Actively Exploited Chrome Zero-Day, CVE-2026-11645 [image: 1781273761520-d2a16b96-fe8b-4891-9856-c7e9ef7a26bb-image.jpeg] Google has pushed an emergency Chrome desktop update for CVE-2026-11645, a high-severity zero-day in the V8 JavaScript engine that is already being exploited in the wild. The patched Stable channel versions are 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for macOS. The bug is described as an out-of-bounds read/write issue in V8, Chrome’s JavaScript and WebAssembly engine. In practical terms, this is the type of browser memory corruption flaw that can be triggered through attacker-controlled web content, such as a crafted HTML page. Successful exploitation may allow arbitrary code execution inside Chrome’s browser sandbox, and memory corruption bugs like this can sometimes be chained with a second flaw to escape the sandbox or bypass mitigations such as ASLR. Google has not released full technical details yet, which is normal for actively exploited Chrome bugs. Access to bug details is usually restricted until most users have received the fix, reducing the chance of rapid public weaponization. The advisory confirms that an exploit exists in the wild, but does not currently identify the threat actor, target set, exploit chain, or whether the activity is tied to spyware, cybercrime, or targeted intrusion operations. This update is also notable because CVE-2026-11645 is reportedly the fifth Chrome zero-day patched so far in 2026. That continues the pattern of modern browser engines being high-value targets. Chrome, Chromium-based browsers, and embedded browser runtimes are frequently exposed to untrusted content, making V8 bugs especially attractive for initial access, credential/session theft, and targeted drive-by exploitation. Admins should verify Chrome version compliance rather than assuming auto-update has completed. Chrome’s update mechanism usually handles this automatically, but browser restarts are still required. Enterprise fleets should confirm patched versions across Windows, macOS, and Linux endpoints, and should also check Chromium-based browser variants as vendor patches become available. Recommended actions: Update Chrome desktop to 149.0.7827.102 or later on Windows/Linux, or 149.0.7827.103 or later on macOS. Force browser restarts where updates are pending. Review EDR/browser telemetry for unusual Chrome crashes, suspicious renderer behavior, and unexpected child process activity. Treat recent exposure to suspicious or compromised websites as higher risk until endpoints are confirmed patched. Watch for follow-up advisories as Google releases more technical detail after broad patch adoption. Sources: Bleeping Computer: https://www.bleepingcomputer.com/news/security/google-patches-fifth-chrome-zero-day-bug-exploited-in-attacks-this-year/ The Hacker News: https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html SOC Prime Team: https://socprime.com/blog/cve-2026-11645-chrome-zero-day-vulnerability-exploited-in-the-wild/

Full write up: https://forum.hashpwn.net/post/13339

I have multiple rigs, servers, desktops, laptops and raspberry pi 3b, 4 & 5 SBC, but the two below are my main hash cracking rigs. Rig #1 GPU(s): 1x Nvidia RTX 4090 MSI Suprim Liquid X GPU Cooling: Waterblock GPU Driver: 580.95.05 (CUDA 13.0) GPU Overclock / Undervolt Settings: 400W power limit CPU(s): 1x Ryzen 7 3700X CPU Cooling: Waterblock RAM: 64gb DDR4 G.SKILL Ripjaws V (4x16GB) MB: ASUS ROG STRIX X470-F GAMING Storage: (OS, ZFS RAIDZ1, backups, scratch disk, etc) - NVMe: 1x 2TB ADATA - SSD: 4x 2TB Samsung 870 - SSD: 1x 120GB OCZ - HDD: 2x 8TB WD80 PSU: 1600W EVGA SuperNOVA Platinum+ OS: Debian 13 Tools Used: hashcat 6.2.6 / 7.x, mdxfind, jtr, rling, hashgen, spider, pcfg-go Rig Type: rackmount LAN: 10Gb fiber (SFP+) Rig #2 GPU(s): 2x NVIDIA RTX 4090 MSI Gaming X GPU Cooling: Air (triple-fan) GPU Driver: 580.95.05 (CUDA 13.0) GPU Overclock / Undervolt Settings: 400W power limit CPU(s): 2x Intel Xeon E5-2690 v4 CPU Cooling: OEM Dell RAM: 128GB DDR4 ECC (8x16GB) MB: OEM Dell 0KJCC5 Storage: (OS, ZFS RAIDZ1) - SSD: 5x 2TB Samsung 870 QVO PSU: - 825W Dell OEM Platinum - 1600W EVGA SuperNOVA 1600 Platinum+ (GPUs) OS: Debian 13 Tools Used: hashcat 6.2.6 / 7.x, mdxfind, jtr, rling, hashgen, spider, pcfg-go Rig Type: rackmount LAN: 10Gb fiber (SFP+)

