C++26 Hardens the Standard
Library
C++26 (P3471R4) converts undefined behaviour in container access —
operator[], front()/back(),
span/string_view indexing, optional/expected dereferencing — into
runtime contract violations. Google deployed this across hundreds of
millions of lines: over 1,000 bugs found including security-critical
ones, 0.30% performance overhead, 30% reduction in baseline segfault
rates. Activation is implementation-defined, typically
-fhardened.
Pyrefly v1.0
Meta’s Python type checker hits production after adoption at
Instagram, PyTorch, NumPy, Pandas, and JAX. Since beta: full
type-checking on PyTorch is 34% faster, incremental editor updates 125x
faster (19ms vs. 2.4s). New in 1.0: built-in Pydantic and Django
support, a gradual adoption mode for high-confidence-only errors, and
experimental tensor shape checking for PyTorch. Already the
most-downloaded extension on Open VSX.
Three Critical
Vulnerabilities
YellowKey — A published PoC demonstrates that
BitLocker-protected drives can be unlocked using only a crafted USB
stick. The technique appears to exploit a mechanism resembling a
deliberate backdoor rather than an implementation bug. Full exploit code
on GitHub. — GitHub · Tom’s
Hardware · HN
NGINX Rift — CVE-2026-42945 is a heap buffer
overflow in the rewrite module, present since 2008 — every NGINX version
from 0.6.27 to 1.30.0. The bug: inconsistent escaping between a
length-calculation pass and a data-copy pass when rewrite
with a question mark meets set with a regex capture group.
An attacker sprays the heap with POST bodies containing fake function
pointers, exploiting deterministic memory layout across worker
processes. Result: unauthenticated RCE on NGINX Open Source, Plus, and
F5 products. — Depth
First Research · Lobsters
Fragnesia — A logic bug in Linux XFRM’s ESP-in-TCP
subsystem lets unprivileged users write arbitrary bytes into the kernel
page cache of read-only files — no race condition needed. TCP sockets
transitioning to espintcp mode process queued file pages as
ESP ciphertext, enabling XOR keystream writes into cached pages. The
practical exploit writes a setuid stub into /usr/bin/su’s
page cache and spawns a root shell. All kernels before the May 13 patch
are affected. — GitHub
· Lobsters
Five Years, Five
Million Dollars, One Mistake
The YC-backed Wasp team built a full-stack web framework around a
custom DSL to eliminate “accidental complexity.” After five years
they’ve concluded the language itself was the mistake: it created a
perception barrier, IDE tooling proved far harder than expected, and it
lacked TypeScript’s ecosystem. The core value — a high-level app
specification — was always separable from the custom syntax. They’re now
replacing the DSL with TypeScript.
The Missing Primitive
The classic stateless-compute-plus-centralized-database pattern
breaks for LLM agents, which need long-running processes, stateful
conversation context, and bi-directional interruption. Current systems
poll the database as a message bus because there’s no way to route to a
specific durable process. The author identifies the missing piece: “a
routable transport name that isn’t a server” — named pub/sub channels
where both client and agent connect by name, enabling stateful
communication without polling.