docs: add confirmed patch status and new sources

Track CVE assignments, patch dates, and security advisories for the flagship Glasswing-discovered vulnerabilities. 13 new sources added. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 15:51:22 -04:00
parent c0033e5d20
commit 7e735c30fb
2 changed files with 42 additions and 1 deletions
@@ -46,7 +46,25 @@ Thousands of zero-days across every major OS and browser. Notable specifics:
 | Linux Kernel | Privilege escalation | — | Chained vulns: KASLR bypass + heap manipulation |
 | Firefox | JIT heap spray + sandbox escape | — | Chains 4 vulns to escape renderer and OS sandboxes |

-**Critical stat: <1% of discovered vulnerabilities have been patched so far.**
+**Overall: <1% of discovered vulnerabilities patched as of 2026-04-07 announcement.** Discovery rate has "outpaced the patch rate by several orders of magnitude."
+
+### Confirmed Patches (as of 2026-04-14)
+
+The flagship vulnerabilities were disclosed and patched **before** the April 7 announcement — Anthropic had been doing coordinated disclosure for weeks prior.
+
+| Vulnerability | CVE | Patched? | Advisory / Details |
+|---|---|---|---|
+| FreeBSD NFS RCE (RPCSEC_GSS) | CVE-2026-4747 | YES (2026-03-26) | FreeBSD-SA-26:08.rpcsec_gss. Stack buffer overflow in `svc_rpc_gss_validate()`. 17 years old, unauthenticated root RCE. Credited "Nicholas Carlini using Claude, Anthropic." |
+| OpenBSD TCP SACK | — | YES (2026-03-21) | Errata patch `025_sack.patch.sig` for OpenBSD 7.7/7.8. Binary patches via `syspatch`. |
+| FFmpeg H.264 | — | YES (partial) | 3 CVEs fixed in FFmpeg 8.1 (including 16-year slice-counter overflow). "Many more undergoing responsible disclosure." FFmpeg publicly thanked Anthropic for "sending real patches." |
+| Linux kernel priv-esc | — | PARTIAL | At least one commit (`e2f78c7ec165`) merged within 1 week. Multiple bugs found (buffer overflow, use-after-free, double-free) but none remotely exploitable — defense-in-depth held. |
+| Firefox JIT sandbox escape | CVE-2026-4692 + 5 more | YES (2026-03-24) | Firefox 149 patched 37 vulns including 6 from Anthropic team (Carlini, Ben Asher, Lucas, Cheng, Freeman, Gaynor, Weinberger). First multi-CVE AI-assisted contribution to a major browser advisory. Red Hat issued RHSA-2026:7837/7841 downstream. |
+
+### Disclosure Timeline
+
+- **90-day public report** committed (early July 2026): summary of what Glasswing has fixed + lessons learned
+- **90 + 45 day maximum** before public release of vulnerability details
+- Calif.io published a detailed write-up of CVE-2026-4747 including the actual prompts used: github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/write-up.md

 ## 4. Partnership Structure