Local privilege escalation via execve()

160 points - yesterday at 8:31 PM

Comments

Groxx today at 3:54 AM

    -     args->endp - args->begin_argv + consume);
    +     args->endp - (args->begin_argv + consume));
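
Review bot: on the `+` line the length is still computed inline as a pointer difference in the call's argument list, and nothing in this hunk shows it being checked against the buffer. Consider hoisting it into a named local, for example `tail = args->endp - (args->begin_argv + consume)`, and checking that `consume` does not exceed `args->endp - args->begin_argv` before the copy, so the intended length is readable without relying on operator precedence.
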
tbh I've considered simply banning math-operator-precedence in projects I work on, and requiring all mixed-operator code to use parentheses or split to multiple statements. I do that myself, at least.

I've seen so many mistakes from it, and seen people spend so much pointless and avoidable time deciphering and verifying it, it really doesn't seem worth it (in most code) for the extremely minor character savings.

cryptbe yesterday at 9:58 PM
Nice to randomly encounter our own work here.

Check out our blog post for a fun walkthrough: https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-free...

AI-generated working exploit, write-up and prompts: https://github.com/califio/publications/tree/main/MADBugs/fr...

tptacek yesterday at 10:02 PM
Calif is just killing it these past couple months. Reminder that Calif is Thai Duong's new firm.

dnw today at 5:08 AM
A CVE for exeCVE()

cyberpunk yesterday at 9:06 PM
This is from April 28th, it was patched in 15.0R-p7.

wolvoleo yesterday at 10:08 PM
Oof that's a pretty big one, I didn't realise but I had already updated anyway.

0xbadcafebee today at 12:35 AM

  memmove(args->begin_argv + extend, args->begin_argv + consume,
      args->endp - args->begin_argv + consume);   // ← bug
C code like this is why we can't have nice things. Arithmetic operation in the arguments of a dangerous function call with no explicit bounds check.
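
The effect of the missing parentheses discussed in the two comments above, as an added example (not code from FreeBSD or from any commenter): it compares the length the quoted line computes with the length after the fix, then performs the same shift with both sizes checked against the buffer first. `struct args_buf`, its `buf_end` field, the function names and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the structure in the quoted snippet. */
struct args_buf {
    char *begin_argv;   /* start of the argument strings */
    char *endp;         /* one past the last used byte */
    char *buf_end;      /* one past the end of the allocation (assumed field) */
};

/* Length as written in the quoted line: (endp - begin_argv) + consume. */
static ptrdiff_t tail_len_as_written(const struct args_buf *a, size_t consume)
{
    return a->endp - a->begin_argv + (ptrdiff_t)consume;
}

/* Length with the parentheses from the fix: bytes after the consumed prefix. */
static ptrdiff_t tail_len_fixed(const struct args_buf *a, size_t consume)
{
    return a->endp - (a->begin_argv + consume);
}

/* Replace the first `consume` bytes with room for `extend` bytes.
 * Returns 0 on success, -1 if the request does not fit the buffer. */
static int shift_tail(struct args_buf *a, size_t consume, size_t extend)
{
    size_t used = (size_t)(a->endp - a->begin_argv);
    size_t cap = (size_t)(a->buf_end - a->begin_argv);
    if (consume > used)
        return -1;                  /* cannot consume more than is present */
    size_t tail = used - consume;   /* named length, no precedence puzzle */
    if (extend > cap - tail)
        return -1;                  /* shifted tail would pass buf_end */
    memmove(a->begin_argv + extend, a->begin_argv + consume, tail);
    a->endp = a->begin_argv + extend + tail;
    return 0;
}

int main(void)
{
    char buf[32] = "AAAABBBBCCCCDDDD";   /* constructed sample: 16 bytes used */
    struct args_buf a = { buf, buf + 16, buf + sizeof buf };
    printf("as written: %td, fixed: %td\n",
           tail_len_as_written(&a, 4), tail_len_fixed(&a, 4));
    printf("checked shift ok: %d\n", shift_tail(&a, 4, 8) == 0);
    return 0;
}
```

The two lengths differ by twice `consume`, so with the unparenthesised form the copy covers that many bytes more than the tail that actually follows the consumed prefix.
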
rvz yesterday at 8:45 PM
> IV. Workaround

> No workaround is available.

Oh dear.

doublerabbit yesterday at 9:03 PM
Linux is on their second and FreeBSD is on their first. How many is Windows on?