New tools, products, platforms, funding rounds, and company developments in AI security.
This post describes a vulnerability in VirtualBox's NAT (network address translation, a mode that makes VM traffic look like it comes from the host computer) networking code, specifically in how it manages memory for packet data using a custom zone allocator. The vulnerability exists because safety checks that verify memory integrity use Assert() statements, which are disabled in the standard release builds of VirtualBox that users download, allowing potential exploitation.
This article explains race condition vulnerabilities (security gaps that occur when a system state changes between a security check and a resource access) in Windows and describes techniques to expand the narrow time window needed to exploit them. The author focuses on slowing down the Object Manager Namespace lookup process (the kernel system that finds named objects like files and events in Windows NT) by manipulating Symbolic Links (redirects in the object naming system) to create larger exploitation windows.
Between July 2024 and February 2025, malicious DNG files (a raw image format) were discovered that exploited a Samsung vulnerability through the Quram image parsing library. These files were sent via WhatsApp and triggered a spyware infection when users clicked to download the images, which then allowed the malware to run within Samsung's com.samsung.ipservice process, a system service that automatically scans images for AI-powered features.
Version 0.14.10 of llama-index-core added a mock function calling LLM (a simulated language model that can pretend to execute functions), while related packages fixed typos and added new integrations like Airweave tool support for advanced search capabilities. This is a routine software release with feature additions and bug fixes.
LlamaIndex released version 0.14.9 with updates across multiple components, including bug fixes for vector stores (systems that store converted data in a format AI models can search), support for new AI models like Claude Opus 4.5 and GPT-5.1, and improvements to integrations with services like Azure, Bedrock, and Qdrant. The release addresses issues with memory management, async operations (non-blocking code that runs in parallel), and various database connectors.
Google's new Antigravity IDE inherits multiple security vulnerabilities from the Windsurf codebase it was licensed from, including remote command execution (RCE, where an attacker can run commands on a system they don't own) via indirect prompt injection (tricking an AI by hiding instructions in its input), hidden instruction execution, and data exfiltration. The IDE's default setting allows the AI to automatically execute terminal commands without human review, relying on the language model's judgment to determine if a command is safe, which researchers have successfully bypassed with working exploits.
Slither-MCP is a new tool that connects LLMs (large language models) with Slither's static analysis engine (a tool that examines code without running it to find bugs), making it easier for AI systems to analyze and audit smart contracts written in Solidity (a programming language for blockchain). Instead of using basic search tools, LLMs can now directly ask Slither to find function implementations and security issues more accurately and efficiently.
Trail of Bits released open-source Go implementations of ML-DSA and SLH-DSA, two NIST-standardized post-quantum signature algorithms (cryptographic methods designed to resist attacks from quantum computers). The team engineered these libraries to be constant-time, meaning they execute in the same amount of time regardless of input values, to prevent side-channel attacks (security breaches that exploit physical characteristics like timing or power consumption rather than the algorithm itself) like the KyberSlash vulnerability that affected earlier Kyber implementations.
This release notes document describes version updates across multiple llama-index (a framework for building AI applications with language models) components, including fixes for bugs like a ReActOutputParser (a tool that interprets AI agent outputs) getting stuck, improved support for multiple AI model providers like OpenAI and Google Gemini, and updates to various integrations with external services. The updates span from core functionality fixes to documentation improvements and SDK compatibility updates across dozens of sub-packages.
Under the EU AI Act, organizations that modify existing AI systems or general-purpose AI models (GPAI models, which are foundational AI systems designed to perform many different tasks) may become legally classified as "providers" and face significant compliance responsibilities. The article explains that modifications triggering higher compliance burdens typically involve high-risk AI systems or substantial changes to a GPAI model's capabilities or generality, such as fine-tuning (customizing a model for specific tasks). Proper assessment of whether a modification triggers provider status is critical, since misclassification can result in fines up to €15 million or 3% of global annual revenue.
LlamaIndex released version 0.14.7 and several component updates that add new features and fix bugs across the platform. Key updates include integrations with tool-calling features for multiple AI models (Anthropic, Mistral, Ollama), new support for GitHub App authentication, and fixes for failing tests and documentation issues. These changes improve how LlamaIndex connects to different AI services and external tools.
Anthropic added network request capabilities to Claude's Code Interpreter, which creates a security risk for data exfiltration (unauthorized stealing of sensitive information). An attacker, either controlling the AI model or using indirect prompt injection (hidden malicious instructions in a document the AI processes), could abuse Anthropic's own APIs to steal data that a user has access to, rather than using typical methods like hidden links.
LlamaIndex v0.14.6 is a software update released on October 26, 2025, that fixes various bugs across multiple components including support for parallel tool calls, metadata handling, embedding format compatibility, and SQL injection vulnerabilities (using parameterized queries instead of raw SQL string concatenation). The release also adds new features like async support for retrievers and integrations with new services like Helicone.
AI agents (software systems that take actions automatically) often execute pre-approved system commands like 'find' and 'grep' for efficiency, but attackers can bypass human approval protections through argument injection attacks (exploiting how command parameters are handled) to achieve remote code execution (RCE, where attackers run unauthorized commands on a system). The article identifies that while these systems block dangerous commands and disable shell operators, they fail to validate command argument flags, creating a common vulnerability across multiple popular AI agent products.
LlamaIndex v0.14.5 is a release that fixes multiple bugs and adds new features across its ecosystem of AI/LLM tools. Changes include fixing duplicate node positions in documents, improving streaming functionality with AI providers like Anthropic and OpenAI, adding support for new AI models, and enhancing vector storage (database systems that store AI embeddings, which are numerical representations of text meaning) capabilities. The release also introduces new integrations, such as Sglang LLM support and SignNow MCP (model context protocol, a standard for connecting AI tools) tools.
Fix: The exploited Samsung vulnerability was fixed in April 2025.
Google Project ZeroGitHub's CodeQL multi-repository variant analysis (MRVA) lets you run security bug-finding queries across thousands of projects quickly, but it's built mainly for VS Code. A developer created mrva, a terminal-based alternative that runs on your machine and works with command-line tools, letting you download pre-built CodeQL databases (collections of code information), analyze them with queries, and display results in the terminal.
The AI industry is gradually accepting LLM (large language model) outputs as reliable without questioning them, similar to how NASA ignored warning signs before the Challenger disaster. This 'normalization of deviance' (accepting behavior that deviates from proper standards as normal) is particularly risky in agentic systems (AI systems that can take independent actions without human approval at each step), where unchecked LLM decisions could cause serious problems.
The Center for AI Safety launched an AI Dashboard that evaluates frontier AI models (the most advanced AI systems currently available) on capability and safety benchmarks, ranking them across text, vision, and risk categories. The Risk Index specifically measures how likely models are to exhibit dangerous behaviors like dual-use biology assistance (helping with harmful biological research), jailbreaking vulnerability (susceptibility to tricks that bypass safety features), overconfidence, deception, and harmful actions, with Claude Opus 4.5 currently scoring safest at 33.6 on a 0-100 scale (lower is safer). The dashboard also tracks industry progress toward broader automation milestones like AGI (artificial general intelligence, systems that can perform any intellectual task) and self-driving vehicles.
Fix: The source describes a technique for removing branches (conditional decision points) from cryptographic code using bit masking, two's complement, and XOR (exclusive OR, a logical operation) to perform both sides of a condition and then use a constant-time conditional swap based on the condition to obtain the correct result. However, the source does not provide a complete, production-ready solution—it only shows partial code examples and states they are 'Not secure -- DO NOT USE.' The source does not mention specific updates, patches, or versions that users should apply.
Trail of Bits BlogA new benchmark called the Remote Labor Index (RLI) measures whether AI systems can automate real computer work tasks across different professions, showing that current AI agents can only fully automate 2.5% of projects despite improving over time. Additionally, over 50,000 people, including top scientists and Nobel laureates, signed an open letter calling for a moratorium (temporary ban) on developing superintelligence (a hypothetical AI system far more capable than humans) until it can be proven safe and controllable.
Fix: The source explicitly mentions one security fix: 'Replace raw SQL string interpolation with proper SQLAlchemy parameterized APIs in PostgresKVStore' (llama-index-storage-kvstore-postgres #20104). Users should update to v0.14.6 to receive this and other bug fixes. No other specific mitigation steps are described in the release notes.
LlamaIndex Security ReleasesFix: The article states that 'the impact from this vulnerability class can be limited through improved command execution design using methods like sandboxing (isolating code in a restricted environment) and argument separation.' The text also mentions providing 'actionable recommendations for developers, users, and security engineers,' but the specific recommendations are not detailed in the provided excerpt.
Trail of Bits BlogThe Senate introduced the AI LEAD Act, which would make AI companies legally liable for harms their systems cause, similar to how traditional product liability (the legal responsibility companies have when their products injure people) works for other products. The act would clarify that AI systems count as products subject to liability and would hold companies accountable if they failed to exercise reasonable care in designing the system, providing warnings, or if they sold a defective system. Additionally, China announced new export controls on rare earth metals (elements essential to semiconductors and AI hardware), which could disrupt global AI supply chains if strictly enforced.
Fix: The AI LEAD Act itself serves as the proposed solution: it would establish federal product liability for AI systems, clarify that AI companies are liable for harms if they fail to exercise reasonable care in design or warnings or breach warranties, allow deployers to be held liable for substantially modifying or dangerously misusing systems, prohibit AI companies from limiting liability through consumer contracts, and require foreign AI developers to register agents for service of process in the US before selling products domestically.
CAIS AI Safety Newsletter