Update: Details of the Solflare “xpass” Exploit March 13, 2026 Over the past year I have received many requests asking when I would release the full details of the Solflare xpass exploit. Today, I am publishing those details. This post serves as an update to my original disclosure in Feb 2025 regarding a purposeful backdoor master key I discovered in the Solflare Chrome wallet extension that allows a wallet vault to be decrypted without requiring the user's wallet password. At the time of the original report I privately disclosed this to Solflare and delayed public publication to give Solflare time to address the exploit. The Core Issue Solflare stores two critical values inside the extension's LevelDB storage: solflaredata – encrypted wallet vault containing the seed phrase <-- this encrypted string contains the wallet seed phrase solflarexpass – a key used to decrypt the vault <-- the "backdoor master key" Because the decryption key is stored locally alongside the encrypted vault, the user's wallet password is not required to decrypt the vault and gain access to the wallet's seed phrase. All that is required to decrypt the wallet and gain access to the seed phrase is access to the Chrome extension storage and extraction of the solflarexpass key -- something very easy for a malicious actor or stealer malware to do. Once the vault is extracted with the key, the seed phrase can be recovered. No password cracking required. Example Storage Layout Inside the Chrome Solflare extension storage database the relevant entries appear similar to: solflaredata: { "data":{ "digest":"sha256", "encoding":"base64", "encrypted64":"..." } } solflarexpass: "<stored key>" Using the key stored in solflarexpass, the encrypted vault (solflaredata) can be decrypted. A screenshot of the original report is attached below. [image: 1773412854934-c25dc614-d139-4de7-9c3b-da142cb773bb-image.png]

CN passwords International

A "clean one" I wean that not all third pepole have it. I had a couple but that was along time ago. So if you please. I will be thankful

