Nebula Security

Security research lab

AI research and tooling that finds
vulnerabilities before attackers do.

Nebula Security is a small, independent security-research lab. We build AI-powered security tools to accelerate threat intelligence, vulnerability research, and incident response.

Featured · May 2026

How an Omitted Write Barrier in V8 Turns Into RCE in Chrome: CVE-2026-5865

In March, our system detected a severe vulnerability in V8, the JavaScript engine used by Chrome. This vulnerability enabled remote code execution against billions of Chrome users worldwide.

Latest research

Recent publications.

Buglist

The vulnerability list.

A continuously-updated catalog of every bug we've found and reported — 727 entries and counting.

Recent entries

  • 01 Chrome Turbofan: type confusion in v8 can lead to arbitrary code execution CVE-2026-6307
  • 02 Chrome Maglev: incorrect phi untagging can lead to exploitable write barrier omission CVE-2026-5865
  • 03 Linux kernel `idletimer_tg_checkentry()` (revision 0 path) reuses existing timers by label without validating `timer_type`, and unconditionally calls `mod_timer(&info->timer->timer, ...)`. In `idletimer_tg_create_v1()`, when `timer_type` is `XT_IDLETIMER_ALARM`, only `alarm_init()` is done and `timer_setup()` is never called for `info->timer->timer`. This allows mixing a rev1 ALARM rule and a rev0 rule with the same label, causing rev0 code paths (`idletimer_tg_checkentry()`, `idletimer_tg_target()`, and potentially `idletimer_tg_destroy()`) to operate on an uninitialized `timer_list`, which can corrupt timer internals (memory corruption) and may be exploitable from CAP_NET_ADMIN context. CVE-2026-23274
  • 04 Linux kernel `rxkad_decrypt_ticket()` never checks the return value of `crypto_skcipher_decrypt()`. `rxkad_verify_response()` only constrains `ticket_len` to 4..1024, so a non-block-aligned ticket can make decryption fail while the function continues parsing attacker-controlled bytes as if they were a plaintext ticket and session key. An attacker can then craft the RESPONSE body around that chosen session key and bypass the server secret. CVE-2026-31637
  • 05 CPython Remote OOB write → potential remote code execution CVE-2026-3298