Tag

#memory-safety

4 posts tagged #memory-safety.

Analysis · May 17, 2026 · Colten Anderson

Three CitrixBleeds in 30 months is not a streak, it is a code surface

CVE-2026-3055 is the third pre-auth memory disclosure in NetScaler's authentication stack in 30 months. Citrix says they are unrelated. The endpoints, the class, and the exploitation tempo say otherwise.
Analysis · May 8, 2026 · Colten Anderson

Five critical Fortinet CVEs in 28 months is not a streak of bad luck

Three heap overflows, two auth bypasses, all pre-auth, all ransomware-linked. The pattern in FortiOS and FortiProxy is structural, and patching alone has not been enough to remove attacker access.
Analysis · May 8, 2026 · Colten Anderson

Ivanti Connect Secure: the perimeter that keeps breaking

Five KEV-listed Ivanti Connect Secure bugs in fifteen months, all ransomware-tagged, all on the unauthenticated path. The pledge bought goodwill. The code did not change.
Analysis · May 6, 2026 · Colten Anderson

Citrix shipped CitrixBleed again

Citrix shipped the same pre-auth memory disclosure bug class it patched in 2023. Same binary, same attack surface, same session token leakage. Its own post-patch guidance still doesn't invalidate the tokens attackers actually steal.