Five days from bug class to a working M5 kernel exploit

Calif paired senior researcher Bruce Dang with Mythos Preview on a known bug class and landed a data-only local privilege escalation on macOS 26.4.1, running bare-metal on an M5 with kernel Memory Integrity Enforcement enabled. They say it's the first public macOS kernel exploit on MIE hardware; a 55-page report was hand-delivered to Apple Park. Mythos Preview generalized within the bug class but…

The strip-mining era of open-source security

Metabase

Metabase says their vulnerability inbox moved from roughly ten reports a month to ten a week starting in January, and most of the new ones read like model output. Cal.com is going closed source in response. The maintainer playbook the piece lands on: assume every known bug is now trivially rediscoverable, and patch fast.

“Historically, Metabase averaged 10 submissions per month. Starting in January, we've been averaging 10 submissions per week, and many of these are legit.”

arXiv will ban authors of papers with hallucinated references

r/MachineLearning paraphrasing Tom Dietterich

Tom Dietterich, the arXiv moderator for cs.LG, says authors of papers with incontrovertible evidence of unchecked LLM-generated errors — fake DOIs, citations to papers that don't exist, results referencing experiments that weren't run — face a one-year submission ban. The bar is set on purpose; the open question is whether banned authors get named in public.

“By signing your name as an author of a paper, each author takes full responsibility for all its contents, irrespective of how the content was generated.”

Codex pitches itself as the everyday-work surface

OpenAI Forum (YouTube)

Chris Nicholson and Thibault Sottiaux pair the broader-than-coding pitch with a Codex mobile launch inside the ChatGPT app on iOS and Android. Sottiaux's frame: users start, steer, and review long-running Codex jobs from a phone while the compute keeps running on a remote machine.

“Codex began as a tool for developers. Today, people are using it for much more: research, planning, file organization, automation, data analysis, presentations.”

Replit's iOS app is back after four months

@amasad

Amjad Masad announced the resolution without disclosing what Apple objected to. The replies converge on platform gatekeeping — App Store review, cloud credits, GPUs, payment rails — as the actual ceiling for agentic-AI apps on mobile.

“We worked things out with Apple, and just published our app for the first time in 4 months.”

Uncle Bob switches from Claude to Codex

@unclebobmartin

Robert C. Martin says he's cancelling his Claude account after a few weeks of using Codex as his only agent. His reasons are aesthetic, and he runs eight- to nine-hour Codex sessions on his swarm-forge multi-agent repo without hitting limits.

“Less wordy. More down to earth. More direct. A bit less risk averse — which I consider to be an advantage because I am the guarantor, not it.”

Arvind Narayanan on the verification challenge

@random_walker

Narayanan names the asymmetry behind every agentic-coding product decision this year: confident-sounding output raises the cost of catching the model's mistakes, and that cost lands on the human. The point pairs cleanly with Bob Martin saying he, not the tool, is the guarantor.

“The harder AI companies try to make their products feel like magic genies, the steeper the learning curve gets.”

NVIDIA passes a $300 RTX 5090 price hike to AIC partners

TechPowerUp

TechPowerUp reports a roughly $300 GPU-kit increase to add-in-card partners, driven by GDDR7 supply tightness and weeks-long lead times. MSRP is $1,999; street prices on Newegg have been crossing $4,000. The hike will show up at retailers within days or weeks.

“A $300 (about 2,000 RMB) increase for NVIDIA's add-in card (AIC) partners, who purchase these GPUs from NVIDIA.”

LocalLLaMA: 'glad I bought mine last year'

r/LocalLLaMA

356 upvotes and 160 comments, mostly a mix of resignation and pragmatic comfort. The same subreddit is also celebrating the RTX 5000 Pro 48GB as the new serious-hobbyist ceiling, which is the trade the price hike sharpens: keep buying consumer cards, or move up the stack.

How browsers treat the big sites differently

Den Odell

A tour through Firefox's about:compat page and WebKit's Quirks.cpp documents Safari and Firefox shipping domain-specific overrides for Facebook, X, Reddit, TikTok, Netflix, Instagram, Zillow, SeatGuru, and Amazon. Chrome doesn't carry equivalents, because Chrome's behavior is what other engines paper over.

“Facebook, X (twitter), and Reddit will naively pause a video element that has scrolled out of the viewport, regardless of whether that element is currently in PiP mode.”

A pure-OCaml protocol stack flying in low Earth orbit

Thomas Gazagnaire

Parsimoni's Borealis CCSDS stack booted on DPhi Space's ClusterGate-2 on April 23 — end-to-end encryption with ML-DSA-65 post-quantum signing, GADT-encoded state machines, libcrux and fiat-crypto primitives, and a five-to-ten-megabyte statically linked flight binary on a four-core Cortex-A53. OxCaml mode annotations pushed p99.9 latency on the dispatch hot path from 29 to 9 nanoseconds per packet.

“Switching to OxCaml with exclave_ stack_ annotations drops p99.9 latency from 29 ns to 9 ns per packet on the dispatch hot path, and removes GC pressure entirely.”