aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6436 items

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave

infonews
security
Jan 14, 2026

A researcher discovered three bugs in the BigWave driver on Pixel 9 phones, including one that allows escaping the mediacodec sandbox (a restricted environment where apps run with limited permissions) to gain kernel arbitrary read/write access. The most dangerous bug is a use-after-free vulnerability (accessing memory that has already been freed), which occurs when a worker thread continues processing a job after the file descriptor managing it has been closed and its memory destroyed.

Fix: Fixes were made available for all three bugs on January 5, 2026.

Google Project Zero

A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby

infonews
security
Jan 14, 2026

Google's security team discovered a critical vulnerability (CVE-2025-54957) in the Dolby Unified Decoder, a library that processes audio formats on Android phones. The vulnerability is dangerous because AI features automatically decode incoming audio messages without user interaction, putting the decoder in the 0-click attack surface (meaning attackers can exploit it without users taking any action). Researchers demonstrated a complete exploit chain on the Pixel 9 that chains multiple vulnerabilities together to gain control of the device, highlighting how media decoder bugs can be practically weaponized on modern Android phones.

CVE-2026-22708: Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode wi

criticalvulnerability
security
Jan 14, 2026
CVE-2026-22708

Cursor is a code editor designed for programming with AI. Before version 2.3, when the Cursor Agent runs in Auto-Run Mode with Allowlist mode enabled (a security setting that restricts which commands can run), attackers could bypass this protection by using prompt injection (tricking the AI by hiding instructions in its input) to execute shell built-ins (basic operating system commands) and modify environment variables (settings that affect how programs behave). This vulnerability allows attackers to compromise the shell environment without user approval.

Robust Physics-Based Deep MRI Reconstruction via Diffusion Purification

inforesearchPeer-Reviewed
research

SLeak: Multi-Target Privacy Stealing Attack Against Split Learning

inforesearchPeer-Reviewed
security

CVE-2026-0532: External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker

highvulnerability
security
Jan 14, 2026
CVE-2026-0532

A vulnerability in the Google Gemini connector allows an authenticated attacker with connector-creation privileges to read arbitrary files on the server by sending a specially crafted JSON configuration. The flaw combines two weaknesses: improper control over file paths (CWE-73, where user input is used unsafely to access files) and server-side request forgery (SSRF, where a server is tricked into making unintended network requests). The server fails to validate the configuration before processing it, enabling both unauthorized file access and arbitrary network requests.

CVE-2026-22686: Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sa

criticalvulnerability
security
Jan 13, 2026
CVE-2026-22686

Enclave is a JavaScript sandbox (a restricted environment for running untrusted code safely) designed to isolate AI agent code execution. Before version 2.7.0, it had a critical vulnerability where attackers could escape the sandbox by triggering an error, climbing the prototype chain (the sequence of objects that inherit properties from each other) to reach the host Function constructor, and then executing arbitrary code on the underlying Node.js system with access to sensitive data like environment variables and files.

CVE-2025-71093: In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e10

infovulnerability
security
Jan 13, 2026
CVE-2025-71093

A vulnerability (OOB, or out-of-bounds memory access, where code reads memory it shouldn't) exists in the Linux kernel's e1000 network driver in the e1000_tbi_should_accept() function. When processing incoming network data, the function tries to read the last byte of a frame without checking if the reported frame length is valid, potentially accessing memory outside the allocated buffer and crashing the system.

CVE-2025-68809: In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on m_flags in vfs_cache ksmbd

infovulnerability
security
Jan 13, 2026
CVE-2025-68809

A race condition (a bug where multiple processes access the same data simultaneously without proper coordination) existed in ksmbd, a Linux kernel component that handles file sharing, where different parts of the code accessed delete-on-close and pending-delete flags inconsistently, sometimes using locks (protective mechanisms that prevent simultaneous access) and sometimes not, potentially causing files to disappear unexpectedly or remain on disk when they shouldn't.

Lack of isolation in agentic browsers resurfaces old vulnerabilities

highnews
securitysafety

CVE-2025-15514: Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal mod

highvulnerability
security
Jan 12, 2026
CVE-2025-15514

Ollama versions 0.11.5-rc0 through 0.13.5 have a null pointer dereference vulnerability (a crash caused by the software trying to use a memory address that doesn't exist) in their image processing code. An attacker can send specially crafted fake image data to the /api/chat endpoint (the interface for chat requests), which causes the application to crash and become unavailable until manually restarted, affecting all users.

