PUBLISHING · RIYADH · SA RESEARCH · PUBLIC
blogs.darkcov.com
Archive: /research · Updated: 2026-04-18 · Maintained by: DarkCov LLC · Language: en-US

Papers from the work.

Technical publications from DarkCov. Vulnerability research, exploit development, allocator internals, and systems engineering. Written by the researchers who did the work. No marketing. No abstracts written by people who did not touch the bug. Published when publication is cleared; not before.

repo: darkcov / research
status: active
branch: public
published: 1
queued: classified
withheld: classified
contact: research@darkcov.com

§ Index

Published research.

Listed newest first. Every paper is authored internally, reviewed by the firm, and cleared for release. Where a vulnerability was disclosed to an upstream vendor, that disclosure precedes publication.

PUBLIC · UNRESTRICTED

Schrödinger's Chunk: Is It Freed? Yes. Is It Allocated? Also Yes. Do We Have a Shell? Absolutely.

A single null byte. No use-after-free in the target. No double-free. Every mitigation the toolchain offers (Full RELRO, stack canary, NX, PIE) is active. We chain five bugs in glibc 2.43's own allocator code to manufacture a use-after-free from nothing and end with a shell. The target program is correct. The bugs are in glibc.

Read the full paper
APPROX READ: 38 min
WORD COUNT: ~7,800
LEVEL: Advanced

PENDING CLEARANCE

Publication pending upstream coordinated disclosure. Title and authorship withheld until embargo lifts.

EST RELEASE: Q3 2026
STATUS: Embargoed

§ Publication policy

What we publish, what we do not.

All vulnerabilities in third party software are reported to the affected vendor in advance of publication. Public posts go out after the vendor has had a reasonable window to respond, fix, or request an extension. Where a coordinated disclosure is in progress, the paper is held until the embargo lifts.

Research produced inside a client engagement is not, and will not be, published. Regardless of technical merit. Regardless of how many times someone asks. A paper lives on this site because it is ours to release, not because it is interesting.

Where a paper references tools, scripts, or proof of concept code, those artefacts are released only when doing so does not meaningfully lower the bar for harm. The reader is expected to be capable of reconstructing the technique from the description alone.

// Research correspondence

Write directly to the desk.

Questions about a paper. Follow-up detail. Reproduction issues. Suggested reading. Research collaboration inquiries from identified principals. Replies are best-effort.

research@darkcov.com

// Security disclosure

Found something in our stack?

Responsible disclosure of issues in darkcov.com, the research subdomain, or any DarkCov infrastructure. Handled confidentially through our incident response process.

security@darkcov.com