Nebula Security

Security research lab

Backed by Combinator

AI research and tooling that finds
vulnerabilities before attackers do.

We bring Mythos level protection to everyone.

vega://vulns/

Click to start

Featured · June 2026

Longinus: 2 Boundaries in One Bug, Piercing Chrome’s Renderer and V8 Sandbox with a Single Vulnerability, CVE-2026-6307

Chrome V8 JavaScript engine features a heap sandbox to prevent an attacker from writing outside of the sandbox region with only a vulnerability in their JavaScript engine. However, VEGA discovered a special bug in the JIT compiler that allows an attacker to gain arbitrary read/write primitives in sandbox and even escape the sandbox to write outside of it solely on its own. This writeup will cover the technical details of the vulnerability.

A long telescope on a tripod, framed by a constellation of dotted stars — the lab's hero artwork.

Latest research

Recent publications.

Found by Vega

0

Linux kernel bugs

0

Chrome zero-days

0

CVEs assigned

$0K+

in bug bounties earned

Buglist

The vulnerability list.

A continuously-updated catalog of every bug we've found and reported — 730 entries and counting.

Recent entries

Showing 5 of 730

  • 01 Chrome Turbofan: type confusion in v8 can lead to arbitrary code execution CVE-2026-6307
  • 02 Chrome Maglev: incorrect phi untagging can lead to exploitable write barrier omission CVE-2026-5865
  • 03 Linux kernel `idletimer_tg_checkentry()` (revision 0 path) reuses existing timers by label without validating `timer_type`, and unconditionally calls `mod_timer(&info->timer->timer, ...)`. In `idletimer_tg_create_v1()`, when `timer_type` is `XT_IDLETIMER_ALARM`, only `alarm_init()` is done and `timer_setup()` is never called for `info->timer->timer`. This allows mixing a rev1 ALARM rule and a rev0 rule with the same label, causing rev0 code paths (`idletimer_tg_checkentry()`, `idletimer_tg_target()`, and potentially `idletimer_tg_destroy()`) to operate on an uninitialized `timer_list`, which can corrupt timer internals (memory corruption) and may be exploitable from CAP_NET_ADMIN context. CVE-2026-23274
  • 04 Linux kernel `rxkad_decrypt_ticket()` never checks the return value of `crypto_skcipher_decrypt()`. `rxkad_verify_response()` only constrains `ticket_len` to 4..1024, so a non-block-aligned ticket can make decryption fail while the function continues parsing attacker-controlled bytes as if they were a plaintext ticket and session key. An attacker can then craft the RESPONSE body around that chosen session key and bypass the server secret. CVE-2026-31637
  • 05 CPython Remote OOB write → potential remote code execution CVE-2026-3298