CVE-2024-58340: LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the

highvulnerability
security
Jan 12, 2026
CVE-2024-58340

LangChain versions up to 0.3.1 have a ReDoS vulnerability (a type of bug where a poorly written pattern-matching rule can be tricked into consuming huge amounts of CPU time) in a parser that extracts tool actions from AI model output. An attacker can exploit this by injecting malicious text, either directly or through prompt injection (tricking an AI by hiding instructions in its input), causing the parser to slow down dramatically or stop working entirely.

CVE-2024-58339: LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vuln

highvulnerability
security
Jan 12, 2026
CVE-2024-58339

LlamaIndex versions up to 0.12.2 have a vulnerability where the VannaPack VannaQueryEngine takes user prompts, converts them to SQL statements, and runs them without limits on how much computing power they use. An attacker can exploit this by submitting prompts that trigger expensive SQL operations, causing the system to run out of CPU or memory (a denial-of-service attack, where a service becomes unavailable).

CVE-2024-14021: LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability i

highvulnerability
security
Jan 12, 2026
CVE-2024-14021

LlamaIndex versions up to 0.11.6 contain a vulnerability where the BGEM3Index.load_from_disk() function uses pickle.load() (a Python method that converts stored data back into objects) to read files from a user-provided directory without checking if they're safe. An attacker could provide a malicious pickle file that executes arbitrary code (runs any commands they want) when a victim loads the index from disk.

CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi

criticalvulnerability
security
Jan 12, 2026
CVE-2026-22252

LibreChat, a ChatGPT clone with extra features, has a vulnerability in versions before v0.8.2-rc2 where its MCP stdio transport (a communication method for connecting components) accepts commands without checking if they're safe, letting any logged-in user run shell commands as root inside a container with just one API request. This is a serious authorization flaw because it bypasses permission checks.

CVE-2026-22813: OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into

mediumvulnerability
security
Jan 12, 2026
CVE-2026-22813

OpenCode, an open source AI coding agent, has a vulnerability in its markdown renderer that allows arbitrary HTML to be inserted into the web interface without proper sanitization (blocking of malicious code). Because there is no protection like DOMPurify (a tool that removes dangerous HTML) or CSP (content security policy, rules that restrict what code can run), an attacker who controls what the AI outputs could execute JavaScript (code that runs in the browser) on the local web interface.

CVE-2026-22812: OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP serv

highvulnerability
security
Jan 12, 2026
CVE-2026-22812

OpenCode is an open source AI coding agent that, before version 1.0.216, automatically started an unauthenticated HTTP server (a service that accepts web requests without requiring a password or login). This allowed any local process or website with permissive CORS (a web setting that controls which websites can access a server) to execute arbitrary shell commands with the user's privileges, meaning someone could run malicious commands on the affected computer.

CVE-2025-14279: MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validat

highvulnerability
security
Jan 12, 2026
CVE-2025-14279

MLFlow versions up to 3.4.0 have a vulnerability where the REST server (the interface that external programs use to communicate with MLFlow) doesn't properly validate Origin headers, which are security checks that prevent unauthorized websites from making requests. This allows attackers to use DNS rebinding attacks (tricks where malicious websites disguise their identity to bypass security protections) to query, modify, or delete experiments, potentially stealing or destroying data.

Armor: Shielding Unlearnable Examples Against Data Augmentation

inforesearchPeer-Reviewed
security

Model Lineage Analysis: Determination and Closeness Measurement

inforesearchPeer-Reviewed
research
Previous223 / 322Next

Fix: The vulnerabilities discussed in these posts were fixed as of January 5, 2026.

Google Project Zero

Fix: This vulnerability is fixed in 2.3.

NVD/CVE Database
safety
Jan 14, 2026

Deep learning models used for MRI reconstruction (creating medical images from incomplete data) can fail when faced with unexpected situations like noise, different imaging settings, or unseen medical conditions. This paper proposes RODIO, a method that uses diffusion models (AI systems that gradually refine noisy data into clear images) as "purifiers" to make MRI reconstruction systems more reliable, and shows it works better than existing robustification techniques like adversarial training (deliberately exposing models to bad inputs during training to make them stronger).

