Giuseppe Calì

I originally prepared this bug for Pwn2Own Berlin. A few days before the contest, a CVE got assigned. So, here is my technical analysis and exploitation strategy for CVE-2026-40369: a 12-byte kernel increment, exploitable both as an LPE and SBX. https://t.co/agxyuR2AjE

My infinite gratitude goes to everyone who went out of their way to help me with this. Not the outcome I had hoped for, but hey, at least I failed at something incredibly difficult (and learned a ton in the process). 🙃

i did it again 🙏🙏

That's my chain — a full chain w/ logic bugs only! No memory corruption, no AI, and of course no collisions at all 😉

I'm thrilled to announce I have achieved a new level of eyebags trying to make this Pwn2Own participation happen

Bug count != exploitable bug. Finding != chaining. LLMs are exceptional at pattern recognition on known bug classes. They are not reasoning about novel failure modes in complex multi-component systems. The hard bugs still require humans. https://t.co/RISinVDT3d

Pretty sure the vendor reports before the competition starts are likely actively hurting the competitors that have flown out just to have their bounty halved as the issues are now considered 'known'. Equally, you can't just sit on a full chain. Far from the ideal situation...

think i found a bug. which means it’s time to take a break and enjoy the possibility before looking more closely and finding out there’s a check in an upstream code path I missed