hashcat v7.0.0+4.2 benchmark (updated 2025/08/02@16:25) # gpu: nvidia rtx 4090 # manufacture: msi # model: suprim liquid x # settings: 450w stock settings # vbios: 95.02.18.00.52 # 08/02/2025 # NVIDIA-SMI 575.57.08 # CUDA Version: 12.9.1 # hashcat (v7.0.0+4.2) ./hashcat.bin -b hashcat (v7.0.0-4-g9727714cf) starting in benchmark mode Benchmarking uses hand-optimized kernel code by default. You can use it in your cracking session by setting the -O option. Note: Using optimized kernel code limits the maximum supported password length. To disable the optimized kernel code in benchmark mode, use the -w option. Initializing bridges. Please be patient...Initialized bridgesInitializing backend runtimes. Please be patient...Initialized backend runtimesInitializing backend devices. Please be patient...Initialized backend devicesCUDA API (CUDA 12.9) ==================== * Device #01: NVIDIA GeForce RTX 4090, 23688/24080 MB, 128MCU OpenCL API (OpenCL 3.0 CUDA 12.9.76) - Platform #1 [NVIDIA Corporation] ======================================================================= * Device #02: NVIDIA GeForce RTX 4090, skipped Benchmark relevant options: =========================== * --backend-devices=2 * --backend-devices-virtmulti=1 * --backend-devices-virthost=1 * --optimized-kernel-enable ------------------- * Hash-Mode 0 (MD5) ------------------- Speed.#01........: 164.2 GH/s (90.81ms) @ Accel:128 Loops:1024 Thr:896 Vec:8 ---------------------- * Hash-Mode 100 (SHA1) ---------------------- Speed.#01........: 58208.9 MH/s (73.51ms) @ Accel:64 Loops:1024 Thr:512 Vec:1 --------------------------- * Hash-Mode 1400 (SHA2-256) --------------------------- Speed.#01........: 21947.7 MH/s (91.50ms) @ Accel:15 Loops:1024 Thr:1024 Vec:4 --------------------------- * Hash-Mode 1700 (SHA2-512) --------------------------- Speed.#01........: 7476.6 MH/s (89.57ms) @ Accel:8 Loops:1024 Thr:640 Vec:1 ------------------------------------------------------------- * Hash-Mode 22000 (WPA-PBKDF2-PMKID+EAPOL) [Iterations: 4095] ------------------------------------------------------------- Speed.#01........: 2574.3 kH/s (88.52ms) @ Accel:7 Loops:1024 Thr:1024 Vec:1 ----------------------- * Hash-Mode 1000 (NTLM) ----------------------- Speed.#01........: 284.1 GH/s (73.54ms) @ Accel:192 Loops:1024 Thr:896 Vec:8 --------------------- * Hash-Mode 3000 (LM) --------------------- Speed.#01........: 155.7 GH/s (95.78ms) @ Accel:448 Loops:1024 Thr:256 Vec:1 -------------------------------------------- * Hash-Mode 5500 (NetNTLMv1 / NetNTLMv1+ESS) -------------------------------------------- Speed.#01........: 158.2 GH/s (77.39ms) @ Accel:96 Loops:1024 Thr:1024 Vec:1 ---------------------------- * Hash-Mode 5600 (NetNTLMv2) ---------------------------- Speed.#01........: 11696.0 MH/s (89.49ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 -------------------------------------------------------- * Hash-Mode 1500 (descrypt, DES (Unix), Traditional DES) -------------------------------------------------------- Speed.#01........: 6321.6 MH/s (84.67ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 ------------------------------------------------------------------------------ * Hash-Mode 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)) [Iterations: 1000] ------------------------------------------------------------------------------ Speed.#01........: 70840.0 kH/s (96.54ms) @ Accel:56 Loops:1000 Thr:1024 Vec:1 ---------------------------------------------------------------- * Hash-Mode 3200 (bcrypt $2*$, Blowfish (Unix)) [Iterations: 32] ---------------------------------------------------------------- Speed.#01........: 248.8 kH/s (95.61ms) @ Accel:8 Loops:32 Thr:24 Vec:1 -------------------------------------------------------------------- * Hash-Mode 1800 (sha512crypt $6$, SHA512 (Unix)) [Iterations: 5000] -------------------------------------------------------------------- Speed.#01........: 1210.2 kH/s (85.52ms) @ Accel:4 Loops:1000 Thr:1024 Vec:1 -------------------------------------------------------- * Hash-Mode 7500 (Kerberos 5, etype 23, AS-REQ Pre-Auth) -------------------------------------------------------- Speed.#01........: 3642.8 MH/s (95.91ms) @ Accel:334 Loops:256 Thr:32 Vec:1 ------------------------------------------------- * Hash-Mode 13100 (Kerberos 5, etype 23, TGS-REP) ------------------------------------------------- Speed.#01........: 3551.8 MH/s (96.00ms) @ Accel:326 Loops:256 Thr:32 Vec:1 --------------------------------------------------------------------------------- * Hash-Mode 15300 (DPAPI masterkey file v1 (context 1 and 2)) [Iterations: 23999] --------------------------------------------------------------------------------- Speed.#01........: 463.4 kH/s (82.19ms) @ Accel:7 Loops:1000 Thr:1024 Vec:1 --------------------------------------------------------------------------------- * Hash-Mode 15900 (DPAPI masterkey file v2 (context 1 and 2)) [Iterations: 12899] --------------------------------------------------------------------------------- Speed.#01........: 262.2 kH/s (76.61ms) @ Accel:4 Loops:512 Thr:1024 Vec:1 ------------------------------------------------------------------ * Hash-Mode 7100 (macOS v10.8+ (PBKDF2-SHA512)) [Iterations: 1023] ------------------------------------------------------------------ Speed.#01........: 3273.1 kH/s (79.01ms) @ Accel:4 Loops:512 Thr:1024 Vec:1 --------------------------------------------- * Hash-Mode 11600 (7-Zip) [Iterations: 16384] --------------------------------------------- Speed.#01........: 2231.6 kH/s (91.80ms) @ Accel:17 Loops:4096 Thr:512 Vec:1 ------------------------------------------------ * Hash-Mode 12500 (RAR3-hp) [Iterations: 262144] ------------------------------------------------ Speed.#01........: 287.1 kH/s (71.10ms) @ Accel:5 Loops:16384 Thr:512 Vec:1 -------------------------------------------- * Hash-Mode 13000 (RAR5) [Iterations: 32799] -------------------------------------------- Speed.#01........: 278.7 kH/s (85.27ms) @ Accel:12 Loops:1024 Thr:512 Vec:1 -------------------------------------------------------------------------------- * Hash-Mode 6211 (TrueCrypt RIPEMD160 + XTS 512 bit (legacy)) [Iterations: 1999] -------------------------------------------------------------------------------- Speed.#01........: 1989.6 kH/s (90.02ms) @ Accel:6 Loops:500 Thr:1024 Vec:1 ----------------------------------------------------------------------------------- * Hash-Mode 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES)) [Iterations: 24569] ----------------------------------------------------------------------------------- Speed.#01........: 332.1 kH/s (82.05ms) @ Accel:10 Loops:1024 Thr:512 Vec:1 ------------------------------------------------------------------- * Hash-Mode 6800 (LastPass + LastPass sniffed) [Iterations: 100099] ------------------------------------------------------------------- Speed.#01........: 92374 H/s (86.89ms) @ Accel:8 Loops:1024 Thr:768 Vec:1 -------------------------------------------------------------------- * Hash-Mode 11300 (Bitcoin/Litecoin wallet.dat) [Iterations: 200459] -------------------------------------------------------------------- Speed.#01........: 34141 H/s (78.29ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Started: Sat Aug 2 16:11:47 2025 Stopped: Sat Aug 2 16:19:10 2025

First, make sure to read through the Forum Rules: https://forum.hashpwn.net/topic/27/welcome-to-hashpwn-start-here There's several ways to contact me: Reply to this Topic with your question Chat with me here on hashpwn: https://forum.hashpwn.net/user/cyclone Message me on Matrix: https://forum.hashpwn.net/post/138

Thanks to everyone who played along! Rust is the clear favorite out of the 59 responses. https://www.rust-lang.org/ With Zig trailing behind for second place. https://ziglang.org/ [image: 1745243283992-2ea96ec5-2d29-4f6b-972f-e42303887766-image.png]

Update: The fake issue posted by djiazz, and the user's account have been removed from GitHub. GitHub's response: ...Our review of the account named in your report has concluded. We have determined that one or more violations of GitHub’s Terms of Service have occurred and have taken appropriate action in response... Full response: GitHub (GitHub Support) Mar 16, 2025, 9:27 PM UTC Hi cyclone, Our review of the account named in your report has concluded. We have determined that one or more violations of GitHub’s Terms of Service have occurred and have taken appropriate action in response. Please note that our response to abuse on GitHub varies depending on the exact circumstances of each case, as noted in our Community Guidelines: What happens if someone violates GitHub's Policies Additional information on dealing with offensive users or content can be found here: What if something or someone offends you? Thank you for helping create a safe and welcoming environment for software developers. Regards, GitHub Trust & Safety

GitHub Repo Updates: 2025/02/22 - Issue: jetkvm/kvm https://github.com/jetkvm/kvm/issues/187 2025/02/24 - Issue: jetkvm/rv1106-system https://github.com/jetkvm/rv1106-system/issues/6 2025/02/24 - PR: jetkvm/rv1106-system https://github.com/jetkvm/rv1106-system/pull/7 2025/02/24 - PR: chemhack removed default root password "rockchip" https://github.com/jetkvm/rv1106-system/pull/8

Just wanted to stop by and say thanks for giving the challenge a go. Your uploads were a fun surprise also, as it's still on the down low :). Made my day, cheers.

Updated mine just now.

And the same to you.

Update. I solve the issue I put -O in the commandline.

Merry Christmas and Happy New Year everyone!