Fix: The paper proposes RODIO as the solution: using pretrained diffusion models as purifiers to improve robustness by fine-tuning on purified examples, which eliminates the need for adversarial training's complex optimization process. The authors state their approach demonstrates adaptability across multiple deep learning MRI reconstruction models, compatibility with accelerated diffusion samplers, robustness to data with unseen lesions, and effectiveness with unsupervised generative reconstructors.

IEEE Xplore (Security & AI Journals)
research
Jan 14, 2026

Split Learning (SL) is a distributed learning framework designed to preserve privacy while reducing computational load, but researchers discovered a new attack called SLeak that allows a server adversary to steal client data and models. The attack works by exploiting information in the smashed data (intermediate data passed between clients and server) and server model to build a substitute client that mimics the target client's behavior, without needing strong privacy assumptions or much auxiliary data. The study shows SLeak is more effective than previous attacks across different datasets and scenarios.

IEEE Xplore (Security & AI Journals)
NVD/CVE Database

Fix: This vulnerability is fixed in version 2.7.0.

NVD/CVE Database

Fix: The fix rejects frames early if the length is zero or exceeds adapter->rx_buffer_len before attempting to read the last byte. This prevents the out-of-bounds read while preserving the TBI workaround (a workaround for a hardware quirk) for valid frames.

NVD/CVE Database

Fix: The fix involves: (1) Making ksmbd_query_inode_status() check the flags under ci->m_lock (a lock protecting the data) after releasing inode_hash_lock; (2) Adding ci->m_lock protection to all helper functions that read or modify the flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()); (3) Keeping existing ci->m_lock protection in __ksmbd_inode_close() while moving the actual file deletion outside the lock to unify locking around these flags and remove the data race.

NVD/CVE Database
Jan 13, 2026

Agentic browsers (web browsers with embedded AI agents) lack proper isolation mechanisms, allowing attackers to exploit them in ways similar to cross-site scripting (XSS, where malicious code runs on websites you visit) and cross-site request forgery (CSRF, where attackers trick your browser into making unwanted requests). Because AI agents have access to the same sensitive data that users trust browsers with, like bank accounts and passwords, inadequate isolation between the AI agent and websites creates old security vulnerabilities that the web community thought it had solved decades ago.

Fix: The key recommendation for developers of agentic browsers is to extend the Same-Origin Policy (a security rule that keeps different websites' data separate in browsers) to AI agents, building on proven principles that successfully secured the web.

Trail of Bits Blog
NVD/CVE Database
NVD/CVE Database
NVD/CVE Database
NVD/CVE Database

Fix: Update to v0.8.2-rc2 or later. According to the source, 'This vulnerability is fixed in v0.8.2-rc2.'

NVD/CVE Database

Fix: This vulnerability is fixed in version 1.1.10.

NVD/CVE Database

Fix: Update to version 1.0.216 or later. The vulnerability is fixed in 1.0.216.

NVD/CVE Database

Fix: The issue is resolved in version 3.5.0.

NVD/CVE Database
privacy
Jan 12, 2026

Unlearnable examples are protective noises added to private data to prevent AI models from learning useful information from them, but this paper shows that data augmentation (a common technique that creates variations of training data to improve model performance) can undo this protection and restore learnability from 21.3% to 66.1% accuracy. The researchers propose Armor, a defense framework that adds protective noise while accounting for data augmentation effects, using a surrogate model (a practice model used to simulate the real training process) and smart augmentation selection to keep private data unlearnable even after augmentation is applied.

Fix: The paper proposes Armor, a defense framework that works by: (1) designing a non-local module-assisted surrogate model to better capture the effect of data augmentation, (2) using a surrogate augmentation selection strategy that maximizes distribution alignment between augmented and non-augmented samples to choose the optimal augmentation strategy for each class, and (3) using a dynamic step size adjustment algorithm to enhance the defensive noise generation process. The authors state that 'Armor can preserve the unlearnability of protected private data under data augmentation' and plan to open-source the code upon publication.

IEEE Xplore (Security & AI Journals)
Jan 12, 2026

This research addresses how to identify whether one machine learning model is derived from another model through modification techniques (adjusting or fine-tuning an existing model rather than training from scratch), and how to measure how much two models differ from each other. The authors propose a method that determines lineage (derivative relationships) by checking if two models' parameters exist in the same local optimum of the loss landscape (the mathematical space of possible model configurations), and measure closeness by analyzing how their decision boundaries (the lines or surfaces that separate different predictions) differ from each other.

IEEE Xplore (Security & AI Journals)