed a new serious vulnerability in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch, leaving users of both the operating systems exposed to hackers until next month, when the company plans to deliver a fix. DISCLOSURE OF UNPATCHED BUGS, GOOD OR BAD? Google’s tight 90-days disclosure policy seems to be a good move for all software vendors to patch their products before they get exploited by the hackers and cybercriminals. But at the same time, disclosing all critical bugs along with its technical details in the widely used operating system like Windows 7 and 8 doesn’t appears to be a righ...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources