Hackaday Columns

4690 Articles

This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.

This Week In Security: Plenty Of Patches, Replacing Old Gear, And Phrack Calls For Papers

March 13, 2026 by 1 Comment

When Friday the Thirteenth and Patch Tuesday happen on the same week, we’re surely in for a good time.

Anyone who maintains any sort of Microsoft ecosystem knows by now to brace for impact come Patch Tuesday; March brings the usual batch of “interesting” issues, including:

  • Two high-risk Microsoft Office vulnerabilities (CVE-2026-26110 and CVE-2026-26113), both of which allow execution of arbitrary code with no user interaction other than opening a hostile file. Vulnerabilities like these are especially dangerous in environments where transferring Office documents is considered normal, such as (unsurprisingly) offices, but also for home users who may not be savvy enough to avoid opening hostile files. Arbitrary code execution allows the attacker to run essentially any commands the user would be able to run themselves, typically leveraging it to install remote access or keyboard logging malware.
  • Excel gets a different vulnerability, CVE-2026-26144, which allows leaking of data through a cross-site scripting vulnerability. Coupled with CoPilot Agent, this can be used to leak contents of spreadsheets, again with no direct user interaction.

On the server and container side, this month includes a fairly typical collection of patches for SQL Server, and vulnerabilities in the Microsoft-hosted device pricing and payment orchestrator services, which have been automatically patched by Microsoft.

When it’s Time to Replace Old Gear

We all love getting every ounce of usability from our old gear, but sometimes enough is enough – at least with the stock firmware. The FBI has issued a warning about decommissioning end-of-life routers made by several large companies, with eleven Linksys and one Cisco branded routers being specifically called out for vulnerabilities under active exploitation.

A notice such as this that an exploit is under active exploitation means that a theoretical vulnerability has been commoditized into specific attacks, typically used against all devices accessible from the Internet. It’s generally safe to assume that at this point, if a vulnerable device is exposed to the Internet, it’s been compromised.

The FBI notice doesn’t call out the specific vulnerabilities used, however there’s a wide variety to pick from:

  • CVE-2025-60690 is a simple buffer overflow allowing code execution from parameters passed to the web UI.
  • CVE-2025-60692 is a buffer overflow allowing arbitrary code execution from the local network via control of entries in /proc/net/arp – unlikely to be used for a remote compromise, but still amusing.
  • CVE-2025-60694 and CVE-2025-60693 are both additional stack overflow and code execution from web bugs, which sets a real pattern for the quality of the webserver in the stock firmware.
  • CVE-2025-60689CVE-2025-60691 and CVE-2025-34037 however appear to be the most likely culprits, both allowing arbitrary execution on the router without authentication, with CVE-2025-34037 rated a full 10/10 on the vulnerability scale and explicitly mentioning being used to deploy worm firmware.

Once an attacker is inside your router, the possible havoc they might cause is extensive:

  • Redirecting requests to malicious or fake websites by taking control of the DNS or rewriting requests at other layers.
  • Exposing systems on your private network – such as less secured IoT devices or other local devices with weak internal passwords – to the attackers.
  • Using your Internet connection to perform other attacks or pivots. Installing proxies on home equipment is a common method used for international attackers to appear as a normal home user in a target country.
  • Reselling your Internet access. Ever wonder how “free” VPN apps are able to offer access in random countries? Often an international VPN is just an infected home user!
  • Adding you to a botnet. Some of the largest distributed denial of service (DDoS) attacks have been carried out not by systems with huge bandwidth, but by tens of thousands (or more) of comrpomised small home routers, cameras, and other IoT type devices acting together.

If you have a Linksys E1200, E2500, E1000, E4200, E1500, E3000, E3200, E1550, WRT320N, WRT160N, WRT310N, or a Cisco M10 router still in use, the time is now to finally upgrade it – or at least explore the options of third-party firmware like OpenWRT. Unfortunately, many of these devices are so old that even OpenWRT may have difficulty running well on them, but all the more reason to update to something a little newer!

State-level Exploits in the Wild

In a pattern which should be familiar to anyone who had to deal with the leak of the Eternal Blue exploit as part of a dump of tools from the NSA which later evolved into the Wannacry and NotPetya global ransomware campaigns, another government-backed exploit toolkit has been captured and converted to a more generic criminal exploit.

Google Threat Intelligence documents the “Coruna” exploit kit, a rare public example of an attack against iPhones from iOS 13 to iOS 17.2.1. Often we see “advanced attack methods” or “targeted specific attacks” in release notes; rarely do we get further insight into the actual attacks!

Evolving from a government-backed tool to a financial crimeware exploit deployed widely to steal cryptocurrencies is interesting on its own, but perhaps the most fascinating aspect is the insight into how difficult modern exploits can be. Coruna combines 23 exploits into 5 chained attacks to be able to actually execute code from a web page. The final payload of the exposed version doesn’t deliver a spy payload, but instead focuses on cryptocurrency: searching for QR codes on disk to discover wallet addresses and saved recovery keys, wallet recovery phrases, and mentions of bank accounts, and leveraging those to steal cryptocurrency.

In true Google fashion, they’ve published indicators of compromise (IOCs) to inspect if a device has been attacked and a map of the control domains. Additional work deobfuscating the attacks and payloads can be found on GitHub here.

More Government Warnings

The US Government Cyber Defense Agency (CISA) has added additional warnings to the Known Exploited Vulnerabilities database (KEV) database. The KEV attempts to distill the torrent of security issues assigned a CVE into the most actionable vulnerabilities which have been observed being used in the wild. CISA advises not only federal and government agencies, but offers guidance for businesses of all sizes.

Many vulnerabilities on the KEV already have fixes. Paradoxically, this can sometimes make a vulnerability higher risk. Attackers have two advantages: a patch to reverse engineer to discover the exact mechanisms to trigger the flaw, and a motivation to use any exploits on a massive scale, knowing that the window of opportunity is about to close. Most of these vulnerabilities will likely be of interest mostly to readers who are in the enterprise space, but the first one regarding Android is a good reminder to everyone that the KEV isn’t just for giant companies.

As for the latest known exploited issues:

  • CVE-2026-21385 sounds very boring – an integer overflow in Qualcomm graphics drivers – except that those chipsets and drivers are found in a huge percentage of Android phones, tablets, set-top boxes, and likely more than a few smart TVs. This fix is bundled into the March Android security release and may prove critical. Remember to keep your devices up to date!
  • CVE-2026-22719 is a patched vulnerability in VMWare enterprise software (Aria Operations, specifically); if you need to care about enterprise-scale VMWare, you’ll care about this one!
  • CVE-2021-22054 resurfaces from 2021, again in VMWare enterprise consoles. The number of unpatched systems exposing a vulnerability from 2021 must be quite scary.
  • CVE-2025-26399 is a vulnerability in SolarWinds help desk sofware, which is a return of a bug not fully fixed in CVE-2024-28988. Which is, itself, the return of a bug not fully fixed in CVE-2024-28986. Look, bug fixing can be hard.
  • CVE-2026-1603 is an authentication bypass in Ivanti Endpoint Manager which allows access to stored credential secrets. Ivanti is an endpoint and device management system, used for monitoring, patching, upgrading, and controlling access on corporate device fleets.

Phrack Calls for Papers

The venerable Phrack has an open call for papers to be contributed to the summer issue. Released since 1985, Phrack has been a font of telecom and computer security hackery, including the critical “Smashing the Stack for Fun and Profit”, one of the first explanations of the now-ubiquitous buffer overflow and stack smashing attack.

If you think you’ve got something to contribute, or just want to check out their awesome retro demo scene loading page and some back issues, head over to the Phrack website.

Blood Tests Could Provide Early Warning Of Alzheimers Disease

March 10, 2026 by 2 Comments

Alzheimer’s disease remains a frustratingly difficult condition to manage for the millions of patients affected worldwide and their families. The cause of the disease is still not properly understood, and by the time memory loss and cognitive decline become apparent, the underlying brain pathology has often been quietly building for decades.

Soon, though it may be possible to diagnose impending Alzheimer’s disease ahead of time, before symptoms have taken hold. New research suggests this could be achieved through a simple blood draw, providing clinicians and patients precious time to manage the condition and plan ahead. Continue reading “Blood Tests Could Provide Early Warning Of Alzheimers Disease”

Ask Hackaday: What Will An LLM Be Good For In The Plateau Of Productivity?

March 9, 2026 by 71 Comments

A friend of mine has been a software developer for most of the last five decades, and has worked with everything from 1960s mainframes to the machines of today. She recently tried AI coding tools to see what all the fuss is about, as a helper to her extensive coding experience rather than as a zero-work vibe coding tool. Her reaction stuck with me; she referenced her grandfather who had been born in rural America in the closing years of the nineteenth century, and recalled him describing the first time he saw an automobile.

Après Nous, Le Krach

The Gartner hype cycle graph. Jeremykemp, CC BY-SA 3.0.

We are living amid a wave of AI slop and unreasonable hype so it’s an easy win to dunk on LLMs, but as the whole thing climbs towards the peak of inflated expectations on the Gartner hype cycle perhaps it’s time to look forward. The current AI hype is inevitably going to crash and burn, but what comes afterwards? The long tail of the plateau of productivity will contain those applications in which LLMs are a success, but what will they be? We have yet to hack together a working crystal ball, but perhaps it’s still time to gaze into the future. Continue reading “Ask Hackaday: What Will An LLM Be Good For In The Plateau Of Productivity?”

Hackaday Links Column Banner

Hackaday Links: March 8, 2026

March 8, 2026 by 8 Comments

As pointed out by Tom’s Hardware, it’s been 26 years since the introduction of the gigahertz desktop CPU. AMD beat Intel to the punch by dropping the 1 GHz Athlon chip on March 6th of 2000, and partnered with Compaq and Gateway (remember them?) to deliver pre-built machines featuring the speedy silicon just a week later. The archived press release announcing the availability of the chip makes for some interesting reading: AMD compares the accomplishment with Chuck Yeager breaking the sound barrier, and mentions a retail price of $1,299 for the CPU when purchased in 1,000 unit quantities. In response Intel “launched” their 1 GHz Pentium III chip two days later for $990, but supply problems kept it out of customer’s hands for most of the year.

Speaking of breaking a barrier, Mobile World Congress took place this week in Barcelona, where TechCrunch reports there was considerable interest in developing a sub-$50 smartphone. The GSM Association’s Handset Affordability Coalition is working with major telecom carriers in Africa and as of yet unnamed hardware partners to develop the low-cost 4G device with the hopes of bringing an additional 20 million people online. While the goal is worthy enough, industry insiders have pointed out that the skyrocketing cost of memory will make it particularly challenging to meet the group’s aspirational price point.

Continue reading “Hackaday Links: March 8, 2026”

Choice, Control, And Interruption

March 7, 2026 by 47 Comments

We were talking about [Maya Posch]’s rant on smartphones, “The Curse of the Everything Device”. Maya’s main point is that because the smartphone, or computer, can do everything, it’s hard for a person to focus down and do one thing without getting distracted, checking their whatever feed, or getting an important push notification about the Oscars. She was suggesting tying your hands to the mast by using a device that can only accommodate the one function, like a dedicated writing tool or word processor.

[Kristina Panos] compared the all-singing, all-dancing black rectangle to an everything-device of old: the all-in-one stereo receiver with built-in tape player, record player, and not just FM, but also AM radio receiver. The point being, the hi-fi device also does a whole lot of things but isn’t similarly cursed. The tape player never interrupts your listening to the AM radio station. When the record is over, it doesn’t swap over to FM. Your agency is required.

Similarly, it’s probably not intrinsically problematic that the smartphone has a camera, a web browser, text messages, and heck even a telephone built in. It’s how they interact with each other and the user, each vying for user attention, and interrupting with popups and alarms. It’s maybe a simple matter of software! (Says the hardware guy.)

Where would a distraction-free, but fully featured, phone begin? With the operating system? It would be perverse to limit you to one app at a time, or to make switching between them more cumbersome. How about turning off notifications, and relying on changing context only when you think about it? Maybe that’s a middle ground. How do you cope with the endless distractions offered to you by your smartphone? By your main computer?

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

Hackaday Podcast Episode 360: Cool Rubber Bands, Science-y Stuff, And The Whys Of Office Supplies

March 6, 2026 by 7 Comments
An early print of the linoleum block that Kristina started carving during the podcast. (It’s the original Cherry MX patent drawing, re-imagined for block printing.)

This week, Hackaday’s Elliot Williams and Kristina Panos met up over assorted beverages to bring you the latest news, mystery sound results show, and of course, a big bunch of hacks from the previous seven days or so.

In the news, we’ve launched a brand-new contest! Yes, the Green-Powered Challenge is underway, and we need your entry to truly make it a contest. You have until April 24th to enter, so show us what you can do with power you scrounge up from the environment around you!

On What’s That Sound, Kristina was leaning toward some kind of distant typing sounds, but [Konrad] knew it was our own Tom Nardi’s steam heat radiator pinging away.

After that, it’s on to the hacks and such, beginning with an exploration of all the gross security vulnerabilities in a cheap WiFi extender, and we take a look inside a little black and white pay television like you’d find in a Greyhound station in the 80s and 90s.

We also discuss the idea of mixing custom spray paint colors on the fly, a pen clip that never bends out of shape, and running video through a guitar effects pedal. Finally, we discuss climate engineering with disintegrating satellites, and the curse of everything device.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Download in DRM-free MP3 and savor at your leisure.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast Episode 360: Cool Rubber Bands, Science-y Stuff, And The Whys Of Office Supplies”

This Week In Security: Getting Back Up To Speed

March 6, 2026 by 11 Comments

Editor’s Note: Over the course of nearly 300 posts, Jonathan Bennett set a very high bar for this column, so we knew it needed to be placed in the hands of somebody who could do it justice. That’s why we’re pleased to announce that Mike Kershaw AKA [Dragorn] will be taking over This Week In Security! Mike is a security researcher with decades of experience, a frequent contributor to 2600, and perhaps best known as the creator of the Kismet wireless scanner.

He’ll be bringing the column to you regularly going forward, but given the extended period since we last checked in with the world of (in)security, we thought it would be appropriate to kick things off with a review of some of the stories you may have missed.

Hacking like it’s 2009, or 1996

Hello all!  It’s a pleasure to be here, and it already seems like a theme of the new year so far has bringing in the old bugs – what’s old is new again, and 2026 has seen several fixes to some increasingly ancient bugs.

Telnet

Reported on the OpenWall list, the GNU inetd suite brings an update to the telnet server (yes, telnet) that closes a login bug present since 2015 linked to environment variable sanitization.

Under the covers, the telnet daemon uses /bin/login to perform user authentication, but also has the ability to pass environment variables from the client to the host. One of these variables, USER, is passed directly to login — unfortunately this time with no checking to see what it contains. By simply passing a USER variable of “-froot”, login would accept the “-f” argument, or “treat this user as already logged in”. Instant root!

If this sounds vaguely familiar, it might be because the exact same bug was found in the Solaris telnetd service in 2007, including using the “-f” argument in the USER variable. An extremely similar bug targeting other variables (LD_PRELOAD) was found in the FreeBSD telnetd service in 2009, and other historical similar bugs have afflicted AIX and other Unix systems in the past.

Of course, nobody in 2026 should be running a telnet service, especially not exposed to the Internet, but it’s always interesting to see the old style of bugs resurface.

Glibc

Also reported on the OpenWall list, glibc — the GNU LibC library which underpins most binaries on Linux systems, providing kernel interfaces, file and network I/O, string manipulation, and most other common functions programmers expect — has killed another historical bug, present since 1996 in the DNS resolver functions which could be used to expose some locations in the stack.

Although not exploitable directly, the getnetbyaddr resolution functions could still ease in breaking ASLR, making other exploits viable.

Address Space Layout Randomization (ASLR) is a common method of randomizing where in memory a process and its data are loaded, making trivial exploits like buffer overflows much harder to execute. Being able to expose the location of the binary in memory by leaking stack locations weakens this mechanism, possibly exposing a vulnerable program to more traditional attacks.

MSHTML

In February, Microsoft released fixes under CVE-2026-21513 for the MSHTML Trident renderer – the one used in Internet Explorer 5. Apparently still present in Windows, and somehow still accessible through specific shortcut links, it’s the IE5 and Active-X gift that keeps giving, being actively exploited.

Continue reading “This Week In Security: Getting Back Up To Speed”